Channel: Justin Shafer

Dexis Class Sensors with NVidia Video Drivers

I thought I would make a quick blog post about this. I have a client who loves his Dexis Classic sensors; he also has Vatech EZ3D software, which requires the NVidia card.

The problem is that the NVidia drivers have a conflict with the pcmcia service in Windows. To fix this, you have to change the order in which Windows loads services, which is done by editing the Start value of the pcmcia service key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcmcia]
"Type"=dword:00000001
"Start"=dword:00000002

Setting Start to 2 (Automatic, SERVICE_AUTO_START) changes the point at which Windows loads the pcmcia driver so that it comes up after NVidia's driver has loaded. Works great. Merge the .reg file as an administrator and reboot for it to take effect; export the key first so the change can be reverted if it does not help.
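The same change done from an elevated PowerShell prompt, with a backup of the key and a check that the value took. This is an added example, not part of the original post; it assumes the default service key path shown in the .reg file above and a writable %TEMP% for the backup.

```powershell
# Added example, not from the original post: apply the pcmcia Start change
# from an elevated PowerShell prompt, keeping a backup and verifying the result.
# Assumes the default key path HKLM\SYSTEM\CurrentControlSet\Services\pcmcia.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\pcmcia'

# Record the current value (0=Boot, 1=System, 2=Automatic, 3=Manual, 4=Disabled)
$before = (Get-ItemProperty -Path $key -Name Start).Start
Write-Host "pcmcia Start before: $before"

# Back up the key so the change can be reverted with: reg import $backup
$backup = Join-Path $env:TEMP 'pcmcia-backup.reg'
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\pcmcia' $backup /y | Out-Null

# Apply the change and verify it took
Set-ItemProperty -Path $key -Name Start -Value 2 -Type DWord
$after = (Get-ItemProperty -Path $key -Name Start).Start
if ($after -ne 2) { throw "Start is $after, expected 2" }
Write-Host "pcmcia Start now: $after (reboot required; backup at $backup)"
```

A reboot is still required; the driver's start type is only read at boot.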

Tested on Windows 10 32bit.

How I helped secure the Dental Industry

It all started around 2009 when I started to have fun with "security". It started with a thumbs up feature that DentalTown added, and ended with me making an FTC Statement and 4 US-CERT vulnerability notes: 1 to Faircom, 2 to Dentrix (1 remains private) and 1 to Eaglesoft.

"Data security is very cool on the cloud. I’m a big believer in establishing proven backup procedures for my clients. I’ve seen too many practices lose all of their data before I could help them. But procedures rely upon people, and too many times people don’t follow procedures. The cloud, on the other hand, is automated. Data backup is a natural part of the cloud. The doctor using Web-based dental software will never be bothered by its database backup or software upgrade worries ever again. There isn’t a better business continuity plan than the cloud."
Sigh.

After the thumbs up thing I realized I could actually ban people on DentalTown, and I did this to one person intermittently (that was actually really funny). I eventually realized that there were problems in the mechanism used to upload images, as you could use it to upload shells or other people's pictures or even deface the site.
Shell:

 After this I progressed to other websites that I won't name, but two I will. I would love to name some others but I shouldn't. I like to say, I help law enforcement though. And even a financial institution. I never thought that would happen, but to my surprise, I started seeing problems with all sorts of different websites, and I couldn't help but try to get them fixed, most of the time.

2011:

Dental Websites: If you had a business in dentistry, I might have tested you.

http://www.dentalaegis.com/news/?id=1 I remember... Oh.. nevermind. Heh.

later on:
http://www.dentalrecord.com/ Just because Darrell was buying paper from there. Heh.

American Dental Association:
This was something called SQL Injection. I was just being a white hat, and I knew what damage this could do to dentists. I never really inspected all the databases or tables or really went into this.


Me to Howard Farran:
From: Justin Shafer [mailto:justinshafer@gmail.com]
Sent: Monday, January 17, 2011 10:36 PM
To: Howard Farran
Subject: Hacks

New stuff lately.

1. http://dexis.com/mambo/ (I didn't write that, it was already there.. which was funny as hell)
2. I got into the dentrix credit card processing. They left the admin password as password. But they still haven't completely fixed it, after I told them!
3. ADA is open to exploit! I can look at test scores? Haven't tried changing them. Gave this to Steve Roberts and I am hoping between the two of you the ADA won't get too mad. =)

Don’t share this with ANYONE. JUST YOU! And ken if you like.



Know anyone at the ADA Howard? I am giving dentrix a week until I tell them to fix the credit card stuff.

Howard Farran to Me:
From: Howard Farran <howard@dentaltown.com>
Date: Mon, Jan 17, 2011 at 11:48 PM
Subject: Get me all the ADA dentists emails and you just made yourself some money dude! I am serious!!!
To: Justin Shafer <justinshafer@gmail.com>


Get me all the ADA dentists emails and you just made yourself some money dude!  I am serious!!!  This is only between you and me. 

Create a great day!

Howard

Howard Farran DDS, MBA, MAGD

Today's Dental: * 10850 South 48th Street * Phoenix, Arizona 85044 USA * O) 480-893-1223 * F) 480-496-9363 * E) Howard@TodaysDental.com  * W) www.TodaysDental.com

Farran Media: * 9633 South 48th Street, Suite 200 Phoenix, Arizona 85044 USA * O) 480-480-445-9712 * F) 480-598-3450 * E) Howard@DentalTown.com  * W) www.DentalTown.com  * W) www.HygieneTown.com * W) www.OrthoTown.com *www.Facebook.com/DrHowardfarran

WHY?
From: Howard Farran [mailto:howard@dentaltown.com]
Sent: Tuesday, January 18, 2011 9:36 PM
To: justinshafer@gmail.com
Subject: The more I think about this Justin, the more you need to realize!

The more I think about this Justin, the more you need to realize!  You are going to turn more dentists onto first world dentistry than anyone!  When I just travel 100 miles south of Phoenix into Mexico the quality of the dentistry drops 90%.  If we can find these dentists, send them an email, and turn them onto first world dental information we will truly make a difference in this world!  This could be the most important project of your life! www.DentalTown.com has 140 free continuing education courses and the www.ADA.org has zero, yet they collect over $100 million a year in dues! 

Create a great day!

Howard

Howard Farran DDS, MBA, MAGD


OH! But what about the law?

Justin Shafer justinshafer@gmail.com

1/19/11

to Howard

DONT DO IT!
From: Howard Farran [mailto:howard@dentaltown.com]
Sent: Wednesday, January 19, 2011 9:04 AM
To: Justin Shafer
Subject: RE: The more I think about this Justin, the more you need to realize!

Don’t do it dude

Create a great day!

Howard

Howard Farran DDS, MBA, MAGD


Lorne Lavine:

Dental Technology Consultants drlavine@thedigitaldentist.com

2/1/11

to me

Get me those 55,000 emails and dinner is on me :)

Sincerely,

Check out my blog: http://thedigitaldentist.blogspot.com
Lorne Lavine, DMD, A+, Network+
2501 W. Burbank Blvd. #303
Burbank, CA 91505
866.204.3398
drlavine@thedigitaldentist.com
www.thedigitaldentist.com

From: Dental Technology Consultants [mailto:drlavine@thedigitaldentist.com]
Sent: Tuesday, February 01, 2011 10:56 PM
To: Justin Shafer
Subject: RE: Xray

Yup…if I knew how and could use a different IP to access, I probably would. I certainly would never advocate theft or anything like that, but if the list happened to plop into my lap, not so sure I would throw it out.

Sorry if you think less of me for that, I happen to know the value of email addresses for someone like me who uses the Internet extensively to market.

Sincerely,

Lorne Lavine, DMD, A+, Network+
2501 W. Burbank Blvd. #303
Burbank, CA 91505

Howard gets Curious:

Howard Farran howard@dentaltown.com

2/3/11

to me

Now the ADA is spamming me with emails??  LOL..  How many emails did you actually get? 

Create a great day!

Howard

Howard Farran DDS, MBA, MAGD

Today's Dental: * 10850 South 48th Street * Phoenix, Arizona 85044 USA * O) 480-893-1223 * F) 480-496-9363 * E) Howard@TodaysDental.com   * W) www.TodaysDental.com * www.Facebook.com/TodaysDental

Farran Media: * 9633 South 48th Street, Suite 200 Phoenix, Arizona 85044 USA * O) 480-445-9712 * F) 480-598-3450 * E) Howard@DentalTown.com   * W) www.DentalTown.com   * W) www.HygieneTown.com  * W) www.OrthoTown.com  *www.FarranMedia.com * www.Facebook.com/DrHowardfarran

OK! 
So some time goes by and the ADA was still exploitable, and I sent them an email asking them why. My response was an email from the director in the form of a threat; I had threatened to tell DentalTown Magazine (rofl):

From: OLoughlin, Kathleen T. <oloughlink@ada.org>
Date: Mon, Apr 4, 2011 at 4:57 PM
Subject: RE: Ummm
To: Justin Shafer <justinshafer@gmail.com>
Cc: "Pittman, Lalita"<pittmanl@ada.org>


Dear Mr. Shafer:

    We appreciate your interest in ADA and in ensuring the security of our computer systems.  You may be assured that we have addressed the issues with which you expressed concern and are confident that our measures are successful.  If you have specific evidence of weaknesses in our systems, or points of entry whereby you think access is possible, we would be pleased to learn more. 

    We are concerned, however, with what appear to be threats that you have made in your recent messages to publicize purported weaknesses in the ADA systems.  To make such threats without disclosing the nature of the alleged weaknesses, and for the apparent purpose of soliciting business from our organization, seems to us to be a questionable practice.  Moreover, we are equally concerned that you might be attempting, whether successful or not, to access ADA's computer system in a manner that ADA has not authorized and that might therefore violate the law.

     Please understand that we do not intend to be overly contentious.  Nevertheless, we do take exception to the suggestion of actions that would have no purpose other than to embarrass the ADA and create issues with our constituents.  We take the security of our computer systems very seriously, and we hope that you are not implying anything to the contrary. 

     Should you wish to communicate with me further, please feel free to do so, but only if there is a constructive purpose to be served.  Please call me by phone if you wish to discuss.

Thank you

Kathy O’Loughlin


Kathleen T. O'Loughlin, DMD, MPH  oloughlink@ada.org
Executive Director
American Dental Association
312.440.2700
312.440.7488 (FAX)

________________________________________________________________________
American Dental Association  211 E. Chicago Ave.  Chicago,  IL 60611  www.ada.org


My Response: 
I told them I never sent them an invoice, and I showed their IT guy what tool I used and everything; I sent a screenshot that said NOT FIXED!

And then they finally fixed this SQL Injection problem as far as I know. I was actually more worried about the DentPin Database but I knew to stay away from it. She DID tell me thank you in the end.


What I did:
I sent Dr. Farran a large sample of just email addresses without nationalities which is just absolutely useless to send to mexican dentists. We stopped talking about this, and I stopped thinking about it.

EXCEPT THIS: I asked Steve Roberts at Henry Schein to find me a connection, and he found me the director.

Dentrix Credit Card Processing Website!
epay.dentrix.com was next though I never really meant to do this on purpose. I was at a clients house waiting for him to stop arguing with his wife, and he was paying his bills, and this login prompt was on his laptop, and I thought it would be fun to try admin and password as my credentials.





After this, I had impressed people so I got invited to a Dentrix Summit??? This is where Dentrix invites "leaders and popular people" to come up to Utah and have a circle-jerk about their software. When I arrived I was all ready to see the new Dentrix G5 Beta with the new Database. We all signed an NDA to attend.


2008 Photo: (I was invited before, and I had a blast!)




 
2011

THE LIE!

I was told Dentrix G5 would have an encrypted database and encrypted TCP/IP packets, but as soon as the presentation was over, an employee looked at me and told me "It's easy!" without making too much noise. I was then asked if I would like a job at Dentrix, and I told them my mom had a stroke and my dad had a heart attack (all true), but in reality I felt like I was just being asked to aid in a cover-up of lies.

I waited to see Dentrix for myself.

Henry Schein Practice Solutions advertised database encryption and security from hackers because their new database flies "low under the radar" from nefarious people. *rofl* http://web.archive.org/web/20140428021311/http://www.dentrix.com/products/dentrix/documentation/g5-white-paper.pdf

They then asked me if I would like to work for them. 3 tech guys I didn't really know that well.


After the Summit:

I got an email from Howard Bangerter asking me if I would like to enroll in the Dentrix G5 Beta. I declined but told him I would. I noticed it had a Non-Disclosure Clause, and I figured that is what he really wanted. Then I was told by Howard Bangerter via a phone call that Sikkasoft was reading the Dentrix G5 database without being enrolled in the Dentrix Developer Program, and asked me how it might be possible, which was odd to me because someone from Utah told me that ODBC access was easy, even before I received this phone call. I told Howard that packet sniffing is the first place to start. I gave Howard the professional courtesy of saying "I am the last person you want to tell this to". 


Waiting Game 1:

Waited to see Dentrix G5 release. I was also asked if I would like to be employed at the local Schein office, but I really don't know if they knew what was going on with me and the folks at Utah... I do have this one suspicion and I will get to that later.

I got bored and decided to really read up on FairCom ACE Databases. I got a trial and read the manual, created a database, and learned how I could bypass a lot of my own security.

I finally got to see it around April 2012, and as soon as I did I blew right through ALL security, encryption and authentication. I was really happy about this, because I thought I could show Dentrix, and they would just fix it, and maybe stop lying. I created a YouTube video that showed the password, and for this I received a phone call from Michael Allsop:




I removed the video in question and just asked that Henry Schein take security more seriously. They told me they would and that was that.

Dentrix G5 HotFix 1 Patch through Dentrix G5 HotFix 2:

They changed the password and that was it. This was around June of 2012. So I decided to make a post on DentalTown about it, I also emailed the good folks at Dentrix to tell them the new password.

HotFix2 was a little better, they changed a dll file that no longer showed the password in a tcpip packet, but the older dll could be swapped out and it showed the new password, so FAIL.

I showed them emails showing me accessing my SSN and asked them if we should tell DentalTown about AES.  They asked me again to be a Dentrix Beta Tester, which I again refused. My customer number starts with 666, maybe they view me as the AntiChrist.



LightHouse 360 and Write Access:

Dentrix had given DemandForce exclusive access to the Dentrix G5 Database. This was GREAT if you had a financial interest in DemandForce, otherwise it was kinda shitty. People were upgrading to G5 to find that they could not WRITE to the database. I thought this was bad. Partly because Schein doesn't seem to give a shit about security, but on the other hand uses the security, to restrict other companies from writing to the database.

Using False Encryption to Keep Customers:

I found that Provo Dental Care was trying to leave Dentrix G5 but she was going to be charged an hourly rate to decrypt her database. This made them upset. I have also received an email from Curve Dental asking if I could do anything at all in regards to Dentrix giving them the run-around in regarding decrypting a database.
http://thedigitaldentist.com/2012/02/dentrix-g5-ships/

Dentrix 11 Database on the piratebay:

I found a database in September 2012 on a file-sharing website, and 18 people were seeding this database without realizing what they were seeding most likely. Either way this was bad, and I emailed Dentrix. Bangerter asked me not to "out the doctor" because he was probably already on Dentrix G5. I informed Howard my SSN had not changed between 11 and G5 letting him know that I wasn't buying their security bullshit, and I called the doctor to let him know, and then Howard followed up. Howard told me again not to out the doctor. I had a feeling they would blame me if I did. Just a hunch.


US-CERT & DentalTown Ad:

Since they asked me not to out the doctor, for a very serious breach, I sensed a real culture problem at Henry Schein, so I decided I should probably tell US-CERT about Dentrix. This was going to have serious repercussions on my business and contacts/relationships, but I felt like this shouldn't matter because a lie is a lie is a lie, and someone should try to stop them.

US-CERT created VU# 948155 in response, in October of 2012 and during this time was working with Schein.

While all of this was going on, Schein decided to go ahead and advertise encryption and safety from hackers, before the first VU# from US-CERT was even public on DentalTown.


This irritated me, mainly because they were now ignoring my work. This is fine if you're just some ho-hum company, but when you're in charge of writing the nation's #1 PMS software in dentistry... not good culture. During this time I pleaded with Howard Goldstein at Dentaltown, who told me:

From: Howard Goldstein <HoGo@farranmedia.com>
Date: Tue, Nov 6, 2012 at 8:49 PM
Subject: RE: oh yeah
To: Justin Shafer <justinshafer@gmail.com>, howard.bangerter@henryschein.com

Justin-
You are much smarter than I am with technology and I listen to you.
However I am much smarter than you with common sense :)
Even if you are right, common sense says that it is not worth getting into a legal battle with a big company.
Please listen to me and let this go.
Take Care…Howard

Howard M. Goldstein, DMD
Director of Continuing Education
Farran Media LLC
Dentaltown / Orthotown / Hygienetown
Dentaltown Message Board Manager
9633 S 48th Street / Suite 200 / Phoenix, AZ 85044
cell: 610.216.3374 | fax: 610.866-1936
HoGo@farranmedia.com

This upset me because all my posts (that got deleted) and emails were falling on deaf ears.

I had a conversation with Lorne:

The Digital Dentist drlavine@thedigitaldentist.com

11/6/12

to me

Well, here's my take on it, you can take it as advice from someone older, or just ignore it as the ramblings of someone whose opinion doesn't matter: One of the things I've learned after 25+ years in business is that what you know is rarely as important as who you know. Dentistry is a small community and you never know who you're going to want in your corner someday. If you choose to do battle with an $8 billion company, I guess that's your prerogative, but it separates you away from a good chunk of the rest of the community. I compete with Schein on deals every day…but I also get a lot of my income from doing webinars, lectures, whitepapers, etc for them and their partners. There's no reason you can't play nicely with them and turn it to your advantage. Your posts, however, are having the opposite effect. I don't know if HoGo has communicated with you, but if I were Moderator of that forum, I'd certainly be suggesting that you tread lightly. Again, take the advice as you want. As a colleague and friend, I felt I owed it to you to at least try. Sincerely,



Then I was threatened with a "Linked In View".. ROFL. Yes that is correct, except how would you feel? Bangerter told me "they even work on Christmas!"
http://www.proskauer.com/professionals/sigal-mandelker/


Sigal testified before Congress a number of times on matters of criminal law, prepared Administration officials for congressional hearings, and negotiated various legislative provisions with congressional staff and within the Administration. She also represented the Department of Justice before the Federal Communications Commission, chaired Team Telecom, an interagency group that reviews telecommunications licenses where there is foreign investment and worked with a number of Federal agencies on a wide-range of regulatory and policy matters. In numerous enforcement areas, she coordinated the Department’s work with the FBI, DHS, ICE, U.S. Secret Service, the State Department, USTR, the Department of Commerce, the White House, the National Security Council, the Homeland Security Council and other government agencies.


I went on DentalTown and made a post that I needed a Ferrari if I was going to look the other way now. This was just a joke, but my intention was to let them know I was not backing down.

Right before this went public in April 2013, I created a new YouTube video showing off how FairCom Standard Encryption could always be bypassed, confusing a lot of people, as they thought this new video had something to do with the VU# that came out, but it didn't.
Dentistry IQ released an article about this, and let Lorne Lavine give a quote, in which he said there was nothing to really worry about. Yeah... Hard-Coding Credentials, Local Admin, and Flash.. nothing to worry about there.... (IDIOT)

Chalk it up to a culture problem. Lorne was with me at the summit, and perhaps he just doesn't care about security and being honest. At this point, I thought Dentrix G5 was finally fixed regarding authentication, up until I had the weirdest dream! More on that later.


US-CERT Part 2:

Faircom Standard Encryption Vulnerability! US-CERT decided to do something with the second youtube video I made.

 They talked to Faircom and persuaded Faircom to rename encryption to something called data camouflage, which is a catchy name for data scrambling. I commend Faircom for doing this.

Henry Schein ignored ALL of this, and just kept calling Dentrix G5 encrypted for HIPAA, which was just an absolute awful thing to do.

Not only this, but I was getting PISSED. I decided to come up with a new plan. Remember that Dentrix Database on a File-Sharing Site????

Waiting Game 2:

May 2013, I was about to freak out. Waiting for US-CERT to do the second VU#. Dentrix was no longer talking to me, none of my efforts seemed to have had any effect, and everyone I knew told me not to care about this and let it go, but I just didn't want to quit. I realized my mugshots were also on the internet. Every time I went to US-CERT, mugshots.com would find dirt to dig up on me. This really depressed me, as I had been arrested in the past and I just hated knowing someone would try using this against me to shut me up. I decided to play into this (screw it, right?). I posted an instrumental version of Cypress Hill's Illusions.



And I had a bite from someone named DewDropInn... I kinda regretted doing this test, but I figured eventually they would try to laugh me off of DentalTown if GIVEN ENOUGH TIME. So I decided my time on DentalTown was most likely short lived. It was only a matter of time until the mugshots oozed into DentalTown by "mistake" only to be there long enough for enough people to see it, and then Hogo will "act" like he cares and moderate it. I figure this video would let someone know, I don't give a shit about the mugshots.. Bring it!!! In fact, I will GO FIRST!

My dad offered me a job so I took it because I was extremely depressed at this point in my life. I regret this, but I would probably not have my house still if I hadn't... All I could do was keep my head down on my desk, I barely answered the phone.. Life really sucked. Working for your parents wasn't all I thought it would be, worse I spent most of my time doing computer projects like intraoral capture buttons.

Also during this time I was asked many times to refrain from talking about Dentrix. Howard Goldstein told me I was not allowed to talk about it. I reminded him to remind Howard Farran about the ADA Emails and I would do whatever the hell I fucking please. Ta Ta!
From: Howard Goldstein <HoGo@farranmedia.com>
Date: Thu, May 16, 2013 at 9:42 AM
Subject: RE: Reported Post: Total Lack of Support
To: Kerrie Kruse <kerrie@farranmedia.com>, Lorie Xelowski <lorie@farranmedia.com>, Ashley Harris <ashley@farranmedia.com>, Ken Scott <ken@farranmedia.com>
Cc: "Justin Shafer (justinshafer@gmail.com)" <justinshafer@gmail.com>

Justin-
Today was your last post about ANYTHING Dentrix.  Even if helpful.   Sorry but I have way too much of a workload to have to be monitoring you on a daily basis.  Uwe Mohr is not allowed to post anything about Cerec.  Kevin Tighe is not allowed to post about 123postcards.com.  Others are not allowed to post about other subjects that they have issues with.  The new rule is that you are not allowed to post about Dentrix.
Your other posts are valuable but enough is enough....
Sorry...Howard

Howard M. Goldstein, DMD
Director of Continuing Education
Farran Media LLC
Dentaltown / Orthotown / Hygienetown
Dentaltown Message Board Manager
9633 S 48th Street / Suite 200 / Phoenix, AZ 85044
cell: 610.216.3374

I also added links to my DentalTown Signature so ALL my posts would show this information, and I have 11K of posts!

Breaking Hard Coded Credentials AGAIN:

That is right. I thought it was fixed, I wanted it to BE fixed. I posted on DentalTown it was fixed. I told US-CERT it was fixed. But in reality it was NOT fixed. I give credit to god for this (yeah, I know this sounds quite bizarre), but I had this dream one night that I was using WinHex to swap actual hashes out of the FairCom.FCS file and paste them into another, and if you did this with 9.0, it would show that password hash in RAM. This was a dream, and I was doing it with someone... holier than me. I know, it is crazy, right? Well, I woke up and ran to my computer and sure enough, that method WORKED! And I was BACK IN BUSINESS!!!!! WOOT WOOT!!!!!!!!!!!!!!!!!!!

I told US-CERT, and heard nothing.......  So I figured they were in Schein's pocket at this point, or had some other motive I was and am still not REALLY that fully aware of, except that US-CERT has WAY more patience than I do!

NIST and US-CERT Release VU# 900031:

I can FINALLY go to the folks at DentalTown and tell them that YES, even NIST agrees with me!
https://www.kb.cert.org/vuls/id/900031
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0148
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4952

I contacted Hogo and literally got nowhere. We had a phone call (Ken and others were on the line) and all they wanted me to do was not talk about this on DentalTown and find an alternative method. This bugged me because DentalTown was paid money to carry on a lie, and I wanted them to DO something about it. (Not realizing that is easier said than done, I really didn't give a shit, and still don't).



Shit Hits the Fan:


August 2013, I had enough of this. I decided I would start a thread stating that Dentrix G5 was NOT encrypted. I think I called out Lorne, but I am not 100% sure since DentalTown deleted the thread.
http://www.dentaltown.com/MessageBoard/thread.aspx?s=2&f=145&t=209313

I have already been reminded to what would happen to me if I was banned:
From: Howard Goldstein [mailto:HoGo@farranmedia.com]
Sent: Wednesday, February 08, 2012 5:40 PM
To: justin@onsitedentalsystems.com
Cc: Ken Scott; Lorie Xelowski; Kerrie Kruse
Subject: Justin's Account...


Justin- If we are forced to ban you, you no doubt would open a new fake account.  However you would never be able to post openly on Dentaltown again.  This would not be good for your business or your reputation.   We would not hesitate to let Townies know why Justin is gone.  If you EVER give out a password like you did on that post today or post so rudely about a company the way that you did today,  your account will be officially inactivated.  Use your head and think before you post on Dentaltown.  You do not have free reign to post whatever you feel.. Furthermore your account information has you listed as Phfvtacb Vbvbjqmg from San Francisco with a phone # of 555-666-0606.
You need to update your account within 24 hours or your account will be inactivated.
Regards…Howard

Howard M. Goldstein, DMD
Director of Continuing Education
Farran Media LLC
Dentaltown / Orthotown / Hygienetown
Dentaltown Message Board Manager
9633 S 48th Street / Suite 200 / Phoenix, AZ 85044
cell: 610.216.3374 | fax: 610.866-1936
HoGo@farranmedia.com

In the Dentrix G5 thread, I remember Lorne saying that Dentrix G5 was encrypted, even after US-CERT and NIST said it wasn't. I called him ignorant, a hybrid (part IT part perio), and asked him if he was in on the take. I also promised him that one day when you googled "Dentrix Encryption" that all the results would be truthful. He was actually the top result, and he posted that he was glad and he should commend his social marketing manager.

I then was banned for 1 week, and I decided this should be a permanent ban. Why participate on a board that doesn't care about truth or hurting patients during a data breach? Why continue years of posts knowing this? Even after the ADA, Thumbs up and even being able to grab the entire database and SSL keys, even after the Dentrix Credit Card thing, even after the Dentrix Database on a File Sharing Site, and NIST and US-CERT (twice), no somehow none of this was enough..

Justin-
You are accusing Lorne of being on the take.
You have called him ignorant on our message board.
We have told you repeatedly that you cannot let your anger get the best of you and do that on the message board.
You can get your points without the personal attacks...
I am going to inactivate your account for one week so you can think about ways that you can get your points across without the personal attacks.
Please don't hack back in.
Next Sunday I will reactivate your account.
You have been warned so many times.  We have no choice.
...Howard

Howard M. Goldstein, DMD
Director of Continuing Education
Farran Media LLC
Dentaltown / Orthotown / Hygienetown
Dentaltown Message Board Manager
9633 S 48th Street  / Suite 200  /  Phoenix, AZ 85044
cell: 610.216.3374
HoGo@farranmedia.com<mailto:HoGo@farranmedia.com>

So I decided to exploit a cross site scripting vulnerability that I told Ken, the Dentaltown IT guy, about. The reason I found it was because in July 2013 someone had their gmail account hacked and thought it was Dentaltown, because DT and Gmail were the only 2 sites that had that password; furthermore, at the same time someone was able to make posts in the Classifieds section without an account. Anyways, the night of my first ban I started posting as other people, and I ended DentalTown with a good Rick Roll. I do apologize if I offended anyone or used your account to make a statement. Also, you should say thank you to me because in the end, I increased the security of DentalTown and also posted that they tell everyone to change their passwords, especially if your DT password was the same as your email, then I could have logged into your account..... I may have tested this theory.

I originally wanted to turn DewDropInn's avatar into Mike Barr's monkey butt photo, but instead I did "civil disobedience" in DentalLand.

So now I am banned!





That Didn't Work... Whatever happened to that Data Breach I found out about?????


SHIT REALLY HITS THE FAN:


So I noticed that Data Breach was not on the HHS Wall of Shame, and the dentist never called me back, and Howard Bangerter acted like they were "taking care of it" and the doctor was going to notify HHS. But I didn't see it on the wall of shame, so I called Dr. David DiGiallorenzo's Office Manager to ask her if they mailed out letters, and she told me I would have to ask the doctor that question. I then went on LinkedIn and asked an employee and she had no idea of what I was talking about, which was odd to me. So eventually I contacted a local news station, WNEP in Pennsylvania. I gave them a list of patients and Dave Bohman went around asking people if they had received a letter from the doctor.

Basically the doctor said I hacked him and filed 2 criminal complaints against me in 2 states, mine and his.


http://wnep.com/2013/12/09/stolen-data-on-thousands-of-williamsport-area-dental-patients/
(This is continued in another blog post on my site because of the length)

This is when I met a woman named PogoWasRight aka Dissent


DISSENT (Bum Bum Bum):


2014
"Hell hath no fury like a woman scorned"

Dissent aka "PogoIsRight" is a woman who runs a couple of blogs on databreaches. She knows a lot of people and loves to read stuff that only attorneys would like to read. She is very helpful.

She made this awesome blog post!
http://www.phiprivacy.net/dentrix-claims-it-encrypts-their-data-but-does-it/
And she has friends!
http://www.alertboot.com/blog/blogs/endpoint_security/archive/2014/01/14/hipaa-encryption-when-is-encryption-not-encryption.aspx

And this is what got Dentrix to stop calling the database encrypted. She found many experts and had them comment, and that was enough to make them think twice about what life would be like in a courtroom.

She also taught me that when someone accuses you, you should respond to this allegation. I think she is right. She wrote some FTC complaints and I gave her statements and worked with her on understanding how all these hacks work. This took a while and after we finished she said "now wait a couple of years" and I thought I was going to die!

US-CERT... Again:
March 2014
I took the opportunity to show US-CERT my FTC statement hoping that would get their attention along with muttered phrases like "who lies to homeland security???" and I figured this would get some sort of emotional response out of this black hole called CERT. I jokingly say this because we did have some phone calls in 2012 and I found them to be "cool", up until they ignored me, albeit, I can be annoying as hell to some people I want to be annoying to. I usually do this by sending LOTS and LOTS of email.

To my surprise, they responded. I was using techniques from my dream and they told me my dream wasn't good enough. They told me I had to actually crack the algorithm, even though my YouTube video was good enough to me.

So I then worked out the algorithm and they asked me to put it in a script form and that was my requirement to get a new VU#... Sigh.. So I called a friend and he created a script from the algorithm and THEN they assigned me VU# 176231.

CERT told me that Schein should have it fixed with Dentrix G5.3 and that a fix probably would not be around until August 2014 but could be later.

ADA posts a notification of a Data Breach:
May 2014
ADA has a tiny data breach and still notifies. Good Job! 
I also had a hand at getting a website called the dental record updated.

WAITING GAME 4:
August 2014:
After US-CERT told me to wait, I did. I heard that Dentrix G5.3 was not actually going to be released, instead they were going to call the product Dentrix G6. So I met a client with Dentrix G6 Beta and I tested the security of that. I found that the hard coded credentials were STILL present, which meant that I was waiting for nothing.

I then saw this and realized that Dentrix was REALLY not taking things seriously:
http://blog.osvdb.org/2013/05/21/henry-schein-practice-solutions-legal-threat/ They had also threatened legal action against a well known security researcher. Not a good feeling. This was an old blog post, but this was news to me.

Since the argument was based on whether or not the exploit could be used remotely, I decided to port scan the internet, and 10 minutes later I found a server running Dentrix that was exposed to the internet. I decided to exploit this and went into the resource table and found the office phone number and doctor's social security number. Instead of just calling the office, I sent an email to US-CERT, FTC and HSPS and then waited about 3 days. After that I called the dentist and he reconfigured the internet and I told him this was not a data breach, but was more my own security testing.

"that should shut them up"

CSO Magazine, Baby:
So after a REALLY long wait of wondering when US-CERT would publish my vulnerability, I got on twitter and told Dissent that I was getting depressed and wasn't sure we were getting anywhere. She calls on a friend of hers named Steve Ragan. Steve is cool. He writes an article about Dentrix Hard Coded Credentials.

This seems to help a lot, in the background.

During this time my friend who works at Henry Schein Tech Support sent me some screenshots of what was going around.

November 2015:
My patience started to run thin. I posted my G5 and G6 security research on my blog and my evidence on the LANAP breach, and to my dismay the investigation into that data breach was already over. Wow.


FTC RESPONDS!!!
January 2016:
Schein was fined 250K for my efforts if I can interpret the news correctly. I am also aware that this is a public comment period as well. I personally hoped for a larger fine in all honesty, but at least I know nobody in dentistry will falsely advertise security again. (I hope!)

Dentrix G6.2:
Dentrix drops the hard-coded credentials and adobe flash! Great Job Mick Gomm, Nick Pelliccio and me. NOW you set a Database Passphrase and this will then be scrambled to be a Database Password you do not know.
Dentrix G6.2 Screenshot!


Summary:
Was this worth it to lose this many friends?????????? Not even my own Dentist uses me for IT Services, because when I went to work for my dad I told him to use my friend and instead he signed some contract paying $600 a month for IT Services... Sigh.

I don't have access to my 12 year diary (DentalTown).

I don't really feel like this was "closure".

Was it worth it?
Ask me in 10 more years, and I might have a better answer. I still wait for some answer regarding LANAP and I wonder when US-CERT will come around. I do know that when people discuss Dentistry and Security, I get a smile on my face. So yeah, probably so. I also know a woman in a van drove to my house honking her horn and told me if you care about your kids and drove away during late 2012. That had my heart rate up to 160 bpm for months. Usually when I tell this part of the story people say something like "Uhhhh, yeah". I received a call from the FBI and I kept thinking I would hear back from them again. I got really paranoid.



CERT RESPONDS TO MY EAGLESOFT WORK! 


Yeah.... I made a promise not to do this, but after I realized how much help they needed..... 

http://justinshafer.blogspot.com/2016/02/moving-onto-eaglesoft-aka-patterson.html

*Why not SoftDent?
a) I want the LATEST version to test
b) They are transitioning between Faircom from 1997 and Microsoft SQL
c) I know I could find their password and I am sure it is most likely the same across all installations
d) I make up a lot of excuses not to.

Hopefully.. they will get the message.. Otherwise, anyone could easily do it from just watching my Dentrix Videos...........

Dentrix Image stores SSNs... Why I don't know... All one needs is the SQL SA account password that is hard coded? Not sure about Dexis 10, I am pretty sure it does not. I have heard other rumors..

Mogo??? Sure... why not?

Now you know, and knowing is half the battle... Seriously.. the other half is getting people to care.

Developers have this idea that the network is the last line of defense, when in reality, it SHOULD be the DATABASE. Most companies choose to hard-code the database back end passwords...........

Except for Open Dental. But then again, that was one really big reason why Jordan Sparks left the Dentrix Platform and started development on Free Dental, which in turn became Open Dental... control over the database.

I have heard Dentrix Enterprise owners can set the backend database password.. No idea of the validity on that, but I am pretty sure it is true. Strange.

Thanks again to PogoIsRight\Dissent and Dr. Darrell Pruitt, a local Fort Worth dentist.

Eaglesoft 18 Beta Security


Eaglesoft 18 Release Candidate 3 Security: 

This was tested with ES 18 RC3 because Eaglesoft 18 is currently in beta.

How does ES Authenticate?


When ES18 is installed, 3 backend database accounts are created: SA, DBA, and PDBA.
All 3 passwords are randomly generated, and each has a different level of access. Though the SA password may go off the License File. (Needs more testing)

These passwords are stored in a binary file called:
C:\Eaglesoft\Data\Eaglesoft.Server.Configuration.data

Patterson Eaglesoft consists of 2 main services to function (actually 3):
“Sybase SQLAnywhere” and the “Patterson Application Server” service.

When the Patterson Application Server service starts, it reads the Eaglesoft Server Configuration Data File at C:\Eaglesoft\Data\Eaglesoft.Server.Configuration.data, which lets it know all the backend database passwords. When it does this it resets the password for the SA account if the password has changed, but leaves PDBA and DBA untouched.

This service also checks the database signature to make sure it is from a Patterson Database.

SELECT user_id, "option", setting FROM SYS.SYSOPTION WHERE "option" = 'database_authentication';

Example of returned information:
Company=Patterson Technology Center;
Application=Patterson EagleSoft;
Signature=010fa55157edb8e14d818eb4fe3db41447146f1571g574591ba89b065b5aabdb10bca8923c8b6b14496

This signature seems to match data in Eaglesoft.Server.Configuration.data file, because the two seem to go together.

NOW THE SERVER IS READY TO HANDLE CLIENTS!


What happens next?
The Eaglesoft Clients on workstations talk to the "Patterson Application Server" service that is running on the server and get the database credentials through TCP and Ajax calls (partly encrypted).

This allows the Eaglesoft Client to login as DBA or PDBA respectively.

Example of a DSN-Less ConnectString:
DBN=DENTSERV;DSN=DENTAL;UID=PDBA;PWD=vBB(JDvSi1M?p%weic$f-T-SFOMm#UAz
DBN=DENTSERV;DSN=DENTAL;UID=DBA;PWD=CKGHF2L.

Patient and Provider SSNs seem encrypted.
Example of what is in the database
SSN=*****6789
Encrypted SSN=/KYTzmB7YfkdyN4SqbNM5vPzw2lxbpli5gr1Niv6UXE=




Passwords in the actual database that Eaglesoft users store are now hashed.




Thoughts:

What happens if we only have the Patterson Database files without the file that knows the passwords??? C:\Eaglesoft\Data\Eaglesoft.Server.Configuration.data  Let's say someone forgot to back that file up? I suppose I could change the hashes in the database server, reset passwords to a different installation based off the same license file?

IS Eaglesoft 17... Not HIPAA Compliant because of the lax security and passwords that are not hashed?????? http://justinshafer.blogspot.com/2016/02/moving-onto-eaglesoft-aka-patterson.html

NOW FOR THE BAD NEWS: WEAK LINKS!


The big weak link I see is someone who is malicious (or obsessive), could use an Eaglesoft 18 client to find the PDBA Password by just hacking the wifi, and launching Eaglesoft.exe, and then use WinHex to find the backend password for that installation, then dump the patient table.

The last thing they will have to deal with (the third possible weak link) is decrypting the SSN, although they would have the last 4 digits of the SSN which could pose a security risk.

This doesn't matter, because someone could (in theory) dump the database remotely (after they hacked the wifi), and then use the Eaglesoft software itself to decrypt the database (yes, with a different license installed). I have a good idea that the key is a 64 character key, but you would need to know exactly how the Patterson Services Crypto Service decrypts the password. Once they dump the databases, and have the PDBA Password, they could probably get the SSN's out of the database (I think I could, but only using the actual ES software, after I added the patients table to my own database).

The weak link I see in this overall design is the Patterson Application Server service, and it handing out backend database passwords to people who know how to ask it without some sort of password from an administrator. (Hard-Coded Credentials\Authentication!!!!!!)

Solution:

When a new client wants to connect or install, let the office come up with their own database password to initially connect. I believe this is how Dentrix G6.2 is going to work (I hope). You could make it a database passphrase (scrambled password) instead of a password, or just make it the actual password. Or beef up the Patterson Application Server Service. OR... let ES clients read the Eaglesoft.Server.Configuration.data file via file-sharing, because that is protected by another layer that the office DOES have control over.....

Error 1935 while installing Visual C++ 2008 and maybe 2005

Error 1935 while installing Visual C++ 2008. You may have read some stuff on the internet... Here is a fix: open Component Services, Computers. Right click your computer and go to Properties. Go to the Default Properties tab. Connect and Identify are what you want. Reboot. Now try.. This, and stopping or starting Windows Modules Installer, is the best fix.. that and sfc and dism etc.. This can also fix Windows Search.... and stuck Windows Updates.

Security Research Continued!!

Thought I would make a quick blog post on some of my security research.

 

Dexis Imaging Suite 10:
Not much to talk about. It is what it is. They do go off the SYSTEM account which means if you CAN authenticate with the server, you can ALSO create user accounts and do almost anything you would like.

Dentsply Sirona CDR DICOM (formerly Schicktech):
This uses the Network account, so you can't take control of the server like you can if they used the SYSTEM account, but you CAN use this account to take files off of file shares.

Open Dental:
This was interesting. I mentioned to CERT that Open Dental uses a blank password for the majority of installations and few people change that password. I didn't think CERT could do hard coded credentials, as most know that Open Dental allows the mysql database password to be changed. They also have a website with documentation on how to change the password. CERT changed this to "the program uses Default Credentials" (root and a blank password for mysql). This is true. Not sure what will happen but I am glad that we get to discuss changing the password.

NEW Vulnerabilities I have submitted to CERT:
Planmeca ROMEXIS:
Installation Manuals

just google "pwr0mex!s" without quotes. Older installations appear to use "pwr0mex1s"

Not sure if they support changing the password.. I would try at an office but few doctors want me messing with their passwords. I will keep trying, perhaps CERT should ask Planmeca.

Carestream Softdent:

That is the manual for setting up a client and server. Search it for the word password, and you can see the username is ADMIN and the password is ADMIN.

They do not support changing the password.

FTP SERVERS that stored patient data in the public (Anonymous authentication) that I downloaded went to these offices allegedly: (Blowing a whistle on the "internet"?)
Timberlea Dental Clinic (Patterson Dental)
Massachusetts General Hospital (Patterson Dental)
Dr. M Stemalschuk (Patterson Dental)
Grand Street Medical
OakView
Doctor's Health Group of South Florida
George Prevas (less than 500, 7 SSN)
Bailey's Crossroads Dental Services



POST-RAID
Dr. Ronald Schultz DDS:
https://www.databreaches.net/its-10-pm-somewhere-do-you-know-where-your-old-databases-are/

Total Family Dentistry\Dansville Dental:
54,218 Patients
The latest was from an FTP Server with Acronis Disk Image.
Each archive was 30GB:


Dentech PMS has 54,218 Patients

WHY DOES THIS SERVER HAVE X-RAY SOFTWARE REGISTERED TO AN OFFICE THAT IS NOT THIS OFFICE???


Random Thoughts about moving to the "CLOUD":
Oh... I have thought more about Cloud vs Traditional Software... and I would like to see the "Cloud" incorporate at a minimum: two-factor authentication. And I would like to see the ability to encrypt the data on the cloud with a key that the doctor has control over. .. I don't know of anyone in Dentistry that offers this. So if you read this and think "I should just move to the cloud".. you could still be hacked if someone finds your credentials, and without two-factor, it would be EASY for someone to just login. If the cloud provider gets hacked, what does the Business Associate Agreement say about things like: Who pays the expense of notification? Who will assume the financial burden? On the other side of that coin is: If someone breaks into your office, you don't have to worry NEARLY as much as having a physical server onsite, stuff like that. Then there is the hybrid cloud, where your server is on the cloud, but fully accessible on your office network.

"And Stuff".







Eaglesoft 21 Bugs!


Eaglesoft 21 Bugs!



I thought I would make a blog post over Eaglesoft 21 bugs. They are driving me crazy.



Ever since upgrading from Eaglesoft 16, we occasionally have a problem where C:\windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config gets deleted or c:\Eaglesoft\Shared Files\eaglesoft.config gets deleted. What code has been written that would cause machine.config to disappear??? 

I am not sure why, but I have been occasionally asking Patterson Technical support about it, and so far the developers are still working on a fix.

Good god! Hurry up please!

How hard would it be to at least write a program that fixes these issues? 

Maybe add ocxreg.exe UNREG and ocxreg.exe REG

I am SOOOO tired of getting a call about Eaglesoft can't find the server on Checkout or etc.


Eaglesoft 21 Authentication Problem (FULL DISCLOSURE)


Primer:

Eaglesoft when installed without internet, has a default username and password in the database. Same for everyone, until the office gets internet.

What happens then is, a service running on the server will go out on the internet and talk to a Patterson server out on Amazon, and give it the office license... then the server spits back database credentials that the office will now use. This might also be exploited but is a protected computer I think, not sure.. haven't looked but I would guess you also need a certificate to talk to it.

Client

Run Eaglesoft, Eaglesoft fetches a list of employees\users so the login screen is populated but at this moment I am a bit confused on if this is from the database or the patterson application service. I believe after correctly logging in, the client then gets the database credentials from the patterson application service, but this is based on client validation. One can just ask the Patterson Application Service running on the office server for the database credentials and as long as you have the certificate, it will give it to you.

The certificate is all you really need...


Bennett.Prows@hhs.gov



CERT Coordination Center cert@cert.org

to me, cert
Greetings--

We will be closing this case on our end due to unresponsiveness from the
vendor.  We encourage you to request CVE ID(s) for your research in this
case by visiting https://cveform.mitre.org/.  Additionally, we encourage
you to publish your research if you desire to do so; we have exhausted
the avenues available for coordinated disclosure with the vendor's
participation.

Thank you for your report, and please feel free to reply with any
questions you may have.


~Eric Hatleback

Vulnerability Analysis Team
======================================================================
CERT Coordination Center
kb.cert.org / cert@cert.org
======================================================================


On 3/25/2020 7:21 AM, Justin Shafer wrote:
> Also I found this:
corporate.communications@pattersoncompanies.com
>
> which is probably more current then the Jennifer Joly one.
>
> On Wed, Mar 25, 2020 at 6:20 AM Justin Shafer <justinshafer@gmail.com>
> wrote:
>
>> I found this on the internet in an Eaglesoft press release:
>>
>> Corporate Communications Manager
>> jennifer.joly@pattersoncompanies.com
>>
>> On Mon, Mar 23, 2020 at 3:46 PM CERT Coordination Center <cert@cert.org>
>> wrote:
>>
>>> Greetings--
>>>
>>> We still have no response from the vendor on our end.  Do you perhaps
>>> have alternate contact addresses that we could try?  Thus far, we have
>>> been attempting to reach Eaglesoft via ptc.support@pattersondental.com.
>>>
>>> Thanks for any any alternative addresses you might be able to suggest.
>>>
>>>
>>> ~Eric Hatleback
>>>
>>> Vulnerability Analysis Team
>>> ======================================================================
>>> CERT Coordination Center
>>> kb.cert.org / cert@cert.org
>>> ======================================================================
>>>
>>>
>>> On 3/11/2020 8:20 AM, Justin Shafer wrote:
>>>> Anything new? Reading the SMBv3 compression VU... wow. Another way to
>>>> defeat bitlocker if someone stole the office server and just relied on
>>> tpm.
>>>>
>>>>
>>>>
>>>> On Tue, Feb 18, 2020 at 12:45 PM CERT Coordination Center <
>>> cert@cert.org>
>>>> wrote:
>>>>
>>>>> Hello--
>>>>>
>>>>> We have made two attempts to contact the vendor, but thus far we have
>>>>> received no response.
>>>>>
>>>>>
>>>>> Vulnerability Analysis Team
>>>>> ======================================================================
>>>>> CERT Coordination Center
>>>>> kb.cert.org / cert@cert.org
>>>>> ======================================================================
>>>>>
>>>>>
>>>>> On 2/14/2020 9:27 PM, Justin Shafer wrote:
>>>>>> How's it going?
>>>>>>
>>>>>> On Mon, Jan 6, 2020 at 9:42 AM CERT Coordination Center <
>>> cert@cert.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Greetings,
>>>>>>>
>>>>>>> We have received your report and are tracking it as VU#664029. Please
>>>>>>> retain the VU# in the subject of any email you send to us about this
>>>>> issue.
>>>>>>>
>>>>>>> Additionally, we received your 12-17-19 email, which seemed to
>>> indicate
>>>>>>> that the vulnerability has now been made public.  Could you please
>>>>>>> clarify this situation for us?
>>>>>>>
>>>>>>> Thank you,
>>>>>>>
>>>>>>>
>>>>>>> ~Eric Hatleback
>>>>>>>
>>>>>>> Vulnerability Analysis Team
>>>>>>>
>>> ======================================================================
>>>>>>> CERT Coordination Center
>>>>>>> kb.cert.org / cert@cert.org
>>>>>>>
>>> ======================================================================
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>> --
>> Justin Shafer
>> Onsite Dental Systems
>> 7704 Sagebrush Ct. S.
>> North Richland Hills, TX. 76182
>> (817) 909-4222

I even helped HHS after all this, but they have always ignored me.


Eaglesoft 18 through 21 vulnerability


What is Eaglesoft? 

Eaglesoft is dental software that we call PMS or Practice Management Software. It holds the chart info, insurance, patient info, scheduling, scanned documents and in some cases x-rays if the office is licensed for imaging.

Eaglesoft at one time relied on hard-coded credentials but has now changed the authentication.

When you install Eaglesoft with the server option, the installer installs Sybase SQL Anywhere with a default username and password. It also creates a service called Patterson Application Service, and of course the Eaglesoft client itself, although this is optional for the server installation. You could just install the database and application service all by themselves, though most people install all 3.

Database Password:

If the office has internet access, then the Patterson Application Service will send a server that is hosted on Amazon the Eaglesoft license\serial number, and the Amazon server will respond by sending a username and password that is now assigned to the office installation. This information is stored in C:\Eaglesoft\Data\Eaglesoft.Server.Configuration.data which is encrypted. The Patterson Application Service changes the SQL Anywhere Database to use these credentials from this point forward.

Client Authentication:

When you install the Eaglesoft client, the client doesn't know the credentials for the database. The client will talk to the Patterson Application Service over the LAN to get the credentials, but this is where the vulnerability is. To talk to the Patterson Application Service, you must use a certificate that is installed on the client and server version of Eaglesoft. The certificate itself is stored in the Windows certificate store. The certificate can be exported with the private key using the Windows certificate MMC console. First the client will ask the Patterson Application Service for a list of Eaglesoft Users, which is just a table in the database itself (not database users), to populate the main screen of Eaglesoft. At this point, the client still does not know the database credentials, and is still talking to just the Patterson Application Service. If the password entered for the user is correct, then the Patterson Application Service will give the client the SQL Anywhere database credentials.

What is vulnerable?

This is a pretty good design, except that the Patterson Application Service isn't intelligent enough to know if someone has first gone through the Eaglesoft username and password authentication. If someone reverse engineers the communications and learns the appropriate calls\methods, they could just write a program to ask the Patterson Application Service for the database credentials and the service will give them out to whoever is asking.

1. Eaglesoft runs, talks to Patterson App Service, gets a list of usernames for Eaglesoft.

2. The end user enters the password for an Eaglesoft User and if correct will then receive the database credentials for SQL Anywhere.

Again, the vulnerability is that someone can write a program to bypass the Eaglesoft User authentication and just ask the Patterson Application Service for the SQL Anywhere credentials. That and if the office doesn't have the internet, then the client and server fall back on hard-coded default database credentials.

What can I do to mitigate this problem?

Unfortunately, firewalling or stopping the Patterson Application Service running on the server will break the client authentication, so there isn't really a great way to fix this.  At least not until the Patterson Application Service is smart enough to know that the person asking for database credentials, has not yet gone through the Eaglesoft Username and Password authentication which will hopefully be fixed in a future Eaglesoft update.

How have I tested this?

I have access to about 11 different Eaglesoft installations and tested it on about half of them, and all of the ones I tested were vulnerable. The installations have different server names and licenses and all of them would give me the database credentials with a tool I put together.
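The hand-out flaw described in this post (and the same weak link called out in the Eaglesoft 18 RC3 notes earlier on this page), modelled beside the fix the post asks for, as an added example that is not Patterson's code or protocol: the class names, the session-token scheme, the PBKDF2 hashing and the sample user and credential values are all constructed for illustration.

```python
"""
Model of the credential hand-out flow described above and one way to close it.
Constructed example: class names, token scheme, hashing choice and sample data
are stand-ins, not Patterson's code or protocol.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UserRecord:
    """An Eaglesoft *application* user (a row in a table, not a database login)."""
    name: str
    salt: bytes
    pw_hash: bytes


def _hash_pw(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for "passwords in the database are now hashed" (constructed choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(name: str, password: str) -> UserRecord:
    salt = secrets.token_bytes(16)
    return UserRecord(name, salt, _hash_pw(password, salt))


# Constructed sample data: one office user and one backend (SQL Anywhere-style) credential.
USERS: Dict[str, UserRecord] = {"DRSMITH": make_user("DRSMITH", "correct horse battery staple")}
DB_CREDENTIALS = {"UID": "PDBA", "PWD": "<constructed-random-password>"}


def _password_ok(name: str, password: str) -> bool:
    rec = USERS.get(name)
    return rec is not None and hmac.compare_digest(rec.pw_hash, _hash_pw(password, rec.salt))


class WeakAppService:
    """The design the post describes: the application service answers a credential
    request from any caller that can speak the protocol, with no proof that an
    Eaglesoft user login happened first. The token argument is ignored."""

    def list_users(self) -> List[str]:
        return sorted(USERS)

    def authenticate(self, name: str, password: str) -> Optional[str]:
        # Returns a token for symmetry with the hardened service, but nothing checks it.
        return "unused" if _password_ok(name, password) else None

    def get_db_credentials(self, token: Optional[str] = None) -> Optional[dict]:
        return dict(DB_CREDENTIALS)  # handed out unconditionally


class HardenedAppService:
    """The fix the post asks for: authenticate() issues a short-lived, single-use
    session token, and get_db_credentials() releases credentials only for a valid one."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # token -> user name

    def list_users(self) -> List[str]:
        return sorted(USERS)

    def authenticate(self, name: str, password: str) -> Optional[str]:
        if not _password_ok(name, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = name
        return token

    def get_db_credentials(self, token: Optional[str] = None) -> Optional[dict]:
        if token is None or token not in self._sessions:
            return None  # no authenticated session: refuse
        del self._sessions[token]  # single use: a token is consumed on release
        return dict(DB_CREDENTIALS)


def bypass_succeeds(service) -> bool:
    """Does a caller obtain DB credentials without ever passing Eaglesoft user login?"""
    creds = service.get_db_credentials(None)
    return creds is not None and "PWD" in creds


if __name__ == "__main__":
    for svc in (WeakAppService(), HardenedAppService()):
        print(type(svc).__name__, "bypass succeeds:", bypass_succeeds(svc))
```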


Dentist Wifi Hack tweet analysis

I am doing this out of boredom, and just because I thought this was interesting.

Not exactly scientific research. I searched twitter for Dentist Hack and couldn't help but notice these tweets where they claimed to have hacked a dentist wifi. No telling who they really are, I just thought it was interesting. Especially because in 2015, most dentists use WPA2, and not a dictionary word? But then again it is possible the guest network is simply another router attached to the office router and it's not restricting the subnet. Or this is just bullshit. It makes sense though, the majority is female. This does NOT include tweets about attempting to hack the wifi (mainly female, yet again), nor did I include a dentist claiming he got hacked because he seemed to be joking.



And no, I don't "owe you 3 minutes of time back".. hahaha.




Suni Sensor with Apteryx notes


I have a client with a Nomad Portable X-ray head.. and wanted to see what the settings were for Threshold. That tab asks for a password so I used another program to figure it out. Since Suni is out of business, thought I would share.

Password is dentalimage

Here is what Dental TI or someone set for it, most likely for the Nomad. His patient was a former Suni sales rep... 



Community Health Plan of Washington - NTTData - Databreach from 2016


I thought I would make a blog post about the time I found a data leak. I was up late one night, similar to right now. I was hunting for leaks and I decided it would be fun to search filemare.com. I liked to search Filemare. Filemare.com WAS a search engine that indexed public FTP servers instead of WWW.  

For context, I had been raided by the FBI in May 2016 for downloading a file from a public FTP server and the company claimed I "hacked them" which is called CFAA or USC 18 1030a, a felony. It got a lot of publicity because nobody had ever heard of such a thing, in the tech industry. People download files from public FTP servers as well as HTTP all the time. The onus was on the FBI, and me being me decided I would help them in their quest. And the best way to do that is make them feel stupid. This ended up being an unwise move in the end, and it taught me a lesson in how to treat people. Most of the time anyways, I guess you could say I am a "recovering asshole". If I found an FTP server with PHI I would usually email it to the guy who was in charge of my raid. Just to make sure we are clear. I got upset at times and got emotional, mainly because of the car. Mid life crisis I guess.

Anyways, I searched for the word HIPAA and it came back with a server with odd-looking XML data, and when it loaded in the browser it just kept loading and loading because there was SO MUCH DATA.

I am sure my initial assessment was incorrect lol. But I did mess with some XML libraries for a bit.



I also found info.zip on the FTP server which meant the account used for public viewing could also write to the FTP server. There was a virus going around the internet looking for public FTP servers that allowed write access, and if that was allowed, would copy itself to the FTP server. 

I also checked the openftp4 repository on GitHub, which was a snapshot of every public FTP server in the ipv4 address space shortly after my raid, which shows something called a Banner. A Banner is what you see when you login to the FTP server and it showed if it allowed "anonymous access" which means public.


I still have a screenshot and there is so much data you might as well just imagine a 100% redacted document.

I decided to show all my friends on Facebook so they could witness this, as this breach was SO large I wanted some other folks to see what I was seeing. Why? Because companies just LOVE to LIE. And the FBI doesn't give a sh*t. They will even vandalize a car if you're a smart ass about it. So... have fun going after my Facebook friends for something that isn't illegal. That was my thinking back then, and the supreme court ruled that I WAS RIGHT in mid-2021. This is the reality\society we live in. The federal government would at one time, raid you on some behest of a company, because.. you downloaded a file that some IT guy didn't secure. Land of the Free and Home of the Brave, you say?



Anyways, I helped 400K that time. This is still the largest I have found to date, the runner-up being MedEvolve. When I say "Data security is really cool on the cloud", it comes from this: https://www.dentaltown.com/magazine/article/2623/corporate-profile-curve-dental Which I think I blogged earlier about, and how full of sh*t I was for saying that.

I should tell the story of how I found some social security numbers on the https://npiregistry.cms.hhs.gov/ database using google, only 24, but it was still cool to me. I reported it to the government, and they changed the SSN to $ characters. Hooray for me!

I realized whose server this was, by going to the WWW side of this server instead of FTP and could see a Community Health Plan of Washington logo, etc. This side was NOT public, it required a username and password.


Months later the FBI would go on to claim I stalked them by friend requesting an agent's wife with the message I thought he was homosexual and was surprised he was married. Also I posted some back the blue image on my facebook that scared them. There had been a recent shooting between an armed gunman and the Dallas Police Dept. And the FBI took that to mean... something stupid. But being stupid is nothing new to the FBI.



So much so that the agent's wife claimed she needed a firearm, armed security at her work, and she had to move out of her house for 2 weeks. Literally. When it got close to trial my actual judge (Judge Godsby) let me out of jail on first amendment grounds and the prosecution didn't like that. So they got another lower judge to claim I had cyber-stalked him too, from just emailing him regarding him signing search warrants to allow the FBI to raid me. So then Judge Godsby had to recuse himself and they found a judge from Houston to try my case. And she seemed to side with me too, but that is for another story. Misdemeanor is what she thought would be a good idea, but not over FTP, yes.. to make the judge happy and save 20K at trial, I pleaded guilty to threatening an FBI agent's family member.. But we all know what really happened, don't we? They also claimed I was the mastermind of "thedarkoverlord" hacking group. But that is also for another story.

Life got unreal. While I was in jail awaiting trial this person tweeted this image to me:

https://twitter.com/matter_2575/status/859579175648231424 



This was interesting because it was an attachment I sent to 2 people to prove how long I had called someone at CHPW, just in case, because you have to make sure you have all this stuff. One was Jeff, the other Bob Young, the Seattle Times guy. I should have recorded CHPW because they lied in their report to the Seattle Times. I left them my name and number and even tweeted to them as well.

https://www.seattletimes.com/seattle-news/health/data-breach-exposes-info-for-400000-community-health-plan-members/

"The incident began when someone left a phone message with the agency on Nov. 7. McGuire said she doesn’t have information about that person’s identity or motive. The caller, McGuire said, just indicated that they had identified a vulnerability in the computer network of the firm that provides the organization with technical services."

1. I never call something public a "vulnerability".

2. I always leave my info, and in fact, they returned my call. I called from my Google and Verizon phone numbers.



But the fact that someone was now tweeting this image to me from my private email meant either the Seattle Times reporter Bob Young was making fun of me, or the FBI had used the attachment to make fun of me and matter_2575 is an FBI agent, OR matter_2575 is a local HIPAA attorney named Jeff. I kind of doubt that, but one never knows. He gave me 1K cash when I got out of jail, which I am thankful for. But.. maybe he felt guilty??

Funny fact: I thought the FTP server was managed by Dell, but Dell had sold this to NTTData very recently in that time and could have been Dell's fault for all we know. I went to see the @NTTDataServices account on twitter and they had ALREADY blocked me. lol.

Anyways, this entire pissing match started over Patterson Dental having me raided over their FTP server mistake, which they NEVER were fined for by HHS for such a blatant HIPAA violation. I still have the data too, the FBI recently gave it back to me. I might even have this data but the drive doesn't work and I doubt it worked when the FBI went to "format" it or whatever they tried to do.. Sigh. Up until my FBI raid I had only found some FTP servers in my spare time (Grandstreet) but after my raid, I kicked my research into FULL GEAR. I have never REALLY blogged about it, and this post doesn't really count. Like the Nevada Marijuana Databreach... that was really cool. Not sure about NTT Data, or all the other FTP servers I found on the internet, like Dansville Dental (50K of Patients), or Patient's Choice which I wonder about, because they claimed 1069 patients when in reality it was 1069 pdf files, not patients. Doubt letters were mailed out. I personally submitted complaints with PHI and screenshots of Google search results, recorded phone conversations, their answer: We aren't going to investigate. 

"Sorry, the Federal Government can't look stupid, by having you find patient data on public FTP servers"... click.

 It is dumb to raid someone for downloading a file that didn't have ANY technological safeguards and was deemed public for anyone to download. But, we all knew that anyway... didn't we? I am sure I emailed my findings to the Dallas FBI at the time just to gloat. 

As Dr. Larry Emmott would say:


I made a FOIA request to the government!


 I made one to the FBI, and then two to HHS. I made two because the first FOIA "2022-00073-FOPA-OS" never got updated on the HHS website.

So I made one on muckrock.

https://www.muckrock.com/foi/united-states-of-america-10/js-submission-documents-123454/

It is similar to this one I found, which has gone unanswered.

https://www.muckrock.com/foi/united-states-of-america-10/justin-shafer-submission-documents-45951/

I hope one day, I find out more about the time HHS ignored what I found on public FTP and HTTP servers. I still have all those letters and some info I sent them, but I will always wonder why they chose not to investigate. 


Eaglesoft 21.20 fixes a security vulnerability.


 I thought I would make a blog post about the latest Eaglesoft which is 21.20.7 as this version has a fix for the security issue I found.

Now the authentication requires an attacker to know the office license before attacking the database from a computer that doesn't have Eaglesoft installed, which gives a "uniqueness" to the office that the attacker is attacking. I don't see any major issues with this, except that maybe someone could try to brute force it, since the license is only numerical and the customer number is embedded into it.

But, hat tip to Patterson's developer that made this happen.

I haven't seen Patterson acknowledge that there was a vulnerability in the first place, leaving users in the dark. People on older versions would have a reason to upgrade the software.


...... I think I completed my project.



Shake it off, Why doesn't HHS do its job?


Proverbs 3:30



https://www.bleepingcomputer.com/news/security/fbi-alert-urges-companies-to-secure-ftp-servers/

https://www.databreaches.net/developing-justin-shafer-arrested-charging-with-cyberstalking-fbi-agents-family/

https://motherboard.vice.com/en_us/article/fbi-investigating-security-researcher-for-links-to-dark-overlord-hacking-gang Seems my phone call to the St. Louis FBI fell on deaf ears (I felt like she was an air head anyways), and me sending the Farmington Database to the Dallas FBI on July 1st 2016 had zero effect. TDO told me he is hacking everyone because the FBI "Butt Fisted" me.. his words. The only other insightful thing he told me is that he does security for a living.

https://assets.documentcloud.org/documents/3535241/Shafer-Complaint.pdf (they padded this complaint with TDOHack3r krud)

Accessing an anonymous (public) FTP SERVER is NOT a violation of the CFAA. =)

How about this:
Why does the Office of Civil Rights refuse to investigate GRAND STREET MEDICAL?
https://www.databreaches.net/ny-treasure-trove-of-grand-street-medical-associates-patient-data-exposed-and-indexed/

To add to the confusion the Dallas Office of Civil Rights is investigating Patient's Choice. They told me to keep it on the down low, but not after all this. They had a public FTP Server, I even recorded the IT guy. 
https://soundcloud.com/justin-shafer/tracks So why does one office refuse to investigate, but another office does investigate?

https://www.scribd.com/document/345133237/OCR001

When will I get my videos of my kids back? When will I get my property back? When will the FBI apologize for the way they have treated me? (NEVER). Maybe attorneys will learn to turn off tracking changes. heh.

 

I would LOVE to sue Patterson Dental. No, REALLY. Instead I am going to spend my money hiring a very good attorney named Tor Ekeland. It is what it is. 

 

Not allowed to get on Twitter or Facebook etc. (Anything to get out of jail, right?)  A judge said so. They also said I was a flight risk after turning myself in and then they had the audacity to say I was a threat to society. Riiiiiight. I even get to have 8 mental health evaluations because my Probation Officer said people were afraid I would kill myself! Ha!

Threats:

1. The VAN. A woman drove to my house and laid on the horn until I went outside.. I asked her what she wanted and she told me if I cared about my kids and drove away. (I had just submitted a breach to HHS regarding Williamsport but I used the doctors name and made up a patient count of 2600 (funny, because that was the number they used too, haha), because Dentrix had talked to the doctor and Dentrix told me they were "sure I wasn't the one who uploaded it"... I was too afraid to use my name for fear of retaliation. I thought the van was either Schein or the FBI. (It was the FBI)  http://justinshafer.blogspot.com/2016/01/williamsport-pa-databreach-update.html 

 

2. Phone call from Nathan Hopp during March 2013. After I went to WNEP about Williamsport, agent Hopp called me to ask me if I was a penetration tester and told me I don't want to get another phone call from the FBI. (I felt threatened by this, and told him I would tell ALL my friends on facebook.. not sure why I said that.. but... yeah)

 

3. The Patterson Dental RAID: Agent Hopp told me I should move. I gave him a look and he told me.. ."to colorado"...  He repeated this later.. I am pretty sure this is because I used to buy pot from a guy who had PTSD and he kept telling me he would kill me if I was late.. And finally I told him he should move... (after he told me he would meet me at my work, he had seen my website which means my house) I told him I was working with the "government" regarding the FTC and Dentrix and we would "both" be in a lot of trouble. Seemed to work too. =)

 

4. They beat the shit out of my car during the RAID. A fort worth cop was with me when they made all the racket and knocked over a metal trash can. Now I have dents on my car like they beat it with something and then opened my car door hard enough to put a dent in it, because there are kids toys next to my car, and they didn't bother to move them. 

 

5. That VAN was parked outside of Colleen's and Matt's (neighbors) house during the Patterson Raid.

 

Nathan Hopp laughed at me and told me "Man.. Schein really burned you" and I told him it was them who really burned me. This wasn't a threat but just more of his smart ass attitude. When they pulled me out of my house in my boxers the FIRST thing I said was "WOW, This is how you treat people who help protect the American People?" By my count I am up to 500,000 Social Security Numbers.

 

FBI is shady. Make NO mistake about it. 

 

Nathan does nothing but threaten people, in my opinion. 

 

Can't wait to test Dentrix G6.3, maybe they FINALLY got rid of the hard-coded credentials. Maybe one day US-CERT will update their VU#.

 

Patterson Dental's FTP Server Notes:

https://www.experts-exchange.com/questions/26983588/powershell-ftp-user-creation.html
Tony Elam worked on a Powershell script that would create a directory for a new user and restrict that directory to just that user. Seems to have worked too.





He wrote it in 2011. That is when most files on the ftp server were created.
http://www.mmnt.net/db/0/0/ftp.eaglesoft.net/Trainers
You can see most of these folders were created in 2011.
So.. these users\folders are SUPPOSED to be denied access for ALL users EXCEPT the user that the folder is assigned to.
Except mmnt's older cache reports that sometime in 2013 it was able to crawl ftp.eaglesoft.net:
http://web.archive.org/web/20150412233208/http://www.mmnt.net/db/0/0/ftp.eaglesoft.net
  Server: ftp://ftp.eaglesoft.net
     Total files found: 294,387
     Total  dirs found: 42,297
     Total links found: 0
     Indexed at: Thu Aug  1 06:39:19 2013
Someone could argue that the server was ONLY configured for directory listing and NOT read access..
But the whole point of the powershell script is to prevent even directory listing, let alone read access.
Tony Elam got promoted in 2013, and someone else (I bet) started to administer the ftp server at Patterson Dental, and HAD to have RESET the NTFS file permissions, and when they did that, it allowed the ENTIRE WORLD to READ the folders and files on the ENTIRE ftp server.
Case in point: http://www.pdfpump.com/patterson-test/ Pdf pump was able to read a pdf file in a trainer folder.



I attached the trainers.png for you to see otherwise it is still there. I have contacted pdfpump and asked to see if they have a file called MGH Evaluation Reports.pdf that was on the Trainers MGH Dental Group Folder.
I have connected to Tony Elam as well on LinkedIn about 30 minutes ago explaining some of this.. And also commending him on doing a good job on the powershell script. And pdfpump.. and etc.
I see what went wrong. And I feel like I am being blamed. I am hoping maybe they would like to gracefully exit this situation. Also my personal dentist may have downloaded the dental.log file that has the MGH patient data inside.
HARD TO EXPLAIN????
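The failure described in these notes is a per-user NTFS ACL on each FTP home folder that later got reset, so that "Everyone" could list and read every folder. The script below is an added example, not Tony Elam's script or anything from Patterson: it walks an FTP root (the path D:\ftproot and the layout <root>\<username> are assumptions) and reports every folder where a broad principal holds an Allow ACE with the list/read bit, which is exactly the state a permissions reset leaves behind. With -Fix it re-applies the intended model: inheritance off, Administrators and SYSTEM keep full control, the owning user (assumed to be the local account with the same name as the folder) gets Modify, and nobody else is listed at all.

```powershell
# Added example (not Patterson's script): audit per-user FTP home folders for
# NTFS ACEs that let broad principals list or read them, optionally re-locking them.
# Assumes the layout <FtpRoot>\<username> with a matching local account per folder.
param(
    [string]$FtpRoot = 'D:\ftproot',   # assumed path, change to the real FTP root
    [switch]$Fix                       # without -Fix the script only reports
)

# Principals that should never appear in an Allow ACE on a private user folder.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'BUILTIN\IIS_IUSRS',
    'NT AUTHORITY\IUSR'
)

# ListDirectory (on folders) and ReadData (on files) are the same access-mask bit,
# so a server that "only allows directory listing" is granting the read right too.
$ReadMask = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory -bor [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-UserFolderAcl {
    param([System.IO.DirectoryInfo]$Folder)
    $acl = Get-Acl -Path $Folder.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $isBroad    = $BroadPrincipals -contains $ace.IdentityReference.Value
        $grantsRead = (([int]$ace.FileSystemRights) -band $ReadMask) -ne 0
        if ($isBroad -and $grantsRead) {
            [pscustomobject]@{
                Folder    = $Folder.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited = the root's ACL leaked in
            }
        }
    }
}

function Repair-UserFolderAcl {
    param([System.IO.DirectoryInfo]$Folder)
    $acl = Get-Acl -Path $Folder.FullName
    # Stop inheriting from the FTP root (a permissions "reset" turns inheritance back on)
    # and discard the inherited ACEs instead of copying them as explicit ones.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $entries = @(
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = $Folder.Name;             Rights = 'Modify' }   # owning user = folder name (assumption)
    )
    foreach ($e in $entries) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($e.Id, $e.Rights, $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Folder.FullName -AclObject $acl
}

$findings = Get-ChildItem -Path $FtpRoot -Directory | ForEach-Object { Test-UserFolderAcl -Folder $_ }
if (-not $findings) {
    Write-Host "No broad list/read access found under $FtpRoot"
} else {
    $findings | Format-Table -AutoSize
    if ($Fix) {
        $findings | Select-Object -ExpandProperty Folder -Unique |
            ForEach-Object { Repair-UserFolderAcl -Folder (Get-Item $_) }
    }
}
```

Run it without -Fix from a scheduled task and alert on any output; a clean server prints nothing. The Inherited column is the tell-tale: if the offending ACE is inherited, someone re-enabled inheritance on the user folders, and every folder under the root is affected at once, which is the scenario the notes above describe.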

I pray for the FBI, and all the good guys at the Mansfield Federal Holding Facility. They were SOOOOO NICE to me. Specifically to a guy named X who helped me appreciate life more, he is a good example for any Christian. God bless you, and thanks for hooking me up with soups when I was hungry. He was right.. I am skinny. =) 6 of em.. and a cup and a bowl. All X did the entire time I was there was pray and read scriptures. He has a full back tattoo that says Crime Pays. Guys like him deserve a second chance.

 

A great read:

https://books.google.com/books?id=NcLwhTDBICgC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false


 

God help all the kids in Dallas County with face tattoos. 

 

John doesn't believe "Dope Smokers" are on the right path.. I think he may be onto something. You must pick up your cross daily. The narrow gate that few ever find. You have to deny yourself daily.

 

No comments allowed on this blog post, and blogger is NOT social media. It IS my first amendment right. You can take my facebook and twitter, but you will NOT take away my blog.

 

Happy Good Friday! When life gives you lemons... Make lemonade.

 


How I fixed the Pano


 Problem: At some point, the RayScan Pano started doing strange things with Curve Capture:


After a long diagnostic, I realized it wasn't related to the new 64-bit version of Curve Capture, plus the TwainApp.exe program they use is still 32-bit.

So, from my own programming experience, I know how hard it is to get a window to be the top window, in Microsoft Windows 10. I can see Curve Capture trying to get the Twain Window to be the "top window" when we call the window. I have also noticed that the Curve Capture application will minimize and maximize a window.


The function in Windows for doing this is called ShowWindow (along with many others) and if you use IDA you can see for yourself what is going on. If the Twain UI Window is not at the top of Z-Order, then minimize and restore the Window. 


See the ShowWindow being called twice with options 6 and 9? That is minimize (6) and restore (9) being called on the Twain window... However, the RayScan Pano window we are dealing with is a Modal Popup style window and doesn't support either option.


So... I decided to just have ShowWindow do number 1 (SW_SHOWNORMAL) instead. Anytime 6 (SW_MINIMIZE) and 9 (SW_RESTORE) are being called I changed it to 1.



And then save the patched bytes back to the TwainApp.exe program and PRESTO!



Update: I narrowed this down to ShowWindow(6) (Minimize) causing the UI problem with the RayScan Pano Twain Driver. If I call 9 twice in a row, the UI still looks fine. Emailed someone with the code I use to get at the top of the Z-Order. Maybe they will implement it.
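The fix in the post patches the constants inside TwainApp.exe. The alternative the post alludes to, raising a window to the top of the Z-order without ever sending SW_MINIMIZE, looks like this. It is an added example, not the code the author emailed and not anything from Curve or Ray: it P/Invokes the same user32 functions from PowerShell, restores the window only if it really is minimized, and then uses SetWindowPos with HWND_TOP, which a modal popup handles fine. The window caption 'RayScan Pano' is an assumption; substitute the real one.

```powershell
# Added example (not the author's emailed code): raise a window to the top of the
# Z-order without SW_MINIMIZE/SW_RESTORE, which a modal popup may not support.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool SetWindowPos(IntPtr hWnd, IntPtr hWndInsertAfter, int X, int Y, int cx, int cy, uint uFlags);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool SetForegroundWindow(IntPtr hWnd);
[DllImport("user32.dll")]
public static extern bool IsIconic(IntPtr hWnd);
[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr FindWindowW(string lpClassName, string lpWindowName);
'@

# nCmdShow values from WinUser.h; the post patches 6 and 9 into 1.
$SW_SHOWNORMAL = 1
$SW_MINIMIZE   = 6   # the call that breaks the modal popup, never used below
$SW_RESTORE    = 9
# SetWindowPos arguments
$HWND_TOP       = [IntPtr]::Zero
$SWP_NOSIZE     = 0x0001
$SWP_NOMOVE     = 0x0002
$SWP_SHOWWINDOW = 0x0040

function Show-WindowOnTop {
    param([IntPtr]$Hwnd)
    if ($Hwnd -eq [IntPtr]::Zero) { throw 'Window not found' }
    # Restore only when the window really is minimized; otherwise show it as it is.
    if ([Win32.Native]::IsIconic($Hwnd)) {
        [void][Win32.Native]::ShowWindow($Hwnd, $SW_RESTORE)
    } else {
        [void][Win32.Native]::ShowWindow($Hwnd, $SW_SHOWNORMAL)
    }
    # Move it to the top of the Z-order without touching size or position.
    $flags = $SWP_NOMOVE -bor $SWP_NOSIZE -bor $SWP_SHOWWINDOW
    [void][Win32.Native]::SetWindowPos($Hwnd, $HWND_TOP, 0, 0, 0, 0, $flags)
    # Keyboard focus: Windows only grants this to a process that is (or was just)
    # in the foreground, so the return value is worth checking rather than ignoring.
    return [Win32.Native]::SetForegroundWindow($Hwnd)
}

$hwnd = [Win32.Native]::FindWindowW($null, 'RayScan Pano')   # assumed window caption
Show-WindowOnTop -Hwnd $hwnd
```

If SetForegroundWindow returns false the window is still on top of the Z-order; it just did not receive focus, which is the behaviour Windows 10 enforces against background processes stealing input, and the reason the minimize/restore trick was being used in the first place.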

Eaglesoft 20 Authentication

Someone sent me an email about this, and thought I would share.

Via email... Alan..
Open Eaglesoft, open the database navigator.. Drop to console and run this command:

Use this:

WMIC /OUTPUT:Process.txt path win32_process get Caption,Processid,Commandline

And you will get this:


dbisqlc.exe "C:\EagleSoft\Shared Files\dbisqlc.exe" -cDBN=DENTSERV;DSN=DENTAL;UID=PDBA;PWD=fK)ZAqhDc/yvg!x`1k=IpxUC#HQKEcL4

Now you know the PDBA Password: In this case..

fK)ZAqhDc/yvg!x`1k=IpxUC#HQKEcL4

Have fun!
https://pattersonsupport.custhelp.com/app/home
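What the WMIC query shows is a database password handed to dbisqlc.exe on its command line, where Win32_Process.CommandLine exposes it to any local user who can see the process. The script below is an added example, not from the email or from Patterson: it scans the running processes for connection-string password keys (PWD=, PASSWORD=, PASSWD=), redacts the value before printing anything, and can be run as a periodic check on a workstation. The sample command line at the bottom is constructed to match the shape of the dbisqlc line above; it does not use the real value.

```powershell
# Added example (not from the post): find running processes whose command line
# carries a database credential, the way the WMIC query above exposes PDBA's.
# Only the key names are reported; the secret itself is redacted before output.

# Connection-string style keys that carry a password (ODBC / SQL Anywhere use PWD=).
$SecretKeyPattern = '(?i)(?<key>\b(?:PWD|PASSWORD|PASSWD)\s*=\s*)(?<value>"[^"]*"|[^;\s]+)'

function Hide-CommandLineSecrets {
    param([string]$CommandLine)
    # Keep the key so the finding stays readable, replace the value with a marker.
    return [regex]::Replace($CommandLine, $SecretKeyPattern, '${key}***REDACTED***')
}

function Test-CommandLineHasSecret {
    param([string]$CommandLine)
    return [bool]($CommandLine -and [regex]::IsMatch($CommandLine, $SecretKeyPattern))
}

function Find-ProcessesWithSecrets {
    # Win32_Process.CommandLine is readable without elevation for the caller's own
    # processes and by any admin for all of them; a password there is effectively logged.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { Test-CommandLineHasSecret $_.CommandLine } |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                Name        = $_.Name
                CommandLine = Hide-CommandLineSecrets $_.CommandLine
            }
        }
}

# Constructed sample with the same shape as the dbisqlc line in the post (not the real value).
$sample = 'dbisqlc.exe "C:\EagleSoft\Shared Files\dbisqlc.exe" -cDBN=DENTSERV;DSN=DENTAL;UID=PDBA;PWD=ExampleSecret123'
Hide-CommandLineSecrets $sample

Find-ProcessesWithSecrets | Format-Table -AutoSize
```

The check only tells you the exposure exists; the remedy is on the vendor side, since the password has to stop travelling through argv at all (Sysmon event 1 and Windows 4688 with command-line logging will otherwise write it into the event log as well).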

Eaglesoft 21 Bugs! Part 2


 Update to post: https://justinshafer.blogspot.com/2021/06/eaglesoft-21-bugs.html

I decided it would be fun to take a look at what can cause machine.config to disappear and I think it has something to do with Microsoft.ServiceBus.dll because it seems to be the only dll capable of editing machine.config, and this dll is part of the Eaglesoft API Service. This might be right as the bug may have appeared when the API service started back in a prior version of Eaglesoft. I have spent some time googling Microsoft.ServiceBus.dll and I think the version Eaglesoft is using may have some bug. 

Eaglesoft is currently using version 3.4.6 (the NuGet package linked below), and Microsoft seems to have fixed some bugs since then, as the current version is 6.2.2, which supports .NET 4.6.2. 3.4.6 is for .NET 4.5.2.

None of the actual dll files Eaglesoft API uses are referencing this dll, the only thing I can find is an addition to Patterson.Eaglesoft.API.Server.exe.config

https://nuget.info/packages/WindowsAzure.ServiceBus/3.4.6
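Rather than guessing from the DLL which component removes machine.config, the file itself can be made to tell you. The script below is an added example, not something from Patterson or from the earlier post: it puts an audit rule (SACL) on both the 32-bit and 64-bit .NET 4 machine.config files for delete and write access, turns on the File System audit subcategory, and then reads back Security event 4663, which records the process name and account behind every audited access. Run it elevated; the two paths are the standard .NET 4.x locations.

```powershell
# Added example (not from the post): find out which process removes machine.config
# by putting a SACL (audit rule) on the file and reading the resulting 4663 events.
# Run elevated. Paths are the standard .NET 4.x locations.

$MachineConfigs = @(
    "$env:windir\Microsoft.NET\Framework\v4.0.30319\Config\machine.config",
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
)

function Enable-MachineConfigAudit {
    # Object-access auditing is off by default; the SACL produces nothing until this is on.
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    $rights = [System.Security.AccessControl.FileSystemRights]'Delete, WriteData, WriteAttributes'
    $flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    foreach ($path in $MachineConfigs) {
        if (-not (Test-Path $path)) { Write-Warning "$path is missing (already gone?)"; continue }
        $acl  = Get-Acl -Path $path -Audit                     # -Audit is needed to read/write the SACL
        $rule = [System.Security.AccessControl.FileSystemAuditRule]::new('Everyone', $rights, $flags)
        $acl.AddAuditRule($rule)
        Set-Acl -Path $path -AclObject $acl
        Write-Host "Auditing delete/write on $path"
    }
}

function Get-MachineConfigAuditEvents {
    param([int]$Hours = 24)
    # Event 4663 = "An attempt was made to access an object"; it names the object
    # and the process that touched it, which is the attribution we are after.
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.ObjectName -like '*\Config\machine.config') {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Process    = $d.ProcessName
                    AccessMask = $d.AccessMask    # 0x10000 = DELETE, 0x2 = WriteData
                    Object     = $d.ObjectName
                }
            }
        }
}

Enable-MachineConfigAudit
Get-MachineConfigAuditEvents -Hours 24 | Format-Table -AutoSize
```

Leave the SACL in place across the next Eaglesoft API Service start or update, then query again: the Process column will be the executable that deleted or rewrote the file, which settles whether the service (and by extension the ServiceBus assembly it loads) is the culprit or something else on the machine is.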





A great sermon


 Someone I follow posted this sermon on Twitter and I really enjoyed watching it.



OCR Letter Regarding Patterson Dental


 I made a complaint to HHS a while back. It was in regards to Patterson Dental not answering requests from CERT regarding Eaglesoft. CERT is an entity that helps coordinate security problems between researchers and vendors. Eaglesoft is a Business Associate, for all the dental offices that use it, under HIPAA. It is included in the Eaglesoft end-user license agreement when you install Eaglesoft. Basically, the point of this post is to highlight how large companies seem to barely get into trouble with the government. Want to lie about your encryption? The fine is an easy 250K. No problem when you have billions. Want to share out files on your public FTP server? You don't pay a fine, instead, the guy who found it gets raided by the FBI. Then when that guy wants to close a security hole, the company can ignore it and HHS doesn't care. I have read where someone left an unencrypted laptop somewhere and wound up paying millions. Who knows. 

I received an email from an investigator who is in Region 8, which covers neither Minnesota nor Illinois. And his official job title is "Equal Opportunity Specialist". I figure by now OCR\HHS probably knows who I am in regards to some sort of "history", lol. So I tell Sean the investigator a 1 hour story, and he was actually a lot of fun to talk to. He did ask me jokingly if I was "TheDarkOverlord" lol. I did tell Sean that the FBI gave me back Patterson Dental's files, as some sort of final "F you" I guess, along with a flash drive that has an NTFS label of "JMS SUCKS ASS", to support my claim. lol.

I left out the part about the time I alerted the FBI and HHS to the time I found SSN on the HHS NPI database via an ic3 report. Or the time we emailed some guy named Bennett Prows. I did tell him once I submitted a databreach report to HHS as a David DiGiallorenzo and put the patient count at 2600. And so when HHS put it on the wall of shame, after I went to the news, the number was 2600. https://www.databreaches.net/hhs-corrects-entry-for-lanap-implant-center-breach/

I admitted it was stupid. I had to explain the whole captain crunch whistle stuff. It was because someone at Dentrix told me I would be blamed if I ever told anyone.

 Anyways, 2 days after the interview I received an email they are closing the investigation. Oh well, I tried. I guess you cannot win them all. I still feel like the entire thing was unfair, but I have learned to stop expecting great things from the government. I was super lucky I won the FTC thing. I was told the fines are calculated by some algorithm. I will file this HHS letter with the rest of them, some I have uploaded to muckrock. https://www.muckrock.com/foi/united-states-of-america-10/js-submission-documents-123454/ 



Yet, you can slander the hell out of someone, have the FBI raid a guy because you goofed, and then call it "theft" lol, etc. I struck up a conversation with this kiddo around July 2021, and it was interesting. 

He just didn't care that he had slandered me. I found out his dad worked for Patterson Dental doing security. I told him in response, that I was not going to sue him. Instead, I would finish my work. I can see now, that he has deleted his account. Interesting. I had attempted to get Patterson to respond to a vulnerability and didn't have any success, but I decided I should try again. I was successful in this regard, just not with HHS. https://nvd.nist.gov/vuln/detail/CVE-2021-35193

The 22,000 patients comes from this:

His username was tpayne174 and I found this, after finding more stuff. His dad no longer worked at Patterson at this point in our conversation. The kiddo still didn't care. Showed him how I "allegedly" proved how the torrent was uploaded, etc. The kiddo still didn't care.

Patterson Companies, Inc.
Total Duration: 6 yrs 10 mos
Title: Information Security Manager II
Full-time
Dates Employed: Jul 2017 – Oct 2019
Employment Duration: 2 yrs 4 mos
Location: Saint Paul, MN
• Manage the security staff and toolset for a $6+ billion-dollar Fortune 500 company, including Identity, Security Operations, Security Engineering, and Application Security functions.
• Represent Information Security in meetings with project teams, senior management, and outside collaborators to ensure that security is engaged with the business at all levels.


