Muddying the waters of infosec: Cyber upstart, investors short medical biz – then reveal bugs

A team of security researchers tipped off an investment firm about alleged software vulnerabilities in life-preserving medical equipment in order to profit from the fallout. Researchers at MedSec Holdings, a cybersecurity startup in Miami, Florida, believed they found numerous holes in pacemakers and defibrillators …

  1. Snowy

    Smells of...

    insider trading to me.

    1. Thomas Whipp

      Re: Smells of...

      well no... to do insider trading you have to be an "insider", i.e. privy to knowledge only held within the organisation. From a regulatory perspective this is an outsider having done some research and understanding more about the company than it knew itself.

      This would be insider trading if the research had been performed in house or if the results had been made known to SJ and then one of their management team acted on it.

      From a legal perspective this is much closer to "we've looked at firm X and discovered that they have missed out applying for key business licences in half of the countries they operate in"

      1. This post has been deleted by its author

    2. TooManyFish

      Re: Smells of...

      Then you don't understand the concept.

      At no point was anyone from inside the device company shorting the stock.

      This was just trading, no insider element.

    3. DNTP

      Re: Smells of...

      A loss of objectivity for the MedSec security review team? Since they are shorting the stock of the company whose product safety they are reviewing, it's literally true that the worse their report is going to be, the more money they make. Instead of accepting their findings with a degree of impartiality, their target can simply say, "These safety reports are exaggerated due to a clear financial motive" and, whether or not this is true, use it to delay having to spend money on recalls or updates.

    4. Mark 85

      Re: Smells of...

      Not quite "insider trading"... but more like "market manipulation"... I'm sure there's all sorts of ethics and possibly legal issues from the way they handled this.

  2. John Browne 1

    Agreed

    At the very least, a rather grubby way to get a 'bug bounty'.

  3. Mage

    Shorting

    Shorting is plain wrong and ought to be illegal. Deploying information like this is unethical.

    1. Yet Another Anonymous coward

      Re: Shorting

      Shorting is ethically and financially right and necessary - otherwise there is no way of the market saying that a company is going down. Only being able to signal that something is going up leads to bubbles.

      It's like saying that the media should only be allowed to report good news

  4. Anonymous Coward

    "They could have simply gone to the device maker, showed them the holes, got them fixed."

    ~ True! But let's not pretend that this approach works universally. The Reg has reported cases where corporations have merely gagged the messenger or sued them or found another way to bury the truth.

    ~ For example, the case of the smart meter comes to mind etc: "Seattle Suehawks: Smart meter hush-up launched because, er ... terrorism"....

    ~ But the real problem here is that the ill-gotten gains should have all gone to charity to prove this really was done for all the right reasons...

    1. Anonymous Coward

      Re: "They could have simply gone to the device maker, showed them the holes, got them fixed."

      Charity?

      Engineers gotta eat too.

      *some* proceeds to charity, sure...but all of it? No.

      Try mugging someone and donating all the money to charity. See how much they shave off the tariff.

  5. tony2heads

    Muddy Waters

    WRONG PICTURE

    Should have been the legendary Blues guitarist

  6. Missing Semicolon

    Actually this might work...

    ... if it pushes "security" up the priority list by directly affecting the value of the senior exec's stock options.

    In the future, companies like this may well ensure that the security analysis is done up-front, to prevent this happening. Nothing else seems to have worked so far.

    1. Doctor Syntax

      Re: Actually this might work...

      ...in which case if it isn't currently illegal it soon will be.

  7. Anonymous Coward

    surely this is market abuse?

    (Disclosure, I work at a financial services firm, and I've done three rounds of compliance training in the last 14 months due to changing jobs and whatnot; I just finished the last round last week. I'm just a humble IT droid, with no access to any trading systems or seekrit info, but everyone has to do the compliance training. )

    Surely trading on the basis of material, non-public information (MNPI) is open and shut insider trading? Whether the info has come from within the medical device vendor or not is immaterial. No? (Looking for clue from actual finance people, please, not guesses by IT droids.)

    AC for obvious security reasons

    1. Yet Another Anonymous coward

      Re: surely this is market abuse?

      Nope - this was non-public but wasn't insider.

      It's no different from discovering that the brakes in our VW are made from cheese, then finding out that all the other VWs in the parking lot have cheese brakes - and then deciding that the price of VW might go down.

  8. Paul Johnson 1

    What happens if Muddy Waters turn out to have exaggerated the scope of the problem? If you boost a stock and sell at the top it's called "pump and dump", and is illegal. What is the other way around called? "Short and Diss"? And would that be illegal?

  9. Bob Dole (tm)

    I like it

    I have to admit, my first thought was that the hackers/profiteers should be in jail. However upon further reflection I think this is exactly the type of approach that needs to be taken.

    I don't care if it targets medical device manufacturers, cars, mobile phones or IoT light bulbs. Name them, shame them and make a buck in the process. The result is going to be that companies become proactive about security instead of reactive. (Target, Home Depot, Kohl's - I'm thinking of you.)

  10. Anonymous Coward

    Shifty for sure...

    But unless infosec people get paid what they're worth this will happen.

    Businesses are in business to make money.

    That includes every business in the healthcare industry.

  11. Mark 85

    Thinking this through..

    Upon further reflection on this... there will probably be lawsuits filed by St. Jude Medical. There's a hint of blackmail by the security people. Could it become the new normal... "pay us for these bugs, or we make a big stink in public and short your stock."? The upside is it might work this time. St. Jude might just fix the holes and keep their stock growing, which will hurt the security guys.

    But what about the next time? What about if someone says publicly "you have serious security holes so we're shorting your stock" when they haven't found any holes?

    Or go the other way... "we found no holes, we're going long on your stock"...?

    There's a lot of room here for abuse and manipulating stock prices.

  12. Old Handle

    TRO LLC

    Didn't Weev propose doing this right after he got out of prison? I guess someone else beat him to it.
