It all started around 2009 when I started to have fun with "security". It started with a thumbs up feature that DentalTown added, and ended with me making a FTC Statement and 4 US-CERT vulnerability notes. 1 to Faircom, 2 to Dentrix (1 remains private) and 1 to Eaglesoft.
Sigh.
After the thumbs up thing I realized I could actually ban people on DentalTown, and I did this to one person intermittently (that was actually really funny). I eventually realized that there were problems in the mechanism used to upload images as you could use it to upload shells or other peoples pictures or even deface the site.
After this I progressed to other websites that I won't name, but two I will. I would love to name some others but I shouldn't. I like to say, I help law enforcement though. And even a financial institution. I never thought that would happen, but to my surprise, I started seeing problems with all sorts of different websites, and I couldn't help but try to get them fixed, most of the time.
This was something called SQL Injection. I was just being a white hat, and I knew what damage this could do to dentists. I never really inspected all the databases or tables or really went into this.
New stuff lately.
Know anyone at the ADA Howard? I am giving dentrix a week until I tell them to fix the credit card stuff.
So some time goes by and the ADA was still exploitable and I sent them an email asking them why and my response was an email from the director, in the form of a threat, I threatened to tell DentalTown Magazine (rofl):
I told them I never sent them an invoice and I showed their IT guy what tool I used and everything, I sent a screenshow that said NOT FIXED!
And then they finally fixed this SQL Injection problem as far as I know. I was actually more worried about the DentPin Database but I knew to stay away from it.
After this, I had impressed people so I got invited to a Dentrix Summit??? This is where Dentrix invites "leaders and popular people" to come up to Utah and have a circle-jerk about their software. When I arrived I was all ready to see the new Dentrix G5 Beta with the new Database. We all signed an NDA to attend.
I was told Dentrix G5 would have an encrypted database and encrypted tcpip packets, but as soon as the presentation was over, and employee looked at me, and told me "It's easy!" without making to much noise. I was then asked if I would like a job at Dentrix, and I told them my mom had a stroke and my dad had a heart attack (all true), but in reality I felt like I was just being asked to aide in a cover up of lies.
I waited to see Dentrix for myself.
Henry Schein Practice Solutions advertised database encryption and security from hackers because their new database flies "low under the radar" from nefarious people. *rofl*
http://web.archive.org/web/20140428021311/http://www.dentrix.com/products/dentrix/documentation/g5-white-paper.pdf They then asked me if I would like to work for them. 3 tech guys I didn't really know that well.
After the Summit:I got an email from Howard Bangerter asking me if I would like to enroll in the Dentrix G5 Beta. I declined but told him I would. I noticed it had a Non-Disclosure Clause, and I figured that is what he really wanted. Then I was told by Howard Bangerter via a phone call that Sikkasoft was reading the Dentrix G5 database without being enrolled in the Dentrix Developer Program, and asked me how it might be possible, which was odd to me because someone from Utah told me that ODBC access was easy, even before I received this phone call. I told Howard that packet sniffing is the first place to start. I gave Howard the professional courtesy of saying "I am the last person you want to tell this to".
Waiting Game 1:
Waited to see Dentrix G5 release. I was also asked if I would like to be employed at the local Schein office, but I really don't know if they knew what was going on with me and the folks at Utah... I do have this one suspicion and I will get to that later.
I got bored and decided to really read up on FairCom ACE Databases. I got a trial and read the manual, created a database, and learned how I could bypass a lot of my own security.
I finally got to see it around April 2012, and as soon as I did I blew right threw ALL security. Encryption and Authentication. I was really happy about this, because I thought I could show Dentrix, and they would just fix it, and maybe stop lying. I created a youtube video that showed the password and for this I received a phone call from Michael Allsop:
I remove the video in question, and just asked that Henry Schein take security more seriously. They told me they would and that was that.
Dentrix G5 HotFix 1 Patch through Dentrix G5 HotFix 2:
They changed the password and that was it. This was around June of 2012. So I decided to make a post on DentalTown about it, I also emailed the good folks at Dentrix to tell them the new password.
HotFix2 was a little better, they changed a dll file that no longer showed the password in a tcpip packet, but the older dll could be swapped out and it showed the new password, so FAIL.
