Welcome here. I'm very glad to see so many people in here. And I'm also glad to see that there's not a lot of sunglasses on and not a lot of people holding their heads from last night. So, yeah, welcome.

Okay, so what we're talking about today is the cyber-terrorism and cyber-warfare kind of thing. A lot has been said about, you know, cyber-terrorism. There's a lot of stuff that can be said about it. There's a lot of people that say cyber-terrorism is not a reality today and that we don't really know that it can be effective. So what we're trying to do here today is not answer that question, but rather find out if there's a way to build a little bit of a framework that we can use to make these kind of attacks more effective. So let's go on to the next slide.

Okay, you know, people say, you know, a packet can't fly a plane. Cyber-terrorism isn't really something that would instill terror in people. And I tend to agree with it, you know, it's easier to blow up a building than to have a nicely coordinated kind of attack. Typically what we're seeing today with... when you start reading about cyber-terrorism, that kind of thing, typically what you're seeing today is people talking about denial of service attacks. So they're saying, yeah, you know, we can DoS the whole network of the Internet, and the other kind of approach that they have is saying, well, we can break into, let's say, a power grid of a large energy provider and thereby disable the power, or we can act in some way and do some stuff there and affect critical kind of infrastructure.

Now, to me, that's kind of, I don't know, it's not really that effective for a couple of reasons. First of all, there's a lot of companies and manufacturers and sectors, business sectors, that kind of thing, that don't really rely that much on the Internet being up and running, correct?
If you DoS, let's say, Ford Motor Car manufacturer, they're still going to have cars coming out of the production line if they're not connected to the Internet. They don't need to ping an IP address in order to generate a car. So really, when you take the network down, you're really just only affecting maybe the fact that they can't send porn around anymore and they can't chat to their friends on MSN. You're not really affecting something internal to that company. So that's the first thing with denial of service attacks. Whoa, dude, you're jumping ahead.

Okay, the second kind of attack that says we can break into a network and we can disable, let's say, the power grid for a specific area. Well, I think that is, dude, you're jumping ahead. Okay, so the problem with breaching the perimeter: I think it could maybe be possible to breach a critical kind of infrastructure perimeter and possibly disable some kind of power grid somewhere. What we need to keep in mind there is that there's a lot of redundancy in these systems. If you look at power providers in America, there's hundreds of electrical power suppliers and they can switch between different kinds of setups quite easily. So the only way that you're going to make that effective is if you have like 6,000 hackers, and we have 6,000 people here at DEF CON, hack into all of these networks at the same time effectively and coordinate it. And I don't see that happening quite soon. So I don't see that happening quite soon.

And what you must realize is in some cases the control systems of these critical infrastructures are air-gapped from the rest of the IP network. So they don't connect the two together. So it starts to become a little bit difficult to actually coordinate some kind of a strike that will really have an impact on the country as such. So if we look at the, no, go back.
So if we look at the kind of attacks, the denial of service attack on the one end and the breaching of the perimeter on the other end, we see, first of all, it does not hurt enough if we do a denial of service attack. And if we breach the perimeter, it's not going to be that effective.

So what we need, what we really need, is attacks that are very kind of focused towards a specific industry or a specific country, really nicely targeted. It must be closely coordinated, which means we want to see all of this happening at the same time. If you blow up a building, it doesn't help if you want to destroy a building. It does not help if you take one brick every day and move it away. After a while, people are going to find out that you're taking away one brick at a time. And after a couple of days they're going to say, you can't take this building away. You have to have it in one go. You have to get the thing destroyed in one go. And the same with this kind of thing. You need to have something that is nicely coordinated and that happens at the same time.

You also want it wide enough so it can really cripple a country or make a dent in the economic kind of infrastructure in a country. You need it to be effective, so it needs to run very kind of targeted, very quick. It needs to work all the time. And the last part that's very important for us, it needs to be very fast. We don't want to have people being able to stop this thing once it's started. It needs to run real quick. And the only way that we're going to get that working is by doing it automated. So we're saying too fast for human intervention, we need it automated.

So when you're looking at something that's automated, the first thing that comes to mind is, next slide, a really nasty kind of worm. So I want to talk about a worm quickly. What we find is that external networks, perimeters, are actually quite difficult to breach. There's firewalls in there, you've got IDS in there.
There's all sorts of interesting technology that's available today that makes it very difficult to break through the external network. While if you look at the internal network, you find that normally the internal network is like soft and cozy. There's a whole lot of vulnerabilities around there that we can find and that we can exploit.

