Another major breach in healthcare puts 5.3 terabytes of sensitive data at risk, Google claims that moving to Rust is not only more secure but easy, and is it time to educate users on sextortion?
Welcome to Cyber Security Today. I’m your host, Jim Love.
A major data breach at Confidant Health, a US-based AI healthcare firm, has potentially exposed 5.3 terabytes of sensitive mental health records.
Cybersecurity researcher Jeremiah Fowler discovered a misconfigured server, with no password protection, containing confidential patient information from the Texas-based company’s telehealth platform.
The exposed data comprised over 126,000 files and 1.7 million logging records. The breach may have compromised a wide range of sensitive information, including:
– Personal details like names, addresses, and driver’s licenses
– Detailed mental health assessments and family histories
– Prescription medication lists and diagnostic test results
– Insurance information and Medicaid cards
– Audio and video recordings of therapy sessions
– Psychotherapy intake notes discussing trauma and substance abuse
Confidant Health, which offers services including alcohol rehab and opioid withdrawal management across five states, has acknowledged the leak and restricted access. However, the duration of exposure and potential unauthorized access remain unknown.
While health care has been a frequent target, this breach highlights the critical importance of robust data security in the rapidly growing telehealth industry.
This breach appears to be purely the result of human error: a server left misconfigured and open to the internet is a relatively easy target, found by scanning rather than by any exploit.
For IT and healthcare leaders, this incident underscores the urgent need to review security practices: encryption of data at rest, access controls on every storage endpoint, regular audits for exposed services, and comprehensive incident response plans, as telehealth services accumulate more and more sensitive data.
Sources include: Hackread.com, VPNmentor
Google is not only rewriting the protected virtual machine firmware in its Android Virtualization Framework in Rust, but is encouraging the industry to follow suit, claiming it’s “easy” to boost security with Rust replacements.
In a write-up on Google’s security blog, Android engineers Ivan Lozano and Dominik Maier documented the technical details of replacing legacy C and C++ code with Rust. In an interview with The Register they said: “You’ll see how easy it is to boost security with drop-in Rust replacements, and we’ll even demonstrate how the Rust toolchain can handle specialized bare-metal targets.”
The US government, with support from leading tech firms and non-profit initiatives, has been pushing for critical open-source projects and components to be written in Rust. Witness the recommendation the Cybersecurity & Infrastructure Security Agency published last year, insisting that companies “make it a top-level company goal to reduce and eventually eliminate memory safety vulnerabilities from their product lines.”
Google has gotten on board with this recommendation, but not only for the added security. It also reports that its Rust developers are twice as productive as its C++ engineers.
Not everyone in the industry agrees. The Rust for Linux project recently saw one of its maintainers step down due to resistance from kernel developers. Some Linux developers claim there are other ways to solve the problem of memory-safety bugs. Some also say that Rust’s steep learning curve contradicts Google’s “easy” claim.
But Google’s leadership could push the industry to reshape firmware development to minimize, if not eliminate, memory errors, even if adoption is more gradual than many might hope.
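As an added illustration of what a “drop-in” memory-safe replacement actually buys, here is a small Rust parser for a constructed tag-length-value record, the kind of routine firmware parses from untrusted input. This is example code written for this summary, not Google’s AVF firmware or anything from the blog post; the record format, the function names and the sample bytes are all assumptions for the example. The parsing functions use only core APIs (no heap, no panics on malformed input), which is the constraint a bare-metal target imposes.

```rust
// Added example (not Google's code): bounds-checked parsing of a constructed
// [tag:u8][len:u8][payload:len bytes] record. In C, a `memcpy(out, buf + 2, len)`
// with an attacker-controlled `len` would read past the end of `buf`; here the
// slice API makes the length check explicit and turns it into an error value.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    UnknownTag(u8),
}

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: u8,
    pub payload: &'a [u8],
}

/// Parse one record from the front of `buf`.
/// Returns the record and the unconsumed remainder, or an error on malformed input.
pub fn parse_record(buf: &[u8]) -> Result<(Record<'_>, &[u8]), ParseError> {
    let (&tag, rest) = buf.split_first().ok_or(ParseError::Truncated)?;
    let (&len, rest) = rest.split_first().ok_or(ParseError::Truncated)?;
    let len = usize::from(len);
    // `get` returns None instead of reading out of bounds when `len` lies.
    let payload = rest.get(..len).ok_or(ParseError::Truncated)?;
    let remaining = &rest[len..]; // cannot panic: `get` above already succeeded
    // Tags 0x01 and 0x02 are the only ones this hypothetical format defines.
    if tag != 0x01 && tag != 0x02 {
        return Err(ParseError::UnknownTag(tag));
    }
    Ok((Record { tag, payload }, remaining))
}

/// Walk a buffer of consecutive records, stopping at the first malformed one.
pub fn count_records(mut buf: &[u8]) -> Result<usize, ParseError> {
    let mut n = 0;
    while !buf.is_empty() {
        let (_, rest) = parse_record(buf)?;
        buf = rest;
        n += 1;
    }
    Ok(n)
}

fn main() {
    // Constructed sample input: two well-formed records ...
    let good = [0x01, 0x03, b'a', b'b', b'c', 0x02, 0x01, 0xff];
    // ... and one whose length field claims 200 bytes when only 2 follow.
    let bad = [0x01, 0xc8, 0x00, 0x00];
    println!("good: {:?}", count_records(&good));
    println!("bad:  {:?}", count_records(&bad));
}
```

The point is not that Rust forbids the bug, but that the natural way to write the code (`get(..len)`) fails closed, whereas the natural C idiom fails open and the bounds check is something the reviewer has to notice is missing.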
Sources include: The Register, Google Security Blog
A long-standing email scam known as “sextortion” has taken a disturbing new turn. Recent reports indicate that these scams now include photos of the target’s home, likely obtained from online mapping services like Google Maps, in an attempt to make their threats more convincing.
The scam emails, which claim that malware has captured webcam footage of recipients in compromising situations, now address targets by name and include images of their street or front yard. The messages demand Bitcoin payment, typically around $2,000, to prevent the alleged video from being released to the recipient’s contacts.
While the core of the scam remains unchanged, this personalized approach potentially makes the threats more frightening for recipients. It’s important to note that in most cases, these are automated scams with no actual compromising footage.
In the US, the FBI gives predictable advice: never send compromising images of yourself, avoid opening attachments from unknown sources, and keep webcams covered when not in use. It also provides a hotline: if you believe you’re a victim of sextortion, contact your local FBI office or call 1-800-CALL-FBI.
It’s not a topic that many corporate security programs address, but with work from home blurring the lines between corporate and personal use, it may be something to consider. While the current round of threats focuses on a cash payment, an employee who is targeted may create consequences for their company. First, if the attacker’s claim of access were true, the machine involved could be a corporate PC; second, as any auditor will tell you, an employee who is being blackmailed is a corporate risk as well.
Sources include: KrebsOnSecurity
That’s our show. You can find the show notes with links at technewsday.com or .ca, take your pick.
I didn’t manage to find a Canadian number for sextortion reporting, if one does exist. But if someone knows, please drop me a note.
I’m your host, Jim Love, thanks for listening.