Security and Technology (WM0823TU) Lecture 5-6: Information and ICT Security, threats, cybercrime risks and how to deal with them

Jan van den Berg

Faculty of Technology, Policy and Management

April 18, 2023 2

Course overview (still provisional…)

Week # | Date | Subjects | Lecturer
35 (1) | Tuesday August 31 | introduction: the risk society and the goals of the security & technology course | JvdB
36 (2) | Monday September 6 | refresh first lecture; financial risks: dealing with market risk: Assignment 1 | JvdB
36 (3) | Wednesday September 8 | financial risks cont.: dealing with credit risk, operational risk, … | JvdB
37 (4) | Monday September 13 | risk analysis of the infrastructure Internet, an analysis framework: Assignment 2 | JvdB
37 (5) | Wednesday September 15 | information security: an introduction | JvdB
38 (6) | Monday September 20 | information security: threats, cybercrime, and how to deal with them: Assignment 3 | JvdB
38 (7) | Wednesday September 22 | a topic from safety science | Ben Ale
39 (8) | Monday September 27 | information quality in public safety networks | NB
39 (9) | Wednesday September 29 | securing the supply chain: some case studies | JvdB/YT??
40 (10) | Monday October 4 | calculation techniques for risk analysis in river- and coastal engineering | PvG
40 (11) | Wednesday October 6 | reliability of software, human factors, and their lessons for the management of the Maeslant storm surge barrier | JvdB
41 (12) | Monday October 11 | wrap-up, preparation for the final examination | JvdB

April 18, 2023 3

Motivation: role of ICT in our society

• ICT is an enabling technology for data/information provision: delivery of the right data and information at the right place, at the right time, to the right person (e.g., in finance, supply chain security, dealing with crises, public safety, …) → information security (the term ‘information safety’ is not in use)

• Certain ICT facilities, including the Internet, can be considered a critical infrastructure, the security and safety of which should be conserved → Internet security

• ICT is of importance for individuals and for society as a whole: in economics, information is sometimes even termed the 4th production factor (ex.: news steers stock price dynamics!)

• Summarizing, there is a need for information and ICT security management (including the Internet)

April 18, 2023 4

Agenda

• Background and Conceptualization
  • Information Security
  • ICT Security

• Intentional threats = Hacking attacks: how does it work?
• Other cybercrime threats
• Dealing with the threats
  • Information Security Measures & Management
  • Internet Security Measures & Management

• Assignment of the week
• References

Information Security defined

• Most common definition: Information Security = Computer Security = ICT Security (this is different from the SRMBoK book!!)

• Information Security (IS) is about the safety & security features/requirements/values (CIAA)
  • Confidentiality (access to information for authorized entities/identities only)
  • Integrity (safeguarding accuracy and completeness of information and processing methods)
  • Availability (ensuring access to data and information when required)
  • Accountability (ensuring that each action is linked unambiguously to its initiator) (accountable = ‘verantwoordelijk’ in Dutch)

• Note: this is a very technical perspective: the content/meaning of information is not considered! Issues like correctness of source data, their effectiveness, human privacy, etc. are outside the scope of IS.

April 18, 2023 5

Information Security defined, SRMBoK

Section 7.5: ICT security
• 7.5.5 focuses on ICT security defined in terms of the preservation of CIA (like the BS7799 and its followers)
• 7.5.6 discusses some basic threats

Section 7.6: Information security
• 7.6.1 focuses on Information security defined in terms of the preservation of CIA and, in addition, utility or usefulness, authenticity or non-repudiation (= accountability), and control or possession
• 7.6.2 discusses the information lifecycle
• 7.6.3 discusses some vulnerabilities
• 7.6.4 discusses classification of information, also important in non-ICT world

April 18, 2023 6

7.6.4 Information Classification

• Information should be classified in a certain way such that people are only authorized to access (read, write and execute) certain data, information and programs

• Big organizations often apply role-based access control where rights are linked to the different roles people do have: a hard problem to keep it simple (why?)

• In governments and military organizations, a hierarchical model like the Bell-LaPadula model is often applied with strict read and write rules in a hierarchical setting of document flows: ‘no read-up’ and ‘no write-down’ are two basic principles (can you explain them?).
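
The two rules named above, written out as a small reference monitor. This is an added example, not part of the original slides: the level names, the compartments (a generalization beyond the slide) and the sample subjects and documents are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Assumed hierarchy for illustration; the slide names no concrete levels.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset = frozenset()  # need-to-know categories (generalization)

    def dominates(self, other: "Label") -> bool:
        """self >= other: level at least as high AND compartments a superset."""
        return self.level >= other.level and self.compartments >= other.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property, 'no read-up': the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property, 'no write-down': the object must dominate the subject."""
    return obj.dominates(subject)


def mediate(subject: Label, op: str, obj: Label) -> str:
    """Reference-monitor decision for a single request."""
    if op == "read":
        return "permit" if can_read(subject, obj) else "deny: read-up"
    if op == "write":
        return "permit" if can_write(subject, obj) else "deny: write-down"
    return "deny: unknown operation"


def leak_path_exists(subject: Label, source: Label, sink: Label) -> bool:
    """Can one subject copy data from source into sink?

    That needs read(source) and write(sink). With both rules enforced this
    is only possible when sink dominates source, so information (even when
    copied by a Trojan horse running with the subject's rights) never flows
    to a lower classification.
    """
    return can_read(subject, source) and can_write(subject, sink)


if __name__ == "__main__":
    analyst = Label(Level.SECRET, frozenset({"ops"}))      # constructed subject
    plan = Label(Level.SECRET, frozenset({"ops"}))         # constructed documents
    newsletter = Label(Level.UNCLASSIFIED)
    war_diary = Label(Level.TOP_SECRET, frozenset({"ops"}))
    for op, obj in [("read", newsletter), ("read", war_diary),
                    ("write", newsletter), ("write", war_diary)]:
        print(op, obj.level.name, "->", mediate(analyst, op, obj))
    print("plan -> newsletter leak possible:",
          leak_path_exists(analyst, plan, newsletter))
```
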

April 18, 2023 7

7.6.5 Intellectual Property Rights

• Intellectual property is a term referring to a number of distinct types of creations of the mind for which property rights are recognised—and the corresponding fields of law.

• Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets, such as musical, literary, and artistic works; discoveries and inventions; and words, phrases, symbols, and designs.

• Common types of intellectual property include copyrights, trademarks, patents, industrial design rights and trade secrets in some jurisdictions.

April 18, 2023 8

April 18, 2023 9

Information Security: why and how?

• Why information security? (as part of Business Continuity)
  • To prevent/reduce/minimize damage to the ‘business’ ~ minimize expected losses: often hard to quantify!
  • To be compliant: SOX, Basel II, Tabaksblat, …

• Solution: What can we do?
  • Physical/Logical (20%), and Organizational measures (80%) of preventative, corrective and repressive character at a strategic, tactical and operational level

• Implementation of ISM: how to do it in practice?
  • Using Best Practices like ISO-17799, ITIL, COBIT, SPRINT, … (not available for free: BS7799 is on BB!) which include all above-given types of measures…

April 18, 2023 10

Framework of Thinking: repetition

• Information Security (IS) is about the four generic safety & security features/requirements/values (CIAA)
  • Confidentiality (access to information for authorized entities/identities only)
  • Integrity (safeguarding accuracy and completeness of information and processing methods)
  • Availability (ensuring access to data and information when required)
  • Accountability (ensuring that each action is linked unambiguously to its initiator)

April 18, 2023 11

Framework of Thinking, cont.

• Security Services (SSs) are functions that enhance the security requirements of an information system (i.e., the probability that an IS is in a secure state)

• Example SSs are identification, authentication, authorization, (role-based) access control, certification, digitally signing, time stamping, non-repudiation, data hiding, availability enhancement

• A threat is a potential violation of information security which, by exploitation of vulnerabilities, may result in security incidents

• Intentional actions that could violate IS are often termed attacks

• Initiators of attacks are termed attackers, crackers, script-kiddies, white hats, black hats, … see further below

April 18, 2023 12

Security requirements and some security services for enabling secure communication

April 18, 2023 13

Framework of Thinking, cont.

• A security mechanism or control (preventive, detective or corrective) is a measure/method/tool or procedure for implementing a security service

• Examples are login software, encryption/decryption tools, segregation of duties, defining a security policy, incident management procedures, identification of risks from a third party, user training, physical entry controls, backing-up of data, clear desk/screen policy, controls against malicious software, user registration, forcing correct use of passwords, intrusion detection, system recovery procedures

• Security is only as strong as the weakest link in the chain, so security is a matter of degree: there is no 100% secure system!

Example: implementing access control

• Security service Access Control at a computer system, banking system, public transport system, etc. is built up from several other security services
  1. Identification using user id (implemented by security mechanisms like a login name, email address, banking or other pass), usually not secret
  2. Authentication: implemented by security mechanisms like ‘what you know’ (e.g., password), AND/OR ‘what you have’ (e.g., chipcard, banking pass, digipass), AND/OR ‘what you are’ (fingerprint, iris scan, DNA-string), AND/OR ‘where you are’…
  3. Authorisation: giving the authenticated user (possibly, in a specific role) access to system services based on a security mechanism like a (possibly role-based) ‘authorization matrix’

• Other examples will follow below (in section “dealing with the threats”)

April 18, 2023 15

ICT as infrastructure: from Internet to WWW and Semantic Web

• ARPA network: network with basic communication functionality (like TCP/IP) in the 1960s

• 1991: Tim Berners-Lee at CERN (Geneva) has the idea of connecting information sources using links (defined by URLs); this results in the World Wide Web

• Business/government/individuals take up the challenge → e-business, e-government, social networks, etc.

• Development of the browser made the Internet accessible to anyone; this includes hackers

• Future: Semantic Web making the WWW a smart Web for data, information and knowledge exchange (http://en.wikipedia.org/wiki/Semantic_Web )

April 18, 2023 17

Hackers terminology [2]

• White hackers, gurus or wizards: hackers having specialist IT-knowledge to be used legally with best intentions (e.g., information security experts)

• Black hats or crackers: hackers with illegal intentions (e.g., distribution of copyrighted software, trying to shut down systems with distributed-denial-of-service (ddos) attacks)

• Script kiddies
  • (often young) people without technical knowledge having bad intentions;
  • use available cracking software, often just for fun

• Grey hats or ethical hackers: illegal activities with best intentions (e.g., penetration in systems and making this public)

April 18, 2023 18

Hacking: how does it work?

From a technical perspective

• Internet software (TCP/IP) uses so-called ports for connection purposes

• Actually, more than 65000 port numbers are in use: e.g., email uses port 25, web pages use port 80 (behind ports you often find servers that answer requests from clients like a browser)

• Port scanners check (by sending IP-packets) whether certain ports have open access: see e.g. www.insecure.org/nmap/

• Vulnerability scanners look for vulnerabilities, e.g. in the software used (old software that has not been patched): see e.g. www.nessus.org

• Packet sniffers (or protocol analyzers) look at the content of incoming/outgoing IP-packets, e.g. to look for passwords: see e.g. www.ethereal.com

April 18, 2023 19

Hacking : how does it work?, cont.

• Best known vulnerability is buffer overflow: a short program is placed in an unprotected memory location such that the computer starts to execute this code…

• Identification of ‘all known exploits’ (techniques to exploit vulnerabilities) is not difficult: available on the Ethical Hacker Network

• Virus and other malicious programs (malware) may exploit these vulnerabilities: there exist many types!

• Password guessing software discovers passwords of users

April 18, 2023 20

Malicious programs [3]

April 18, 2023 21

Malicious programs, cont.

• There exists malicious software of many types, often
  • as part of other software and
  • distributed via the WWW

• A taxonomy of malicious software:
  • independent replicating bacteria: they just reproduce exponentially, taking up all resources
  • independent worms: once active, they replicate themselves using email, remote login or remote execution software; in addition, they perform a ‘certain action’
  • zombies: a zombie is a program that secretly takes over another Internet-attached computer to launch difficult-to-trace attacks

April 18, 2023 22

Dependent malicious software

• Dependent software needs a host program:
  • trap doors: gain unauthorized access using a certain input sequence (built-in by programmers: ctrl-alt-del is a good, secure example);
  • logic bombs: embedded code that ‘explodes’ under special circumstances (a time or date e.g.)
  • Trojan horses: embedded code in an apparently useful routine
  • viruses: infect other executables; the corresponding code is embedded (resulting in an identifiable piece of code)

• For more details, see [3]

April 18, 2023 23

Other technical hacking practices

• war driving: looking for non-encrypted WIFI networks using a laptop and a car: see e.g. http://wifiscanner.sourceforge.net/

• social engineering is about misleading people (here by letting them activate certain pieces of software or provide sensitive data including passwords) based on
  • pretending authority (being the responsible computer system manager) or being a friend or colleague
  • flirting and flattering
  using personal conversation, spam (see slide 27), phishing and/or pharming (see next slide), …

April 18, 2023 24

Phishing and Pharming

• Phishing
  • Ask for confidential data like passwords
  • Ask for clicking on a hyperlink that imitates a well-known bank or other system’s website where the user has to fill in confidential data
  • Very many phishing attacks currently occur

• Pharming (sophisticated type of phishing)
  • Even if the user types the correct name like www.abnamro.nl, the user is re-routed without knowing this…

April 18, 2023 25

Hacking : having entered, what’s next?

• White hackers are done… (they have got their kick from being capable of entering the system)

• Black and ethical hackers start collecting valuable information

• Script kiddies are often just interested in ‘defacing web sites’…

• Professional hackers remove traces and/or create a back door for future use…

April 18, 2023 27

Spam

• Sending spam is cheap and success rate is not low: +/- 20% of people have at least once bought stuff based on spam email [2]

• First spam was already sent in the 1970s…

• Collecting email addresses is facilitated by spiders (see, e.g., www.massmailsoftware.com/extractweb )

• Measures against spam (not always very effective…!)
  • Filtering against blacklist (refuse) and white list (accept)
  • Bayesian filtering: look for similarities
  • …

• Penalties can be high: up to 20.000 euro in the Netherlands!

April 18, 2023 28

DoS attacks, mail bombs and more

• 1990s: Internet would make the world a better place…

• March 2000: dotcom bubble bursts (by non-technical threats): NASDAQ collapses from 5048,62 to 1114,11 in October 2002 (did we forget something in the recent history??)

• Anyway, the Internet is simply not a safe place: DoS (denial-of-service) attacks by
  • sending many packets: IP-spoofing (other computers are requested to send messages to one single computer, an example of distributed DoS (DDoS) attacks)
  • destabilization: packets that make computers crash
  • true warfare: physical bombs or bullets

April 18, 2023 29

Attacking crucial parts of the Internet

• Domain Name System: originally 13 root servers (see http://www.root-servers.org/ for those and other important servers; see also http://www.isoc.org/briefings/ )

• October 21 2002: 9 of 13 root servers suffered from a ddos attack!!

• Are we approaching ‘zero day’? Some experts do think so, see e.g. http://www.pewinternet.org/Infographics/The-Future-of-the-Internet-I.aspx

• Another ‘single-point-of-failure’: Amsterdam Internet Exchange (AMS_IX), 2nd biggest Internet junction in the world http://nl.wikipedia.org/wiki/Amsterdam_Internet_Exchange

Cybercrime in the Netherlands [2]

• August 1985, phone number database of PTT (KPN) is entered by two Dutch hackers: 008-database is protected with the easy-to-guess password ‘008’…

• 1989: 1st publication of techno-anarchistic journal ‘Hack-Tic’

• 1992: ‘Hack-Tic’ decides to become an ISP based on telephone lines hired from the ‘enemy’, the PTT (KPN)

• 1994: ISP activities of Hack-Tic are bundled in XS4ALL

• 1998: KPN Telecom buys XS4ALL, the anarchists have changed their role from hackers to business men…

April 18, 2023 32

IS Management = set of best practices

• No ready-to-use solution is available!

• Concerns a set of best practices, e.g., the BS7799 [1] (now an ISO standard with # 17799): “BS 7799-1 was first issued in 1995 to provide a comprehensive set of controls comprising best practices in information security”

• BS7799 distinguishes 10 categories: security policy, security organization, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management, compliance

April 18, 2023 33

Information security: risk analysis and response

• preventive measures relate to
  • taking away threats (e.g., hackers)
  • minimization of vulnerabilities (e.g., repairing software errors, use of strong keys when using encryption)

• detective measures relate to
  • discovery of IS incidents (e.g. virus scan, intrusion detection) in order to minimize the impact based on relieving measures (e.g., data saving & system shut down)

• corrective measures relate to
  • return to business-as-usual state (based on repair or use of backup facilities)

[Figure labels: Threat, Incident, Damage, Recovery; Preventive measures, Detective measures, Corrective measures]

Risk analysis in the business: look at information dependence of the critical processes

Basic steps of an information security maturity assessment:

Hacking: taking measures

• Preventively taking away threats caused by hackers, knowing that
  • hackers act anonymously on the Internet
  • they collect their hacking software from the same Internet
  • no worldwide central authorities exist,
  • Internet crime is often part of the ‘organized crime’, …
  is a hard task and sometimes impossible

• Next to preventive, we need many detection and recovery measures

• Some things we can do:
  • secure the systems (e.g., separate internal network from Internet): see below
  • make their users aware of risks (see also below)
  • start investigations to understand the problems: bureaus digitale expertise (experts within Dutch police organization)
  • start forensic research (concerns ‘truth-finding in criminal proceedings’), e.g., by the ‘mining’ of all kinds of data sources (NFI)
  • involve society: meldpunt computercriminaliteit (computer crime reporting centre)
  • deter hackers by imposing high penalties and long imprisonments: wet computercriminaliteit (Dutch Computer Crime Act)

April 18, 2023 36

Technical Security Measures (from the BS7799 categories)

• Physical security (not elaborated here)

• System and Network (S&N) Security

• Access control (identification, authentication, authorization)

• Development (~ software engineering) and Maintenance (not elaborated here)

April 18, 2023 37

System & Network Security

• IT Systems' security is part of information security management; it consists of a balanced set of controls based on best practices, e.g.,
  • IT-infrastructure (software and hardware): how to keep the systems up and running, e.g., against earthquakes and DDOS-attacks?
  • Firewalls and Intrusion Detection systems (problem of false positives)
  • Access control and Authorization
  • Email and Web Security
  • Critical updates
  • Anti-virus software and vulnerability testing
  • Back-ups and overtaking places

April 18, 2023 38

Infrastructure: segmentation

• Demilitarized Zones (DMZs), at least one
  • Situated between 'hostile' outside network (Internet) and internal network: protected by firewalls and monitored
  • Access to each DMZ should be explicitly authorized

• DMZs can be structured in a multi-level hierarchy
  • first level: publicly accessible services like web server, DNS, mail servers
  • second level: database services only accessible to application servers from the first level DMZ

• Internal network may be protected by a separate firewall

April 18, 2023 39

Example architecture

April 18, 2023 40

Connections' control

• Here done by a firewall having 5 network interfaces

• Depending on the security policy, implemented using
  • source and destination of requests
  • protocol used
  the firewall should (not) admit specific data traffic

• Correct and safe firewall configuration is essential

• Preferably, firewalls apply Network Address Translation where internal addresses are used in the internal network (see: http://www.vicomsoft.com/knowledge/reference/nat.html )
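
A firewall policy of the kind described on the segmentation and connections' control slides, as an added example that is not part of the original lecture: rules match on source zone, destination zone and protocol/port, anything unmatched is denied, and an audit function checks the rule set against the multi-level DMZ hierarchy. Zone names, address ranges and the database port 5432 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (documentation and private ranges).
ZONES = {
    "dmz1": ipaddress.ip_network("192.0.2.0/24"),     # web, DNS, mail servers
    "dmz2": ipaddress.ip_network("10.0.2.0/24"),      # database services
    "internal": ipaddress.ip_network("10.0.10.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; everything unknown is the 'hostile' Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    protocol: str
    dst_port: int
    action: str  # "allow" or "deny"


POLICY = [
    Rule("internet", "dmz1", "tcp", 80, "allow"),   # web pages
    Rule("internet", "dmz1", "tcp", 25, "allow"),   # email
    Rule("internet", "dmz1", "udp", 53, "allow"),   # DNS
    Rule("dmz1", "dmz2", "tcp", 5432, "allow"),     # application server -> database
    Rule("internal", "dmz1", "tcp", 80, "allow"),
]

# Zone pairs that the multi-level hierarchy permits at all.
PERMITTED_FLOWS = {("internet", "dmz1"), ("dmz1", "dmz2"),
                   ("internal", "dmz1"), ("internal", "internet")}


def decide(src: str, dst: str, protocol: str, dst_port: int, policy=POLICY) -> str:
    """First matching rule wins; no match means deny (explicit authorization only)."""
    key = (zone_of(src), zone_of(dst), protocol, dst_port)
    for rule in policy:
        if (rule.src_zone, rule.dst_zone, rule.protocol, rule.dst_port) == key:
            return rule.action
    return "deny"


def audit(policy) -> list:
    """Return allow-rules that skip a level, e.g. Internet straight to the database DMZ."""
    return [r for r in policy
            if r.action == "allow" and (r.src_zone, r.dst_zone) not in PERMITTED_FLOWS]


if __name__ == "__main__":
    print(decide("203.0.113.9", "192.0.2.10", "tcp", 80))    # Internet -> web server
    print(decide("203.0.113.9", "10.0.2.5", "tcp", 5432))    # Internet -> database
    print(decide("192.0.2.10", "10.0.2.5", "tcp", 5432))     # web server -> database
    risky = POLICY + [Rule("internet", "dmz2", "tcp", 5432, "allow")]
    print(audit(risky))
```
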

April 18, 2023 41

Access Control and Authorization

• Usually three steps
  • Identification, e.g., an id or name (sometimes on a card)
  • Authentication, usually based on
    (i) what you know (a key word or access code) and/or
    (ii) what you have (passport or other (e-)card) and/or
    (iii) who you are (finger, iris, dna) and/or
    (iv) where you are (each moment in time) (e.g., you cannot be at two places at the same time nor travel faster than the velocity of light …)
  • Authorization, e.g., based on a role-based access control matrix where your current role defines your current access rights

April 18, 2023 42

Dealing with spam

• Sending spam is cheap and success rate is not low: +/- 20% of people have at least once bought stuff based on spam email [2]

• First spam was already sent in the 1970s…

• Collecting email addresses is facilitated by spiders (see, e.g., www.massmailsoftware.com/extractweb )

• Measures against spam (not always very effective…!)
  • Filtering against blacklist (refuse) and white list (accept)
  • Bayesian filtering: look for similarities
  • …

• Penalties can be high: up to 20.000 euro in the Netherlands!

April 18, 2023 43

Role of Cryptography, some examples

• Authorization: cryptography can help to verify correctness of pincodes or passwords by applying a ‘message digest’: passwords (together with id-information) are stored in a ‘hashed way’ (so the original pincode is not stored!!); more details are here

• Cryptography can also be used to implement confidentiality, integrity, non-repudiation by using
  • private key cryptography, usually in combination with
  • public key cryptography
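
The three access-control steps from the earlier slides (identification, authentication, authorization) combined with the hashed password storage described above, as an added example that is not part of the original lecture. User names, roles, the authorization matrix and the PBKDF2 iteration count are assumptions; a salted, iterated hash stands in for the plain ‘message digest’ of the slide.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated digest; only this value is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(store: dict, user_id: str, password: str, role: str) -> None:
    salt = os.urandom(16)  # per-user salt: equal passwords give different digests
    store[user_id] = {"salt": salt, "digest": hash_password(password, salt), "role": role}


# Role-based authorization matrix (constructed): role -> resource -> rights.
AUTHZ_MATRIX = {
    "teller": {"accounts": {"read"}},
    "manager": {"accounts": {"read", "write"}, "audit_log": {"read"}},
}

_DUMMY_SALT = os.urandom(16)


def authenticate(store: dict, user_id: str, password: str):
    """Steps 1 and 2. Returns the user's role, or None on any failure."""
    record = store.get(user_id)                       # identification
    salt = record["salt"] if record else _DUMMY_SALT
    candidate = hash_password(password, salt)         # computed even for unknown ids,
    expected = record["digest"] if record else bytes(len(candidate))  # so timing is alike
    matches = hmac.compare_digest(candidate, expected)  # constant-time comparison
    return record["role"] if (record and matches) else None


def authorize(role: str, resource: str, right: str) -> bool:
    """Step 3: look the request up in the matrix; anything not listed is refused."""
    return right in AUTHZ_MATRIX.get(role, {}).get(resource, set())


def access(store: dict, user_id: str, password: str, resource: str, right: str) -> str:
    role = authenticate(store, user_id, password)
    if role is None:
        # Same answer for "unknown user" and "wrong password".
        return "denied: authentication failed"
    if not authorize(role, resource, right):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse", "teller")   # constructed account
    print(access(users, "alice", "correct horse", "accounts", "read"))
    print(access(users, "alice", "correct horse", "accounts", "write"))
    print(access(users, "alice", "guess", "accounts", "read"))
    print(access(users, "mallory", "guess", "accounts", "read"))
```
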

April 18, 2023 44

Public and Private Key Cryptography

• Private key cryptography: two communicating parties encrypt and decrypt data using the same, secret key → there is a key distribution problem
  • applications: ensuring C and I (from CIAA)

• Public key cryptography: two communicating parties encrypt and decrypt data using two complementary keys, one public key for encryption and one secret key for decryption or digital signing
  • applications: secret key exchange for applying private key cryptography, digital signatures → need for digital certificates binding public keys uniquely to individuals (signed by trusted third parties)

• For more details, see e.g. [3]

45

Symmetric-key algorithms

• In conventional cryptography, one key k is used both for encryption (E) of plaintext P and decryption (D) of ciphertext C:

$C = E_k(P)$, $P = D_k(C)$

• Examples: old DES algorithm and new AES algorithm

46

Public-key Cryptography: theory

• In 1976, (code rebels) Diffie and Hellman proposed the idea of using different keys for encryption and decryption

• More formally:

$C = E_k(P)$, $P = D_{k'}(C)$

where
  • the private key k' cannot be derived from the public key k
  • the private key k' cannot be found by a ‘chosen plaintext attack’

• However, they did not offer an implementation!

• In 1977, Rivest, Shamir and Adleman (RSA) offered a successful one (see below)

47

Advantages of PK Cryptography

• Communication partners not knowing each other (like you and ‘Amazon’) can send secure messages to each other provided
  • the secret key is really kept secret by its owner
  • the public key is unambiguously linked to its owner (can be established based on a chain of trust: remember the way you are unambiguously linked to the person mentioned in your passport!!)
  Exercise: prove this statement!

• Messages can be electronically signed enabling the implementation of non-repudiation (see below)

48

RSA (1)

• Rivest, Shamir, and Adleman proposed the first public key algorithm, termed the RSA algorithm:

1. Choose two large primes, p and q (typically > 10^120, sic!)
   Simple example: p = 3, q = 11
2. Compute n = p x q and z = (p - 1) * (q - 1)
   Here, n = 33, z = 20
3. Choose a number called d, ‘relatively prime’ to z, i.e., d and z may not have common factors
   Here, we choose d = 7

49

RSA (2)

4. Find an f such that f x d = 1 mod z, i.e., dividing f x d by z should yield a remainder of 1
   Here, solve 7f = 1 mod 20 → f = 3.
5. Encryption is done by calculating $C = P^f \pmod{n}$
   To do so, plaintext is 'coded', e.g., a = 1, b = 2, c = 3, d = 4, e = 5, etc. To encrypt an ‘e’, we calculate 5^3 (mod 33) = 125 (mod 33) = 26 = cipher text C
6. Decryption is done by calculating $P = C^d \pmod{n}$
   Here: 26^7 (mod 33) = 8031810176 (mod 33) = 5 = P, so we recovered the ‘e’!!
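
The six RSA steps carried through in code with the slide's own numbers (p = 3, q = 11, d = 7), as an added example that is not part of the original lecture. It goes slightly beyond the slides by also signing a value (the non-repudiation use mentioned earlier) and by showing why such a small n gives no security; the function names are this example's own.

```python
from math import gcd, isqrt


def modinv(a: int, m: int) -> int:
    """Step 4: find x with a*x = 1 (mod m) using the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("no inverse: the numbers share a common factor")
    return old_s % m


def make_keys(p: int, q: int, d: int):
    """Steps 1-4 in the slide's notation: public key (f, n), private key (d, n)."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    return (modinv(d, z), n), (d, n)


def encrypt(P: int, public) -> int:
    f, n = public
    if not 0 <= P < n:
        raise ValueError("plaintext number must be smaller than n")
    return pow(P, f, n)          # step 5: C = P^f mod n


def decrypt(C: int, private) -> int:
    d, n = private
    return pow(C, d, n)          # step 6: P = C^d mod n


def sign(m: int, private) -> int:
    d, n = private
    return pow(m, d, n)          # only the holder of d can produce this value


def verify(m: int, signature: int, public) -> bool:
    f, n = public
    return pow(signature, f, n) == m


def encode(text: str) -> list:
    """The slide's coding: a = 1, b = 2, c = 3, ..."""
    return [ord(ch) - ord("a") + 1 for ch in text]


def recover_private(public):
    """With a tiny n, trial division factors it and the private key follows.
    This is why p and q must be very large primes."""
    f, n = public
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return modinv(f, (p - 1) * (n // p - 1)), n
    raise ValueError("n has no small factor")


if __name__ == "__main__":
    public, private = make_keys(3, 11, 7)
    print("public", public, "private", private)
    print("'e' ->", encrypt(5, public), "->", decrypt(26, private))
    # Letter-by-letter encryption is deterministic: equal letters give equal
    # ciphertext, so it behaves like a simple substitution cipher.
    print("hello ->", [encrypt(x, public) for x in encode("hello")])
    print("signature on 5:", sign(5, private), verify(5, sign(5, private), public))
    print("private key recovered from public key:", recover_private(public))
```
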

April 18, 2023 50

Install critical updates

• Weaknesses in Operating Systems (Windows) and Applications are common → download critical updates automatically

• Activate "Automatic Updates":

April 18, 2023 51

Install critical updates, cont.

April 18, 2023 52

Anti-virus/anti-malicious software

• Install McAfee/AVG/… software

• Let system automatically look for new anti-virus updates: the standard of today

April 18, 2023 53

Apply vulnerability testing

• Playing the role of white hacker, attacker or script-kiddy:

April 18, 2023 54

Apply vulnerability testing, cont.

April 18, 2023 55

Back-ups

• The need of making back-ups needs no further explanation

• Outsourced Automatic Back-up services are available

• Idem: need for 'overtaking places' = back-up systems

April 18, 2023 56

Intrusion detection

• Network-based and Host-based Intrusion Detection

• Two general approaches
  • statistical anomaly detection: threshold based (using frequency of occurrences) or profile based (compare credit card fraud)
  • rule-based detection: anomaly = deviation from previously used patterns

• Intelligent intrusion detection is still a very hard problem:
  • need for learning systems
  • need for decision making based on multi-sensor data to avoid too many false positives
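
Threshold-based and profile-based statistical anomaly detection side by side, as an added example that is not part of the original lecture. The log format, the accounts and the per-user history are constructed; the data is chosen so that the fixed threshold raises a false positive on a noisy but normal account and misses the account that actually deviates from its own profile.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed authentication log for one day.
LOG_LINES = (
    [f"2010-09-20T02:{m:02d} user=backup result=FAIL" for m in range(12)]
    + [f"2010-09-20T09:{m:02d} user=alice result=FAIL" for m in range(6)]
    + ["2010-09-20T09:30 user=alice result=OK",
       "2010-09-20T10:05 user=bob result=FAIL",
       "2010-09-20T10:06 user=bob result=OK"]
)

# Constructed profile: failed logins per user on five earlier days.
HISTORY = {
    "backup": [10, 12, 11, 13, 12],   # misconfigured job, fails every night
    "alice": [0, 1, 0, 0, 1],
    "bob": [1, 0, 2, 1, 0],
}

LINE_RE = re.compile(r"user=(\w+) result=(OK|FAIL)$")


def failed_logins(lines) -> Counter:
    """Count failed logins per user; lines that do not parse are ignored."""
    counts = Counter()
    for line in lines:
        match = LINE_RE.search(line)
        if match and match.group(2) == "FAIL":
            counts[match.group(1)] += 1
    return counts


def threshold_alerts(counts, limit: int = 10) -> list:
    """Threshold based: the same fixed frequency limit for every account."""
    return sorted(user for user, n in counts.items() if n > limit)


def profile_alerts(counts, history, k: float = 3.0, min_sigma: float = 0.5) -> list:
    """Profile based: alert when today's count exceeds the account's own
    mean + k standard deviations. min_sigma keeps a very regular history
    from turning every small change into an alert."""
    alerts = []
    for user, n in counts.items():
        past = history.get(user)
        if not past:
            alerts.append(user)      # no baseline at all: report for review
            continue
        sigma = max(pstdev(past), min_sigma)
        if n > mean(past) + k * sigma:
            alerts.append(user)
    return sorted(alerts)


if __name__ == "__main__":
    today = failed_logins(LOG_LINES)
    print("failed logins today:", dict(today))
    print("threshold alerts:", threshold_alerts(today))      # noisy account only
    print("profile alerts:  ", profile_alerts(today, HISTORY))
```
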

Last but not least: execute awareness programs

• All technical measures (may) fail in case users are not aware of the risks and behave accordingly… (do you also lock your computer when leaving the room?) (do you have a clean desk policy?)

• Awareness programs concern 40% of the information security investment costs

April 18, 2023 58

Research topics related to Information and Internet Security

• Ideally: Integrated Security in a Networked World

• Technical topics
  • managing your private information
  • biometric authentication
  • security of mobile applications
  • security on the Semantic Web
  • implementing role-based access control

• Organizational topics
  • costs-benefits analysis of security programs
  • where to save biometric data?
  • from accountancy to e-accountancy
  • efficiently estimating the security level needed
  • governance of Internet: a hot topic of research! (see ECP.nl)

Assignment 3: choose one of the following small group assignments

1. Explain the working of the RSA algorithm by constructing an example: show all calculations by using Excel. Also describe
   a) the strength of this algorithm (which relates to the length used for the keys) and
   b) the underlying mathematics

2. To implement digital confidentiality, integrity and non-repudiation, etc. a Public Key Infrastructure (PKI) should be set up based on certificates and Certifying Authorities. Describe the structure and working of a PKI, and analyse critically the chain of trust of examples of PKIs that are in use.

Assignment 3, cont.

3. Do a literature review to collect information on how the Netherlands and/or the European community deals with the hacking problem: describe threats, vulnerabilities and all kinds of measures that are taken at national and international level: find your own scope

4. Like #3 above: focus on the work by the police and international security organizations (like the AIVD in the Netherlands) to track and trace hackers (individuals and members of organized crime like the mafia)

April 18, 2023 63

References

[1] BS7799: available in BlackBoard under “Course Documents”

[2] Arjan Dasselaar, “Handboek Digitale Criminaliteit, over daders, daden en opsporing”, Van Duuren Media, 2005

[3] William Stallings, “Network Security Essentials”, 2nd ed., Prentice Hall, 2003

