Who’s Watching You?

Posted on 17, May | Posted by Emily Liner

Predators could be spying on you through your computer’s webcam. Criminals are now able to hack in and watch your every move – without you ever knowing it. Scary, right?

We’re all guilty of it: we use our computer, get distracted with something, and just walk away. We forget the computer is still on – and this is the key action criminals are counting on. Now they can access your webcam remotely, watching your most intimate moments from the kitchen to the privacy of your own bedroom. The worst part is, you may never even know.

Not only must we remain aware of our surroundings in public or while walking through parking lots and decks; now we must also stay vigilant in the privacy of our own homes. Though there is little we as the public can do to fight hacking crimes, we are not completely helpless against this threat. The basic solutions are all ones we’ve heard before. Have good anti-virus software on your computer. Do not click any links in your email – especially the ones from “Facebook”. Because Facebook has so many users worldwide, it’s the perfect cover to trick people into thinking the link is legitimate.

The best advice is to learn more about webcam hacking to better understand the risks. Luckily, just like many other appliances and technology, there is a light or another indication that the device is on or in use. Watch your webcam light to know if it has been activated. When it is not in use, cover the lens. This physically stops hackers from watching and recording your activities.

What is Sextortion?

Posted on 19, Nov | Posted by Michael R. Longmire, MPA

Sextortion refers to the category of sexual exploitation in which threatened release of sexual images or information is the means of coercion (Source: Wikipedia).

In recent months, we have been hired to assist clients who have made the mistake of hitting the send button and wishing there was some way to “get that photo back.” These cases normally involve men who for one reason or another engage in progressively suggestive text messaging or other digital communications with someone they believe to be an interested female, only later to find themselves paying to keep the communications from being circulated on the Internet or to friends and family members.

Typically, there is no actual intimate contact, and the request for money starts with a small loan sent through a coded Western Union payment. These amounts incrementally increase, as do the threats to expose the client’s indiscretions if the demands for payment are not met.

Federal and local law enforcement report an alarming increase in these criminal extortion cases, but find the victims unwilling to pursue criminal charges. More alarming are those cases where the victims are minors enticed into actual sexual encounters with a pedophile who threatens them after posing as a peer interested in exchanging photos.

Successful investigations require the use of computer forensics, intelligence gathering, surveillance, and effective interviewing skills… and the greed of the suspect who will continue the sextortion until deterred.

RMA Attends InfoSeCon

Posted on 18, Oct | Posted by RMA

Rusty Gilmore attended the eighth annual Triangle InfoSeCon held at the McKimmon Center.

Keynote speakers were Chris Nickerson, Lead Security Consultant at Lares, Stan Waddell, Executive Director and Information Security Officer at UNC Information Technology Services (ITS), and Lance Spitzner, Certified SANS Instructor and Founder of the Honeynet Project.

The Raleigh ISSA Chapter fall conference is a great opportunity to learn more about information security, talk with companies who provide security products and services, and network with fellow information security professionals.

The conference goal is to educate attendees about information security, including executives responsible for regulatory compliance and security, information security professionals, software developers, and anyone who wants to know more about information security.

Apple Unique ID Numbers

Posted on 5, Sep | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

Hackers have posted online the unique ID numbers for more than one million Apple devices. As claimed in news reports, the file was obtained through phishing. A hacker intercepted an email sent to several dozen FBI agents. In the header of the email were all of the agents’ email addresses. The hacker crafted emails that appeared to come from legitimate FBI email addresses and sent the email to other FBI agents in hopes of gaining access to the unsuspecting FBI agent’s computer. All that the victim (FBI agent) had to do was open the email and click on a link.

The FBI has denied this event took place or that they even possessed the list. The issue will get muddied because the primary concern will not be who hacked the FBI laptop but why the FBI had the list in the first place or why the list even exists. Until March of last year, 160 million iOS devices had been sold. The hacked list contains information on about 12 million devices and their users. Links to two news stories with more information are provided below.

