Do Not Open That Email Attachment


Posted by Clif Burns at 10:11 am on February 8, 2010
Category: China, Technical Data Export

Everyone that has sensitive data (including, of course, ITAR-controlled data) on their computer networks should read this sobering article in Wired, which reveals, for the first time that I am aware of, the methodology, extent and scope of Chinese cyber-attacks on U.S. computer networks. After you read this article, there will be no question in your mind that these attacks are orchestrated and carried out by the Chinese government, even though the Chinese government is currently issuing risible denials of its involvement. Also, you will never open an email attachment again from anyone. The problem is, of course, that someone on your network will.

Called Advanced Persistent Threats (APT), the attacks are distinctive in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion programs. What’s more, the intrusions grab a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures. …

The Heartland and RBS attackers, and other criminal hackers of their ilk, tend to use SQL injection attacks to breach front-end servers. The APT attackers, however, employ undetectable zero-day exploits and social engineering techniques against company employees to breach networks.

… They attempt to take every Microsoft Word, PowerPoint and Adobe PDF document from every machine they compromise, as well as all e-mail, says Mandia. …

Last year, for example, an unidentified defense contractor discovered 100 compromised systems on its network, and found that the intruders had been inside since at least 2007.

APT attackers also appear to be well-funded and well-organized. In some cases, Mandiant has found multiple groups inside a network, each pursuing their own data in a seemingly uncoordinated fashion. …

Many entities don’t discover a breach until someone from law enforcement tells them. By then, it’s too late.

“By the time the government is telling you, you’ve already lost the stuff you didn’t want to lose usually,” Mandia says, noting that it’s generally not possible to ascertain everything that an attacker took.

While APT attacks are sophisticated, they use simple techniques to gain initial entry and, once inside, adhere to a pattern.

For starters, the attackers conduct reconnaissance to identify workers to target in spear-phishing attacks — such as key executives, researchers and administrative assistants who have access to sensitive information — and then send malicious e-mails or instant messages that appear to come from a trusted colleague or friend.

The e-mails have an attachment or link to a ZIP file containing zero-day malware that exploits Microsoft Office or Adobe Reader vulnerabilities. Google employees received an e-mail with malware that exploited a vulnerability in Internet Explorer 6 that Microsoft had not yet publicly disclosed.

Once the attackers have a foothold on one system, they focus on obtaining elevated access privileges to burrow further into the network. They do this by grabbing employee password hashes from network domain controllers — and either brute-force decrypt them or use a pass-the-hash tool that tricks the system into giving them access with the encrypted hash.

Not only should you be extremely cautious about email attachments and forwarded links, even from trusted friends, but also you might think about taking down your entry on LinkedIn or other business networking sites. Unless, of course, it’s already too late.

Breaking News from the Registration Front


Posted by Clif Burns at 4:26 pm on February 5, 2010
Category: DDTC

The biggest news today was the announcement by the Bureau of Industry and Security (“BIS”) of a U.K. company’s agreement to pay a $15 million fine, the largest fine ever collected by BIS. I’ll write about that when the charging and settlement documents are released.

In the meantime, however, I want to share with you a bumper crop of company press releases over the past few days announcing registration under Part 122 of the International Traffic in Arms Regulations. And, as always, these press releases are a never-ending source of amusement.

New-Hampshire-based Ion Beam Milling’s announcement perpetuates the myth that ITAR registration represents some kind of certification by the Directorate of Defense Trade Controls (“DDTC”):

Upon verification of a company’s ITAR compliance, an ITAR Registration Code is assigned and certifies the company’s clearance to work in conjunction with the US military and its counterparts.

Ion Beam also wins the award for the most original spin ever on ITAR registration:

ITAR Registration enhances Ion Beam Milling’s existing Intellectual Property and Document control policies.

A free subscription to this blog will be awarded to any reader who figures out just what the heck this means.

