A24 TECHNOLOGY
Thursday 16 January 2020
NSA finds major security flaw in Windows 10, free fix issued

By MATT O'BRIEN
AP Technology Writer

The National Security Agency has discovered a major security flaw in Microsoft's Windows 10 operating system that could let hackers intercept seemingly secure communications.

But rather than exploit the flaw for its own intelligence needs, the NSA tipped off Microsoft so that it can fix the system for everyone.

Microsoft released a free software patch to fix the flaw Tuesday and credited the intelligence agency for discovering it. The company said it has not seen any evidence that hackers have used the technique.

Amit Yoran, CEO of security firm Tenable, said it is "exceptionally rare if not unprecedented" for the U.S. government to share its discovery of such a critical vulnerability with a company. Yoran, who was a founding director of the Department of Homeland Security's computer emergency readiness team, urged all organizations to prioritize patching their systems quickly.

An advisory sent by the NSA on Tuesday said "the consequences of not patching the vulnerability are severe and widespread."

Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.

"The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," the company said. If successfully exploited, attackers would have been able to conduct "man-in-the-middle attacks" and decrypt confidential information they intercept on user connections, the company said.

Some computers will get the fix automatically, if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer's settings.

Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA's involvement. Microsoft and the NSA both declined to say when the agency privately notified the company. The agency shared the vulnerability with Microsoft "quickly and responsibly," Neal Ziring, technical director of the NSA's cybersecurity directorate, said in a blog post Tuesday.

Priscilla Moriuchi, who retired from the NSA in 2017 after running its East Asia and Pacific operations, said this is a good example of the "constructive role" that the NSA can play in improving global information security. Moriuchi, now an analyst at the U.S. cybersecurity firm Recorded Future, said it's likely a reflection of changes made in 2017 to how the U.S. determines whether to disclose a major vulnerability or exploit it for intelligence purposes.

The revamping of what's known as the "Vulnerability Equities Process" put more emphasis on disclosing vulnerabilities whenever possible to protect core internet systems and the U.S. economy and general public.

Those changes happened after a mysterious group calling itself the "Shadow Brokers" released a trove of high-level hacking tools stolen from the NSA, forcing companies including Microsoft to repair their systems. The U.S. believes that North Korea and Russia were able to capitalize on those stolen hacking tools to unleash devastating global cyberattacks.

This Aug. 7, 2017, file photo shows a Microsoft Windows sign on display at a store in Hialeah, Fla. (Associated Press)

Dating apps leak personal data, Norwegian group says

LONDON (AP) — Dating apps including Grindr, OkCupid and Tinder leak personal information to advertising tech companies in possible violation of European data privacy laws, a Norwegian consumer group said in a report Tuesday.

The Norwegian Consumer Council said it found “serious privacy infringements” in its analysis of how shadowy online ad companies track and profile smartphone users.

The council, a government-funded nonprofit group, commissioned cybersecurity company Mnemonic to study 10 Android mobile apps. It found that the apps sent user data to at least 135 different third party services involved in advertising or behavioral profiling.

“The situation is completely out of control,” the council said, urging European regulators to enforce the continent’s strict General Data Privacy Regulation, or GDPR. It said the majority of the apps did not present users with legally-compliant consent mechanisms.

The council took action against some of the companies it examined, filing formal complaints with Norway’s data protection authority against Grindr, Twitter-owned mobile app advertising platform MoPub and four ad tech companies.

Grindr sent data including users’ GPS location, age and gender to the other companies, the council said.

Twitter said it disabled Grindr’s MoPub account and is investigating the issue “to understand the sufficiency of Grindr’s consent mechanism.”

Period tracker app MyDays and virtual makeup app Perfect 365 were also among the apps sharing personal data with ad services, the report said.

IAC, owner of Tinder and OkCupid, said the company shares information with third parties only when it is “deemed necessary to operate its platform” with third party apps. The company said it considers the practice in line with all European and U.S. regulations.

The U.S. doesn’t have federal regulation like the GDPR, although some states, notably California, have enacted their own laws.

Nine civil rights groups, including the American Civil Liberties Union of California, the Electronic Privacy Information Center, Public Citizen and U.S. PIRG sent a letter to the Federal Trade Commission, Congress and state attorneys general of California, Texas and Oregon asking them to investigate the apps named in the report.

“Congress should use the findings of the report as a road map for a new law that ensures that such flagrant violations of privacy found in the EU are not acceptable in the U.S.,” the groups said in a statement.

The FTC confirmed it received the letter but declined to comment further. The creators of the MyDays, Perfect 365 and Grindr apps did not immediately respond to requests for comment.

In this Wednesday, May 29, 2019 file photo, a woman checks the Grindr app on her mobile phone in Beirut, Lebanon. (Associated Press)