It’s Friday! That means it’s time to sit back, relax, and take a well-earned break from AI buzzwords.
In today’s edition:
🏛 40%40 Club
Mythic Mac
Hot or not
—Eoin Higgins, Billy Hurley, Tom McKay, Patrick Lucas Austin
They say that 60% of the time, it works every time—unless you’re the federal government, then it only works 40% of the time.
A US Government Accountability Office (GAO) report published January 19 found glaring deficiencies in how the federal government is approaching cybersecurity. In the six-page report, the GAO detailed a plethora of incomplete security measures, including recommendations the office had made that have yet to even be attempted.
“Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them,” the report said.
Bad pattern. Federal cybersecurity efforts have been found wanting over the past few years. As IT Brew reported last month, commercial spyware is increasingly being used by adversaries to target US officials overseas. And the threats aren’t limited to the international sphere; US federal courts were hacked in December 2020.
In the case of the courts hack, the Department of Justice was criticized after not sharing details about what happened until pressed by lawmakers. Sen. Ron Wyden wrote a letter to the courts to “express serious concerns that the federal judiciary has hidden from the American public and many Members of Congress the serious national security consequences of the courts’ failure to protect sensitive data to which they have been entrusted.”
Read more here.—EH
Like true love, MySpace, and, uh, drum pants, macOS malware does, in fact, exist, no matter how many people doubt it.
“Despite prevailing opinion, macOS is not a ‘safer’ platform,” said a January threat report from the cybersecurity services and software provider BlackBerry.
Telemetry from BlackBerry found that 34% of client organizations using macOS had the malicious adware Dock2Master on their network (and 26% of machines had the application installed).
“This is not an urban legend…People say, ‘There’s malware for Macs, but we haven’t seen it.’ No, we are seeing it, and we’re seeing it in enterprise environments,” said Ismael Valenzuela, VP of threat research and intelligence at BlackBerry.
Mac attacks are no folk tale, thanks to cross-platform code. The popular programming language GoLang (Go), for example, allows developers to write statements just once before they are then interpreted on different platforms—including macOS. In its report, BlackBerry noted an increase in the use of GoLang to target macOS systems with malicious spam emails.
Some of the Mac-specific malware found in the threat research:
- Adware: What looks like a legitimate application may, in fact, be an unwanted, ad-serving application like Dock2Master.
- Browser hijackers: As their name suggests, these tools can steal the credentials and credit card information entered during sessions.
- Proxy malware: With support from programming languages like GoLang, which work with proxy libraries, this type of Trojan code turns infected machines into a malicious intermediate server.
Safe or out? So, what explains the “prevailing opinion” that Macs are secure? Apple machines have a relatively closed-off structure, said Valenzuela, and they don’t require as much backward compatibility as Windows machines.
Keep reading here.—BH
Heatwave-induced disruptions at data centers for a UK hospital group lasted for weeks thanks to its reliance on “371 legacy IT systems,” according to a board review of the matter.
Guy’s and St. Thomas’ NHS Foundation Trust (GSTT) was one of multiple organizations impacted by a summer 2022 heatwave that fried data centers across the London region—and its recovery took two months to complete. As temperatures soared, cooling systems servicing the two data centers that ran clinical and community IT systems for GSTT hospitals and clinics in London failed on July 19.
As a result, electronic patient records became inaccessible, forcing staff to switch to paperwork and causing delays that affected clinical systems involving everything from lab work to surgeries. The Guardian reported that the hospitals were forced to divert ambulances and critically ill patients to other institutions.
Contributing factors identified by the review included a “complex and confusing” system of roles and responsibilities in data center operations, old infrastructure, and problems with cooling systems. For example, responsibility for the system was split between two GSTT in-house teams, as well as ATOS, a private company that managed the data centers, NetApp, which manufactured the storage network equipment, and Secure IT, which serviced crucial cooling equipment.
Keep reading here.—TM
Today’s top IT reads.
Stat: 77%. That’s the percentage of participants in a University of Pennsylvania study who got an “F” grade on a quiz about how digital devices and services track their online behavior. (the New York Times)
Quote: “It lives in the real world, where change is always happening, and it can perform well under almost any conditions thrown at it.”—Mathias Lechner, MIT researcher, on how a worm’s nervous system is inspiring new designs for liquid neural networks (Quanta Magazine)
Read: How the New York Times is building its own tech stack. (TechCrunch)
- Google fumbled the bag launching a ChatGPT competitor.
- GitHub says its new source-code search engine, currently in beta, is a gamechanger.
- Neom, the $500 billion city-state the Saudi Arabian government is building as a tech-heavy utopia in the desert, is attracting major architectural firms (and concerns about the ethics of the project).
- Watch out: Microsoft is retiring the free version of its Teams app.