Wednesday, January 17, 2007

Laying a New Year’s Course for Security

C.J. Kelly


January 15, 2007 (Computerworld) December was a complete blur for me. After being away for training and a vacation, I’m having a difficult time getting my head into what needs to be done at work in this new year. Things aren’t much better at home, where the Christmas tree stands almost bare, waiting to be put out of its misery, and unwrapped presents are still scattered about. At least I cleaned my office before I went away.

But my orderly desk disguises the fact that all the things that were not completed last year are awaiting my attention. Managing both IT and security gives me a lot of infrastructure components to think about, but I like it that way. I can take a more holistic approach.

Let’s see: I have to prepare the IT spending plan for the state agency, complete the employee reviews, decide on a document management vendor, define a comprehensive encryption initiative, bring the virtual private network online among our branch offices, prepare another security-awareness training module, decide whether dual-core technology has a place on the desktop, prepare for Vista (or not) and consider whether NAC (Cisco’s Network Admission Control technology) is worth pursuing, as well as how NAP (Microsoft’s Network Access Protection) fits into the picture. Oh, and this is the month the state auditors will peek into our infrastructure.

I need to prioritize, but that isn’t easy when everything seems equally important. Some people get stuck in the details, but I seem to get stuck on the big picture. Making decisions about information and security technologies is similar to solving a riddle or a puzzle. The clues have to be examined and the pieces have to fit together to find the best solution possible. Even then, the rate of technology change can invalidate carefully made decisions.

But I’ve learned that there always comes a point when you have to say, “All right, I’ve reviewed as much information as is reasonable. Now I have to make some decisions, right or wrong.” So, right or wrong, here’s what I see for us this year:

  • We are not going to upgrade to Vista.
  • We are going to upgrade to dual-core technology.
  • We are going to encrypt network traffic, file systems and databases.
  • We are going to find a document management system that is secure and easy to use.
  • We are going to get a handle on log file management.
  • We are going to investigate unified threat management systems.
  • We are going to provide security awareness training in a fun, informative and consistent way.
  • We are going to understand NAC vs. NAP and evaluate our choices.

A Closer Look

I don’t know yet exactly how we are going to accomplish these things. And it’s not clear which technologies we will choose. There are dozens of vendors out there whose products promise to solve our problems.

For instance, do we go with AMD or Intel for dual-core technology? We’ve standardized on AMD processors, but Intel seems to be storming ahead. Will any of our current applications make use of dual-core technology, or are we just preparing for a future that may actually include quad- and even eight-core processors?

Vista is at least a year away for us. We hope this isn’t a mistake. With Microsoft, it has always been better to wait and see how things go before jumping to a new operating system. And we will have to understand Microsoft’s licensing agreements. From what I’ve heard, Microsoft is making it difficult to not upgrade to Vista. We shall see.

We want to better secure our network and access to it, so do we follow along with Cisco or prepare ourselves for Microsoft’s NAP? From what I can tell, NAP isn’t ready for prime time, since it requires Vista and the new “Longhorn” Windows server, which hasn’t been released.

Cisco’s NAC seems closer at hand, but it would require us to add server hardware and client software — a Cisco Secure ACS server and a desktop agent (Cisco Trust Agent) — in addition to making router configuration changes and integrating the system with antivirus and software distribution servers.

The good news is that Cisco and Microsoft have collaborated and cross-licensed their technologies. This will make migrating to a network access technology doable in the future.

Grasping what needs to be done in the encryption arena is like grabbing a tiger by the tail. Since our agency handles electronic protected health information, we must tame this tiger. We currently protect data using access controls, but they can be circumvented by a sophisticated hacker, and encryption provides another layer of defense for data at rest and in transit.

Then there are log files. We store system logs on a secured file server. If we’re going to be cognizant of suspicious events, the logs have to be manually inspected on a daily basis, but we are far from doing that. And that brings us to threat management.

When I say “unified threat management,” I mean a method of bringing together all the data our systems write to log files and correlating the information so that we can spot potential threats to the infrastructure in a timely manner. That’s a mouthful and a challenge. We plan to look at what Cisco can do for us in this area.

So, that’s my list. Drawing it up gets my engine going. The next step is to pull the team together and share my vision. Then I’ll shut my mouth and listen for a long time. Sure, I have been thinking all year about what our next steps are going to be, but so has the team. We need to arrive at a consensus about what can and can’t be done with our available time and resources. Ready? Go.

