Archive for June, 2010


Jun

19

Malware Spam Uses OFAC as Bait


Posted by at 12:02 pm on June 19, 2010
Category: OFAC

OFAC SpamCommercial computer security firm Sophos reports the recent appearance of spam emails that attempt to get the recipient to click on an Excel file attachment described as a “report of the declined deposit by OFAC.” If the attachment is opened, it delivers as its payload a variant of the Koobface malware which, once it installs itself on the victim’s computer, attempts to harvest financial and other confidential data and allows the computer to be controlled remotely as part of a botnet. The sender’s address is often spoofed and appears to be coming from the Treasury Department.

Most readers of this blog, however, would probably have had their suspicions alerted by the description of the attachment as a “report of the declined deposit by OFAC.” OFAC, of course, doesn’t decline deposits. Banks and financial institutions do. OFAC’s only role is to penalize banks that fail to decline or block deposits when required to do so by OFAC’s rules.

So now you can add malware protection to the list of the many invaluable services provided by this blog to its readers!

Permalink Comments (5)

Bookmark and Share


Copyright © 2010 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Jun

16

France Prohibits Export of Flight Control Software to European Rocket Program


Posted by at 9:23 pm on June 16, 2010
Category: Foreign Export Controls

Vega RocketA report in Space News reveals that French export officials have prevented export of French-developed flight control software that was intended for the Vega rocket. The Vega rocket, a joint launch vehicle project of the European Space Agency and the Italian Space Agency, is destined for Arianespace SA. As you probably know, Arianespace SA is a French company founded in 1980 as the first private launch company. France also is a 15 percent participant in the Vega rocket program, making France the largest participant in the program after Italy, which is a 65 percent participant.

France did grant an exemption for the software to be used on the first flight and possibly on the second flight depending upon the status of development of new software to replace the yanked French software. Apparently all involved in the Vega program were blindsided by the French action:

[ESA Launcher Director Antonio] Fabrizi said he is not certain exactly what transpired in the case of the Vega flight-control system. Other French technology, in particular the filament-wound P-80 first stage, was subject to export approval and received authorization without a hitch.

“I have been told that it could have been a problem with the way the export license application was made, or its timing,” Fabrizi said.

Although French bureaucratic stubbornness is second to none, I’m not buying Fabrizi’s story that the French blocked export of the flight control forever because the application was too late or violated some procedural rule. More likely, the French stopped the export because of the technology itself.

That France denied the export even though it is knee-deep in the Vega program itself is perplexing. The only conclusion that can be drawn from this is that the United States isn’t the only country that has used export controls to shoot itself in its own foot.

Permalink Comments (1)

Bookmark and Share


Copyright © 2010 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Jun

15

So Easy Even a Kingpin Can Do It


Posted by at 7:51 pm on June 15, 2010
Category: OFAC

Bad GeckoYesterday when I posted on the latest release of civil penalty information by the Office of Foreign Assets Control (“OFAC”), I promised to do a second post on the $11,000 penalty paid to OFAC by GEICO General Insurance Company (“GEICO”). The penalty was paid to settle charges that GEICO provided an automobile insurance policy to a Specially Designated Narcotics Trafficker (“SDNTK”).

There is no indication whether this violation was voluntarily disclosed. My cynical guess (not based on a single fact) is that the whole deal came to light when the SDNTK ran into someone. GEICO then suddenly discovered its insured was an SDNTK and tried to use that as an excuse not to pay out for the damages to the other driver.

But here’s what is most interesting about OFAC’s announcement of the GEICO penalty settlement. The agency noted:

The settlement amount reflects OFAC’s consideration of the following General Factors: GEICO does not screen its existing policyholders database for SDNs as the SDN list is updated but only on an annual basis. GEICO has committed to making improvements to remedy this gap in its OFAC compliance program.

Based on this statement, it would appear that the SDNTK was listed as such by OFAC after GEICO had issued the policy. Because GEICO screened its database of customers annually, it continued to provide insurance for a period of time after the designation. Bad gecko.

But this is a problem that bedevils every compliance program. How often should customer lists be scanned? Based on this statement from OFAC, annually is not enough. Instead the agency seems to suggest that every company must rescan its customer list each and every time OFAC adds someone to the SDN list. This seems overly burdensome and not justified by any significant benefit. A better policy would be for OFAC to establish a safe harbor for companies that rescan their customer lists at specified intervals, such as monthly or bi-weekly.

Permalink Comments (7)

Bookmark and Share


Copyright © 2010 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Jun

14

Two Packages to Sudan Net $5k Fine for KLM


Posted by at 7:59 pm on June 14, 2010
Category: OFACSudan

Khartoum AirportWhile I was traveling earlier this month, I missed the latest release of civil penalty information by the Treasury Department’s Office of Foreign Assets Control (“OFAC”). Both KLM and Geico were fined. We’ll look at the KLM case today and GEICO tomorrow because both penalty cases raise interesting issues.

