Government

The State Department and 3 Other US Agencies Earn a D For Cybersecurity (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Cybersecurity at eight federal agencies is so poor that four of them earned grades of D, three got Cs, and only one received a B in a report issued Tuesday by a US Senate Committee. "It is clear that the data entrusted to these eight key agencies remains at risk," the 47-page report stated. "As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable."

The report, issued by the Senate Committee on Homeland Security and Governmental Affairs, comes two years after a separate report found systemic failures by the same eight federal agencies in complying with federal cybersecurity standards. The earlier report (PDF) found that during the decade spanning 2008 to 2018, the agencies failed to properly protect personally identifiable information, maintain a list of all hardware and software used on agency networks, and install vendor-supplied security patches in a timely manner. The 2019 report also highlighted that the agencies were operating legacy systems that were costly to maintain and hard to secure. All eight agencies -- including the Social Security Administration and the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education -- failed to protect sensitive information they stored or maintained.

Tuesday's report, titled Federal Cybersecurity: America's Data Still at Risk, analyzed security practices by the same agencies for 2020. It found that only one agency had earned a grade of B for its cybersecurity practices last year. "What this report finds is stark," the authors wrote. "Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. Seven agencies made minimal improvements, and only DHS managed to employ an effective cybersecurity regime for 2020. As such, this report finds that these seven Federal agencies still have not met the basic cybersecurity standards necessary to protect America's sensitive data." State Department systems, the auditors found, frequently operated without the required authorizations, ran software (including Microsoft Windows) that was no longer supported, and failed to install security patches in a timely manner. The department's user management system came under particular criticism because officials couldn't provide documentation of user access agreements for 60 percent of sample employees that had access to the department's classified network.
"This network contains data which if disclosed to an unauthorized person could cause 'grave damage' to national security," the auditors write. "Perhaps more troubling, State failed to shut off thousands of accounts after extended periods of inactivity on both its classified and sensitive but unclassified networks. According to the Inspector General, some accounts remained active as long as 152 days after employees quit, retired, or were fired. Former employees or hackers could use those unexpired credentials to gain access to State's sensitive and classified information, while appearing to be an authorized user. The Inspector General warned that without resolving issues in this category, 'the risk of unauthorized access is significantly increased.'"

Ars Technica adds that the Social Security Administration "suffered many of the same shortcomings, including a lack of authorization for many systems, use of unsupported systems, failure to Compile an Accurate and Comprehensive IT Asset Inventory, and Failure to Provide for the Adequate Protection of PII."
Security

Passwordstate Customers Complain of Silence and Secrecy After Cyberattack (techcrunch.com)

An anonymous reader shares a report: It has been over three months since Click Studios, the Australian software house behind the enterprise password manager Passwordstate, warned its customers to "commence resetting all passwords." The company was hit by a supply chain attack that sought to steal the passwords from customer servers around the world. But customers tell TechCrunch that they are still without answers about the attack. Several customers say they were met with silence from Click Studios, while others were asked to sign strict secrecy agreements when they asked for assurances about the security of the software. One IT executive whose company was compromised by the attack said they felt "abandoned" by the software maker in the wake of the attack.

Passwordstate is a standalone web server that enterprise companies can use to store and share passwords and secrets for their organizations, like keys for cloud systems and databases that store sensitive customer data, or "break glass" accounts that grant emergency access to the network. Click Studios says it has 29,000 customers using Passwordstate, including banks, universities, consultants, tech companies, defense contractors and U.S. and Australian government agencies, according to public records seen by TechCrunch.

Security

Amazon and Google Patch Major Bug in Their DNS-as-a-Service Platforms (therecord.media)

At the Black Hat security conference Wednesday, two security researchers disclosed a security issue impacting hosted DNS service providers that can be abused to hijack the platform's nodes, intercept some of the incoming DNS traffic, and then map customers' internal networks. From a report: Discovered by Shir Tamari and Ami Luttwak from cloud security company Wiz, the vulnerability highlights the amount of sensitive information collected by managed DNS platforms and their attractiveness from a cyber-espionage and intelligence data collection standpoint.

Also known as DNS-as-a-Service providers, these companies effectively rent DNS servers to corporate entities. While it's not hard to run your own DNS name server, the benefit of using a service like AWS Route53 or the Google Cloud Platform is that companies can offload managing DNS server infrastructure to a third party and take advantage of better uptime and top-notch security. Companies that sign up for a managed DNS provider typically have to onboard their internal domain names with the service provider. This typically means companies have to go to a backend portal and add their company.com and other domains to one of the provider's name servers (e.g., ns-1611.awsdns-09.co.uk). Once this is done, when a company employee wants to connect to an intranet app or an internet website, their computer will query the third-party DNS server for the IP address it needs to connect to. What the Wiz team discovered was that several managed DNS providers did not blacklist their own DNS servers inside their backends.
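The missing control the report describes is an onboarding check that refuses a hosted zone whose name is, contains, or sits under one of the provider's own name-server hostnames. The following is an added illustration of such a guard, not code from Wiz, AWS or Google; the reserved-name list and the `onboard` gate are constructed for the example, and only the `ns-1611.awsdns-09.co.uk` hostname comes from the article.

```python
"""Onboarding guard for a managed DNS backend: reject zone names that
overlap the provider's own name-server hostnames. Added example; the
reserved list is constructed, only ns-1611.awsdns-09.co.uk is from the text."""
from typing import List, Optional

# Constructed: the provider's name-server hostnames and the apex zones they
# live in. No customer may ever register a zone that overlaps these.
RESERVED_NAMES = [
    "ns-1611.awsdns-09.co.uk",   # hostname quoted in the article
    "awsdns-09.co.uk",           # apex zone that hostname lives under
]


def normalize(name: str) -> List[str]:
    """Canonical DNS labels: lowercase, trailing dot stripped, no empty
    labels. Raises ValueError for input that cannot be a zone name."""
    labels = name.strip().lower().rstrip(".").split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"malformed name: {name!r}")
    return labels


def related(candidate: List[str], reserved: List[str]) -> bool:
    """True if candidate equals, is an ancestor of, or is a descendant of
    reserved. Comparison is label-by-label from the right, never by raw
    substring, so 'notawsdns-09.co.uk' does not collide with 'awsdns-09.co.uk'."""
    shorter, longer = sorted((candidate, reserved), key=len)
    return longer[len(longer) - len(shorter):] == shorter


def reject_reason(zone: str, reserved: List[str] = RESERVED_NAMES) -> Optional[str]:
    """Why a zone may not be onboarded, or None if it is allowed."""
    cand = normalize(zone)
    for name in reserved:
        if related(cand, normalize(name)):
            return f"{'.'.join(cand)} overlaps provider name-server name {name}"
    return None


def onboard(zone: str, reserved: List[str] = RESERVED_NAMES) -> bool:
    """Hypothetical gate called by the zone-creation API before any
    record for the zone is written to the provider's name servers."""
    return reject_reason(zone, reserved) is None
```

The ancestor case matters as much as the exact match: a customer zone created for `awsdns-09.co.uk` would make the name server's own hostname a child of customer-controlled records.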

Microsoft

Microsoft Exchange Used To Hack Diplomats Before 2021 Breach (bloomberg.com)

An anonymous reader shares a report: Late last year, researchers at the Los Angeles-based cybersecurity company Resecurity stumbled across a massive trove of stolen data while investigating the hack of an Italian retailer. Squirreled away on a cloud storage platform were five gigabytes of data that had been stolen during the previous three and a half years from foreign ministries and energy companies by hacking their on-premises Microsoft Exchange servers. In all, Resecurity researchers found documents and emails from six foreign ministries and eight energy companies in the Middle East, Asia and Eastern Europe.

The attacks, which haven't been previously reported, served as a prequel to a remarkably similar, widely publicized hack of Microsoft Exchange servers from January to March of this year, according to Resecurity. A person familiar with the investigation into the 2021 attack, who wasn't authorized to speak publicly and requested anonymity, made a similar allegation, saying the data theft discovered by Resecurity followed the same methods. The 2021 hack was extraordinary for its scope, infecting as many as 60,000 global victims with malware. Microsoft quickly pinned the 2021 cyberattack on a group of Chinese state-sponsored hackers it named Hafnium, and the U.S., U.K., and their allies made a similar claim last month, attributing it to hackers affiliated with the Chinese government. Resecurity can't say for sure the attacks were perpetrated by the same group. Even so, the cache of documents contained information that would have been of interest to the Chinese government, according to Gene Yoo, Resecurity's chief executive officer. The person familiar said the victims selected by the hackers and type of intelligence gathered by attackers also pointed to a Chinese operation.

Microsoft

Microsoft Pauses Free Windows 365 Cloud PC Trials After 'Significant Demand' (theverge.com)

Microsoft launched its new cloud PC Windows 365 service earlier this week, and the company has already had to pause free trials due to demand. From a report: Windows 365 lets you rent a cloud PC -- with a variety of CPU, RAM, and storage options -- and then stream Windows 10 or Windows 11 via a web browser. The service reached max capacity after only a day of signups. "Following significant demand, we have reached capacity for Windows 365 trials," reads a statement from the Microsoft 365 Twitter account. "We have seen unbelievable response to Windows 365 and need to pause our free trial program while we provision additional capacity," explains Scott Manchester, director of Windows 365 program management.