And the reason for that is that system administrators tend to not patch machines that are internal. Let's say we know about the RPC vulnerability that was found a couple of weeks ago, but we don't have anything that's internet facing, so the vulnerability really does not matter to us that much. And that's probably true for a lot of the problems that you see nowadays. What you find also is that when there's a vulnerability that affects a package that is internet facing, system administrators tend to patch only the stuff that is internet facing and the internal machines never get patched.

The second reason for this is that people add new machines. So they add a whole lot of machines to the network. Those machines never go through a proper QA process. And so we're sitting with a whole lot of machines internal that are quite weak.

The other thing to realize that's very, very important is that the internal network is highly, is likely not to be segmented. So the internal network on a network level is flat. There's no firewalls in the internal network. And later on we will see why that is really helping us a lot. So what you're really looking for is that, what I'm really saying is that a worm that can carry a couple of different payloads in terms of exploits will really make a kind of a killing on an internal net. So let's have a look and see what we have. Thanks, Charl.

Okay, so we're looking at something like, and these are really kind of low hanging fruit exploits and problems. You're looking at something like your good old Unicode, double decode, MDAC, you're looking at .printer, .ida, WebDAV. And then some stupid stuff. It's not even a problem.
It's not a vulnerability in the software, but it's really a configuration problem. Okay, so MS, Microsoft SQL running with a blank SA password, local administrators that have a blank password and sharing C$ out there. We think of things like Slammer, which was the SQL locator service problem in that. You got the Apache chunked encoding stuff, OpenSSL. You know, there's a whole lot of different exploits and a whole lot of different problems out there that we really know. We know how to code them. We know what they are. We know how they sit together. But these problems have to a large extent been solved on the internet and on the perimeters. But in the internal networks, these kind of problems are quite big and large and we know that they are there. And anyone running, anyone here that's an administrator that's got a large network will know that these are problems in your internal network.

Okay, so one of the things to look at when you're writing a worm is actually finding more food, what we call it, saying that we want to be able to find new machines to attack. And so when you're looking at an internal network, it's quite another story to get IP addresses there than to get IP addresses on the internet. And it's quite a bit easier to find IP addresses on the internal network. So we're quickly going to have a look and see what there is available to find more food.

First of all, the easiest thing that you can do is you can simply look at your IP address and then look at the netmask. If you see your IP address being 10.15.17.2 and your netmask 255.0.0.0, you know that you've got a whole class A network there that's just about all nice and flat. And you immediately got a whole lot of targets that you can look at.

The second thing that we can do is we can start looking at SNMP. And we can basically go through the ranges that we now found in the first instance, send SNMP queries to all of those machines, see who responds.
We try with a community name of, let's say, public and Cisco and the company name, whatever. And we extract the routes, or as you call it, the routes of these machines. And we easily find all the other networks that are sitting on that internal network.

The third thing we can do, and as we progress in here, kind of the effectiveness of these methods is really kind of going down a bit. We can do a traceroute to the internet. We can record the routes and see what kind of hops we find there to find out networks that are surrounding the network we are on at the moment. And that is given that the IP address where we're executing from is really internal to the network. So just now we're going to see how we're going to get this thing internal to the network. I know it's annoying when this thing goes on and off. It's annoying to me as well.

Okay, the fourth thing that we can do is we can start just basically doing ping sweeps around the network and find out what's available. So we go one class C higher, one class C lower. We do a ping sweep. We look at the response times going back. And from the response times we can have a good indication if that machine is sitting on a local network or not.

And then last of all, if we're really getting desperate, then we can start doing a brute force and actually try to just run through a couple of IP numbers, ping them and see what we come up with. That's not really effective, but I thought it would be nice if I put that in there.

Okay, so let's look at the next thing. I don't know if you can see there on the screen quite nicely. The one thing that's interesting for internal networks is when you look at denial of service attacks, the types of denial of service attacks that you can find on internal networks are very much more kind of sophisticated. And there's a couple more choices that you can have when you're doing denial of service on internal networks than on external networks.
Okay, so if I think about it real quick, you must realize that worms that you have on an internal network propagate at wire speeds, okay? So you've seen what Slammer, for instance, does to your Cisco boxes, right? Slammer didn't have a dedicated denial of service payload, but because it propagated that quick and because it was sitting on an internal network, it was flooding your network to the extent that some of the routers went down. So when we start to build really denial of service attack tools that are dedicated to propagate at wire speeds and really dedicated to do flooding at wire speeds, I think we can get some more interesting kind of numbers out there than with something that didn't have a dedicated denial of service payload.

