The NSA patches up its reputation with a gift to Microsoft

January 15, 2020, 4:09 PM UTC

This is the web version of Data Sheet, Fortune’s daily newsletter on the top tech news. To get it delivered daily to your in-box, sign up here.

On Monday, rumors swirled that Microsoft was preparing to release a particularly noteworthy software patch for a serious vulnerability in its Windows operating system.

“I get the impression that people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner,” tweeted Will Dormann, a vulnerability analyst at CERT-CC, a computer security-focused arm of the Pittsburgh-based nonprofit Software Engineering Institute. “Even more so than others. I don’t know… just call it a hunch? ¯_(ツ)_/¯”

Dormann’s “hunch” proved valid: In a Tuesday bulletin, Microsoft revealed the details of a troubling spoofing vulnerability. If exploited by attackers, the flaw would enable them to trick people into downloading malicious files that appeared to be from trusted sources. Microsoft urged customers in a blog post to “update their systems as quickly as practical.” (The company noted that it had “not seen it used in active attacks.”)

For those of us who are neither hackers nor systems administrators, the most interesting aspect of the flaw was the origin of its discovery: the U.S. National Security Agency. (Kudos to Brian Krebs, an independent investigative reporter, for connecting the dots about this earlier than others.)

This is the first time Microsoft has publicly credited the NSA for disclosing a software vulnerability to the company. (Longtime readers of this newsletter may recall an apparent backchannel between the NSA and Microsoft that seemed to avert a potential security disaster in 2017.) Historically keeping to itself, the NSA—jokingly referred to as No Such Agency—has broken with tradition.

This is not your parent’s NSA. The shadowy agency’s reputation was in shambles after former contractor Edward Snowden began leaking loads of internal documents detailing its practices and capabilities in 2013. In the years since, the NSA has been attempting to refurbish its public image, speaking more openly and showing up, undisguised, at industry events. Now, with the Microsoft patch, we see it even seeking recognition for its security findings.

Heck, Rob Joyce, former White House cybersecurity czar and NSA’s most public face, is now inviting people to drop by the NSA’s table to pick up “swag” at the cybersecurity industry’s RSA Conference in March. (Apparently, the agency will be giving out “I patched” stickers; similar to “I voted” stickers, but much, much nerdier.)

As businesses patch their computers, the NSA patches its reputation.

Robert Hackett

Twitter: @rhhackett



Easy as Apple pie. President Donald Trump called on Apple to "step up to the plate" and help the Justice Department unlock two iPhones said to have belonged to a shooter who killed three people at a Florida Navy base last month. The remarks add to the pressure Attorney General William Barr has been applying to the company. Apple, echoing its stance from several years ago in the wake of the San Bernardino shooting, is preparing for another potential legal battle.

Eye on Iran. The FBI issued an advisory last week warning American companies that Iran has stepped up its "cyber reconnaissance activity" since the U.S. killed Iranian general Qassem Soleimani. Top targets for the hackers include defense contractors, government agencies, academia and think tanks. The attackers like to exploit "virtual private network," or VPN, applications, the FBI said. Also, buried in a recent New York Times story was the tidbit that if Iran escalated its retaliatory attacks on the U.S., the latter had developed a plan to cripple Iran’s oil and gas sector with a cyberattack.

Hua-wait a minute. Citing national security risks, U.S. intelligence officials are warning UK Prime Minister Boris Johnson's administration that using Huawei technology in its 5G network buildout would be "nothing short of madness," the Financial Times reports. Johnson is anticipated to approve Huawei equipment for use in the periphery of Britain's 5G networks, rather than at its core—but U.S. officials believe even this is still too risky. Johnson's dilemma: He is attempting to maintain a good relationship with China and also not jeopardize intelligence-sharing agreements with the U.S. and other Five Eyes countries. China, meanwhile, is decoupling itself economically from the U.S.

Your voice matters. As alleged Russian hackers look to dig up dirt on Democratic presidential frontrunner Joe Biden by attempting to infiltrate Burisma, the Ukrainian oil and gas firm which once employed his son, one might wonder: What have the candidates been saying about cybersecurity lately? President Trump recently made some comments about "the cyber," saying, in reference to the possibility of Iranian cyberattacks, "If we ever get hit, we'll hit very hard." Democratic challenger Bernie Sanders, asked if he uses two-factor authentication on his phone, cryptically told the New York Times: "There is a woman in my office whose name is Melissa who drives me crazy and gets angry at me all the time." (Sounds like you're doing the Lord's work, Melissa.) And Mike Bloomberg, the billionaire businessman, former New York City Mayor, and recent race entrant, just released his own plan for protecting elections.

Everything leaks eventually: r/StarWarsLeaks/DuelofFates.


Jumping off President Trump's Apple-cajoling above... As the Justice Department ramps up its efforts to pressure Apple, many cybersecurity experts are wondering why the Feds are having any trouble at all. As the Wall Street Journal notes, a cottage industry has sprouted up that sells hacking tools—including ones designed to divulge data locked away in many iPhone models—that seem to make this a tractable challenge.

Just a few years ago, many iPhones were almost impossible to crack, but that is no longer true, security experts and forensic examiners say. Companies including Grayshift LLC, Israel’s Cellebrite Mobile Synchronization Ltd. and others offer methods to retrieve data from recent iPhones.

“We’ve got the tools to extract data from an iPhone 5 and 7 now,” said Andy Garrett, a chief executive of Garrett Discovery, a forensics investigation firm. “Everybody does.”




Facebook criticized for deleting posts supporting Iranian General killed by U.S. by Alyssa Newcomb

Why Microsoft is leaning into E3—and Sony is bowing out—amid ‘marketing hype war’ by Chris Morris

What the struggles of pizza and coffee-making robots mean for investors by Jonathan Vanian

Disney is ready to roll out new ‘Star Wars’ sagas as one story ends by Dale Rutledge


Wondering how Carlos Ghosn, the erstwhile CEO of Nissan and Renault and fugitive from Japanese law enforcement, made his great escape from Tokyo? Bloomberg Businessweek tells how an Army Special Forces veteran masterminded the extraction. It involves bullet trains, hotels, airports with lax security...and stuffing the executive into an oversized audio gear case.
