Category: Computer Fraud and Abuse Act

May 27 2016

Armed FBI agents raid home of researcher who found unsecured patent data

(credit: DailyDot)

FBI agents armed with an assault weapon raided the home of a security professional who discovered sensitive data for 22,000 dental patients was available on the Internet, according to a report published Friday.

Justin Shafer, who is described as a dental computer technician and software security researcher, reportedly said the raid happened on Tuesday at 6:30am as he, his wife, and three young children were sleeping. He said it started when his doorbell rang incessantly and someone banged hard on his door. According to Friday's report:

“My first thought was that my dad had died,” Shafer told Daily Dot in a phone interview, “but then as I went to the door, I saw all the flashing blue and red lights.”

With the baby crying in fear from the racket, Shafer opened the door to find what he estimated to be 12 to 15 FBI agents. One was “pointing a ‘big green’ assault weapon at me,” Shafer told Daily Dot, “and the baby’s crib was only feet from the door.”

The agents allegedly ordered Shafer to put his hands behind his back. As they handcuffed him, his 9-year-old daughter cried in terror, Shafter said, and his wife tried to tell the agents that there were three young children in the house.

Once handcuffed, Shafer was taken outside, still in his boxer shorts, still not knowing what was going on or why.

Over the next few hours, the agents seized all of Shafer’s computers and devices—“and even my Dentrix magazines,” Shafer said. “The only thing they left was my wife’s phone.” The seized property list, a copy of which was provided to Daily Dot, shows that federal agents took 29 items.

Enter Eaglesoft

A FBI agent told Shafer the raid stemmed from an incident in February, when Shafer discovered a file transfer protocol server operated by Eaglesoft, a provider of dental practice management software. The FTP server reportedly stored patient data in a way that made it easily accessible to anyone. Shafer contacted DataBreaches.net and asked for help privately notifying the software maker, and once the patient data was secured, the breach notification site published this disclosure. In a blog post of his own, Shafer later discussed the FTP lapse and a separate Eaglesoft vulnerability involving hard-coded database credentials.

Read 3 remaining paragraphs | Comments

Dec 14 2015

13 Million MacKeeper Users Exposed

The makers of MacKeeper — a much-maligned software utility many consider to be little more than scareware that targets Mac users — have acknowledged a breach that exposed the usernames, passwords and other information on more than 13 million customers and, er…users. Perhaps more interestingly, the guy who found and reported the breach doesn’t even own a Mac, and discovered the data trove merely by browsing Shodan — a specialized search engine that looks for and indexes virtually anything that gets connected to the Internet.

mackeeperIT helpdesk guy by day and security researcher by night, 31-year-old Chris Vickery said he unearthed the 21 gb trove of MacKeeper user data after spending a few bored moments searching for database servers that require no authentication and are open to external connections.

Vickery told Shodan to find all known instances of database servers listening for incoming connections on port 27017. “Ports” are like doorways that govern access into and out of specific areas of a server, and each port number generally maps to one or a handful of known Web applications and services. Port 27017 happens to be associated with MongoDB, a popular database management system.

In short order, Vickery’s request turned up four different Internet addresses, all of which he later learned belonged to Kromtech, the company that makes MacKeeper.

“There are a lot of interesting, educating and intriguing things that you can find on Shodan,” Vickery said. “But there’s a lot of stuff that should definitely not be out there, and when I come across those I try to notify the owner of the affected database.”

Vickery said he reached out the company, which responded quickly by shuttering public access to its user database, and publicly thanking him for reporting it.

“Some 13 million customer records leaked from is aware of a potential vulnerability in access to our data storage system and we are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use,” the company said in a statement published to its site totday. “We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.”

Kromtech said all customer credit card and payment information is processed by a 3rd party merchant and was never at risk.

“Billing information is not transmitted or stored on any of our servers. We do not collect any sensitive personal information of our customers,” the statement continues. “The only customer information we retain are name, products ordered, license information, public ip address and their user credentials such as product specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licenses.”

Vickery said Kromtech told him its database had been inadvertently exposed as a result of a server misconfiguration that was introduced just last week. But Vickery said he doubts that’s the case, because some of the Shodan records he found that pointed back to Kromtech’s database were dated mid-November 2015.

“The funny thing is, I don’t even own a Mac, and I had never heard of MacKeeper until last night,” Vickery said. “I didn’t know it was some sort of scamming scareware or software that pushes itself on people. The irony here is pretty thick.”

