Slashdot Mirror

← Back to Stories (view on slashdot.org)

Software Exploits Aren't Needed To Hack Most Organizations (darkreading.com)

Posted by EditorDavid on from the stupid-passwords dept.

The five most common ways of hacking an organization all involve stolen credentials, "based on data from 75 organizations, 100 penetration tests, and 450 real-world attacks," writes an anonymous Slashdot reader. In fact, 66% of the researchers' successful attacks involved cracking a weak domain user password. From an article on Dark Reading: Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian. Organizations would be far better served by improving credential management and network segmentation...

"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do"... [O]ne stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way.
Similar results were reported in Verizon's 2016 Data Breach Investigations Report.

57 comments

  1. Always one by Calydor · · Score: 2

    [O]ne stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way.

    What if it's the lead system administrator's password? Whitelisting IP addresses/ranges for out-of-the-building connections to allow telecommuting while still making it hard on an attacker?

    --
    -=This sig has nothing to do with my comment. Move along now=-
    1. Re:Always one by PPH · · Score: 3, Insightful

      What if it's the lead system administrator's password?

      Why have you designed an enterprise wide administration process based on a hierarchy? Where an attack on (one of) the top nodes can gain entry into everything?

      --
      Have gnu, will travel.
    2. Re:Always one by Xabraxas · · Score: 1

      In an organization that employs several engineers you should never give all the access to one person. That's just a bad security practice.

      --
      Time makes more converts than reason
    3. Re:Always one by Anonymous Coward · · Score: 1

      If you give full system access to one user (never mind username/password combo), then you'd hope that they wouldn't be so dumb as to open a dodgy attachment.

      In a large org, nobody should have access to everything; it's terrible security practice.

      Even in a small org, system administrators shouldn't be running net-facing software (browser, email, etc) as a privileged user. If they click on something dodgy, they should have to enter a password before it can install itself AT MINIMUM. Even then, they shouldn't have any saved passwords to important accounts, so they would need to have a keylogger resident to get any useful login info.

      Of course, if your "secure" login system is relying on username/password without any kind of fingerprinting, you're doing it wrong anyway. Whitelisting IPs for admin accounts is the most basic thing you can implement in everything.

    4. Re:Always one by aaarrrgggh · · Score: 1

      Compartmentalization is great, but you still need redundancy in privileges to cover employee departures, PTO, etc., leading to a lot of power in a few hands. Smaller organizations it is worse.

      Having secure, unique, and temporal passwords ends up requiring them to be written down, but when you need to enter them 20 times a day, people get lazy... even with best intentions.

    5. Re:Always one by JaredOfEuropa · · Score: 4, Insightful

      Compartmentalization carries its own dangers. The idea is sound: only give people access to the systems and documents they need access to. The problem is that you'll never know beforehand which systems and documents those are. So, you need access to Doc X? "I know it takes 2 weeks to process an access request for this folder, so why don't I just email you the thing. Or I can email my credentials so you can access it with those". If your security measures get in the way of people doing their jobs, they will work around it.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    6. Re:Always one by Anonymous Coward · · Score: 1

      Who cares, the passwords are but a small part of the issue. Even if the SysAdmin account was restricted that compromised account can still send an email to -many-internal users requesting action on a link... More accounts get mooched...

      The real problem is the apps themselves that may have direct kernel access on systems, or allow for a greater amount of code execution than say html which is nye on damn near impossible to produce remote hacks. Allow scripts to run on whitelisted domains ONLY. All other sites can jack it.

    7. Re:Always one by johannesg · · Score: 3, Insightful

      Indeed, one password is not nearly enough. Each file should have its own password! Consisting of at least 38 characters that are randomly generated and consist of lowercase, uppercase, punctuation, digits, Chinese, whitespace, and dingbats! And changing every 24 hours!

      In fact I don't think that's secure enough yet. Maybe we should just not allow any 'files'. That way the hackers can never take them.

      Do security people even understand that one of the primary goals of security must always still be that it must still be possible for work to be done? That, despite everything, they are a _service_, not a goal? That without any work going on, they will also be out of a job?

    8. Re:Always one by cyberchondriac · · Score: 2

      Do you use Directory Services of any kind, eDirectory, Active Directory? There's always at least top level admin user for the Tree with rights to everything.

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    9. Re:Always one by cyberchondriac · · Score: 1

      I know that feeling. When our security unit was first formed 12 years ago, they were so gung-ho, they effectively made every single port on the rack switches their own DMZ. I mean, same subnet, same DMZs technically, but all the ports were locked down so tight that all servers -within the same DMZ mind you- were cut off from each other by default. Which is antithetical to the whole point of a DMZ. It was a nightmare trying to get systems that needed to communicate to communicate, constant requests to get ports opened, and often, it would take several requests as we banged our heads trying to troubleshoot issues. Certain people retired and moved on, to where today, it's working reasonably.