FBI denies report hackers leak 1 million Apple device IDs
FBI denies link to leak of 12 million Apple codes

How does this affect you? I would not worry about whether or not your iPhone or iPad is on the list. Since the list reportedly contains information on over 12 million devices, I suspect Apple will address the issue in due time. I suggest waiting until the story unfolds and more information is available.

What may happen that is even more of a concern is that you may now start seeing emails about securing your iPhone, providing “instructions” on how to check if your device is hacked, or claiming that your iOS device is on the list. Many of these will be phishing attempts. Under no circumstances should you respond to an email that says you are on the list, not even if the email appears to be from Apple. I would take any concern you have about your device to an Apple representative. Do not rely on an unknown “Good Samaritan” offering to help you by email.

Communication

Posted on 4, Sep | Posted by Kevin M. McQuade, CPP

The last few years have brought about remarkable technologies in the way we communicate with one another. There are the old standbys – voice mail, email, and texting – but now people are using Twitter, Facebook, and YouTube, just to name a few. These are all wonderful tools to communicate with others, but how secure are they? Nothing upsets me more than hearing that a relative of mine – or anyone for that matter – has updated their Facebook page with information like “we’re going to the beach this weekend” or “I just got home and the husband and kids are out to a movie.” If this isn’t an invitation for a crime I don’t know what is.

Is it that important to let everyone know your business all of the time? When I question these folks, they often tell me that I am just not “with the Now Generation” and I think the worst in everyone. The fact is that these social media forms of communicating are simply not as secure as a phone or face-to-face conversation. There is no way to know who is monitoring you. If you really need to let someone know your whereabouts, try something different – pick up the phone and talk to them. It’s simple, it’s secure, and it’s worked for many years.

Keep pace with legal requirements as mobile devices inundate offices

Posted on 30, May | Posted by RMA

By Elizabeth Johnson
Originally published in Business North Carolina’s Law Journal, May 2012 issue

With 87% of employees confirming they use personal electronic devices for work, designing a workable “bring-your-own-device” program is probably overdue. BYOD is a tricky issue; 48% of companies claim they would never authorize employees to use personal devices for work, but 57% acknowledge that employees do it anyway. The wave of mobile devices has already flooded your offices. It’s time to figure out what to do about it.

Talent recruitment and cost concerns
Almost half of college students and young employees say they would accept lower pay in exchange for flexibility on device choice, social media and mobility, indicating it will be difficult to compete for new talent without adopting a BYOD policy. Your business may be able to save on device purchases and information technology support, but all that savings could be wiped away if a lost personal device results in a reportable security breach (average response cost is over $5 million) or if sanctions result because contents of the device are considered discoverable in litigation but cannot be produced.

Productivity and social media
Let’s be realistic: Your employees already use Facebook during work time, and blocking the site won’t help since we’ve already established that they use personal devices at work. Think of BYOD as a means to retrieve some of those lost hours. Seventy-two percent of employees regularly check their emails from personal devices outside normal business hours, and 42% check even when out sick.

If you enable BYOD, social media use may go up, but temper your zeal to prohibit or monitor that use. In recent years, employers have been repeatedly dinged by the National Labor Relations Board for overly broad social-media policies, were found liable for accessing employees’ social-media communication in unauthorized ways, and scaled back reviews of social-network sites due to Fair Credit Reporting Act liability. Employers should revisit their social-media policies to make sure they are not already running afoul of this rapidly evolving list of pitfalls.

Information security and compliance
Here are a few examples of the potential impact of BYOD on security and compliance:

  • Device loss or theft could result in a security breach that must be reported to regulators and affected individuals if personal information is involved and potentially to business partners if confidential information is involved. Loss of access credentials can jeopardize enterprise security.
  • Almost three-quarters of Americans report they have no malware protection on their mobile devices. You can almost hear data slithering off the devices.
  • Access controls are nonexistent or may be purposely defeated by employees who share their devices with their households.
  • Transmission security will be ad hoc or nonexistent if not provided by the enterprise. For health-care companies, financial institutions and other highly regulated industries, compliance challenges arise, such as encryption, access controls, authentication and password management.

