In an alert sent to medical and dental healthcare entities, the FBI is asking organizations to mind and secure their FTP servers in the face of hackers trying to get protected health information (PHI) and personally identifiable information (PII).
The FBI says hackers are using information they find on unsecured FTP servers to "intimidate, harass, and blackmail business owners."
The Agency's alert is consistent with reports in the infosec community. During the past year, the attacks on healthcare organizations have increased. One particular hacker, known as TheDarkOverlord has been extremely active.
FBI warns against usage of anonymous FTP accounts
The FBI’s alert – a PIN (Private Industry Notification) – specifically mentions unsecured (anonymous) FTP servers that allow anyone to connect with the “anonymous” or “ftp” username, and with no password.
The PIN alert even cites research published by the University of Michigan in 2015, titled “FTP: The Forgotten Cloud,” in which researchers revealed they discovered one million anonymous FTP servers exposed on the Internet.
In September 2016, a security expert nicknamed Minxomat reproduced the same research, but despite the passage of nearly two years, the number of exposed anonymous FTP servers has remained at high levels, the researcher finding 796,578 FTP servers exposed on the IPv4 address space.
FBI: FTP servers used to store malware, launch DDoS attacks
Besides leaking critical user and company data, the FBI also said crooks could also use these exposed FTP boxes to store malicious files in malware distribution schemes or hijack the machines for DDoS attacks.
For one person, the FBI’s alert is more painful than for most. This person is Justin Shafer, a dental software researcher.
The FBI raided Shaffer’s home in 2016 after the researcher found unencrypted patient data exposed on a healthcare company’s FTP server. Instead of thanking the researcher for his findings, the company complained to the FBI, claiming Shaffer hacked their server when in reality the data was left exposed to anyone that had the time to look for it.
Comments
agamoto - 6 years ago
There's a lot more to this story.
Here's what I know based on what I've read, seen and heard from Justin, his databreach media partner, his wife, and of course the complaints and court documents that were released.
To start with, nothing ever came from that initial raid against Shafer in May 2016. No charges, no indictment. No repercussions for the company which falsely claimed they were hacked, no word at all from the FBI about when Shafer's electronics would be returned.
Fast forward several months, and Shafer is still hard at it, finding patient data all over the place and reporting all of it to his media partner @ databreaches.net, to the Department of Health and Human Services/Office for Civil Rights and to the parties at fault holding the unsecured data. In this short span, he's uncovered dozens of insecure sites and helped secure the identities of , by his own estimate, about 500,000 people.
Then, enter "The Dark Overlord"... In June of 2016, the infamous hacker (or hackers) informs the media he has three medical databases exposing hundreds of thousands of patients. Shafer, already on a mission to protect patient data everywhere, adds "Take down TDO" to his mission and opens a dialogue with him/she/them via twitter in an effort to determine if the data is legitimate and to find a way to bring TDO down. TDO sends the smallest database of the three to Justin and another researcher named Jeremy Kirk as proof.
Justin informs the FBI regarding the receipt of this database via telephone, email and twitter the day he receives it, and has the phone and email records to prove it. He's asked for TDO's twitter handle, that's all. No one ever calls him back. He's ignored. Investigators, apparently unaware of Justin's intention to HELP them catch him are watching TDO's interactions with others online via twitter. The communications with Justin trigger them to believe they must be in cahoots and they get a warrant to raid Shafer again in January 2017 as part of the TDO investigation. Sure enough, they find that database in his possession.
Fast forward a few months more and they still have nothing to show for those raids. No charges, no indictments. Shafer is rightfully pissed about all of this and wants his stuff back, but he doesn't have the contact info for the agent in charge of his case, he attempts contact with the FBI via their main email/switchboard and twitter accounts, receiving little to no response for months with regards to the investigation, when he'll get his stuff back and who will pay for damage to his car.
Growing increasingly frustrated at the lack of contact and closure on his case, on or about March 21, Shafer learns his case agent's actual last name. This is the agent responsible for raiding and interrogating him twice. He then starts digging around facebook and google to find out who he is so he can attempt direct contact. He makes the critical mistake of documenting his progress of that search publicly on his twitter and facebook, which the feds would later use to indict him on USC 18 119 charges. He locates the agent's relatives profiles, including the agent's wife and notes that on Twitter/Facebook. He follows her on twitter, and sends her a absolutely non threatening message via facebook asking her to tell her husband to please give his stuff back so he can have the pictures and videos of his children. Finally, he emails the agent directly at his federal address with the statement "F**k the Police! ;)" followed by a query regarding why an FTP site he informed them about weeks prior was still open and insecure. He followed this up with a second message, quoting the first, adding only: "Welcome to the Federal Government!"