I showed them emails showing them me accessing my SSN and asked them if we should tell DentalTown about AES. They asked me again to be a Dentrix Beta Tester, which I again refused. My customer number starts with 666, maybe they view me as the AntiChrist.
LightHouse 360 and Write Access:
Dentrix had given DemandForce exclusive access to the Dentrix G5 Database. This was GREAT if you had a financial interest in DemandForce, otherwise it was kinda shitty. People were upgrading to G5 to find that they could not WRITE to the database. I thought this was bad. Partly because Schein doesn't seem to give a shit about security, but on the other hand uses the security, to restrict other companies from writing to the database.
Using False Encryption to Keep Customers:
I found that Provo Dental Care was trying to leave Dentrix G5 but she was going to be charged an hourly rate to decrypt her database. This made them upset. I have also received an email from Curve Dental asking if I could do anything at all in regards to Dentrix giving them the run-around in regarding decrypting a database.
http://thedigitaldentist.com/2012/02/dentrix-g5-ships/
Dentrix 11 Database on the piratebay:
I found a database in September 2012 on a file-sharing website, and 18 people were seeding this database without realizing what they were seeding most likely. Either way this was bad, and I emailed Dentrix. Bangerter asked me not to "out the doctor" because he was probably already on Dentrix G5. I informed Howard my SSN had not changed between 11 and G5 letting him know that I wasn't buying their security bullshit, and I called the doctor to let him know, and then Howard followed up. Howard told me again not to out the doctor. I had a feeling they would blame me if I did. Just a hunch.
US-CERT & DentalTown Ad:
Since they asked me not to out the doctor, for a very serious breach, I sensed a real culture problem at Henry Schein, so I decided I should probably tell US-CERT about Dentrix. This was going to have serious reprocussions on my business and contacts\relationships, but I felt like this shouldn't matter because a lie is a lie is a lie, and someone should try to stop them.
US-CERT created
VU# 948155 in response, in October of 2012 and during this time was working with Schein.
While all of this was going on, Schein decided to go ahead and advertise encryption and safety from hackers, before the first VU# from US-CERT was even public on DentalTown.
This irritated me, mainly because they were now ignoring my work. This is fine if your just some ho-hum company, but when your in charge of writing the nations #1 PMS Software in Dentistry... not good culture. During this time I pleaded with Howard Goldstein at Dentaltown which he told me:
From: Howard Goldstein <HoGo@farranmedia.com>Date: Tue, Nov 6, 2012 at 8:49 PMSubject: RE: oh yeahTo: Justin Shafer <justinshafer@gmail.com>, howard.bangerter@henryschein.com
Justin-You are much smarter than I am with technology and I listen to you.However I am much smarter than you with common sense. JEven if you are right, common sense says that it is not worth getting into a legal battle with a big company.Please listen to me and let this go.Take Care…Howard Howard M. Goldstein, DMDDirector of Continuing EducationFarran Media LLCDentaltown / Orthotown / HygienetownDentaltown Message Board Manager9633 S 48th Street / Suite 200 / Phoenix, AZ 85044cell: 610.216.3374 | fax: 610.866-1936 HoGo@farranmedia.com
This upset me because all my posts (that got deleted) and emails were falling on deaf ears.
I had a conversation with Lorne:
The Digital Dentist <drlavine@thedigitaldentist.com> |
| | |
|
|
Well, here's my take on it, you can take it as advice from someone older, or just ignore it as the ramblings of someone whose opinion doesn't matter: One of the things I've learned after 25+ years in business is that what you know is rarely as important as who you know. Dentistry is a small community and you never know who you're going to want in your corner someday. If you choose to do battle with an $8 billion company, I guess that's your prerogative, but it separates you away from a good chunk of the rest of the community. I compete with Schein on deals every day…but I also get a lot of my income from doing webinars, lectures, whitepapers, etc for them and their partners. There's no reason you can't play nicely with them and turn it to your advantage. Your posts, however, are having the opposite effect. I don't know if HoGo has communicated with you, but if I were Moderator of that forum, I'd certainly be suggesting that you tread lightly. Again, take the advice as you want. As a colleague and friend, I felt I owed it to you to at least try. Sincerely,
![image001]()
Then I was threatened with a "Linked In View".. ROFL. Yes that is correct, except how would you feel? Bangerter told me "they even work on Christmas!"
