
Tag: Pakistan

Not for the first time, Microsoft’s fonts have caught out forgers

If you’re going to pretend a document is from 2006, you should use Times New Roman.

Hajime, the mysterious evolving botnet

Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks.
In this blogpost we outline some of the recent ‘improvements’ to Hajime, some techniques that haven’t been made public, and some statistics about infected IoT devices.

Dramatic new discoveries illuminate the lost Indus civilization

This urban society in South Asia survived a weather apocalypse 4,000 years ago.

Mozilla wants infosec activism to be the next green movement

Chief Mozillan calls for grass roots movement akin to 1960s' environmental awakenings

Mozilla has issued a prototype of its first internet health report in a bid to make humans give security and privacy the same level of attention they devote to climate change. The prototype report details rising breaches affecting healthcare and medical industries but largely serves as a pulpit from which the browser baron and enemy of surveillance can preach privacy.

Mozilla Foundation executive director Mark Surman explains, in a post dubbed "Calling all citizens of the internet", that the web has changed from a digital permaculture in the 1990s to a place where blind users wander about under the gaze of hackers and intelligence agencies.

"When I first fell in love with the internet in the mid-1990s, it was very much a commons that belonged to everyone: a place where anyone online could publish or make anything … it made me — and countless millions of others — very happy," Surman says. "Similarly, when I read about hackers turning millions of home webcams and video recorders into a botnet army, I wonder whether this precious public resource can remain safe, secure and dependable? Can it survive?

"We have started work on The Internet Health Report at Mozilla for exactly this reason."

Surman says environmentalists faced a similar problem in the 1960s as internet privacy and security advocates do today in that few people outside of specialist circles know of the dangers posed.

"They built a global movement that helped the public understand nerdy topics like the ozone layer and renewable energy, eventually changing laws and sparking a swath of industries committed to green business," he says.

The report reveals countries that lack comprehensive data protection laws, including the United States, African nations, China, and Pakistan. Secure site browsing has skyrocketed with half of all those on the internet using HTTPS, up 10 per cent in the last 12 months.
It cites a 2015 study revealing that millions of Facebook users do not realise the social network is on the internet in what it indicates as unhealthy digital literacy.

Terrorists are winning the digital arms race

Terrorist groups are embracing a huge number of digital tools to recruit members and plan attacks, putting them a step ahead of governments trying to combat them, a group of counterterrorism experts said. Twitter removed about 250,000 accounts connected with ISIS in one year, but the terrorist group uses 90 other social media platforms, Rob Wainwright, the director of Europol said Tuesday.

Terrorist groups have begun to live stream their attacks, and they are using the internet to launch “innovative crowdfunding” campaigns, he said at the World Economic Forum in Davos-Klosters, Switzerland. “The technology is advanced,” Wainwright added. “They know what to do, and they know how to use it.” It’s imperative that countries start working more closely together to combat terrorism and to develop an online counternarrative that dissuades potential members from joining groups like ISIS, said members of a panel on terrorism in the digital age. Governments need to trust each other more and be willing to share their terrorism intelligence, said Prince Turki bin Faisal Al Saud, former director of national intelligence in Saudi Arabia. “Terrorist is a cancer,” he said. “The terrorist cell uses these online methods to metastasize.” Raheel Sharif, former chief of staff for the Pakistani army, called for a combination of tough penalties for violent terrorists and deradicalization education efforts for others. Pakistan, in recent years, has cut the number of terrorist attacks in the country dramatically, he said. But Prince Turki emphasized the need for a stronger counternarrative, on the internet and in schools, churches, and mosques.

Tough penalties for terrorists need to avoid collateral damage to innocent people, he said.

Counterterrorism efforts cannot “eliminate the terrorist and create 10 others,” said Prince Turki, now chairman of the King Faisal Center for Research and Islamic Studies. Some panelists suggested that a culture of free speech online complicates efforts to fight terrorism.

The international community needs to find a balance between freedom of expression and safety, said Yemi Osinbajo, vice president of Nigeria. “Each person has a ... digital device, and it has tremendous power,” he said. “They don’t even require any formal agreements. [Anyone] can reach millions of people.” Europol’s Wainwright also seemed to suggest some limits on free speech. “We want to enjoy, we want to protect the freedom of the internet, but not to such an extent that there are absolutely no rules of governance,” he said. Panelists disagreed about the effectiveness of current online efforts to craft a counterterrorism message.

Efforts in the U.S. and elsewhere to counter online terrorism campaigns have been “singularly unsuccessful,” said Louise Richardson, vice chancellor at the University of Oxford. But Wainwright disagreed, saying some counternarrative efforts appear to have reduced the number of Europeans and U.S. residents joining ISIS.

But more efforts are needed to counter the “fake news” terrorist groups are putting out about themselves, he added.

If You Thought 2016 Was an IT Security Disaster, Just Wait...

NEWS ANALYSIS: Constant bad news about Russian hacking and the increasing prevalence of ransomware made 2016 an IT security disaster. However, 2017 promises to be even worse. As I'm writing the news is circulating that outgoing President Barack Obama ...

An update on all the legal cases we thought would be...

As a tumultuous 2016 draws to a close, one case distilled contemporary law enforcement, terrorism, encryption, and surveillance issues more than any other: the case popularly known as “FBI vs. Apple.” The ordeal began on February 16 when a federal judge in Riverside, California, ordered Apple to help the government unlock and decrypt the seized iPhone 5C used by Syed Rizwan Farook.

Farook had shot up an office party in a terrorist attack in nearby San Bernardino in December 2015. Specifically, United States Magistrate Judge Sheri Pym mandated that Apple provide the FBI a custom firmware file, known as an IPSW file, that would likely enable investigators to brute force the passcode lockout currently on the phone, which was running iOS 9.

This order was unprecedented. Apple refused, and the two sides battled it out in court filings and the court of public opinion for weeks. But the day before they were set to argue before the judge in Riverside, prosecutors called it off.

They announced that federal investigators had found some mysterious way to access the contents of Farook’s phone, but provided hardly any details.
In April 2016, Ars reported that the FBI paid at least $1.3 million for a way to access the phone.

But getting into the phone seems to have resulted in little, if any, meaningful benefits. The underlying legal issue remains unresolved.
In May 2016, FBI Director James Comey noted that the government would likely bring further legal challenges in the near future.

The law is clearly struggling to keep up with the current realities of encryption.

These issues impact not only national security cases, but also more run-of-the-mill crimes. In short, many of the most profound questions of our time have yet to be resolved.

These include: what measures can the government take in order to mitigate encryption? What tools can the government employ in order to conduct legitimate investigations? Can a person or a company be compelled to hand over a password or fingerprint to unlock a phone or create new software to achieve that end? In years past, Ars has tried to predict what privacy-related cases would reach the Supreme Court.

Given that our track record has been abysmal, we’re going to take a slightly different approach this year.

Today, we’ll update the five surveillance-related cases that we thought would become huge in 2016.

Tomorrow, we’ll expand our outlook to include other important legal cases still ongoing in 2017 that touch on important tech issues.

Not exactly an angel on top

Case: United States v. Mohamud
Status: 9th US Circuit Court of Appeals rejected appeal in December 2016

As with last year, we’ll begin with the story of a terrorism suspect who was convicted of attempting to blow up a Christmas tree lighting ceremony in Portland, Oregon, in 2010.

That case involved a Somali-American, Mohamed Osman Mohamud, who became a radicalized wannabe terrorist. Mohamud believed that he was corresponding with an Al-Qaeda sympathizer, and he was eventually introduced to another man who he believed was a weapons expert.

Both of those men were with the FBI. Mohamud thought it would be a good idea to target the ceremony on November 27, 2010. He was arrested possessing what he believed was a detonator, but it was, in fact, a dud. Earlier this month, the 9th US Circuit Court of Appeals rejected an effort to overturn Mohamed Osman Mohamud’s conviction on the grounds that the surveillance to initially identify the suspect did not require a warrant. Mohamud went to trial, was eventually found guilty, and was then sentenced to 30 years in prison. After the conviction, the government disclosed that it used surveillance under Section 702 of the FISA Amendments Act to collect and search Mohamud's e-mail.
Seeing this, Mohamud’s legal team attempted to re-open the case, but the 9th Circuit disagreed. As the 9th Circuit ruled: "The panel held that no warrant was required to intercept the overseas foreign national’s communications or to intercept a U.S. person’s communications incidentally." From here, Mohamud and his legal team could ask that the 9th Circuit re-hear the appeal with a full panel of judges (en banc), or they could appeal up to the Supreme Court.
If either court declines, the case is over, and the ruling stands.

Slowly turning wheels of justice

Case: United States v. Hasbajrami
Status: Appeal pending in 2nd US Circuit Court of Appeals

Similar to Mohamud, another notable terrorism case revolves around Section 702 surveillance.

As we reported at this time last year, Hasbajrami involves a United States person (citizen or legal resident) accused of attempting to provide support for terrorism-related activities.

According to the government, Agron Hasbajrami, an Albanian citizen and Brooklyn resident, traded e-mails with a Pakistan-based terror suspect back in 2011.

The terror suspect claimed to be involved in attacks against the US military in Afghanistan.

After he was apprehended, Hasbajrami pleaded guilty in 2013 to attempting to provide material support to terrorists. After he pleaded guilty, the government informed Hasbajrami that, like with Mohamud, it had used Section 702 surveillance against him, and the case was re-opened. Many cases that have tried to fight surveillance have fallen down for lack of standing. Hasbajrami’s case is different, however, because he can definitively prove that he was spied upon by the government. As his case neared trial in mid-2015, Hasbajrami pleaded guilty a second time.

But shortly thereafter, he moved to withdraw the plea again, which the judge rejected.
So the case progressed to the 2nd US Circuit Court of Appeals. Earlier this year, when we expected to see Hasbajrami’s first appellate filing, his new lawyers filed an application with the judge.

They asked that the case be held “in abeyance,” which essentially puts a kind of stay on the appeals process.

The 2nd Circuit agreed. The reason? Because US District Judge John Gleeson, then the judge at the lower-court level, issued a classified opinion “which directly relates to and impacts the issues to be raised on appeal.” United States v. Hasbajrami was delayed when Judge Gleeson stepped down from the bench in late February. While Judge Gleeson’s opinion was released (in a redacted form) to the defense attorneys, by September, defense attorneys argued again in filings to the new judge that they possess adequate security clearance and should be given access to this material, unredacted. As they wrote: In that context, the government repeatedly fails—in its argument as well as the authority it cites—to distinguish public release of the redacted portions from providing security-cleared defense counsel access to that material. Here, all Mr. Hasbajrami seeks is the latter.

Thus, the dangers of dissemination beyond to those already authorized to review classified information simply do not exist, and the government’s contentions with respect to national security serve as a red herring. The most recent entry in either the appellate or district court docket is an October 31 filing.
In it, defense attorneys inform the 2nd Circuit that they are still waiting for Chief US District Judge Dora Irizarry to rule on receiving the unredacted version. One of Hasbajrami’s attorneys is Joshua Dratel.

Dratel is famous for having defended (and still defending) Ross Ulbricht, the convicted mastermind behind the Silk Road drug marketplace website.

The Free Encyclopedia

Case: Wikimedia v. NSA
Status: Appeal pending in 4th US Circuit Court of Appeals

Of course, Section 702 is just one of many ways the government is conducting surveillance beyond its intended target. Wikimedia v. NSA is one of several cases that has tried to target the “upstream” setup that allows the NSA to grab data directly off fiber optic cables. Wikimedia, which publishes Wikipedia, filed its case originally in March 2015.
In it, the company argues that the government is engaged in illegal and unconstitutional searches and seizures of these groups’ communications. But, in October 2015, US District Judge T.S. Ellis III dismissed the case. He found that Wikimedia and the other plaintiffs had no standing and could not prove that they had been surveilled.

That action largely echoed a 2013 Supreme Court decision, Clapper v. Amnesty International. The plaintiffs filed their appeal to the 4th US Circuit Court of Appeals immediately.
In their February 2016 opening brief, which was written by top attorneys from the American Civil Liberties Union, they argue essentially that Wikipedia traffic had to have been captured in the National Security Agency’s snare because it’s one of the most-trafficked sites on the Internet. They wrote: In other words, even if the NSA were conducting Upstream surveillance on only a single circuit, it would be copying and reviewing the Wikimedia communications that traverse that circuit.

But the government has acknowledged monitoring multiple internet circuits—making it only more certain that Wikimedia’s communications are being copied and reviewed. Moreover, the NSA’s own documents indicate that it is copying and reviewing Wikimedia’s communications.

Taken together, these detailed factual allegations leave no doubt as to the plausibility of Wikimedia’s standing. The government, for its part, countered by saying that the 4th Circuit should uphold the district court’s ruling. Why? Because, as it argued in April 2016, Wikimedia’s argument is largely speculative. ... the facts do not support plaintiffs’ assumption that Wikimedia’s communications must traverse every fiber of every sub-cable such that, if the NSA is monitoring only one fiber or even one sub-cable, it still must be intercepting, copying, and reviewing Wikimedia’s communications. Beyond that, the government continued, even if Wikimedia’s communications were intercepted, the plaintiffs have not demonstrated how they have actually been injured, because a large portion of the NSA’s interception is done by machine. The government continued: Indeed, plaintiffs’ complaint generally fails to state a cognizable injury because, whatever the nature of the particular communications at issue, plaintiffs have made no allegation that interception, copying, and filtering for selectors involve any human review of the content of those communications. The two sides squared off at the 4th Circuit in Baltimore on December 8, 2016 for oral arguments.

A decision is expected within the next few months.

Fast food, fast crimes

Case: United States v. Graham
Status: Decided en banc at 4th US Circuit Court of Appeals, cert petition filed to Supreme Court

This case was a big hope for many civil libertarians and privacy activists.

An appeals court had initially rejected the thorny third-party doctrine and found that, because the two suspects voluntarily disclosed their own location to their mobile carrier via their phones, they did not have a reasonable expectation of privacy. But in May 2016, the 4th US Circuit Court of Appeals, in an en banc ruling, found in favor of the government.

The court concluded that police did not, in fact, need a warrant to obtain more than 200 days' worth of cell-site location information (CSLI) for two criminal suspects. As the court ruled: The Supreme Court may in the future limit, or even eliminate, the third-party doctrine.

Congress may act to require a warrant for CSLI.

But without a change in controlling law, we cannot conclude that the Government violated the Fourth Amendment in this case. This case dates back to February 5, 2011 when two men robbed a Burger King and a McDonald’s in Baltimore.

Ten minutes later, they were caught and cuffed by Baltimore City Police officers.

Eventually, Aaron Graham and Eric Jordan were charged with 17 federal counts of interstate robbery, including a pair of fast food robberies and another one at a 7-Eleven.

They also received charges for brandishing a firearm in furtherance of the crime. A Baltimore City Police detective first sought and obtained a search warrant for the two cell phones recovered during a search of the getaway car. Prosecutors later obtained a court order (a lesser standard than a warrant) granting disclosure of the defendants’ CSLI data for various periods totaling 14 days when the suspects were believed to have been involved in robberies.

The government next submitted a second application, to another magistrate judge, and obtained a new set of CSLI data covering July 1, 2010 through February 6, 2011 (221 days). In August 2012, Graham and Jordan were found guilty on nearly all counts.

They were sentenced to 147 years in prison and 72 years, respectively. Meghan Skelton, Graham’s public defender, has filed an appeal with the Supreme Court, which has not yet decided whether it will hear the case.

Who is the Dread Pirate Roberts?

Cases: United States v. Ulbricht and United States v. Bridges
Status: Appeals pending in 2nd US Circuit Court of Appeals and 9th US Circuit Court of Appeals, respectively

While Section 702 surveillance and cell-site location information are important, there was one defendant who was defeated largely by snatching his laptop out of his hands: Ross Ulbricht.

The young Texan was convicted as being Dread Pirate Roberts, the creator of the notorious online drug market Silk Road. Later on in 2015, Ulbricht was given a double life sentence, despite emotional pleas from himself, his family, and friends for far less. 2016 kicked off with Ross Ulbricht’s formal appeal to the 2nd Circuit.

Ars described it as a “170-page whopper that revisits several of the evidentiary arguments that Ulbricht's lawyer made at trial.” These included theories that Ulbricht wasn’t Dread Pirate Roberts, and it attributed digital evidence found on Ulbricht’s computer to “vulnerabilities inherent to the Internet and digital data,” like hacking and fabrication of files.

According to the appeal, these “vulnerabilities” made “much of the evidence against Ulbricht inauthentic, unattributable to him, and/or ultimately unreliable.” Plus, corrupt federal agents Shaun Bridges and Carl Mark Force tarnished the case against Ulbricht, claimed his lawyer.

That lawyer is Joshua Dratel, who makes his second appearance on this list. The government responded with its own 186-page whopper on June 17, 2016.

After a lengthy recap of the entire case, United States Attorney Preet Bharara opened his arguments with a notable flaw in Ulbricht’s logic: But nowhere, either below or here, has Ulbricht explained, other than in the most conclusory way, how the corruption of two agents—who neither testified at his trial nor generated the evidence against him—tended to disprove that he was running Silk Road from his laptop. In short, the government argues, Ulbricht was caught red-handed, and the appeals court should uphold both the conviction and the sentence. The following month, federal prosecutors in San Francisco unsealed new court documents that make a strong case that former agent Bridges stole another $600,000 in bitcoins after he pleaded guilty. By August 2016, Bridges’ lawyer Davina Pujari filed what she herself said was a “legally frivolous” appeal to the 9th Circuit on behalf of her client, and she asked to be removed from the case.

Bridges’ case remains pending at the appellate level, and no oral arguments have been scheduled. (Pujari is still Bridges’ lawyer for now.) Bridges remains a prisoner at the Terre Haute Federal Correctional Institute in Indiana, where he is scheduled for release in 2021. Later in August, Ars chronicled the saga of how a San Francisco-based federal prosecutor joined forces with a dogged Internal Revenue Service special agent to bring Bridges and Force to justice. Meanwhile, Ulbricht’s lawyers, led by Joshua Dratel, faced off at the 2nd Circuit against federal prosecutors on October 6, 2016 to challenge Ulbricht’s conviction and sentence.

The court is expected to rule within the next few months.

Attackers use ancient zero-day to pop Asian banks, govts

Flawed desktop publishing tool for readers of Urdu and Arabic phlayed with phishing

Attackers are compromising governments and banks across Asia by exploiting a years-old zero-day vulnerability in the desktop publishing application InPage, which targets users working in Urdu or Arabic. Kaspersky Lab analyst Denis Legezo found the attacks and reported the zero-day to InPage, which he says ignored his disclosures.

Legezo says InPage has some 19 million users: 10 million in Pakistan, six million in India, two million in the UK, and one million in the US. If someone wants to deploy attack modules into regional press-related companies, an InPage exploit would work well. "We don’t observe any public mentions of [the InPage] exploit so we consider it a zero day."

Legezo found live attacks, likely from multiple groups, utilising the zero-day vulnerabilities against unnamed banks and governments in Myanmar, Sri Lanka and Uganda. Criminals are attaching multiple InPage files and also exploiting old bugs through attached .rtfs and xxx.doc files. The analyst found several keyloggers and backdoors within the phishing emails used to attack InPage users. He says the parser within the proprietary InPage file format contained a vulnerability that allowed attackers to gain control of instruction flow and then remote code execution.

"By all appearances, this newly discovered exploit has been in the wild for several years," Legezo says.

Hackers have previously targeted regionally-specific software. Several exploits have been found in the Hangul Word Processor, almost exclusively used in South Korea, in what Legezo says are attacks against Korean interests.

InPage zero-day exploit used to attack financial institutions in Asia

In September 2016, while researching a new wave of attacks, we found an interesting target which appeared to constantly receive spearphishes, a practice we commonly describe as a “magnet of threats”.

Among all the attacks received by this magnet of threats, which included various older Office exploits such as CVE-2012-0158, one of them attracted our attention.

This file, which was also uploaded to a multiscanner service in September 2016, had an extension that we were unfamiliar with – “.inp”.

Further investigation revealed this was an InPage document.
InPage, in case you are wondering, is publishing and text processing software, mostly popular with Urdu and Arabic speaking users.

(Figure: InPage user groups, from the vendor's official site)

Since no exploits for InPage have previously been mentioned in public, we took a closer look to see if the document was malicious or not.

Further analysis indicated the file contained shellcode, which appeared to decrypt itself and further decrypt an EXE file embedded in the document.

The shellcode appeared to trigger on several versions of InPage. We don’t observe any public mentions of such an exploit, so we consider it a zero-day.

All our attempts to contact InPage so far have failed.

Discovery and analysis

InPage is an interesting vulnerable software selection as it’s widely used within the Indian Muslim population, as well as in Pakistan.

This, of course, includes local mass-media and print shops, governmental and financial institutions (banks).
If someone wants to deploy attack modules into regional press-related companies, an InPage exploit would work well. Due to its wide range of technologies, it wasn’t perhaps surprising to see that Kaspersky Lab products already detect the exploit with the generic rule HEUR:Exploit.Win32.Generic.

This detection is triggered by the presence of the shellcode inside a Microsoft Compound Storage file (OLE), which works extremely well for a wide category of Office-based exploits, going back to 2009. The good news is that Kaspersky Lab users have been protected against this attack for quite some time – and the protection worked well in the past when it blocked a number of malicious InPage documents. Between the various phishing campaigns relying on this exploit, one particular attack attracted our attention.

The targets of this attack were special, since they were banks in Asia and Africa.

The payload and C&C servers are also different from the recent attacks we’ve observed, meaning there are probably several actors utilizing this zero-day exploit at the moment.

Technical details

(Figure: spearphishing e-mail with several malicious attachments; the .inp contains the zero-day exploit)

In their attacks, the threat actors often use more than one malicious document.

During spearphishing, the actors attached InPage files as well as .rtfs and .docs with old popular exploits. Looking through all the related documents we could find, we counted several different versions of keyloggers and backdoors written mostly in Visual C++, Delphi and Visual Basic. One such keylogger we analysed (MD5 hash: 18a5194a4254cefe8644d191cb96da21) was written in Visual C++.

After gaining control, the module decodes several internal strings. One of them is the C2 domain name visitorzilla[.]com.

This backdoor maintains persistence by creating “C:\Documents and Settings\<USER>\Start Menu\Programs\Startup\DataABackup.lnk”.
Similar to the other campaign modules, it uses SetWindowsHook() with a WH_KEYBOARD_LL hook to gather keystrokes.

To gather keystroke data, the module uses two files on disk: C:\Documents and Settings\<USER>\Application Data\DataBackup\sed.ic and me.ic (located in the same directory).

Inside weaponized documents

InPage uses its own proprietary file format that is based on the Microsoft Compound File Format.

The parser in the software’s main module “inpage.exe” contains a vulnerability when parsing certain fields.

By carefully setting such a field in the document, an attacker can control the instruction flow and achieve code execution. The shellcode has three main parts: a pattern searcher (so-called “egg hunter”) that runs before the decoder, the decoder itself, and a downloader. The pattern searcher looks through all of the virtual memory space attempting to find the pattern “68726872”. Once the searcher identifies this pattern it starts the next stage of the exploit – the decoder.

(Figure: shellcode decryptor)

The small decoder obtains the instruction pointer and uses FLDPI + FSTENV instructions (an old and uncommon technique).

The decoder is using an arithmetic NOT followed by a XOR 0xAC operation to decrypt the next stage. Next, the downloader fetches a remote payload using InternetReadFile() and runs it using the WinExec() function in the %userprofile% directory.
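The decoder stage described above, as an added analysis example that is not code from the Securelist report: it locates the egg-hunter marker in a constructed Compound File blob and reverses the NOT-then-XOR-0xAC transform to recover the stage that follows. It assumes (both labelled in the code) that the “68726872” pattern is the raw byte sequence 68 72 68 72 and that the marker and encoded stage are stored unencrypted in the document; the sample blob and its placeholder "stage" are constructed.

```python
from typing import Optional

# Compound File (OLE) header signature; InPage's format is built on this container.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# The egg-hunter pattern "68726872" from the write-up, assumed here to be the
# raw byte sequence 68 72 68 72 (ASCII "hrhr") rather than the ASCII digits.
EGG = bytes.fromhex("68726872")
XOR_KEY = 0xAC


def decode_stage(encoded: bytes) -> bytes:
    """Replay the decoder: arithmetic NOT on each byte, then XOR with 0xAC.

    NOT is the same as XOR 0xFF, so both steps together reduce to XOR 0x53;
    a detection rule can therefore key on a single-byte XOR rather than two ops.
    """
    return bytes(((~b) & 0xFF) ^ XOR_KEY for b in encoded)


def encode_stage(plain: bytes) -> bytes:
    """Inverse transform, used only to build the constructed sample below."""
    return bytes((~(b ^ XOR_KEY)) & 0xFF for b in plain)


def is_compound_file(blob: bytes) -> bool:
    """Gate on the OLE signature, as the generic detection described above does."""
    return blob.startswith(OLE_MAGIC)


def find_egg(blob: bytes, start: int = 0) -> int:
    """Mimic the egg hunter's search over a buffer: offset of the marker or -1."""
    return blob.find(EGG, start)


def extract_stage(blob: bytes, stage_len: int) -> Optional[bytes]:
    """Locate the marker and decode the stage_len bytes that follow it.

    Assumption: the marker and the encoded stage are stored as-is in the
    document, so the in-memory search the shellcode performs can be
    reproduced on the file bytes. Returns None when the blob is not an OLE
    container, the marker is absent, or the stage is truncated.
    """
    if not is_compound_file(blob):
        return None
    off = find_egg(blob)
    if off < 0:
        return None
    enc = blob[off + len(EGG): off + len(EGG) + stage_len]
    if len(enc) < stage_len:
        return None
    return decode_stage(enc)


# Constructed sample: an OLE header, padding, the marker, then an encoded
# placeholder "stage" (an inert text string, not real shellcode).
STAGE = b"MZ-placeholder-stage"
SAMPLE_DOC = OLE_MAGIC + b"\x00" * 24 + EGG + encode_stage(STAGE) + b"\x00" * 8


if __name__ == "__main__":
    print(f"OLE container: {is_compound_file(SAMPLE_DOC)}, egg at offset {find_egg(SAMPLE_DOC)}")
    print("decoded stage:", extract_stage(SAMPLE_DOC, len(STAGE)))
```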

This functionality is very common and we’ve seen it with many other exploits.
It’s the choice of vulnerable software that is interesting in this case and, for sure, the appearance of an exploit for software that is popular mostly in India and Pakistan. The final payload is a Trojan written in Visual Basic 6.
It defines a hook using the SetWindowsHook() function with the WH_MSGFILTER parameter.
It communicates with its C2 server at 195.189.227.26 on port 8080. During the initial session the C2 server sends “Pass” and the host replies with “Auth<username>@<hostname>\#/<OS version>\#/<IP address>\#/-”. In addition to b4invite[.]com, this same Trojan was also spread using a configuration with the C2 server relaybg[.]com.

Victims

So far, victims of these attacks have been observed in Myanmar, Sri Lanka and Uganda.

The sector for the victims includes both financial and governmental institutions.

Conclusions

By all appearances, this newly discovered exploit has been in the wild for several years.
In some way, it reminds us of other similar exploits for Hangul Word Processor, another language/region-specific text processing suite used almost exclusively in South Korea. HWP has been plagued by several exploits in the past, which have been used by various threat groups to attack Korean interests. Despite our attempts, we haven’t been able to get in touch with the InPage developers.

By comparison, the Hangul developers have been consistently patching vulnerabilities and publishing new variants that fix these problems.

The best defense against exploits is always a multi-layered approach to security. Make sure you have an internet security suite capable of catching exploits generically, such as Kaspersky Internet Security.
Installing the Microsoft EMET tool can also help, as well as running the most recent version of Windows (10).

Finally, default deny policies, also known as whitelisting, can mitigate many such attacks. The Australian Signals Directorate Top35 list of mitigation strategies shows us that at least 85% of intrusions could have been mitigated by following the top four mitigation strategies together.

These are: application whitelisting, updating applications, updating operating systems and restricting administrative privileges. Kaspersky Lab has technological solutions to cover the first three of these (i.e. all the technology-based strategies) as well as most of the others from Top35 ASD’s list. Kaspersky Lab detects this exploit as HEUR:Exploit.Win32.Generic. More information about this exploit, associated campaigns and attacks is available to customers of Kaspersky Intelligence Services.
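The C2 handshake from the technical details section, as an added detection example that is not code from the Securelist report: it parses the “Pass”/“Auth…” exchange and flags constructed flow records by handshake shape as well as by the C2 address and domains named in the write-up. The flow record layout, field names and sample values are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Handshake observed in the write-up: the server sends "Pass", the bot answers
# "Auth<username>@<hostname>\#/<OS version>\#/<IP address>\#/-".
C2_CHALLENGE = b"Pass"
AUTH_RE = re.compile(
    rb"^Auth(?P<user>[^@\\]+)@(?P<host>[^\\]+)\\#/(?P<os>[^\\]*)\\#/(?P<ip>[^\\]*)\\#/-$"
)
# Endpoints named in the write-up for this Trojan family.
KNOWN_C2_IP_PORTS = {("195.189.227.26", 8080)}
KNOWN_C2_DOMAINS = {"b4invite.com", "relaybg.com", "visitorzilla.com"}


def parse_auth_reply(payload: bytes) -> Optional[Dict[str, str]]:
    """Return the fields of a matching Auth reply, or None if it does not match."""
    m = AUTH_RE.match(payload)
    if not m:
        return None
    return {k: v.decode("latin-1") for k, v in m.groupdict().items()}


def classify_flow(flow: dict) -> List[str]:
    """Reasons a flow should be flagged; an empty list means nothing matched.

    `flow` is a constructed record with keys dst, dport, sni (optional; a TLS
    SNI or HTTP Host), server_first and client_reply (first payload bytes each
    side sent). Handshake matching works even when the C2 host is unknown.
    """
    reasons = []
    if (flow.get("dst"), flow.get("dport")) in KNOWN_C2_IP_PORTS:
        reasons.append("destination is a known C2 endpoint")
    if flow.get("sni") in KNOWN_C2_DOMAINS:
        reasons.append("destination name is a known C2 domain")
    fields = parse_auth_reply(flow.get("client_reply", b""))
    if fields is not None:
        reasons.append(f"InPage-campaign Auth beacon from {fields['user']}@{fields['host']}")
        if flow.get("server_first") == C2_CHALLENGE:
            reasons.append("server-initiated 'Pass' challenge seen")
    return reasons


def scan_flows(flows: List[dict]) -> List[dict]:
    """Return one alert record per flow that produced at least one reason."""
    alerts = []
    for f in flows:
        reasons = classify_flow(f)
        if reasons:
            alerts.append({"dst": f["dst"], "reasons": reasons})
    return alerts


# Constructed flows: a benign HTTP fetch, a full beacon to the known C2, and a
# beacon to an unknown host (infrastructure churn; the handshake still gives it away).
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "dport": 80,
     "server_first": b"HTTP/1.1 200 OK\r\n", "client_reply": b"GET / HTTP/1.1\r\n"},
    {"dst": "195.189.227.26", "dport": 8080, "server_first": b"Pass",
     "client_reply": b"Authjdoe@WS-ACCOUNTS\\#/Windows XP\\#/10.0.0.5\\#/-"},
    {"dst": "198.51.100.7", "dport": 8080, "server_first": b"Pass",
     "client_reply": b"Authclerk@BRANCH-PC\\#/Windows 7\\#/10.1.2.3\\#/-"},
]


if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert["dst"], "->", "; ".join(alert["reasons"]))
```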

Contact: intelreports@kaspersky.com
Indicators of compromise:

Hashes

C&Cs used in the samples dropped by the weaponized InPage documents:

Internet-based and open source: How e-voting works around the globe

The Australian Capital Territory uses an open-source e-voting solution. (Elections ACT)

Another election day in the US is rapidly approaching (Tuesday, Nov. 8—mark your calendars!). Millions of Americans will take to the postal system or head out to local polling places in order to file physical ballots, but why is that custom still in place despite our increasingly connected and mobile society? To that end, we're resurfacing our close examination of e-voting around the world from the last election cycle (November 4, 2012). I live in one of the most wired parts of the United States—the San Francisco Bay Area—but for the presidential election, I’ve already voted by mail. On a piece of paper.

From the comfort of my living room.

Between folks like me who vote by mail and everyone else who votes by marking paper in some way, we comprise about two-thirds of all American voters.

Approximately 25 percent of all Americans, however, will use paperless and electronic voting machines to cast their ballots on November 6. Around the world though, these percentages don't hold.

An increasing number of countries are beginning to tackle e-voting with gusto.

Estonia, Switzerland, Spain, Brazil, Australia, India, Canada, and a handful of other countries have all held elections through the use of electronic voting machines in recent years.

E-voting in the US

While many developing countries are expanding the use of voting technology, many computer scientists, cryptographers, and public policy analysts worldwide are coming to the same conclusion already decided upon in the US: unverified e-voting devices are unreliable at best and dangerous at worst. Read more about the debate stateside in Timothy Lee's piece, "Paper prophets: Why e-voting is on the decline in the United States."

E-voting was supposed to solve many of the problems inherent in traditional paper voting: it’s difficult for illiterate people to vote, it’s difficult to get physical paper out to all corners of a country (voters abroad can submit their ballot much more easily), tabulating the results takes too much time, physical ballot stuffing or ballot swapping can occur with little or no verification. With an electronic ballot, it’s also, of course, easier to tweak ballots in other languages or to make them available to blind or deaf voters.

As recently as August 2012, advocates in Pakistan and the Philippines called for the expansion of e-voting in their respective countries. Currently, there are four major types of e-voting around the world that are worth keeping an eye on: Brazil’s homegrown direct recording electronic (DRE) setup, Australia’s open-source software, Estonia’s Internet voting, and a Spanish startup’s efforts to expand what’s been called "crypto-voting." Each of these approaches has its own unique set of problems, but the primary obstacles they present for many voting officials and computer scientists are the inability to verify the source code and the expense.

From dictatorship to e-voting in just over a decade

This urna, as photographed in 2005, has been a workhorse of Brazilian elections for almost two decades. (Wikimedia Commons)

Surprisingly, Brazil has one of the world’s oldest electronic voting systems, dating way back to 1996. While Brazil certainly is a vibrant (and huge, at 195 million people) democracy, it’s a rapidly developing country—you do know it’s the B in BRIC, right? Brazil has gone through significant economic and political change in recent decades.
It wasn’t until 1985 that the country was rid of its military dictatorship, yet, just over a decade later, the country had implemented a locally designed and produced electronic voting system. As recently as 1996, 15 percent of the country's population could not read or write.

That meant a significant portion (over 23 million Brazilians at the time) of the country were effectively disenfranchised from voting. The DRE machine, known locally as an urna, is about the size of two or three stacked hardback books, and it has a small screen on one side with a keypad on the other side.

The machine displays a list of candidates, along with their pictures and the numbers associated with them.
Voters use the keypad to type in their preferred number—the device only allows one number to be pressed at a time. Voters then receive a printed stub confirming that he or she voted.

Each DRE device has two flash cards, which store a digital record of the vote count.

The cards are removed at the end of the election and the vote totals are sent electronically to the Regional Electoral Office, where national vote counts are tallied within just several hours. "Nowadays we have 450,000 digital ballot boxes in Brazil," Antonio Esio from the Regional Electoral Office in Sao Paulo, told the BBC in 2008. "We are making more each year because the number of voters is increasing around six percent every election." Before the electronic system, voters were required to hand-write the complete names of the candidates and their parties—something many illiterate people were unable to do. "By adopting it, you are enfranchising voters who might be disenfranchised by complicated ballots," Tiago Peixoto, a Brazilian researcher with the ICT4Gov program at the World Bank, told Ars. However, by 2002, some critics in Brazil countered that by relying on an electronic device, there was little actual voter verification.

To use industry parlance, there was no way to verify that the vote was cast as intended and counted as it was cast.
So printers were added, which showed the vote on a piece of paper protected behind plastic.

Two years later, Brazil eliminated the printers, as they were too costly.

The printers were slated to be back (Google Translate) for the 2014 election, but they have since been suspended a second time. By 2008, the entire software running on the DRE machines was rewritten by developers contracted by the Brazilian Superior Electoral Court.
Six months prior to any election, people who have been accredited by the Court are allowed to come in-person, "in an environment controlled by the Superior Electoral Court," where experts can examine the source code, under a nondisclosure agreement. Diego Aranha, a professor of computer science at the University of Brasilia, was one such expert.

But, he said, he and his team were only given five hours in which to examine millions of lines of code—nowhere near adequate to perform a proper audit. One major flaw he found was that the digital votes are randomly shuffled, as a way to provide extra security while in storage. However, the algorithm to provide that randomness is given a non-random seed: the timestamp. "I made this assumption because I know how many times people have got this wrong," he told Ars. "They used a really, really bad pseudo-random number generator available: the seed was a timestamp in seconds.

This is mission-critical software! This is our software for our democracy." Despite these problems, so far, Brazil has used its DRE system in its various iterations for nearly two decades without any major political dispute over their use. In an academic paper published in a forthcoming book, Aranha concluded: "The necessity of installing a scientifically sound and continuous evaluation of the system, performed by independent specialists from industry or academia becomes evident and should contribute to the improvement of the security measures adopted by the voting equipment."

Looking inside the black box Down Under

The ACT remains the only Australian territory or state to use the open-source e-voting model. (Elections ACT)

"It's a black box." So goes the common refrain from computer scientists and cryptographers who work on electronic voting.
In other words, no one can be completely certain the computer code running on a given device does exactly what it’s said to. Worse still, no one can ever know the software running on the voter’s computer is precisely the same version of the software that was initially certified. But for over a decade, the Australian Capital Territory has figured out a way to solve this problem (in use across a handful of voting locations): just make the software open source.

The software runs on older PCs running Linux and offers ballots in 12 languages.

There are also ballots available for illiterate, blind, or deaf voters. Each voter receives a barcode that is read by a scanner attached to the computer. Once the code is scanned, it resets the software to be ready to receive a vote. Once the ballot is complete, the card is swiped a second time to cast that ballot.

The barcodes are not connected to an individual voter, but the software is designed to only allow one vote per voter.

The votes are counted electronically, digitally signed, and sent to a server on a local network. "We wanted to make it something that people would find trustworthy," said Phillip Green, the electoral commissioner for the territory, in a recent interview with Ars. "We've likened it to a normal election process where if you're doing it by hand, everything is available to scrutiny," Green said. "We shouldn't have a black box, where you don't know what it does. Open source code was the way to solve the transparency issue.
So we get the code audited by a professional company and they're looking for areas in the code that what comes in doesn't come out and that there's nothing in there that would allow someone to maliciously change votes." In addition, there’s a software keylogger making sure what’s typed in actually matches the votes that were recorded, as a way to prevent fraud.

Green added the IT faculty at the Australian National University in Canberra use the source code frequently as a security auditing exercise for its students.

This system has run more or less without any problems since 2001. But if it’s so great, why don’t other states and territories Down Under use it? There’s no real reason, but like in the United States, state and territory voting laws and regulations are set at the state level.

The ACT has chosen to go open-source, and there’s nothing stopping the country’s bigger states, like Victoria or New South Wales, from doing the same. The decision largely has to do with size and expense.

The ACT, Australia’s smallest territory by population, is home to about 365,000 people. (My home city of Oakland, California is bigger!) Only about two-thirds of the population are voters. Nationally, the country has around 15 million voters—so ACT voters represent less than three percent of all voters nationally. "There's no practical reason why it couldn't work these, but it's a hardware [question]," Green added. "We're getting out of our system cheaply by borrowing hardware. We're part of [the] ACT government computer system and we get monitors that are coming off refresh cycles. We either get the new ones before they get them or the old ones coming off; we're borrowing monitors. We get out of it pretty cheaply by trying to find cheap and innovative ways, and because we've only got five voting locations, we can get away with that. [Other states] might want 50 to 60 sites, and would have difficulty borrowing equipment.
It’s several thousand dollars per machine by the time you get the hardware together." Still, despite the success of the open-source e-voting setup, Green says its days may be numbered.

Even though he has his doubts about the security and openness of Internet-based setups, he believes that it, not open-source e-voting, will "be the way of the future." After all, Internet-based systems can reduce the cost of hardware by allowing people to just use their own computers. "We’re looking at it for 2016," he said in a resigned tone.

Internet voting in Estonia

All Estonians can vote online using their digital ID card. (European Parliament)

Perhaps the most famous example of Internet-based voting, though, comes from Estonia. This tiny, post-Soviet country in the northeastern corner of Europe reclaimed its independence in 1991. Within less than a decade, the country was already making progress toward a digital ID card project.

The cards, which look very similar in size to other European Union ID cards or American driver's licenses, possess a front-facing chip that can be read by a small handheld device.

By 1999, the Estonian parliament passed an important amendment to the "Identity Documents Act" and created the "Digital Signatures Act." This legislation established that such cards and corresponding signatures would be legal in the country. The Digital ID card became available in 2002 and led to a number of "e-services" that all Estonians could take advantage of.

Through the use of open-source public key-private key encryption software (upgraded in 2011 to 2048-bit), various government agencies have enabled citizens to not only engage in digital contracts, but also to perform various secure functions connected with their identity.

These include financial transactions, public transportation tickets, and student university admissions records. "What we have in Estonia and have had for eight years is that we have universal notion of digitally signed files," Tarvi Martens told Deutsche Welle, Germany’s international broadcaster, in 2010. (Martens was one of the leaders of the Estonian digital ID card project at the Estonian Certification Center.) "If you sign something digitally with your Estonian ID card, it universally replaces a paper written signature and this can be applied anywhere—terminating contracts, creating contracts—everywhere.

Everywhere you'd need a paper signature you can replace it with an electronic signature," he added. With that infrastructure in place, the Estonian government began testing Internet-based voting in local elections in 2005.

Two years later, it was expanded out to national elections.
In the 2009 elections for the European Parliament, 15 percent of all votes cast were submitted online.

That number grew to almost 25 percent for the 2011 domestic parliamentary elections. As a security precaution, voters can submit their ballot as many times as they like during the e-voting window open during the week before election day. "I-voting is possible only during seven days of advance polls—from the tenth day until the fourth day prior to Election Day," the Estonian National Electoral Committee states on its website. "This is necessary in order to guarantee that in the end only one vote is counted for each voter.

To ensure that the voter is expressing their true will, they are allowed to change their electronic vote by voting again electronically during advance polls or by voting at the polling station during advance polls." Domestically, courts have upheld the use of Internet voting.
In 2011, the Estonian Supreme Court’s Constitutional Review Chamber rejected the petition of an Estonian student who alleged that the voting software—which is not open-source—could be maliciously tampered with so as not to count votes accurately. Barbara Simons is a computer scientist and former president of the Association of Computer Machinery.
She's an outspoken activist against e-voting and told Ars that because the Estonian government has never conducted post-election auditing, it can’t be 100 percent sure it works as advertised. "We don’t know how the Estonian system is working," she said. "We do know that the second largest party thinks that the voting was rigged in 2011.

The reason they think it was rigged was that the ballot counts online were different than the paper version.

There are possible explanations, but I couldn’t say that it was rigged—there’s no way that anyone can prove anything. [The Estonian government] won’t let independent security experts review it without signing a nondisclosure agreement." Simons points out a common refrain by many people who are used to Internet banking—that is, if we can bank online, why can’t we vote online? In short, it's mostly because of responsibility and attribution. With banking, you want to know—and have an extensive record—of what actions were taken when, and you associate them with a certain person.
Voting, however, requires secrecy, and separation from a person and a specific identity.

Furthermore, with banking, there is insurance and other precautions put into place to reassure customers against fraud. "I do online banking because I know the bank will cover it," she says. "You can’t do voting online—nobody can cover it." Or, as two UK-based computer scientists put it in a recent op-ed: "This is like running your bank account without getting statements or receipts, and trusting the bank to keep track of your balance accurately."

Crypto-voting abounds

Scytl, a Spanish e-voting startup, has made inroads around the world. (l_anella)

Despite these different approaches, there’s one company that has been getting a lot of attention, a Spanish company with a rather unique name: Scytl. The company was founded by a Barcelona-based computer science professor, and partially funded initially by Spain’s Ministry of Science and Technology.
It's now making significant inroads with various government agencies around the world, including Norway, Mexico, India, Spain, and many others.

The company offers not only on-site DRE-style e-voting, but also (most controversially) Internet-based voting.
In fact, during the first week of September, West Virginia said it would provide "electronic ballot delivery" to overseas and military voters in the state for the November 2012 election, joining other jurisdictions in states of Alabama, Arkansas, Mississippi, New York, and Dallas County, Texas. It’s important to note that for the American market, Scytl does not offer true, Estonia-style online voting. Rather, it provides a way for the ballots to be securely sent to the individual. "The ballot comes back to the local election jurisdiction and is tabulated in the same way in the local jurisdiction," explained Michelle Shafer, a company spokesperson. The company claims that for the locations where Internet-based voting is offered, its systems are true end-to-end encrypted solutions.

This, for example, is currently being tested in local elections in Norway and is scheduled for a nationwide deployment across the country in 2017. But the company declines to reveal exactly how its setup works on its website. "Votes are encrypted in the voters' voting device before they are cast," the company’s FAQ states. "Only the Electoral Board can decrypt the votes by reconstructing the private key.

The decryption of the votes is carried out in an isolated and physically secured computer by applying a mixing technique that breaks the correlation between the voters' identity and the clear-text votes in order to guarantee voters' privacy." In a set of slides dated 2011 that were presented at a cryptography conference in Spain, the company alludes to the specific techniques that it is using.

The slides refer to various advanced cryptographic techniques, including homomorphic tallying, which allows encrypted values to be added and the end result decrypted without revealing any individual value. Scytl’s setup appears to be similar to other cryptographic voting systems pioneered by Ron Rivest, Josh Benaloh, Olivier Pereira, and others with backgrounds in related research and e-voting systems. "That slide set reads like a bunch of existing crypto voting techniques thrown together with a Scytl logo on it," e-mailed Ben Adida, a cryptographer and co-creator of Helios.
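The additive homomorphic tallying mentioned above, as an added illustration that is not Scytl's or Helios's code: a toy Paillier cryptosystem in which each ballot is encrypted separately, the ciphertexts are multiplied to add the plaintexts, and only the final sum is decrypted. The primes are deliberately tiny so the arithmetic is readable; they are nowhere near a secure parameter size.

```python
import secrets
from math import gcd
from typing import List, Tuple

PublicKey = Tuple[int, int]    # (n, g)
PrivateKey = Tuple[int, int]   # (lambda, mu)


def _lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def _L(u: int, n: int) -> int:
    # Paillier's L function: (u - 1) / n, exact for the inputs it is applied to.
    return (u - 1) // n


def keygen(p: int, q: int) -> Tuple[PublicKey, PrivateKey]:
    """Paillier key generation with g = n + 1 (the standard simplification)."""
    n = p * q
    lam = _lcm(p - 1, q - 1)
    g = n + 1
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)   # modular inverse, Python 3.8+
    return (n, g), (lam, mu)


def encrypt(pub: PublicKey, m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r, so equal votes encrypt differently."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub: PublicKey, priv: PrivateKey, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    return (_L(pow(c, lam, n * n), n) * mu) % n


def add_encrypted(pub: PublicKey, c1: int, c2: int) -> int:
    """Multiplying ciphertexts adds the underlying plaintexts (mod n)."""
    n = pub[0]
    return (c1 * c2) % (n * n)


def tally(pub: PublicKey, priv: PrivateKey, votes: List[int],
          n_candidates: int, base: int) -> List[int]:
    """Homomorphic tally.

    A vote for candidate i is encoded as base**i; base must exceed the number
    of ballots so per-candidate counts never carry into the next digit.
    Only the aggregate is ever decrypted, never an individual ballot.
    """
    assert base > len(votes), "base too small for this many ballots"
    ballots = [encrypt(pub, base ** choice) for choice in votes]
    total = ballots[0]
    for c in ballots[1:]:
        total = add_encrypted(pub, total, c)
    s = decrypt(pub, priv, total)
    counts = []
    for _ in range(n_candidates):
        counts.append(s % base)
        s //= base
    return counts


# Toy key: the 10,000th and 100,000th primes (illustration only, not secure).
PUB, PRIV = keygen(104729, 1299709)

# Constructed ballots: six voters choosing among three candidates (0, 1, 2).
SAMPLE_VOTES = [0, 1, 1, 2, 0, 1]

if __name__ == "__main__":
    print("per-candidate counts:", tally(PUB, PRIV, SAMPLE_VOTES, 3, 16))
```

Verifying that the published tally matches the product of the published ciphertexts is the step an auditor can repeat without the private key; decrypting individual ballots is what the scheme is built to avoid.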

That's another similar crypto-voting system that was tested in a Belgian university election in 2009. "It's not clear to me at all that this described technology is actually used in their system, since from the little I've seen of folks using Scytl, none of this end-to-end verifiability is visible." The company does say on its site, however, that "transparency is an integral part of security." It explains that election authorities and independent auditors designated by those authorities are given access to the source code.

Authorities can verify this is digitally signed to make sure that the same software that was audited is the same one that is actually used during an election.
So why isn’t the source code given to the public to vet? "[Voters] don’t have the ability to review the source code of their [online] banking either," Shafer, the company spokesperson, added.

The slow march of democracy

Despite much of the hoopla (and hundreds of millions of dollars spent) surrounding e-voting over the last decade, there seems to be a considerable amount of evidence against putting too much faith in a system that can't be verified. With the exceptions of Estonia (which seems to have put domestic concerns to rest) and the Australian Capital Territory (which goes the open-source route), there remain significant concerns with the expansion of electronic voting systems worldwide. In Australia, like the US, there’s also the large problem of a mish-mash of federal and state voting laws. Not to mention, Australia is a large territory that makes deploying computers expensive and, at least for now, seemingly unfeasible. Here in the US, we would certainly do better with a single, unified voting standard that would take power away from state authorities to have differing voting standards—remember Bush v. Gore? In short: e-voting is a tall order.
It's difficult to make such systems verifiable (whether through open-source code, an auditable paper trail, and/or cryptography), keep them inexpensive, and maintain the legal backing of the local jurisdiction to support them.

This may be why some voting activists are pushing for "risk-limiting audits." These don’t even attempt to get involved with the actual procedures in voting, but rather just making sure the votes were counted properly using whatever system is on hand. It's a laudable goal to expand democracy as much as possible. Making voting easier, particularly for those who speak different languages or who are blind, deaf, or have other handicaps is certainly admirable. However, without overcoming the multitude of problems that exist in e-voting systems, it's hard to see how they can move forward in a trustworthy way.

Shadow Brokers Releases Second Trove of Spying Tools

The new leak appears to disclose NSA tactics. Shadow Brokers, a secretive online group that in August published details of hacking tools allegedly belonging to the NSA, released new leaks this week that appear to expose more of the agency's cyber strategies, as well as those from multiple foreign countries. The leak discloses NSA-style code names, including "Jackladder" and "Dewdrop," the Associated Press reports.
It also appears to offer a list of servers compromised by the Equation Group, a separate hacking organization with ties to the NSA. In a post on Medium in broken English, Shadow Brokers referenced Equation Group twice and suggested that its motivation for exposing the server information was related to the US presidential election.

The post also demands a ransom payment, although it does not suggest a specific amount of money. Named after its penchant for encryption algorithms, the Equation Group has hacked targets in more than 30 countries—including Iran, Russia, Pakistan, Afghanistan, India, and China, according to security firm Kaspersky.
Its focus is on government, nuclear research, military, and nanotechnology organizations, as well as companies developing cryptographic technologies. The hackers' malware can reprogram hard drive firmware, and has been found on devices from Seagate, Western Digital, and Samsung.

The exploit, carried out via physical interceptions like infected USB drives and CD-ROMs, is undetectable and cannot be removed. It is unclear how Shadow Brokers wound up with data from Equation Group.

This week's leak also raises questions about possible ties to Harold Martin, the former NSA contractor who was arrested in August for allegedly stealing more than 50 terabytes of classified data.

Authorities are attempting to prove that the Equation Group got its information from Martin.

ISPs mind their MANRS to block DDoS attacks

The internet permeates our entire lives, for work, play, and everything in between, but it relies on a fragile network of trust spanning the globe. While it may feel like we're just one major attack away from a crippled internet, initiatives like the Internet Society's MANRS (Mutually Agreed Norms for Routing Security) offer some hope for a more secure Internet. The goal is to "restore trust in the Internet," said Andrei Robachevsky, the Internet Society's technology program manager, noting that it's easy for DDoS (distributed denial of service) attacks to exploit the routing infrastructure.
Incorrectly routing network traffic, either accidentally or deliberately, can also cause havoc by making sites and services unavailable. Routing ensures network traffic takes the most direct path between the originating device and the intended destination.

There is no reason why a Canadian Facebook user should have his or her data pass through China before hitting Facebook's servers, nor should ISPs in Pakistan blocking YouTube have caused the rest of the world to lose access to the video-sharing service. Under MANRS, member network operators -- primarily ISPs -- agree to implement security controls, such as defining a clear routing policy, enabling source address validation, and deploying anti-spoofing filters, to limit these kinds of abuses. Members certify they have implemented security controls in at least one of the four areas: filtering, anti-spoofing, coordination, and global validation. Most operators who have joined the voluntary program -- the initiative now counts 42 members across 21 countries -- have addressed at least three of those areas, according to the Internet Society. As DDoS attacks get bigger, so does the concern about the kind of damage these attacks can cause.

Encouraging network operators to implement anti-spoofing filters, which prevent attackers from hiding the originating IP address, could dramatically diminish the prevalence and impact of DDoS attacks. For example, French service provider OVH was recently hit by the largest DDoS attack to date -- peaking at more than 1Tbps (terabit per second) of traffic.

The recent attack against security blog Krebs on Security peaked at 620Gbps (gigabits per second) and was disruptive enough that networking company Akamai had to take the blog off its network to protect other customers.

Attackers are getting better at throwing larger volumes of junk traffic at their targets, and they rely on address spoofing to hide the originating IP address so that network defenders can't trace where the attack traffic is coming from.
If operators can filter out spoofed traffic within their networks, that's junk traffic that never reaches the target. Blocking spoofed traffic doesn't end the risk of DDoS, but it makes it more expensive for attackers to use the devices on the protected network, Robachevsky said.

The MANRS member is promising to protect the rest of the internet from bad things originating within its network by blocking all packets that give the wrong source IP address. Other controls, such as filtering and validating routing information, also help improve Internet security and resilience.

By defining clear routing policies and creating filters, ISPs can prevent the propagation of incorrect routing information.

This way, mistyped routing rules won't result in networks accidentally hijacking traffic intended for other networks, and up-to-date filters prevent malicious attempts to divert traffic.

By making it clear who owns which routes, operators can more easily communicate with each other when something goes wrong and validate routing information to ensure they are correct. It's akin to "clean your own side of the street," as network operators commit to filter their own route advertisements to catch mistakes. Operators know their networks and know what their customers are doing.
If each operator makes sure they're handling routing announcements and traffic packets correctly, that all adds up across a broader area. MANRS is more than just a list of members and a collection of published routing information.
It's also a framework.
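The two MANRS controls described above, source address validation on customer ports and prefix filtering of customer route announcements, as an added example that is not the Internet Society's or any vendor's code. The customer names and prefixes are constructed; the point is that both checks reduce to one question, "does this customer own this address space?", answered from the operator's own assignment records.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed assignment records: prefixes this operator has delegated to each
# customer (documentation ranges, not real allocations).
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "customer-a": ["192.0.2.0/24"],
    "customer-b": ["198.51.100.0/24", "2001:db8:b::/48"],
}

ALLOWED = {cust: [ipaddress.ip_network(p) for p in plist]
           for cust, plist in CUSTOMER_PREFIXES.items()}

Packet = Tuple[str, str, str]          # (ingress customer, src_ip, dst_ip)
Announcement = Tuple[str, str]         # (announcing customer, prefix)


def source_is_valid(customer: str, src_ip: str) -> bool:
    """Source address validation (anti-spoofing) on a customer-facing port:
    a packet may only carry a source address from space assigned to that customer."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED.get(customer, [])
               if net.version == addr.version)


def filter_packets(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (forwarded, dropped); dropped ones are the spoofed sources
    that would otherwise leave this network to join a DDoS flood."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


def announcement_is_valid(customer: str, prefix: str) -> bool:
    """Prefix filter on customer BGP sessions: accept an announcement only if it is
    equal to, or more specific than, a prefix assigned to that customer. A mistyped
    prefix and a deliberate hijack of someone else's space fail the same check."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(a) for a in ALLOWED.get(customer, [])
               if net.version == a.version)


def filter_announcements(anns: List[Announcement]) -> Tuple[List[Announcement], List[Announcement]]:
    accepted, rejected = [], []
    for cust, prefix in anns:
        (accepted if announcement_is_valid(cust, prefix) else rejected).append((cust, prefix))
    return accepted, rejected


# Constructed traffic and routing samples.
SAMPLE_PACKETS: List[Packet] = [
    ("customer-a", "192.0.2.10", "203.0.113.1"),      # legitimate
    ("customer-a", "198.51.100.7", "203.0.113.1"),    # spoofed: not customer-a's space
    ("customer-b", "2001:db8:b::1", "2001:db8:c::1"), # legitimate IPv6
    ("customer-b", "9.9.9.9", "203.0.113.1"),         # spoofed: public address not assigned
]
SAMPLE_ANNOUNCEMENTS: List[Announcement] = [
    ("customer-a", "192.0.2.0/24"),     # exact match, accepted
    ("customer-a", "192.0.20.0/24"),    # fat-fingered prefix, rejected
    ("customer-b", "198.51.100.0/25"),  # more-specific of own space, accepted
    ("customer-b", "203.0.113.0/24"),   # someone else's space, rejected
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    acc, rej = filter_announcements(SAMPLE_ANNOUNCEMENTS)
    print("dropped packets:", drop)
    print("rejected announcements:", rej)
```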

The Best Current Operational Practices document, which outlines the steps network operators need to take to become MANRS-compliant, is currently being drafted and will be available for review at the end of October, Robachevsky said.

Training modules and self-assessment guides also provide network operators with best practices recommendations to add resiliency and security to their routing infrastructure. MANRS is still in early stages, and there are still areas for improvement. Right now, verifying networks during the initial application process relies heavily on the ISP performing a self-assessment and reporting which controls it has implemented.

The Internet Society is currently reviewing tools like BGPStream and Spoofer to help automate the assessment and verification process. There's currently no mechanism to ensure member operators are continuing with the security controls beyond the initial sign-up process. Right now, it's up to each individual operator to stay on top of configuration changes in their network to make sure the security controls are still effective.

This will have to change, especially as the membership grows, but the current priority is to make it easier to test and verify new members.

At the moment, MANRS relies on the honor system, Robachevsky said. While it's encouraging that more network operators are signing up for MANRS, Robachevsky acknowledged the initiative still has a long way to go before it can be considered successful.

Considering there are roughly 50,000 autonomous systems networks worldwide, the fact that there are 42 members is trifling.

There's a tipping point, and MANRS isn't there yet. However, Robachevsky emphasized having pockets of "clean" Internet can make a difference.

Comcast, one of the world's largest broadband operators, is a member, and claims 33 ASNs have met MANRS requirements across all four areas. Robachevsky's hope is to gain enough members to the point where organizations would start evaluating upstream providers based on whether their networks are MANRS compliant. Many of the commitments MANRS is asking for sound like common-sense security, but haven't been implemented because the ISPs may not have seen the cost benefits of taking those steps. Yes, there are costs associated with becoming MANRS compliant, but network operators benefit by making it easier to troubleshoot configuration issues, protect against misconfigurations caused by "fat-fingering" routing rules, and increase opportunities for collaboration with other ISPs.

Eventually, not doing these things may also wind up costing the ISP, both financially and in security.