What Do You Think?

This week’s journal is written by a real security manager, “C.J. Kelly,” whose name and employer have been disguised for obvious reasons. Contact her at, or join the discussions in our security blogs: To find a complete archive of our Security Manager’s Journals, go online to

NSA Helped Microsoft Set Security for Vista

Spy agency, vendor teamed to sync OS with standards

Robert McMillan   Today’s Top Stories    or  Other Security Stories  


January 15, 2007 (Computerworld) --

Microsoft Corp. and the National Security Agency confirmed last week that the intelligence agency helped the company configure Windows Vista so it meets the Pentagon’s security requirements.

NSA spokesman Ken White said the agency has provided guidance on securing Windows XP and Windows 2000 in the past. But this is the first time the NSA has worked with Microsoft or any vendor prior to an operating system’s release, White added.

By getting involved early in the process, the NSA ensured that there would be a version of Vista that is secure enough for the U.S. Department of Defense and compatible with federal software, he said. Now the NSA can guarantee that Vista’s off-the-shelf security configuration “is at a level that meets our standards,” White said.

Microsoft declined to make any executives available to comment about the NSA’s help. In a statement, the company said that it had asked a number of government entities to review Vista, including the NSA, the National Institute of Standards and Technology and NATO.

Alarm Raised

Still, the NSA’s involvement raised red flags for some privacy advocates. “Some bells are going to go off when the government’s spy agency is working with the private sector’s top developer of operating systems,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington.

Rotenberg and other privacy advocates said it would be tempting for the NSA to push for a way to gain access to data stored on Vista-based systems.

But White said the NSA didn’t open any back doors into the new operating system. “This is not the development of code here,” he said. “This is assisting in the development of a security configuration.”

The work with Microsoft was done in accordance with the NSA’s mandate to protect the nation’s information systems, White said. “This is the other half of the NSA mission that you never hear much about,” he said. “All you ever hear about is foreign signal intelligence. The other half is information assurance.”


Six ways to protect your systems in a merger

Bert Latamore


January 16, 2007 (Computerworld) Mergers and acquisitions present extra challenges for IT network security. Inevitably, a merger combines security organizations with different security philosophies, policies, technologies and needs. "If one company has a policy that all security needs to stay in-house and the other has outsourced its security apparatus, obviously they have a conflict," says Chris Ellerman, national security practice director at Dimension Data North America.

And that presumes that the merging organizations are in the same vertical industries. When the merger crosses verticals, the differences can be even greater and in some cases aren't completely reconcilable. "I've seen mergers that resulted in two divisions permanently operating on different security levels on a single IT backbone due to the requirements of their vertical industries," Ellerman said.

Ellerman offered the following tips for organizations that are either preparing for possible mergers in the coming year or are now involved in a merger process.

1. Do not approach a merger of security systems lightly. The large number of security device vendors in the market guarantees that each partner in the merger will have a very different mix of security devices and technologies, even if their business structures and IT infrastructures are otherwise similar.

"Security is often linked directly to specific applications," Ellerman said. "Disrupting those security systems can shut down vital business services, possibly bringing the business of one of the acquisition partners to a halt. Obviously, you cannot do that." Instead, he recommends that the two organizations continue to operate separately, possibly with extra security in the links between their IT organizations, while a security team that should include experts from both organizations evaluates the situation.

2. Enter the merger with a plan. "Companies like Oracle that are experienced in handling acquisitions have a plan that they can put into effect the day the merger is finalized," Ellerman says. "Based on the size of the acquisition, they can call their vendors and order the devices they need as soon as they are notified of the merger. The speed with which these organizations can absorb a new acquisition can be astounding."

3. Start with a self-assessment that focuses on identifying business drivers. When global consultant Dimension Data is called in to aid in the process, it begins by facilitating a daylong self-assessment that focuses first on identifying the business drivers in each of the merger partners. Usually key members of senior business and IT management from both partners -- including both CIOs and representatives from both CEO offices -- are among those involved.

By the end of the day, they have a clear understanding of the key elements of each organization's security policies and standing, including their weak points, and the business logic behind those infrastructures. This becomes the basis for the definition of a goal-state for the eventual merged security operation. Senior management is open to participating in this exercise because they want the results to reflect the needs of their postmerger business plan.