Something else that you can do on internal networks that you can't do on external networks is ICMP route redirection. You can start playing with the ARP tables of machines internal, something you can't do on the Internet because you're not local to the network. You can start doing some trickery on the MAC addresses, like assign every IP address to your MAC address. There's a couple of things we can do there. We can do DHCP lease exhaustion attacks whereby we basically emulate the DHCP server until all the leases have expired. And there's a couple of things that we can do on the internal network that's really bad. You know what happens when you choose your IP address to be the same as your firewall. The whole damn subnet goes down. We can even do something on a network where, if we can sniff the traffic, we can do hijacking of TCP connections. That's not that effective, but in an unswitched kind of network it could do wonders.

And while we're there, while we're sitting on the machine itself, we can somehow start and delete files. So we can corrupt all the doc files on the machine, all the XLS files. We can look for zip files, insert some bytes into the zip file, thereby corrupting it.
We can see if we can flash the BIOS of the machine so that when someone reboots the machine all the BIOS settings are lost. We can do pop-up messages all around on all the machines that have been affected, let's say with a pop-up message of something like "your machine has been infected, please contact your system administrator and read the following 25 characters to your system administrators." And then you put in the A $0, 2, 5, whatever. The reason for that is that it's basically going to disable the help desk to the extent that the PABX will be flooded and you're really going to keep your administrators quite busy.

Something else that we can do is we can look at the routers that are surrounding the network and we can have a module that will try to log into the routers and thereby disable all the interfaces on the machine itself. I know there's no default password for Cisco boxes, but some of the other 3Com switches, some of that stuff has got default passwords. You can kind of guess passwords and see if you can actually get into the machine and disable the interfaces. What will happen then is that your administrator won't be able to get to the affected machines at all and they need to physically go to the router and plug a cable in there. I imagine it doesn't sound that bad, but if you think about a network with like 50,000 machines on there and let's say 1,000, 2,000 different routers, it starts to become a little bit of a nightmare.

I know you can't see a lot there because it's a little bit too light in here, but that's typically what a design of such an internal worm would look like. We've got basically three modules. The first module does the reconnaissance, the second module does the actual exploitation and the third module in there does the denial of service. Now of course the one thing to keep in mind here is that denial of service attacks and a kind of biological agent that propagates through the network do not match very well.
If you have an instance of this worm starting off doing a denial of service attack straight away, you might disable the whole of the network and it means you're not going to propagate into all the machines that you need to. You can understand what I'm saying. On the one end you have someone that's killing everyone and on the other end you want to infect everyone. Those two things, they don't work together quite well. So we worked out a kind of a model to get that right. We define a machine as a neighbor. Now remember what I said, the network is flat. So if the network is flat we can get communications between different instances of this worm going. That makes it very interesting for us. We'll put something on the website on sensepost.com that would explain exactly how we're going to do that. I'm not going to go into too much detail of that now. It's quite intricate. If you're interested you can ask me afterwards. I'm just watching the time as well. I've got a lot more that I want to show you.

So now we talked about this thing, this uber kind of worm, and if we run it some way it's going to take out everything in its way. But how do we get it into the internal network? It's actually much, much easier than you think it is. I'm not going to show you any kind of zero-day silent delivery in Outlook or any of that. What you do is you use the correct language. Say if you're attacking a French kind of company, you write your email in French and you mail it from marketing and the company name that you have, with a subject that says "new screensaver for company name, click here." And then you don't really attach the EXE to the mail because your content level filter is going to pick it up and shut it out. So you send a link to the actual EXE and you make sure that that EXE is located on a site that supports HTTPS. That's SSL enabled. The reason for that is easy. If we put something on a site that's setting up what's going to happen?
Your browser is going to set up an encrypted tunnel to, an encrypted session to that web server, thereby all your content level stuff is not going to pick up what's going past the wire. You could be surfing porn or you could be downloading this nasty EXE. And what we do is we also put a, we kind of obfuscate the URL. So we call it intranet.companyxxx.com and then we have a little at sign there and then we put a... in hex, we encode the rest of the URL. That's the actual URL. Obviously you know that the part in front of the at sign is actually a username that's being passed on and the part behind the at sign is the real site. Now you know this, right? But your marketing department, they do not know this. And the kind of management department, management structure, they don't know it either. And sales, oh shit, they don't know anything.