Anyone who know's Justin knows that his communications skills are lacking and he often writes easily misinterpreted email and text/instant messages. I've conversed with him enough about the subject to know that the email was likely meant to be a criticism of a fumbling government who keeps failing to investigate breaches he's tried to help them with.
The agent now alerted to this, looks back through Shafer's twitter and facebook history, peppered with enough 140 character or less expletive laced insults and tirades against the Feds, the FBI, the agent himself, the HHS et. al. for their bureaucratic/investigative failures. Upon noting all of this, the agent filed a complaint indicating that he and his wife have suffered SUBSTANTIAL emotional harm due to Shafer's conduct.
The complaint filed with the court to get their warrant does its best to paint Shafer as a dangerous and threatening hacker with possible ties to some serious criminal activity! The complaint provides a scintillating tease of an alleged connection between Shafer and TDO, mentions that one of TDO's databases was found in the second raid, and of course discusses Mr. Shafer's "hacking" of the FTP site. This is clearly all padding there to paint Mr. Shafer in an unflattering light for the judge who signed the warrant. No mention is made whatsoever regarding the fact that the FTP site was open and anonymous and Justin hacked nothing, AND responsibly reported that breach, not even allowing the media to report on it until they secured the data. The complaint mentions nothing about Justin's efforts to reach out to the FBI regarding that database they "found" that he tried to tell them about when TDO distributed it to him and another researcher. Neither was there any mention at all regarding his efforts in the past year that have helped secure the identities of 500,000 citizens by revealing breach after breach. Nor does it mention that his security research and work with the FTC and CERT prior to the raids helped exposed security flaws and misleading advertising by the developer of America's #1 dental EHR software resulting in a large fine and corrective settlement. Mr. Shafer is deeply committed to patient information security as evidenced by his actions and deeds over the past few years, absolutely none of which made it into the complaint.
The complaint filed was supposed to be sealed from the public, but it was accidently released and was archived online by a sharp fellow security researcher before they sealed it once again. That is how all of this is known. Based on that complaint, a judge signed a warrant and Shafer was raided a 3rd time on March 31st. This time he is arrested and indicted on charges of cyberstalking and doxxing a federal employee. After a few days in jail, a judge releases him under bond with the condition that he is not to contact the agent or his relatives, he is not to use social media, he must wear a GPS/ankle monitor and he is only supposed to use his computer for work purposes.
On April 14th, he posts an article on his professional dental IT blog that discusses the status of several security breaches he's worked on and discusses the inaction of the feds on these matters, as well as offering a criticism of the justice system specifically the investigators at the FBI and at the Office for civil rights @ Health and Human services.
http://justinshafer.blogspot.com/2017/04/shake-it-off.html
According to court documents, his pre-trial officer monitoring his activity decided this was a violation of his release terms. Hauled in before the judge, he is told that his use of blogger was accessing social media w/o permission, and that he was not supposed to use a computer for anything other than work. He's now held without bail in a federal holding facility until he stands trial for the cyberstalking and doxxing charges which should be in a couple of months.
A blog is publishing platform, not a collaborative document and Mr. Shafer's blog is absolutely one used in a professional, not personal, capacity. Every news outlet in the USA with a website posts the same sort of articles. Each with the ability for people to comment and share the article. Does that make them social media websites too? No, it does not.
All of this started because some big multinational corporation with faulty security told the FBI that they were hacked and passed the buck to the person who responsibly reported their security problem instead of shouldering the blame for leaving that patient data out in the open on an anonymous FTP server.
Instead of questioning Shafer, or arranging to clone his drives, the FBI chose to raid Shafer at gunpoint, taking all the computers, game consoles, thumb drives, and laptops they could find while Mr. Shafer could only sit by and watch. The only thing they can pin on him is the facebook/twitter nonsense and they've got a case.
Nothing will happen to that company for crying wolf, nothing will happen to the FBI for what they've done here. For what Shafer has done, he's now facing a maximum stint of 15 years behind bars.
Could Justin actually be a co-conspirator with the TDO or is he TDO himself? We live in a world where Trump is the President, anything you dream can come true. The Feds seem to think there's something there, but they've provided absolutely zero evidence to support such a hypothesis despite 3 raids, seizure and forensic analysis of all his electronics, his social media records subpoenaed... Nothing, other than a cop-out charge for daring to say some stuff to someone on twitter/facebook.
It's insane, all of it. Meanwhile his wife and two small kids are in trouble. He was the sole bread winner. The feds don't care. They "got" their man.