California-based Lenthor Engineering scores a first by issuing a press release announcing that it has renewed its registration. I can just imagine someone in the company saying that they’ve paid $2,250 and will be darned if they’re going to let that money go to waste.  Don’t be surprised if Lenthor announces next week that the company added another copy of the Pocket ITAR to the company’s library.

Munich-based computer hardware manufacturer Kontron AG’s announcement notes that the company

has registered and is in compliance with International Traffic in Arms Regulations (ITAR) administered by the United States Department of State Directorate of Defense Trade Controls who [sic] controls the export and import of defense articles and services.

Obviously Kontron didn’t have to take the legendary DDTC certification test or it would have known that DDTC only controls temporary imports of defense articles.

OFAC Mugabe Sanctions Hit Home, Our Home Not His


Posted by Clif Burns at 10:34 pm on February 4, 2010
Category: Economic Sanctions, Zimbabwe Sanctions

A golf course in Marion, Illinois, is set to close as a result of economic sanctions imposed by the Department of Treasury’s Office of Foreign Assets Control against Zimbabwe’s Robert Mugabe and his cronies. How do the Mugabe sanctions have an impact almost 9,000 miles away?

According to this story in an Illinois newspaper, Kokopelli Golf Course was purchased, almost 15 months ago, from a Florida partnership by local investors. One of the partners in the Florida partnership, it appears, was John Bredenkamp, alleged by OFAC to be a Mugabe crony — a charge that Bredenkamp denies. So OFAC blocked the title to the golf course and the sale hasn’t closed, despite the intervention of Senator Durbin, the senior senator from Illinois, and despite arguments that the closing of the golf course as a result of OFAC’s blocking title to the club would have a significant impact on the local economy. Indeed, the closing of this town’s golf club would appear to be the only visible impact of the Mugabe sanctions since, the last time I checked, Mugabe was still sitting fat, happy, rich and in power in Zimbabwe.

The news story does not reveal the size of Bredenkamp’s interest in the partnership that owned the golf club. If his interest was greater than 50 percent, then under current OFAC guidance, as this blog reported here, the partnership and all of its assets, including the golf club, would be a blocked asset. This case shows the problem with such a rule is that it potentially punishes innocent parties. Assuming, as is likely the case, that the other partners entered into the partnership with Bredenkamp prior to Bredenkamp becoming designated by OFAC as subject to the Mugabe sanctions, there is no conceivable reason to punish the other partners. Instead, OFAC should block Bredenkamp’s interest in the partnership and any revenue due to him under the partnership agreement. The policy behind this position is even more obvious when blocking the interest of innocent partners has an impact on the economy of a small U.S. town.

If the Kokopelli Golf Club closes, Marion residents can, ironically, always go to Zimbabwe to tee off. According to Golf Digest:

Despite hyperinflation, cholera and hugely unpopular President Robert Mugabe, golf survives in Zimbabwe. At Bulawayo Golf Club (founded in 1895), members have been paying with gasoline because local bank notes are now worthless.

Fore!

At Least Self-Debarment Beats Ritual Seppuku


Posted by Clif Burns at 4:55 pm on February 3, 2010
Category: Arms Export, DDTC

Earlier this afternoon, the State Department issued a press release announcing a settlement it had reached with Interturbine Aviation Logistics GmbH, Germany, and its Texas branch office, Interturbine Aviation Logistics GmbH, LLC, for alleged violations of the Arms Export Control Act and the International Traffic in Arms Regulations (“ITAR”). Under the agreement Interturbine agreed to a $1 million dollar fine, $900,000 of which would be suspended provided that these amounts were applied to Interturbine’s ITAR-related compliance programs and measures.

One part of the press release deserves particular attention:

$400,000 [of the suspended $900,000] will be suspended on the condition that Interturbine maintains its self-initiated exclusion from all ITAR regulated activities.

