Monthly Archives: July 2012

4 Steps For Secure Tape Backups

 Lock data behind walls of encryption and tapes behind layers of physical access protection.

  • Few case studies better illustrate the need to secure media than the mishandling of tapes by South Shore Hospital, which in 2010 sold 473 unencrypted backup tapes containing more than 800,000 patient names, Social Security numbers, financial account numbers, and medical diagnoses. The institution, based in South Weymouth, Mass., did not inform the buyer about the private records on the tapes, and only one of three boxes of tapes actually reached the recipient. Still, in May the hospital paid $750,000 to settle a lawsuit alleging that it failed to protect patients’ electronic health information.

    To ensure that your enterprise doesn’t fumble private data, follow four tape backup security steps.

    1. Encrypt data at rest.

    Sounds like Security 101, but just 22% of respondents to our InformationWeek State of Storage Survey encrypt all backup tapes.

    Encryption is not an absolute protection, but it meets most regulatory best-effort standards. By applying bank-level AES 256-bit encryption to data before committing it to tape, you ensure that your security efforts meet the requirements of state data breach laws, like those in California and Massachusetts, that make the custodial data center or IT department responsible for the loss of personally identifiable information. While 512-bit encryption is available, “using it adds too much time to the encryption and decryption process to be practical,” said Matt Brickey, director of storage and data protection at Savvis, an enterprise-oriented cloud services provider.

    Encrypting data before sending it to tape enables a faster backup process than encrypting data on the fly during backup.

    “We use native – Microsoft SQL, Windows – and third-party – Symantec Backup Exec – tools to encrypt and compress data,” said Robert Boorman, IS manager for financial advice firm The Rich Dad. “These tools now support 256-bit encryption, so it’s not a complex process.”

    When saving to disk prior to tape, back up to an encrypted file system like Windows EFS. “We use a separate set of hard drives in each of our disk backup products,” said Boorman. And don’t drop the ball on key management.

    2. Use a consistent, documented backup schedule.

    For example, perform full backups weekly, differential backups daily, and monthly backups at the end of the month. After three months, perform a quarterly backup. After 12 months, complete a yearly backup. “At each major step we reuse tapes,” said Boorman. “At the yearly backup, we reuse the quarterly backup tapes or destroy them.”

    3. Handle and store tapes securely.

    Purchase new, sealed tapes, and label them properly. Serial and bar coding are better than simple handwritten labels. Use a tape library that supports a pass code, for locking the physical device. “We recommend using this pass code and any software-based security in the backup program as well,” Boorman said. “We also audit all security.” Once the system writes to a tape, place a sticker over the lock window. If that is torn, someone has tampered with it.

    By layering the physical security of the backup tape, it and its attendant data are no longer low-hanging fruit. “Our tapes are physically located within our server rack, locked behind several layers of physical security – badges, eye retina, and other biometric devices,” Boorman said.

    When sending tapes off site, use a bonded courier. Ship tapes in a lockbox to which only the enterprise and the security officers at the storage facility have access. The courier should not be able to get into the lockboxes.

    4. Destroy tapes at the end of the life cycle.

    Destroy, do not sell, used tapes in accordance with a documented data disposition policy. Either incinerate tapes using a licensed facility or shred the media using tape shredders.

    Shredding is the best way to destroy tapes and meet audit requirements, said Brickey. “People want to see reports that someone shredded the specific tapes, by serial number,” he said. “They want to see a signature on a form.”

    Finally, don’t use tape as an archival system. There are better ways to do long-term data preservation, as we discuss in this report.
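The rotation in step 2 and the serial-number accounting in steps 3 and 4 can be checked mechanically. The Python sketch below is an added example, not part of the InformationWeek article; the Sunday full-backup day, the one-tape-per-backup simplification, the rule that a completed backup releases every lower-level tape, and the `TAPEnnnn` serials are assumptions made for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

FULL_WEEKDAY = 6  # assumption: weekly fulls run on Sunday (Monday=0 ... Sunday=6)
RANK = {"differential": 0, "weekly_full": 1, "monthly": 2, "quarterly": 3, "yearly": 4}


def backup_level(d: date) -> str:
    """Backup level the step 2 schedule calls for on day d."""
    if d.day == calendar.monthrange(d.year, d.month)[1]:  # last day of the month
        if d.month == 12:
            return "yearly"
        return "quarterly" if d.month % 3 == 0 else "monthly"
    return "weekly_full" if d.weekday() == FULL_WEEKDAY else "differential"


@dataclass
class Tape:
    serial: str           # bar-code serial (constructed values)
    level: str
    written: date
    status: str = "live"  # "live" = must be retained; "released" = reuse or destroy


def run_schedule(start: date, end: date) -> dict:
    """Simulate one tape per backup from start to end; return serial -> Tape."""
    tapes, scratch = {}, []  # scratch holds serials released for reuse
    d = start
    while d <= end:
        level = backup_level(d)
        # Pick the target tape BEFORE releasing anything, so tonight's backup
        # never overwrites a tape that is only superseded once it completes.
        serial = scratch.pop(0) if scratch else f"TAPE{len(tapes) + 1:04d}"
        tapes[serial] = Tape(serial, level, d)
        # Assumption: a completed backup supersedes every lower-level tape
        # ("at each major step we reuse tapes").
        for t in tapes.values():
            if t.status == "live" and RANK[t.level] < RANK[level]:
                t.status = "released"
                scratch.append(t.serial)
        d += timedelta(days=1)
    return tapes


def audit(tapes: dict, vault_scan: set, destroyed: dict) -> list:
    """Reconcile the ledger with a bar-code scan and the destruction records.

    destroyed maps serial -> name of the person who signed the shredding form
    (empty or None when the signature is missing).
    """
    findings = []
    for serial, tape in sorted(tapes.items()):
        if serial in destroyed:
            if tape.status == "live":
                findings.append((serial, "destroyed while holding a live backup"))
            elif not destroyed[serial]:
                findings.append((serial, "destruction record has no signature"))
        elif serial not in vault_scan:
            findings.append((serial, "missing: not scanned and no destruction record"))
    for serial in sorted(vault_scan - set(tapes)):
        findings.append((serial, "scanned tape is not in the ledger"))
    return findings


if __name__ == "__main__":
    ledger = run_schedule(date(2012, 1, 1), date(2012, 3, 30))
    live = sorted(s for s, t in ledger.items() if t.status == "live")
    print(len(ledger), "tapes in pool,", len(live), "must be in the vault")
    scan = set(ledger) - {live[0]}  # constructed: one live tape unaccounted for
    for finding in audit(ledger, scan, destroyed={}):
        print(finding)
```

Feeding `audit` the bar codes actually scanned in the rack or lockbox and the signed shredding forms turns "a box of tapes never arrived" into a same-day finding rather than something discovered after a sale.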

    Retrieved from InformationWeek

Climategate cops: We’ll NEVER solve email leak hack riddle

Probe axed after inside job ruled out

Detectives have shelved an investigation into the high-profile hacking of computers at the University of East Anglia’s Climatic Research Unit (CRU).

The so-called Climategate attack led to 1,079 messages and more than 3,800 documents being leaked online in November 2009. Critics of the unit’s work seized upon the messages to suggest the team had misled the public and scientific community about its research into climate change, a charge scientists at the CRU were quick to deny.

A subsequent parliamentary study cleared the boffins of misconduct although mildly criticised their lack of transparency and sharing of data.

The question of who was behind the hack prompted almost as many conspiracy theories as the debate on global warming. Norfolk police were called in to investigate the breach; however, two years into the probe, the force has admitted it has hit a dead end. There is little prospect of making any arrests before the three-year statute of limitation expires for the offences at the centre of the case, the cops admitted.

In a statement, Detective Superintendent Julian Gregory, the senior investigating officer, said:

Despite detailed and comprehensive enquiries, supported by experts in this field, the complex nature of this investigation means that we do not have a realistic prospect of identifying the offender or offenders and launching criminal proceedings within the time constraints imposed by law. The international dimension of investigating the World Wide Web especially has proved extremely challenging.

However, as a result of our enquiries, we can say that the data breach was the result of a sophisticated and carefully orchestrated attack on the CRU’s data files, carried out remotely via the internet. The offenders used methods common in unlawful internet activity to obstruct enquiries.

DS Gregory was at least able to dismiss early speculation that the hack might be an inside job.

“There is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime,” he said. The investigation, codenamed Operation Cabin, was backed by computer crime specialists from the Metropolitan Police.

In a statement, the vice-chancellor of the university and the unit’s boss together expressed disappointment that the police effort had failed to apprehend a culprit. Prof Phil Jones, research director of the CRU, vowed to continue his work.

Prof Jones said: “I would like to thank the police for their work on this difficult investigation and also for the personal support they offered me. I am obviously disappointed that no one has been prosecuted for this crime but hope today’s announcement will draw a line under the stressful events of the last two and half years. My colleagues and I remain committed to the research CRU undertakes to illuminate the globally important issue of climate change.”

An analysis of the possible hacking techniques used to pull off the Climategate breach, and steps used to anonymously upload the swiped data, can be found in a blog post by Rob Graham of Errata Security here. The article, written in the days immediately after the data raid, stated that the hacker used “open proxies” to disguise his or her identity, and took issue with the conclusion that the techniques used were sophisticated.

What’s not in dispute is that the trail to the Climategate hacker has long since gone cold.

Graham Cluley, a senior technology consultant at net security firm Sophos, commented: “Unless someone associated with the hack owns up to their involvement, it seems that the story of Climategate may remain a mystery.” ®

Retrieved from The Register

Congress warned about dangers of hacked drones

US lawmakers yesterday heard that there needs to be more regulation and security surrounding the use of private drones.

Witnesses – including Todd Humphreys, the University of Texas professor who successfully hijacked such a drone last month – told a House subcommittee yesterday that it would be easy to take control of such drones and use them for terrorism.

Because such drones use unencrypted GPS information, they’re vulnerable to spoofing, with hackers faking their own GPS signals to take control.

“What my nightmare scenario would be is looking forward three or four years where we have now adopted the UASs in the national airspace without addressing this problem – and now the problem is scaling up, so that we’ve got more heavy UASs, more capable UASs,” he testified.

It’s the job of the FAA to ensure that UASs fly safely in US airspace. But no federal agency is developing the relevant policies and guidelines for their use, despite the fact that four years ago the Government Accountability Office recommended that the DHS examine the security implications of future, non-military UAS operations in the national airspace system and take any actions deemed appropriate.

“We still think that our recommendation is valid and needing to be addressed,” testified Gerald Dillingham of the GAO.

The FAA has already granted more than 200 Certificates of Authority to operate drones to more than 100 entities. Those numbers are expected to reach the thousands within five years.

“DHS seems either disinterested or unprepared to step up to the plate to address the proliferation of drones, the potential threats they pose to our national security, and the concerns of our citizens of how drones flying over our cities will be used including protecting civil liberties of individuals under the Constitution,” said the subcommittee chairman, Congressman Michael McCaul.

“What most Americans don’t want to see is eyes in the sky spying on the American people.”

Retrieved from TG Daily

California to Get Tough on Behalf of Online Privacy

California’s top legal official has put the tech industry on notice that she intends to get tough on behalf of digital privacy.

Attorney General Kamala Harris said Thursday she is forming a new group within the state’s Justice Department, the Privacy Enforcement and Protection Unit, to oversee privacy issues and prosecute companies that run afoul of the state’s strict privacy laws.

The new unit’s impact could extend beyond California, because it will police not just companies based in the state but all companies that do business there.

“This means that their privacy practices are going to be scrutinized a lot more by the Attorney General’s office,” Travis LeBlanc, special assistant attorney general for technology, said in an interview.

“We are going to do outreach to companies, to make sure they know their obligations,” he said. “And make sure that when there are violations of California privacy laws, we will enforce them.”

The unit will also perform outreach and education campaigns for state residents.

California has some of the strictest privacy regulations in the U.S., and unlike in many other states, the right to privacy is spelled out in the state’s constitution.

“Typically, we’ve been a bellwether state,” said LeBlanc. “We were the first state to pass a ‘do not call’ list and the first to pass a law requiring data breaches are notified to consumers.”

Formation of the unit puts California ahead of other states when it comes to online privacy, said Justin Brookman, director of consumer privacy at the Center for Democracy and Technology. Brookman worked in the New York Attorney General’s office from 2004 to 2009.

“One advantage the states have is they can move more quickly on issues [than the U.S. Federal Trade Commission],” he said.

The FTC will generally take time to consider issues in detail, and that can mean it is more likely to get things right, but the states have the advantage when it comes to awarding large fines, he said.

State law often allows companies to be fined for each infraction they make, whereas the FTC will usually fine a company only after it has been found guilty and re-committed the same violation, said Brookman.

The unit will be part of the California Justice Department’s electronic crimes unit, and its staff will include six prosecutors who specialize in privacy enforcement. Some staff have already been hired, and LeBlanc said he expects the unit to be fully staffed in a few months.

Announcement of the unit comes five months after the California attorney general said she had reached an agreement with Apple, Google, Research In Motion, Amazon, Hewlett-Packard and Microsoft, to ensure that users can read the privacy policies on all mobile applications before downloading and installing the apps. The group was joined by Facebook in June.

One of the unit’s first tasks will be a check-in with the companies to see how they have lived up to the agreement.

“In terms of enforcement, we have targeted our efforts in the mobile space,” said LeBlanc. “We’re seeing lots of privacy concerns there. Some people see it as the wild, wild West. We intend to start enforcing the California Online Privacy Act.”

In terms of the unit’s impact beyond state borders, it could face challenges from companies under U.S. federal interstate commerce laws if it tries to make too big a change on digital business practices, said Brookman.

Retrieved from PCWorld

Psst, UK software devs: Up for a Cyber Security Challenge?

Future Stuxnet-style attack defenders wanted

A new Cyber Security Challenge UK competition aimed at finding people to protect the country against future Stuxnet-style attacks was launched on Wednesday.

Previous Cyber Security Challenge competitions focused on crypto-cracking, penetration testing and malware forensics – but this is the first competition in the challenge that will test devs’ wits on software security. The two-year-old public- and private-funded programme is now looking for software and application developers with the security know-how to keep business and critical national infrastructure safe from the latest online attacks. Defence contractor QinetiQ and training body (ISC)² have teamed up to devise the challenge.

Why devs?

Software applications are increasingly being developed for very open, highly distributed environments, often involving elements of outsourcing and many suppliers. Traditionally, developers operate under tight deadlines to introduce new functionality and security has been a secondary concern. Competition sponsor (ISC)² said it had identified software vulnerability as the number one online threat in its survey of information security professionals. It said that the majority (73 per cent) of respondents had fingered it as the main problem.

The challenge aims to test the competitors’ knowledge of security requirements, as well as their “instincts” for anticipating and resolving security vulnerabilities as they develop their own software. The best candidates will then be invited to QinetiQ at the start of next year for a “hands-on experience of writing secure code to move physical devices” and an exercise in protecting a “top secret facility from real life cyber-attacks”.

John Colley, managing director of (ISC)² EMEA, explained: “Security instincts will be just as important as technical skills, as candidates prove they can effectively research and anticipate requirements for security at the same rapid rate at which software is developing.

“Those with the right instincts have a significant opportunity to demonstrate new skills that are incredibly relevant today. We hope this competition will attract, identify and nurture new talented individuals to work in this field,” he added.

How it works

The initial phase of the competition will involve an online exercise challenging competitors to write their own secure code. Between 15 and 30 of the best candidates will then progress to the face-to-face phase of the competition, next February. All participants at this stage will be awarded a training module, with the overall winner receiving a special prize. Winners from this event will then be invited to attend the Masterclass Final and awards weekend next March.

“Cyber criminals are increasingly developing the capabilities to manipulate the software used to control key security systems,” says Neil Cassidy, practice lead in cyber defence at QinetiQ. “Attacks like Stuxnet highlight the fundamental impact which these attacks can have on national infrastructure, from power stations to military installations.

“At QinetiQ’s face-to-face stage of this competition, competitors will be responsible for securing the systems protecting a simulated top-secret facility. They must identify vulnerabilities in command software systems and work to anticipate security breaches to avoid attack. Through this Challenge we aim to provide the software developers of the future with experience of what it takes to secure software systems and the impact any failures can have.”

The competition is open to software developers and students, with entry via a registration page here. Those already working in information security are not eligible.

Upcoming competitions in the ongoing security challenge scheme will include a packet-capture analysis competition, run by the SANS Institute, that will involve the analysis of network and web application attacks, as well as a linked-based competition, to be run by Sophos. The Cyber Security Challenge UK is now in its third year. ®

Retrieved from The Register

Russian Parliament’s upper house approves Internet ‘censorship’ bill

The upper house of the Russian Parliament passed a bill on Wednesday that the nation’s IT industry believes has high potential to lead to Internet censorship.

The bill, including amendments to several laws, was adopted by the upper house of the Russian Parliament, the Federation Council of Russia. The adoption of the bill makes it easier to block sites that host child pornography, promote drugs and provide instructions about how to commit suicide, as well as other information that affects health and development, the Council said. In particular, the law includes the creation of mechanisms for the rapid removal of web pages that contain materials prohibited from circulation within Russia, the Council said.

IT companies in Russia however, have been warning that the law can have negative effects and lead to censorship because there is a risk that legal content can be blocked more easily too, mainly because it amends the law “On information, information technologies and information protection” to allow the blocking of websites through IP and DNS blockades.

It also looks as though Roskomnadzor, the Russian Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications, will gain the power to blacklist websites without a court’s consent as of Nov. 1, Vladimir Medeyko, director of Wikimedia Russia, the organization that runs the local version of Wikipedia, said via instant message.

One of the amended laws leaves the opportunity to blacklist whole domains when only part of the hosted content is illegal. For instance 1.3 million blogs hosted on Blogger are blocked in Russia as a result of a court ruling that ordered the blocking of access to extremist blog posts, Google Russia said earlier this month. And in another lawsuit in 2010, a court ordered a local Internet provider to block the entire YouTube domain because the court deemed one of the hosted movies illegal, according to Google. The company said the new law is a threat for the Internet.

Presenting the bill to the Council, Senator Lyudmila Narusova said that the Internet community has certain worries, particularly regarding the risk of unjustified blacklisting of websites, and that it is necessary to constantly monitor enforcement of the amended law. However, she also pointed out that many European countries, including Germany and the U.K., and also the U.S. have certain mechanisms in place to block websites, adding that the fight against illegal information on Internet is strong in the world, a Council statement said.

Amendments to the law “On information, information technologies and information protection” should not have been made so hastily, said Vladimir Isaev, Manager of International Media Relations at Russian search engine Yandex, via email.

“Yandex is ready to accept official invitations to discuss the Bill or to commit our vision and opinion to government authorities,” he said. The effects on the Russian online industry are hard to gauge at the moment, he said adding: “All of us are waiting for subordinate regulatory acts and regulation instructions.”

The bill moved through the lower and upper house within a period of two weeks, giving the industry little time to protest the legislation. After Wikipedia became aware of the bill and its potential it decided to block access to its site for 24 hours. The English version of Wikipedia, along with websites including Reddit and Craigslist, conducted a similar protest against the U.S. Stop Online Piracy Act (SOPA) by blocking access to their sites last January. Other Russian online businesses including Yandex, social network VK.com and the Russian version of Live Journal posted banners or blog posts to protest the bill.

These protests were followed by changes to the proposed amendments to legislation. Among the changes the Russian security service FSB (successor to the KGB) and the Ministry of Internal Affairs were excluded from the list of government bodies that would be allowed to blacklist sites, before the lower house of Parliament, the State Duma, approved the bill, Medeyko said last week. Wikimedia Russia was also allowed to partake in a working group overseeing the bill and its implementations.

Since last week, little has changed, said Medeyko, who added that he had not expected the Council to reject the bill. “I’m still optimistic,” he said, adding that he hoped the industry would be able to limit the effect of the bill through other legislation or regulations.

Now the Senate has passed the bill, it is on its way to the President to be considered for his final signature, said Isaev.

Russian IT companies are not the only ones concerned about the law. Navi Pillay, U.N. High Commissioner for Human Rights, said in a statement posted online on Wednesday that she was concerned that the legislative amendments in the Russian Federation would have a seriously negative impact on human rights in the country.

Given the many concerns raised about the bill by the Presidential Council on Human Rights, civil society and human rights experts, a full independent public review of this law should be conducted, said Pillay, adding that it is “very disappointing” that laws are being passed in Russia that are restricting civil society space instead of ones designed to create an environment that would help civil society enhance human rights promotion and protection.

Retrieved from ComputerWorld

Internet Defense League to save the web from evil governments

Holy global web censorship takedown, Batman!

Not for profit rights group Fight for the Future will on Thursday launch the Internet Defense League, a new initiative designed to help internet stakeholders fight back whenever their rights are threatened by the man.

The League will launch tonight in San Francisco, Washington DC, New York, London and, bizarrely, Ulaanbaatar, Mongolia, by shining its trademark cat logo into the sky.

Fight for the Future’s hope is that the League will spring Batman-like into action whenever internet rights are threatened, as the following blurb on its web site explains:

The Internet Defense League takes the tactic that killed SOPA & PIPA and turns it into a permanent force for defending the internet, and making it better. Think of it like the internet’s Emergency Broadcast System, or its bat signal!

When the internet’s in danger and we need millions of people to act, the League will ask its members to broadcast an action. (Say, a prominent message asking everyone to call their elected leaders). With the combined reach of our websites and social networks, we can be massively more effective than any one organisation.

The success or failure of such a plan, of course, will depend on the reach of its members, but the group seems to have done pretty well to get the likes of Mozilla, WordPress, Reddit, the Cheezburger Network and a host of online rights groups signed up already.

Given the propensity for governments over the past year or two, especially in Asia, to tighten their grip on web freedoms, it’s probably not going to be long before we see what the League can do, and how many of those signed up actually decide to participate actively.

However, as we have seen recently in China, Thailand, Pakistan and elsewhere, what governments tend to do is espouse a slow, insidious creeping towards greater censorship and control rather than one specific SOPA-like cause which the masses can rally against.

So far the group is concentrated almost exclusively in the West. It will have to engage a lot more with internet stakeholders in Asia if it’s truly going to make a difference. ®

Retrieved from The Register

Huge spam botnet Grum is taken out by security researchers

A botnet which experts believe sent out 18% of the world’s spam email has been shut down, a security firm said.

Grum’s control servers were mainly based in Panama, Russia and Ukraine.

Security company FireEye and spam-tracking service SpamHaus worked with local internet service providers (ISPs) to shut down the illegal network.

The Grum botnet was made up of more than 120,000 infected computers, researchers said.

A botnet is a network of computers that has been hijacked by cybercriminals, usually by using malware.

“Grum’s takedown resulted from the efforts of many individuals,” wrote Atif Mushtaq, a security researcher with FireEye.

“This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.”

‘Bad news’

Mr Mushtaq wrote that on Monday he learned that a Dutch server involved in Grum had been shut down. He said it “at least made a dent” in the botnet.

On Tuesday, the command and control servers (CnCs) in Panama had been shut down.

“This good news was soon followed by some bad news,” he explained.

“After seeing that the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine.

“So at one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations.”

He noted that in the past Ukraine has been something of a “safe haven” for bot herders.

“Shutting down any servers there has never been easy.”

Disabling Grum is just one of many high-profile efforts to neutralise botnets worldwide.

Russian Georgiy Avanesov was in May sentenced to four years in jail for being behind the Bredolab botnet which was believed to have been generating more than £80,000 a month in revenue.

Microsoft has been working to disrupt Zeus, another huge network responsible for, researchers said, millions of pounds in theft.

‘Keep on dreaming’

FireEye collaborated with other experts in the worldwide security industry to apply pressure to local ISPs to suspend the illegal operation.

Mr Mushtaq said more than 20,000 computers were still part of the botnet, but that without the active CnCs they would soon be rendered ineffective.

Grum’s closure was an encouraging development in clamping down on botnets across the world, he said.

“When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders.

“There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones.

“We have proven them wrong this time. Keep on dreaming of a junk-free inbox.”

Retrieved from BBC

Phishing Websites Reach All-time High

The number of phishing websites detected reached an all-time high earlier this year, a sign that making fake websites spoofing real ones is still a lucrative trade for cybercriminals.

In its latest report, the Anti-Phishing Working Group (APWG) said 56,859 phishing sites were detected in February, beating the previous record high in August 2009 by nearly 1 percent. APWG is a nonprofit consortium composed of banks, security vendors and others with a stake in tracking cybercrime trends.

Phishing sites are websites that look nearly identical to the legitimate ones and often mimic known brands. Leveraging the trust users put in the legitimate companies, cybercriminals succeed in tricking victims into divulging logins, passwords and other sensitive information.

The APWG noted in its report that the increase in the number of phishing websites was in part due to new technology that it began using earlier this year to detect fraudulent sites.

More than 38 percent of the fake websites were related to financial services, according to the APWG’s report. The second most spoofed market vertical was payment services, followed by retail and other service sites. The sites spoofed 392 brands, also a new record.

“All manner of commerce is transacted online today and in that are opportunities for new and provocative scams, leveraging some part of the customer-enterprise relationship that is unique to the domain,” said Peter Cassidy, secretary general of the APWG. “People are tougher to fool with phishing, but they still can be in the hands of a creative scam artisan.”

The U.S. hosted the most fake sites. About half of the phishing sites for the first quarter of 2012 used some form of a brand in their URL, which often tricks people.

On the bright side, though, phishing sites are being taken down faster than ever due to better security technologies. But “the problem is a lot of campaign schemes are built around deployment of lots of landing websites for a single campaign to complicate the work of putting down the attacks,” Cassidy said.

Retrieved from PC World

Megaupload Pushes for Dismissal of Indictment

Lawyers for Megaupload filed another motion on Wednesday asking a federal court to dismiss its criminal case, continuing its argument that the company can’t be served a summons since it was headquartered outside the U.S.

Megaupload wants the U.S. District Court in the Eastern District of Virginia to hear oral arguments on its request for dismissal of the charges, which the Department of Justice (DOJ) opposes. A court date for oral arguments is set for July 27.

DOJ attorneys argued in a response released Tuesday it was “unprecedented and unjust” that Megaupload could not be served since it “purposefully avoided establishing an office in the United States.” The file-sharing site is accused of encouraging users to upload material under copyright, earning upwards of US$175 million in advertising and subscription fees, the DOJ alleges.

Founder Kim Dotcom and six others were indicted in January on criminal copyright violations and fraud along with two companies, Megaupload and Vestor Limited.

Individuals located outside the U.S. can be served a criminal summons, but Megaupload’s lawyers contend a corporation cannot be served. It is not clear what impact a dismissal of the charges against Megaupload as a corporate entity would have on the case.

The closely watched court battle took a surprising turn earlier this week when a New Zealand judge recused himself from further extradition hearings involving Kim Dotcom and his colleagues.

North Shore District Court Judge David Harvey was reported to have made a comment referring to the U.S. as an “enemy” during copyright and trade talks last week at the NetHui Internet conference held in Auckland. The extradition hearing, planned for August, has been rescheduled for March 2013.

Dotcom, known for his prolific activity on Twitter, wrote on the social networking service earlier this month that he would voluntarily go to the U.S. for trial if the DOJ released funds frozen when he was arrested. Dotcom has said he has been unable to pay his legal fees.

Retrieved from PCWorld