Most of these controls are required even for less regulated industries, especially given the increased risks posed by BYOD.

Privacy concerns
Like it or not, employees have some privacy rights not impacted by your dusty old electronic-communications policy that undoubtedly warns they have no expectation of privacy when using your equipment. Although you can revise the scope for BYOD, your employee owns the device and is clearly entitled to make personal use of it. Similarly, that device essentially tracks their whereabouts 24/7 and reflects all manner of activities, such as websites visited, items purchased, books read, games played, photos taken, apps used and calls and messages sent and received. Your business needs to decide the extent to which it needs to know such information and plan accordingly.

e-Discovery and departing employees
Inevitably, if employees store work-related information locally, device retrieval may be necessary in legal discovery or when an employee leaves the company. For litigation, strict protocols providing for immediate preservation before employees modify or delete files are crucial. BYOD will add expense and delay to discovery and to the employee-departure process.

Get back in control
Having considered a variety of issues raised by an increasingly mobile workforce, let’s consider solutions that will put you back in control.

Security framework
Perhaps the greatest perils posed by BYOD are the security risks. There are several options to mitigate those risks, but some are better than others.

  • Good – device-level security. At minimum, require device-level security such as strong passwords, up-to-date malware protection, encryption, time-outs following inactivity and remote-wiping capabilities.
  • Better – mobile-device management. MDM essentially provides employees with a secure tether to the office from which they access resources remotely using an application on the device. MDM solutions improve upon simple reliance on device-level security by minimizing the risk of data loss and preserving data integrity and access control with containerized solutions.
  • Best – virtual-desktop infrastructure. With VDI, applications and data are stored centrally, unlike MDM where some data and apps live locally on the device. Maintaining secure access credentials and effective user authentication are paramount, but the device itself contains no work-related data to be lost or breached.

To determine which approach or mix of approaches is best, consider inventorying your business units, their activities and their use or proposed use of mobile devices. Units that need regular access to sensitive business or personal information and travel or work from home may warrant a more cautious approach.

Policy document
No matter how you address security, a written policy is needed to establish privacy boundaries and set security expectations. You also should review existing security policies to ensure you have not set contradictory requirements. Your social-media policy likely also deserves an update once BYOD is in place. Training and reminders are useful to help employees remember the requirements and risk and will help your organization establish legal compliance.

Terms of use
When your organization does not own user devices, strong and effective terms of use are necessary to preserve your rights. Key terms include the employee’s agreement to adhere to security requirements, immediately report potential breaches, submit to compliance audits and allow the employer to wipe the device without prior notice if the device poses a security threat to the organization.

These suggestions only temper the risks posed by BYOD. Ensuring that your organization is prepared to deal with worst-case scenarios, particularly security breaches, is still necessary. With careful planning and implementation, the gains inherent in BYOD should outweigh the risks.

Elizabeth Johnson’s practice in the Raleigh office of Poyner Spruill focuses on privacy, information security and records management. Her comprehensive, practical approach to privacy law is reflected by the diversity of her clients, which hail from a variety of industries including health care, financial services, insurance, retail, telecommunications, utility, technology, consumer goods and client services. She received her law degree from Duke University.

FBI warns travelers to beware attacks via hotel Wi-Fi

Posted on 10, May | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

In today’s economic environment, all companies are looking for opportunities to increase their customer base and grow their market share. Technology and the effective use of technology are critical to all businesses, from the small “mom & pop” to the large Fortune 100 firm doing business around the globe. As Americans we love technology and can’t get enough of it.

What is your business doing to protect the technology that contains the intellectual property that is your economic advantage?

We love the flexibility, ease of use, and ability to stay connected 24/7, but do we understand the trade-off? Security of your company’s economic advantage relies on awareness, training, policies and procedures, and physical security measures. Too often companies learn the hard way that electronic security alone does not protect their valuable assets. Do not wait until it is too late; protect your critical assets with awareness campaigns, training, policies and procedures, and physical security. What do you have to lose?

