Whistleblower Claims Cybersecurity Company Generated Fake Data Breaches To Sell Protective Services
from the selling-you-fixes-you-don't-need-for-problems-you-don't-have dept
Making money without actually having to earn it is the American dream, isn't it?
In a federal court this week, Richard Wallace, a former investigator at cybersecurity company Tiversa, said the company routinely engaged in fraud -- and mafia-style shakedowns.Tiversa would allegedly turn over "information" about these fake breaches to the FTC and push the agency to come down hard on the companies who refused to hire it. Once the FTC started asking questions, Tiversa would again approach these companies and ask them if they'd reconsidered the use of their services.
To scare potential clients, Tiversa would typically make up fake data breaches, Wallace said. Then it pressured firms to pay up.
"Hire us or face the music," Wallace said on Tuesday at a federal courtroom in Washington, D.C.. CNNMoney obtained1 a transcript of the hearing.
Wallace's testimony suggests Tiversa engaged in several unethical practices at the behest of CEO Bob Boback. One of the companies it targeted with its fake breaches was LabMD. After LabMD expressed reluctance to hire Tiversa, Bob Boback delivered a simple message to Wallace.
Q. Are you aware of whether or not LabMD agreed or refused to do business with Tiversa?The "list" was a compilation of prospective Tiversa customers, compiled with the assistance of investigators who had managed to secure personally identifiable information from companies' servers. This was the information that was threatened to be turned over to the FTC (or in some cases, was turned over before contacting the companies) if these companies refused to purchase Tiversa's services.
A. I think initially I don't think that there was a -- I don't think that they did not want to do business with Tiversa initially, and I think that as the communication advanced back and forth from Bob and different people with LabMD, I think that that's when they decided that they did not want to do business with Tiversa.
Q. Did Mr. Boback have a reaction to LabMD's decision not to do business with Tiversa?
A. Yes.
Q. And what was that reaction?
A. Do I say it?
MS. BUCHANAN: Answer the question.
THE WITNESS: He basically said f--- him, make sure he's at the top of the list.
Q. Why does their name appear on the list?In order to make the breaches look legit, Tiversa's investigators would download sensitive files, move them to the company's servers and alter information to make it appear as though the files had been accessed or stored by a variety of IP addresses, including those of known/suspected identity thieves.
A. So that the FTC would contact them and notify them of a data breach and hopefully we would be able to sell our services to them.
Q. Did someone tell you to put their name on the list?
A. Yes.
Q. Who?
A. Our CEO, Bob Boback.
Q. Why?
A. To use -- to be able to use any means necessary to let them know that an enforcement action is coming down the line and they need to hire us or face the music, so to speak.
Q. Did you, at the time this was created, have information on companies who fit the threshold but whose names do not appear on that list?
A. Yes.
Q. Why does their name not appear on the list?
A. The list was scrubbed of all clients in the past and future clients that we felt that there might be, you know, the prospect of doing business with them. Their information was removed.
Q. Clients of Tiversa?
A. Yes.
Q. Who made the decision to remove their names from the list?
A. Bob Boback.
THE WITNESS: Usually it would be after the fact, Bob would make contact with the company, without coming to me or coming to anyone else first, and say, you know, your file has spread to three additional IP addresses, it's in Europe and Nigeria and Poland and who knows. So then it would be up to me to make it appear that way in the data store so, if there was ever an audit or, you know, somebody was catching on, the data would be there if you -- Coveo is basically a front end for the data store. It's like a Google site, so you could type in there "insurance aging" and it's going to come up with a list of IP addresses along with the file, date and time.More on that tactic:
JUDGE CHAPPELL: If I understood you correctly, it was not true that the file was at this IP address.Wallace's testimony may be useful in placing Tiversa in the FTC's sights, something Darrell Issa brought to its attention last year. But it won't do much for LabMD, which appears to have been prosecuted out of existence based on Tiversa's phony claims.
THE WITNESS: That is correct.
JUDGE CHAPPELL: And if I were Company B in my earlier scenario, do I have any way to go to Apache Junction and see if they've downloaded my data?
THE WITNESS: We would see that in our -- in our real data store, we would show -- like, for example, with this one, this individual had over -- I was very familiar with this guy. He had over 3,000 tax returns, and he was zipping them up and selling them. Therefore, we knew that he was a bad actor, and it made it easy to put this file there, so to speak, even though he never had it physically on that computer, but we made it look -- appear like he did.
JUDGE CHAPPELL: All right. So if I follow you correctly, you never -- the file was never actually at Apache Junction.
THE WITNESS: No.
JUDGE CHAPPELL: But I, Company B, had no way of ever verifying that or knowing that.
THE WITNESS: Right.
Tiversa claims Wallace's testimony is nothing more than a fired employee being vindictive and cites its multiple awards from law enforcement agencies as evidence of its forthrightness and honesty. All well and good, but if law enforcement agencies have been subjected to the same tactics -- bogus problems and bogus fixes -- they might be handing out awards based on perceived effectiveness rather than Tiversa's actual cybersecurity skills.
