News

10 Aug Hackers and government live in an uneasy house – Black Hat

Michael has been at Black Hat for the past few days. Here is a reblog of the best summary of the event. This has been reblogged from Examiner.com


Black Hat, the annual gathering in Las Vegas of hackers, researchers, government officials and corporate security chiefs, is perhaps the most significant cybersecurity conference of the year. That’s not because it makes major news about advances in new security technology, but more often because it reveals deep and serious flaws in how we are protected from criminal mischief. And yet yesterday’s opening session focused less on how smartphones, cars, and even satellites can be hacked (yes, they all can) than on how growing mistrust between the technology community and our own government is threatening to blow wide open.

The tone was set in the morning’s opening keynote by Jennifer Granick, a director with the Stanford Center for Internet and Society. Granick, who has been attending Black Hat and another hacker conference, Def Con, for a long time, did not mince words before an audience that responds well to candor. “The dream of Internet freedom that brought me to Def Con twenty years ago is dying,” said Granick.

She pointed to increased government regulation, both in the U.S. and abroad, as a major reason for her concern, citing misguided laws and zealous overregulation on the part of Congress as key factors. “The message from our government is that if you step over the line, we will come for you,” Granick told the somber gathering.

Sessions that followed her on the densely packed Black Hat program helped reinforce her concern. One of the day’s most stunning examples was the story of LabMD, an Atlanta-based medical technology company that has been fighting a two-year battle with the Federal Trade Commission (FTC). Appearing at a session yesterday afternoon, LabMD’s founder, Michael Daugherty, described how one supposedly leaked file led the FTC to prosecute his company without the kind of disclosure normally found in a court of law.

“The FTC, like most agencies, has playbooks that are top secret,” said Daugherty, who ultimately was forced to close his company and fire over 40 employees. But he has refused to give in to the FTC.

The story of LabMD has been documented in bits and pieces in the press for the last year as the case rolled on. The gist, as recounted yesterday by Daugherty and described more recently in the media, is that the FTC acted when a mysterious private cybersecurity company called Tiversa provided them with evidence (which Daugherty has yet to see) of a data breach. According to the LabMD founder, his company refused an offer from Tiversa to “fix the problem” for a fee, which prompted the cybersecurity firm to notify the FTC.

Three months ago, a former Tiversa employee testified in federal court that the company engaged in fraud and shakedowns of small technology companies.

Daugherty has documented his saga in a book, “The Devil Inside the Beltway,” and expressed concern yesterday that the FTC needs to be reined in by Congress. “All this is to me is bullying behavior,” said Daugherty.

Despite presentations like the LabMD case, the program at Black Hat also included government representatives seeking to mend fences and perhaps build bridges to the hacking and security research community. For the first time in memory, a high-ranking official from the Department of Justice attended Black Hat and presented his side of a tough story.

Leonard Bailey, the special counsel for national security at the Department of Justice, made his point that of the over 56,000 cases filed by the federal government last year, only 194 of them dealt with computer fraud.

“We’re not coming after security researchers,” said Bailey.

But the Justice official acknowledged that prosecution of computer crime can have an intended impact. “All it takes is one flogging in the public square, and there’s a chilling effect,” said Bailey.

The Department of Justice has come under fire in the hacking community over the prosecution of Aaron Swartz, a hacktivist who was arrested for creating a program at MIT that would automatically download academic journal articles. Faced with 35 years in prison, Swartz committed suicide in 2013.

The first question for Bailey from the audience yesterday concerned his agency’s handling of the Swartz case. “That was a tragedy,” said Bailey, but he refused to comment further.

Another government enforcement agency on the Black Hat agenda yesterday was the Federal Bureau of Investigation (FBI). Three members of the team that recently brought down one of the most significant cybercrime operations ever discovered, the Gameover Zeus botnet, presented their findings to a captivated audience.

The operation targeted a vast network of one million infected machines that systematically looted banks and corporations. “They were able to move money a lot faster than we were able to chase it,” said Elliott Peterson, a special agent with the FBI.

According to Peterson, Zeus was run by a sophisticated mix of Russian and Ukrainian criminals, led by a man named Evgeniy Bogachev who has yet to be caught. The FBI announced yesterday that they are offering an unprecedented $3 million reward for information leading to Bogachev’s arrest.

