SECURITY
Prepared by:
Cathlene L. Babaran
Sara Johanna Glenn S. Bucayu
Polina Valerie G. Corbe
Jun Arvie T. Rivo
Ricajoy O. Turqueza
1. Computer Security THREATS
a. Computer Security Concepts
b. Threats, Attacks and Assets
c. Intruders
d. Malicious Software Overview
e. Viruses, Worms and Bots
f. Rootkits
2. Computer Security TECHNIQUES
a. Authentication
b. Access Control
c. Intrusion Detection
d. Malware Defense
e. Dealing with Buffer Overflow Attacks
COMPUTER SECURITY THREATS
COMPUTER SECURITY CONCEPTS
Computer Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources.
1. Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
• Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
• Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
THREE KEY OBJECTIVES that are at the heart of computer security:
2. Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
• Data integrity: Assures that information and programs are changed only in a specified and authorized manner.
• System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
3. Availability: Ensuring timely and reliable access to and use of information.
THE SECURITY REQUIREMENTS TRIAD
ADDITIONAL CONCEPTS
Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.
Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
THREATS, ATTACKS AND ASSETS
1. Unauthorized Disclosure: A circumstance or event whereby an entity gains access to data for which the entity is not authorized.
2. Deception: A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
FOUR KINDS OF THREAT CONSEQUENCES
3. Disruption: A circumstance or event that interrupts or prevents the correct operation of system services and functions.
4. Usurpation: A circumstance or event that results in control of system services or functions by an unauthorized entity.
(Unauthorized disclosure)
1. Exposure: Sensitive data are directly released to an unauthorized entity.
2. Interception: An unauthorized entity directly accesses sensitive data travelling between authorized sources and destinations.
KINDS OF ATTACKS
3. Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data by reasoning from characteristics or byproducts of communications.
4. Intrusion: An unauthorized entity gains access to sensitive data
(Deception)
1. Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
2. Falsification: False data deceive an authorized entity.
3. Repudiation: An entity deceives another by falsely denying responsibility for an act.
(Disruption)
1. Incapacitation: Prevents or interrupts system operation by disabling a system component.
2. Corruption: Undesirably alters system operation by adversely modifying system functions or data.
3. Obstruction: A threat action that interrupts delivery of system services by hindering system operation.
(Usurpation)
1. Misappropriation: An entity assumes unauthorized logical or physical control of a system resource.
2. Misuse: Causes a system component to perform a function or service that is detrimental to system security.
THREATS AND ASSETS
Assets of a computer can be categorized as:
• Hardware
• Software
• Data
• Communication Lines and Networks
INTRUDERS
1. Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.
2. Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
THREE CLASSES OF INTRUDERS
3. Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
EXAMPLES OF INTRUSION
• Viewing sensitive data, including payroll records and medical information, without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission
• Hackers
• Criminals
• Insider Attacks
INTRUDER BEHAVIOR PATTERNS
INTRUDER BEHAVIOR PATTERNS - HACKERS
INTRUDER BEHAVIOR PATTERNS - CRIMINALS
INTRUDER BEHAVIOR PATTERNS - INSIDER ATTACKS
MALICIOUS SOFTWARE OVERVIEW
Virus: Malware that, when executed, tries to replicate itself into other executable code; when it succeeds the code is said to be infected. When the infected code is executed, the virus also executes.
Worm: A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network.
TERMINOLOGY OF MALICIOUS PROGRAMS
Logic Bomb: A program inserted into software by an intruder. A logic bomb lies dormant until a predefined condition is met; the program then triggers an unauthorized act.
Backdoor (trapdoor): Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality.
Trojan Horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program.
Mobile Code: Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
Exploits: Code specific to a single vulnerability or set of vulnerabilities.
Downloaders: Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail.
Auto-rooter: Malicious hacker tools used to break into new machines remotely.
Kit (virus generator): Set of tools for generating new viruses automatically.
Spammer programs: Used to send large volumes of unwanted e-mail.
Flooders: Used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service (DoS) attack.
Keyloggers: Captures keystrokes on a compromised system.
Rootkit: Set of hacker tools used after attacker has broken into a computer system and gained root-level access.
Zombie, bot: Program activated on an infected machine that is activated to launch attacks on other machines.
Spyware: Software that collects information from a computer and transmits it to another system.
Adware: Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.
A multipartite virus infects in multiple ways. Typically, the multipartite virus is capable of infecting multiple types of files, so that virus eradication must deal with all of the possible sites of infection.
A blended attack uses multiple methods of infection or transmission, to maximize the speed of contagion and the severity of the attack. Some writers characterize a blended attack as a package that includes multiple types of malware.
MULTIPLE-THREAT MALWARE
VIRUSES, WORMS and BOTS
Viruses
A computer virus is a piece of software that can “infect” other programs by modifying them.
Nature of Viruses
A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is running.
Infection Mechanism – the means by which a virus spreads, enabling it to replicate.
Trigger – event or condition that determines when the payload is activated or delivered.
Payload – what the virus does, besides spreading
THREE PARTS OF COMPUTER VIRUS
Dormant Phase – the virus is idle.
Propagation Phase – the virus places an identical copy of itself into other programs or into certain system areas on the disk.
Triggering Phase – the virus is activated to perform the function for which it was intended.
Execution Phase – the function is performed.
FOUR PHASES OF VIRUS
Virus Structure - A virus can be prepended or postpended to an executable program, or it can be embedded in some other fashion.
Initial Infection - Once a virus has gained entry to a system by infecting a single program, it is in a position to potentially infect some or all other executable files on that system when the infected program executes.
Boot sector infector – infects a master boot record
File Infector – infects files that the OS or shell consider to be executable
Macro Virus – infects files with macro code that is interpreted by an application.
VIRUS CLASSIFICATION by target
Encrypted virus – a typical approach is as follows. A portion of the virus creates a random encryption key and encrypts the remainder of the virus.
Stealth virus – a form of virus explicitly designed to hide itself from detection by antivirus software.
Polymorphic virus – a virus that mutates with every infection, making detection by the “signature” of the virus impossible.
Metamorphic virus – a virus that mutates with every infection. The difference is that it rewrites itself completely at each iteration, increasing the difficulty of detection.
VIRUS CLASSIFICATION by concealment strategy
Virus Kits – another weapon in the virus writers’ armory is the virus-creation toolkit
Macro Viruses
– are platform independent
– infect Microsoft Word documents or other Microsoft Office documents
– infect documents, not executable portions of code
– are easily spread. A very common method is by electronic mail.
E-Mail Viruses – a more recent development in malicious software is the email virus
If the recipient opens the email attachment, the Word macro is activated. Then
1. The e-mail virus sends itself to everyone on the mailing list in the user’s e-mail package.
2. The virus does local damage on the user’s system.
A worm is a program that can replicate itself and send copies from computer to computer across network connections.
WORMS
A bot (robot), also known as a zombie or drone, is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the bot’s creator.
BOTS
Distributed denial-of-service attacks: a DDoS attack is an attack on a computer system or network that causes a loss of service to users.
Spamming: with the help of a botnet and thousands of bots, an attacker is able to send massive amounts of bulk e-mail (spam).
Sniffing traffic: bots can also use a packet sniffer to watch for interesting cleartext data passing by a compromised machine.
USES OF BOTS
Keylogging: if the compromised machine uses encrypted communication channels, then just sniffing the network packets on the victim’s computer is useless because the appropriate key to decrypt the packets is missing. A keylogger on the bot captures the keystrokes themselves, before they are encrypted.
Spreading new malware: botnets are used to spread new bots.
Installing advertisement add-ons and browser helper objects (BHOs): botnets can also be used to gain financial advantages.
Attacking IRC chat networks: Botnets are also used for attacks against Internet relay chat (IRC) networks.
Manipulating online polls/games: Online polls/games are getting more and more attention and it is rather easy to manipulate them with botnets.
ROOTKITS
Rootkit - a set of programs installed on a system to maintain administrator (or root) access to that system.
Rootkits can be classified based on whether they can survive a reboot and execution mode.
A rootkit may be:
1. Persistent: Activates each time the system boots. The rootkit must store code in a persistent store, such as the registry or file system, and configure a method by which the code executes without user intervention.
2. Memory based: Has no persistent code and therefore cannot survive a reboot.
3. User mode: Intercepts calls to APIs (application program interfaces) and modifies returned results. For example, when an application performs a directory listing, the return results don’t include entries identifying the files associated with the rootkit.
4. Kernel mode: Can intercept calls to native APIs in kernel mode. The rootkit can also hide the presence of a malware process by removing it from the kernel’s list of active processes.
Rootkit Installation - unlike worms or bots, rootkits do not directly rely on vulnerabilities or exploits to get on a computer.
The following sequence is representative of a hacker attack to install a rootkit.
1. The attacker uses a utility to identify open ports or other vulnerabilities.
2. The attacker uses password cracking, malware, or a system vulnerability to gain initial access and, eventually, root access.
3. The attacker uploads the rootkit to the victim’s machine.
4. The attacker can add a virus, denial of service, or other type of attack to the rootkit’s payload.
5. The attacker then runs the rootkit’s installation script.
6. The rootkit replaces binaries, files, commands, or system utilities to hide its presence.
7. The rootkit listens at a port in the target server, installs sniffers or keyloggers, activates a malicious payload, or takes other steps to compromise the victim.
COMPUTER SECURITY TECHNIQUES
AUTHENTICATION
User Authentication - is the fundamental building block and the primary line of defense in most computer security environments. It is the basis for most types of access control and for user accountability.
(RFC 2828 definition) - the process of verifying an identity claimed by or for a system entity.
An authentication process consists of two steps:
• Identification step: Presenting an identifier to the security system.
• Verification step: Presenting or generating authentication information that validates the binding between the entity and the identifier.
IDENTIFICATION (example)
User          User Identifier   Password
Sara Bucayu   SJGSBUCAYU        12345
• The password is kept secret (known only to Sara and to the system).
• Sara’s user ID and password enable administrators to set up Sara’s access permissions and review or check her activity.
Identification is the means by which a user provides a claimed identity to the system.
User authentication is the means of establishing the validity of the claim.
AUTHENTICATION
4 General means of authenticating a user’s identity, which can be used alone or in combination:
MEANS OF AUTHENTICATION
1. Something the individual knows: Examples: password, personal identification number (PIN), or answers to a prearranged set of questions.
2. Something the individual possesses: Examples: electronic keycards, smart cards, and physical keys.
3. Something the individual is (static biometrics): Examples: recognition by fingerprint, retina, and face.
4. Something the individual does (dynamic biometrics): Examples: recognition by voice pattern, handwriting characteristics, and typing rhythm.
The system compares the password to a previously stored password for that user ID, maintained in a system password file. The password serves to authenticate the User ID of the individual logging on to the system.
PASSWORD-BASED AUTHENTICATION
USER ID Stored Password Password Input
Sara ●●●●●● ●●●●●●
The User ID provides security in the following ways:
• The ID determines whether the user is authorized to gain access to a system.
• The ID determines the privileges accorded to the user.
• The ID is used in what is referred to as discretionary access control.
A widely used password security technique is the use of hashed passwords and a salt value. This scheme is found on virtually all UNIX variants as well as on a number of other operating systems.
THE USE OF HASHED PASSWORDS
UNIX PASSWORD SCHEME
[Figure: UNIX password scheme. Labels in the figure: Salt Value, Password, Slow Hash Function. Sample values shown: 0219sjgbucayu, ae08wi930ks…]
The salt serves three purposes:
• It prevents duplicate passwords from being visible in the password file.
• It greatly increases the difficulty of offline dictionary attacks.
• It becomes nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them.
User ID   Salt Value   Password   Hashed Password
Sara      3982         12345      ae02thd403odk..
Rica      3210         12345      jd893sjs1qjz63j..
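The salt and slow-hash scheme above, as an added example that is not part of the original slides. PBKDF2-HMAC-SHA256 from the Python standard library stands in for the UNIX hash routine, and the iteration count, salt size and function names are assumptions made for the illustration. It shows the table's case: Sara and Rica both choose 12345, an unsalted hash exposes the duplicate, and the salted entries do not.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor; this is what makes the hash "slow"


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted slow hash (PBKDF2-HMAC-SHA256, used here in place of UNIX crypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_entry(user_id: str, password: str, salt: Optional[bytes] = None) -> dict:
    """Build one password-file entry; the salt is stored in the clear beside the hash."""
    salt = os.urandom(16) if salt is None else salt
    return {"user": user_id, "salt": salt, "hash": slow_hash(password, salt)}


def verify(entry: dict, candidate: str) -> bool:
    """Re-hash the typed password with the stored salt and compare in constant time."""
    return hmac.compare_digest(entry["hash"], slow_hash(candidate, entry["salt"]))


def unsalted(password: str) -> str:
    """Weak variant for contrast: a fast hash with no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def duplicate_groups(hashes: dict) -> list:
    """Return groups of user IDs whose stored hash values are identical."""
    groups = {}
    for user, value in hashes.items():
        groups.setdefault(value, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed sample: both users pick the password shown in the table.
PASSWORD_FILE = [new_entry("Sara", "12345"), new_entry("Rica", "12345")]


def demo() -> dict:
    weak = {e["user"]: unsalted("12345") for e in PASSWORD_FILE}
    salted = {e["user"]: e["hash"].hex() for e in PASSWORD_FILE}
    return {
        "weak_duplicates": duplicate_groups(weak),      # duplicate is visible
        "salted_duplicates": duplicate_groups(salted),  # duplicate is hidden
        "sara_ok": verify(PASSWORD_FILE[0], "12345"),
        "sara_wrong": verify(PASSWORD_FILE[0], "12346"),
    }


if __name__ == "__main__":
    print(demo())
```

Because each entry has its own salt, a dictionary of precomputed hashes has to be rebuilt per user, and each guess costs ITERATIONS hash operations.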
Since the original development of UNIX, most implementations have relied on the following password scheme:
*The most secure version of the UNIX hash/salt scheme was developed for OpenBSD, another widely used open source UNIX. This scheme uses a hash function based on the Blowfish symmetric block cipher.
Scheme                            Max Password Length   No. of Encryptions   Salt Value (Length)   Hash Value (Length)
DES Algorithm                     8 characters          25                   12 bits               64 bits
MD5 Secure Hash Algorithm         No limitation         1000                 48 bits               128 bits
Blowfish symmetric block cipher   55 characters                              128 bits              192 bits
UNIX IMPLEMENTATIONS
Tokens - Objects that a user possesses for the purpose of user authentication.
1. Memory Cards
Memory cards can store but not process data. The most common such card is the bank card with a magnetic stripe on the back. A magnetic stripe can store only a simple security code, which can be read by an inexpensive card reader.
TOKEN-BASED AUTHENTICATION
Potential drawbacks for memory cards:
• Requires special reader - This increases the cost of using the token and creates the requirement to maintain the security of the reader’s hardware and software.
• Token loss - A lost token temporarily prevents its owner from gaining system access.
• User dissatisfaction - Although users may have no difficulty in accepting the use of a memory card for ATM access, its use for computer access may be deemed inconvenient.
2. Smart Cards
• Physical characteristics: Smart tokens include an embedded microprocessor. A smart token that looks like a bank card is called a smart card. Other smart tokens can look like calculators, keys, or other small portable objects.
• Interface: Manual interfaces include a keypad and display for human/token interaction.
• Authentication protocol: The purpose of a smart token is to provide a means for user authentication.
Three categories of authentication protocols used with smart tokens:
1. Static
With a static protocol, the user authenticates himself or herself to the token and then the token authenticates the user to the computer.
2. Dynamic password generator
The token generates a unique password periodically. This password is then entered into the computer system for authentication, either manually by the user or electronically via the token.
3. Challenge-response
In this case, the computer system generates a challenge, such as a random string of numbers. The smart token generates a response based on the challenge.
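The dynamic password generator and challenge-response protocols above, with both the token side and the computer-system side, as an added example that is not part of the original slides. The slides name no algorithm; this sketch assumes a shared secret key, a time-step code computed the way RFC 4226/6238 do, and HMAC-SHA256 for the response. The class names, the sample key and the clock values are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import struct

DEMO_KEY = b"12345678901234567890"  # constructed sample key, never a real secret


class SmartToken:
    """Holds the secret shared with the computer system; the key never leaves it."""

    def __init__(self, key: bytes):
        self._key = key

    def dynamic_password(self, now: int, step: int = 30, digits: int = 6) -> str:
        """Dynamic password generator: a new code every `step` seconds."""
        counter = struct.pack(">Q", now // step)
        mac = hmac.new(self._key, counter, hashlib.sha1).digest()
        offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % 10 ** digits).zfill(digits)

    def respond(self, challenge: bytes) -> bytes:
        """Challenge-response: the answer is a keyed MAC over the challenge."""
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class HostSystem:
    """Computer-system side: issues challenges and checks what the token returns."""

    def __init__(self, key: bytes):
        self._verifier = SmartToken(key)  # host recomputes the same functions
        self._pending = set()             # challenges issued but not yet answered

    def check_dynamic_password(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, self._verifier.dynamic_password(now))

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # random, so old responses are useless
        self._pending.add(challenge)
        return challenge

    def check_response(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:   # unknown or already used: reject replay
            return False
        self._pending.discard(challenge)
        return hmac.compare_digest(response, self._verifier.respond(challenge))


def run_exchange() -> dict:
    token, host = SmartToken(DEMO_KEY), HostSystem(DEMO_KEY)
    now = 59                                  # constructed clock value (seconds)
    code = token.dynamic_password(now)
    challenge = host.new_challenge()
    response = token.respond(challenge)
    return {
        "code": code,
        "dynamic_ok": host.check_dynamic_password(code, now),
        "dynamic_stale": host.check_dynamic_password(code, now + 90),
        "response_ok": host.check_response(challenge, response),
        "replay_ok": host.check_response(challenge, response),
    }


if __name__ == "__main__":
    print(run_exchange())
```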
A biometric authentication system attempts to authenticate an individual based on his or her unique physical characteristics.
Different types of physical characteristics for user authentication:
1. Facial characteristics
Facial characteristics are the most common means of human-to-human identification.
BIOMETRIC AUTHENTICATION (STATIC)
2. Fingerprints
Fingerprints have been used as a means of identification for centuries, and the process has been systematized and automated particularly for law enforcement purposes.
3. Hand geometry
Hand geometry systems identify features of the hand, including shape, and lengths and widths of fingers.
4. Retinal pattern
The pattern formed by veins beneath the retinal surface is unique and therefore suitable for identification.
5. Iris
Another unique physical characteristic is the detailed structure of the iris.
6. Signature
Each individual has a unique style of handwriting, and this is reflected especially in the signature, which is typically a frequently written sequence.
7. Voice
Voice patterns are more closely tied to the physical and anatomical characteristics of the speaker.
BIOMETRIC AUTHENTICATION (DYNAMIC)
ACCESS CONTROL
An Access Control Policy dictates what types of access are permitted, under what circumstances, and by whom.
Access control policies are generally grouped into the following categories:
• Discretionary access control (DAC): Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do.
- Implemented using Access Control List (ACL).
- Default access control mechanism for most desktop operating systems
Windows ACL
• Mandatory access control (MAC): Controls access based on comparing security labels with security clearances. This policy is termed mandatory because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource.
• Role-based access control (RBAC): Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.
Users, Roles, and Resources
ROLE-BASED ACCESS CONTROL
ACCESS CONTROL POLICIES
INTRUSION DETECTION
Security intrusion: A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system without having authorization to do so.
Intrusion detection: A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
IDSs can be classified as follows:
• Host-based IDS: Monitors the characteristics of a single host and the events occurring within that host for suspicious activity
• Network-based IDS: Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity
INTRUSION DETECTION SYSTEM
An IDS comprises three logical components:
• Sensors – responsible for collecting data
• Analyzers – receive input from one or more sensors or from another analyzer
• User Interface – enables a user to view output from the system or control the behavior of the system.
Basic Principles of IDS:
False positives – authorized users identified as intruders
False negatives – intruders not identified as intruders
Two General Approaches to ID:
• Anomaly detection - Involves the collection of data relating to the behavior of legitimate users over a period of time
  - Threshold detection
  - Profile based
• Signature detection - Involves an attempt to define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder.
HOST-BASED INTRUSION DETECTION TECHNIQUES
A fundamental tool for intrusion detection is the audit record. Some record of ongoing activity by users must be maintained as input to an IDS.
AUDIT RECORDS
Two plans are used in Audit Records:
1. Native audit records - virtually all multiuser operating systems include accounting software that collects information on user activity.
Advantage: no additional collection software is needed
Disadvantage: may not contain the needed information or may not contain it in a convenient form
2. Detection-specific audit records - a collection facility can be implemented that generates audit records containing only that information required by the IDS.
Advantage: it could be made vendor independent and ported to a variety of systems
Disadvantage: extra overhead involved in having, in effect, two accounting packages running on a machine
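Threshold detection and signature detection run over detection-specific audit records, as an added example that is not part of the original slides. The record fields, the sample records, the rule and the limits are all constructed for the illustration. Lowering the threshold also shows the false-positive trade-off: a legitimate user who mistypes a password gets flagged.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class AuditRecord(NamedTuple):
    timestamp: int   # seconds since the start of the sample
    subject: str     # who acted
    action: str      # what was attempted
    obj: str         # what it was attempted on
    success: bool    # whether the system allowed it


# Constructed sample audit trail.
RECORDS = [
    AuditRecord(0, "sara", "login", "tty1", False),    # mistyped password
    AuditRecord(5, "sara", "login", "tty1", False),
    AuditRecord(9, "sara", "login", "tty1", True),
    AuditRecord(100, "guest", "login", "sshd", False),  # password guessing
    AuditRecord(110, "guest", "login", "sshd", False),
    AuditRecord(120, "guest", "login", "sshd", False),
    AuditRecord(130, "guest", "login", "sshd", False),
    AuditRecord(140, "guest", "login", "sshd", False),
    AuditRecord(200, "webapp", "read", "/etc/shadow", True),
    AuditRecord(300, "root", "read", "/etc/shadow", True),
]


def threshold_alerts(records, action="login", limit=3, window=60):
    """Anomaly (threshold) detection: subjects with more than `limit`
    failed `action` events inside any `window`-second span."""
    recent = defaultdict(deque)
    alerts = []
    for rec in sorted(records):
        if rec.action != action or rec.success:
            continue
        times = recent[rec.subject]
        times.append(rec.timestamp)
        while rec.timestamp - times[0] > window:   # drop events outside the window
            times.popleft()
        if len(times) > limit and rec.subject not in alerts:
            alerts.append(rec.subject)
    return alerts


# Signature detection: explicit rules describing behaviour treated as intrusive.
SIGNATURES = [
    ("password file read by non-root",
     lambda r: r.action == "read" and r.obj == "/etc/shadow" and r.subject != "root"),
]


def signature_alerts(records):
    """Return (rule name, subject) for every record matching a rule."""
    return [(name, rec.subject)
            for rec in sorted(records)
            for name, matches in SIGNATURES
            if matches(rec)]


if __name__ == "__main__":
    print(threshold_alerts(RECORDS))            # only the guessing run
    print(threshold_alerts(RECORDS, limit=1))   # stricter: sara becomes a false positive
    print(signature_alerts(RECORDS))
```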
MALWARE DEFENSE
• The ideal solution to the threat of viruses is prevention.
• The next best approach is to be able to do the following:
  - Detection
  - Identification
  - Removal
ANTIVIRUS APPROACHES
• Generic decryption (GD) technology enables the antivirus program to easily detect even the most complex polymorphic viruses while maintaining fast scanning speeds.
• A GD scanner contains the following elements:
  - CPU emulator
  - Virus signature scanner
  - Emulation control module
GENERIC DECRYPTION
• The digital immune system is a comprehensive approach to virus protection developed by IBM and subsequently refined by Symantec.
• The success of the digital immune system depends on the ability of the virus analysis machine to detect new and innovative virus strains. By constantly analyzing and monitoring the viruses found in the wild, it should be possible to continually update the digital immune software to keep up with the threat.
DIGITAL IMMUNE SYSTEM
Two major trends in Internet technology have had an increasing impact on the rate of virus propagation in recent years:
– Integrated mail systems: Systems such as Lotus Notes and Microsoft Outlook make it very simple to send anything to anyone and to work with objects that are received.
– Mobile-program systems: Capabilities such as Java and ActiveX allow programs to move on their own from one system to another.
• It integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions.
• It blocks potentially malicious actions before they have a chance to affect the system.
BEHAVIOR-BLOCKING SOFTWARE
Monitored behaviors can include:
• Attempts to open, view, delete, and/or modify files;
• Attempts to format disk drives and other unrecoverable disk operations;
• Modifications to the logic of executable files or macros;
• Modification of critical system settings, such as start-up settings;
• Scripting of e-mail and instant messaging clients to send executable content; and
• Initiation of network communications.
BEHAVIOR-BLOCKING SOFTWARE
Requirements for an effective worm countermeasure scheme:
• Generality
• Timeliness
• Resiliency
• Minimal denial-of-service costs
• Transparency
• Global and local coverage
WORM COUNTERMEASURE
• Intrusion Detection System
• Digital Immune System
But the primary objective is to try to detect and disable the botnet during its construction phase.
BOT COUNTERMEASURE
• Rootkits can be extraordinarily difficult to detect and neutralize, particularly so for kernel-level rootkits. Many of the administrative tools that could be used to detect a rootkit or its traces can be compromised by the rootkit precisely so that it is undetectable.
• Another approach is to do some sort of file integrity check. An example of this is RootkitRevealer, a freeware package from SysInternals.
• If a kernel-level rootkit is detected, by any means, the only secure and reliable way to recover is to do an entire new OS install on the infected machine.
ROOTKIT COUNTERMEASURE
DEALING WITH BUFFER OVERFLOW ATTACKS
There is consequently a need to defend systems against buffer overflow by either preventing them, or at least detecting and aborting such attacks.
2 Categories of Implementing Protections:
• Compile-time defenses
• Run-time defenses
BUFFER OVERFLOW ATTACK DEFENSE
Compile-time defense - aims to harden programs to resist attacks in new programs
Run-time defense - aims to detect and abort attacks in existing programs
Thank you…