Vickery said he was able to connect to the database that Shodan turned up for him just by cutting and pasting the information into a commercial tool built to browse Mongo databases. Asked whether he’s worried that some clueless organization or overzealous prosecutor might come after him for computer hacking, Vickery said he’s not concerned (for background, see the controversy over bone-headed cases brought against researchers under the Computer Fraud and Abuse Act).

“It’s a concern, but I’ve made peace with that and you can’t live your life in fear,” he said. “I feel pretty confident that if you configure a server for public access — without authentication — and it gets publicly accessed, that’s not a crime.”

I admire Vickery’s courage and straightforward approach, and his story is a good reminder about the importance of organizations using all of the resources available to them to find instances of public access to sensitive or proprietary data that shouldn’t be public.  Consider taking the time to learn how to use Shodan (it’s actually fairly intuitive, but some data may only be available to paying subscribers); use it to see if your organization has unnecessarily exposed databases, networking devices, security cameras and other “Internet of Things” devices.

Finally, if you’re a MacKeeper customer and you re-used your MacKeeper user password at other sites, it’s now time change that password at the other sites — and not just to your new MacKeeper password! For more password do’s and don’ts, check out this primer.

Mar 20 2013

Andrew Auernheimer AKA Weev Gets 41 Months Jail Time For GET Requests

This is a pretty sad case, and one which I’m sure all of us have followed since it first started. Surprisingly it hasn’t gotten a whole lot of media attention, but then this legal precedent sticks it to the man and has some consequences regarding the infosec industry – and who would want to publicize [...] The post Andrew...

Read the full post at darknet.org.uk
Sep 18 2012

Feds Charge Activist with 13 Felonies for Rogue Downloading of Academic Articles

Photo: selfagency/Flickr

Federal prosectors added nine new felony counts against well-known coder and activist Aaron Swartz, who was charged last year for allegedly breaching hacking laws by downloading millions of academic articles from a subscription database via an open connection at MIT.

Swartz, the 25-year-old executive director of Demand Progress, has a history of downloading massive data sets, both to use in research and to release public domain documents from behind paywalls. He surrendered in July 2011, remains free on bond and faces dozens of years in prison and a $1 million fine if convicted.

Like last year’s original grand jury indictment on four felony counts, (.pdf) the superseding indictment (.pdf) unveiled Thursday accuses Swartz of evading MIT’s attempts to kick his laptop off the network while downloading millions of documents from JSTOR, a not-for-profit company that provides searchable, digitized copies of academic journals that are normally inaccessible to the public.

Using a program named keepgrabbing.py, the scraping took place from September 2010 to January 2011 via MIT’s network, and was invasive enough to bring down JSTOR’s servers on several occasions, according to the indictment.

Disclosure: Swartz was part of a small team that sold Reddit to Condé Nast, Wired’s parent company, and has done coding work for Wired.

In essence, many of the charges stem from Swartz allegedly breaching the terms of service agreement for those using the research service.

“JSTOR authorizes users to download a limited number of journal articles at a time,” according to the latest indictment. “Before being given access to JSTOR’s digital archive, each user must agree and acknowledge that they cannot download or export content from JSTOR’s computer servers with automated programs such as web robots, spiders, and scrapers. JSTOR also uses computerized measures to prevent users from downloading an unauthorized number of articles using automated techniques.”

MIT authorizes guests to use the service, which was the case with Swartz, who at the time was a fellow at Harvard’s Safra Center for Ethics.

The case tests the reach of the Computer Fraud and Abuse Act, which was passed in 1984 to enhance the government’s ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality.

The government, however, has interpreted the anti-hacking provisions to include activities such as violating a website’s terms of service or a company’s computer usage policy, a position a federal appeals court in April said means “millions of unsuspecting individuals would find that they are engaging in criminal conduct.” The 9th U.S. Circuit Court of Appeals, in limiting reach of the CFAA, said that violations of employee contract agreements and websites’ terms of service were better left to civil lawsuits.

The rulings by the 9th Circuit cover the West, and not Massachusetts, meaning they are not binding in Swartz’ prosecution. The Obama administration has declined to appeal the ruling to the Supreme Court.

The indictment accuses Swartz of repeatedly spoofing the MAC address — an identifier that is usually static — of his computer after MIT blocked his computer based on that number. The grand jury indictment also notes that Swartz didn’t provide a real e-mail address when registering on the network. Swartz also allegedly snuck an Acer laptop bought just for the downloading into a closet at MIT in order to get a persistent connection to the network.