http://www.proskauer.com/professionals/sigal-mandelker/
Sigal testified before Congress a number of times on matters of criminal law, prepared Administration officials for congressional hearings, and negotiated various legislative provisions with congressional staff and within the Administration. She also represented the Department of Justice before the Federal Communications Commission, chaired Team Telecom, an interagency group that reviews telecommunications licenses where there is foreign investment and worked with a number of Federal agencies on a wide-range of regulatory and policy matters. In numerous enforcement areas, she coordinated the Department’s work with the FBI, DHS, ICE, U.S. Secret Service, the State Department, USTR, the Department of Commerce, the White House, the National Security Council, the Homeland Security Council and other government agencies.
I went on DentalTown and made a post that I needed a Ferrari if I was going to look the other way now. This was just a joke, but my intention was to let them know I was not backing down.
Right before this went public in April 2013, I created a new youtube video showing off how FairCom Standard Encryption could always be bypassed, confusing a lot of people. as they thought this new video had something to do with the VU# that came out, but it didn't.
Dentistry IQ released an article about this, and let Lorne Lavine give a quote, in which he said there was nothing to really worry about. Yeah... Hard-Coding Credentials, Local Admin, and Flash.. nothing to worry about there.... (IDIOT)
Chalk it up to a culture problem. Lorne was with me at the summit, and perhaps he just doesn't care about security and being honest. At this point, I thought Dentrix G5 was finally fixed regarding authentication, up until I had the weirdest dream! More on that later.
US-CERT Part 2:
Faircom Standard Encryption Vulnerability! US-CERT decided to do something with the second youtube video I made.
They talked to Faircom and persuaded Faircom to rename encryption to something called data camouflage, which is a catchy name for data scrambling. I commend Faircom for doing this.
Henry Schein ignored ALL of this, and just kept calling Dentrix G5 encrypted for HIPAA, which was just an absolute awful thing to do.
Not only this, but I was getting PISSED. I decided to come up with a new plan. Remember that Dentrix Database on a File-Sharing Site????
Waiting Game 2:
May 2013, I was about to freak out. Waiting for US-CERT to do the second VU#. Dentrix was no longer talking to me, none of my efforts seemed to have had any affect, and everyone I knew told me not to care about this, and let it go, but I just didn't want to quit. I realized my mugshots were also on the internet. Everytime I went to US-CERT, mugshots.com would find dirt to dig up on me. This really depressed me as I had been arrested in the past and I just hated knowing someone would try using this against me to shut me up. I decided to play into this (screw it right?). I posted an instrumental version to Cypress Hill's Illusions.
And I had a bite from someone named DewDropInn... I kinda regretted doing this test, but I figured eventually they would try to laugh me off of DentalTown if GIVEN ENOUGH TIME. So I decided my time on DentalTown was most likely short lived. It was only a matter of time until the mugshots oozed into DentalTown by "mistake" only to be there long enough for enough people to see it, and then Hogo will "act" like he cares and moderate it. I figure this video would let someone know, I don't give a shit about the mugshots.. Bring it!!! In fact, I will GO FIRST!
My dad offered me a job so I took it because I was extremely depressed at this point in my life. I regret this, but I would probably not have my house still if I hadn't... All I could do was keep my head down on my desk, I barely answered the phone.. Life really sucked. Working for your parents wasn't all I thought it would be, worse I spent most of my time doing computer projects like intraoral capture buttons.
Also during this time I was asked many times to refrain from talking about Dentrix. Howard Goldstein told me I was not allowed to talk about it. I reminded him to remind Howard Farran about the ADA Emails and I would do whatever the hell I fucking please. Ta Ta!
