Joe Yeager, Security Engineer SPI Dynamics, Inc. – London, England


Page 1: Joe Yeager, Security Engineer SPI Dynamics, Inc. – London, England

Joe Yeager, Security Engineer, SPI Dynamics, Inc. – London, England

Page 2

Overview

• Background
  – Secure Software Forum (SSF)
  – SPI Dynamics
  – Web applications and their vulnerabilities
• Offense
  – Case studies
  – Examples
    • Cross Site Scripting (XSS)
    • Cross Site Request Forgery (CSRF)
    • SQL Injection
    • Blind SQL Injection
• Defense
  – Trustworthy Computing – Security Development Lifecycle
  – Application Security Assurance Program (ASAP)

Page 3

Secure Software Forum (SSF)

• Started February 2005
• Annual education series dedicated to secure software
• Leading security experts collaborate on education initiatives
• Yearly programs include:
  – February kick-off event at RSA
  – Free workshop series
  – Executive dinner series
• http://www.securesoftwareforum.com/

Page 4

SPI Dynamics Overview

• Founded January 2000 by Web application and security experts

• The leader in Web application security assessment throughout the lifecycle

• Eight patents pending or issued

• 1000+ customers all over the World

• Strong in F500, all industries and government

• 2006 Inc. 500 list of fastest-growing private companies

• 2005 Deloitte Technology Fast 500

• 2005 Deloitte Georgia Technology Fast 50

[Chart: Annual Revenue]

Page 5

History of Application Security

Page 6

The Evolution of Web Applications

A typical web application in 2000:

• Basic static HTML pages

• Informational applications

• Not mission critical functions

[Diagram: a collection of static web pages]

Page 7

The Evolution of Web Applications

[Diagram: Browser ↔ Web Server]

Simple, single server solutions

Page 8

Web Application Architecture of Today

[Architecture diagram with these components: Browser, Wireless, Web Services, Web Servers, Presentation Layer, Media Store, Application Server, Business Logic, Content Services, Database Server, Customer Identification, Access Controls, Transaction Information, Core Business Data]

Page 9

Web Applications Breach the Perimeter

[Diagram: Internet → DMZ → Trusted Inside → Corporate Inside. Protocols shown: HTTP(S), IMAP, FTP, SSH, TELNET, POP3. Web servers: IIS, SunOne, Apache. Application servers: ASP.NET, WebSphere/Java. Databases: SQL, Oracle, DB2.]

Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the web server (rule: Any – Web Server: 80).

Firewall only allows applications on the web server to talk to the application server.

Firewall only allows the application server to talk to the database server.

Page 10

Layered Model of Security

Network Layer – Exposed Hosts/Protocols – Network Attacks
Operating System – Known Vulnerabilities, Misconfigurations – OS Attacks
Web Server – Known Vulnerabilities, Misconfigurations – Web Server Attacks
Web Application – Code, Content, Implementation – Web Application Attacks

Page 11

Vulnerability Characteristics

• Extremely easy to exploit
  – Sometimes requires nothing more than a Web browser
  – Orders of magnitude easier than buffer overflows
• Difficult to deal with at the perimeter
  – SSL encrypted traffic, huge volume
  – Rules granular to each input on each page, change as the app changes

Page 12

Vulnerability Remediation

Custom Vulnerabilities – No Notification, Custom Testing, Custom Fix
Uniform Vulnerabilities – Global Notification, Standardized Testing, Single Source Fix

Page 13

Current State of the Industry

Page 14

Compelling Evidence

“Over 70 percent of security vulnerabilities exist at the application layer, not the network layer” – Gartner

“The battle between hackers and security professionals has moved from the network layer to the Web applications themselves” – Network World

“Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money” – Counterpane Internet Security

“64 percent of developers are not confident in their ability to write secure applications” – Microsoft Developer Research

Page 15

Prevalence of Web App Vulns

Page 16

[Bar charts, one per year 2001–2006, y-axis 0.00% to 25.00%. Categories: XSS, Buffer Overflow, SQL Injection, Directory Traversal, PHP File Inclusion, Information Leakage, DoS Malformed Input, Symbolic Link, Format String, Cryptographic Error.]

Mitre CVE Statistics

Page 17

The State of Application Security

[Collage of news headlines]

“'Phishing' scams on the rise, survey finds – Criminals are able to dodge spam filters and other defensive tactics” – Reuters, updated 2:20 p.m. ET Sept. 25, 2006

POSTED: 9:56 a.m. EST, January 23, 2007

“Study Finds Flaws on Web Sites of Major Banks – Internet security experts have long known that simple passwords do not fully defend online bank accounts from determined fraud artists.” – By Brad Stone, NYT, February 5, 2007, Monday

“MySpace Sues Spammer – Lawsuit claims Richter spoofed login pages to steal usernames and passwords in a "phishing" scam.”

Page 18

Web Application Vulnerability Overview

Page 19

Web Application Vulnerabilities

Web application vulnerabilities occur in three major areas:

• Platform
• Administration
• Application

Page 20

Web Application Vulnerabilities

Platform
• Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience – “script kiddies”
• Easiest to defend against among web application vulnerabilities
• Must have streamlined patching procedures
• Must have inventory process

Examples: IIS UNICODE, Apache chunked encoding

Page 21

Web Application Vulnerabilities

Administration
• More difficult to correct than known issues
• Require increased awareness
• Remnant files can reveal applications and versions in use
• Backup files can reveal source code and database connection strings

Examples: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing

Page 22

Web Application Vulnerabilities

Application
• Coding techniques do not include security
• Input is assumed to be valid, but not tested
• Inappropriate file calls reveal source code & system files
• Unexamined input from a browser can inject scripts into a page for replay against later visitors
• Unhandled error messages reveal application and database structures
• Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to business data through a web browser

Examples: Application Mapping, Cookie Manipulation, SQL Injection, Hidden Web Paths, Forceful Browsing, Custom Application Scripting, Parameter Manipulation

Page 23

Cross Site Scripting (XSS)

Page 24

Case Study - Google

[Slide tabs on each case study: Case Study – Demo – Cause – Impact – Fix – References]

Google fixes security flaw in Reader

Google said it fixed a security flaw in Google Reader on Wednesday that could have allowed a hacker to steal sensitive information from Web surfers.

By Elinor Mills, Staff Writer, CNET News.com. Published: July 5, 2006, 5:36 PM PDT

A Google RSS feed addition tool was vulnerable to a cross-site scripting attack, a poster to the Ha.ckers.org blog wrote on Tuesday. Such attacks involve an attacker embedding HTML scripts in Web postings or input fields on a Web site.

"What are the implications of this attack for Google?" the blog posting asked. "Well, for starters, I can put a phishing site on Google. 'Sign up for Google World Beta.' I can steal cookies to log in as the user in question...I can steal your phone number from the /sendtophone application...get your address because maps.google.com is mirrored....The list of potential vulnerabilities goes on and on. The vulnerabilities only grow as Google builds out their portal experience."

Page 25

Case Study - Google

[Screenshot]

Page 26

Case Study - Google

[Screenshot]

Page 27

Case Study - PayPal

Phishing Scam Uses PayPal Secure Servers

Scripting flaw makes fake page with valid security certificate possible. Peter Sayer, IDG News Service, Friday, June 16, 2006 03:00 PM PDT

A cross-site scripting flaw in the PayPal Web site allows a new phishing attack to masquerade as a genuine PayPal log-in page with a valid security certificate, according to security researchers. Fraudsters are exploiting the flaw to harvest personal details, including PayPal log-ins, Social Security numbers, and credit card details, according to staff at Netcraft, an Internet services company in Bath, England. The PayPal site, owned by eBay, allows users to make online payments to one another, charged to their credit cards, and log-in credentials for the service are a prized target of fraudsters.


Page 28

Case Study - PayPal

[Screenshot]

Page 29

XSS Demo Overview

• Definition
  – Client side scripting languages injected into a web page
    • HTML
    • JavaScript
    • VBScript
• Facilitators
  – URL spoofing
  – URL obfuscation
• Mitigating factors
  – Social engineering


Page 30

XSS Demo

Page 31

URL Obfuscation

• Dotted decimal IP addresses
  – URL – http://www.google.com
  – IP – http://216.239.51.99
  – Decimal – http://3639554915
    • 216 * 256^3 + 239 * 256^2 + 51 * 256^1 + 99
  – Octal – http://0330.0357.0063.0143
  – Hexadecimal – http://0xd8ef3363
• Hexadecimal encoded
  – http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
• URLomatic (http://www.samspade.org/t/url)
• TinyURL (e.g. http://tinyurl.com/y8pgom)

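The following is an added example, not part of the original slides: a small canonicaliser that a link checker or mail filter can use to reduce every host spelling on the slide above (dotted, decimal, octal, hexadecimal, %XX-encoded) to one comparable form, so that an obfuscated link is recognised as pointing at the same destination. The function names and the sample URLs are constructed for this example.

```python
# Added example (not from the original slides): normalise the obfuscated host
# forms listed on the URL Obfuscation slide so a defender can compare them.
from typing import Optional
from urllib.parse import unquote, urlsplit


def _ip_part(token: str) -> int:
    """Parse one label of a numeric host the way browsers do:
    0x.. is hexadecimal, a leading 0 means octal, otherwise decimal."""
    tok = token.lower()
    if tok.startswith("0x"):
        return int(tok[2:], 16)
    if len(tok) > 1 and tok.startswith("0"):
        return int(tok, 8)
    return int(tok, 10)


def canonical_ip(host: str) -> Optional[str]:
    """Return the dotted-decimal form of a numeric host (dotted, single
    decimal number, octal or hex), or None if the host is not numeric."""
    parts = host.split(".")
    try:
        values = [_ip_part(p) for p in parts]
    except ValueError:
        return None                         # not a numeric host at all
    if len(values) == 1:                    # one 32-bit number, e.g. 3639554915
        n = values[0]
    elif len(values) == 4 and all(0 <= v < 256 for v in values):
        n = (values[0] << 24) | (values[1] << 16) | (values[2] << 8) | values[3]
    else:
        return None
    if not 0 <= n < 2 ** 32:
        return None
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url: str) -> str:
    """Decode %XX-encoded hostnames and normalise numeric hosts so that every
    spelling of the same destination compares equal."""
    host = urlsplit(url).hostname or ""
    host = unquote(host).lower()
    return canonical_ip(host) or host


def looks_obfuscated(url: str) -> bool:
    """True when the host as written differs from its canonical spelling,
    the signal a mail filter would use to flag a disguised link."""
    raw = urlsplit(url).hostname or ""
    return raw != canonical_host(url)


if __name__ == "__main__":
    # Constructed samples taken from the forms shown on the slide.
    for u in ("http://216.239.51.99", "http://3639554915",
              "http://0330.0357.0063.0143", "http://0xd8ef3363",
              "http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D"):
        print(u, "->", canonical_host(u), "obfuscated:", looks_obfuscated(u))
```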

Page 32

Phishing Attack

• Cross-Site-Scripting attack via emailed vector
• Innocent-looking link has embedded client side script


Page 33

Phishing Attack

No Alarms and No Surprises

• Original legitimate website
• No login errors, no changes, user works normally
• UserID and Password quietly handed off to remote website
• No “<script>” injected

Page 34

Reflected vs. Persistent XSS

Reflected
– Embedded script forwarded to victim, generally via email with the script contained in an obfuscated URL

Persistent
– Permanently embed script into web applications
  • Blogs
  • Shared Calendars
  • Message Boards
  • Web Forums
  • System logs
– Convince victim to visit the vulnerable web page


Page 35

XSS Cause

Cause
– Unfiltered user input is embedded in the web page

Example
– Request
  • http://www.example.com?name=joe&password=secret
– Response
  • ASP
    – Welcome back <% Response.Write(request.querystring("name")) %>
  • PHP
    – Welcome back <?php echo $_GET["name"]; ?>


Page 36

XSS Fix

1. Filter user input
   – Whitelist
   – Blacklist
2. HTML encode user supplied data prior to inclusion in a web page
   – ASP/ASP.Net
     • Server.HTMLEncode(strHTML String)
   – PHP
     • string htmlspecialchars(string string [, int quote_style])

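As an added example (not code from the slides), the "Welcome back" page from the XSS Cause slide rendered two ways: `render_unsafe` mirrors the ASP/PHP snippets that copy the `name` parameter straight into the page, and `render_safe` applies both fixes above, a whitelist on the input followed by HTML encoding of whatever is written out. The whitelist alphabet, the fallback name and the function names are assumptions made for this example.

```python
# Added example (not from the original slides): the two XSS fixes applied to
# the "Welcome back <name>" response shown on the XSS Cause slide.
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed whitelist for a display name: letters, digits, space,
# apostrophe and hyphen, 1 to 40 characters.
NAME_RE = re.compile(r"[A-Za-z0-9 '\-]{1,40}")


def name_from_url(url: str) -> str:
    """Pull the 'name' query parameter, as the slide's sample request does."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_unsafe(name: str) -> str:
    """Equivalent of:  Welcome back <?php echo $_GET["name"]; ?>
    Whatever the browser sent becomes part of the page markup."""
    return "Welcome back " + name


def is_valid_name(name: str) -> bool:
    """Fix 1, whitelist filter: reject anything outside the allowed alphabet."""
    return NAME_RE.fullmatch(name) is not None


def render_safe(name: str) -> str:
    """Fix 1 then fix 2: values failing the whitelist are replaced by a
    constructed fallback, and the value that is written out is HTML encoded
    (the Python counterpart of Server.HTMLEncode / htmlspecialchars) so that
    <, >, &, " and ' can never be read by the browser as markup."""
    if not is_valid_name(name):
        name = "guest"
    return "Welcome back " + html.escape(name, quote=True)


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"          # constructed test input
    print(render_unsafe(probe))                   # markup reaches the browser
    print(render_safe(probe))                     # rejected by the whitelist
    print(render_safe("O'Brien"))                 # accepted, apostrophe encoded
```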

Page 37

XSS References

Whitepapers
• http://www.spidynamics.com/spilabs/education/whitepapers/CrossSiteScripting.html

FAQs
• http://www.cgisecurity.com/articles/xss-faq.shtml
• http://www.owasp.org/index.php/XSS

Cheat Sheet
• http://ha.ckers.org/xss.html


Page 38

Cross Site Request Forgery (CSRF)

Page 39

Case Study - Google

Page 40

CSRF Demo Overview

• Definition
  – An attack that tricks a victim into loading a page that contains a malicious request
    • Exploits the trust established between a web browser and a web app
    • Performs actions on behalf of the victim
    • Targets functions that cause a state change on the server
• Synonyms
  – XSRF, Session Riding, Cross-Site Reference Forgery, Hostile Linking, One-Click attack (Microsoft)
• Facilitators
  – Persistent session credentials
• Mitigating factors
  – Social engineering


Page 41

CSRF Demo

From: Richard M Scheister

To: Michael Sutton

Subject: HackTel - Final Notification - Service to be Discontinued

Dear Customer,

Due to a missed payment on your account, we are going to be forced to disable your internet access. We trust that this is a simple oversight on your part and would strongly encourage you to visit our customer service center immediately to resolve this matter and continue to remain in good standing.

Regards,
Richard M. Scheister, VP Customer Service, HackTel Communications Inc.


Page 42

CSRF Impact


• Actions which were not intended are performed on behalf of the victim
  – Posting to a message board
  – Transferring funds
  – Changing a password
  – Etc.
• Non-repudiation – the victim cannot prove that the actions were not performed intentionally

Page 43

CSRF Cause

• Cause
  – Actions are performed without forcing human intervention
    or
  – Source of the request is not confirmed
• Example
  – GET http://site.com/trade?stock=goog&no=500&action=sell
    or
  – POST /trade HTTP/1.1
    Host: site.com
    ...
    Cookie: SessionID=w5l3xp55viao1455aqkqsaji

    stock=goog&no=500&action=sell


Page 44

CSRF Fix

Countermeasures that do NOT work
– Secret cookies
  • All cookies are transmitted when requests are made
– Using POST instead of GET requests
  • Numerous options for crafting POST requests

Countermeasures that do work
– Server side
  • Per-request nonce for URLs/forms
    – ASP.Net – <%@ Page EnableEventValidation="true" %>
    – J2EE – CSRF Guard (http://www.owasp.org/index.php/CSRF_Guard)
    – PHP CSRF Guard (http://www.owasp.org/index.php/PHP_CSRF_Guard)
  • Force human intervention
    – Secondary login
    – Confirmation email or SMS message
    – CAPTCHA
– Client side
  • Always log out of applications when finished

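An added example (not code from the slides or from the OWASP guards they cite) of the server-side countermeasure that works: a per-request nonce issued with the /trade form from the CSRF Cause slide and checked by the handler. It also shows why the "secret cookie" countermeasure fails, since the forged request arrives with the victim's SessionID cookie but without the token. The session store, field names and the `csrf_token` parameter name are assumptions made for this example.

```python
# Added example (not from the original slides): single-use per-request nonce
# protecting the POST /trade action from the CSRF Cause slide.
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed in-memory state: SessionID cookie value -> session record.
SESSIONS: Dict[str, dict] = {}
TRADES: List[Tuple[str, str, int, str]] = []   # executed trades, for inspection


def login(user: str) -> str:
    """Constructed session setup; returns the value of the SessionID cookie."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "nonces": set()}
    return sid


def issue_trade_form(sid: str) -> str:
    """Server renders the trade form with a fresh, single-use token bound to
    this session. Only a page served by the real site can contain it, so a
    page on an attacker's site cannot supply it even though the browser will
    still attach the SessionID cookie."""
    token = secrets.token_urlsafe(24)
    SESSIONS[sid]["nonces"].add(token)
    return token


def handle_trade(cookie: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """POST /trade handler. Returns (HTTP status, message)."""
    session = SESSIONS.get(cookie.get("SessionID", ""))
    if session is None:
        return 401, "not logged in"
    supplied = form.get("csrf_token", "").encode()
    # Constant-time comparison against each outstanding token for the session.
    match = next((t for t in session["nonces"]
                  if hmac.compare_digest(t.encode(), supplied)), None)
    if match is None:
        return 403, "missing or invalid CSRF token"
    session["nonces"].discard(match)           # a nonce is spent on first use
    try:
        stock, qty, action = form["stock"], int(form["no"]), form["action"]
    except (KeyError, ValueError):
        return 400, "malformed trade request"
    TRADES.append((session["user"], stock, qty, action))
    return 200, "trade executed"


if __name__ == "__main__":
    sid = login("victim")
    # Forged request, as produced by a page the victim was lured to: the
    # browser adds the cookie automatically, but no token is present.
    print(handle_trade({"SessionID": sid}, {"stock": "goog", "no": "500", "action": "sell"}))
    # Legitimate request from the real form carries the token.
    token = issue_trade_form(sid)
    print(handle_trade({"SessionID": sid},
                       {"stock": "goog", "no": "500", "action": "sell", "csrf_token": token}))
```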

Page 45

CSRF References

Whitepapers
• http://www.isecpartners.com/files/XSRF_Paper_0.pdf

FAQs
• http://www.cgisecurity.com/articles/csrf-faq.shtml
• http://www.owasp.org/index.php/CSRF
• http://www.owasp.org/index.php/Testing_for_CSRF


Page 46

SQL Injection

Page 47

Case Study - RI.gov


Hackers steal credit card info from R.I. Web site

Dibya Sarkar

Published on Jan. 27, 2006

A Russian hacker broke into a Rhode Island government Web site and allegedly stole credit card data from individuals who have done business online with state agencies.

The story was first reported by The Providence Journal this morning and comes two days after state and local government officials released national surveys indicating they need more cybersecurity guidance and help in strengthening their systems.

Page 48

Case Study - RI.gov

Page 49

Case Study - CardSystems


Credit card breach exposes 40 million accounts

In what could be the largest data security breach to date, MasterCard International on Friday said information on more than 40 million credit cards may have been stolen.

By Joris Evers, Staff Writer, CNET News.com. Published: June 17, 2005, 4:38 PM PDT

Of those exposed accounts, about 13.9 million are for MasterCard-branded cards, the company said in a statement. Some 20 million Visa-branded cards may have been affected and the remaining accounts were other brands, including American Express and Discover.

MasterCard and Visa both say they have notified their member banks of the specific accounts involved so the banks can take action to protect cardholders. "In sheer numbers, this is probably one of the largest data security breaches," said James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, Calif.

Page 50

Case Study - CardSystems

Page 51

Case Study - CardSystems

Page 52

Case Study - CardSystems

Page 53

SQL Injection Demo Overview

• Definition
  – User input is concatenated into SQL queries
    • Verbose – Server provides detailed error messages
    • Blind – Error messages are suppressed
• Facilitators
  – Majority of websites are database driven
• Mitigating factors
  – Database ACLs can limit access to data


Page 54

SQL Injection Demo

Page 55

Sample SQL - Authentication

POST /hacktel/Login.aspx HTTP/1.1
Host: [email protected]&txtPassword=password

// The two form fields are formatted straight into the SQL text
string sql = String.Format(
    "SELECT * FROM Customers WHERE Email = '{0}' and Password = '{1}'",
    txtEmail.Text, txtPassword.Text);
SqlDataAdapter adapter = new SqlDataAdapter(sql, connection);
DataSet ds = new DataSet();
adapter.Fill(ds);
if (ds.Tables[0].Rows.Count > 0)
{
    // any matching row is treated as a successful login
}


Page 56

SQL Injection Impact

• Confidentiality
  – SELECT
• Data integrity
  – INSERT, DROP, DELETE
• Authentication bypass
  – ' OR 1=1 --
• System compromise
  – Stored procedures
  – Extended stored procedures


Page 57

Database Driven Page

• Page reads ErrorCode from the request
• Uses ErrorCode in a SQL query
• Writes the results of the query


Page 58

Common Database Query

Query written as a text string, with the query parameter appended to it:

sSql = "select ErrorMessage from ErrorMessages where ErrorCode = " & Request("ErrorCode")

Resulting query for ErrorCode=2:

select ErrorMessage from ErrorMessages where ErrorCode = 2


Page 59

Problem: Unvalidated Input

• Invalid character entered is used in the query
• Resulting back-end query produces an ODBC error message

select ErrorMessage from ErrorMessages where ErrorCode = 2'


Page 60

Piggybacking queries with UNION

Values entered into the parameter ErrorCode now have the ability to modify the query itself (instead of just being a parameter to the query):

select ErrorMessage from ErrorMessages where ErrorCode = 9 union select name from sysobjects where xtype='u'

The UNION keyword tells SQL to combine two statements into one.


Page 61

Enumerate all tables in the database

• sysobjects stores the names of the tables in the database
• name = name of table
• xtype = type of table (system, user)
• xtype='u' = all user tables, no system tables


Page 62

A SubQuery Enumerates Columns in the Table

• Columns are stored in syscolumns
• Keyed on id
• Subquery against id in sysobjects for the table you want

select name from syscolumns where id=(select id from sysobjects where name='table')


Page 63

Select the data from the column

4 HTTP packets to your data

1. Find the injection
2. Select tables from sysobjects
3. Select columns from syscolumns
4. Select data from the column


Page 64

Stored Procedures / Extended Stored Procedures

• xp_cmdshell
  – exec master..xp_cmdshell 'dir'
• xp_regread
  – Read registry keys
• xp_makecab
  – Build compressed archives
• xp_terminate_process
• sp_addextendedproc
  – Custom extended stored procedures
• sp_makewebtask
  – Export results to a web page

Page 65

Blind SQL Injection

Page 66

Blind SQL Injection Demo

Page 67

SQL Injection Fix

1. Harden SQL server
2. Filter user input
   – Whitelist
   – Blacklist
3. Parameterized SQL queries

   SqlConnection objConnection = new SqlConnection(_ConnectionString);
   objConnection.Open();
   SqlCommand objCommand = new SqlCommand(
       "SELECT * FROM User WHERE Name = @Name AND Password = @Password",
       objConnection);
   objCommand.Parameters.Add("@Name", NameTextBox.Text);
   objCommand.Parameters.Add("@Password", PasswordTextBox.Text);
   SqlDataReader objReader = objCommand.ExecuteReader();

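An added example, not code from the slides: the login query from the "Sample SQL - Authentication" slide built by string formatting beside the parameterized form from the fix above, plus the ErrorCode lookup from the "Common Database Query" slide with the integer check that the "Unvalidated Input" slide calls for. It runs against an in-memory SQLite database with constructed rows; table and column names follow the slides, the sample accounts and the function names are assumptions.

```python
# Added example (not from the original slides): concatenated vs. parameterized
# SQL for the two queries the SQL Injection slides walk through.
import sqlite3
from typing import List, Optional, Tuple

# Constructed schema and rows mirroring the slides' Customers / ErrorMessages.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
    CREATE TABLE Customers (Email TEXT, Password TEXT);
    INSERT INTO Customers VALUES ('alice@example.test', 'alice-pw'),
                                 ('bob@example.test', 'bob-pw');
    CREATE TABLE ErrorMessages (ErrorCode INTEGER, ErrorMessage TEXT);
    INSERT INTO ErrorMessages VALUES (2, 'Account locked'), (9, 'Unknown error');
""")


def login_concat(email: str, password: str) -> List[Tuple]:
    """Vulnerable: the form fields are formatted into the SQL text, exactly
    as the String.Format call on the slide does."""
    sql = ("SELECT * FROM Customers WHERE Email = '{0}' and Password = '{1}'"
           .format(email, password))
    return CONN.execute(sql).fetchall()


def login_param(email: str, password: str) -> List[Tuple]:
    """Fixed: placeholders; the driver sends the values separately from the
    statement, so quotes and comment markers in the input stay data."""
    sql = "SELECT * FROM Customers WHERE Email = ? AND Password = ?"
    return CONN.execute(sql, (email, password)).fetchall()


def error_message_concat(error_code: str) -> str:
    """Vulnerable: the classic-ASP  sSql = "..." & Request("ErrorCode")  pattern.
    A stray quote (2') raises a database error, which is the verbose-injection
    tell the slides describe."""
    row = CONN.execute(
        "select ErrorMessage from ErrorMessages where ErrorCode = " + error_code
    ).fetchone()
    return row[0] if row else ""


def error_message_safe(error_code: str) -> Optional[str]:
    """Fixed: whitelist the value as an integer, then bind it. Anything that
    is not a number (2', 9 union ...) is rejected before reaching the DB."""
    try:
        code = int(error_code)
    except ValueError:
        return None
    row = CONN.execute(
        "SELECT ErrorMessage FROM ErrorMessages WHERE ErrorCode = ?", (code,)
    ).fetchone()
    return row[0] if row else ""


if __name__ == "__main__":
    bypass = "' OR 1=1 --"          # the authentication-bypass string from the Impact slide
    print("concat rows:", len(login_concat(bypass, "x")))   # every customer
    print("param rows: ", len(login_param(bypass, "x")))    # none
    print(error_message_safe("2"), error_message_safe("2'"))
```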

Page 68

SQL Injection References

Whitepapers
• http://www.spidynamics.com/spilabs/education/whitepapers/SQLinjection.html
• http://www.spidynamics.com/assets/documents/Blind_SQLInjection.pdf
• http://www.nextgenss.com/papers/advanced_sql_injection.pdf

FAQs
• http://www.cgisecurity.com/development/sql.shtml
• http://www.owasp.org/index.php/SQL_injection

Cheat Sheets
• http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/
• http://www.jungsonnstudios.com/blog/?i=14&bin=1110


Page 69

Managing Software Assurance

Page 70

Web Application Security Programs

Web application security programs
• Enabled across the software development lifecycle (SDLC)
• Leverage automated assessment software
• Involve cross functional teaming
• Require executive sponsorship

[Timeline 2000 → 2006: Networks secured, applications vulnerable → Early adopters begin manual application testing → Certain industries make automated application assessments standard practice → These early adopter industries establish application security programs]

Page 71

Policies are a good start…

• Policies can:
  – Give guidance and articulate what is expected during the software lifecycle
  – Mandate verification
    • VISA PCI
    • HIPAA, SOX, GLBA, Privacy policies
• Policies do not:
  – Take the place of a mature SDLC
  – Ensure that applications are secure

Page 72

NSA using Persistent Cookies

Page 73

White House using Persistent Cookies

Page 74

Security and the SDLC

[Diagram: SDLC phases Requirements, Development, QA Test, Design, Release, Support & Services, with SECURITY spanning all of them]

• Problems are a part of the way we build software
• Solutions need to be part of the process

Page 75

Elements that Drive Change

People: Providing guidance on secure application development
Tools: Providing the most innovative tools
Process: Security cannot be an afterthought

Page 76

People: Education As a Driver

Education – Train every Developer and IT Professional on security
Patterns & Practices – Dedicated team focused on security guidance
MSDN and TechNet – Sharing whitepapers and “how tos”

Page 77

Process: Security Development Lifecycle (SDL)

• Reduce the number of security errors
• Reduce the severity of any security errors not found
• Reduce the attack surface

Page 78

Tools: Innovation and Automation

Tools facilitate creating secure applications

• Static Analysis – Scan your code for security vulnerabilities
• Seamlessly create applications for a custom zone
• Create non-admin apps
• Secure by Default – Use features like the /GS switch and SafeCRT libraries to create secure apps
• Nurturing the Partner Ecosystem

Page 79

Engineering Excellence – Focus Yielding Results

[Chart with the figures 55, 17 and 455]

Page 80

Application Security Assurance Program – Maturity Model & Best Practices

Page 81

Application Security Assurance Program (ASAP)

[Maturity matrix across Technology, People and Process, running from Reactive & Tactical to Proactive & Strategic. Cells: Organizational Silos; Cross-Functional Teams; Management, Executive Buy-in, Integrated Organization; Integrated Development & QA Tools; Security Department Testing Tools; Policy-driven Secure SDL; Developer Awareness; Technical & Management Curriculum]

• ASAP Maturity Model is about defining a roadmap and execution of the SDL
• Organizations should implement their own Trustworthy Computing Initiative tailored to their own needs
• Describes the programs needed to integrate security throughout the software development lifecycle and throughout the production lifespan of the application
• A holistic program providing end to end lifecycle coverage while spanning People, Process and Technology

Page 82

ASAP Maturity Model – Level 1: Reactive & Tactical

[Matrix (Technology, People, Process; Reactive & Tactical → Proactive & Strategic) with these cells highlighted: Organizational Silos; Security Department Testing Tools]

Characterized By:

• Security team finds application vulnerabilities from initial scanning efforts

• Most vulnerabilities require development fixes

• Vulnerability reports sent to development

• Development pushes back due to short timelines & business impact of security rework

• Due to a lack of application security training, issue acceptance and resolution is difficult


Page 83

ASAP Maturity Model – Level 2: Planned & Purposeful

[Matrix (Technology, People, Process; Reactive & Tactical → Proactive & Strategic) with these cells highlighted: Organizational Silos; Cross-Functional Teams; Integrated Development & QA Tools; Security Department Testing Tools; Developer Awareness]

Characterized By:

• Security team conducts assessment

• Developers trained on security

• Vulnerabilities still require development fixes

• Vulnerability reports sent to development

• Now, developers understand the issues

• The development process still doesn’t include proactive secure development.

Page 84

ASAP Maturity Model – Level 3: Proactive & Strategic

[Matrix (Technology, People, Process; Reactive & Tactical → Proactive & Strategic) with all cells highlighted: Organizational Silos; Cross-Functional Teams; Management, Executive Buy-in, Integrated Organization; Integrated Development & QA Tools; Security Department Testing Tools; Policy-driven Secure SDL; Developer Awareness; Technical & Management Curriculum]

Characterized By:

• Vulnerability management software used across SDLC

• Security processes in place across SDLC

• Security integrated into entire development lifecycle

• All levels of the organization committed to security

• Complete security curriculum standard practice

Page 85

ASAP Best Practices

[Diagram: SDLC phases Requirements, Development, QA Test, Design, Release, Support & Services, on a scale from Reactive & Tactical to Proactive & Strategic, with these practices placed along it:]
• Regulatory Compliance
• Infrastructure assessment
• Automated assessment tools
• Security services
• Pen Testing
• Security training
• Security kickoff
• Infrastructure Design
• Development assessment tools
• QA assessment tools
• Create development standards
• Threat Modeling
• Secure code library
• Source code review

Page 86

Cost of Fixing Vulnerabilities

Design – 1X
Development (Static Analysis) – 6.5X
Testing (Integration Testing, System/Acceptance Testing) – 15X
Deployment (Customers in the Field) – 100X

Source: IDC and IBM Systems Sciences Institute

Page 87

Questions?

Page 88

Resources / Contact Information

Workshop Overview (slides and URLs) – http://www.securesoftwareforum.com/sutton
Secure Software Forum – http://www.securesoftwareforum.com
Blog – http://portal.spidynamics.com/blogs/msutton
Whitepapers – http://www.spidynamics.com/spilabs/education/whitepapers.html
– SQL Injection
– Blind SQL Injection
– Cross-Site-Scripting
– LDAP Injection
– SOAP Attacks

Joe Yeager – Me (SE) – [email protected]
Buckley – [email protected]