KLM was fined $5,336.26 in connection with two cargo shipments it carried between KLM’s cargo facilities at O’Hare Airport in Chicago and the Khartoum International Airport. One shipment consisted of oil field equipment and the other contained hydraulic hoses. The offending shipments were not voluntarily disclosed to OFAC.M

OFAC’s initial nastygram to KLM (or “Prepenalty Notice” in OFAC-speak) proposed a $6,277.95 penalty. KLM’s reply admitted that its compliance program didn’t mention embargoed destinations but sought clemency from OFAC on the grounds that it had now circulated a notice to all U.S. operations reminding them about “bookings that cannot be accepted.” That delayed stab at compliance, however, did net KLM a savings of $941.69 or about 15% of the originally proposed penalty.

What is interesting here is that it now appears that KLM has circulated a bulletin to all of it’s cargo operations instructing them not to take any packages to Sudan or other embargoed destinations. That, of course, is an excessive, but understandable, response to the OFAC penalty proceeding. Yet, as we all know, not all cargo to Sudan is prohibited. A box of books would be fine under the information exemption. But KLM doesn’t want to have to inspect cargo and determine whether an export license is or isn’t required. And who can blame them?

Yes, yes, KLM broke the rules here, and it’s hard to muster up an abundance of sympathy for a carrier whose compliance program didn’t even mention that whole business of embargoed countries. Yet, yet, busting an airline for something like this (even if the fine is less than a first-class transatlantic ticket) will necessarily result in the airline doing exactly what it did here: overreact. This will make it difficult for shippers to send perfectly legal cargo to the country, violating the spirit, if not the letter, of the Berman Amendment, which established the exception for informational materials.

If OFAC needed a couple of whipping boys here, the shippers were better targets. They, of course, knew what they are shipping and should have known it wasn’t exempt.

Permalink Comments (5)

Bookmark and Share


Copyright © 2010 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Jun

10

Crime and Even More Punishment


Posted by at 8:34 pm on June 10, 2010
Category: BISCriminal Penalties

PunishmentThe last four items posted by the Bureau of Industry and Security (“BIS”) — and which are linked here, here, here, and here) on its list of reported export violations — all involved impositions of export denial orders on individuals already convicted of crimes. Two of the four are currently languishing in federal correctional institutions and one served a two-year sentence of incarceration.

Needless to say, there is nothing (other than, of course, the lapse of the Export Administration Act) prohibiting BIS from piling more punishments on these individuals, even though arguably incarceration, as the harshest penalty short of execution, really should be seen as sufficient punishment. (By the way, I am not suggesting to the export hawks on the hill, who seem to increase penalties every time they get a chance, that the death penalty might be a proper punishment for exporting a teflon-lined valve without a BIS license.) But I think that these add-on, johnny-come-lately penalties ought to be put in proper context by noting that unconscionable breadth of the standard denial order as currently drafted.

For example, after the individual subject to the denial order is released from prison, it is fair to say that employment opportunities are already restricted because of his or her incarceration or conviction. But the denial order, which prohibits the individual from “directly or indirectly” “benefiting in any way from any transaction involving any item exported or to be exported from the United States” further limits those employment possibilities. Taking a job with any company that is involved in any exports would seem to violate the denial order even if the job was a menial job with no connection to the company’s export activities. And what company doesn’t export? Well, I suppose the individual subject to the order could always work for a shoe shine stand or iron shirts in a laundry.

Additionally, the Denial Order effectively prohibits the subject individual from travelling abroad. Travel abroad would result in an export of the individual’s baggage and personal effects (unless, of course, the individual travels in, er, a state of nature). The standard denial order even explicitly denies the subject individual the ability to use the BAG license exception which ordinarily covers personal effects carried with a traveler oversea. The prohibition on using an item that has been exported from the United States arguably prohibits the subject individual from using airplanes, boats and automobiles even for domestic travel if they’ve ever left the United States. Of course, since the person subject to the denial order is working for a shoe shine stand or a shirt laundry, travel of any kind won’t really fit in his or her budget

The standard denial order doesn’t incorporate any of the routine export exemptions, such as those for informational materials. Sending a birthday card to a relative abroad could wind up costing about $250,000 more than the cost of the card or the postage. Arguably the Berman Amendment applies even if the standard denial order doesn’t say so, but by not explicitly exempting informational materials, the order at a very minimum deters the individual from trading information with relatives and friends abroad.

Finally, a person subject to a denial order might wind up with a BIS charging letter as thanks for his or her contributions to U.S. charities sending food, aid, medicine, medical supplies and relief to Haiti or other scenes of catastrophic natural disaster.

Export denial orders may well have a legitimate administrative purpose (assuming that they are subsequently permitted by authorizing legislation), but current export reform efforts provide an opportunity to rewrite the standard denial order to eliminate its excessively broad scope. It also provides an opportunity to consider whether anything is really gained by routinely and automatically imposing a denial order on parties already subjected to substantial criminal penalties.

Permalink Comments (1)

Bookmark and Share


Copyright © 2010 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)