Cyber Initiative Fosters Closer Ties with NATO Center of Excellence on Strategic Communications


Dr. Itamara Lochard took part in the inaugural event, “The Riga StratCom Dialogue: Perception Matters,” of the new NATO Center of Excellence (CoE) on Strategic Communications in Riga, Latvia. MIIS was the only civilian U.S. academic institution represented and is seeking to foster closer research ties. This center prioritizes the nexus of communications, conflict and cyber for both Alliance and Partnership for Peace countries. Participants included the NATO Cooperative Cyber Defence CoE in Estonia, three U.S. Senators, ambassadors and ministry officials, NATO and SHAPE staff as well as the president of Latvia. Presentations will be published in their new journal.

White House Eyes Sanctions for China Over Cyber-theft of Trade Secrets

The Washington Post’s Ellen Nakashima reports that under the direction of the Obama administration, US government officials are planning “a package of unprecedented economic sanctions against Chinese companies and individuals” who have profited from trade secrets stolen from US companies by Chinese government-sponsored hackers.

The talk of sanctions comes just weeks before the arrival of Chinese president Xi Jinping for a state visit, and it may just be talk—a final call on whether to impose sanctions will likely be made within the next two weeks, according to the Post’s unnamed administration sources. While the Justice Department announced indictments against members of China’s People’s Liberation Army for the electronic theft of trade secrets last year, the indictments were largely symbolic. The sanctions under discussion would likely include the seizure of economic assets of Chinese companies making use of what officials allege to be data stolen from US companies—and elevate tensions with China further as the governments continue to face off over other economic and military issues.

The sanctions will not, apparently, include action over the theft of US government employee data from the Office of Personnel Management. The administration’s concern is greater over economic espionage, including the theft of “everything from nuclear power plant designs to search engine source code,” Nakashima reported. The Federal Bureau of Investigation reported last month that the number of economic espionage cases being investigated had jumped by 53 percent in the last year—and most of that growth was attributed to China’s aggressive use of computer and network espionage against US companies.


FTC Can Sue Companies With Poor Information Security, Appeals Court Says

On Monday, a federal appeals court ruled that the Federal Trade Commission (FTC) has the power to take action against companies that employ poor IT security practices. The ruling, from the United States Court of Appeals for the Third Circuit, came as part of a lawsuit between the FTC and Wyndham Worldwide Corporation, which manages a collection of hotels throughout the US.

In 2008 and 2009, Wyndham suffered three different breaches of its network, ultimately losing payment card information for more than 619,000 customers and causing $10.6 million in loss due to fraud. The FTC sued Wyndham in 2012 for failing to protect its customers from hackers, and Wyndham countered by saying that it was a victim of the hack itself and should not be penalized by the FTC for the breach.

The Philadelphia-based appeals court allowed the FTC’s case against Wyndham to go forward in district court, and it noted that the FTC could use its authority to pursue “cybersecurity” cases under 15 U.S.C. Sec. 45, part of a 1914 law that gives the FTC the power to prohibit “unfair or deceptive acts or practices in or affecting commerce.” The court also noted that the FTC didn’t have to spell out the specific security practices that Wyndham fell short of to bring a case against the company. However, the FTC did that in this instance, claiming that Wyndham allowed its partner hotels to store credit card information in plain text, allowed easily guessable passwords in property management software, failed to use firewalls to limit access to the corporate network, and failed to restrict third-party vendors from access to its network, among other things.


NSA preps quantum-resistant algorithms to head off crypto-apocalypse

The National Security Agency is advising US agencies and businesses to prepare for a time in the not-too-distant future when the cryptography protecting virtually all e-mail, medical and financial records, and online transactions is rendered obsolete by quantum computing.

Quantum computers have capabilities that can lay to ruin all of the public-key cryptographic systems currently in use. These capabilities, which aren’t known to be present in the classical computers of today, include the ability to almost instantly find the prime factors of extremely large numbers, using a method called Shor’s algorithm. Quantum computing is also believed to be capable of tackling other mathematical problems classical computers can’t solve quickly, including computing discrete logarithms modulo primes and discrete logs over elliptic curves.

The difficulty of factoring and of computing discrete logs modulo primes and elliptic curve discrete logs plays an essential role in cryptographers’ confidence in RSA, elliptic curve cryptography, and other public-key crypto systems. Most scientists and cryptographers believe that, when implemented correctly, the crypto can’t be defeated with today’s computers before the end of the universe.


Feds Try to Force Former Sketchy Bitcoin Mining Firm Employee to Testify

Carlos Garza, a former employee of a now-collapsed Bitcoin mining company, must respond to a subpoena as part of an ongoing fraud investigation by the Securities and Exchange Commission, a federal judge in Massachusetts ruled on Tuesday.

The implosion of GAW Miners marks yet another example of incompetence and possible criminal behavior associated with a number of firms selling hardware to mine new bitcoins. Previously, CoinTerra, Butterfly Labs, and HashFast have also faced similar legal battles.

The SEC alleges millions of dollars in possible fraudulent sales by GAW Miners—the case could also expand to criminal charges.