I suspect that I am not alone here in wondering how voluntary or “self-initiated” Interturbine’s self-debarment was. Although I’m certain that the State Department’s Directorate of Defense Trade Controls (“DDTC”) didn’t resort to rubber truncheons, heavy volumes of the phone book, bright lights and sleep deprivation, it wouldn’t surprise me if this self-debarment was strongly urged by DDTC officials while asking Interturbine officials how they thought they would look in orange. This is, after all, the first time I’ve seen a company adopt a lengthy self-debarment as the result of export violations.

The best part of the press release, however, is this:

The Department has determined that an administrative debarment of Interturbine is not appropriate at this time.

That seems to me not far removed from saying that, in light of the defendant’s suicide, the prosecution has decided not to seek the death penalty.

Upgrade Blues


Posted by Clif Burns at 6:20 pm on January 31, 2010
Category: General

In upgrading to WordPress 2.9.1 today, I had a bit of a problem and lost some of the files that control how this blog looks. I’ve recreated most of them, but the blog is still looking a little odd and behaving a bit strangely. I should have time to get everything back in working order over the next few days and while I’m doing that I’ll try to add some new features like a search box.

A Metaphysical Question


Posted by Clif Burns at 8:49 pm on January 28, 2010
Category: Foreign Export Controls

ABOVE: The ADE-651


On Tuesday my colleague in our London Office, Anita Esslinger, forwarded to me a directive from British export authorities adding “electro-statically powered explosive detectors” to its list of export-controlled items, otherwise known as the 2008 Export Control Order. Anita wondered if the U.S. was planning on doing the same thing. I wrote back that I didn’t think it would need to since explosive detectors were already covered under ECCN 1A004.d.

In fact, I was wrong, because these “electro-statically powered” explosive detectors aren’t covered by ECCN 1A004.d, but not for the reason that you might imagine, but rather for what might be called a metaphysical reason. These detectors aren’t covered by the ECCN because they don’t work, and, thus, aren’t really bomb detectors. At this point, before you accuse me of having read too much Aristotle, hear the rest of the story.

The British order is directed at the ADE-651, a device marketed by a British company named ATSC, which is run by Jim McCormack from a former dairy farm in Somerset. The device, according to ATSC, can detect explosives from a distance of 1 kilometer.  It can also, allegedly, detect other items such as elephants and dollar bills from the same distance, depending upon whether a card programmed to detect elephants or dollar bills is inserted into the device’s card reader. As a further miracle of modern technology, the device has no power supply but is powered by the static electricity generated by the user, hence, the reference to them as “electro-statically powered” in the amendment to the 2008 Export Control Order.

A BBC Newsnight investigative report (video embedded at the end of this post) examined the device and found that the inside of the device was empty (as in being filled with nothing but air  . . .  literally). The report also discovered that the cards “used” by the device were no more than RFID tags used to deter shoplifting and not specially programmed cards designed to whiff out the essence of elephant or anything else for that matter.

This would be humorous were it not for the fact that the use of these devices may have resulted in death and injury. A recent wave of successful car-bomb attacks in Baghdad has led even some Iraqis to question the efficacy of the device even though Iraq has bought $85 million dollars worth of the non-functional plastic shells at $40,000 to $60,000 per pop.

Jim McCormack has been arrested for fraud and is out on bail.

This Isn’t the Transparency You Were Hoping For?


Posted by Clif Burns at 8:39 pm on January 27, 2010
Category: OFAC

My colleague Stan Marcuss points out that the Office of Foreign Assets Control (“OFAC”) appears to have changed course in treating Freedom of Information Act (“FOIA”) requests and has decided to hand out OFAC license applications willy-nilly to anyone who can afford a postage stamp. Several years ago, after someone requested copies of all licenses to ship food, medicine and medical devices to Iran, OFAC sent letters to the affected parties asking them if they wished to assert protection under Exemption 4 of the FOIA which exempts from disclosure confidential commercial information. If a licensee asserted the exemption, OFAC normally would withhold the license from disclosure.

