NSS ~ Counterfeiting Stock ~ MM Games Played

[fourkids_9pets]

Hedge Fund and Cybersecurity Firm Team Up to Short-Sell Device Maker

By MATTHEW GOLDSTEIN, ALEXANDRA STEVENSON and LESLIE PICKER
SEPT. 8, 2016

The cybersecurity firm behind a short-seller’s campaign against St. Jude Medical, a major manufacturer of pacemakers, has a curious operating history.

The firm, MedSec, says it has been around 18 months. But it was incorporated in the United States in Delaware just last month. Justine Bone, its chief executive, came on board two months ago.

And MedSec’s headquarters shares the same address as a virtual office in Miami that provides space to a number of companies.

The start-up is at the center of an unusual story line that brings together a Wall Street short-seller and the mysterious world of computer hacking.

Three weeks ago, Carson Block, an investor known for betting against, or shorting, companies’ stocks, announced that he and MedSec had uncovered “troubling cybersecurity flaws” in St. Jude’s pacemakers. Those flaws, he claimed, made them vulnerable to hackers and posed a potential health hazard. The situations put forward by Mr. Block were more akin to an international spy thriller than his usual forensic examination of a company’s accounting.

Mr. Block went public about three months after he received a call from Robert Bryan, a former hedge fund manager who helped raise money for MedSec, asking him to breakfast. Mr. Bryan proposed that MedSec and Mr. Block’s Muddy Waters hedge fund join forces to expose a potential security vulnerability that Mr. Bryan said MedSec had discovered in St. Jude’s pacemakers.

The firms agreed to share in the windfall of any decline in St. Jude’s stock.

“I have a very jaundiced view of how companies treat cybersecurity,” Mr. Block said in an interview on Thursday. “This is why this issue spoke to me so much.”


Short-sellers stake bets against stocks and profit when the share price falls. They often find themselves taking the heat for protesting loudly about the company they have waged a financial bet against. St. Jude has itself accused Muddy Waters, which manages about $100 million, of publishing a misleading report for its own financial gain. The company’s share price fell about 5 percent on Aug. 25 after Muddy Waters released MedSec’s research.

Muddy Waters’ partnership with MedSec is unorthodox. The cybersecurity firm counts Mr. Bryan, a former Goldman Sachs analyst, as one of its directors. Mr. Block and Mr. Bryan first met when Mr. Bryan was running a now-defunct hedge fund in New York called Metaval Capital.

MedSec has portrayed itself as a company that researches vulnerabilities in medical devices as a public service and considers itself among a group of hackers that engage in bounty hunting for bugs in networks and software programs. But unlike many of these hackers, who typically confront the company with their findings and seek compensation, MedSec chose not to go to the company.


One of the possible flaws in the pacemakers is a lack of encryption. Credit St. Jude
Ms. Bone, MedSec’s chief, said in an interview with Bloomberg Television on Aug. 25, that MedSec did not go to St. Jude with its findings because they were “worried that they would sweep this under the rug.”

MedSec says that St. Jude’s pacemakers and defibrillators have security flaws including a lack of encryption and an opening that allows unauthorized devices to intercept communication between the implanted device and its home monitor.

But St. Jude has said the findings are in error. On Wednesday, the company filed a lawsuit in Federal District Court in Minnesota accusing MedSec and Mr. Block of making false statements and conspiring to manipulate its shares.

In the lawsuit, St. Jude noted that a group of researchers at the University of Michigan had reproduced MedSec’s experiment and “came to strikingly different conclusions” and said the problems uncovered were overblown.

St. Jude, like many medical device manufacturers, has had a history of problems with some of its products — some with deadly results. In 2012, the company had to make changes to some of its heart defibrillators because of problems with wires that protruded from their casings that had led to a number of deaths.

The recent questions about the security of St. Jude’s pacemakers comes as the company is being acquired by Abbott Laboratories in a stock and cash deal valued at $25 billion. Abbott has said it plans to continue pursuing the deal, which was announced on April 28, shortly before Mr. Block met with Mr. Bryan to discuss teaming up.