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    10. Re:Always one by Tablizer · · Score: 1

      The idea is sound: only give people access to the systems and documents they need access to. The problem is that you'll never know beforehand which systems and documents those are. So, you need access to Doc X? "I know it takes 2 weeks to process an access request for this folder, so why don't I just email you the thing.

      Hillary, welcome to Slashdot! ;-)

      --
      Table-ized A.I.
    11. Re:Always one by PPH · · Score: 1

      Do you use Directory Services of any kind

      Not for anything security related. DNS as an example of a hierarchical database is useful. But if you have to be certain that you are talking to the correct remote host (due to possible corruption of the DNS system) it's better to use an authentication system based on something external to that. And there are better models than hierarchical for managing key and certificate exchange and peer to peer trust.

      --
      Have gnu, will travel.
  2. Management is the biggest vulnerability by Anonymous Coward · · Score: 1

    "What do you mean I have to create a password with 12 characters and at least one non-alphanumeric character? What do you mean I have to change my password once every 3 months? What do you mean my domain account can't be a global root account on every server in our global corporation even though my title is Assistant Project Manager? I'm going to talk to your boss, you puny IT serf."

    Alternatively:

    "What do you mean we need to approve a $2000 purchase request for IT infrastructure including a new domain server because the old one is an IBM x-series server from 2007 and the new version of AD won't run on it? You guys need to figure this shit out on your own, now excuse me while I go to the daily management meeting with $300 worth of catered food."

    1. Re:Management is the biggest vulnerability by guruevi · · Score: 3, Informative

      All of those are perfectly good questions to ask your IT department.
      - Requiring more complicated passwords does not improve security significantly as people start using simpler (to crack) passwords and writing them down (or worse putting them on a cloud-based notepad app)
      - Requiring 3 month changes is likewise going to result in simpler passwords
      - Allowing user domain accounts to have any credentials on any servers unnecessarily results in issues like having a single credential login to SSH on any server. You should only need your accounts authenticate against specific applications and do proper filtering (eg. only authenticate against cn=managers,ou=sales, not your entire LDAP tree).
      - A 2007 IBM server should be able to handle plenty of directory services. LDAP is almost as old as the Internet, it's "light weight" and a single set of servers should be able to handle thousands if not millions of queries per minute. Off course, if you're tied into a single vendor *cough*Microsoft*cough*, you should've calculated the true cost in 2007.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Management is the biggest vulnerability by gweihir · · Score: 1

      Requiring people to regularly change their passwords is an utter fail. Competent security experts have known that for ages. Stupid "security" administrators are still ignorant of the fact.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Management is the biggest vulnerability by Anonymous Coward · · Score: 1

      If you're unfamiliar with the struggle between management and IT when it comes to management accounts having tons of unneeded access, you haven't worked in enterprise IT in a while.

    4. Re:Management is the biggest vulnerability by Anonymous Coward · · Score: 2, Insightful

      I support the concept of annual password changes. Much more than that and you quickly annoy your users, with very little gain in security.

      Password complexity? Yes, but again, don't annoy your users. These arbitrary "must have one upper case and one lower case character, plus one number" BS rules, they aggravate the legitimate people you need on your side! Also, no words from the dictionary? Really? How do you think users remember their passwords?

      If you are going to go full-on user hostile, then random generate huge, algorithmic passphrases. Stop pretending that you care at all about the users and just make them do what you want. Your security will get 0.000001% better and you'll feel good about yourself. In perhaps 3-5 years there will be a user revolt and you'll be out of a job. Congratulations! Then your organization will go too far the other way and the password "12345" will be allowed, as will "password" and "sex".

    5. Re:Management is the biggest vulnerability by jellomizer · · Score: 1

      Security needs to be top priority.
      Lets face it a proper secured environment is slightly inconvenient to the end user. That includes management, However if security had been a priority than management will need to think in terms of security. This means they will need to know what all their employees need to access and how they access them. Be disciplined enough to take a long passwords, and prepared to fully explain why an exception is needed and what additional safety precautions will be build around it.

      Proper IT security isn't the blame of any one part of the organization. That SQL injection that the developer put in, because it was designed for 2 internal users, and told by management it needed to be coded in under 1 week. Which then became more popular and put out on the entire web, from a different unit who never reviewed the code, because the CEO wanted that feature to the customers.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:Management is the biggest vulnerability by Anonymous Coward · · Score: 0

      What? We're allowing sex now?