4. Identify key security personnel from the acquired organization and get them on the team. This is not and should not be allowed to degenerate into an "us vs. them" war of internal politics. "After all, who knows the acquired entity's security architecture, and its weaknesses, better than their CSO?" Ellerman said. "You certainly hope that the goal of the acquisition for the IT organization is more than just acquiring more equipment. You want to integrate the best people from both organizations to create the strongest possible IT department, and that includes the security group."

Outsourcing IT security is a common strategy today, and if one of the organizations is outsourced, then the service provider's security team obviously needs to be involved at this point. These individuals are usually very experienced due to the nature of the outsourcer's position providing security for numerous clients, often in different verticals, and this knowledge can be very valuable.

Often in this case the merged company ends up outsourcing security for both parts of the acquisition, provided that the service provider has good relations with the organization it originally worked with. However, that is not the only possible strategy, and management should evaluate taking security in-house or leaving the situation as it is, with one organization's security outsourced and the other's not, before making a final decision.

5. Proceed with caution. It's not uncommon for the two organizations in a merger to be operating at different security levels. One, for instance, may require two-factor authentication to access its network, while the other uses simple password authentication. Until the security infrastructures can be merged and the organization with the lower security brought up to the higher standards -- presuming that is the eventual plan -- the company will want to put extra security in the links between the two organizations, treating the organization with the lower security level as a semitrusted partner.

If the two organizations are going to remain as separate divisions and not be merged -- and particularly if they operate in two different verticals with different security needs -- this arrangement may become permanent. If the two organizations are to be merged at the operational level, the team will want to impose a standard set of security technologies wherever possible. However, they need to be careful to minimize disruption to business processes during the transition.

6. Evaluate the impact of planned changes in security procedures and levels before implementing them. Security is always a trade-off between protection of and access to the information and applications that the business needs in order to operate. The most secure system, as security experts are wont to remark, is one that is totally disconnected from everything in a locked vault that no one can access. But such a system does the business little good.

When evaluating security policies, levels and technologies, it's important to ask some key questions: How much disruption will this cause in the business? How much will the extra time and effort required to access IT resources cost the company? Is the added protection worth the price in terms of its impact on how the business operates? Is higher security justified by the extent of the risk or by compliance issues, despite the disruption it may cause?

Just because one of the merger partners operates at a higher security level than the other, that doesn't automatically mean the higher level is the better option for the merged organization. Management must evaluate all the sides of security issues to make the best overall decision for the company.

Bert Latamore is a journalist with 10 years' experience in daily newspapers and 25 in the computer industry. He has written for several computer industry and consumer publications. He lives in Linden, Va., with his wife, two parrots and a cat.


VoIP Soon to Be a Target for ...

Mark Hall


January 15, 2007 (Computerworld) ... hackers, and it won’t be difficult to hit. In Hacking Exposed VoIP, which hit bookshelves last month, authors David Endler and Mark Collier argue that voice-over-IP technology “is about to hit critical mass” and will become a favorite security hole for hackers to slip through to disrupt IT operations. Endler and Collier hope their book can show not just how to crack a VoIP network — which it will — but also how to lock one down.

According to Endler, who is director of security at 3Com Corp.’s TippingPoint division in Austin, hackers have begun to use VoIP in phishing exploits that emulate the interactive voice response systems of legitimate companies. “The rate of vulnerabilities will increase,” says Collier, chief technology officer at SecureLogix Corp. in San Antonio. Distributed denial-of-service attacks are likely and could be devastating to VoIP systems, Collier says, noting that even a modest DDoS attack could make it all but impossible to make VoIP calls because of quality-of-service issues.

Then there’s the problem of privacy. “It’s extremely easy to listen in on a call,” Endler says. It isn’t that much harder to inject noise or even spam into VoIP communications. And speaking of unwanted messages, spam over Internet telephony, or “spit,” is another looming problem. As Collier observes, “There’s nothing today to prevent you from getting as much voice spam as e-mail spam.” Endler says it’s possible to deploy a secure VoIP system, but it’s tough to do it right. So if you’re engaged in a VoIP rollout or are thinking about one, read their book. If you’re not, maybe you should consider yourself lucky.

