Nov 18 2017

Guy Boulton reports:

Confidential medical information or other personal data of 9,500 patients at the Medical College of Wisconsin was compromised by a targeted attack on the school’s email system in July, the Medical College said Friday.

The compromised email accounts contained one or more of the following types of information: patients’ names, home addresses, dates of birth, medical record numbers, health insurance information, dates of service, surgical information, diagnosis or medical condition, and treatment information.

Read more on Journal Sentinel.


Nov 18 2017

On Friday, December 1, lawyers for an infosec researcher who has been in jail since April will argue that U.S. District Judge David C. Godbey should release Justin Shafer from jail while he awaits trial.

For those who are not familiar with the case, Shafer, a dental integrator technician and independent infosecurity researcher, faces federal charges of cyberstalking an FBI agent and the agent’s family. And those are the only charges he currently faces, although you might have been misled by others’ headlines into believing that he is an alleged hacker or an alleged co-conspirator of the blackhats known as TheDarkOverlord. Shafer has not been charged with any hacking-related activity at all.

In fact, the case against Shafer initially had nothing to do with blackhat hackers at all and everything to do with the fact that Shafer was uncovering and disclosing leaking databases, and the entities he was reporting on did not always take kindly to being embarrassed publicly for their poor data security. Shafer would also file complaints with HHS/OCR and the FTC over sloppy or failed data security. And it was one of those entities that apparently tried to accuse Shafer of hacking them after he found patient data on a public FTP server that did not require any login.

Once the FBI started investigating Shafer as if he were some blackhat criminal for finding and disclosing leaky databases, Shafer’s relationship with one Dallas FBI agent started to deteriorate. And it was only against the backdrop of that already somewhat adversarial relationship that, one month later, when Shafer started investigating TheDarkOverlord and trying to help the FBI, the FBI started treating him as a possible co-conspirator instead of as an asset.

To be clear: while Shafer repeatedly and demonstrably attempted to help the FBI catch TheDarkOverlord, Shafer did make negative public comments to and about a Dallas FBI agent, Nathan Hopp, whom Shafer felt harassed by over a period of years. Those comments were made on Shafer’s blog and on his Twitter account.  But was there really anything criminal about those comments or are they protected speech under the First Amendment?

And who wouldn’t be angry if you’d been raided three times by the FBI and you had never done anything illegal? Maybe it was imprudent to shoot off his mouth at an FBI agent or his family, but Shafer and his family have been through a lot of harassment from their perspective. I recently reported what Shafer’s wife told me about how all these raids have affected their children, but here’s a snippet of Shafer’s description of one of the raids, and his concern for his child’s safety because of it.  On February 2, he wrote about the second (January) raid:

… I heard some boots making noise outside the house. I went outside, and there was a guy with an AK-47 pointing it at me, freaking out because my hands are not up.

That is when I saw 5 or 6 guys by my garage, and I think everyone had an AK-47 it seemed. These dudes were TWICE the size of the guys who raided me the first time. They told me they were not part of the first people who raided me, because I asked if Nathan Hawk was around. =)

[Note: at the time of this raid, Shafer still mistakenly thought Agent Hopp’s name was “Hawk”].

I remember what [a lawyer] said, and decided I would take his friendly advice. He told me if he was raided, he would decline all interviews and just leave. You don’t need to be present during a raid, really.

The FBI Agent who had a gun on me, told me we could go inside after they “cleared” the house (make sure nobody else is inside). I told him I “respectfully decline the interview”.. I then told him I wanted to leave, and they said okay but didn’t let me leave. Then he told me again, they would let me leave after I talked, and reminded him that I “respectfully decline this interview”. So they put me into a NRH cop car, and then told me they were taking me to jail


I was upset when my 3  year old daughter handed me a CR-2032 battery. Any kid who eats one of those, dies. Horrific. I am very careful to keep shit off the floor. If she had of eaten it, I would be losing my mind…..

Might you be upset with the FBI under similar circumstances?

But wait, you say – didn’t the FBI find actual evidence during that January raid that Shafer was conspiring with the blackhat hackers known as TheDarkOverlord? Didn’t you see something about a stolen database and a chat log?

No, the FBI did not find evidence of any conspiracy nor any criminal activity on Shafer’s part.

What they found was that TheDarkOverlord gave Shafer information in 2016 which Shafer had then promptly passed along to the Dallas FBI via e-mail and phone to help them. What they found in January, 2017 was what Shafer had already given them and other law enforcement agencies in 2016 to help them catch TheDarkOverlord.

And if you haven’t seen the evidence I posted showing that Shafer was trying to help the FBI  – see this post for screenshots.

So Shafer was charged with cyberstalking, and those charges were padded by references to claims that he was being investigated as a co-conspirator of TheDarkOverlord, when the factual history shows that Shafer was passing along information on TheDarkOverlord to law enforcement in both this country and the U.K.

When Shafer was arrested, he was released with pre-trial conditions. Those conditions included what many First Amendment experts might consider prior restraint of speech.  Shafer has every right to complain about an FBI agent whom he feels is harassing him or his family. He has every right to complain loudly and publicly about an agency repeatedly raiding him even though there is no evidence of wrongdoing on his part.

Criticizing an FBI agent publicly doesn’t seem exactly prudent, but that doesn’t make it criminal speech or conduct. So why has it cost Shafer his freedom for all these months?

On December 1, Tor Ekeland, Shafer’s attorney, will argue that Shafer should be released from jail while he awaits trial on the cyberstalking charges.  That trial date has now been set to begin January 22, 2018.

I remember the days when EFF and the ACLU would be all over a case like this, forcefully speaking up for and defending someone in Shafer’s position. While EFF did make a few comments to a Dallas reporter about this case, the ACLU of Texas and the national ACLU have remained silent. Why?