Peterson was joined by the highly-regarded security researcher Michael Sandee who highlighted one curious aspect of the Zeus case. According to Sandee, the code created to steal money was also designed to gather government and intelligence agency data. “This is something we don’t typically see in financial malware,” said Sandee.

As the power of the Internet continues to grow, there is a great deal at stake for governments, corporations, and individual citizens. This week’s Black Hat dialogue only reinforced the feeling that sorting all of this out will be difficult and contentious at best. Meanwhile, the U.S. Senate adjourned for its summer recess yesterday without taking action on a cybersecurity bill passed by the House three months ago.

Original article found here


06 Aug Book Signing at Black Hat USA


Michael is signing books at Black Hat USA 2015

Thursday Aug 6th at 11:50AM
The bookstore is located in room Reef F, Level 2 at Mandalay Bay Hotel in Las Vegas. The bookstore will continue to be open until 3:30 for purchases.
For more information on the full schedule, click HERE
More information on social media – follow @BlackHatEvents on Twitter and tweet using the hashtag of #BHUSA

30 Jun Cybersecurity Firm Tiversa Accused of Extortion


Reblogged from Hacked – written by Neil Sandesai – to view the original post, click HERE

Large corporations and government organizations are often targets for hackers, and as a result, rely on cybersecurity firms to provide security guidance. However, in an ironic twist, one cybersecurity firm may have actually hacked its own clients. Tiversa is a Pittsburgh-based security consultancy, and according to an ex-employee, Tiversa stages data breaches to extort clients.  

Tiversa’s Mafia-Style Tactics

According to Richard Wallace, the whistleblower accusing Tiversa of fraud, Tiversa engages in mafia-style shakedowns to pressure potential clients. Wallace gave his testimony in a federal court in May, and according to a transcript obtained by CNNMoney, Tiversa’s strategy can be summed up as, “Hire us or face the music.”

Wallace describes how Tiversa ruined at least one company – LabMD, a small Georgia-based cancer testing laboratory. While working as an investigator at Tiversa, Wallace hacked LabMD’s servers and obtained a file containing patient data. His then-boss, Tiversa CEO Robert Boback, asked Wallace to make it look as if the breach had originated from IP addresses associated with known identity thieves. Tiversa then approached LabMD, informing the company that it had been hacked, and offered “incident response” services. However, LabMD refused to pay up, and Tiversa threatened to notify the Federal Trade Commission of the (staged) data breach. Soon afterwards, Tiversa carried out the threat, and the FTC ended up taking LabMD to court. LabMD ultimately had to let go of its staff as the long legal battle bankrupted the company. According to Michael Daugherty, CEO of the now-dead cancer lab,

We were a small company…It’s not like we had millions of dollars to fight this and tons of employees.

There was reputation assassination. There was intimidation. We thought we were extorted. My staff and management team was demoralized. My VP left. My lawyer left.

Furthermore, the LabMD incident isn’t the only example of Tiversa making up a hack, says Wallace. Tiversa also made up information pointing to Iran for allegedly stealing blueprints for Marine One, President Obama’s helicopter. If Wallace’s story is true, LabMD and other companies may have been destroyed by fraudulent “evidence.”

Tiversa has firmly denied Wallace’s allegations, dismissing them as “baseless” claims from a disgruntled former employee. Tiversa’s CEO told CNNMoney,

This is an overblown case of a terminated employee seeking revenge…Tiversa has received multiple awards from law enforcement for our continued efforts to help support them in cyber activities.

However, if the allegations against Tiversa are true, they will be very embarrassing for the company and its highly-decorated board members, including Wesley K. Clark, former NATO Supreme Allied Commander in Europe, and Howard Schmidt, former cyber-security coordinator for the Obama administration.


22 Jun The FTC Goes Whistling Past the Graveyard


The FTC has decided not to oppose LabMD’s request for a criminal investigation into Tiversa’s behavior…AS THEY SPIT IN THE FACE OF JUSTICE. They have enabled crime, ignored evidence, and are now sitting on the sidelines. These are hypocritical tyrants as they boast they are out to protect consumers. Their energy is being spent on keeping their incompetent and corrupt culture under wraps.

Not this time.

Look at the facts.

It’s unbelievable but sadly true.