  3. New rule passwords must be changed each week by Joe_Dragon · · Score: 1

    New rule passwords must be changed each week

    1. Re:New rule passwords must be changed each week by Calydor · · Score: 2

      "Okay, so my password this week is Password ..." *flips through calendar to check week number* "... Password31."

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:New rule passwords must be changed each week by JustAnotherOldGuy · · Score: 1

      New rule passwords must be changed each week

      Better yet, hourly. And no reusing any of the characters you used in the last 20 passwords.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    3. Re:New rule passwords must be changed each week by clovis · · Score: 5, Funny

      New rule passwords must be changed each week

      And it has to be written on a post-it on your monitor so we can check.

    4. Re:New rule passwords must be changed each week by Xabraxas · · Score: 1

      Pfff. I will never bend to their will. I keep my post-it note under the keyboard.

      --
      Time makes more converts than reason
    5. Re:New rule passwords must be changed each week by Anonymous Coward · · Score: 0

      Change it to 30 seconds and give yourself a pat on the back, you just created a 2-factor auth token!

    6. Re:New rule passwords must be changed each week by Anonymous Coward · · Score: 0

      Finally, a valid use for Unicode. -PCP

    7. Re:New rule passwords must be changed each week by Anonymous Coward · · Score: 0

      It's far more practical to implement one-time-passwords (OTP) systems. There are a few commerical ones that integrate directly with AD or act as a RADIUS back-end. Additionally, implementing Google PAM plugin was actually surprisingly simple and allowed us to implement two-factor-authentication (a combination of PIN/PASS+OTP) at every perimeter entry point.

      We're testing now with using OTP on our authenticating proxy to ensure that unauthenticated traffic does not exfiltrate any comprimised data.

    8. Re:New rule passwords must be changed each week by Anonymous Coward · · Score: 0

      Currently July2016, when it needs changing it'll be September2016.

    9. Re:New rule passwords must be changed each week by Larry+Lightbulb · · Score: 1

      I did work briefly at a place where the "IT Department" would generate passwords every month and leave them in an envelope on your desk. You couldn't change them and they were long random strings, so you kept the paper rather than try to remember them. Of course the director who imposed the rule had his own password which was shorter, simpler, and never changed.

  4. Next up..... by Xabraxas · · Score: 1

    The sky is blue!

    --
    Time makes more converts than reason
  5. Nicolas Cage's response: by Anonymous Coward · · Score: 0

    You don't say?

    1. Re: Nicolas Cage's response: by Anonymous Coward · · Score: 0

      Put the bunny back in the box.

  6. So... by frootcakeuk · · Score: 1

    What actually is classified as a "weak" password these days? I don't mean to ask a silly question, but not being a mathematician or even working in this field, I just don't know. With lastpass compromised what is a good password 'rule' in 2016?

    --
    Remember kids: What's right isn't as important as what's profitable.
    1. Re: So... by Anonymous Coward · · Score: 1

      http://world.std.com/~reinhold/diceware.html

  7. The wall is only as good as the men on it! by Anonymous Coward · · Score: 0

    The wall is only as good as the men on the wall.. - ghengis khan

    1. Re:The wall is only as good as the men on it! by Anonymous Coward · · Score: 0

      And they are only good when fed correctly!!

  8. Stop applying patches? Then you'll be in trouble. by complete+loony · · Score: 5, Insightful

    exploiting software doesn't even rank among the top five plays in the attacker's playbook

    Only *because* you've been "Playing whack-a-mole with software vulnerabilities". If you stop applying patches, using exploits would be more productive.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  9. Stronger passwords won't help by Solandri · · Score: 4, Interesting

    Research has shown that between 48% and 70% of people will tell you their password in exchange for a bar of chocolate.

    1. Re:Stronger passwords won't help by andrewbaldwin · · Score: 1

      Do you know if they're telling the truth?

      If approached by a researcher I may thell them *a* password in exchange for chocolate - whether it's a valid one or not would be a matter for my conscience [is my deception greater than theirs? are the consequences of my lie better/worse than their planned action? ...]

    2. Re:Stronger passwords won't help by Anonymous Coward · · Score: 0

      Yes, my password is always a variant of '12345', now give me some candy.

      Well, the ones that demand excess range of characters, I convert a few digits. Something like 'Ab#45' to meet their silly requirements. Now you owe me another chocolate bar for the road.

  10. [malicious] link is faulty by Anonymous Coward · · Score: 0

    I click on it and nothing happens?

