Cybersecurity Company Extorted Its Clients, Says Whistleblower

An anonymous reader writes: Richard Wallace used to be an investigator for Tiversa, a cybersecurity company that sells services like "breach protection" and "incident response." These days, Wallace is testifying in federal court that Tiversa faked breaches to encourage sales, and extorted clients that weren't interested. For example, Wallace said Tiversa targeted a cancer testing center called LabMD in 2010, tapping into their computers and downloading medical records. Tiversa then used those records as evidence to convince LabMD they had been hacked, offering its "incident response" service at the same time. LabMD didn't fall for it, so Tiversa told the FTC about the "hack." The FTC, none-the-wiser, went after LabMD in court, eventually destroying the business. Wallace has also cast suspicion on reports Tiversa has issued, including one saying President Obama's helicopter blueprints were found on Iranian computers.

Some guyz in my old neghborhood used to do this

[NotDrWho]

"Hey, you need us for security protection, otherwise you never know when a break-in might happen, right Vinnie?"

"Yeah boss, this place *definitely* needs to pay for our security protection."

"See? You should listen to Vinnie, he's a security expert and shit."

Re:

[jellomizer]

More of an ethnist

Re:

[Anonymous Coward]

I went to school with a Korean kid named Vinnie.

Re:

[OhSoLaMeow]

He was a Yute.

Re:

[Dutch Gun]

Did you say "yute"? What is a "yute"?

The FTC report

[YrWrstNtmr]

Details here: https://www.ftc.gov/enforcemen... [ftc.gov]

That's some messed up stuff. Tiversa needs to be burned to the ground, and their board members in actual jail.

Re:The FTC report

[YrWrstNtmr]

However, the plot thickens:
From the Motion to Dismiss: https://www.ftc.gov/system/fil... [ftc.gov]
(in part)"In 2008, Lime Wire was found on a LabMD workstation at Internet Protocol address 64.190.82.42 in Atlanta, Georgia. Lime Wire was installed by a LabMD employee, without authorization and in violation of company policy."

"On May 13, 2008, Tiversa contacted Lab MD, advised that Tiversa had downloaded LabMD's file, but refused to provide any additional information unless LabMD paid Tiversa for "remediation." Over the next two months, Tiversa sent six more sales-pitch emails to LabM0. LabMD, however, declined Tiversa's shakedown."

Re:

[Anonymous Coward]

Lime Wire was found on a LabMD workstation

That alone warrants burning LabMD to the ground, salting the earth, raping their women and putting heads on stakes as a warning to others, never to consider the possibility of committing the most hideous and unspeakable of crimes: possible copyright infringement.

Re:

[YrWrstNtmr]

Copyright infringement has nothing to do with it.
If that workstation and user has access to patient data, and that patient data is/was exposed via a P2P application...then yes, maybe they do need to be burned to the ground as well as the asshat 'security company'.

Re:

[Malenx]

However, there is literally no admissible evidence that they actually had any files shared via a P2P application, only the word of a company financially motivated to hurt them.

Re:

[YrWrstNtmr]

That's why I said "if"

Tiversa breached systems?

[Anonymous Coward]

So Tiversa breached systems to get data from them to show the system owner that they needed their services?

But if Tiversa did breach those systems, then they did need Tiversa's services didn't they?

Re:Tiversa breached systems?

[Pi1grim]

Well, fun fact, if some kid breaches the system and then gives the evidence that system is flawed to the company without demanding any money - than he's a criminal, if a large company does the same, only demanding a large payment for services rendered and subscription to future services - then it's business as usual.

Theyre creating jobs!

[Anonymous Coward]

Im off to go smash some windows.

Its okay though because i work for Window Smashers LLC.

Re:

[Anonymous Coward]

That's called American Capitalism. Working as intended.

Re:

[BitZtream]

I knew some asshole would try to use some bullshit like Aaron Schwartz to try and act like theres a double standard.

The reason you're hearing about this on slashdot ... IS BECAUSE THEY ARE IN FEDERAL COURT.

Seriously, its in the fucking summary, don't even need to get to the full article.

Re:Tiversa breached systems?

[gstoddart]

But, honestly though ... if a corporation is charged in federal court, will they pay a fine, or will someone do jail time?

Because if the corporation will pay a fine, but a person would get jail time ... that's pretty much what a double standard means.

So before you go all full-metal asshole on the poor guy, ask yourself, has anybody from a corporation who does this kind of crap gone to jail?

If doing something on behalf of a corporation means you don't go to jail, there more assuredly is a double standard.

yo dawg

[Hognoxious]

Hey, you defined a double standard twice!

Re:

[q4Fry]

One kind of double standard applies to people like gstoddart.
The other kind applies to everyone else.

Re:

[dcollins117]

Because if the corporation will pay a fine, but a person would get jail time ... that's pretty much what a double standard means.