Shafer’s speech may have been imprudent, but unpopular speech is exactly what most needs protection and vigorous defense.  If using Google to look up someone’s address or saying “hi” to someone’s wife on Facebook can be construed as evidence of “cyberstalking,” we are all in trouble.

This is one of those cases that has the potential to make bad law on free speech. If you care about the First Amendment and pushing back against government attempts to erode your right to protected speech, maybe you should get to the Dallas federal courthouse on December 1 at 10:00 am and show your support for Shafer and the issue of free speech.

And if you’re an infosec researcher who has ever been falsely accused of hacking or wrongdoing because you tried to do the right thing to improve data security, then perhaps you should speak up and support Shafer, because if they can chill his speech by jailing him for so long, what can they do to your speech and ability to disclose vulnerabilities and leaks you find?




Nov 18 2017

Rachel Polansky reports:

Dozens of Southwest Floridians are sick and tired of waiting for answers from FEMA after being hit by Hurricane Irma and then, identity thieves.

A month after the NBC2 Investigators exposed a major scheme involving criminals stealing local identities to defraud the federal government, the NBC2 Investigators are finally getting answers from FEMA.

Read more on NBC-2.

Nov 17 2017

Sam Wildman reports that a Wellingborough, U.K. man who has been linked to TheDarkOverlord has been sentenced to jail for three years, but for crimes that do not unequivocally appear to be the work of the blackhat hacking collective.

“Crafty Cockney,” whose real name is Nathan Wyatt, had pleaded guilty in September to 20 counts of fraud by false representation, two counts of blackmail and one count of possession of an identity document with intent to deceive (a false passport). Among the charges that he confessed to was using his dead stepfather’s credit card for months to make fraudulent purchases.

Selfie of Nathan Wyatt, aka “Crafty Cockney,” taken approximately 5 years ago. Provided by Wyatt.

As I reported last year, on September 24, 2016, Wyatt was arrested on suspicion of Computer Misuse Act offences for allegedly attempting to broker the sale of what he claimed were pictures of Pippa Middleton that had been hacked from her iPhone. He was later released without any charges stemming from that incident, and he never publicly identified who the actual hacker was who had hacked Middleton’s iPhone. He repeatedly denied that he was the hacker.

As Wildman explains, however, once law enforcement seized Wyatt’s computer and other devices, they found evidence of other crimes, including his attempt to extort money from an unnamed law firm for the return of files he had allegedly obtained by using malware. You can read more of Wildman’s coverage on Northamptonshire Telegraph.

The Daily Mail provides some interesting additional details, including that the ransom letter to the law firm was signed “Regards, The Dark Overlords.” It is difficult to imagine the hacking group getting their name wrong, so if that was not a typo by the news outlet, then there may be some reason to wonder whether the extortion attempt really was by TheDarkOverlord or if it was just Wyatt trying to capitalize on any fear their brand might generate. Neither Wyatt nor any spokesperson for TheDarkOverlord has ever claimed to this journalist that Wyatt was ever any kind of core member of the hacking collective.

Although Wyatt may or may not have been a core member of TDO, the judge sentencing him seems to have recognized that Wyatt is likely responsible for many more crimes than were charged. According to Richard Spillett’s report in the Daily Mail, Judge Martin Griffiths sounded somewhat skeptical that Wyatt had been held to account for everything: “A rather more sceptical mind would say there was a great deal more to this behaviour than there is in these counts.” He reportedly added: “I consider this was a sophisticated piece of offending by you.”

Wyatt has not been charged criminally in the U.S. (or at least no charges have been made public as yet), but he has been linked to hacks by TheDarkOverlord of one or more Georgia clinics.

At various times, Wyatt told this journalist about a phone call he was supposed to make to a hacking victim to pressure him to pay the ransom demanded by TheDarkOverlord. As best as this journalist could determine, that victim was Athens Orthopedic Clinic. But did Wyatt actually make the phone call or not?

At one point, he claimed to this journalist that although he was supposed to make the call and had told his contact from TheDarkOverlord that he had made it, he hadn’t made it. was never able to obtain any direct communication with the clinic owner, and therefore does not know whether he claimed to have received any corresponding call, but here is the recording of the call that Wyatt informed me was his work. It was uploaded to YouTube on July 10, 2016.

Wyatt had also linked to the recording in a post on a now-defunct AlphaBay forum.

In addition to allegedly making a call to pressure a U.S. hacking victim into paying ransom, Wyatt allegedly served other functions for TheDarkOverlord, including setting up bank accounts in the U.K. where U.S. victims would then wire ransom payments.

Somewhat amazingly, perhaps, information obtained by revealed that Wyatt actually opened at least one of those accounts in 2016 using his real name. He also seems to have used his live-in partner’s real name for another one of the accounts. Although she, too, had been charged criminally in some matters, his partner was later acquitted after no evidence was reportedly produced by prosecutors at trial.

It is not clear whether Wyatt might be eligible for parole at some point or if he will have to serve the entire three years in jail.  Perhaps someone more familiar with the U.K. criminal justice system can address that question. And as to whether he will ever face charges over any U.S. crimes, I guess we’ll all have to just wait and see.

Correction: A previous version of this report indicated that the owner of Athens Orthopedic is named James Kayo. That was an error, and apologizes for the confusion. Kayo Elliott is the CEO of the clinic. 

Nov 17 2017

CNN reports:

A researcher says the Pentagon exposed huge amounts of web-monitoring data in a security failure.

Anyone with a free Amazon Web Services account could have looked at the hoard of information stored in the cloud by the U.S. Defense Department, according to Chris Vickery, a researcher at cybersecurity firm UpGuard who discovered the exposure.

Read more on CBS.