Okay, so you might say, well, this is really not that effective and I don't see this really working. I'll ask you this. All of you get a whole lot of spam messages, you know. And you delete it, right? You delete it without even looking at the content, correct? But if you were to get an email that's coming from marketing at your company name, it's got your company name in there, coded perfectly in there. And it says new screensaver for your company name, perfectly spelled, okay. And it's in the language that you speak. Then you're probably going to have a look at it, right? You might not execute this stuff because you people here are more kind of security aware. But it's actually a nice way of getting it in there.

So let's look at stats. So we wanted to do this and see what it would get to. And we couldn't really find someone that would let us test it. So at the end of the day, we got a bank in South Africa that allowed us to send it to the security team. Okay, it's 13 people of the security team. Now here's the stats. Because we... the payload that we sent in this case was a modified version of the Trojan that we talked about last year.
And what it basically did is it pulled out the username of the environment and then it reported the username to us. Okay, so we can see exactly who was downloading the thing. And we can see exactly who executed this thing. So here's the stats. 13 people, we mailed 13 people in the group. Eight of them downloaded the EXE. We can see that in our Apache logs, right, they clicked on the thing. And five of them executed it. Now because we had this specialized payload, it didn't really do anything. It was just like, you know, sending out the username back to us. So the one guy clicked on it three times. He really wanted that screensaver.

Okay, now you appreciate that when we do this in a large company we only need one person to be able to open that mail. Well, to basically download that thing and open it, correct? And I know you're going to say, well, you know, the EXE itself was sitting on a site that's SSL enabled. The browser's going to complain about this thing. I know. But people go like, you know, the browser goes, the certificate that's presented to you is signed by an unknown authority. Now, okay, you're going to download the EXE now and you really want to run it. Yes. That's the way it works. So you don't need a zero-day to get the stuff in there. You simply need to sound convincing.

Okay, so now we got this way of basically, okay, I'm going to go through this real quick. We got a way to basically find mail people at a company. How do we find someone at a company name? You have a friend. You don't know where they are. You go to Google, right? You put the company name in there and you see if you can find if that person ever emailed anything. So if we do a Google for at companyxxx.com minus www.company.companyxxx.com and we scrape it. We basically take all the results coming back and we extract all the email addresses. It works really nice. Now, for example I used some kind of newspaper. I read yet newspaper in Turkey just as an example.
You run it and you get 83 different email addresses of people. Now, these are people that typically ever emailed any forum, ever mailed to a newsgroup or to a mailing list or signed a guest book or this. But those email addresses exist. They sit there on the internet and can be mined. This is how you get all your junk mail, through people that do the same thing and then send you junk mail. So we're basically just doing a kind of interesting spam exercise here.

So now we want to make it a little bit more wider. So we want to look at the whole country, right? So what we do is we said we can extract email addresses from companies. Now what we need to do is we need to find the companies, correct? We need to find all these different companies. And we're going to target the following sectors within a country. We're going to look at telecom. We're going to look at all the different energy providers, hydro, oil, nuclear, fossil fuel, that kind of thing. We're going to look at government and military. We're going to look at media providers. Why are we going to look at media providers? The reason we look at media providers is you all love the press, right? You do something small, they make it into something big. So as part of the kind of hysteria that we want to generate with this kind of attack, we're going to attack the press as well. And once the press is attacked, they're going to say this is the end of the world, right? We can just go and hide in our bunkers because they kind of always make things bigger than they really are.

We're looking at the financial services, banks, insurance companies, that kind of thing. We look at prominent businesses. The reason we look at prominent businesses is that in some countries, the, let's say 60 or 70 or 80% of the country's GDP is generated by one company. So we want to find that one company and take it out as well. And we look at emergency services in the online demo that we're showing you just now.
We're not looking at emergency services. And we look at transport. And for transport, we look at airlines and we look at railway.

Okay, so how do you find companies or departments within these different sectors? Well, let's split it up in private, the private sector and the public sector. The private sector is actually quite difficult to find. You can't go to Google and say give me all the top companies, give me all the telecom companies in this country. The online directories just don't work that well. So the way to go there is to actually find specialized directories. So you can go to Google, you type in there, give me a list of telecom companies in a certain country, and you will find that there's one list that lists all the telecommunications companies in the world. And there's another list that lists all the airlines in the world. What we need is obviously we need the domain, right, the DNS domain. So I would say this airline, this airline, that domain, that kind of thing.