Where it gets interesting is that for about $80 and a a little paperwork you can incorporate yourself. Whether you are contemplating a life of crime or just concerned about the possibility of someone suing you, it seems like money well spent considering all the legal protections you gain.

Re:

[orlanz]

Thank you! There is so much less festering and feces here than the other parts of the world. Thou you seem to have more of one color vs another. Oh well, red or blue, not much different than green or dark blue or dark red.

Re:Tiversa breached systems?

[Capt.Albatross]

So Tiversa breached systems to get data from them to show the system owner that they needed their services?

But if Tiversa did breach those systems, then they did need Tiversa's services didn't they?

Yet the linked-to article says "If Wallace is telling the truth, the FTC aggressively prosecuted a company based on bogus evidence."

The only way I can see the evidence being bogus is if Wallace exploited a position of trust granted to him by the target company, and not even necessarily then. Whatever the truth is, the report is not self-consistent. Apparently, rational analysis and critical thinking are not employed at CNN - but we suspected that, anyway.

Re:Tiversa breached systems?

[Bob9113]

LabMD may still have had a security problem worthy of investigation. But Tiversa's behavior is the subject of this criminal investigation. If Tiversa only blew the whistle on LabMD after they declined to purchase Tiversa's services, they are arguably engaged in racketeering, and should be prosecuted.

Re:

[sjames]

You seem confused. Wallace is the whistle blower. If his claim that the "evidence" was fake is true then the FTC aggressively prosecuted a company based on bogus evidence.

Does that help?

Re:Tiversa breached systems?

[radarskiy]

Tiversa's claim to LabMD was not that LabMD had vulnerabilities, but that LabMD had been breached. Tiversa then claimed to the FTC that LabMD had failed to disclose a breach but did not disclose that the breach was by Tiversa themselves.

LabMD may have needed the services of a security consulting company. No one needs the services of a lying security consulting company.

Re:Tiversa breached systems?

[JWSmythe]

That's probably the biggest reason to have good in-house security people. They don't have a financial interest to make breaches or lie about them. It's in their best interest to keep everything secure, and continue to look for new ways to attempt breaking into their own stuff.

I've never felt good about letting third parties in to do security testing. When someone above my rank decided to let a 3rd party do external tests, they'll pick anything and make it sound disastrous. One place was bitching about anything.

They complained that we had the current version of Bind running on the DNS servers. "But people can do DNS requests!" Yup.

They flagged the fact that we dropped unwanted traffic at the firewall. Yup. Get over it. They were upset it took forever to scan the network. Good.

They flagged us for having a web server providing static content. They were upset they couldn't find any way to exploit CGIs or do SQL injection. Yup. That was kind of the idea.

There were a whole bunch of other trivial things that they flagged us for. Then they were brought to the office, and got upset that we didn't provide wifi. Nope, that's a security risk. They wanted to plug their laptop into our network, so they were only given external access. Again, they bitched. But letting an unknown computer owned by an unauthorized party plug into our network is a security risk.

They eventually gave up trying to bully us into dropping our security precautions and gave us a pass.

I already habitually ran tests with privileged access to make sure even if all layers of protection failed, nothing really bad could happen.

Honestly, if they are given everything, they can find something. Give them administrative rights to everything, and credentials to everything, they can find something. Like, email accounts can be accessed with full admin rights. Funny how that works.

Re:

[Livius]

Exactly why legitimate fire departments only hire former mob arsonists!

LEO

[jythie]

I love how they use awards by law enforcement as an example of them being good actors. One of the old and scary problems in our legal system has always been law enforcement working with really shady companies and protecting them. The fraternal atmosphere tends to leave police departments particularly vulnerable to being scammed, esp when those scams result in things that benefit the department like cash, 'evidence', or validation of existing prejudice.

Carnegie Mellon involvement

[Anonymous Coward]

Were people with respected academic credentials involved?
Was anyone from Carnegie Mellon involved?
Did Carnegie Mellon have any involvement?

I don't care about Gen. Wesley Clark. Wasn't he the 4th stooge?

They reveal themselves !

[redelm]

Hmm ... Iran has blueprints ... sounds bad. But of _course_ they have blueprints of that model helo -- the Shah bought them prior to 1979! Marine One is [usually] a Sikorski VH-3 "Sea King" which first flew in 1959.

When advocates make inflammatory claims that have innocent explanations, I consider them confidence crooks. They know their best arguments and have made them. Yet another example of lies being more revealing than the truth (so long as you already know it.)

Re:

[slimdave]

Your argument, that the presence of an innocent explanation let you consider the advocates to be confidence crooks, is based on your belief that the blueprints were for VH-3.

They were not -- they were for the VH-60, which started coming into service in the mid-let 1980's for VIP duties, nearly 10 years after the Iranian Revolution.

Re:

[redelm]

Good point. But the judgement stands, given that the warning is from 2009 -- hardly current news.

Iraq War

[tekrat]

Funny thing, but the Iraq war worked the same way. George Bush took the word of an informant (who would later turn out to be an Iranian spy); that Iraq had WMD.

