Archive
2011 Cyber Attacks (and Cyber Costs) Timeline (Updated)
Update: Cyber Attacks Timeline Update for July 2011
As already suggested, I considered the original 2011 Cyber Attacks Timeline graph by Thomson Reuters not complete enough, since it did not show some important attacks that occurred during this tremendous 2011. This is the reason why I decided to draw an enhanced version which shows, according to my personal opinion (and metric), the list of the major 2011 cyber attacks, both by size and by impact. Moreover, in this version I added the cost of the breaches (where possible) and the alleged kind of attack perpetrated.
All the data were taken from the bulletins or statements released by the victims, or from the tweets posted by the attackers.
Costs were calculated, where possible, using the indications from the Ponemon Institute: the average cost of a data breach is US $214 for each compromised record; if the targeted company decides to respond immediately the cost is around US $268 per compromised record, which drops to US $174 if the company takes longer to react.
The total cost is an incredible number: nearly US $18 billion.
Needless to say, Sony achieves rank #1 with US $13.4 billion. In this unenviable chart, Epsilon takes second place with an estimated cost for its breach of US $4 billion.
The other breaches, although not comparable with the previous ones, when summed together make up the grand total.
Even if smaller in size, and apparently in importance, I decided to insert in the chart also the attack on Comodo certificates, which happened on March 24th. In this annus horribilis it came immediately after the RSA affair and, together with the RSA breach, it decreed the fall of the modern bastions of strong authentication (in a few days both tokens and certificates proved to be vulnerable). Moreover, I consider the message of the author a memorable declaration of cyberwar. In the wake of the RSA breach, the wave of attacks against US contractors is noteworthy as well.
Hackers focused on media sites (Fox, PBS, Sony, Sony BMG), with a clear message against censorship (and probably the never-ending problem of copyright). Interesting is the second attack on PBS, made by Warv0x, one of their enemies, to show the poor skills of LulzSec. In the last part of June the videogame industry was the preferred target (Epic also suffered a breach), with different intentions: LulzSec attacked Nintendo and Bethesda (the second attack resulted in a data breach for the victim), but offered to avenge Sega (the manufacturer of the Dreamcast) after its disastrous breach.
Direct attacks on governments consisted essentially of LOIC-based DDoS, although some infamous breaches of related sites (as in the case of Infoguard/FBI and NATO) led to data breaches.
Last but not least, please notice the intense activity of LulzSec in their “50 days of living dangerously”, just before the sudden dissolution of the group on June 25th.
Related articles
- What do RSA, Epsilon and Sony breaches have in common? (paulsparrows.wordpress.com)
- It was only a matter of time… (paulsparrows.wordpress.com)
- More Random Thoughts on the RSA Breach (paulsparrows.wordpress.com)
- 2011 CyberAttacks Timeline (paulsparrows.wordpress.com)
Home Made Mobile Warfare
David has shown me another example of the strict connection between real warfare and mobile warfare, coming from Afghanistan. A few days after the revelations about the Internet in a Suitcase project, funded by the Obama Administration and aimed at deploying a “shadow” Internet and a hidden mobile phone network to be used by dissidents, an independent but somehow similar project has been implemented in Afghanistan. It is called FabFi and it is essentially an open-source, FabLab-grown system using common building materials and off-the-shelf electronics to transmit wireless Ethernet signals across distances of up to several miles. In a few words, the main component of this home-made network can be built out of trash.

The Afghan city of Jalalabad has built a high-speed DIY Internet network with main components built out of trash found locally. A FabFi node can be built out of approximately $60 worth of everyday items such as boards, wires, plastic tubs, and cans that will serve a whole community at once.
Since January 2009, the Jalalabad FabLab demonstrated the capability of the FabFi system by bringing high-speed internet to a village, hospital, university, and a non-governmental organization in Jalalabad, Nangarhar Province, Afghanistan. These low-cost, locally-produced networks can be easily spread across isolated villages and towns, placing them in touch with the outside world and facilitating socio-economic development from the ground up.
Jalalabad’s longest link is currently 2.41 miles, between the FabLab and the water tower at the public hospital in Jalalabad, transmitting with a real throughput of 11.5Mbps (compared to 22Mbps ideal-case for a standards compliant off-the-shelf 802.11g router transmitting at a distance of only a few feet). The system works consistently through heavy rain, smog and a couple of good sized trees.
The project is important from a double perspective: from a technological point of view it allows high-speed connectivity in war zones, or rather in zones lacking conventional broadband. From a sociological point of view it confirms the strict relationship between the Internet and democracy and, (in)directly, it also confirms that the Internet is a fundamental weapon in fights for democracy, what we called Mobile Warfare.
I could not help noticing, while tweeting with my colleague David:
@cencio4 if you make a parallelism with real warfare, it is like building home made weapons for guerrilla.
And, as a matter of fact, to further emphasize the parallelism, he replied:
@paulsparrows that’s exactly what rebels did in Libya with parts of helos on Mad Max-like vehicles
Take the examples of Afghanistan and Libya, swap the terms Internet connectivity and weapons, and the result is exactly the same.
Related articles
- Consumerization of Warfare (paulsparrows.wordpress.com)
- Internet In A Suitcase (paulsparrows.wordpress.com)
- Shareable: Afghans Build Open-Source Internet From Trash (mbcalyn.wordpress.com)
Haul Down the Flag!
Somewhat unexpectedly, after 50 days of apparently unstoppable chaos, the LulzSec hacker group decided to haul down the flag of war and sail to calmer shores, where they will likely not attack other vessels in the sea of the Internet.
The alleged dissolution of the group, which led the cyber-attacks on the CIA, U.S. Senate, Nintendo, Sony, SOCA, NATO and others, was announced in a statement entitled “50 days of lulz”, in which the group took responsibility for the events, reviving the glory days of the AntiSec movement, while claiming not to be permanently tied to the identity of LulzSec.
For the past 50 days we’ve been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others – vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy. It’s what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures. You are not failures. You have not blown away. You can get what you want and you are worth having it, believe in yourself.
Probably this decision was also a consequence of the increasing attention attracted by the group, not only from the CIA and FBI (which arrested an alleged 19-year-old member of the group, Ryan Cleary, whose real involvement, however, is yet to be shown), but also from other hackers: @th3j35t3r, @On3iroi, Web Ninjas and Warv0x (who hacked PBS a second time, just to show that “…LulzSec are just a bunch of script kiddies…”). Against those, in the last days, LulzSec was fighting a war with no holds barred, as in a modern cyber version of a spaghetti western: on one side the so-called good guys trying to unmask the identity of the bad guys with IRC log leaks, DDoS attacks and anti-LulzSec PHP scripts; on the other side the bad guys claiming the futility of the enemy attacks, their poor detective capabilities, and also their “horrible coding” (read this pastebin with the LulzSec fixed version of the PHP script used to scan their domains). At this link the possible identities of the LulzSec members.
As their last goodbye, LulzSec released a final torrent with data taken from AOL, AT&T, NATO and others.
The motivations of the group may or may not be shared, but one thing is certain: the ease with which classified information has been leaked should make us think…
Related articles
- The end of LulzSec? Hacking group says it is disbanding, after 50 days of attacks (nakedsecurity.sophos.com)
Is Your Credit Card Stolen?
Are you a hardcore PlayStation gamer hit by the infamous PSN breach? (the infamous PSN breach, not the (in)famous PS3 hit…) Or rather are you a Citi card holder afraid that your card, not yet replaced, has been compromised?
You can sleep peacefully, since you may check right now, for free, whether your credit card has been compromised. Simply surf to:
http://www.ismycreditcardstolen.com/
Insert your credit card number and check. All for free!
Done? OK, now click on the “About” link on the page to discover that this is a mere provocation made by some coders to educate users about the dangers of phishing, which will surge again after the numerous breaches of sensitive data that are characterizing this 2011.
In any case, better to be careful when playing with credit card numbers, most of all from mobile devices… If you still have any concerns about the leaks by LulzSec and Anonymous, you can always check whether your email addresses and passwords are safe…
Thanks to my colleague Massimo Biagiotti for reporting the link!
Related articles
- How To Buy A Stolen Credit Card (npr.org)
Switch Off The Revolution (With An Infrared Sensor)
Just a couple of months ago, while writing the first post about Mobile Warfare (which would later become Consumerization of Warfare), I expressed some considerations about the growing need of illiberal governments to prevent the use of mobile devices as the preferred media for rioters to capture live images of events and to spread the information all around the globe by means of social networks.
Cutting off the Internet was the first clumsy countermeasure applied by Egypt and Syria, but it is really unlikely that this kind of massive preventive block will be applied again by other countries, because of the huge dependence on the Internet that characterizes our epoch: as a collateral damage, it would stop other vital activities.
As a consequence, I hypothesized that possible future countermeasures will aim to make the source of information (read mobile devices) and the media for sharing it (read social networks) directly unusable, relying upon a new generation of cyber-warfare, including:
A massive denial of service for mobile devices through massive exploitation of vulnerabilities (more and more common and pervasive on this kind of devices), through massive mobile malware deployment, or also by means of mass execution of mobile malware (as, for instance, Google did in order to remotely wipe the DroidDream malware). Honestly speaking, I consider the latter option the least likely, since I can easily imagine that no manufacturer will cooperate on this (but this does not prevent a single country from considering leveraging this channel).
No manufacturer will cooperate on this? Maybe… Too many times reality surpasses imagination, and when it comes to reality surpassing imagination, then surely it comes from Apple. This time, unfortunately, not in the sense we’re used to (admiring products years ahead of the competition, which previously did not even exist in our imagination), but in the sense that a patent recently filed by Apple could implicitly provide cooperation to illiberal governments in preventing smartphones from taking live images of protests.
It looks like Apple is developing software that will sense when a smartphone user is trying to record a live event and then switch off the device’s camera (only the camera; the other functions will not be affected) by means of infrared sensors directly installed on the device. The real reason is probably the need to prevent concertgoers from posting footage of events on YouTube or similar sites (at the expense of the organizers, which sometimes sell their own recordings of the events), which could potentially allow Apple to negotiate better conditions with labels when dealing to place music on sale on iTunes (and could also potentially provide another source of revenue by charging people to film live events).
But besides commercial considerations, there is another important aspect (a collateral damage, I would say). The events of recent months have shown us that concerts were not the only places where phones have been used to capture live images. In North Africa and the Middle East they have been used to document repression and illiberality. But what would have happened if this technology had already been developed? Probably it would have limited the effect of the winds of change in Tunisia, Egypt, Syria and Libya, since mobile devices (and their cameras) played (and are playing) an important role in witnessing the real extent of the events.
Imagine if Apple’s device had been available to the Mubarak regime earlier this year, and Egyptian security forces had deployed it around Tahrir Square to disable cameras just before they sent in their thugs to disperse the crowd.
Would the global outcry that helped drive Mubarak from office have occurred if a blackout of protest videos had prevented us from viewing the crackdown?
This is more than speculation, since thousands of cellphone cameras in the Middle East and North Africa have been used to document human rights abuses and to share them with millions via social media. I went to Libya approximately a month before the beginning of the revolution and I was astonished by the number of iPhones I noticed over there.
This is more than speculation also because the role of mobile technologies in the above-mentioned events has been recognized by Mr. Obama during his speech on the Middle East.
As correctly stated, smartphones like the iPhone and Droid are becoming extensions of ourselves. They are not simply tools to connect with friends and family, but a means to document the world around us, engage in political issues and organize with others. They literally put the power of the media in our own hands.
Apple’s proposed technology would take that power away; that is the reason why the community is mobilizing to urge Steve Jobs to pull the plug on this technology.
Related articles
- Consumerization of Warfare (paulsparrows.wordpress.com)
- Mobile Warfare (paulsparrows.wordpress.com)
- Now Apple wants to block iPhone users from filming live events with their smartphone (dailymail.co.uk)
- Is Apple Launching a Pre-emptive Strike Against Free Speech? (huffingtonpost.com)
- Apple’s bizarre patent (openmobile.posterous.com)
2011 CyberAttacks Timeline
Update June 29: 2011 Cyber Attacks (and Cyber Costs) Timeline (Updated)
I found this interesting graph in an original Thomson Reuters post, showing the timeline of the major 2011 cyber attacks.
The graph shows all the main cyber events of this tremendous 2011 up to June 16th. Actually, to be perfect, it should also include the infamous Epsilon data breach, which happened on March 30th. Probably it had a greater impact in the U.S. than in Europe, but it is clear that the aftermath of this breach will last for years in terms of spear-phishing attacks targeting the affected users.
Moreover, to be “ultra perfect”, it should also include the other attacks discovered against U.S. defense contractors (L-3 on April 6th and Northrop Grumman on May 26th).
Even if some attacks are missing, the graph is useful (and meaningful) to show how easily our data are put at risk.
Of course after June 16th another cyber-attack leading to a breach was perpetrated against Sega (to be added to the list of game publishers), affecting 1.3 million users.
Following the Sega breach, in these last two days, after the #AntiSec manifesto and the consequent teaming up of LulzSec and Anonymous, several government sites have been hit by massive DDoS attacks, including SOCA in the UK, some sites affiliated with PM Silvio Berlusconi in Italy, and some government sites in Brazil.
Related articles
- Sega Hit With Cyber Attack (shoppingblog.com)
- Another Breach In The Wall (paulsparrows.wordpress.com)
AntiSec Operation Lands in Italy
Update 06/22/2011: Other tweets of cyberwar: it looks like Operation #OptItaly is going on. Currently the site http://www.renatobrunetta.it is under DDoS attack and does not reply correctly to connection requests (it takes too long to load and sometimes the page does not open).

It looks like the #AntiSec operation has landed in Italy. The Anonymous boats have fired their ammunition at some websites affiliated with PM Silvio Berlusconi and, although the operation started more than ten hours ago, the situation is not completely back to normal.

Yesterday evening the websites were hit by an impressive wave of DDoS attacks: all the sites were unavailable and, right now, http://www.governoberlusconi.it is still not responding.
This is the first (known) example in Italy of the #AntiSec (Anti-Security) operation launched by the hacker group LulzSec (famous for the repeated attacks on Sony, Nintendo, the CIA and FBI affiliates). The #AntiSec manifesto declares a real cyber war, whose top priority is to steal and leak any classified government information, including email spools and documentation (with banks and other high-ranking establishments declared as prime targets), “teaming up with the Anonymous collective and all affiliated battleships.”
For the record, the first act of this cyberwar was a massive DDoS attack against SOCA on June 20th, and yesterday a fake declaration was posted on pastebin announcing the upcoming release of the 2011 UK Census.
Moreover, yesterday a joint operation between the FBI and Scotland Yard arrested Ryan Cleary, a 19-year-old boy in Essex, claimed to be the head of the LulzSec group. After an initial silence the LulzSec tweets were back, indicating that the arrested boy was a “simple” admin of a server used for IRC (here a full story with an amusing perspective from the famous tabloid The Sun) and was in no way affiliated with the group.
The revenge of the group was merciless: LulzSec replied by leaking the personal information of two hackers claimed to have supported the FBI and Scotland Yard (defined “FBI & other law enforcement clowns”) in the investigations.
The war is just beginning, with no holds barred.
Related articles
- LulzSec Teams With Anonymous, In Operation AntiSec (news.slashdot.org)
- SOCA website scalp claimed by LulzSec in apparent DDoS attack (nakedsecurity.sophos.com)
- Police arrest teen from Lulz Security for DDOS attack (infoworld.com)
Consumerization Of Warfare 2.0
It looks like the consumerization of warfare is unstoppable and getting more and more mobile. After our first post of June 16th, today I stumbled upon a couple of articles indicating the growing military interest in consumer technologies.
Network World reports that the National Security Agency is evaluating the use of COTS (Commercial Off-The-Shelf) products for military purposes and is evaluating several different commercially available smartphones and tablets, properly hardened and secured. The final goal is to have four main devices plus a couple of infrastructure support services. Meanwhile, trying to anticipate the NSA certification process, the U.S. Marines are willing to verify the benefits of military use of smartphones and consequently issued a Request For Information for trusted handheld platforms.
In both cases, the new technologies (smartphones and tablets) are preferred since they are able to provide, in small size and weight, the capability to rapidly access information in different domains (e.g., internet, intranet, secret), geolocation capabilities which are useful in situational awareness contexts and, last but not least, the capability to connect with different media (e.g., personal area network [PAN], wireless local area network [LAN], wide area network [WAN]).
Nevertheless, in a certain manner, the two approaches, albeit aiming at the same objective, are slightly different. The NSA is evaluating the possibility of hardening COTS devices in order to make them suitable for military use, but since this process of hardening, certification and accreditation may take up to a couple of years, which is typically the life cycle of a commercial smartphone or tablet (it sounds quite optimistic, since one year is an eternity for this kind of devices), the RFI issued by the Marine Corps is soliciting system architectures and business partnerships that facilitate low-cost and high-assurance handhelds, where high-assurance means at least meeting the Common Criteria evaluation assurance level (EAL) of 5+ or above. From this point of view the Marines’ approach seems closer to (and hence follows) the approach taken by the U.S. Army, which is already testing iPhones, Android devices and tablets for use in war (a total of 85 apps, whose development cost about $4.2 million; we could nearly speak of a Military iTunes or Military Android Market!).
But the adoption of consumer technologies does not stop here and will probably soon involve also the use of technologies closely resembling the Cloud. As a matter of fact, the NSA plans to develop in the near future a secure mobile capability, referred to as the “Mobile Virtual Network Operator”, which will be able to provide sensitive content to the military and intelligence “in a way that roughly emulates what Amazon does with Kindle”, as stated by Debora Plunkett, director of the NSA’s Information Assurance Directorate, speaking at the Gartner Security and Risk Management Summit 2011 (but the NSA will not be the first to pilot this kind of technology, since NATO is already adopting cloud computing).
Probably this is only one side of the coin. I’m willing to bet that the consumerization of warfare will soon “infect” the armies of different countries and consequently the next step will be the development of weapons (read mobile military malware) targeted at damaging the normal behavior of military smartphones and tablets. On the other hand, the Pentagon has developed a list of cyber-weapons, including malware, that can sabotage an adversary’s critical networks, so it is likely that these kinds of weapons will soon affect mobile devices…
Related articles
- NSA wants bulletproof smartphone, tablet security (infoworld.com)
- Consumerization of Warfare (paulsparrows.wordpress.com)
- NSA Reveals Cloud Plans, May Open-Source Some of Its Software (readwriteweb.com)
Consumerization of Warfare
Written by Andrea Zapparoli Manzoni and Paolo Passeri.
As predicted a couple of months ago, NATO admitted using Twitter in Libya to receive information from rebels about the coordinates and movements of the loyalist troops of Colonel Gaddafi.
Thanks to the famous six degrees of separation and the viral propagation model, Twitter ensures a rapid spread of information, but since it is far from a reliable medium, in this specific circumstance NATO indicated that it “authenticates” the tweets of war by means of more traditional media such as satellite images. This allowed it to verify the consistency of the information received before taking any military action with missiles.
Whether we are aware of it or not, this is the dawn of a new age in warfare, especially for the role played by new technologies (mobile and social networks). An era brilliantly summarized by the term “Consumerization of Warfare”, coined by Andrea Zapparoli Manzoni, which emphasizes the role of new consumer technologies (social networks and mobile) in a new war format (actually I coined the term Mobile Warfare, but unfortunately I have to admit that this term does not express the concept with the same completeness).
The issue is considerably more complicated than a simple tweet or a Facebook status update (a method that, although unconfirmed, is said to have been used by the Syrian government to distribute DDoS software to its supporters for attacking adversary sites), and hides the (usual and well-known) social network security issues, which are projected into a military dimension that extends them to a much larger and more dangerous scale, both for senders and recipients of the tweets.
The main security concern lies in reputation, a blessing and a curse for social networks. As already mentioned, in this specific circumstance the tweets of war were checked with “traditional” methods (anyway this is already an advantage, since it is easier to check the veracity of received information than to probe satellite images searching for enemy outposts), but, generally speaking, in the absence of verification means there is no guarantee concerning the truthfulness of a tweet, which, for instance, might have been modified or manipulated to the point of reversing the original content.
Moreover, the distribution channel is not what one would define “a reliable channel”, and the chronic lack of privacy (which on one hand ensures a rapid spread of the tweets and/or status updates to as wide an audience as possible) makes the tweets easily interceptable by the adversary, which is then able to implement adequate countermeasures before the recipient has time to act (on the other hand, it is rather easy to create a fake profile to follow the tweets or status updates of the enemy). Probably, in order to create some sort of encrypted channel between the peers, it would be more effective to establish a code a priori and not be too explicit in the indications (such as those found here), but from a theoretical point of view nothing prevents a conceptual step forward towards encrypted and authenticated tweets (shifting the problem to the key exchange, but that’s another story). Without letting imagination fly too much, all this delineates a real war strategy through social networks that the armies of the (very near) future will have to take seriously into consideration.
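The “authenticated tweets” idea above, reduced to its simplest form: the sender and the recipient share a key agreed out of band (the key exchange the post leaves as “another story”), every message carries a timestamp and a truncated HMAC tag that still fits in 140 characters, and the recipient rejects anything whose tag does not verify or that is too old to be fresh. This is an added example, not code from the original post; the key, the timestamp and the message texts are constructed for the demo. Note that HMAC gives authenticity and integrity only: the text stays readable to anyone following the feed, which is exactly the interception problem described above, so it would have to be paired with encryption or a pre-agreed code to address confidentiality.

```python
"""Authenticated short messages for an untrusted broadcast channel.

Added example (not from the original post). Each message is tagged with an
HMAC under a pre-shared key so the recipient can detect tampering, forgery
and replay. Key, timestamps and texts below are constructed for the demo.
"""
import base64
import binascii
import hashlib
import hmac
from typing import Optional

MAX_LEN = 140        # Twitter's message limit in 2011
TAG_BYTES = 12       # truncated HMAC-SHA256 tag: 16 base64 characters
MAX_AGE_S = 600      # reject messages older than ten minutes (replay window)
CLOCK_SKEW_S = 60    # tolerate a slightly fast sender clock

DEMO_KEY = b"example-pre-shared-key"   # constructed; in practice agreed out of band
DEMO_T0 = 1308571200                   # constructed Unix timestamp (June 2011)


def sign_message(key: bytes, text: str, timestamp: int) -> str:
    """Return '<timestamp>|<text>|<tag>'; the tag covers timestamp and text together."""
    if "|" in text:
        raise ValueError("text must not contain the field separator")
    body = f"{timestamp}|{text}"
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()[:TAG_BYTES]
    msg = body + "|" + base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")
    if len(msg) > MAX_LEN:
        raise ValueError("signed message does not fit in a tweet")
    return msg


def verify_message(key: bytes, msg: str, now: int) -> Optional[str]:
    """Return the text if the tag verifies and the message is fresh, else None."""
    try:
        ts_str, text, tag_b64 = msg.split("|")
        ts = int(ts_str)
        tag = base64.urlsafe_b64decode(tag_b64 + "=" * (-len(tag_b64) % 4))
    except (ValueError, binascii.Error):
        return None  # malformed message
    body = f"{ts}|{text}".encode("utf-8")
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_BYTES]
    if not hmac.compare_digest(expected, tag):
        return None  # forged, tampered, or signed under a different key
    if ts < now - MAX_AGE_S or ts > now + CLOCK_SKEW_S:
        return None  # stale (possible replay) or implausibly in the future
    return text


if __name__ == "__main__":
    tweet = sign_message(DEMO_KEY, "bridge at km 12 is passable", DEMO_T0)
    print(tweet)
    print(verify_message(DEMO_KEY, tweet, DEMO_T0 + 30))                            # accepted
    print(verify_message(DEMO_KEY, tweet.replace("passable", "blocked"), DEMO_T0 + 30))  # None
    print(verify_message(DEMO_KEY, tweet, DEMO_T0 + 3600))                          # None: too old
```

The timestamp is inside the tagged body on purpose: without it, an adversary who has seen a genuine message could simply repost it later, which is why the recipient also checks freshness rather than only the tag.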
And that is what is already happening: the U.S. Army already has special corps (a kind of Corps of Network and Security Engineers) dedicated to maintaining Internet connectivity in war zones by means of, for instance, drones equipped with special antennas to provide 3G or Wi-Fi connectivity: recent events in the Middle East have shown that social networks are an excellent medium for PsyOps operations as well as for information exchange. As a further confirmation, a few days ago a scoop from the NYT revealed the project funded by the Obama Administration for a portable “Internet in a Suitcase” and independent mobile networks, to ensure connectivity in war zones and/or to back dissidents in overcoming censorship or Internet filters.
But while we are witnessing a growing use of “consumer” technologies in war zones (up to the intention of the U.S. Army to use Android-equipped devices on the battlefield), we are increasingly getting used to coarse countermeasures deployed by illiberal governments as well. Those countermeasures aim to stop internal protests and movements and span from completely shutting down the Internet to filtering social networks. As a consequence we may not exclude “a priori” that in the near future the countermeasures could become more sophisticated: cyber-attacks targeting social networks or tweet spoofing are two realistic possible countermeasures, up to “(Mobile) Malware of State” specifically designed to alter or prevent communications from traditional or mobile endpoints. Fantasy? Maybe, even if social networks have nothing to prove in terms of impact, after some countries preferred to completely shut down the Internet, the real lifeblood of every nation, in order to stop the spread of unwelcome information made of tweets and status updates (every individual may become a war reporter with a simple mobile device).
Maybe one day (soon) the EULAs of social networks will be modified to disallow the use of social media platforms for actions of virtual guerrilla or cyberwarfare: certainly Consumerization of Warfare carries on, amplified, all the concerns of the consumerization of information technology that we have been reporting for two years now, and which are just beginning to show all their malicious effects on security in the enterprise. This might definitely be a huge concern (think of a military device with a 0-day vulnerability exploitable by the enemy) and for sure it is not a good omen, considering that more and more federal agencies are winking at consumer technologies as well.
If you are interested in more information about Consumerization of Warfare (formerly Mobile Warfare), besides the links in the post:
Tweets Of Democracy: The Obama Speech In Middle East and the role of New Technologies;
Mobile Phones Vs Tanks and Tweets Of Freedom: Social Networks and their role in Syrian Revolution;
Mobile Warfare In Libya Comes True: Hacking and Hijacking of Libyana Mobile Operator in Libya.
Related articles
- Tweets Of War Officially Confirmed (paulsparrows.wordpress.com)
- Internet In A Suitcase (paulsparrows.wordpress.com)
- Corps of (Network and Security) Engineers (paulsparrows.wordpress.com)
- Mobile Warfare (paulsparrows.wordpress.com)
When Angry Birds eat Plankton
What happens when Angry Birds eat Plankton? Simple: they become Sick Birds, go to the Android Market and infect more devices with a bot-like malware.
The latest malware found inside the Android Market, dubbed Plankton, has been discovered by the same team which discovered DroidKungFu, led by Xuxian Jiang, Assistant Professor at North Carolina State University. Although the brand new malware does not root the device, it has the bad habit of hiding inside familiar apps related to the popular game Angry Birds. The suspected apps were removed on 6/5/2011, but the malware leverages a new evasion technique which allowed it to stay in the market for more than 2 months without being detected by current mobile anti-malware software, while being downloaded more than 100,000 times.
Plankton is included in host apps by adding a background service: when the infected app runs, it brings up the background service, which collects information, including the device ID as well as the list of permissions granted to the infected app, and sends them back to a remote server, discovered by Sophos to be hosted in the Amazon cloud.
The server replies with a URL that is used to download an additional JAR file with custom code that is loaded by the downloader.
Once the JAR file is downloaded, Plankton uses a technique for loading additional code from non-Market websites, demonstrated by Jon Oberheide about a year ago, providing a potential attacker with a method of circumventing the checks on application functionality made by Google or by another Android Market provider.
The downloaded code opens another connection to the command server and listens for commands to execute.
Although this malware does not root the phone, its approach of loading additional code does not allow security software on Android to inspect the downloaded file in the usual “on-access” fashion, but only through scheduled and “on-demand” scans. This is the reason why the malware was not discovered before.
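What such an “on-demand” scan has to do in practice is the point worth seeing: the second-stage JAR arrives after installation, so the only evidence is a file in the app’s private storage, and it may carry any name the downloader chooses. The following added example (not Sophos’, NC State’s or Google’s code) walks a copy of an app data directory, as an on-demand scanner with sufficient privileges or an analyst with an extracted filesystem image would, and flags files that contain Dalvik bytecode by content rather than by extension: a raw DEX file, or a ZIP/JAR carrying a classes.dex. The directory layout and the file contents are constructed for the demo; the DEX payloads are just headers followed by zeros, not real code.

```python
"""On-demand scan of an app's private storage for dynamically loaded code.

Added example, not code from the vendors or researchers named in the post.
It models the "on-demand" scan the post mentions: walk an extracted copy of
an app's data directory and flag files containing Dalvik bytecode whatever
their name. Paths and sample files below are constructed for the demo.
"""
import io
import os
import tempfile
import zipfile
from typing import List, Optional, Tuple

DEX_MAGIC = b"dex\n"        # Dalvik executable header ("dex\n035\0" on 2011-era devices)
ZIP_MAGIC = b"PK\x03\x04"   # JAR and APK files are ZIP archives


def classify_payload(data: bytes) -> Optional[str]:
    """Identify loadable Android code by content, not by file name.

    Returns 'dex' for a raw Dalvik executable, 'jar-with-dex' for a ZIP/JAR
    that carries a classes.dex (the kind of second stage described above),
    and None for anything else.
    """
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "classes.dex" in zf.namelist():
                    return "jar-with-dex"
        except zipfile.BadZipFile:
            return None
    return None


def scan_app_storage(root: str) -> List[Tuple[str, str]]:
    """Walk an app's private directory; return sorted (relative path, kind) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()  # whole file: a ZIP's central directory sits at the end
            kind = classify_payload(data)
            if kind is not None:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, kind))
    return sorted(hits)


def _make_jar(with_dex: bool) -> bytes:
    """Build a minimal JAR in memory, optionally containing a (fake) classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_dex:
            zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_sample_storage() -> str:
    """Construct a fake /data/data/<pkg>/ tree (sample data, not real malware)."""
    root = tempfile.mkdtemp(prefix="plankton_demo_")
    layout = {
        "cache/plugin.jar": _make_jar(with_dex=True),              # downloaded second stage
        "files/theme.png": DEX_MAGIC + b"035\x00" + b"\x00" * 32,  # raw dex behind an image name
        "files/levels.zip": _make_jar(with_dex=False),             # harmless archive, no code
        "shared_prefs/settings.xml": b"<map/>",                    # ordinary app data
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, kind in scan_app_storage(build_sample_storage()):
        print(f"{kind:13} {rel}")
```

The check is deliberately content-based: an extension filter would miss the DEX file stored as theme.png, while the magic-byte test catches it and still ignores the archive that contains no code. A real scanner would additionally compare what it finds against the code shipped in the installed APK, since any bytecode that was not in the package at install time is exactly what passed the market’s review unseen.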
As a consequence, the pressure on Google is building on two fronts: on one side, users are demanding better security and, on the other side, security vendors are asking for better operating system interfaces to make security software more effective against the ever-increasing tide of Android malware.
Related articles
- Plankton malware drifts into Android Market (nakedsecurity.sophos.com)