The House Oversight Committee looked into Tiversa's allegations against LabMD last year and was none too impressed by the supposedly upstanding company's inability/unwillingness to turn over the information it requested.
The Committee has obtained documents and information indicating Tiversa failed to provide full and complete information about work it performed regarding the inadvertent leak of data on peer-to-peer computer networks. In fact, it appears that, in responding to an FTC subpoena issued on September 30, 2013, Tiversa withheld responsive information that contradicted other information it did provide about the source and spread of the data, a billing spreadsheet file.The letter details Tiversa's evasiveness in response to the HOC's requests, noting that while it did turn over nearly 8,700 pages in response to the subpoena, 8,500 of those were five identical copies of the 1,718-page LabMD insurance aging file at the center of the FTC's investigation, leaving only 79 pages of other materials, none of which substantiated Tiversa's claims.
Despite a broad subpoena request, Tiversa provided only summary information to the FTC about its knowledge of the source and spread of the file.
If the allegations are true, Tiversa is likely looking at altering its business model. Being just another name in the cybersecurity business means even less when that name is increasingly tied to fraudulent behavior.
1 Let's address CNN's claim about "obtaining" a transcript of the hearing. Like far too many press outlets, CNN seems to believe publicly-filed documents are trade secrets and refuses to provide download links or pointers as to where these might be obtained. In this case, it apparently obtained the transcript from former LabMD CEO Michael Daugherty's website. Or it may have had it sent to it by Daugherty himself. But either way, it did not "obtain" something no one else could have obtained, no matter how much its wording suggests some sort of exclusivity. And it could have done what Daugherty did: posted the transcript so readers could read it for themselves. But it didn't. TL;DR: CNN "obtained" this transcript in the non-exclusive way that you and I "obtain" air or any other non-rival good. (Yes, air becomes rivalrous in air-free environments, but non-pedantically, the comparison holds.)
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: bob boback, cybersecurity, data breaches, fake data breaches, ftc, hacks, richard wallace, shakedown, whistleblower, white hat
Companies: labmd, tiversa
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
Re:
I could go on. It's just another day in the US. (Before somebody points out it happens elsewhere we are talking about the US. I know it happens elsewhere but elsewhere is not where the article focus.)
[ link to this | view in thread ]
What a terrible price to pay...
If the allegations are true, they should be facing multiple criminal charges for extortion and fraud. 'Altering it's business model'? That's not a punishment, that's barely even a slap on the wrist.
[ link to this | view in thread ]
[ link to this | view in thread ]
No way, this would never happen. The market is self regulating and therefore does not need to be regulated by the government. /s
[ link to this | view in thread ]
is?
[ link to this | view in thread ]
Now here's a curious coincidence...
Quoting:
Employees of Tiversa, a Cranberry Township, Pa.-based security company that specializes in peer-to-peer technology, reportedly found engineering and communications information about Marine One at an IP address in Tehran, Iran.
Bob Boback, CEO of Tiversa, told WPXI-TV: "We found a file containing entire blueprints and avionics package for Marine One, which is the president's helicopter."
The company was able to trace the file back to its original source.
"What appears to be a defense contractor in Bethesda, Md., had a file-sharing program on one of their systems that also contained highly sensitive blueprints for Marine One," Boback said.
I wonder if the court would be interested in hearing Mr. Wallace's testimony about this matter.
[ link to this | view in thread ]
[ link to this | view in thread ]
"First sell the problem, then sell the solution."
And now, Ethics for Consultants - concisely:
1. The problem must exist.
2. The solution must work.
Some disclosure here. I, uh... Well let's just say that I am familiar with how this works
: )
[ link to this | view in thread ]
Re: is?
Do you have a virus? Buy our product/service to find out!
You have a virus and we have proof! Buy our product/service to resolve the problem!
[ link to this | view in thread ]
Re: Re: is?
[ link to this | view in thread ]
Re: is?
Not that there ever a single virus for Windows Mobile or Palm.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Fearmongering
[ link to this | view in thread ]
Re:
If a problem is large enough that people are seeking solutions to it, then it doesn't need to be "sold". It only needs to be mentioned in the context of "this product (or me, if I'm a consultant) will ease that".
[ link to this | view in thread ]
Re: Fearmongering
How do you like that?
[ link to this | view in thread ]
Not surprising...
I know of one guy who does "computer work" for various companies in the area. One of the companies he did work for happened to be owned by a friend of mine. When she told me all the "virus" issues they started having - and that she couldnt' afford to pay him $80/hr to come clean up all the computers every couple weeks, I told her I would fix the problem.
Upon inspection, I saw that he had installed remote access software on every machine, supposedly so he could "fix problems remotely". Furthermore, he had configured their network router and neglected to tell anyone the password.
After resetting the router configuration, re-securing it, and removing all the remote access software - the constant problems stopped. She never had to call him again. He did call after the fact and ask if she had someone new working on the computers, to which she replied that she did... and that was the last she heard from him.
[ link to this | view in thread ]
[ link to this | view in thread ]
All digital evidence should be suspect
[ link to this | view in thread ]
Old School
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]