FBI Raids Home of Researcher Who Alerted Company of Publicly Exposed Data
This happens in America again. After arresting a security researcher for exposing flaws in an Elections website, now the FBI has raided the house of the researcher who had reported about publicly exposed data to a company.
It seems the law keepers in America cannot distinguish between cyber criminals and genuine security researchers who take it upon themselves to report flaws to companies/authorities for greater good. The house of Justin Shafer, 36, of Texas, a dental computer technician and software security researcher, was raided by over a dozen FBI agents who in the past had reported security issues in the software and server infrastructure of a U.S. based healthcare services provider, reports The Daily Dot.
Prior to having his house searched, Shafer had reported a vulnerability in Eaglesoft practice management software to the manufacturer Patterson Dental back in February, which was storing private patient records in a publicly-available FTP server. Eaglesoft is manufactured by Patterson Dental, a division of Patterson Companies.
Shafer discovered this while he was investigating the company’s Eaglesoft software. He was searching for the hard-coded database credentials when he discovered an anonymous FTP server which anyone could access. Shafer notified the company as well as CERT.
Shafer worked with DataBreaches.net to secure the FTP server with Patterson Dental and made his findings public in mid-February. The unsecured Eaglesoft FTP server exposed sensitive information on about 22,000 patients, and Shafer claims it has done so as early as 2006.
At the end of March, US-CERT also published an alert on Patterson Dental’s Eaglesoft software issues, related to its hard-coded database credentials. It wrote, “An attacker with knowledge of the hard-coded credentials and with network access to the database may be able to obtain sensitive patient information.” CERT added that it was “currently unaware of a full solution to this problem.”
However, fast forward several months, Shafer and his wife who were sound asleep were woken up at 6:30am local time last Tuesday morning to the doorbell that started ringing continuously. Later, the family heard a loud banging on their door.
“My first thought was that my dad had died,” Shafer told the Daily Dot in a phone interview, “but then as I went to the door, I saw all the flashing blue and red lights.”
With the baby crying in fear from the racket, Shafer opened the door to find what he estimated to be 12 to 15 FBI agents. One was “pointing a ‘big green’ assault weapon at me,” Shafer told the Daily Dot, “and the baby’s crib was only feet from the door.”
The agents allegedly ordered Shafer to put his hands behind his back. As they handcuffed him, his 9-year-old daughter cried in terror, Shafer said. His wife tried to tell the agents that there were three young kids in the house, but they apparently didn’t care.
Once handcuffed, Shafer was dragged outside while still wearing his boxer shorts, “not knowing what was going on or why.”
The agents over the next few hours seized all of Shafer’s computers and devices—“and even my Dentrix magazines,” Shafer said. “The only thing they left was my wife’s phone.” The seized property list shows that federal agents took 29 items.
What was his alleged crime? Responsible disclosure. Instead of thanking the researcher for his proper disclosure of a sensitive data leak, Patterson Digital filed a complaint with local law authorities about being hacked.
FBI agents told Shafer during the house search that Patterson Dental had claimed that he “exceeded authorized access” when researching the issue of the publicly-available FTP server.
Anyone could have accessed the server, it’s not like it was secured. Shafer told the Daily Dot, that the FTP server had been unsecured for years.
In an email statement, he wrote:
“Many IT guys in the dental industry know that the Patterson FTP site has been unsecured for many years. I actually remember them having a passworded FTP site back in 2006. To get the password you would call tech support at Eaglesoft\Patterson Dental and they would just give you the password to the FTP site if you wanted to download anything. It never changed. At some point they made the FTP site anonymous. I think around 2010.”
This is not the first time that Shafer has faced this problem from the healthcare industry. In the past, the researcher had found out that Henry Schein was making false claims that its Dentrix G5 software was using encryption. Shafer’s findings led to another US-CERT alert, and a fine from the FTC.