Someone alerts you to exposed, unencrypted patient information on your FTP server. Is the correct response to thank them profusely or try to have them charged as a criminal hacker?
It is not a trick question. Once again, a security researcher has found himself facing possible prosecution under a federal statute known as the Computer Fraud and Abuse Act (CFAA). His crime, according to a dental-industry software company, was accessing what had been left publicly available on the open Internet.
Meet dental computer technician and software security researcher Justin Shafer, 36, of Texas.
Shafer and his wife were sound asleep at 6:30am local time on Tuesday morning when the doorbell started ringing incessantly, and the family heard a loud banging on their door.
“My first thought was that my dad had died,” Shafer told the Daily Dot in a phone interview, “but then as I went to the door, I saw all the flashing blue and red lights.”
With the baby crying in fear from the racket, Shafer opened the door to find what he estimated to be 12 to 15 FBI agents. One was “pointing a ‘big green’ assault weapon at me,” Shafer told the Daily Dot, “and the baby’s crib was only feet from the door.”
The agents allegedly ordered Shafer to put his hands behind his back. As they handcuffed him, his 9-year-old daughter cried in terror, Shafter said, and his wife tried to tell the agents that there were three young children in the house.
Once handcuffed, Shafer was taken outside, still in his boxer shorts, still not knowing what was going on or why.
Over the next few hours, the agents seized all of Shafer’s computers and devices—“and even my Dentrix magazines,” Shafer said. “The only thing they left was my wife’s phone.” The seized property list, a copy of which was provided to the Daily Dot, shows that federal agents took 29 items.
For those who do not recognize his name, Shafer was responsible for exposing the fact that Dentrix software, produced by Henry Schein Dental, was misleading customers when it claimed to provide “encryption.” In collaboration with DataBreaches.net, a site operated by your author, he exposed that vulnerability and filed an FTC complaint that recently resulted in Henry Schein signing a consent order to settle Federal Trade Commission charges.
So why was the FBI raiding Shafer and treating him like a dangerous criminal? The Daily Dot was unable to obtain a copy of the probable cause affidavit by the time of publication, and it may be under seal. But as one agent subsequently informed Shafer, it stemmed from an incident in February, when Shafer discovered another security vulnerability in dental records, this one a publicly available File Transfer Protocol (FTP) server operated by the team behind Eaglesoft, a dental practice management software.
Eaglesoft is manufactured by Patterson Dental, a division of Patterson Companies. According to Shafer, he was researching an issue with hard-coded database credentials when a search for a password led him to an anonymous FTP server that allowed anyone access. When Shafer looked at the files on the publicly available server and saw a directory with patient data, he took steps to alert Patterson to secure the protected health information.
The FBI was not, of course, there to commend Shafer for responsible disclosure. The agent told him that Patterson Dental was claiming Shafer had “exceeded authorized access” in accessing its FTP server, which is illegal under the CFAA. Attempts by the Daily Dot to contact Patterson by email, website contact form, and phone over the past 24 hours produced no responses.
Shafer discovered the exposed patient data at the beginning of February and contacted DataBreaches.net to request help with the notification and responsible disclosure. Both DataBreaches.net and Shafer began attempting to notify Patterson and clients whose unencrypted patient information had been exposed for an unknown period of time. Over the next few days, we emailed or called Patterson; Timberlea Dental Clinic in Alberta, Canada; Dr. M Stemalschuk in Canada; Massachusetts General Hospital Dental Group; and Dr. Rob McCanon.
Only after Shafer determined that the patient data had been secured did he and DataBreaches.net disclose the incident publicly. As reported on DataBreaches.net, Shafer found that 22,000 patients had had their unencrypted sensitive health information at risk of access by others. It is not clear how long the publicly accessible FTP server was available, and Patterson Dental did not answer the questions DataBreaches.net asked of it on the matter. Shafer told the Daily Dot, however, that the FTP server had been unsecured for years. In an email statement, he wrote (typos corrected):
“Many IT guys in the dental industry know that the Patterson FTP site has been unsecured for many years. I actually remember them having a passworded FTP site back in 2006. To get the password you would call tech support at EaglesoftPatterson Dental and they would just give you the password to the FTP site if you wanted to download anything. It never changed. At some point they made the FTP site anonymous. I think around 2010.”
A cached copy of the directory, still available on FileWatcher, shows that the files were originally uploaded in 2009:
Shafer wrote about the exposed patient data on his blog, but he also called attention to a security vulnerability he had found with Eaglesoft itself—a vulnerability that would make it easy for someone to attack a database and steal patient information. Shafer reported the vulnerability to CERT, a division of the Software Engineering Institute at Carnegie Mellon University that is sponsored by the Department of Homeland Security, which issued a Vulnerability Note.