 

LabMD – Mtn Referral 6 19 15


20 Jun BEHIND THE MASK: THE AGENDA, TRICKS, AND TACTICS OF THE FEDERAL TRADE COMMISSION AS THEY REGULATE CYBERSECURITY


Will be presenting at Black Hat USA 2015, Aug 1-6, 2015, Mandalay Bay, Las Vegas, NV

While the FTC, FCC and Homeland Security joust over who is going to regulate the internet, Michael J. Daugherty will rivet you with his blood-in-the-water battle with the Federal Trade Commission over their relentless investigation into LabMD’s data security practices, showing you what they do to those who dare not “go along to get along.”

This is an insider’s look at how agencies exploit their power by bullying the small and weak to control the private sector. You will hear about Mike’s shrewd investigation of the investigator (FTC) which resulted in a House Oversight investigation, a stinging Congressional report about the FTC’s behavior, and criminal immunity from the Justice Department for a whistleblower. The administrative case against LabMD, stayed in June 2014 when the whistleblower pled the 5th, started again May 5, 2015, after criminal immunity had been granted. Mike exposes the real time maneuvers of government lawyers and regulators who are accustomed to no one looking.

Because of his work, Mike has testified before the House of Representatives Oversight Committee and regularly keynotes in front of healthcare, law, business and technology audiences, educating them on what to expect when the Federal Government investigates you.

Sign up to attend here.


15 May Mike Daugherty speaking in Toronto at SC Congress June 11, 2015


As you may know I will be speaking and doing a book signing at SC Congress Toronto on June 11th, 2015. The team at SC Magazine and I have teamed up to offer a unique opportunity to pass on to you, my loyal readers.

The first 10 people who sign up for a Free Expo Plus pass with the code DaughertyEXPO will also get a signed copy of my Book!

Each free Expo Pass provides you with:

– 5 Keynotes and 1 editorial session of choice

– Full access to Exhibit Hall

– Up to 6 CPE credits

– Passport to Prizes

Expo Plus Passes cost $150, but register as a Michael Daugherty Expo VIP with the Discount Code DaughertyEXPO and get a FREE Expo Plus Pass and a chance to win a signed copy of my book.

SC Congress is also offering my readers a two day conference pass for $595 ( regular 2 day tickets are $1,095) and 1 day tickets for $495 ( regular 1 day tickets are $895).

Register with the discount code DaughertyLabMD or you can get your discounted tickets here:

Each 2 day pass provides you with:

– All Keynotes and editorial sessions over 2 days

– Full access to Exhibit Hall

– All breakfasts, luncheons, meals and cocktail receptions

– Earn up to 14 CPE credits

– Passport to Prizes

2-day pass: $595 (reg. $1,095)
1-day pass: $495 (reg. $845)
Use discount code DaughertyLabMD or click this link.

You can also sign up for a complimentary digital subscription to SC Magazine.


13 May Cato Blog Sums It Up Perfectly


As was written by Walter Olson in his article “A Spurned Vendor — And a Tip To the FTC”…

In 2010, the Federal Trade Commission approached an Atlanta-based medical testing company, LabMD, with accusations that it had wrongfully left its customer data insecure and vulnerable to hackers. LabMD’s owner denied that the company was at fault and a giant legal battle ensued. To quote my post last year at Overlawyered:

…according to owner Michael Daugherty, allegations of data insecurity at LabMD emanated from a private firm that held a Homeland Security contract to roam the web sniffing out data privacy gaps at businesses, even as it simultaneously offered those same businesses high-priced services to plug the complained-of gaps.

Last week, finally, after five years, the case reached an administrative hearing at the FTC, which heard “bombshell” testimony given under immunity by former Tiversa employee Richard Wallace:

After LabMD CEO Michael Daugherty refused to buy Tiversa’s services, Tiversa reported false information to the FTC about an alleged security incident involving LabMD’s data, Wallace claimed in his testimony.

To read the full article, click HERE


10 May Bombshell Testimony as FTC Fails to Verify Evidence


Grab your popcorn and turn off House of Cards because it doesn’t get better than this.

The testimony of former Tiversa employee Rick Wallace is bombshell transparent testimony.

It took over a year to get Rick on the stand with criminal immunity. This is no “he said, she said” game; criminal immunity isn’t easily approved by the Justice Department, but the consistency and forensic evidence provided to Chairman Darrell Issa and the Justice Department must have done the trick.