No real investigation was done, and we invaded a country and slaughtered many hundreds of thousands, destabilized the entire region and ended up creating ISIS.

So, yeah, this kind of stuff happens all the time.

Re:

[countach74]

So because it's been unstable for centuries, that justifies any acts that the US takes that could aid in its instability?

Re:

[sjames]

Of course not. It was based on Bush wanting to be a war president like his daddy. From there, they just had to get a few shady people to tell a few convenient lies and it's off to the races.

Re:

[belthize]

Well mostly all the time. April 11th 1954 was noted for it's absence of this kind of shit.

http://www.dailymail.co.uk/sci... [dailymail.co.uk]

Re:

[YrWrstNtmr]

No real investigation was done, and we invaded a country and slaughtered many hundreds of thousands, destabilized the entire region and ended up creating ISIS.

You do realize, that after Gulf War 1 (1991), we (Western military forces) never left the region. You're aware of this, right?

Re:

[operagost]

I didn't support the USA going in, but it's best we act like adults and not pretend that Iraq was just minding its own business while we made an unprovoked attack. Iraq was supposed to allow UN inspectors to ensure they didn't develop WMDs; they'd long been keeping them out. That, combined with the (faulty) intelligence, indicated malfeasance.

Re: Iraq War

[AvitarX]

Didn't it come out recently that they did have WMDs.,and the reports were burried because they were made in America.?

Not that I would consideassderyconsiderid similar in any way.

Re:

[tompaulco]

Nothing happened to the ex-employee.

Well, it kind of depends on why he was disgruntled. If he was fired for cause, he may have done something wrong and deserved to be fired. However, if the company laid him off because they had made him promises and didn't want to follow through, then the company deserves everything they got and more.

Re:

[Hognoxious]

Bollocks. They might have deserved a fine, or being ordered to pay compensation, but not this.

My take is that when someone makes an intentionally & blatantly false call to LE, then 1) the subject of the complaint should get the right to actually commit the crime against the complainant with impunity or 2) the complainant serves the maximum sentence for the alleged offence(s), doubled.

Re:

[moeinvt]

These regulatory and law enforcement douche-nozzles love to exercise their power over helpless victims. They raid small businesses, family farms and sole proprietorships just to get their jollies. Makes them feel like real tough guys to intimidate someone into compliance. The worst are the bureaucrats in agencies like OSHA and EPA.
Until you've run a small business, you can't possibly understand the nitpicking BS that these jerks will pull on you.

LabMD and the FTC

[silas_moeckel]

They were breached and data did get out the bad actors, it really does not matter than it was those same said bad actors that told the FTC about it. LabMD failed to keep patient records safe and when they were told about the breach failed to act upon that information.

Re:

[sjames]

The whistle blower's allegation is that LabMD was NOT actually breached. Do you have an independent report that says otherwise?

Re:

[silas_moeckel]

Per the article the whistleblower Wallace testified that he breached LabMD and downloaded patient data. Sounds like a breach to me.

Re:

[sjames]

Looking again, it seems TFA claims both. Perhaps a reporter who needs to slow down a bit, drink more coffee.

Sounds like Hongkong action movies....

[sentiblue]

I come from a country where small thugs run business in a jurisdicitonal area....

In which area, the hoodlum gets to collect cash from small businesses in exchange for protection... but in fact they dont really provide any protection, that's just the cost for being able to run a business. Whoever refuses to pay, their business gets smashed/burnt...

This company we're reading about is exactly that and I hold the US government agencies responsible to make very very very sure that their entire group of dec

I have worked with these sorts

[EmperorOfCanada]

In every single, and I mean without exception, every single consulting company that I worked for/with the "security specialists" were full of shit assholes. The guys who were in charge of the actual network were very well trained and capable security people but they weren't marketing themselves as specialists. The security guys just spouted endless paranoia and blah blah'd about military grade security. Yet when put to a test not a single one of them could exploit a linux system that hadn't had an upgrade in a year.

What they didn't have in skill they made up in swagger and threats. If consultants in the company didn't submit their laptops to them for a security audit they got all shitty saying how our laziness would take down the company. So my solution was to hand them a laptop that I would get fresh from IT with nothing installed, no documents, and fully up to date. Then I would laugh at their report where they would say that I had all kinds of unencrypted documents and had installed insecure software on the laptop. Then when I showed this to upper management they got even angrier that I had wasted what otherwise would have been valuable billing hours, even though it was they who wanted to audit all the computers.

But the thing that finally broke their stranglehold over the company's management was when they bullied their way into a friend's project devastating his budget after they convinced the client he was working for that his unaudited system would leave their company wide open. So he made a mirror image of their laptop from a backup, changed the background to a picture of two guys having sex with the company logo of the client on the face of the guy getting it and a picture of the security "expert" over the face of the guy giving it. Then on the way to the meeting he swapped laptops. Security expert was fired that day.