Will they try it for 30 days first? McAfee goes private again in $14bn cash deal

Plus: Uncle Sam gets tough on patching, NIST needs you, and more


In brief A consortium of private equity types have stumped up $12bn in cash to acquire what's left of McAfee the company plus another couple of billion to pay off its debts.

McAfee has been in and out of the stock market: it last went public in October 2020 with a valuation of $3.6bn. It then spun off its enterprise security business in March for $4bn in another cash deal, and now the consumer side of the business has been snapped up for $14bn total.

“This transaction is a testament to McAfee’s market-leading online protection solutions, our talented employees, and outstanding customers and partners,” said McAfee president and CEO Peter Leav in a statement today.

“We want to thank our employees for their continued hard work and commitment to McAfee. We are thrilled to be partnering with premier firms who truly understand the cybersecurity landscape and have a proven track record of success.”

The consortium is led by Advent, Permira Advisers, the Abu Dhabi Investment Authority, Crosspoint Capital Partners, GIC, and the Canada Pension Plan Investment Board. The group offered $26 per share to take McAfee private, which is 22.6 per cent higher than the stock's $21.21 price at market close on November 4 and a little higher than its price today of $25.50.

Hackers earn million-dollar payday after exploiting 61 zero-days at Pwn2Own

Another Pwn2Own contest, in which security experts compete for cash prizes by exploiting zero-day vulnerabilities in products, wrapped up on Friday, leaving its successful entrants $1,081,250 better off and vendors with details of 61 flaws to fix. About a dozen of the exploited bugs are rated 10 out of 10 in severity on the CVSS scale.

The aim of the contest is to reward bug hunters and exploit developers for finding, demonstrating, and privately reporting vulnerabilities to participating vendors, who then cough up the cash and issue necessary patches to users. The vendors have 120 days to release their updates ahead of public disclosure of the flaws. In other words, details of the exploited bugs are kept secret until they are fixed or the deadline expires.

Top earner was the Synacktiv team, which took home $197,000, followed by DEVCORE with $180,000 in winnings. The Zero-Day Initiative's Dustin Childs told The Register the budget was doubled for the competition in part to keep up with outfits that buy and sell exploits increasing their offers for details of vulnerabilities.

"The advantage with this is you're not having to go through exploit brokers," he explained. "Plus the exploits go straight to the vendors for a fix, rather than being sold on to unknown third parties."

The average age of the contestants in the competition is going down, we're told. "It's a young person's game at the moment, but teams can benefit from experienced folk as well," said Childs.

COVID-19 permitting, the next competition is scheduled for Miami in January and will be a hybrid event, with some folks attending in person and the rest remote. So far this seems to have worked; DEF CON and Black Hat tried the hybrid model this year and, while visitor numbers were around a quarter of the usual, the post-con infection rate appears to be low. This latest contest was a fully remote affair.

US defense contractor less than brilliant at security

Electronic Warfare Associates, which operates under the slogan "Enabling a more secure future," has confirmed it was compromised by miscreants in a phishing attack.

The US defense contractor, which makes training simulators, drone-jamming gear, radar equipment, and other military tools, filed an incident report [PDF] this month saying a "threat actor" was discovered in its email system on August 2 this year following a "phishing incident."

"We were made aware of the situation when the threat actor attempted wire fraud," the advisory stated, adding that names, social security numbers and drivers' licences were exfiltrated from company servers to an unknown destination.

On the one hand, no defense secrets were lost, it seems, though on the other hand, this kind of information could be quite useful in phishing staff for further information.

Critical vulnerability found in Linux kernel

If you've enabled Transparent Inter-Process Communication (TIPC) support in the Linux kernel on your systems, be aware you ought to apply a patch to avoid having your boxen hijacked by miscreants. This vulnerable feature is not enabled by default.

Spotted by Sentinel Labs, CVE-2021-43267 "can be exploited either locally or remotely within a network to gain kernel privileges," said vulnerability boffin Max Van Amerongen.

A heap overflow vulnerability can be exploited when "the function tipc_crypto_key_rcv is used to parse MSG_CRYPTO messages to receive keys from other nodes in the cluster in order to decrypt any further messages from them," he explained in a patch for the flaw.

The bug resides in kernel versions "between 5.10 and 5.15," according to Sentinel. There's no evidence yet that it has been exploited in the wild. Admins should wait for their distro to release a patched kernel and install it, deploy the above fix themselves, or disable TIPC. Your distro may already be on it; Fedora has issued an update, for instance.
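To turn that advice into a quick check, here is an added shell script (not from the article or from Sentinel Labs) that flags whether a box is in the 5.10 to 5.15 range cited above and whether TIPC is loaded or merely available, then prints the mitigation. It assumes a Linux host with /proc/modules and /boot/config-$(uname -r); the modprobe "install tipc /bin/false" line is a standard way to stop a module loading.

```shell
#!/bin/sh
# Added example, not the article's or Sentinel Labs' code: a defender-side
# exposure check for the TIPC flaw (CVE-2021-43267) described above. It reports
# whether a kernel version is in the 5.10..5.15 range the article cites and
# whether TIPC is loaded or built in, then suggests the mitigation the article
# gives (patch, or disable TIPC). The modprobe "install tipc /bin/false" line
# is a standard way to block a module from loading (assumed modprobe layout).

# 0 if "major.minor[...]" lies within 5.10 .. 5.15 inclusive, else 1.
tipc_version_affected() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    case "$major:$minor" in *[!0-9:]*|:*|*:) return 1 ;; esac
    [ "$major" -eq 5 ] && [ "$minor" -ge 10 ] && [ "$minor" -le 15 ]
}

# 0 if tipc appears in a /proc/modules-style listing ($1), else 1.
tipc_module_loaded() {
    grep -q '^tipc ' "$1" 2>/dev/null
}

# 0 if TIPC is compiled in (y) or as a module (m) in a kernel config file ($1).
tipc_in_config() {
    grep -Eq '^CONFIG_TIPC=(y|m)$' "$1" 2>/dev/null
}

# One-word verdict for a kernel version, modules listing and config file:
# "exposed" (vulnerable range, TIPC loaded), "tipc-available" (vulnerable
# range, TIPC present but not loaded) or "ok".
tipc_verdict() {
    ver=$1 modfile=$2 cfgfile=$3
    if tipc_version_affected "$ver" && tipc_module_loaded "$modfile"; then
        echo exposed
    elif tipc_version_affected "$ver" && tipc_in_config "$cfgfile"; then
        echo tipc-available
    else
        echo ok
    fi
}

# Check the live system.
kv=$(uname -r)
verdict=$(tipc_verdict "$kv" /proc/modules "/boot/config-$kv")
echo "kernel $kv: $verdict"
case $verdict in
    exposed|tipc-available)
        echo "mitigate: install a kernel carrying the CVE-2021-43267 fix, or block TIPC:"
        echo "  echo 'install tipc /bin/false' > /etc/modprobe.d/disable-tipc.conf" ;;
esac
```

A verdict of "ok" on a kernel outside the range does not mean TIPC is harmless in general; it only means this particular bug is out of scope.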

US government cracks the whip on vuln patching

The US government's Cybersecurity and Infrastructure Security Agency has told federal agencies they have to get known vulnerabilities patched within a more aggressive timeline.

The agency has released a catalog of hundreds of known vulnerabilities, across many different platforms, that it wants to see patched within six months. In addition, all federal agencies must report their vulnerability management practices within the next 60 days or face a telling off.

"The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities," it said. "These default timelines may be adjusted in the case of grave risk to the Federal Enterprise."

NIST seeks counsel on software security standards labels

In an attempt to make software security more palatable to normal folk, NIST has opened a public consultation, asking what kind of warning stickers would help.

“We are establishing criteria for a label that will be helpful to consumers,” said Michael Ogata, a NIST computer scientist and co-author of the draft document. “The goal is to raise consumers’ awareness about the various security needs they might have and to help them make informed choices about the software they purchase and use.”

The agency has been mulling this over for years, and if you've got good ideas, send them in. At the moment any labeling scheme would be entirely voluntary. ®