In addition to the article below, the Defense Security Service, a DoD agency, has developed a brochure that focuses on the vulnerabilities of Foreign Travel.


FBI warns travelers to beware attacks via hotel Wi-Fi
By Stewart Mitchell

Hackers are targeting foreigners’ laptops using hotel Wi-Fi, the Internet Crime Complaint Centre and FBI have warned.

According to an intelligence note from IC3, the malware is spread via pop-up windows during login, with the code download disguised as a legitimate software update.

“Analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while establishing an internet connection in their hotel rooms,” the IC3 said.

“In these instances … the pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available. If the user clicked to accept and install the update, malicious software was installed on the laptop.”

The officials didn’t explain what the malware actually did, but the FBI warned that anyone travelling overseas, and particularly on governmental or private-sector business, should take extra care when abroad and plan a pre-departure update schedule.

“Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack,” the note said.

“The FBI also recommends that travelers perform software updates on laptops immediately before travelling, and that they download software updates directly from the software vendor’s website if updates are necessary while abroad.”

Digital Message Resonance and Its Impact on Economic Advantage

Posted on 25, Apr | Posted by Christine L. Peterson, CPP, ISP

Using Social Media Monitoring and Analytics to Protect Human Capital, Company Property, and Your Brand

Social Media is a relatively new term that has become ingrained in our consciousness and language, but do you know what it means or encompasses? If you answered no, then you are in the majority. Everyone talks about Social Media, but few really understand it. Here is what Wikipedia, itself a social media site, has to offer us on the subject:

Definition: Social media includes web-based and mobile technologies used to turn communication into interactive dialogue. Andreas Kaplan and Michael Haenlein define social media as “a group of Internet-based applications that build on the ideological and technological foundations of Web 2.0, and that allow the creation and exchange of user-generated content.” (Source: Wikipedia)

As the Wikipedia authors explain, social media interaction is not just conversation: it is the “super-set” of social dialogue. Social media is not news – it is a data set that describes public consciousness. “Enabled by ubiquitously accessible and scalable communication techniques, social media has substantially changed the way organizations, communities, and individuals communicate.” (Source: Wikipedia)

The Forms of Social Media

As the experts have outlined the subject, social media technologies take on many different forms including magazines, Internet forums, weblogs, social blogs, microblogging, wikis, podcasts, photographs or pictures, video, rating and social bookmarking. By applying a set of theories in the field of media research (social presence, media richness) and social processes (self-presentation, self-disclosure) Kaplan and Haenlein created a classification scheme for different social media types in their Business Horizons article published in 2010. According to Kaplan and Haenlein there are six different types of social media: collaborative projects (e.g., Wikipedia), blogs and microblogs (e.g., Twitter), content communities (e.g., YouTube), social networking sites (e.g., Facebook), virtual game worlds (e.g., World of Warcraft), and virtual social worlds (e.g. Second Life). Technologies include blogs, picture-sharing, vlogs, wall-postings, email, instant messaging, music-sharing, crowdsourcing and voice over IP, to name a few. Many of these social media services can be integrated via social network aggregation platforms.

What Does Social Media Mean To You?

Social media has changed and continues to change the world as we know it. Is that true? Let’s consider the facts:

| Service | Users or members | Content, data, or usage |
|---|---|---|
| Facebook | 845 million active users | 50% log in on any given day |
| Twitter | 140 million users; 460,000 join daily | 340 million tweets daily |
| LinkedIn® | 150 million registered users | Roughly 2 new members every second |
| YouTube™ | 800 million unique users per month | Over 4 billion videos are viewed a day |
| Flickr® | 51 million registered members | More than 6 billion images |
| Google+™ | 25 million users | About 1 million visits per week |
| Wikipedia® | 16 million users, 300,000 editors | Hosts 19 million articles |

Data current as of April 2012.