Now, citing the new administration’s policy of transparency, OFAC has sent letters indicating that these licenses will be released to the public. The filing of such a license, and the contents thereof, will be freely disclosed over the objection of the licensee even though such disclosure may discourage some from filing these licenses in the future, clearly in contravention of the Trade Sanctions Reform and Export Enhancement Act of 2000 which clearly sought to encourage the export of such humanitarian supplies to sanctioned countries. Even if we don’t like the government of Iran, Congress passed TSRA because it did not want to see the people of Iran deprived of food and life-saving medicines and medical devices. Those requesting TSRA licenses, of course, don’t really have those interests in mind.

At least two things make OFAC’s new position more than a little absurd. OFAC is still using FOIA Exemption 6 to black out the names of any individuals mentioned in disclosed documents. The absurdity here is that this policy is even used to withhold the names of terrorist and other specially designated nationals (“SDNs”) when releasing information on enforcement actions against companies that have engaged in transactions with SDNs. That means, of course, that Osama Bin Laden has more protections under OFAC’s interpretation of the FOIA than an exporter shipping food to a sanctioned country.

Worse, when an agency promises transparency, one might reasonably assume that transparency would extend to providing information on export enforcement cases that might actually assist exporters in trying to interpret and to understand the scope of OFAC’s vaguely worded regulations. Not so. OFAC continues to release as little information as possible about enforcement actions. That sort of transparency would prevent the OFAC from being able to use ambiguities in its own regulations to deter certain exports — a practice I like to call in terrorem regulation.

Apparently, what’s transparent for the goose isn’t really transparent for the gander.

BIS Is from Mars and DDTC Is from Venus


Posted by Clif Burns at 8:40 pm on January 25, 2010
Category: Arms Export, BIS, DDTC, Part 129

There has never been a seriously-advocated rational reason for the U.S., unlike most other countries, to have one export agency regulating exports of weapons and a separate export agency regulating exports of dual use items. A new regulation adopted by the Bureau of Industry and Security (“BIS”) last May, and which I hadn’t noticed at the time but which was pointed out today by an astute reader, is a perfect example of the confusion sown by this split personality approach to export regulation.

The regulation created a new, and frankly obtuse, ECCN designated as 0A919 which, to the extent any sense can be made of it, covers military items produced outside the United States which incorporate certain thermal imaging devices and which are “not subject to the International Traffic in Arms Regulations.” Don’t go rushing now to your copy of the ITAR to find a definition of items “subject to the ITAR,” because you won’t find it. The Export Administration Regulations (“EAR”) administered by BIS talks about “items subject to the EAR” but the ITAR at times focuses instead on what people are subject to its jurisdiction, particularly in respect to Part 129’s brokering regulations which intersect uncomfortably with the new ECCN.

Let’s now look at a specific example and see what happens. Consider a military vehicle which incorporates a thermal imaging camera controlled by BIS and which was manufactured outside the United States. If a U.S. person sought to export that vehicle from its country of manufacture to another country, that person (depending on the value of the vehicle and its export destinations) could be required to get permission from the Directorate of Defense Controls (“DDTC”) which regulates brokering in Part 129 of the ITAR. And given the new ECCN, that person might also require an export license from BIS (depending, of course, on the destination of the exported vehicle).

BIS tries unsuccessfully to avoid this overlapping jurisdiction with an awkwardly worded note to the new ECCN:

Brokering activities (as defined in 22 CFR 129.9) of military commodities that are subject to the ITAR are under the licensing jurisdiction of the Department of State.

That note doesn’t work because under part 129 all defense articles, irrespective of U.S. content, “are subject to the ITAR.” The brokering regulations in part 129 cover U.S. persons and foreign persons in the United States or otherwise subject to U.S. jurisdiction if they engage in brokering a defense article even if not one single component of that article was produced in the United States.

The note, and indeed the entire ECCN, only makes sense if whether something was subject to the ITAR depended on U.S. content in the same way that “subject to the EAR” under the EAR’s definition depends on the amount of U.S. content. And that’s apparently what somebody at BIS was thinking. If we had one export agency handling both dual use items and military items, this kind of basic confusion would be much less likely to occur.

