What does a security researcher get for responsibly disclosing a dental database vulnerability that exposed the sensitive information of tens of thousands of patients? Not a bug bounty payout. Not even a “thank you” from the company. He gets raided by at least a dozen armed FBI agents and may be charged under the Computer Fraud and Abuse Act (CFAA).
Justin Shafer, who is described as a 36-year-old security researcher and dental computer technician, reported a vulnerability in Eaglesoft practice management software to the manufacturer Patterson Dental back in February.
He had been looking into Eaglesoft’s hard-coded database credentials when he discovered an anonymous FTP server, one that accepted logins from anyone without a password. The unsecured Eaglesoft FTP server exposed sensitive information on about 22,000 patients. Shafer notified the company as well as CERT.
Fast forward several months to the morning of May 24, 2016. The Daily Dot reported that at 6:30 a.m., 12 to 15 armed FBI agents raided Shafer’s house. He was awakened by them incessantly ringing his doorbell and banging on the door. When he opened the door, one of the agents “was pointing a ‘big green’ assault weapon” at him.
There were three young kids in the house, but the agents apparently didn’t care. Not only was his baby’s crib just a few feet away, with the infant crying in fear from “all the racket,” but the feds handcuffed him in front of his 9-year-old daughter, who was crying “in terror.” He was hauled outside while still wearing his boxer shorts, “not knowing what was going on or why.”
Over the next few hours, the agents seized all of Shafer’s computers and devices—“and even my Dentrix magazines,” Shafer said. “The only thing they left was my wife’s phone.” The seized property list, a copy of which was provided to the Daily Dot, shows that federal agents took 29 items.
What was his alleged crime? Responsible disclosure. Yes, he reported the vulnerability. He and Databreaches.net waited until it had been secured before publicly disclosing the incident, which affected 22,000 dental patients whose sensitive information had been public for years.
Shafer told The Daily Dot that an FBI agent said:
When CERT published a vulnerability notice about Patterson Dental Eaglesoft’s hard-coded database password in March, it wrote, “An attacker with knowledge of the hard-coded credentials and with network access to the database may be able to obtain sensitive patient information.” CERT added that it was “currently unaware of a full solution to this problem.”
One of the feds reportedly asked Shafer how he knew Andrew “weev” Auernheimer. Shafer doesn’t know weev; he had merely tweeted that he was glad weev was out of jail after Auernheimer’s conviction was overturned and he was released from prison in April 2014. It is a classic example of how anything you say on social media may come back to bite you.
In fact, Tor Ekeland, one of Auernheimer’s lawyers, told the Daily Dot, “It’s weev all over again.” Ekeland has offered to help Shafer.
The CFAA has needed reform for a long time, and Shafer’s predicament is yet another example of how bad the over-reaching anti-hacking law really is. The FileWatcher search engine shows that the unsecured files on that public FTP server were originally uploaded in 2009.
Anyone could have accessed the server. An anonymous FTP server, by definition, asks for no credentials; every connection is granted access, so nothing was bypassed and nothing was secured. Labeling that “unauthorized access” is crazy. No good deed goes unpunished, huh?