Including the thousands of other chat rooms, blogs, forums, newsgroups, and user groups, there are millions of additional social media users around the world. The people who are utilizing social media are your employees, customers, competitors, family, friends, activist groups, governments, and others. This technology is so powerful that it is used for everything from keeping in touch with friends to starting revolutions.

In this white paper we will discuss the state-of-the-art technology and tools that monitor social media for business intelligence purposes, including but not limited to the identification and monitoring of threats to the business and its personnel. Some organizations have already begun to harness the power of this technology in an attempt to exploit a market that is more often than not misunderstood.

While Google Alerts™, Google Web Search™, and low-level social media monitoring tools are of some use as a research aid in risk management, the most professional tools in this area are highly advanced and focus on analyzing information in near real-time from sources on the web.

Why are you in business?

As a business manager or owner, your business exists today because your customers’ expectations are in alignment with the value proposition or economic advantage that they expect to receive as part of the transaction with your firm. What is your value proposition or economic advantage?

  • Proprietary information (secret sauce)
  • Intellectual property
  • Customer/project information
  • Plans and specifications (marketing, R&D, financials)
  • Logistics
  • Human capital, “talent and experience”
  • Brand and reputation
  • Partners and suppliers
  • Physical assets

We know that businesses are leaking economic advantage every day through elicitation and social engineering, the exploitation of cyber vulnerabilities, and internal and external theft and sabotage. Traditionally, leakage has been in the form of a verbal, written, or e-mail disclosure which can and does wreak havoc for businesses every day. The new paradigm of leakage uses social media to communicate a message to an exponentially larger audience at the touch of a button. This is digital message resonance – or the ability of a message to continue propagating or resonating across the Internet and social media sphere long after the initial message was sent. Leakage in the traditional sense can have devastating effects, but it moves slower and is easier to track and contain. In the new era of digital message resonance, a single message can be transmitted to literally millions of people around the globe in a matter of seconds or minutes.

[Figure: Traditional Model of Leakage vs. New Paradigm of Leakage]

As a security, HR, marketing, management, or finance professional, you may believe that a comprehensive security and compliance program utilizing traditional methods of perimeter control, access control, lighting, casual surveillance, security communications, identification, accountability, and training should apply to this new threat. To that, we would also agree – to a point. The traditional tools are critical to the protection of economic advantage and company assets. We would also assert that the world has changed. There are additional security threats and tools to mitigate those threats, but they are cutting-edge and have to remain dynamic. Can your business afford to take a “wait and see” position with respect to social media?

Beyond Monitoring: The Next Step

Social Media Business Intelligence, as applied to business groups, refers to the tools and practices used by organizations to aggregate social media data, gathered via social media monitoring tools and social analytics engines, with existing data and to integrate it with systems of record and real-time analytics engines. The results are actionable insights that provide businesses with new information on their customers, products, competitors, employees, and even their marketing campaigns that can be used to protect assets and economic advantage while improving the value proposition offered to customers and potential customers. Using this information to proactively predict and anticipate customers’ needs while protecting assets in near “real time” is the value of Social Media Business Intelligence.

The RMA solution allows you to scour the web for mentions of your company and effectively analyzes, processes, and stores this data so it can be integrated with existing business processes. It enables businesses to harness the power of social media to support corporate compliance, current threat intelligence, operational security, and event security. At the same time, this information will assist management across departments and divisions to better understand their “value add” proposition with their customers, employees, vendors, and community as it relates to their economic advantage.

The RMA solution uses social media business intelligence software to monitor what people are saying about your business in social media, primarily for the purpose of anticipating and mitigating security threats before they occur and for responding to security related issues effectively and efficiently to minimize losses and maximize productivity. At the same time, it can also be used to monitor what people are saying about your brand, industry, and competition.

The RMA solution uses intelligence gathering software that computes dozens of dimensions including sentiment, passion, volume, and much more. It provides access to business intelligence that will allow you to lead – not follow – the conversation and fix those small issues before they grow into big problems.

