Will they try it for 30 days first? McAfee goes private again in $14bn cash deal
Plus: Uncle Sam gets tough on patching, NIST needs you, and more
In brief A consortium of private equity types have stumped up $12bn in cash to acquire what's left of McAfee the company plus another couple of billion to pay off its debts.
McAfee has been in and out of the stock market: it last went public in October 2020 with a valuation of $3.6bn. It then spun off its enterprise security business in March for $4bn in another cash deal, and now the consumer side of the business has been snapped up for $14bn total.
“This transaction is a testament to McAfee’s market-leading online protection solutions, our talented employees, and outstanding customers and partners,” said McAfee president and CEO Peter Leav in a statement today.
“We want to thank our employees for their continued hard work and commitment to McAfee. We are thrilled to be partnering with premier firms who truly understand the cybersecurity landscape and have a proven track record of success.”
The consortium is led by Advent, Permira Advisers, the Abu Dhabi Investment Authority, Crosspoint Capital Partners, GIC, and the Canada Pension Plan Investment Board. The group offered $26 per share to take McAfee private, which is 22.6 per cent higher than the stock's $21.21 price at market close on November 4 and a little higher than its price today of $25.50.
Hackers earn million-dollar payday after exploiting 61 zero-days at Pwn2Own
Another Pwn2Own contest, in which security experts compete for cash prizes by exploiting zero-day vulnerabilities in products, wrapped up on Friday, leaving its successful entrants $1,081,250 better off and vendors with details of 61 flaws to fix. About a dozen of the exploited bugs are rated 10 out of 10 in severity on the CVSS scale.
The aim of the contest is to reward bug hunters and exploit developers for finding, demonstrating, and privately reporting vulnerabilities to participating vendors, who then cough up the cash and issue necessary patches to users. The vendors have 120 days to release their updates ahead of public disclosure of the flaws. In other words, details of the exploited bugs are kept secret until they are fixed or the deadline expires.
Top earner was the Synacktiv team, which took home $197,000, followed by DEVCORE with $180,000 in winnings. The Zero-Day Initiative's Dustin Childs told The Register the budget was doubled for the competition in part to keep up with outfits that buy and sell exploits increasing their offers for details of vulnerabilities.
"The advantage with this is you're not having to go through exploit brokers," he explained. "Plus the exploits go straight to the vendors for a fix, rather than being sold on to unknown third parties."
The average age of the contestants in the competition is going down, we're told. "It's a young person's game at the moment, but teams can benefit from experienced folk as well," said Childs.
COVID-19 permitting, the next competition is scheduled for Miami in January and will be a hybrid event, with some folks attending in person and the rest remote. So far this seems to have worked; DEF CON and Black Hat tried the hybrid model this year and, while visitor numbers were around a quarter of the usual, the post-con infection rate appears to be low. This latest contest was a fully remote affair.
US defense contractor less than brilliant at security
Electronic Warfare Associates, which operates under the slogan "Enabling a more secure future," has confirmed it was compromised by miscreants in a phishing attack.
The US defense contractor, which makes training simulators, drone-jamming gear, radar equipment, and other military tools, filed an incident report [PDF] this month saying a "threat actor" was discovered in its email system on August 2 this year following a "phishing incident."
"We were made aware of the situation when the threat actor attempted wire fraud," the advisory stated, adding that names, social security numbers and drivers' licences were exfiltrated from company servers to an unknown destination.
On the one hand, no defense secrets were lost, it seems, though on the other hand, this kind of information could be quite useful in phishing staff for further information.
Critical vulnerability found in Linux kernel
If you've enabled Transparent Inter-Process Communication (TIPC) support in the Linux kernel on your systems, be aware you ought to apply a patch to avoid having your boxen hijacked by miscreants. This vulnerable feature is not enabled by default.
Spotted by Sentinel Labs, CVE-2021-43267 "can be exploited either locally or remotely within a network to gain kernel privileges," said vulnerability boffin Max Van Amerongen.
A heap overflow vulnerability can be exploited when "the function tipc_crypto_key_rcv is used to parse MSG_CRYPTO messages to receive keys from other nodes in the cluster in order to decrypt any further messages from them," he explained in a patch for the flaw.
The bug resides in kernel versions "between 5.10 and 5.15," according to Sentinel. There's no evidence yet that it has been exploited in the wild. Admins should either wait for their distro to release a patched kernel and install it, deploy the above fix themselves, or disable TIPC. Your distro may already be on it; Fedora has issued an update, for instance.
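As an added illustration of the admin-side triage the paragraph above describes (this is example code written for this page, not the kernel patch, Sentinel's code, or anything from the article), the following POSIX sh helper checks whether a kernel version string falls in the "between 5.10 and 5.15" range the article cites, whether the `tipc` module is currently loaded, whether TIPC is compiled into the kernel image (in which case a module blacklist does nothing), and prints a `modprobe` drop-in that stops `tipc` from being loaded on demand. The version range test is only the article's stated range; whether a particular patch level already carries the fix has to be confirmed against the distro's own advisory. The function names, the drop-in file name and the sample `lsmod` and `.config` lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article or the TIPC patch: triage helpers for
# CVE-2021-43267 on a single host. Only the cited 5.10..5.15 range is checked;
# confirm the exact patch status against your distro's advisory.

# 0 (true) if "$1" (e.g. 5.10.0-9-amd64) has major version 5 and minor 10..15.
tipc_kernel_in_cited_range() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$major" = 5 ] && [ "${minor:-0}" -ge 10 ] && [ "${minor:-0}" -le 15 ]
}

# 0 (true) if an lsmod-style listing on stdin contains a line for tipc.
tipc_module_loaded() {
    grep -q '^tipc[[:space:]]'
}

# 0 (true) if a kernel .config on stdin builds TIPC into the kernel image,
# where unloading or blacklisting the module cannot disable it.
tipc_builtin() {
    grep -q '^CONFIG_TIPC=y$'
}

# Drop-in for /etc/modprobe.d/ that prevents tipc from auto-loading:
# "install tipc /bin/false" makes any load attempt fail, "blacklist" stops
# alias-based loading.
tipc_blacklist_conf() {
    printf 'install tipc /bin/false\nblacklist tipc\n'
}

# Report on the running host (needs only coreutils, grep, sed and lsmod).
tipc_report() {
    kver=$(uname -r)
    if tipc_kernel_in_cited_range "$kver"; then
        echo "kernel $kver: inside the 5.10-5.15 range cited for CVE-2021-43267"
    else
        echo "kernel $kver: outside the cited range"
    fi
    if lsmod 2>/dev/null | tipc_module_loaded; then
        echo "tipc module is loaded: stop its users, rmmod tipc, then blacklist"
    else
        echo "tipc module is not loaded"
    fi
    if [ -r "/boot/config-$kver" ] && tipc_builtin < "/boot/config-$kver"; then
        echo "CONFIG_TIPC=y: TIPC is built in; a modprobe blacklist will not disable it"
    fi
    echo "suggested contents of /etc/modprobe.d/tipc-disable.conf (hypothetical file name):"
    tipc_blacklist_conf
}

# Usage: sh tipc-check.sh report
case "${1:-}" in
    report) tipc_report ;;
esac
```

Blacklisting is a stopgap for hosts that do not need TIPC; on a host that legitimately uses it, the only real fix is the patched kernel the paragraph above points to.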
US government cracks the whip on vuln patching
The US government's Cybersecurity and Infrastructure Security Agency has told federal agencies they have to get known vulnerabilities patched within a more aggressive timeline.
The agency has released a catalog of hundreds of known vulnerabilities, across many different platforms, that it wants to see patched within six months. In addition all federal agencies must report their vulnerability management practices within the next 60 days or face a telling off.
"The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities," it said. "These default timelines may be adjusted in the case of grave risk to the Federal Enterprise."
NIST seeks counsel on software security standards labels
In an attempt to make software security more palatable to normal folk, NIST has opened a public consultation, asking what kind of warning stickers would help.
“We are establishing criteria for a label that will be helpful to consumers,” said Michael Ogata, a NIST computer scientist and co-author of the draft document. “The goal is to raise consumers’ awareness about the various security needs they might have and to help them make informed choices about the software they purchase and use.”
The agency has been mulling this over for years, and if you've got good ideas, send them in. At the moment any labeling scheme would be entirely voluntary. ®