Stop Web surfers from hurting ...
... themselves and your company. It’s wise, of course, to stop internal users from visiting recognized porn or gambling sites from your company’s PCs. But what about legitimate sites that harbor hidden malware? It’s a growing trend.

For example, according to IDC Denmark, companies in that country were afflicted for the first time last year with more malware originating from Web sites than from e-mail. You could put a filtering appliance on your network that checks for evil exploits buried in Web pages, but you’d likely encounter end-user complaints about latency when the appliance got hammered under heavy loads, says Dan Nadir, vice president of product strategy at ScanSafe Services LLC in San Mateo, Calif.

Nadir argues that only a managed service, such as the one his company offers, can handle peak-demand periods. ScanSafe has a dedicated server farm analyzing everything on Web pages before browsers hit them. Nadir says the company analyzes billions of pages every month. This year, he expects more e-mail filtering services, such as Postini Inc.’s, to offer Web filtering capabilities.

Don’t let your database dictate ...
... the availability of your Web content management system. Cascade Server, an online content management system offered by Atlanta-based Hannon Hill Corp., has many of the same bells and whistles that other CMS tools do. Its role-based access lets end users edit only material they’re authorized to. Its workflow processes can leverage e-mail, RSS and other notification methods. And it can check whether your Web pages meet the needs of handicapped users.

But David Cummings, Hannon Hill’s CEO, thinks Cascade Server’s focus on “aggregating content in a vendor-neutral format” is what really ought to intrigue you. The software achieves vendor independence and ensures high availability by attaching database records associated with each Web page to the page itself. If your database crashes, Cascade still tracks edits, additions, deletions and other changes within the file itself and can be synchronized with your database later. Pricing starts at $40,000 per processor. On March 1, Hannon Hill plans to ship Cascade 5.0, which will include improved site analytics as well as integration with applications from vendors like

Call, don’t write, when you need ...
... technical support. John Ragsdale, vice president of research at the Service & Support Professionals Association, regularly polls SSPA members about IT support trends. One he recently found interesting is that many vendors say they aren’t investing in e-mail response tools, despite an increased volume of e-mail to their support desks. Ragsdale thinks IT staffers are using the phone on matters of some urgency and relegating the use of e-mail to “noncritical issues.” Of course, phone calls are more expensive to handle, which in turn fuels increases in service and support costs. So even if you have an 800 number to dial, it could be a toll call in the end. 


The Surprising Security Threat: Your Printers

Deb Radcliff


Click here to find out more!

January 15, 2007 (Computerworld) The Blaster worm hit McCormick and Co. hard and fast. It entered the famous spice company through a service provider connection and ripped across plants and offices in a matter of hours. What was most vexing, however, was that the virus kept coming back on disinfected network segments.

Upon further investigation, it turned out that Blaster, as well as some instances of the Sasser worm, were trying to repropagate from infected network printers.

“Printers were just one of several types of systems contributing to the nightmare at the time,” says Michael Rossman, who’d just taken over as global director of IT services and information security at McCormick at the time of the worm outbreak in 2003. “Blaster went to all our PCs, our radio frequency units, our handhelds. And, we learned belatedly, it also spread to our printers.”

Blaster and Sasser gave IT execs some religion about the vulnerabilities network printers can introduce to corporate networks, Rossman says. Since then, however, there has been little evidence of printer-based attacks spreading across large networks. Corporate IT shops haven’t been concerned about printer security. Instead of patching and hardening printers, they have been complacent. Security experts say that printers are loaded with more complex applications than ever, running every vulnerable service imaginable, with little or no risk management or oversight.

If these systems aren’t hardened, users may soon find their printers rendered inaccessible by attackers, their valuable documents heisted or their printers turned into remote-controlled bots — launching pads for further attacks.

The problem, of course, is that printers aren’t on the agendas of many security managers. “It’s been my experience that these devices have been completely overlooked from a risk management perspective,” says security researcher Brendan O’Connor. “They’re installed. They work. And nobody pays them any attention until it’s time to install a new paper tray or print cartridge.”

Not So Dumb

In essence, networked printers need to be treated like servers or workstations for security purposes — not like dumb peripherals.

