Tech Law Journal Daily E-Mail Alert
March 24, 2011, Alert No. 2,208.
Comodo Reports Hacking Activity By Iran

3/24. Comodo released a document titled "Report of incident on 15-MAR-2011". It describes a thwarted cyber attack involving the fraudulent issuance of digital certificates for domains held by Google, Yahoo, Skype, and others. Comodo concludes that Iran was behind the attack.

Comodo is an internet security company that sells digital certificates. That is, it is a certificate authority, also known as certification authority, or CA. Its founder and CEO is Melih Abdulhayoglu.

Comodo disclosed that it issued, but promptly revoked, nine certificates for domains to some person or entity which Comodo believes to be in Iran. This person or entity does not represent the holders of these domains.

Here is the gist of the scheme. For online purchases, and any online transactions that involve financial, account, or other confidential information, web users need to know that the web site with which they are dealing is in fact the web site that they understand it to be, and not a fraudulent imposter web site. Web users rely upon trusted third party CAs that issue certificates that enable their web browsers to ascertain that the web site is what it purports to be. The system is based upon public key cryptography. The system fails, however, if the operator of an imposter web site can obtain certificates for the real web sites. This is what occurred in the present matter.

For more technical explanations, see Wikipedia entries for Certificate Authority (CA), Public Key Certificate, and Online Certificate Status Protocol (OCSP).

Comodo stated that "The attacker was well prepared and knew in advance what he was to try to achieve. He seemed to have a list of targets that he knew he wanted to obtain certificates for, was able quickly to generate the CSRs for these certificates and submit the orders to our system so that the certificates would be produced and made available to him." (CSR is certificate signing request.)

Comodo continued that "We know that they definitely received one of the certificates. All certificates were revoked immediately on discovery. Our systems indicate that when this one certificate was first tested it received a 'revoked' response from our OCSP responders."

Comodo offered this conclusion: "The circumstantial evidence suggests that the attack originated in Iran. The perpetrator has focussed simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might). The perpetrator can only make use of these certificates if it had control of the DNS infrastructure. The perpetrator has executed its attacks with clinical accuracy. The Iranian government has recently attacked other encrypted methods of communication. All of the above leads us to one conclusion only: -- that this was likely to be a state-driven attack." (Parentheses in original.)
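The following added example is not part of this alert or of Comodo's report. It shows, in Go's standard crypto/x509 package, the three checks a relying party must make before trusting a certificate: a chain to a trusted root, a match on the host name, and a consultation of revocation data signed by the issuer. A certificate mis-issued to an imposter passes the first two; only the third catches it, which is why Comodo's prompt revocation mattered. It assumes one constructed demo CA (demo-root-ca), a constructed host name (login.example.com), and a CRL standing in for the OCSP "revoked" answer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a server certificate for host signed by parent, or a self-signed
// root CA when parent is nil. Assumption: one-level CA, Ed25519 keys, no intermediates.
func makeCert(serial int64, host string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil { // root: CA flags, may sign certificates and CRLs, signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) } // inputs are constructed; a failure here is a bug in the demo
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// crlFor returns the CA-signed revocation list naming the given serials (none = nothing revoked); it stands in for the "good"/"revoked" answers of Comodo's OCSP responders.
func crlFor(ca *x509.Certificate, caKey ed25519.PrivateKey, revoked ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil { panic(err) }
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// accept is the relying party's check: chain to a trusted root, match the host name, then consult issuer-signed revocation data.
func accept(leaf, root *x509.Certificate, host string, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil { // forged or tampered revocation data
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %v revoked by issuer", leaf.SerialNumber)
		}
	}
	return nil
}

func main() {
	ca, caKey := makeCert(1, "demo-root-ca", nil, nil)
	leaf, _ := makeCert(2, "login.example.com", ca, caKey) // constructed: issued to a party not holding the domain
	fmt.Println("before revocation:", accept(leaf, ca, "login.example.com", crlFor(ca, caKey)))
	fmt.Println("after revocation:", accept(leaf, ca, "login.example.com", crlFor(ca, caKey, 2)))
}
```

Before revocation the mis-issued certificate is accepted, because chain and name checks cannot tell a properly requested certificate from a fraudulently requested one; after the CA publishes the revocation it is rejected, and revocation data signed by any other key is ignored.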

Schapiro Addresses Hacking Threat to Automated Securities Trading

3/23. Mary Schapiro, Chairman of the Securities and Exchange Commission (SEC), gave a speech in which she addressed, among other things, automated trading technology, the flash crash of May 6, 2010, and hackers.

She said that one source of risk is "systems and technology that may break down when volume surges, or which may be vulnerable to intrusion from outside."

Schapiro also said that "with risks including algorithm-generated volume surges and malevolent hackers still very much with us, I believe the SEC should consider making ARP compliance mandatory." (ARP is automation review policy.)

She added that "Such a regulation would require market participants to meet adequate standards for the capacity, resiliency, and security of their automated systems. These rules could apply to exchanges, alternative trading systems handling appreciable volume, clearing agencies, depositories and securities information processors."

House Subcommittee Holds Hearing on Cyber Security

3/16. The House Homeland Security Committee's (HHSC) Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies held a hearing titled "Examining the Cyber Threat to Critical Infrastructure and the American Economy".

Rep. Dan Lungren (R-CA), Chairman of the Subcommittee, stated that "most of these attacks are motivated by financial or intellectual property theft, disruption of commerce, or intelligence collection". He also referenced attacks by and on governments. He also said that last year "Google and twenty other major companies were the targets of highly sophisticated attack to steal their intellectual property and user accounts. This attack allegedly emanated from China."

Philip Reitinger, Deputy Under Secretary for the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD), wrote in his prepared testimony [PDF] that "We currently cannot be certain that our information infrastructure will remain accessible and reliable during a time of crisis. We face persistent, unauthorized, and often unattributed intrusions into Federal Executive Branch civilian networks. These intruders span a spectrum of malicious actors, including nation states, terrorist networks, organized criminal groups, or individuals located here in the United States."

See also, prepared testimony [PDF] of Greg Wilshusen (GAO), prepared testimony [PDF] of James Lewis (Center for Strategic and International Studies), prepared testimony [PDF] of Phyllis Schneck (McAfee), and prepared testimony [PDF] of Mischel Kwon.

SEC Charges IBM with Violation of FCPA in Korea and PRC

3/18. The Securities and Exchange Commission (SEC) filed and settled a civil complaint [PDF] in the U.S. District Court (DC) against IBM alleging violation of the Foreign Corrupt Practices Act (FCPA) in connection with payments by IBM subsidiaries to government officials in Korea and the People's Republic of China (PRC) to secure the sale of IBM products.

The complaint alleges that "IBM lacked sufficient internal controls designed to prevent or detect these violations of the FCPA". It further alleges that "IBM failed to make and keep books and records that accurately reflected the improper payments made in South Korea and China. Instead, these payments were recorded as legitimate business expenses."

15 U.S.C. § 78m provides, in part, in subsection (b)(2), that "Every issuer which has a class of securities registered pursuant to section 78l of this title and every issuer which is required to file reports pursuant to section 78o(d) of this title shall -- (A) make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer; (B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that ... transactions are executed in accordance with management’s general or specific authorization ..."

Simultaneously, IBM consented to the entry of judgment, under which it is enjoined from violating the FCPA, and required to pay a fine (nominally disgorgement, interest, and civil penalty) of $10 Million. IBM admitted no wrongdoing. See, SEC release.

This case is SEC v. International Business Machines Corporation, U.S. District Court for the District of Columbia, D.C. No. 1:11-cv-00563, Judge Richard Leon presiding.

More News

3/23. Ben Bernanke, Chairman of the Federal Reserve Board (FRB), gave a speech in San Diego, California, about community banking. He said that "The IBM computer program Watson may play a mean game of Jeopardy, but I would not trust it to judge the creditworthiness of a fledgling local business or to build longstanding personal relationships with customers and borrowers."

3/17. The Government Accountability Office (GAO) released a report [19 pages in PDF] titled "Information Technology: Investment Oversight and Management Have Improved but Continued Attention Is Needed".

About Tech Law Journal

Tech Law Journal publishes a free access web site and a subscription e-mail alert. The basic rate for a subscription to the TLJ Daily E-Mail Alert is $250 per year for a single recipient. There are discounts for subscribers with multiple recipients.

Free one month trial subscriptions are available. Also, free subscriptions are available for federal elected officials, and employees of the Congress, courts, and executive branch. The TLJ web site is free access. However, copies of the TLJ Daily E-Mail Alert are not published in the web site until two months after writing.

For information about subscriptions, see subscription information page.

Tech Law Journal now accepts credit card payments. See, TLJ credit card payments page.

TLJ is published by David Carney
Contact: 202-364-8882.
carney at techlawjournal dot com
P.O. Box 4851, Washington DC, 20008.

Copyright 1998-2011 David Carney. All rights reserved.

Washington Tech Calendar
Thursday, March 24

The House will be in recess Monday, March 21 through Friday, March 25. It will next meet on Tuesday, March 29.

The Senate will be in recess Monday, March 21, through Friday, March 25. It will next meet at 2:00 PM on Monday, March 28.

12:00 NOON. The Cato Institute will host a panel discussion titled "Beyond Exports: A Better Case for Free Trade". The speakers will be Daniel Ikenson (Cato), Scott Lincicome (White & Case), Donald Boudreaux (George Mason University), Brandon Arnold (Cato). See, notice and registration page. This event is free and open to the public. Lunch will be served. Location: Room B-369, Rayburn Building.

Friday, March 25

Supreme Court conference day (discussion of argued cases, and decision on cert petitions). Closed.

Saturday, March 26

12:00 NOON - 6:00 PM. The Federal Communications Bar Association's (FCBA) Young Lawyers Committee will host an event titled "Wine Tasting Adventure". For more information, contact Justin Faulb at Faulb at Lojlaw dot com or Mark Brennan at Mark dot Brennan at hoganlovells dot com.

Monday, March 28

The House will not meet.

The Senate will return from its March recess. At 2:00 PM it will resume consideration of S 493 [LOC | WW], the "SBIR/STTR Reauthorization Act of 2011".

8:00 AM - 5:30 PM. Day one of a two day meeting of the National Science Foundation's (NSF) National Science Board's (NSB) Task Force on Data Policies. The agenda for this meeting includes discussion of "Data-Intensive Science" and "High Performance Cyberinfrastructure". See, notice in the Federal Register, March 21, 2011, Vol. 76, No. 54, at Pages 15349-15350. Location: NSF, 4201 Wilson Blvd., Room 1235, Arlington, VA.

Deadline to submit reply comments to the Federal Communications Commission (FCC) in response to its Notice of Inquiry (NOI) [31 pages in PDF] regarding how dynamic access radios and techniques can provide more intensive and efficient use of spectrum. The FCC adopted and released this NOI on November 30, 2010. It is FCC 10-198 in ET Docket No. 10-237. See, notice in the Federal Register, December 28, 2010, Vol. 75, No. 248, at Pages 81558-81559. See also, story titled "FCC Adopts NPRM and NOI on Spectrum Innovation" in TLJ Daily E-Mail Alert No. 2,168, December 4, 2010.

Deadline to submit initial comments to the Federal Communications Commission (FCC) in response to its Notice of Proposed Rulemaking (NPRM) regarding extending to June 30, 2012, the current freeze of jurisdictional separations category relationships and cost allocation factors. This NPRM is FCC 11-34 in CC Docket No. 80-286. The FCC adopted and released it on March 1, 2011. See, Federal Register, March 14, 2011, Vol. 76, No. 49, at Pages 13576-13579.

Tuesday, March 29

The House will return from its March recess.

8:30 AM - 12:30 PM. Day one of a two day meeting of the National Science Foundation's (NSF) National Science Board's (NSB) Task Force on Data Policies. The agenda for this meeting includes discussion of "Data-Intensive Science" and "High Performance Cyberinfrastructure". See, notice in the Federal Register, March 21, 2011, Vol. 76, No. 54, at Pages 15349-15350. Location: NSF, 4201 Wilson Blvd., Room 1235, Arlington, VA.

2:00 - 3:30 PM. The Department of Justice's (DOJ) Antitrust Division will host a presentation titled "Coordinated Effects in the 2010 Horizontal Merger Guidelines". The speaker will be Bob Marshall (Penn State) co-author of a paper [PDF] with the same title. For more information, contact Thomas Jeitschko at 202-532-4826 or atr dot eag at usdoj dot gov. Location: Liberty Square Building, 450 5th St., NW.

4:00 - 6:30 PM. The House Intelligence Committee (HIC) will hold a closed hearing. Location: Room HVC-304, House Visitor Center.

The Federal Communications Commission (FCC) will commence Auction 91, regarding certain FM Broadcast Construction Permits. See, September 21, 2010, FCC Public Notice (DA 10-1711 in AU Docket No. 10-183) and notice in the Federal Register, October 6, 2010, Vol. 75, No. 193, at Pages 61752-61756.

Deadline to submit comments to the Copyright Office (CO) in response to its Request for Information regarding commercial television broadcast stations that qualify as specialty stations. See, notice in the Federal Register, January 28, 2011, Vol. 76, No. 19, at Pages 5213-5214.

Wednesday, March 30

10:00 AM. The Senate Judiciary Committee (SJC) will hold a hearing titled "Oversight of the Federal Bureau of Investigation". The witness will be Robert Mueller (FBI Director). The SJC will webcast this event. See, notice. Location: Room 226, Dirksen Building.

12:30 - 2:00 PM. The DC Bar Association will host a lunch. The speaker will be Austin Schlick, General Counsel of the Federal Communications Commission (FCC). This event is closed to reporters. See, notice. The price to attend ranges from free to $209. For more information, call 202-626-3463. Location: DC Bar Conference Center, 1101 K St., NW.

1:00 - 4:00 PM. The Federal Communications Commission's (FCC) Technological Advisory Council will meet. See, notice in the Federal Register, March 15, 2011, Vol. 76, No. 50, at Pages 14009-14010. Location: FCC, Commission Meeting Room, 445 12th St., SW.

2:00 PM. The House Appropriations Committee's (HAC) Subcommittee on Financial Services and General Government will hold a hearing on the Federal Communications Commission (FCC) FY 2012 budget request. The witness will be Julius Genachowski, FCC Chairman. See, HAC schedule for week of March 28. Location: Room 2359, Rayburn Building.

2:00 PM. The House Appropriations Committee's (HAC) Subcommittee on Homeland Security will hold a hearing on the Department of Homeland Security (DHS) science and technology FY 2012 budget request. The witness will be Tara O'Toole, Under Secretary for Science & Technology. See, HAC schedule for week of March 28. Location: Room 2362-A, Rayburn Building.

2:00 PM. The Senate Judiciary Committee (SJC) will hold a hearing titled "Nominations". The SJC will webcast this event. See, notice. Location: Room 226, Dirksen Building.

2:00 PM. The USTelecom will host a webcast panel discussion titled "FCC Insight on USF and Intercarrier Compensation Reform". The speakers will be Rebekah Goodheart (FCC), Carol Mattey (FCC), and Jon Banks (USTelecom). See also, FCC NPRM [289 pages in PDF] adopted on February 8, 2011. It is FCC 11-13 in WC Docket No. 10-90, GN Docket No. 09-51, WC Docket No. 07-135, WC Docket No. 05-337, CC Docket No. 01-92, CC Docket No. 96-45, and WC Docket No. 03-109. Free. See, notice.

2:30 PM. The Federal Trade Commission's (FTC) Bureau of Competition will host a presentation titled "Bye, Bye, Miss American Pie? The Supply of New Recorded Music since Napster". The speaker will be Joel Waldfogel (University of Minnesota), author of a paper [PDF] with the same title. For more information, contact Loren Smith at lsmith2 at ftc dot gov or Tammy John at tjohn at ftc dot gov. Location: Room 8089, 1800 M Street Building.

6:00 - 8:15 PM. The Federal Communications Bar Association (FCBA) will host an event titled "Spectrum Valuation Issues in the Context of The FCC’s National Broadband Plan". The speakers will include Rebecca Hanson (FCC's Media Bureau). The price to attend ranges from $25 to $150. CLE credits. See, notice. Location: Covington & Burling, 1201 Pennsylvania Ave., NW.

Deadline to submit initial comments to the Federal Communications Commission (FCC) in response to its Notice of Proposed Rulemaking (NPRM) [71 pages in PDF] regarding changes to the Form 477 data program. The FCC adopted and released this NPRM on February 8, 2011. It is FCC 11-14 in WC Docket Nos. 07-38, 09-190, 10-132, 11-10. See, notice in the Federal Register, February 28, 2011, Vol. 76, No. 39, at Pages 10827-10852.

Thursday, March 31

10:00 AM. The Senate Judiciary Committee (SJC) will hold an executive business meeting. The agenda again includes consideration of Goodwin Liu (to be a Judge of the U.S. Court of Appeals for the 9th Circuit) and John McConnell (to be a Judge of the U.S. District Court for the District of Rhode Island). Both face substantial opposition. The agenda also includes consideration of Kevin Sharp (USDC/MDTenn), Roy Dalton (USDC/MDFl), Claire Cecchi (USDC/DNJ), and Esther Salas (USDC/DNJ). The agenda also includes consideration of S 410 [LOC | WW], the "Sunshine in the Courtroom Act". The SJC rarely follows its published agendas. The SJC will webcast this event. See, notice. Location: Room 226, Dirksen Building.

10:00 AM. The House Appropriations Committee's (HAC) Subcommittee on Commerce, Justice, Science, and Related Agencies will hold a hearing on the Office of Science and Technology Policy (OSTP) FY 2012 budget request. The witness will be John Holdren, OSTP Director. See, HAC schedule for week of March 28. Location: Room H-309, Capitol Building.

10:00 AM. The House Appropriations Committee's (HAC) Subcommittee on Homeland Security will hold a closed hearing on the Department of Homeland Security (DHS) cyber security and infrastructure protection FY 2012 budget request. The witnesses will be Rand Beers (Under Secretary of the National Protection & Programs Directorate) and Phil Reitinger (Deputy Under Secretary of National Protection & Programs Directorate). See, HAC schedule for week of March 28. Location: Room H-405, Capitol Building.

1:00 PM. The USTelecom will host a webcast panel discussion titled "Optical Network Edge". The speaker will be Kevin Morgan (Adtran). Free. See, notice.

Target date for the Office of the U.S. Trade Representative (OUSTR) to conclude its review of the operation, effectiveness, and implementation of and compliance with various telecommunications agreements, including the World Trade Organization (WTO) General Agreement on Trade in Services. See, notice in the Federal Register, November 18, 2010, Vol. 75, No. 222, at Pages 70770-70771.

Deadline to submit nominations to the U.S. Patent and Trademark Office (USPTO) for the award of the National Medal of Technology and Innovation (NMTI). See, notice in the Federal Register, December 30, 2010, Vol. 75, No. 250, at Page 82378.

Deadline to submit comments to the National Institute of Standards and Technology's (NIST) Computer Security Division (CSD) regarding its draft SP 800-131 C [12 pages in PDF] titled "Transitions: Validating the Transition from FIPS 186-2 to FIPS 186-3".

Deadline to submit comments to the National Institute of Standards and Technology's (NIST) Computer Security Division (CSD) regarding its draft SP 800-131 B [11 pages in PDF] titled "Transitions: Validation of Transitioning Cryptographic Algorithm and Key Lengths".

Deadline to submit comments to the Department of Commerce's (DOC) National Telecommunications and Information Administration (NTIA) in response to its Notice of Inquiry (NOI) regarding Internet Assigned Numbers Authority (IANA) functions. See, notice in the Federal Register, February 25, 2011, Vol. 76, No. 38, at Pages 10569-10571.

Deadline to submit comments to the Copyright Royalty Judges regarding the motion filed by the Broadcast Music, Inc. (BMI), American Society of Composers, Authors and Publishers (ASCAP), SESAC, and Harry Fox Agency (HFA) for partial distribution of the digital audio recording technology (DART) musical works funds for 2005 through 2008. See, notice in the Federal Register, March 1, 2011, Vol. 76, No. 40, at Pages 11287-11288.