Tuesday, 19 February 2013
Are You Gambling with Your Mission-Critical Security Assets?
You’ve probably met someone like Patrick—the password post-it 
scribbler. Whenever end-user Pat signs up for an online service, the 
registration process forces him to create a strong password with special
 characters. Frustrated with all of the complicated passwords that he 
has to track, Pat jots the password down on a post-it note, which he 
sticks to his computer screen—for anyone to find and use.
What would you think if Pat was managing your company’s data security—particularly if your company must comply with data security regulations such as PCI DSS 2.0, SOX, HIPAA, GLBA, and the European Data Disclosure Act?
But,
 you might protest, my IT security professionals have responded 
diligently to the mandates of these regulations, deploying vast numbers 
of encryption keys and certificates to secure a wide array of platforms,
 applications and services. Unfortunately, in these piecemeal 
deployments, effective management has fallen by the wayside. Keys and 
certificates are deployed across disparate systems, applications, and 
business solutions in a stove-piped fashion, accessible to multiple 
administrators without audit or access control.
Overburdened security professionals, like frustrated Pat, turn to 
whatever costly and error-prone management processes that they can 
cobble together, often relying on nothing more than spreadsheets that 
list deployed keys and certificates with their expiration dates—and 
little better than a password on a post-it note.
Are you gambling a successful audit on key management processes that 
fail to measure up? Manual processes leave you vulnerable, either 
because managers fail to implement best security practices or because 
they choose to maliciously exploit their knowledge—as 40 percent of IT 
professionals admit that they could. Lack of management solutions or 
clear policies have driven administrators to expose private key security
 and compliance vulnerabilities in several ways:
• Storing multiple keys in a keystore to which many managers have shared access
• Using the same passwords to protect multiple keystores
• Distributing keys widely in even more insecure ways such as USB drives, email, and FTP servers
• Failing to rotate keys periodically
Regulatory bodies recognize this vulnerability and have mandated 
policies to protect against it. PCI, for instance, in the recently 
released PCI DSS 2.0
 standards, has clarified that encrypted data remains within its 
auditing scope because encrypted data is only as secure as the key that 
decrypts it. Just as compliant organizations have implemented processes 
to secure sensitive data—complete with clearly-defined policies, 
regulated work flow, access controls, and audit trails—they must now 
implement processes to secure encryption keys.
You might be tempted to increase the IT staff to enhance manual management processes. However, manual management always leaves vulnerabilities, either because managers fail to implement best security practices or because they can, if they choose, maliciously exploit their knowledge. Without automated access and workflow controls, a larger staff only exposes private keys to more people. A recent survey revealed that 40 percent of IT employees admit that they could hold their former employer hostage by withholding a key to which they still have access. With IT staff turnover that is faster than certificate rotation in many companies, the risks increase.
Manual key management simply does not ensure that keys are securely 
generated, distributed, deployed, maintained, and rotated as 
regulations—and best security practices—require.
Hefty, potential fines for failing to comply with regulations are 
risk enough, but the risks of ignoring these vulnerabilities extend even
 further:
• Loss of service—If 
administrators fail to renew a certificate before it expires, the 
applications that rely on that service fail, often without any prior 
warning.
• Security breaches—After
 all, regulations are not designed to give you and your staff headaches;
 they’re designed to protect you and your customers from security 
breaches that expose your customers to identity theft and your company 
to a ruined reputation.
You need an enterprise-focused encryption management solution that 
cuts across your diverse systems, platforms and applications to manage 
the key and certificate lifecycle transparently but securely. The 
solution should leverage existing solutions and automate processes based
 on your security policies, including:
• Generation, distribution, and management of keys and certificates that comply with company security policies
• Configuration of the applications that use keys and certificates
• Monitoring and reporting on the status of each managed component with logging and audit trails
• Enforcement of workflow and access 
controls that segment management duties according to company policies 
and impose dual control for all sensitive keys
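The four requirements above are what an automated lifecycle tool would enforce; the following is an added example, not code from the original article, that shows the checks in their simplest form over a small constructed inventory. Field names (`expires`, `created`, `admins`, `dual_control`), the thresholds, and the sample assets are all assumptions for illustration.

```python
# Added example (not from the original article): a small audit over a
# constructed key/certificate inventory, flagging the conditions the
# article warns about: certificates nearing expiry, keys past their
# rotation age, keystores shared by many administrators, and sensitive
# keys without dual control. Field names and thresholds are assumptions.
from datetime import date

# Constructed inventory. Dates are ISO strings; "admins" lists who can
# access the keystore; "dual_control" says whether two people must
# approve use of the key.
INVENTORY = [
    {"id": "web-tls-01", "kind": "certificate", "expires": "2013-03-05",
     "created": "2012-03-05", "admins": ["alice"], "sensitive": False,
     "dual_control": False},
    {"id": "db-master-key", "kind": "key", "expires": None,
     "created": "2010-01-15", "admins": ["alice", "bob", "carol", "dave"],
     "sensitive": True, "dual_control": False},
    {"id": "vpn-ca", "kind": "certificate", "expires": "2016-01-01",
     "created": "2012-11-01", "admins": ["bob", "carol"],
     "sensitive": True, "dual_control": True},
]

# Policy thresholds (assumed values, not from the article).
EXPIRY_WARNING_DAYS = 30
MAX_KEY_AGE_DAYS = 365
MAX_ADMINS_PER_KEYSTORE = 2


def audit(inventory, today_iso, warn_days=EXPIRY_WARNING_DAYS,
          max_age_days=MAX_KEY_AGE_DAYS, max_admins=MAX_ADMINS_PER_KEYSTORE):
    """Return a list of (asset id, finding) tuples, one per policy violation."""
    today = date.fromisoformat(today_iso)
    findings = []
    for item in inventory:
        created = date.fromisoformat(item["created"])
        # Expiry: an expired certificate means a loss of service; a
        # certificate inside the warning window needs a renewal ticket.
        if item["expires"] is not None:
            days_left = (date.fromisoformat(item["expires"]) - today).days
            if days_left < 0:
                findings.append((item["id"], "expired"))
            elif days_left <= warn_days:
                findings.append((item["id"], f"expires in {days_left} days"))
        # Rotation: keys older than the policy age must be re-generated.
        if (today - created).days > max_age_days:
            findings.append((item["id"], "past rotation age"))
        # Access control: a keystore shared by many administrators.
        if len(item["admins"]) > max_admins:
            findings.append((item["id"], f"shared by {len(item['admins'])} admins"))
        # Dual control for every sensitive key.
        if item["sensitive"] and not item["dual_control"]:
            findings.append((item["id"], "sensitive key without dual control"))
    return findings


if __name__ == "__main__":
    for asset, finding in audit(INVENTORY, "2013-02-19"):
        print(f"{asset}: {finding}")
```

Run against the constructed inventory on the post's date, the script reports the web certificate as expiring in 14 days and the database master key as over-aged, over-shared and lacking dual control; the findings list is the audit trail the article asks for, and would normally be written to a log rather than printed.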
Too many IT and risk managers are surprised by the security breaches, compromised keys, or operational failures that result from sheer neglect when valuable keys are left as exposed as a password on a post-it—but they shouldn’t be, and neither should you. You can take steps to protect your encryption assets, or you can let it be your CEO on the evening news.
If PCI Is Your Whole Security Program, You’re Not Doing Your Job Right
For most 
CISOs, the pain of an audit is part of the job, but it doesn’t have to 
be the nightmare that most of the IT community envisions. While 
attending the SOURCE Boston conference last week, your faithful SecurityWeek
 correspondent attended a rather frank discussion centered on the pain 
of a PCI assessment, and why the said pain is completely unwarranted. 
Here’s a recap of the talk.
Presented by Michelle Klinger, a Sr. Consultant with EMC, and Martin Fisher,
 the Director of Information Security for WellStar Health System, the 
talk looked at the PCI assessment process from the perspective of a 
former QSA and an active security manager.
The goal 
was to highlight some basic processes that business leaders can follow 
in order to get through the assessment with as little stress as 
possible, a task that seems harder than it actually is.
Making the best of the situation 
The talk started with a simple fact. Most of what those in the IT community think they know about PCI assessments is wrong.
“Like most
 stories there’s two sides to it. Most of the horror stories that I’ve 
personally experienced, eighty percent of the blame went on the CISO at 
the time, and with the way he tried to manipulate the situation.”
At the 
same time, when the experience is a positive one, this too can be placed
 at the feet of the executive that is leading it. No matter what, the 
general tone of the process is set before the assessment starts.
Before The Assessment 
One of the
 first things that a QSA will look to accomplish is the establishment of
 an initial rapport with the organization’s leadership and their teams. 
The idea is to discover what it is that the company is looking for. 
Obviously, Klinger explained, they want a compliant ROC (Report on 
Compliance), but what if there’s more? Organizations that are clear on 
what it is they hope to accomplish, such as using the ROC to push 
various security initiatives, will be helping themselves as well as the 
QSA in the long run.
The other 
side to this helpfulness is documentation. Assessments can sometimes 
require lots of documentation. Having the proper documents in place can 
mean the difference between a useless assessment, and one that actually 
gets stuff done, Klinger explained.
It isn’t as if the documents a QSA needs, or how they validate the PCI process, are a secret; it’s well documented. Yet this area sometimes causes problems, as organizations come to the table unprepared, which in turn leads to issues further on.
With that said, prior to the QSA arriving onsite, make sure that an agenda has been discussed beforehand, that all the people needed for the meeting are available, and that documents are in order, to prevent time being wasted, Klinger added. The documentation itself should have timestamps and dates whenever possible, especially if they are screenshots.
The documentation should be as close to real time as possible, as to show what is going on in the organization’s environment.
Even 
better, when the documentation is collected, present it to the QSA as a 
map. This will enable the organization to show the QSA that document X 
is looking to satisfy requirement Y. In the long run, the document map 
is a timesaver and will benefit both sides of the process.
“From a 
CISO perspective, if you don’t start this process well you’re going to 
be hosed,” Fisher said. “While as a CISO or a director, you might not be
 able to pick the QSA firm... you do have the ability to choose who the 
individual assessor is. This is a critical, key first step.”
CISOs 
should interview potential QSA candidates as if they were interviewing 
an employee. For example, Fisher added, use hypothetical questions and 
situations. “If their personality is one that will rub everybody on your
 team wrong, don’t use that person.”
Another thing for CISOs to consider is the truth.
“You need 
to be honest as a CISO. I’m not saying it’s like walking into a 
confession booth, ‘forgive me assessor for I have sinned,’ and just lay 
everything out. I’m not advocating that at all. But don’t lie. Because 
once you’ve lost your credibility with the QSA, their only recourse is 
to do a fishing expedition. It’s ugly and it’s painful, and you don’t 
want to be there,” Fisher explained.
“You also 
need to make sure that your team understands that lying to the QSA, is 
going to give them the opportunity to add value to other organizations –
 other than your own – very quickly. Don’t tolerate it from your staff.”
During the Assessment 
One of the
 things a QSA will look for is inconsistencies. This isn’t that they are
 searching for lies, but they are looking for communication breakdowns 
between policy makers and those with “boots on the ground.”
This is why it matters that the documentation is prepared and that the correct people with the relevant information are available from the start. It’s also why honesty is important. Communication breakdowns happen, and often no one is aware of them, so this provides an opportunity to correct them and strengthen the organization.
“I can’t 
tell you how many times I’ve been stood up for meetings,” Klinger said. 
“The QSA, you have to understand, as well as the people being 
interviewed, want this to be done.”
Planning 
meetings with a QSA and then canceling them at the last moment or not 
showing up entirely wastes time, and time can translate into money. 
Cancelations are expected, but if a meeting has to be canceled, then 
there should be as much notice as possible and an alternative date and 
time proposed in order to reschedule.
It’s basic
 politeness in many cases, but it can go a long way towards keeping the 
assessment process smooth. The last thing an organization or its staff 
needs is a QSA hunting people down. Most times these meetings can be 
painful, which in some cases are why they’re avoided. But, Fisher added,
 the CISO should make it clear that the meetings are important and the 
pain from the meeting is nothing compared to the pain that could come 
from blowing them off or neglecting them.
Another
 thing for organizations to remember, particularly the CISO, is the 
importance of managerial support. CISOs need to be supportive of their 
teams during the process and encourage them to work with the QSA, not 
against them. Again, being honest and open will play a large role in 
this.
However, 
on the other side of support is influence. CISOs that try to strong arm 
the QSA, or improperly influence the process, will cause more harm than 
good. In short, this is a career-ending move in some business segments.
Never let the QSA be in charge. They need scope and boundaries, and the CISO needs to enforce this. If the QSA doubts the CISO or his staff’s honesty, “you’re done,” Fisher explained.
“They’re not going to believe anything you say. The assessment will take longer, and instead of giving you the benefit of the doubt on something that’s on the cusp – you’re toast.”
The bottom
 line is that given the fact that one cannot improperly influence the 
QSA or even appear as if they’re doing so, should there be a problem 
with the QSA, the CISO needs to address this with the QSA’s boss. 
However, if the QSA was interviewed previously, this shouldn’t be an 
issue.
After the Onsite Assessment 
Before the
 QSA leaves, get a meeting with them to offer an overview of the major 
items that they’ve identified. This helps management get an idea on the 
level of effort needed for remediation. It also helps with identifying 
potential discrepancies.
In addition, the organization needs to make sure that outstanding items are delivered in a timely fashion. Outstanding items happen. This is part of the process, but it’s something that must be addressed sooner rather than later. Also, make sure that the QSA delivers a list of findings.
CISOs 
should just expect this, but make sure that it’s clear to the QSA that 
this is to be delivered ASAP. The QSA is relying on the organization to 
review the findings and discuss them. As remediation begins, keep the 
QSA in the loop and communicate with them periodically as changes are 
made.
“The biggest mistake that too many CISOs make is they don’t realize the ROC is negotiable,” Fisher said.
“Now I’m 
not saying that you can bend reality. I’m not saying that at all. But 
for example, in certain industries, certain words [have different 
meanings]... If in your conversation with the assessor, if they keep 
using a word that to them is a middle sized problem, but in your world 
it means the four horsemen are saddling up, explain to them the cultural
 context of that word...”
Doing so will allow the ROC to use language that the organization’s board of directors and senior leadership understand. It also enables the CISO to ensure that the ROC is accurate.
From 
there, the CISO needs to use the ROC and determine where the 
organization “needs to go from here,” Fisher adds. However, while it is 
vital that the CISO form a plan, they cannot use the list of remediation
 items as their plan.
“If you do
 that, you suck,” he said. “PCI is not your whole program. If PCI is 
your whole program, you’re not doing your job right.”
In the 
end, assessments can be heaven or hell. “You either get a Scotch that’s 
warm and peaty or you get a warm bottle of Zima,” Fisher humorously 
concluded.
The 
quality of beverage (and the assessment) and the level of pain, is 
completely in the hands of the organization. With a little effort and 
some focus, it’s entirely possible for CISOs and their teams to not only
 survive a PCI assessment, but also survive it with their sanity intact.
6 Steps to Acing Your Next Firewall Audit
Certainly we are no strangers to 
increased regulations, standards and internal policies, and the 
resulting audits that impact most organizations – often multiple times 
per year. 
While regulations and ensuing IT 
audits go beyond firewalls and firewall policies, these devices are 
often a good place to start when it comes to becoming "audit-ready" and 
gaining continuous visibility of what's going on in your network. 
Here are six steps to ensure you ace your next firewall audit: 
Step 1: Gathering Pertinent Information Before You Undergo an Audit 
Once 
you’ve gathered this information, it is imperative that you can 
aggregate and update this information in something better than a 
spreadsheet because you're most likely going to have multiple audits per
 year and spreadsheet compliance usually ends up badly. 
Step 2: Review Your Firewall Change Management Process 
Poor documentation of changes, including why the change is needed, who authorized the change, etc., and poor validation of the impact on the network are two of the most common issues when it comes to firewall change management. As time goes on, this challenge is exacerbated by staff turnover – the internal knowledge base of why a change was made disappears, and you’re left wondering what you should do – and by poor documentation. Make sure you have regular reviews of the procedures for rule-base maintenance and that you can determine:
• If there is a formal and controlled process in place to request, review, approve and implement firewall changes.
• Whether or not all of the changes have been authorized. If you discover unauthorized rule changes, flag them for further investigation.
• If real-time monitoring of changes to the firewall is enabled and access to rule change notifications is granted to authorized personnel.
Taking these recommendations into account will get you off to a good start with solidifying your firewall change management processes and ensuring continuous compliance.
Step 3: Audit Your Firewalls' Physical and OS Security 
Make 
sure you can define and enforce corporate baselines... and report 
against them so you know where you stand. By reporting against these 
baselines that you determine, you will always be "in the know" of your 
firewalls' configuration status and how they stack up to the policy. 
Ensure your firewalls and management servers are physically secured with
 controlled access and that the OS passes common hardening checklists. 
Step 4: Clean Up and Optimize Your Rule Base
Over 
time, firewall policies have more and more rules added, removed and 
changed, and oftentimes with little documentation for the what, why, 
who, etc. This creates unnecessary overhead in the audit process and 
slows down firewall performance. Identify and remove unused rules and 
objects as well as covered rules, consolidate similar rules and tighten 
overly permissive rules (i.e. “ANY” in the source address). 
Step 5: Conduct a Risk Assessment and Remediate Issues 
When 
reviewing firewall rules and configurations, you want to be able to 
identify any potentially “risky” rules. What is “risky” can be different
 for each organization depending on the network and the level of 
acceptable risk, but there are many frameworks and standards you can 
leverage that provide a good reference point, in addition to your own 
definitions of course. Risky rules should be prioritized by severity.  
Once you've gone through your list of risk analysis questions, then it 
is time to document and assign an action plan for remediation of risks 
and compliance exceptions found in risk analysis. Once you've conducted 
remediation efforts, make sure you document those as well and verify 
that these efforts and any rule changes have been completed correctly. 
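Steps 2, 4 and 5 describe checks that can be run mechanically over a rule base: unauthorized changes, covered (shadowed) rules, and overly permissive "ANY" sources. The following is an added example, not code from the article or from any firewall vendor, that performs those three checks over a constructed rule list in first-match order. The rule dictionary layout, the ticket identifiers and the addresses are assumptions; the only library used is the standard `ipaddress` module.

```python
# Added example (not from the article): a rule-base review over a
# constructed list of firewall rules. It flags rules the article calls
# out: overly permissive "ANY" sources on allow rules, covered (shadowed)
# rules that an earlier rule already matches completely, and rules with
# no approved change ticket. The rule format and ticket list are assumed.
import ipaddress

# Constructed rule base, in evaluation order (first match wins).
RULES = [
    {"id": 1, "src": "10.0.0.0/8", "dst": "192.0.2.10/32", "port": 443, "action": "allow", "ticket": "CHG-101"},
    {"id": 2, "src": "10.1.0.0/16", "dst": "192.0.2.10/32", "port": 443, "action": "allow", "ticket": "CHG-102"},
    {"id": 3, "src": "ANY", "dst": "192.0.2.20/32", "port": 22, "action": "allow", "ticket": "CHG-103"},
    {"id": 4, "src": "10.2.0.0/16", "dst": "192.0.2.30/32", "port": 3389, "action": "allow", "ticket": None},
    {"id": 5, "src": "ANY", "dst": "ANY", "port": "ANY", "action": "deny", "ticket": "CHG-100"},
]

# Constructed approved-change log (the tickets the change process recorded).
APPROVED_TICKETS = {"CHG-100", "CHG-101", "CHG-102", "CHG-103"}


def net_covers(outer, inner):
    """True if address set `outer` contains all of `inner` ("ANY" is the universe)."""
    if outer == "ANY":
        return True
    if inner == "ANY":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def covers(outer, inner):
    """True if every packet matched by rule `inner` is already matched by rule `outer`."""
    port_ok = outer["port"] == "ANY" or outer["port"] == inner["port"]
    return (net_covers(outer["src"], inner["src"])
            and net_covers(outer["dst"], inner["dst"])
            and port_ok)


def audit_rules(rules, approved):
    """Return (rule id, finding) tuples for the three checks, in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        # Step 4: "ANY" in the source of an allow rule is overly permissive.
        if rule["src"] == "ANY" and rule["action"] == "allow":
            findings.append((rule["id"], "ANY source on allow rule"))
        # Step 4: a rule fully covered by an earlier one can never match.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule["id"], f"covered by rule {earlier['id']}"))
                break
        # Step 2: every rule must trace back to an approved change.
        if rule["ticket"] not in approved:
            findings.append((rule["id"], "no approved change ticket"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(RULES, APPROVED_TICKETS):
        print(f"rule {rule_id}: {finding}")
```

On the constructed rules the review reports rule 2 as covered by rule 1 (a /16 inside the already-allowed /8 to the same destination and port), rule 3 for its "ANY" source, and rule 4 for lacking a ticket. A covered rule whose action differs from the covering rule is a policy conflict rather than dead weight, which is why the finding names the covering rule so the reviewer can look at both.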
When it 
comes to your firewall configurations, building audit-readiness must be a
 business process that is maintained over time. "Manual" and "audits" 
just don’t mix. I've personally spoken to customers who prior to 
leveraging an automation tool spent 2-3 weeks to perform an audit of 
just ONE firewall, whereas with automation, that painstaking audit 
process was under a minute or as one customer told me "a push of a 
button". Additionally, proper documentation and a solid change process 
are instrumental pieces to ensuring audit-readiness at the drop of a 
hat. 
A final consideration is that while 
this article has focused on firewalls, there are different types of 
firewalls (traditional, next-generation, etc.) as well as secure web 
gateways, VPNs and other security devices typically found within an 
organization's network. Make sure that your audit process covers all of 
these devices as well. Good luck on your next audit.
Monday, 18 February 2013
zeus banking trojan targeting five
08.21
Zeus continues to strike online bank accounts and users, and technology 
designed to thwart these Trojan attacks continually fails to keep 
up. Symantec recently came across a new Zeus file targeting five major banks in Japan.
The malware, which has caused serious problems for banking customers in Europe and the U.S., is now concentrating on Japanese banks. The target information was revealed by Symantec after decrypting the configuration file from the new sample. The attacker uses the Blackhole exploit kit in order to install Zeus.

Zeus, a financially aimed malware, comes in many different forms and 
flavors. It can be tweaked to hijack personal PCs, or come in the form 
of a keylogger that tracks keystrokes as users enter them.
But once installation is over, the Zeus malware aims to steal online-banking credentials, and phishing schemes and drive-by downloads are most often the avenues hackers use to spread this increasingly sophisticated and evolving Trojan.
In this case, the functionality is the same as that of other Zeus 
variants. Once infected, Zeus monitors the Web browser visiting the 
targeted banks and injects HTML code that displays a message in Japanese
 that states in English: "In order to provide a better service to our
 customers, we are updating our personal internet banking system. Please
 re-enter the information that you provided when you first registered.".
Zeus gained notoriety in 2006 as being the tool of choice for criminals stealing online banking credentials. If you are one of the victims of Zeus, we recommend that you change your passwords for your online accounts and, if you have used your credit card while the Zeus Trojan was on your computer, contact the bank and let them know that you might be the victim of a phishing attack.
Friday, 15 February 2013
Ensure Your Network Is Secure
15.27
Twenty-four hours a day, seven days a week, 365 days each year – it’s 
happening. Whether you are awake or asleep, in a meeting or on vacation,
 they are out there probing your network, looking for a way in. A way to
 exploit you; a way to steal your data, a place to store illegal 
content, a website they can deface, or any of a hundred other ways to 
mess with you for the simple joy of it all. And they can do this with 
relative ease, even in an automated fashion, with simple tools that are 
readily available to all.
I’m talking about network scanners. The bad guys use them all day every day to assess networks around the world because a network scanner is one of the easiest and most efficient ways to find the cracks in your armor. If you want to see your network the same way an attacker would, then you want to use a network scanner.
Network scanners perform automated tests of systems over the network. 
They don’t require agents or any other software to be installed on the 
“target” machines. They assess a system based on what they can get from 
it over the network. It’s the same sort of reconnaissance that is 
performed against your network around the clock, and that is why you 
want to do it too. Here are five checks you should perform regularly 
using your network scanner.
1. Vulnerability assessments
Network scanners can use databases of known vulnerabilities to check for
 anything that might present a risk to your systems. Update that 
database regularly since new vulnerabilities are discovered all the 
time.
2. Port scans
A port scanner is a very fast way to determine what sort of systems are 
running on your network, and are probably the most common sort of recon 
you will see. Determine what should be accessible on your network from 
the Internet, validate that with a port scanner, and then use a 
combination of firewall rule cleanup and system hardening to shut down 
anything that doesn’t belong.
3. Default password access
There’s a reason there are tens of thousands of default password lists on the Internet: they make for a very easy way to get in. Don’t make it easy for an attacker. Make sure everything on your network has been configured with a strong password to prevent unauthorized access.
4. Running services
To compromise a service, it first has to be running. Every server has to
 run certain services, otherwise it’s just a space heater, but many run 
unneeded services either because they are on by default, or the admin 
who set it up didn’t know any better. Use your network scanner to find 
all running services, and then shut down the ones that are not needed.
5. Remote access
Speaking of default passwords, in about half of the security audits I 
have performed for customers, I have found remote access software that 
they didn’t know about, running on systems that made it very easy to get
 in. Use your network scanner to find all of the Telnet, SSH, RDP, 
GoToMyPC, LogMeIn, PCAnywhere and other applications that can provide 
remote access to a system, and shut down all the ones that shouldn’t be 
there. Finding all those “secret” ways in, and closing up the unapproved
 ones, will greatly reduce the risks to your network.
Using a network scanner, set up a regular schedule of scanning your 
systems for these five critical checks. Scan from the outside to see 
what the firewall cannot stop, and scan from the internal network so you
 understand just how much damage an inside threat can cause. Knowing 
your systems the way an attacker will, helps you to ensure everything is
 safe.
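Checks 2, 4 and 5 above come down to one reconciliation: compare what the scanner actually found listening against what each host is approved to expose, and single out remote-access services. The following is an added example, not code from the post or from GFI, that does this over a constructed, simplified listing of `host port/proto service` lines (not the output format of any particular scanner); the baseline, the hosts and the remote-access port table are assumptions.

```python
# Added example (not from the post or from GFI): reconciling scanner
# output against a baseline of approved services. The input is a
# constructed, simplified "host port/proto service" listing, not the
# output format of any particular scanner.
SCAN_OUTPUT = """\
192.0.2.10 80/tcp http
192.0.2.10 443/tcp https
192.0.2.10 22/tcp ssh
192.0.2.11 3389/tcp ms-wbt-server
192.0.2.11 23/tcp telnet
192.0.2.12 443/tcp https
"""

# Constructed baseline: the ports each host is approved to expose.
BASELINE = {
    "192.0.2.10": {80, 443},
    "192.0.2.12": {443},
}

# Ports commonly used by remote-access services (assumed, illustrative list).
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}


def parse_scan(text):
    """Yield (host, port, proto, service) tuples from the constructed listing."""
    for line in text.splitlines():
        if not line.strip():
            continue
        host, portproto, service = line.split()
        port, proto = portproto.split("/")
        yield host, int(port), proto, service


def reconcile(scan_text, baseline, remote_ports=REMOTE_ACCESS_PORTS):
    """Return (host, port, finding) tuples for everything that deviates from the baseline."""
    findings = []
    for host, port, proto, service in parse_scan(scan_text):
        allowed = baseline.get(host)
        if allowed is None:
            # A host answering that nobody put in the baseline is the
            # "system they didn't know about" case from check 5.
            findings.append((host, port, "host not in baseline"))
        elif port not in allowed:
            findings.append((host, port, "port not in baseline"))
        # Remote-access services are reported even on known hosts, so
        # each one gets an explicit approval decision.
        if port in remote_ports:
            findings.append((host, port, f"remote access ({remote_ports[port]}) exposed"))
    return findings


if __name__ == "__main__":
    for host, port, finding in reconcile(SCAN_OUTPUT, BASELINE):
        print(f"{host}:{port} {finding}")
```

The constructed scan yields six findings: SSH on a known web host that was never approved, and a host absent from the baseline entirely that is exposing both RDP and Telnet. Running the same reconciliation from outside and inside the network, as the post suggests, simply means feeding it two scan listings against the same baseline.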
This guest post was provided by Casper Manes on behalf of GFI 
Software Ltd. Learn more about the importance of network scanning by 
downloading the free eBook: A first aid kit for SysAdmins. All product and company names herein may be trademarks of their respective owners.
The use of password in a technological
15.18
Every day we read about an incredible number of successful attacks and data breaches that exploited weaknesses in authentication mechanisms, in practically every sector. Often even critical control systems are exposed online protected only by a weak password, in many cases the factory default; careless behaviour by the human component and the absence of input validation make many applications vulnerable to external attack.
Today I want to focus attention on a report published by the consulting firm Deloitte titled “Technology, Media & Telecommunications Predictions 2013”, which provides a series of technology predictions, including the outlook for subscription TV services and enterprise social networks. The document rightly expresses great concern about the improper use of passwords, which will continue to cause many problems in 2013; it must be considered that the value of the information protected by passwords continues to grow, attracting the ill-intentioned.
The report stresses the need to reconsider password management processes in light of the technological context we now face. Duncan Stewart, Director of TMT Research, declared: "Passwords containing at least eight characters, one number, mixed-case letters and non-alphanumeric symbols were once believed to be robust,” “But these can be easily cracked with the emergence of advanced hardware and software.”
“Moving to longer passwords or to truly random passwords is unlikely to work, since people just won't use them,” Stewart said.
“An eight character password chosen from all 94 characters available on a standard keyboard is one of 6.1 quadrillion (6,095,689,385,410,816) possible combinations. It would take about a year for a relatively fast 2011 desktop computer to try every variation. Even gaining access to a credit card would not be worth the computing time. However, a number of factors, related to human behavior and changes in technology, have combined to render the ‘strong’ password vulnerable.”
Using a brute force attack against an 8‑character password, a dedicated password‑cracking machine employing readily available virtualization software and high‑powered graphics processing units can discover the password in only 5.5 hours. The cost of such a machine is about $30,000 today, but, as explained in the report, hackers could obtain the same computational capability from a large botnet.
Password length is not the researchers’ only concern; the human factor could also expose the password management process to serious risks. People rarely remember long and complex credentials, so they tend to adopt passwords that are easy to remember and related to their life experience, and in many cases the same password is re-used over time across different services, from an online movie store to a bank account. The average user has 26 password‑protected accounts, but only five different passwords across those accounts. According to a recent study of six million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts, a figure that gives us an idea of how vulnerable the password management process is.
“Once a hacker has a password, he or she can potentially have the keys to the cyber kingdom based on most consumers’ behavior.”
Deloitte predicts that in 2013 more than 90% of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking, with serious consequences: the company predicts billions of dollars of losses, declining confidence in Internet transactions and significant damage to the reputations of the companies that fall victim to attacks.
The reports states:
“How do passwords get hacked? The problem is not that a hacker 
discovers a username, goes to a login page and attempts to guess the 
password. That wouldn’t work: most web sites freeze an account after a 
limited number of unsuccessful attempts, not nearly enough to guess even
 the weakest password. Most organizations keep usernames and passwords 
in a master file. That file is hashed: a piece of software encrypts both
 the username and password together. Nobody in the organization can see a
 password in its unencrypted form. When there is an attempt to log in, 
the web site hashes the login attempt in real time and determines if the
 hashed result matches the one stored in the database for that username.
 So far, so secure. However, master files are often stolen or leaked. A 
hashed file is not immediately useful to a hacker, but various kinds of 
software and hardware, discussed in this Prediction, can decrypt the 
master file and at least some of the usernames and passwords. Decrypted 
files are then sold, shared or exploited by hackers.”
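The report's "decrypt" is loose language: a hashed master file is not decrypted but guessed against, and how costly that guessing is depends entirely on how the file was hashed. The following is an added example, not from the report or the post, contrasting an unsalted fast hash (one precomputed table matches every account that chose the same password) with a salted, iterated hash from Python's standard library (PBKDF2-HMAC-SHA256), which forces separate work per account. The user records, passwords and iteration count are constructed assumptions.

```python
# Added example (not from the report or the post): how a leaked master
# file's usefulness depends on how it was hashed. An unsalted fast hash
# lets one precomputed table match every account; a salted, iterated
# hash (PBKDF2 here, from the standard library) forces per-account work.
# The user records and the work factor are constructed.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster


def fast_unsalted(password):
    """The weak scheme: one SHA-256 of the password, no salt, no iteration."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password, iterations=ITERATIONS):
    """Store a random salt, the iteration count and the PBKDF2 digest for one account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(record, attempt):
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def precomputed_hits(leaked_hashes, common_passwords):
    """Count leaked unsalted hashes that a small precomputed table matches at once."""
    table = {fast_unsalted(p): p for p in common_passwords}
    return sum(1 for h in leaked_hashes if h in table)


# Constructed master file: three users, two of whom chose the same weak password.
USERS = {"alice": "123456", "bob": "123456", "carol": "x9#Lq2!vRt"}
UNSALTED_FILE = {u: fast_unsalted(p) for u, p in USERS.items()}
SALTED_FILE = {u: make_record(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("unsalted hits from a 2-entry table:",
          precomputed_hits(UNSALTED_FILE.values(), ["password", "123456"]))
    print("alice and bob share an unsalted hash:",
          UNSALTED_FILE["alice"] == UNSALTED_FILE["bob"])
    print("alice and bob share a salted digest:",
          SALTED_FILE["alice"]["digest"] == SALTED_FILE["bob"]["digest"])
```

With the unsalted file, alice and bob have identical hashes and a two-entry table already recovers both accounts; with the salted file their digests differ, so the 100,000 iterations must be paid for each account and each guess. The salt is stored alongside the digest and is not secret; its job is only to make precomputation and cross-account matching useless.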
As the report describes, another problem relates to the use of passwords on various platforms: the average user takes 4-5 seconds to type a strong ten-character password on a PC keyboard, but that rises to 7-10 seconds on a mobile device with a keyboard and to 7-30 seconds on a touchscreen device. As a consequence, a quarter of the people surveyed admitted to using less secure passwords on mobile devices to save time.
SplashData, which develops password management applications, has released its annual “25 Worst Passwords of the Year”, listing the most common passwords chosen by users. The three worst passwords haven’t changed from the previous year: they’re “password”, “123456” and “12345678”. New passwords have entered the top list, such as “welcome”, “jesus” and “ninja”.
The top ten list follows:
- password (unchanged)
- 123456 (unchanged)
- 12345678 (unchanged)
- abc123 (up 1)
- qwerty (down 1)
- monkey (unchanged)
- letmein (up 1)
- dragon (up 2)
- 111111 (up 3)
- baseball (up 1)
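The report's figures (94 keyboard characters, 6.1 quadrillion eight-character combinations, about a year on a 2011 desktop, 5.5 hours on a GPU rig) and the SplashData list above fit together into one calculation. The following is an added example, not from the post, the Deloitte report or SplashData: it reproduces the keyspace arithmetic, derives the implied guessing rates from the quoted times (they are derived figures, not measurements), and checks a candidate against the top-ten list before estimating its exhaustive-search time. The `charset_size` heuristic and the `assess` function are assumptions of this example.

```python
# Added example (not from the post or the Deloitte report): the keyspace
# arithmetic behind the report's figures, plus a check against the
# post's most-common-password list. Guessing rates are derived from the
# quoted times, not measured.
import string

KEYBOARD_CHARS = 94  # printable ASCII excluding space, as in the report

# From the report: a 2011 desktop needs about a year for all 94**8
# combinations, a GPU rig about 5.5 hours. Rates in guesses per second.
SECONDS_PER_YEAR = 365 * 24 * 3600
DESKTOP_RATE = KEYBOARD_CHARS ** 8 / SECONDS_PER_YEAR
GPU_RIG_RATE = KEYBOARD_CHARS ** 8 / (5.5 * 3600)

# The post's 2012 top-ten list (the real denylist would be far longer).
COMMON_PASSWORDS = {"password", "123456", "12345678", "abc123", "qwerty",
                    "monkey", "letmein", "dragon", "111111", "baseball"}


def keyspace(length, alphabet_size=KEYBOARD_CHARS):
    """Number of passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def hours_to_exhaust(length, rate, alphabet_size=KEYBOARD_CHARS):
    """Hours to try every password in the keyspace at `rate` guesses per second."""
    return keyspace(length, alphabet_size) / rate / 3600


def charset_size(password):
    """Alphabet an attacker must cover, estimated from the character classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += 32  # string.punctuation has 32 symbols; 26+26+10+32 = 94
    return size


def assess(password, rate=GPU_RIG_RATE):
    """Denylist check first; only then does the keyspace estimate mean anything."""
    if password.lower() in COMMON_PASSWORDS:
        return {"common": True, "hours": 0.0}
    return {"common": False,
            "hours": hours_to_exhaust(len(password), rate, charset_size(password))}


if __name__ == "__main__":
    print("8-char keyspace:", keyspace(8))
    print("8 chars on the GPU rig, hours:", round(hours_to_exhaust(8, GPU_RIG_RATE), 1))
    print("10 chars on the GPU rig, hours:", round(hours_to_exhaust(10, GPU_RIG_RATE)))
```

`keyspace(8)` reproduces the report's 6,095,689,385,410,816, and the derived GPU-rig rate comes to roughly 3 x 10^11 guesses per second. Adding two characters multiplies the exhaustive-search time by 94^2, from 5.5 hours to about 48,600 hours, which is the argument for length. The estimate is an upper bound, though: the report's own 98.1 percent figure shows that real attacks run dictionaries first, which is why `assess` consults the common list before doing any arithmetic.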
 
Have you ever used one of the most popular passwords of 2012 for your own personal accounts? Change it. What could improve password management? SSO systems, for example, represent a good solution, allowing the use of long or random passwords in the simplest way while respecting the elementary best practices for password management; of course, this system too must be protected from hacking attacks.
The implementation of token-based multifactor authentication processes (both software and hardware) represents the best compromise between cost and security, and that is also the direction IT security will take in the future.
Sunday, 03 February 2013
SID Retail Pro
01.37
I want to share about the SID Retail application. I copied and pasted the text below from several sources on the internet. I hope it is useful, and I apologize in advance.
SN 4690 : N605MCP-7WYND34-MFQ1V21-7328Z18
SN 4876 : 897FXJ5-97H296F-30O6G7S-05ZGRGT
SN 10816 : 9G7YZ93-9SJ784D-A30F56P-40HP3FL
SN 6277 : 497C8R1-W6J0L53-W39XU5B-57WU1X3
SN 7469 : U786F66-29UVS5H-6X42D9Q-8853GXO
Download SID Retail Pro :
https://mega.co.nz/#!V0ZlUYKY!Ie8M3lASF8pZQQD2JQkZgk5xSjxhd1v7F1PvnmezHwg
(14.4 MB)
Download Generate SN :
https://mega.co.nz/#!hx4yybCY!Yg-vFHk9sdj-zdW--x4La2IpXs85I15aqpIZ794IQSI
(608 KB)