DDTC Updates Firearms and Ammunition Export Guideline


Posted by Clif Burns at 9:41 pm on January 21, 2010
Category: Arms Export, DDTC

On Tuesday, the website of the Directorate of Defense Trade Controls announced that it had updated its “Guidelines for the Permanent Export, Temporary Export and Temporary Import of Firearms and Ammunitions.” Although DDTC did not identify or explain the changes in the guidelines, the changes appear to be restricted to one paragraph marked in red. That paragraph, which can be found on page 7, reads:

Where the exporter uses an in–transit point (or points) in a country other than that of the ultimate destination, an authorization issued by the foreign government of the transit country authorizing the transit of the specified items must also accompany each application to export. Where items are temporarily imported into the U.S. for the purposes of transit or transshipment to other OAS countries, an Import Authorization, comprised of either a permit or a certificate issued by the foreign government authorizing the import of specified items, must accompany each application to import.

This paragraph requires that temporary import of firearms through the United States for another member of the Organization of the American States (“OAS”) be accompanied by an import authorization from the destination state. This is clearly an effort to conform to the requirement of Article IX(2) of the OAS Firearms Convention.

The other requirement, that an export license application for firearms that transit another country prior to the ultimate destination must be accompanied by a transit permit from the transiting country, is not restricted to OAS members, although that requirement conforms to Article IX(3) of the OAS convention. It also conforms to the requirement of Article 10(2)(b) of the U.N. Firearms Protocol which hasn’t been signed or ratified by the United States, largely based on fears, unfounded by the text of the Protocol, that the Protocol is an effort by the U.N. to regulate purely domestic sales of firearms in the United States.

Even so, it’s a sensible requirement because failure to obtain a transit license for countries that have signed the U.N. Protocol or which otherwise require transit permits can result in seizures of the firearms as they transit those countries. For other countries that have not signed the U.N. Protocol and which don’t require transit licenses, the provision is a bit more problematic in that it would appear to require obtaining a transit license from countries that don’t issue them. In the case of exports to countries that don’t require import authorizations, the guidelines permit the applicant to submit a statement from the end user or the country of import that no import authorization is required. It’s not clear why a similar procedure doesn’t appear to be available in the case of countries without transit license requirements.

U.S. Extradition Request for Export Defendant Heard by French Court


Posted by Clif Burns at 9:03 pm on January 20, 2010
Category: Criminal Penalties, Iran Sanctions

ABOVE: Majid Kakavand


Amir Ardebili, who we posted on here and here, is not the only Iranian being chased by U.S. prosecutors for activities he committed entirely outside the United States and which were legal in the country where they took place. Majid Kakavand, on whom we previously posted here, used a company of his in Malaysia to order electronic components from U.S. companies and then transshipped those components to Iran. He was provisionally arrested in France in March 2009 at the request of the United States and is currently in France, out of jail but unable to leave France, awaiting the French court’s decision on the U.S. extradition request.

According to this article in the New York Times, a hearing was held last week by a French court on the extradition request. Kakavand’s lawyers argued that Kakavand’s activities did not violate any laws of France or the European Union and that the items were innocuous items that were not useful in the defense industry. Because these items could be legally shipped to Malaysia without an export license and because the U.S. criminal information against Kakavand did not allege that the items in question were on the Commerce Control List or the United States Munitions List, this argument seems to have some force. Another hearing has been scheduled by the French court for February 17.

And as with the Ardebili case, the Iranians were quick to link the fate of Kakavand with an Iranian trial. In this case, the trial in question is a prosecution brought by Iran against a 24-year-old French academic, Clotilde Reiss, in connection with her alleged participation in opposition protests following the Iranian elections last June. Apparently, the concept of a fair trial is so foreign to Iran that it hasn’t occurred to the Iranian government that a French court might actually listen to defense arguments and make a decision based on the rule of law.
