Whistleblower Claims Cybersecurity Company Generated Fake Data Breaches To Sell Protective Services
from the selling-you-fixes-you-don't-need-for-problems-you-don't-have dept
Making money without actually having to earn it is the American dream, isn't it?
In a federal court this week, Richard Wallace, a former investigator at cybersecurity company Tiversa, said the company routinely engaged in fraud -- and mafia-style shakedowns.
To scare potential clients, Tiversa would typically make up fake data breaches, Wallace said. Then it pressured firms to pay up.
"Hire us or face the music," Wallace said on Tuesday at a federal courtroom in Washington, D.C. CNNMoney obtained¹ a transcript of the hearing.
Tiversa would allegedly turn over "information" about these fake breaches to the FTC and push the agency to come down hard on the companies who refused to hire it. Once the FTC started asking questions, Tiversa would again approach these companies and ask them if they'd reconsidered the use of their services.
Wallace's testimony suggests Tiversa engaged in several unethical practices at the behest of CEO Bob Boback. One of the companies it targeted with its fake breaches was LabMD. After LabMD expressed reluctance to hire Tiversa, Bob Boback delivered a simple message to Wallace.
Q. Are you aware of whether or not LabMD agreed or refused to do business with Tiversa?
A. I think initially I don't think that there was a -- I don't think that they did not want to do business with Tiversa initially, and I think that as the communication advanced back and forth from Bob and different people with LabMD, I think that that's when they decided that they did not want to do business with Tiversa.
Q. Did Mr. Boback have a reaction to LabMD's decision not to do business with Tiversa?
A. Yes.
Q. And what was that reaction?
A. Do I say it?
MS. BUCHANAN: Answer the question.
THE WITNESS: He basically said f--- him, make sure he's at the top of the list.
The "list" was a compilation of prospective Tiversa customers, compiled with the assistance of investigators who had managed to secure personally identifiable information from companies' servers. This was the information that was threatened to be turned over to the FTC (or in some cases, was turned over before contacting the companies) if these companies refused to purchase Tiversa's services.
Q. Why does their name appear on the list?
A. So that the FTC would contact them and notify them of a data breach and hopefully we would be able to sell our services to them.
Q. Did someone tell you to put their name on the list?
A. Yes.
Q. Who?
A. Our CEO, Bob Boback.
Q. Why?
A. To use -- to be able to use any means necessary to let them know that an enforcement action is coming down the line and they need to hire us or face the music, so to speak.
Q. Did you, at the time this was created, have information on companies who fit the threshold but whose names do not appear on that list?
A. Yes.
Q. Why does their name not appear on the list?
A. The list was scrubbed of all clients in the past and future clients that we felt that there might be, you know, the prospect of doing business with them. Their information was removed.
Q. Clients of Tiversa?
A. Yes.
Q. Who made the decision to remove their names from the list?
A. Bob Boback.
In order to make the breaches look legit, Tiversa's investigators would download sensitive files, move them to the company's servers and alter information to make it appear as though the files had been accessed or stored by a variety of IP addresses, including those of known/suspected identity thieves.
THE WITNESS: Usually it would be after the fact, Bob would make contact with the company, without coming to me or coming to anyone else first, and say, you know, your file has spread to three additional IP addresses, it's in Europe and Nigeria and Poland and who knows. So then it would be up to me to make it appear that way in the data store so, if there was ever an audit or, you know, somebody was catching on, the data would be there if you -- Coveo is basically a front end for the data store. It's like a Google site, so you could type in there "insurance aging" and it's going to come up with a list of IP addresses along with the file, date and time.
More on that tactic:
JUDGE CHAPPELL: If I understood you correctly, it was not true that the file was at this IP address.
THE WITNESS: That is correct.
JUDGE CHAPPELL: And if I were Company B in my earlier scenario, do I have any way to go to Apache Junction and see if they've downloaded my data?
THE WITNESS: We would see that in our -- in our real data store, we would show -- like, for example, with this one, this individual had over -- I was very familiar with this guy. He had over 3,000 tax returns, and he was zipping them up and selling them. Therefore, we knew that he was a bad actor, and it made it easy to put this file there, so to speak, even though he never had it physically on that computer, but we made it look -- appear like he did.
JUDGE CHAPPELL: All right. So if I follow you correctly, you never -- the file was never actually at Apache Junction.
THE WITNESS: No.
JUDGE CHAPPELL: But I, Company B, had no way of ever verifying that or knowing that.
THE WITNESS: Right.
Wallace's testimony may be useful in placing Tiversa in the FTC's sights, something Darrell Issa brought to its attention last year. But it won't do much for LabMD, which appears to have been prosecuted out of existence based on Tiversa's phony claims.
Tiversa claims Wallace's testimony is nothing more than a fired employee being vindictive and cites its multiple awards from law enforcement agencies as evidence of its forthrightness and honesty. All well and good, but if law enforcement agencies have been subjected to the same tactics -- bogus problems and bogus fixes -- they might be handing out awards based on perceived effectiveness rather than Tiversa's actual cybersecurity skills.