Mr. Block, in an interview, said the timing of the meeting was a coincidence and that MedSec had broadly looked at whether other pacemaker manufacturers were vulnerable to similar attacks and found problems only at St. Jude.

“I don’t think you can conclude that they came together to short St. Jude,” Mr. Block said of MedSec.

In an emailed response, Mr. Bryan described himself as a minority investor in MedSec and said the company “raised seed capital far before contacting Carson.” He added that “it’s implausible that we’d develop an entire study a year ago on the hope a short-seller would take the case and not speak to any of them.”

He said the company was incorporated in St. Kitts and Nevis, a Caribbean nation, last year and incorporated in Delaware so it could “receive compensation” from Mr. Block’s fund. Mr. Bryan said the firm has a long-term “sublease and physical office space” and “recently we signed up a few clients including a hospital in Texas.” He declined to disclose any names.

A number of hedge funds, which had placed bets on the likelihood of the Abbott deal closing, lost money when shares of St. Jude fell last month, erasing more than $1 billion in market value. Some of them, as well as other investors in St. Judge, have discussed filing a lawsuit against Muddy Waters and MedSec, and brought in lawyers at a prominent Wall Street law firm as counsel, according to people briefed on the discussions.


Justine Bone, MedSec’s chief, said in an interview with Bloomberg Television that MedSec did not go to St. Jude with its findings because they were “worried that they would sweep this under the rug.”
MedSec’s board and staff is an unusual mix, including a former congressman, university professors and people from the world of hacking. Mr. Block has arranged for his public relations firm to handle media for MedSec.

A doctor who is on the company’s board and issued a letter vouching for the firm’s results also has an equity stake in MedSec.

The firm sought to add some gravitas to its ranks with the hiring of Ms. Bone, who previously held top network security jobs at Bloomberg and Dow Jones. A former ballet dancer in New Zealand, Ms. Bone also is the former chief executive of Immunity, a company that specializes in cybersecurity threat assessment, and she has been a featured speaker at major hacker community conferences.

Immunity emerged last year in a document dump by WikiLeaks of emails with companies that had business discussions with Hacking Team, an Italian company that has come under scrutiny for selling digital spy tools to governments with records of human rights abuses.

MedSec and Muddy Waters have given varying accounts of the urgency of their discovery. In her television interview, Ms. Bone said the company saw “no evidence of an immediate threat.”

In their report, however, MedSec and Muddy Waters quote Hemal Nayak, a cardio-electrophysiologist at the University of Chicago Medicine, who recommended that his patients unplug their St. Jude devices and said he would not implant any new pacemakers until the security problems were addressed.

Dr. Nayak, who could not be reached for comment, also serves as a medical adviser and board member at MedSec and has an equity stake in the firm. He has acknowledged not being an “expert in cybersecurity” but said he “witnessed, firsthand, the experiments MedSec has conducted.” Dr. Nayak was given an equity interest in the firm “prior to MedSec reaching its conclusions,” according to a footnote in the research report.

A spokeswoman for the University of Chicago Medicine said: “The work Dr. Nayak conducted with MedSec/Muddy Waters was done on his own time and not in his capacity as a faculty member or physician at the University of Chicago Medical Center.”

The same day that Mr. Block and MedSec went public with their findings, they sent a copy of the research to the federal Food and Drug Administration.

Angela Stark, a spokeswoman for the F.D.A., said in an emailed statement the agency “is aware of the allegations and concerns raised in MedSec’s public report” and is investigating them.

She added that the agency said patients with St. Jude pacemakers should continue to use them.

http://www.nytimes.com/2016/09/09/business/dealbook/hedge-fund-and-cybersecurity-firm-team-up-to-short-sell-device-maker.html?smprod=nytcore-iphone&smid=nytcore-iphone-share&_r=1

original link courtesy of alanc

4kids