Some you need to do online because you need to query them online because there's not one big page where you can get everything off. So you basically have to go in, click on the thing, click on that thing and at the end of the time, at the end of the day, you get the result back. And for that we need a little Perl script that will interrogate the website as we go along. For some of the others, we can have a nice situation where we have one big page with all the companies listed per country and we basically take that and we download it to our site and build a little database.

There's pros and cons to both of them. In terms of a static list, your cons there are that if a new company starts doing business in the telecommunications sector in, let's say, Albania, you're not going to know about it, right? Because you have a static list. On the other end, the kind of more online lists have problems in that if that list is down, then you can't get the information out there.
And it's basically a single point of failure for that particular sector.

So the challenge is, in some cases you will find, let's say on Business Day or one of these kind of newspapers, you will find a list of the top 100 companies within a country. But they only give the company name and you've got to map that to a domain name. And to do that is quite difficult. So you have a company name and you have a country name and you want to have the domain name. Now we basically figured out a way to do that with about, I would say, 75% accuracy. It's in the paper. I'm sure the paper is on the CD. Did anyone have a look? Is it? Okay, excellent. The paper for this is on the CD as well. If you want to find out how we actually got to that, let's say, 75-90% accuracy, the algorithm and all of that is right there in the paper.

When we look at the public sector, we're basically looking at government and military. And here's where it starts to become a little more interesting. We all know that most of the countries have, for government, let's say, .gov.za, right? The problem here is that not all of the countries have an actual .gov. Like France, for instance, has .gouv. That's their sub-TLD for government. So we can find that out. It takes a while, but after a while you kind of find all the different government sub-TLDs that there are. Some countries don't have it. Germany, for instance, I don't think has a .gov.de as such. Maybe you can help me out, all the German hackers that are in here.

Okay, so what we can do now, remember we have this Google scraper that will basically go through the Internet and find out email addresses within a specific department, within a specific domain. So if we basically scrape .gov.za, for instance, we're going to find a whole lot of different sub-departments sitting within .gov.za itself. And we can then take those sub-departments. Let's say it says Energy. There's someone mailing from something, someone, let's make it Pete at server1.energy.gov.za.
Okay, what do we know about that email address? First of all, we know that Energy is now a department within .gov.za, right? So now we can scrape for energy.gov.za again and find out all the different sub-domains in there. And this we can do recursively until we've basically found out all the different blocks, all the different blobs of domain names within a specific TLD. Right, when we do the demo you'll see how it works.

We can do the same for military as well. The problem for military though is that a lot of the military domains are actually contained within a government domain. So we can't get, we have to, for instance, you will see a domain called mod.com.my which is Ministry of Defense for Malaysia. Now that would be mod.gov.my and that's basically the whole of the defense department in terms of IP space being put into the government sub-TLD.

So what we've done at the end of this whole thing is we've also done a little bit of our footprinting algorithms. Anyone who was at Black Hat Seattle or at Black Hat Amsterdam would know that we've been doing a whole lot of work on footprinting as well and basically converting these domains into IP addresses. If you want to go for an external attack you would want to have those IP addresses in there as well. So as a kind of an afterthought we also put a little module in there so that once you have the domain you can do the footprint in terms of the IP address.

Okay, and we know that people love GUIs. So we got a graphical user interface for this thing. We actually didn't want to do it but then at the end of the day this is the thing that really sells. We're not selling this. So what I want to show you quickly is the graphical user interface for this little thing that we built. The first thing you can see there if you scroll down is that you have an updated kind of a sun map of the world and the reason for that is simply because if you are attacking a certain country you want it to be daylight over there, right? Why?
Because people tend to read more email during the day, and now you can see exactly when the sun is coming up in your country of target and you can say okay, now is a good time to start the attack.

Then at the bottom there you would see there's a couple of continents that we can choose from. So let's just go to North America and we got a little North American thing in there. Let's go to the United States for now and here you have different types of industries that you now can select. What I want you to do, Charl, is I want you to go to prominent businesses, select prominent businesses for me, select government and select military. Now what it's doing now is it's basically taking the prominent businesses out of the database and in terms of the, and what I want to show you there, Charl, if you scroll down a little bit, is that for some of the companies we don't know exactly what that domain name is going to be. Let's take for instance American International. You go down a bit and you'll see that there's a couple of domains that it tried to actually resolve that to. Some of this stuff is easier to find, some of it is a little bit more difficult to find.