The House Oversight Committee looked into Tiversa's allegations against LabMD last year and was none too impressed by the supposedly upstanding company's inability/unwillingness to turn over the information it requested.
The Committee has obtained documents and information indicating Tiversa failed to provide full and complete information about work it performed regarding the inadvertent leak of data on peer-to-peer computer networks. In fact, it appears that, in responding to an FTC subpoena issued on September 30, 2013, Tiversa withheld responsive information that contradicted other information it did provide about the source and spread of the data, a billing spreadsheet file.
Despite a broad subpoena request, Tiversa provided only summary information to the FTC about its knowledge of the source and spread of the file.
The letter details Tiversa's evasiveness in response to the HOC's requests, noting that while it did turn over nearly 8,700 pages in response to the subpoena, 8,500 of those were five identical copies of the 1,718-page LabMD insurance aging file at the center of the FTC's investigation, leaving only 79 pages of other materials, none of which substantiated Tiversa's claims.
If the allegations are true, Tiversa is likely looking at altering its business model. Being just another name in the cybersecurity business means even less when that name is increasingly tied to fraudulent behavior.
1 Let's address CNN's claim about "obtaining" a transcript of the hearing. Like far too many press outlets, CNN seems to believe publicly-filed documents are trade secrets and refuses to provide download links or pointers as to where these might be obtained. In this case, it apparently obtained the transcript from former LabMD CEO Michael Daugherty's website. Or it may have had it sent to it by Daugherty himself. But either way, it did not "obtain" something no one else could have obtained, no matter how much its wording suggests some sort of exclusivity. And it could have done what Daugherty did: posted the transcript so readers could read it for themselves. But it didn't. TL;DR: CNN "obtained" this transcript in the non-exclusive way that you and I "obtain" air or any other non-rival good. (Yes, air becomes rivalrous in air-free environments, but non-pedantically, the comparison holds.)
Filed Under: bob boback, cybersecurity, data breaches, fake data breaches, ftc, hacks, richard wallace, shakedown, whistleblower, white hat
Companies: labmd, tiversa
Reader Comments
Re:
I could go on. It's just another day in the US. (Before somebody points out it happens elsewhere we are talking about the US. I know it happens elsewhere but elsewhere is not where the article focuses.)
[ link to this | view in chronology ]
What a terrible price to pay...
If the allegations are true, they should be facing multiple criminal charges for extortion and fraud. 'Altering its business model'? That's not a punishment, that's barely even a slap on the wrist.
[ link to this | view in chronology ]
No way, this would never happen. The market is self regulating and therefore does not need to be regulated by the government. /s
[ link to this | view in chronology ]
is?
[ link to this | view in chronology ]
Re: is?
Do you have a virus? Buy our product/service to find out!
You have a virus and we have proof! Buy our product/service to resolve the problem!
[ link to this | view in chronology ]
Re: Re: is?
[ link to this | view in chronology ]
Re: is?
Not that there was ever a single virus for Windows Mobile or Palm.
[ link to this | view in chronology ]
Now here's a curious coincidence...
Quoting:
Employees of Tiversa, a Cranberry Township, Pa.-based security company that specializes in peer-to-peer technology, reportedly found engineering and communications information about Marine One at an IP address in Tehran, Iran.
Bob Boback, CEO of Tiversa, told WPXI-TV: "We found a file containing entire blueprints and avionics package for Marine One, which is the president's helicopter."
The company was able to trace the file back to its original source.
"What appears to be a defense contractor in Bethesda, Md., had a file-sharing program on one of their systems that also contained highly sensitive blueprints for Marine One," Boback said.
I wonder if the court would be interested in hearing Mr. Wallace's testimony about this matter.
[ link to this | view in chronology ]
"First sell the problem, then sell the solution."
And now, Ethics for Consultants - concisely:
1. The problem must exist.
2. The solution must work.
Some disclosure here. I, uh... Well let's just say that I am familiar with how this works
: )
[ link to this | view in chronology ]
Re:
If a problem is large enough that people are seeking solutions to it, then it doesn't need to be "sold". It only needs to be mentioned in the context of "this product (or me, if I'm a consultant) will ease that".
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Fearmongering
[ link to this | view in chronology ]
Re: Fearmongering
How do you like that?
[ link to this | view in chronology ]
Not surprising...
I know of one guy who does "computer work" for various companies in the area. One of the companies he did work for happened to be owned by a friend of mine. When she told me all the "virus" issues they started having - and that she couldn't afford to pay him $80/hr to come clean up all the computers every couple weeks, I told her I would fix the problem.
Upon inspection, I saw that he had installed remote access software on every machine, supposedly so he could "fix problems remotely". Furthermore, he had configured their network router and neglected to tell anyone the password.
After resetting the router configuration, re-securing it, and removing all the remote access software - the constant problems stopped. She never had to call him again. He did call after the fact and ask if she had someone new working on the computers, to which she replied that she did... and that was the last she heard from him.
[ link to this | view in chronology ]
All digital evidence should be suspect
[ link to this | view in chronology ]
Old School
[ link to this | view in chronology ]