unsecured

As legal cannabis has expanded around the United States for both recreational and medical use, companies have amassed troves of data about customers and their transactions. People who have applied for medical marijuana cards have had to share particularly personal health data to qualify. For some patients in Ohio who use medical weed, a recent data exposure could impact their sensitive information.

Security researcher Jeremiah Fowler found a publicly accessible database in mid-July that appeared to contain medical records, mental health evaluations, physician reports, and images of IDs like driver’s licenses for people seeking medical cannabis cards. The 323-GB trove stored close to a million records, including Social Security numbers, email addresses, physical addresses, dates of birth, and medical data—all organized by name.

Based on information that seemed to describe specific employees and business partners, Fowler suspected that the data belonged to the Ohio-based company Ohio Medical Alliance LLC, which goes by the name Ohio Marijuana Card. Fowler contacted the company on July 14; when he checked the database the next day, it had been secured and was no longer publicly accessible online. Fowler did not receive a response about his submission.

Ohio Medical Alliance did not answer WIRED’s questions about Fowler’s findings. At one point, though, the company’s president, Cassandra Brooks, wrote in an email: “I need time to investigate this alleged incident. We take data security very seriously and are looking into this matter.”

“There were physicians’ reports that would say what the underlying problem was—whether it was anxiety, cancer, HIV, or something else. In some cases, the applicants would submit their own medical records as proof” of their qualifying condition, Fowler tells WIRED. “I saw identification documents from lots of states, from everywhere. And I even saw offender release cards, which are basically IDs for people who just got out of prison that they submitted as proof of identity to get a medical marijuana card.”

Fowler says that most of the files in the database were image formats like PDFs, JPGs, and PNGs. One CSV plaintext document called “staff comments” appeared to be an export of internal communications, appointment histories, notes about clients, and application status. That file also contained more then 200,000 email addresses of Ohio Medical Alliance employees, business associates, and customers.

Databases that are misconfigured and have inadvertently been left publicly exposed on the open internet are a common problem online in spite of efforts to raise awareness about the mistake and its privacy implications.

Source link

A major privacy concern involving more than 40,000 security cameras worldwide has been revealed by Cybersecurity firm Bitsight. According to the company’s TRACE research division, these cameras are live-streaming video feeds that are fully exposed to the internet — meaning that one can gain access without needing any sort of authentication, encryption, or even a basic password. In most cases, a person can access real-time footage from these exposed cameras simply by knowing their IP address.

Bitsight initially flagged the issue back in 2023, but recent research suggests that the situation “hasn’t gotten any better.” According to the latest research, these vulnerable cameras are not limited to one region or industry. The United States has close to 14,000 cameras that are potentially exposed, with states like California, Texas, Georgia, and New York having the highest numbers. Next on the list is Japan, with 7,000 exposed cameras, followed by Austria, Czechia, and South Korea, each of which have close to 2,000 vulnerable devices.

It is true that not every camera hooked up to the internet is a cause for concern, and some livestreams are set up intentionally to showcase scenes, like a beach or a birdhouse, for public viewing. However, some of these vulnerable cameras have been found in more private environments — including residential setups monitoring front doors, backyards, and even living rooms.

You may like

Image 1 of 2

(Image credit: Bitsight)(Image credit: Bitsight)

Cameras in office spaces, factories, as well as public transportation systems were also found. Bitsight researchers were able to observe sensitive spaces, monitor foot traffic, and, in some cases, even see details written on whiteboards — all in real time. The majority of the exposed devices are said to be using HTTP, while the rest stream through RTSP (Real-Time Streaming Protocol), which is a common protocol for controlling and managing streaming media over IP networks.

In addition to raising privacy and surveillance concerns, these exposed devices pose serious security risks. Information collected by Bitsight’s Cyber Threat Intelligence team suggests that users are openly discussing the feeds on dark web forums, where users are sharing tools and techniques to gain unauthorized access, and even selling access, to unprotected video streams.

Users and organizations are advised to double-check on how their cameras are configured: Disable remote access if not in use, update to the latest firmware, and make sure the device is protected behind a firewall or connected to a secure network. A simple way to check whether your camera is exposed or not is by accessing it from outside your home network. If you are able to view the camera feed without logging into a secure app or using a VPN (Virtual Private Network), it’s likely open to anyone on the internet. Additionally, one should replace any default usernames and passwords as many camera devices ship with a default set of credentials that are easy to crack.

Follow Tom’s Hardware on Google News to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button.

Source link

Highly Sensitive Medical Cannabis Patient Data Exposed by Unsecured Database

Massive privacy concern: over 40,000 security cameras are streaming unsecured footage worldwide