Summary

Social media and web-based analytics provide powerful tools to conduct 24/7 monitoring of existing and emerging threats for Risk Management Associates, Inc. clients.

The RMA solution provides “cutting-edge” scalable technology and analytics. Technology cannot replace training and experience, but it does create an effective method of gathering pertinent information quickly that can be validated and/or discounted effectively.

Your business can then harness the power of social media to manage corporate compliance, current threat intelligence, operational security, and event security.

Data gathered can be communicated for application across departments and divisions. The RMA solution provides current intelligence that has applicability in multiple departments and divisions within the organization. This provides a better understanding of the “value add” proposition with customers, employees, vendors, and the community as it relates to economic advantage.

The RMA solution uses intelligence gathering software that provides clients with an additional tool to protect and demonstrate compliance in this age of digital resonance. Economic advantage, like reputation, is elusive and, once lost, very difficult to reclaim. The RMA solution provides an additional tool and layer of security. It provides access to current business intelligence that allows leaders to lead – not follow – the conversation, fix those small issues before they grow into big problems, and preserve evidence that has a short life span.

Risk Management Associates, Inc. utilizes the best technology and the best practices in web-based and social media monitoring, analysis and business intelligence. We look forward to answering any questions you may have about the topics presented in this paper or other security issues that are important to you.

Fake Caller ID Attacks on The Rise

Posted on 23, Mar | Posted by Tasha D. Dyson

These kinds of phony calls have existed for years, but the sophistication has increased to combat our increased vigilance. Use the same cautions that you would use when opening an email that appears to be from your bank or other institution. When you receive a call or email from your bank, the safest course of action is to initiate the contact with the bank yourself. If a caller claims to be from your bank, do not provide account information or identifying information. Instead, thank the caller, hang up, and call the bank directly. Do not rely on a number provided to you by the original caller, as this could be false information. If you need the number, most banks print a customer service number on debit and credit cards, and all banks list contact information on their website. Use those sources to initiate contact with the bank to determine if there is actually a problem.


Fake Caller ID Attacks on The Rise
“Vishing” attacks increased by 52 percent in the second half of last year
By Kelly Jackson Higgins

What if your caller ID showed an incoming call from your bank, but it was really from criminals posing as your bank? That’s what’s happening en masse, with a major surge in voice-call phishing, or vishing, attacks in the second half of 2011.

A new report from enterprise anti-phone fraud firm Pindrop Security found a 52 percent increase in vishing attacks in the U.S. between July and December 2011. There were 124,258 phony calls reported by banks in July, and some 189,439 in December, according to the report.

The numbers even surprised Pindrop, which had caught wind of such incidents from its enterprise customers. “The sheer breadth of these phishing incidents surprised us, and volume was increasing rapidly. We had an indication that a significant number of incidents was happening, but we didn’t realize how quickly it was progressing” until we actually measured it, says Vijay Balasubramaniyan, founder and CEO of Pindrop Security.

According to the report, the top five U.S. banks were all targeted by vishers, and 30 of the top 50 banks as well. The attackers’ weapon of choice: voice-over-IP, which accounted for 57.6 percent of the phone fraud attacks, followed by landline phones, 37.4, and then mobile, 5 percent.

The proliferation of VoIP has contributed to the rise in phone fraud, Balasubramaniyan says, as has the increased security of online banking systems. “Attackers move to the weakest link,” which is posing as a bank and asking the caller to provide his banking information over the phone, he says.

Attackers basically automate scripts to dial multiple people and, like any mass phisher, cast a wide net that ultimately catches a few unsuspecting customers of the bank they have spoofed. The attackers can download CallerID software that allows them to show whatever phone number they want to, Balasubramaniyan says.

“They are targeting both consumers and businesses. The end goal is to steal money — get identity information and then convert it to cash,” he says.

Among the top cities for vishing attacks between July and December 2011 were New York (22,500 incidents), Washington, D.C. (21,000 incidents), Phoenix (19,500 incidents), Portland, Ore. (18,500 incidents), and Seattle (18,000 incidents). Los Angeles, Atlanta, Chicago, Houston, and Kent, Wash., round out the top 10 cities prone to vishing.