From: Howard Goldstein <HoGo@farranmedia.com>Date: Thu, May 16, 2013 at 9:42 AMSubject: RE: Reported Post: Total Lack of SupportTo: Kerrie Kruse <kerrie@farranmedia.com>, Lorie Xelowski <lorie@farranmedia.com>, Ashley Harris <ashley@farranmedia.com>, Ken Scott <ken@farranmedia.com>Cc: "Justin Shafer (justinshafer@gmail.com)"<justinshafer@gmail.com>
Justin-Today was your last post about ANYTHING Dentrix. Even if helpful. Sorry but I have way too much of a workload to have to be monitoring you on a daily basis. Uwe Mohr is not allowed to post anything about Cerec. Kevin Tighe is not allowed to post about 123postcards.com. Others are not allowed to post about other subjects that they have issues with. The new rule is that you are not allowed to post about Dentrix.Your other posts are valuable but enough is enough....Sorry...Howard
Howard M. Goldstein, DMDDirector of Continuing EducationFarran Media LLCDentaltown / Orthotown / HygienetownDentaltown Message Board Manager9633 S 48th Street / Suite 200 / Phoenix, AZ 85044cell: 610.216.3374
I also added links to my DentalTown Signature so ALL my posts would show this information, and I have 11K of posts!
Breaking Hard Coded Credentials AGAIN:
That is right. I thought it was fixed, I wanted it to BE fixed. I posted on DentalTown it was fixed. I told US-CERT it was fixed. But in reality it was NOT fixed. I give credit to god for this (Yeah, I know this sounds quite bizarre) but I had this dream one night that I was using WinHex to swap actual hashes out of the FairCom.FCS file and pasting it to another, and if you did this with 9.0, it would show that password hash in RAM. This was a dream, and I was doing it with someone... holier then me. I know, it is crazy right? Well I woke up and ran to me computer and sure enough, that method WORKED! And I was BACK IN BUSINESS!!!!! WOOT WOOT!!!!!!!!!!!!!!!!!!!
I told US-CERT, and heard nothing....... So I figured they were in Schein's pocket at this point, or had some other motive I was and am still not REALLY that fully aware of, except that US-CERT has WAY more patience then I do!
NIST and US-CERT Release VU# 900031:
I can FINALLY go to the folks at DentalTown and tell them that YES, even NIST agrees with me!
https://www.kb.cert.org/vuls/id/900031https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0148https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4952I contacted Hogo and Howard Farran and literally got nowhere. We had a phone call and all they wanted me to do was not talk about this on DentalTown, this bugged me because DentalTown was paid money to carry on a lie, and I wanted them to DO something about it. (Not realizing that is easier said then done, I really didn't give a shit, and still don't)
Shit Hits the Fan:
August 2013, I had enough of this. I decided I would start a thread stating that Dentrix G5 was NOT encrypted. I think I called out Lorne, but I am not 100% sure since DentalTown deleted the thread.
http://www.dentaltown.com/MessageBoard/thread.aspx?s=2&f=145&t=209313I have already been reminded to what would happen to me if I was banned:
From: Howard Goldstein [mailto:HoGo@farranmedia.com]
Sent: Wednesday, February 08, 2012 5:40 PM
To: justin@onsitedentalsystems.com
Cc: Ken Scott; Lorie Xelowski; Kerrie Kruse
Subject: Justin's Account...
Justin- If we are forced to ban you, you no doubt would open a new fake account. However you would never be able to post openly on Dentaltown again. This would not be good for your business or your reputation. We would not hetitate to let Townies know why Justin is gone. If you EVER give out a password like you did on that post today or post so rudely about a company the way that you did today, your account will be officially inactivated. Use your head and think before you post on Dentaltown. You do not have free reign to post whatever you feel.. Furthermore your account information has you listed as Phfvtacb Vbvbjqmg from San Francisco with a phone # of 555-666-0606.You need to update your account within 24 hours or your account will be inactivated. Regards…Howard Howard M. Goldstein, DMDDirector of Continuing EducationFarran Media LLCDentaltown / Orthotown / HygienetownDentaltown Message Board Manager9633 S 48th Street / Suite 200 / Phoenix, AZ 85044cell: 610.216.3374 | fax: 610.866-1936 HoGo@farranmedia.com
In the
Dentrix G5 thread, I remember Lorne saying that Dentrix G5 was encrypted, even after US-CERT and NIST said it wasn't. I called him ignorant, a hybrid (part IT part perio), and asked him if he was in on the take. I also promised him that one day when you googled "Dentrix Encryption" that all the results would be truthful. He was actually the top result, and he posted that he was glad and he should commend his social marketing manager.