Tsk Tsk Tsk, if the FTC had only verified evidence before embarking on their shameless seek and destroy fishing expedition.

Download it if you like…and grab a highlighter.

May 5, 2015 PUBLIC Final Trial Transcript



07 May Whistleblower accuses cybersecurity company of extorting clients – CNN Money


As reported in CNN Money today by @Jose_Pagliery

A cybersecurity company faked hacks and extorted clients to buy its services, according to an ex-employee.
In a federal court this week, Richard Wallace, a former investigator at cybersecurity company Tiversa, said the company routinely engaged in fraud — and mafia-style shakedowns.

To scare potential clients, Tiversa would typically make up fake data breaches, Wallace said. Then it pressured firms to pay up.
“Hire us or face the music,” Wallace said on Tuesday at a federal courtroom in Washington, D.C.

CNNMoney obtained a transcript of the hearing.

The results were disastrous for at least one company that stood up to Tiversa and refused to pay.

In 2010, Tiversa scammed LabMD, a cancer testing center in Atlanta, Wallace testified. Wallace said he tapped into LabMD’s computers and pulled the medical records.

The cybersecurity firm then alerted LabMD it had been hacked. Tiversa offered it emergency “incident response” cybersecurity services. After the lab refused the offer, Tiversa threatened to tip off federal regulators about the “data breach.”

When LabMD still refused, Tiversa let the Federal Trade Commission know about the “hack.”

The FTC went after the lab, giving the company a choice: sign a consent decree (basically a plea deal which means years of audits and a nasty public statement) or fight in court. The CEO of LabMD, Michael Daugherty, chose to fight, because a plea deal would have tarnished his reputation and killed the business anyway, he said.

Daugherty lost that battle in 2014, having run out of steam. The lawsuit killed LabMD, which was forced to fire its 40 employees last year.

“We were a small company,” he said. “It’s not like we had millions of dollars to fight this and tons of employees.”

“The fight with the government was psychological warfare,” he told CNNMoney. “There was reputation assassination. There was intimidation. We thought we were extorted. My staff and management team was demoralized. My VP left. My lawyer left.”

Daugherty launched a website and wrote a book about the ordeal. Cause of Action, a government watchdog group, picked up his case.

Wallace’s testimony casts doubt on the FTC’s case against LabMD. If Wallace is telling the truth, the FTC aggressively prosecuted a company based on bogus evidence.

The FTC declined to comment, citing an ongoing lawsuit against LabMD, which still hasn’t reached its conclusion.

LabMD wasn’t the first time Tiversa’s false hacks made national news, Wallace said. He claimed that Tiversa also made up information in 2009 pointing to Iran for supposedly stealing blueprints for President Obama’s helicopter, Marine One. That scare led to several news stories published by NBC, Fox, CNET and others.

According to Wallace, Tiversa did this by using phony IP addresses — on the orders of Tiversa’s CEO, Bob Boback. The company, which works closely with law enforcement, would look up the Internet addresses that were used by known criminals or identity thieves, then claim that those IP addresses were sharing stolen files online. Wallace said it was a scare tactic that added “spread” to the supposed damage — and “wow factor.”

“So, to boil this down, you would make the data breach appear to be much worse than it actually had been?” FTC Administrative Judge Michael Chappell asked.

“That’s correct,” Wallace responded.

Tiversa denies Wallace’s allegations. On Thursday, Tiversa’s CEO told CNNMoney that the recent revelations were “baseless” and came from an ex-employee still angry for being fired.

“This is an overblown case of a terminated employee seeking revenge,” Boback said. “Tiversa has received multiple awards from law enforcement for our continued efforts to help support them in cyber activities.”

Tiversa is a small cybersecurity consultancy based in Pittsburgh. Its board members include several highly-decorated experts in the security and privacy fields, including the retired four-star U.S. Army General Wesley K. Clark (formerly NATO’s Supreme Allied Commander in Europe) and Larry Ponemon (founder of the Ponemon Institute, a pro-privacy think tank).

U.S. Rep. Darrell Issa, chairman of the House Oversight Committee, demanded last year that the FTC look into allegations of “corporate blackmail” by Tiversa. In a letter to the FTC in December, Issa noted that Tiversa assisted the FTC on data leak investigations of “nearly 100 companies.” This link potentially taints evidence in those cases too.

