A puzzling private industry notification from the FBI (UPDATED)

Update of March 31: Tonight, Justin Shafer contacted this site to report that the FBI was raiding him again – for the third time – and this time, they had an arrest warrant for him. DataBreaches.net is waiting to get additional details and will post something when we know more.

Original post:

On March 22, the FBI issued a Private Industry Notification that this blogger found somewhat surprising, to say the least. In PIN Number 170322-001, they write that they are

aware of criminal actors who are actively targeting File Transfer Protocol (FTP) servers operating in “anonymous” mode and associated with medical and dental facilities to access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass, and blackmail business owners. (emphasis added by DataBreaches.net)1

What case(s) or investigation is this stemming from, though? My first thought was that the FBI might be believing accusations by some covered entities who may have felt embarrassed after Justin Shafer exposed the fact that they were  leaking PII and PHI on “anonymous” FTP servers. At least one of those covered entities allegedly tried to get Shafer charged with hacking under the federal hacking statute (CFAA), and it’s still not clear whether Shafer will actually be charged by federal prosecutors. The FBI raided Shafer in May, 2016,  and then again in January of this year.

But the PIN says that the purpose of accessing the publicly exposed data is to “intimidate, harass, and blackmail business owners.” Is there any evidence Shafer ever did any of those things? Is there any evidence anyone ever did any of those things? The PIN does not provide any specific examples or cases at all. If this is such a significant problem that the FBI wants the private sector to take action to secure these FTP servers, how is it that they provided not even one example?

Could It Be Shafer?

DataBreaches.net knows, from experience, that if Shafer believes an entity should be disclosing or reporting a leak, he will continue to contact the entity to pressure them to do so – and/or he will file a formal complaint with HHS/OCR about the leak and the entity. But that is all likely protected speech and not criminal behavior. To this site’s knowledge, Shafer has never attempted to harass or blackmail any of the entities whose PHI he found exposed, although if they are on the receiving end of phone calls or numerous emails from him, they might feel harassed.

But blackmail? Truly criminal conduct? Shafer? That doesn’t sound plausible based on his history, although it might explain why during the second FBI raid, the agents were looking for bank accounts and credit cards. Could they really suspect him of blackmail?

Could It Be TheDarkOverlord?

The second FBI raid, which I had reported here, continues to be a head-scratcher, unless you know about a very peculiar convo TheDarkOverlord had with Shafer in private messages on Twitter. On February 6, TheDarkOverlord (TDO) contacted Shafer. It was  approximately one week after the raid and this site’s published post about the raid. In that conversation, TheDarkOverlord (TDO) made some bizarre statements to Shafer, including:

We understand your frustrations, Justin. Perhaps the FBI raided you because you’ve divulged intelligence to us?

Shafer (understandably) responded:

?

Somewhat later in the convo, TDO made a surprising admission or claim:

We’ve had a lot of fun with Dentrix lately, mate.

and

You’ve been a great help to us, Justin. We owe you some internet money.

What help would that be? Disclosing the fact that Dentrix used hard-coded credentials and wasn’t as secure as their advertising had claimed? Is that how Shafer allegedly helped them?

Was TDO trying to set Shafer up? It certainly sounded possible, as later in the convo, there was also this exchange:

TDO: What did you do with those coins we sent you before?
JS: I have no idea what you are refer ing to
TDO: We cut you in, remember?
JS: nope
TDO: Oh, right! Shhhh

At other points, TDO made comments like:

They’re onto our collaboration, perhaps?

[…]

We all know you’re passing us leads, mate.

[…]

Say Justin, do you think the FBI thinks you’re working with us?

From the writing style, the individual sending those messages is not the same individual who had posted as TDO’s spokesperson in the past. This individual appeared to be either trolling Shafer, trying to frame him, or phishing to find out if Shafer had had any relationship with the former TDO spokesperson. Whatever the explanation, the comments and questions might hurt Shafer if the FBI has been monitoring his private communications and if the FBI were to believe TDO’s claims in that convo.

But given TDO’s claims that they had been exploiting Dentrix installations and had been busy “showing Dentrix whose boss,” (sic), could the FBI be investigating TDO for acquiring PII/PHI from public FTP servers and using it to harass, intimidate, or blackmail business owners? A blackmail claim would certainly more consistent with TDO’s MO than with anything Shafer has ever been known to do.

To be clear: DataBreaches.net has no knowledge that TDO or its former spokesperson have been engaged in helping themselves to data from “anonymous” FTP servers. Nor does this site have any knowledge as to whether TDO has really been attacking Dentrix installations. But if the PIN is based on sound investigation, some criminal activity has occurred or is occurring, and if it’s not Shafer who’s engaging in attempted blackmail, then who is?

In any event, the FBI’s advice is good advice – review your servers and configurations to ensure that you are not making PII/PHI available on “anonymous” FTP servers.

——–
1 While PINS are not to be distributed or cited publicly, because this PIN was posted in its entirety publicly in a few places, and reported on and discussed by others, it seems appropriate to comment on it here, too.

About the author: Dissent