Okay, if you go down all the way. So those are all the major businesses in America and we can select all of them basically with one little click and it will go on. I'm not going to do that right now. Just go back and there we see all the different government departments that we now extracted. So you see there CDC.gov, DEST.gov, DOE.gov, I don't even know what all those acronyms are, but we can extract them, right? We also got the embassies in there just for fun. All the American embassies and domains associated with them, and if we go down to the bottom, you will see there we get to the military and those are departments that we found in the military space. So that's the .mil space in there. So you see AF, which I guess is Air Force, Defense Link, DESAR, DLL, whatever, Navy.mil and you see there Pentagon.mil as well.
So if you can click on Pentagon for me and click on email. So what it's doing now, it's basically going through Google and extracting email addresses that are potential targets, for people that have got an address at Pentagon.mil. We can obviously do it with any of the domains that we want there. It's taking a while, I see. You just realize that on the back end there's a whole lot of different things happening now. Okay, there we go. So there you see a whole lot of email addresses for people at Pentagon. What I want to show you there, which is interesting, is that you see there's sub-domains within the Pentagon as well. So you have OSD, you have AF, you have HQDA, Army, Pentagon, there's JS, Pentagon. Okay, so we can do that recursively and now again zoom in onto that one little sub-domain and see if we can extract email addresses from that again. Okay.

So when we select these email addresses and we click on email at the bottom, it's now basically going to send a customized message to all of these people saying, you know, here's a little link, click on it, and you can install the new Pentagon screensaver, and you actually just need one of them to click on it and it will basically then crawl within that space over there and try to do as much damage as possible.

If you can just click on back, you can just go back, go back again, go back again, go down. If we can get South America up there, South America. Okay, here's South America. If you can click on Venezuela. Okay, we're going to go for telecom providers in Venezuela. Okay, we see there's two main telecom providers there, Digital and something I can't pronounce. If you go to Digital and you click on footprint. Okay, what it's going to do now, on the back end it's going to implement a couple of algorithms in there that are now going to try to determine what IP addresses are associated with Digital in Venezuela. Do we have anyone from Venezuela here? No? Okay, cool.
What I want you to tell, what I want to tell you that's really important is that the stuff is not live, okay? It doesn't work. Just give it a bit. Did it time out? Okay, it actually timed out on the Mac, which is a pity because otherwise you would see exactly the DNS names and the different IP addresses associated with, okay. Okay, stop attacking us. Oh, there we go. Okay, so there we go. So there you see I think that screen is a little bit more clear than this screen. There you see all the IP addresses associated with this particular organization and the DNS names. So if you click on that IP address over there, no, the other one. It's okay. 90. Oh, okay. That's very interesting. Okay, I see GigTools has just moved their thing, their little proxy, whois proxy, in the matter of days, yesterday or two days ago it was still up. But with these IP addresses, once you have them, you can actually then see exactly what block belongs to them. If we can go back to the slides. Okay, so in conclusion, I think focused kind of cyber attacks are quite possible. I think it can happen. I'm very scared to call it terrorism because there's a whole lot of words associated with terrorism that I don't think is really what we're going to achieve over here. But at least the one thing we can say is that focused kind of attacks are seriously possible. And that once we have implemented something like this, we would highly likely have a negative impact on that network. How does it compare to real-life attacks? I don't know if this would instill as much terror as a kind of conventional attack, which is really horrible. And what's the chances of this happening? The one thing I want to really press here is that everything that you've seen here today is not difficult to put together. There's no zero-day in there. There's no kind of super technique in here to get this stuff running. So all of this is really quite easy to put together. And should we worry? 
Well, I think as networks and as critical systems are becoming more and more connected to the internet and as control systems are becoming more connected to internal networks, this would be, you know, this becomes a much bigger problem for us. Nowadays we tend to say, well, let's air-gap the critical systems with the internet, which is cool, right? We do that. But we don't air-gap our internal systems with critical systems. People tend to think about cyber-terrorism and cyber attacks more and more along the lines of we have to breach the perimeter and get through the perimeter and then we can do stuff. And because our perimeters are safe, it's alright. While the internal networks suffer much. I think the answer to this kind of problem at the end of the day would be 5 minutes. I'm almost done here. At the end of the day the answer to this thing would be really to educate your users, right? If you throw more firewalls at this problem, the problem is not going to go away. If you throw more technology to this, it's really not going to go away. But if you educate your users not to click on a little link, then you're really solving the core of the problem. Thank you for your time and I hope it was interesting. Thanks.