Rogue cybersecurity firm killed cancer testing lab, claims ex-employee

Bollocks, says Tiversa – he's making it up

A former employee of well-connected security firm Tiversa has claimed in court that the company falsified information about the severity of a data breach at a cancer laboratory that was later forced to close after a government data security investigation.

Georgia cancer testing laboratory LabMD – or rather, what's left of it now that all of its staff have been let go – is locked in a legal battle with the US Federal Trade Commission over claims that it violated data safety rules by allowing patients' information to leak online.

LabMD, on the other hand, claims Tiversa set it up, and on Tuesday it called a former employee of the security firm as a witness to make its case.

Richard Wallace testified that he used peer-to-peer software to download a file containing patient data from LabMD's servers while working as an investigator at Tiversa in 2008. He further claimed that his then-boss, Tiversa CEO Robert Boback, asked him to make it look as though the file had been found on other computers run by known identity thieves.

Wallace claims Boback then told LabMD that the patient records had been found on a peer-to-peer network and offered Tiversa's services to deal with the problem – either for a one-off fee or via an annual service contract.

When LabMD refused the offer, Boback then threatened to report the lab to the FTC for not securing its records properly, LabMD's founder Michael Daugherty has claimed. And when LabMD again refused to pay, Boback allegedly followed through on his threat, prompting investigations that ultimately bankrupted the medical facility.

Wallace said he resigned his position at Tiversa in February 2014 because he was being pressured to lie under oath in legal proceedings over the LabMD case. He has since been granted legal immunity by the Congressional House Committee on Oversight and Government Reform in exchange for testimony on Tiversa's activities.

Wallace claimed that falsifying data was common practice at Tiversa. The firm would log the IP addresses of known computer criminals who had been arrested, he said, then tell companies that their files had been downloaded from computers linked to those addresses and offer to fix the problem for a fee.

Tiversa also manufactured security events for publicity, Wallace claimed, including the widely reported case of the theft of blueprints for Marine One, the US President's personal helicopter, which the firm claimed to have found online on an Iranian computer. The files had actually come from a US contractor's computer and police had already dealt with the matter, Wallace said.

"It was a very publicized story. Tiversa, you know – it was very good press for Tiversa. And believe it or not, it was not easy to find an active Iranian IP address that law enforcement couldn't get ahold of," he testified, according to a transcript.

If Wallace's allegations are true, it would be rather embarrassing for former NATO supreme commander General Wesley Clark, who serves on Tiversa's advisory board. At the time of the Marine One incident, Clark said the firm's investigators "know exactly what computer [the blueprints] came from" and that they had alerted government regulators.

Clark isn't the only big name at Tiversa. Howard Schmidt, Obama's former cyber-security coordinator, also sits on the firm's advisory board, as does Larry Ponemon, founder of the eponymous institute.

Tiversa's CEO firmly denies Wallace's claims. While Wallace says he resigned on principle, Boback told The Register he was fired with cause. And as for the Marine One incident, Boback said Tiversa's report that some parts of the helicopters had appeared on an Iranian computer has been confirmed by the US Navy. Tiversa has been investigated thoroughly by the House Oversight and Government Reform Committee, he said, and "no evidence of wrongdoing was ever found."

"Ironically, LabMD’s witness [Wallace] actually destroyed any defense that LabMD was attempting to mount in this case," Boback told The Reg. "Wallace testified that he, personally, downloaded the LabMD file by using a desktop computer and LimeWire, not by using Tiversa’s technology. Wallace just contradicted [LabMD's] entire argument by testifying that he only used a simple program that hundreds of millions of people have used." ®