At the Black Hat conference in Las Vegas in August, O’Connor delivered a blow-by-blow presentation on how to bypass authentication, inject commands at the root level and create shell code to take over printers in Xerox Corp.’s WorkCentre line of printers, which run on Linux operating systems. He described the kinds of mischief you could do with a compromised printer, including password-catching, password-snarfing (changing passwords), hijacking functions, grabbing print jobs and playing with a billing program.

O’Connor, who says he has proved in his research lab that these hacks are possible, showed a video of himself exploiting these vulnerabilities in his lab during his Black Hat presentation.

“There are actually a quite a few attack vectors in these printers,” says O’Connor, who by day is a security engineer at a Midwest financial services company he wouldn’t name. “I shared a couple in my talk, and I released a couple others privately to Xerox.”

Xerox thanked O’Connor for his research and issued a patch, according to the IDG News Service, though O’Connor says vulnerabilities remain.

The question remains how many IT departments apply security patches to their printers. “One of the reasons this is a particularly nasty problem is that people don’t update their printer software,” security technologist Bruce Schneier wrote in his blog. “And what about printers whose code can’t be patched?” asked Schneier, who is chief technology officer at BT Counterpane Internet Security Inc. in Mountain View, Calif.

The apathy toward printer security isn’t surprising, since printer attacks have been few and far between in recent years. That’s mostly because, right now, it’s easier just to hack PCs and laptops, says Dean Turner, senior manager for security response at Symantec Corp.

But as those systems become more secure through tougher security standards and best practices, attackers will turn their tools to the next low-hanging fruit, Turner says. And unprotected printers are a logical target.

Last year, Symantec logged 12 new security vulnerabilities for five network printer brands: Brother, Canon, Epson, Fujitsu, Hewlett-Packard, Lexmark and Xerox. Twelve may seem like an insignificant number, but keep in mind that it’s greater than the number of printer-specific vulnerabilities found in 2005 (10). And the number of such vulnerabilities found in the past two years account for nearly half of all printer vulnerabilities identified since 1997 (52). This means we’re in the preattack stage with printers, says Chris Wysopal, former director of research and development at @Stake Inc., a security vulnerability assessment firm that was acquired by Symantec. Printers, he says, are on the radar screen of the hacking community, so it’s only a matter of time before PCs and workstations get hardened and attackers start delivering attacks to printers. Wysopal recalls that while working in the vulnerability research lab at @Stake, he hacked into a printer through the infrared port and changed the administrator password.

There’s a common impression that printers are vulnerable to attacks only from inside a company’s LAN or via remote log-in to a company’s virtual private network, researchers say. But that’s not true, says Alan Paller, research director at the SANS Institute in Bethesda, Md.

“Five years ago, four HP Jetdirect printer controllers were used in a denial-of-service attack that took down an ISP in New Mexico,” says Paller. “And more recently, shared printers have become back doors that allow attackers to bridge from low-security areas to high-security areas.”

All it takes is any remote code-execution vulnerability, such as a buffer overflow or cross-site scripting weakness, to spread a bot to the printer or use the printer as a launching pad for other attacks, says Lamar Bailey, senior operations manager of X-Force, a threat analysis service of Atlanta-based IBM Internet Security Systems. ISS keeps a dozen printers in its security lab so it can test new vulnerabilities.

And, despite opinions to the contrary, network printers are also already at risk of direct Internet attacks, say researchers. The first, and most obvious, link is when organizations put network printers outside the corporate firewall to make remote printing easier for employees. This is something O’Connor, Wysopal and Turner all say they have seen too frequently in their vulnerability assessments for clients.

Furthermore, online print-from-anywhere services are also direct points of attack from the Web. Some of these interfaces include embedded Web servers and/or Web pages with IP addresses. This is why, as part of its risk management policy, McCormick turns off remote print services, says Rossman.

Patch Management

Of all protective measures to be taken on these embedded devices, system hardening and patch management are the most critical, according to security experts. McCormick relies on its printer vendors to distribute firmware updates and software patches, says Rossman, while other administrative chores are handled in-house. But Paller says vendors, in their attempt to offer more services and uses to their customers, actually make it hard to turn off default services and change passwords.

Vendors have made some advances in filtering, document protection and access controls, but they’ve made little headway in comprehensive patch management and system-hardening processes. O’Connor says vendors aren’t always forthcoming with new vulnerability and patch information, making it difficult for IT to manage what is still mostly a manual process.

