Perforce Software Responds to McAfee White Paper on Operation Aurora

Company Statement

Perforce Software Responds to McAfee White Paper on Operation Aurora

March 4, 2010

Perforce Software as well as other companies, whose applications house critical data, was the subject of a White Paper issued by McAfee on March 3, 2010.

As the White Paper states, Perforce “has long been a staple of source code control systems and has thousands of customers. Its products are used by the largest Fortune 1,000 companies.” It stands to reason that when hackers are looking for a company’s intellectual property (IP), they would look to Perforce where the content is versioned and managed.

Christopher Seiwald, President and Chief Technology Officer of Perforce Software said, “Our product has several security levels that most of our customers take advantage of. However, our security is not designed to stop attackers who breach a company’s IT defenses and are then able to masquerade as legitimate users. We use our own product, Perforce, to develop our product and we use security software to protect ourselves.”

McAfee’s White Paper and Perforce

According to McAfee’s White Paper, hackers used an Internet Explorer exploit to masquerade as our customers' legitimate users. They then accessed Perforce as legitimate users in an attempt to steal IP.

In addition, McAfee Labs reviewed the freely available version of our SCM system aimed specifically at people evaluating Perforce and casual users. Many of the vulnerabilities McAfee identified were due to running our product with security turned ‘off’, which is how we distribute the trial version of our SCM system. In addition, they did not determine these vulnerabilities played a role in the recent attacks.

What We Are Doing

Last week we received a preliminary version of McAfee’s findings. We plan to follow the recommendations McAfee has suggested. These improvements are aimed at ensuring legitimate users stay within their bounds.

We are issuing a reminder to our customers to run Perforce with the security turned ‘on’ as well as other security recommendations.

About the Perforce SCM System

Perforce, the Fast Software Configuration Management System, is an award- winning tool that versions and manages source code and digital assets for enterprises large and small. Perforce is easy to install, learn and administer; seamlessly handles distributed development; and supports developers across a large number of platforms. Perforce ensures development integrity by grouping multi-file updates into atomic changes, enables concurrent development, and intelligently manages multiple software releases using its Inter-File Branching system.