CERT’s records indicate that, since Patterson Dental was first notified on Feb. 19, the company has yet to provide CERT with a plan to patch or address that vulnerability. Patient data may still be at risk, as CERT describes the impact of the vulnerability this way:
“An attacker with knowledge of the hard-coded credentials and with network access to the database may be able to obtain sensitive patient information.”
Knowledge of those hard-coded credentials is fairly widespread, Shafer claimed in a blog post, where he provided the default login for read access.
To recap: Shafer reported that Patterson Dental had left patient data on an unsecured FTP server, and then he called attention to another vulnerability in one post in February, and then again in a second post in March. And now, according to an FBI agent, Patterson Dental was allegedly claiming that in accessing their unsecured anonymous FTP server, Shafer had accessed it “without authorization” and should be charged criminally under CFAA.
Shafer is now left wondering, is this an attempt to silence or discredit him? This would not be the first time a company seemingly attempted to chill Shafer’s speech about their security issues. And he would certainly not be the first researcher accused of criminal hacking.
After programmer and open-data activist Aaron Swartz took his own life in 2013 under the pressure of what many described as an overly aggressive prosecution under CFAA, there was public support for reforming the law. In February 2013, Cindy Cohn and Marcia Hofmann of the Electronic Frontier Foundation addressed the need to reform the law and to protect researchers from criminal prosecution in certain scenarios. They wrote:
“The law needs to protect tinkerers, security researchers, innovators, and people who seek to avoid being tracked and discriminated against. The CFAA not only fails to protect these people, it allows ambitious prosecutors (and unhappy companies) to target them.”
Despite increased support, a bill proposed by Sens. Ron Wyden (D-Ore.), Rand Paul (R-Ky.), and Rep. Zoe Lofgren (D-Calif.) failed to pass last year. More than three years after Swartz’s death, CFAA has yet to be reformed, and unhappy companies can still attempt to get security researchers prosecuted as criminals.
“It’s weev all over again.”
Prophetically, perhaps, one FBI agent asked Shafer how he knew Andrew “weev” Auernheimer, a notorious hacker-troll who became famous for leaking the personal information of AT&T iPad users he accessed through the company’s publicly available website. Shafer told him that they didn’t know each other, but he had tweeted to him that he was glad he was out of jail (after a court overturned Auernheimer’s conviction in a hacking case over a challenge to venue).
There are some similarities between Auernheimer’s prosecution for “hacking” AT&T and Shafer’s situation. As George Washington University Law professor and CFAA scholar Orin Kerr explained in 2013, when asked why he was representing Auernheimer pro bono on appeal:
“At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an ‘unprotected website’ that is ‘open to the public.’”
The same should be true of FTP servers that have no protection on them and are indexed where anyone can find them via a search engine, legal experts say. When asked for his opinion on Shafer’s case, Kerr told the Daily Dot:
“This is a troubling development. I hope the government doesn’t think that accessing unsecured files on a public FTP server counts as an unauthorized access under the CFAA. If that turns out to be the government’s theory—which we don’t know yet, as we only have the warrant so far—it will be a significant overreach that raises the same issues as were briefed but not resolved in weev’s case. I’ll be watching this closely.”
For his part, Shafer shared his feelings about Patterson Dental with the Daily Dot, saying that they are the ones who acted irresponsibly.
“I think it is a cowardly thing to do to my family,” he said. “I think they owe me a thank you, and I think they owe the patients and covered entities an apology. I also feel like they should be heavily fined for storing patient data on an anonymous FTP site for years.”
Asked whether he was nervous about the possibility of being prosecuted, he replied: “Yes, only because of how I see how harsh they were to guys like Chelsea Manning and guys like Aaron Swartz. Although I haven’t heard of anyone being prosecuted for downloading files from an anonymous FTP [server] before, I suppose there is a first time for everything.”
Defense attorney Tor Ekeland, who represented Auernheimer in the federal court case in New Jersey, has offered to help Shafer, telling the Daily Dot, “It’s weev all over again.”
If the government does plan to charge Shafer, which remains undecided, they may find themselves up against some legal heavy-hitters on the CFAA. It will also be forced to confront that, while exposing a company’s inadequate security may not be good for its business, chilling security research could be bad for consumers and all businesses.
Dissent Doe is the pseudonym of a privacy advocate who reports on privacy issues and data security breaches on PogoWasRight.org and DataBreaches.net. Her research on breaches has fueled resources such as DataLossDB.org and InfoisBeautiful, and it has served as the basis for a number of Federal Trade Commission investigations.