I then was banned for 1 week, and I decided this should be a permanent ban. Why participate on a board that doesn't care about truth or hurting patients during a data breach? Why continue years of posts knowing this? Even after the ADA, Thumbs up and even being able to grab the entire database and SSL keys, even after the Dentrix Credit Card thing, even after the Dentrix Database on a File Sharing Site, and NIST and US-CERT (twice), no somehow none of this was enough..
Justin-You are accusing Lorne of being on the take.You have called him ignorant on our message board.We have told you repeatedly that you cannot let your anger get the best of you and do that on the message board.You can get your points without the personal attacks...I am going to inactivate your account for one week so you can think about ways that you can get your points across without the personal attacks.Please don't hack back in.Next Sunday I will reactivate your account.You have been warned so many times. We have no choice....HowardHoward M. Goldstein, DMDDirector of Continuing EducationFarran Media LLCDentaltown / Orthotown / HygienetownDentaltown Message Board Manager9633 S 48th Street / Suite 200 / Phoenix, AZ 85044cell: 610.216.3374HoGo@farranmedia.com<mailto:HoGo@farranmedia.com>So I decided to exploit a cross site scripting vulnerability that I told Ken the Dentaltown IT guy about. The reason I found it was because in July 2013 someone had their gmail account hacked and thought it was Dentaltown because DT and Gmail were the only 2 sites that had that password, further more at the same time someone was able to make posts in the Classifieds section without an account. Anyways the night of my first ban I started posting as other people, and I ended DentalTown with a good Rick Roll. I do apologize if I offended anyone or used your account to make a statement. Also, you should say thank you to me because in the end, I increased the security of DentalTown and also posted that they tell everyone to change their passwords especially if your DT password was the same as your email, then I could have logged into you account..... I may have tested this theory.
I originally wanted to turn DewDropInn's avatar into Mike Barr's monkey butt photo, but instead I did "civil disobedience" in DentalLand.
So now I am banned!
![]()
![]()
That Didn't Work... Whatever happened to that Data Breach I found out about?????
SHIT REALLY HITS THE FAN:
So I noticed that Data Breach was not on the HHS Wall of Shame, and the dentist never called me back, and Howard Bangerter acted like they were "taking care of it" and the doctor was going to notify HHS. But I didn't see it on the wall of shame, so I called Dr. David DiGiallorenzo's Office Manager to ask her if they mailed out letters, and she told me I would have to ask the doctor that question. I then went on LinkedIn and asked an employee and she had no idea of what I was talking about, which was odd to me. So eventually I contacted a local news station, WNEP in Pennsylvania. I gave them a list of patients and Dave Bohman went around asking people if they had received a letter from the doctor.
Basically the doctor said I hacked him and filed 2 criminal complaints against me in 2 states, mine and his.
http://wnep.com/2013/12/09/stolen-data-on-thousands-of-williamsport-area-dental-patients/(This is continued in another blog post on my site because of the length)
This is when I met a woman named PogoWasRight aka Dissent
DISSENT (Bum Bum Bum):
2014
"Hell hath no fury like a woman scorned"
She also taught me that when someone accuses you, you should respond to this allegation. I think she is right. She wrote some FTC complaints and I gave her statements and worked with her on understanding how all these hacks work. This took awhile and after we finished she said "now wait a couple of years" and I thought I was going to die!
US-CERT... Again:
March 2014
I took the oportunity to show US-CERT my FTC statement hoping that would get their attention along with muttered phrases like "who lies to homeland security???" and I figured this would get some sort of emotional response out of this black hole called CERT. I jokingly say this because we did have some phone calls in 2012 and I found them to be "cool", up until they ignored me, albeit, I can be annoying as hell to some people I want to be annoying to. I usually do this by sending LOTS and LOTS of email.
To my surprise, they responded. I was using techniques from my dream and they told me my dream wasn't good enough. They told me I had to actually crack the algorigthm, even though my youtube video was good enough to me.
So I then worked out the algorithm and they asked me to put it in a script form and that was my requirement to get a new VU#... Sigh.. So I called a friend and he created a script from the algorithm and THEN they assigned me VU# 176231.
CERT told me that Schein should have it fixed with Dentrix G5.3 and that a fix probably would not be around until August 2014 but could be later.
ADA posts a notification of a Data Breach:
May 2014
ADA has a tiny data breach and still notifies. Good Job!