How do they select their targets? It’s actually quite simple: They start with the area code and exchange for a particular region and blanket-dial a group of numbers, Balasubramaniyan says. “They do blanket calling and hope you are a bank’s customer.”

While most of these attacks ask victims to provide their credit card or other account information, others use actual credit card codes to dupe customers. They may use the digits that a specific bank uses for its credit cards as a lure, saying, for instance, “your credit card starting with the numbers 123.”

“Then they could see who’s falling for it, and that will start leading them to which areas bank with which banks more, and they can start spear-phishing customers,” Balasubramaniyan says.

So who’s behind these attacks? Pindrop says these are large criminal gangs. The company’s honeypot has collected around 300,000 phone numbers used by attackers, and one of the biggest gangs operates with 4,000 different phone numbers.

Even so, vishing is still nowhere near as widespread as phishing. “I would say give it time,” Balasubramaniyan says.


FedEx Settles Charges of Causing, Aiding and Abetting Unlicensed Exports

Posted on 2, Mar | Posted by Christine L. Peterson, CPP, ISP

In 2010, Michael R. Epperly, Esq., who heads RMA’s Corporate Compliance consulting arm, wrote an insightful article that addressed the corporate compliance challenges that American companies face in the global marketplace. Through his experience as legal counsel, investigator, and consultant, he is acutely aware of the importance of a solid corporate compliance program to an organization and the penalties that can result from not having an effective program. In today’s business environment, your company’s corporate compliance program also needs to include vendors and partners.

To read Mike’s original article, go to Corporate Compliance & Ethics.


FedEx Settles Charges of Causing, Aiding and Abetting Unlicensed Exports

WASHINGTON – The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) announced today that FedEx Express (FedEx), Memphis, TN, has agreed to pay a $370,000 civil penalty to settle allegations that it committed six violations of the Export Administration Regulations (EAR) relating to FedEx’s provision of freight forwarding services to exporters.

BIS alleged that on two occasions in 2006, FedEx caused, aided and abetted acts prohibited by the regulations when it facilitated the attempted unlicensed export of electronic components from the United States to Mayrow in Dubai, United Arab Emirates. The exports to Mayrow were thwarted when delivery was halted at BIS’s direction. On June 5, 2006, BIS had issued a General Order imposing a license requirement with a presumption of denial for the export or reexport of any item subject to the EAR to Mayrow General Trading and related entities. The General Order was issued based on information that Mayrow and the related entities were acquiring electronic components and devices that were being used in Improvised Explosive Devices deployed against Coalition forces in Iraq and Afghanistan.

BIS also alleged that in December 2005, FedEx caused, aided and abetted acts prohibited by the regulations when it facilitated the unlicensed export of flight simulation software to Beijing University of Aeronautics and Astronautics, a/k/a Beihang University, an organization listed on the U.S. Department of Commerce’s Entity List and located in the People’s Republic of China. The Commerce Department’s Entity List contains a list of names of foreign persons – including businesses, research institutions, government and private organizations, and individuals – that have been determined through an interagency review process to have engaged in activities contrary to U.S. national security and/or foreign policy interests. These persons are restricted from receiving items subject to U.S. jurisdiction.

Lastly, BIS alleged that on three occasions in 2004, FedEx caused, aided and abetted acts prohibited by the regulations when it facilitated the unlicensed export of printer components from the United States to end users in Syria. Facilitating the export of commodities to Syria without the required U.S. Department of Commerce export license was prohibited under General Order No. 2 as set forth in Supplement 1 to part 736 of the EAR.

The Commerce Department Assistant Secretary for Export Enforcement David W. Mills said, “It is vital that every stakeholder in the U.S. exporting chain remain vigilant in its efforts to prevent prohibited transactions that may be detrimental to our national security, and each will be held accountable if it fails to do so.”