Until vendors work these things out and users start treating printers like the points of risk they are, network printers will continue to be sitting ducks, waiting for attackers to pounce.

“Network printers are large print devices with embedded Windows systems that are interacting with the network just like any other Windows-based system,” says Rossman. “They need to be secured.”

Printer Security Risks

Risk: Network printers have more vulnerable services running on them than networked PCs do.

•  Remote code execution

•  Sniffing (for passwords and network information)

•  Capture of intellectual property from documents in queue or in local memory

•  Root control of printer services

•  Disable services you don't need.

•  Use vendor-provided document protection features.

•  Change default passwords and encrypt them.


Risk: Network printer applications have a growing number of vulnerabilities.

•  Buffer overflows

•  Cross-site scripting and other common attack methods that disable an application and gain root control

•  Perform better code review.

•  Adopt more secure application development processes.


Risk: Web interfaces, Web servers, Web pages and e-mail are opening printers directly to the World Wide Web.

•  Hijacking or impersonating a remote administrator or user session

•  Malicious code injection

•  Remote control of printer

•  Turn off Web connections unless absolutely needed.

•  Use strong authentication for remote administration.

•  Change default passwords.


IT spending for first responders to reach $4.4 billion by 2011

More interesting news from Datamonitor, the erstwhile market analysis company. According to the firm, state and local government spending on IT for first responders is set to rise from $3.2 billion in 2006 to $4.4 billion by 2011. Driving the market is an increased emphasis in interoperability and a growing confidence that, if the money is there, the technology is getting strong enough to catch it. Nevertheless, public safety agencies continue to report insufficient funding -- as well as interagency bickering over communications formats -- as major obstacles impeding the interoperability process. Another contributing factor, according to analyst Kate McCurdy, is "the fact that agencies receive few directives on which technologies will help them enhance interoperability and there emerges a situation where state and local governments recognize the need to improve interoperability but lack the means to do so."


Homeland security sector to continue impressive growth

The homeland security industry has experienced an impressive growth during the past several years as companies have emerged to meet the need for enhanced security of the nation's borders, critical infrastructure, and people. The industry as a whole should be expected to maintain its growth, but some sectors can expect more funding than others, according to the Homeland Security and Entrepreneurship Center (HSIEC) at Northwestern University.

HSIEC director Bret Johnson said that "Homeland Security is a dynamic marketplace that is still developing, and funding organizations are taking a risk-based approach to backing homeland security companies. It's important to understand which sectors are being given the highest priority before looking for funding."

According to Johnson, the technologies which are likely to advance in 2007 include:

  • Homeland security technologies which are close to deployment. Potential technologies with year or multiple year development cycles will receive less attention than new innovations that piggy-back on existing systems or complement existing systems without substantial disruption
  • Innovations which improve the security of critical infrastructure (transportation network; critical assets such as power, water, and food) but also have a dual/commercial benefit of providing operational efficiencies. For example, software technologies that provide tools for emergency planning and response, and also have the commercial benefit of helping to manage the operation of transportation systems will receive greater consideration
  • Intelligence gathering, information analysis, and data analytics tools. There is great interest in companies that provide new tools to integrate and connect various sources of information and data for predictive modeling, threat analysis, and real time collaboration. There also is demand for new hardware for monitoring assets and information
  • Products and services that enhance emergency preparedness, planning, and response for catastrophic threats including influenza epidemics and natural disasters. Companies that help manage property and transportation assets as well as improve interoperable communications should find some traction
  • Cybersecurity products that help improve the security of the nation's existing cyber infrastructure. A strong focus is placed on identifying and assessing vulnerability and protecting the operation of telecommunication, banking, and finance, and large scale processing infrastructure assets
  • Chemical, biological, radiological, nuclear, and explosives monitoring products, including sensors and detection devices that provide high reliability and quick detection or analysis. In contrast to the near-term requirements of other programs, the Domestic Nuclear Detection Office currently is seeking next generation solutions for nuclear detection systems


Made4biz Security Translating real-world security knowhow into state of the art security systems.
Made4biz Security

Turn on Sound for Demos:
Bill Gates Demo (Location-based)
Elvis Demo (Location/Context-based)
Clint Eastwood Demo (Temporal-based)

Powered by Blogger

Subscribe to
Posts [Atom]

Technorati Profile

RSS Syndication

Made4Biz Security Inc