I also had a hand at getting a website called the dental record updated.
WAITING GAME 4:
August 2014:
After US-CERT told me to wait, I did. I heard that Dentrix G5.3 was not actually going to be released, instead they were going to call the product Dentrix G6. So I met a client with Dentrix G6 Beta and I tested the security of that. I found that the hard coded credentials were STILL present, which meant that I was waiting for nothing.
I then say this and realized that the Dentrix was REALLY not taking things seriously:
Since the argument was based wether or not the exploit could be used remotely, I decided to port scan the internet, and 10 minutes later I found a server running Dentrix that was exposed to the internet. I decided to exploit this and when into the resource table and found the office phone number and doctor's social security number. Instead of just calling the office, I sent an email to US-CERT, FTC and HSPS and then waited about 3 days. After that I called the dentist and he reconfigured the internet and I told him this was not a data breach, but was more my own security testing.
"that should shut them up"
CSO Magazine, Baby:
So after a REALLY long wait of wondering when US-CERT would publish my vulnerability, I got on twitter and told Dissent that I was getting depressed and wasn't sure we were getting anywhere. She calls on a friend of her's named Steve Ragan. Steve is cool. He writes an article about Dentrix Hard Coded Credentials.
This seems to help a lot, in the background.
During this time my friend who works at Henry Schein Tech Support sent me some screenshots of what was going around.
November 2015:
My patience started to run thin. I posted my G5 and G6 security research on my blog and my evidence on the LANAP breach, and to my dismay the investigation into that data breach was already over. Wow.
FTC RESPONDS!!!
January 2016:
Schein was fined 250K for my efforts if I can interpret the news correctly. I am also aware that this is a public comment period as well. I personally hoped for a larger fine in all honesty, but at least I know nobody in dentistry will falsely advertise security again. (I hope!)
Dentrix G6.2:
Dentrix drops the hard-coded credentials and adobe flash! Great Job Mick Gomm, Nick Pelliccio and me. NOW you set a Database Passphrase and this will then be scrambled to be a Database Password you do not know.
Dentrix G6.2 Screenshot!
Summary:
Was this worth it to lose this many friends?????????? Not even my own Dentist uses me for IT Services, because when I went to work for my dad I told him to use my friend and instead he signed some contract paying $600 a month for IT Services... Sigh.
I don't have access to my 12 year diary (DentalTown).
I don't really feel like this was "closure".
Was it worth it?
Ask me in 10 more years, and I might have a better answer. I still wait for some answer regarding LANAP and I wonder when US-CERT will come around. I do know that when people discuss Dentistry and Security, I get a smile on my face. So yeah, probably so. I also know a woman in a van drove to my house honking her horn and told me if you care about your kids and drove away during late 2012. That had my heart rate up to 160 bpm for months. Usually when I tell this part of the story people say something like "Uhhhh, yeah". I received a call from the FBI and I kept thinking I would hear back from them again. I got really paranoid.
CERT RESPONDS TO MY EAGLESOFT WORK!
Yeah.... I made a promise not to do this, but after I realized how much help they needed.....
http://justinshafer.blogspot.com/2016/02/moving-onto-eaglesoft-aka-patterson.html*Why not SoftDent?
a) I want the LATEST version to test
b) They are transitioning between Faircom from 1997 and Microsoft SQL
c) I know I could find their password and I am sure it is most likely the same across all installations
d) I make up a lot of excuses not to.
Hopefully.. they will get the message.. Otherwise, anyone could easily do it from just watching my Dentrix Videos...........
Dentrix Image stores SSNs... Why I don't know... All one needs is the SQL SA account password that is hard coded? Not sure about Dexis 10, I am pretty sure it does not. I have heard other rumors..
Mogo??? Sure... why not?
Now you know, and knowing is half the battle... Seriously.. the other half is getting people to care.
Developers have this idea that the network is the last line of defense, when in reality, it SHOULD be the DATABASE. Most companies choose to hard-code the database back end passwords...........
Except for Open Dental. But then again, that was one really big reason why Jordan Sparks left the Dentrix Platfrom and started development on Free Dental, which in turn became Open Dental... control over the database.
I have heard Dentrix Enterprise owners can set the backend database password.. No idea of the validity on that, but I am pretty sure it is true. Strange.