To see the original article, click HERE


06 May Analyst Backs LabMD In FTC Row, Alleges Fraud At Tiversa


Originally posted on Law 360

By Jimmy Hoover


Law360, Washington (May 05, 2015, 9:16 PM ET) — LabMD Inc. on Tuesday scored a major hit in its data security fight with the Federal Trade Commission after a former analyst at the cybersecurity firm Tiversa Inc. testified that his company lied to the agency about the extent of LabMD’s data leaks after the medical testing firm turned down its services.

Richard E. Wallace said in a hearing that during his time as one of the company’s chief forensic analysts from 2007 to 2014, he helped Tiversa and CEO Robert J. Boback spin lies to the FTC about the “proliferation” of LabMD-held insurance records among identity thieves — which LabMD claims is the sole basis for the agency’s 2013 administrative complaint against it for alleged data protection failures.

Wallace said that, rather than a proliferation, he merely downloaded a file off of LabMD’s own server and manufactured those claims per Boback’s orders, who he said wanted to steer LabMD into using Tiversa’s monitoring and remedial services.

According to Wallace, Boback became infuriated that LabMD’s president and CEO, Michael J. Daugherty, rejected their services.

“[Boback] basically said F-him, make sure he’s at the top of the list,” Wallace said at the hearing, describing the Tiversa CEO’s reaction to LabMD’s refusal of services.

Atlanta-based LabMD conducts laboratory tests on samples that physicians obtain from patients and also performs medical testing for consumers around the country.

Tuesday’s proceedings before Administrative Law Judge D. Michael Chappell had stalled for several months after Wallace revealed that Tiversa had emerged as the subject of an investigation from the House Committee on Oversight and Government Reform and that he was pursuing immunity for his testimony in the FTC proceedings — immunity he finally received.

Wallace said that he left the company in February 2014 after Boback had pressured him to lie under oath in a planned deposition from LabMD’s attorneys about the extent of LabMD’s data leaks.

According to LabMD’s attorney Reed Rubinstein of Dinsmore & Shohl LLP, the testimony marked a “remarkable day” in the case and vindicated the company’s assertion that “the FTC action was based on manufactured evidence.” At the close of the hearing Tuesday, Rubinstein announced that LabMD will seek a criminal investigation against Tiversa.

“Obviously the FTC never checked what came in from Tiversa,” Rubinstein said in an interview with Law360.

Under direct examination from William A. Sherman II of Dinsmore & Shohl, Wallace outlined a pattern of fraud and deception at his former company and said it was “common practice” at Tiversa to deceive companies into believing identity thieves had stolen their files off of peer-to-peer networks in an effort to charge for remedial services.

Wallace said Tiversa carried out the scheme by inserting the IP addresses of known identity thieves into a “data store” and making it appear to the companies that the identity thieves had pilfered their files, despite the fact that they had already been shut down by law enforcement. Because their computers were down, Wallace said, “there was no way to contradict what Tiversa was saying.”

During a re-direct examination Tuesday from his own attorney, Mary Beth Buchanan of Bryan Cave LLP, Wallace also recounted an episode in which Boback allegedly forced him to conjure up a report claiming that trade secrets related to the avionics found in the cockpit of Marine One, the helicopter for presidential transport, had been stolen by Iranian nationals, a fake story later plastered in headlines across major news outlets including CBS News, NBC News and Fox News.

“It was very big press for Tiversa. And believe it or not, it was not easy to find an active Iranian IP address that law enforcement couldn’t get a hold of,” Wallace said.

The FTC declined an opportunity to depose as well as cross-examine Wallace on Tuesday, though FTC attorney Laura Riposo VanDruff indicated that she may file a motion to introduce a rebuttal witness within the next week.

Counsel for Tiversa and Boback could not be immediately reached Tuesday for comment.

LabMD is represented by William A. Sherman II, Reed Rubinstein and Sunni Harris of Dinsmore & Shohl LLP and Hallee Morgan, Kent Huntington, Daniel Epstein, Patrick Massari and Prashant K. Khetan of Cause of Action.

The FTC is represented by Alain Sheer, Laura Riposo VanDruff, Megan Cox, Ryan Mehm, John Krebs and Jarad Brown.

The case is In the Matter of LabMD Inc., docket number 9357, before the Federal Trade Commission Office of the Administrative Law Judges.

–Editing by Emily Kokoll.

To download your own copy of this article, click here
