Justin Shafer’s Record of Finding Security Vulnerabilities
Who is Justin Shafer?
Justin Shafer is known among cybersecurity professionals around the world as a white-hat security researcher.
He has been publicly credited at least three times by Carnegie Mellon University’s Software Engineering Institute (SEI), which is sponsored by the Cybersecurity Division of the Department of Homeland Security, for his work in discovering security vulnerabilites. It’s been estimated that the identities of half a million patients were protected by the expertise and actions of Justin Shafer.
Below are the three serious vulnerabilities that Justin Shafer properly reported to U.S. authorities between 2013 and 2016.
Vulnerability Note VU#948155
Henry Schein Dentrix G5 uses hard-coded database credentials shared across multiple installations
“Thanks to Justin Shafer for reporting this vulnerability.” CERT, April 26, 2013
Vulnerability Note VU#900031
Faircom c-treeACE database weak obfuscation algorithm vulnerability
“Thanks to Justin Shafer for reporting this vulnerability.” – CERT, June 10, 2013
Vulnerability Note VU#619767
Open Dental installs with default database credentials
“Thanks to Justin Shafer for reporting this vulnerability.” – CERT, September 6, 2016
* CERT stands for Computer Emergency Response Team, an expert group that handles computer security incidents.
The CERT Coordination Center is the worldwide center for coordinating information about Internet security at Carnegie Mellon University. It is the first and most well-known CERT.
RECENT NEWS AND BLOG ARTICLES ABOUT JUSTIN SHAFER
A security researcher embarrassed the D.O.J., and the F.B.I. retaliated with a subpoena.
The crazy story of how the DOJ issued a subpoena to Twitter attempting to identify five Twitter users, not because of anything they had done, but because someone else the DOJ disliked — a security researcher named Justin Shafer — had tweeted an emoji at them in response to a discussion about a different case.
DOJ Subpoenas Twitter Users Over Smiley-Face-Emoji Tweet
Popehat (First-Amendment Law Blog): popehat.com/2017/10/24/in-which-my-identity-is-sought-by-federal-grand-jury-subpoena/
Daily Dot: dailydot.com/layer8/justin-shafer-fbi-raid/
FBI raids security researcher who discovered private patient data on public server
Someone alerts you to exposed, unencrypted patient information on your FTP server. Is the correct response to thank them profusely or try to have them charged as a criminal hacker?
— Darrell Pruitt (@Proots) October 26, 2017
Below is the voice of the first witness in the Rivello case.