  11. Segementation of the Users themselves by DFDumont · · Score: 4, Interesting

    Any security tech worth their salt will tell you the same thing. The network needs to be protected from the users themselves. They are the primary way bad things enter the environment. To that end you need to do several things.
    1. Segment off the entire gamut of user PCs and apply the same access restriction methodology you do to the Internet feed. Use a white list approach. Yes, they can reach more services internally. No, they cannot obtain administrative access. The user in front of the PC has no bearing on the PC's access.
    2. Remove the ability to administer anything directly. Create a set of 'jump' or 'hop' boxes which employ some form of two-factor authentication, from which all administrative functions originate. And this includes everything from networking gear to application administration. No PC should be able to obtain any form of administrative access to anything, anywhere.
    3. Use end node segmentation. Every server and network device must have a separate, non-routable management interface. The primary IP address, the one with the configured default gateway, is the one used to provide services. The management interface has a disjoint IP address, as in it can't be derived from the schema used to create the primary addresses. It has no routing capability, as in it can't communicate outside of its configured subnet. The Hop-box through which it is managed is housed on the same subnet. Hop-boxes provide the service of 'management' to the environment and employ the same addressing and routing scheme. In this way remote, or off-site administration is accomplished through normal routing to the hop-box, not to the device's management interface.
    4. Management applications use a VDI methodology housed on the hop box. This includes even SSH clients to the networking devices. They only display on the PC, they don't run in its memory space. As a best practice, all of your applications similarly run as VDI services for the same reason. The end PC becomes much closer to a 'terminal' or portal to the applications, and its memory space and CPU are used only to draw on the screen and communicate with the VDI service. There is a financial advantage as well to loading software only onto VDI servers, instead of a set of desktops. This also aids in writing the firewall rules for user PC's as the only services they need are for Internet access, and the VDI protocol itself. This is a thin-client kind of design without using actual thin client hardware.
    5. Eliminate the use of local storage. This includes thumb drives but is really focused on documents. For the most part laptop hard drives are not part of any backup process, and at some point some middle manager will complain about a key spreadsheet they lost because the only copy was on their laptop hard drive that just went belly up. Avoid that. Put everything onto a file server which has access controls and a backup schedule. If you need transfer capabilities, use any number of secured file transfer methodologies. Yes you will require a network connection to access your files. No this isn't really a problem anymore, and why would you be updating your business critical spreadsheet held on a thumb drive you can lose?

    Among other things this alleviates the need for draconian Internet filtering policies. Let the users browse Facebook or even dark web sites. They are treated as the security cesspool they are and they cannot achieve a secure stance no matter what is running one them.

    Another thing this eliminates is the need to control local admin rights to the PC's. Let anyone load whatever software they like. Heck, let the web link load malware. It won't accomplish anything. You can keylog all you want, it won't get you any access.

    The final advantage this has is more operational in nature. Given that there is nothing critical contained on the PC, then any PC will do. If one goes belly up or is compromised by malware, then simply replace it with another from spares and the user continues on their way. Mean Time To Resolution becomes the time it takes to dispatch a replacement, and the failed/corrupted device can be examined offline and without impact to the user.

    1. Re: Segementation of the Users themselves by nehumanuscrede · · Score: 3, Insightful

      All the security you can come up with can be undone instantly if you offer the right person enough money.

      Bribe the Tacacs server admin and you're golden. They'll set you up with access to anything and everything.

      Pay them some more and they would probably disable logging for you.

      Pro tip: Treat your IT folks well because they hold the keys to your entire Kingdom.

  12. Pointless Debate by nehumanuscrede · · Score: 1

    You can gain access to ANY corporations network on the entire planet, regardless of who they are using one simple time proven exploit.

    Money.

    Find an underpaid employee of your target company and offer them a crazy amount of money if they'll help you out.

    Many will turn you down, but you'll always find one who won't.

    For a State actor with an unlimited budget, this is trivial.

    1. Re:Pointless Debate by Tablizer · · Score: 1

      Better yet, hire somebody desperate but eager from the 3rd world for whom $500 means living well for a year...or even just living for a year.

      --
      Table-ized A.I.
  13. Inside attacks by itsecoddities · · Score: 1

    Notice that all attacks listed are (generally speaking) once you are inside the network. If you are looking to penetrate a network from the outside, I would say software vulnerabilities are your best option for a first try. If that doesn't work then phishing. But if I would agree with the conclusion to secure your soft-n-chewy security once inside, Identity and Access Management is a better start if your resources are that constrained.

    1. Re:Inside attacks by Anonymous Coward · · Score: 0

      Phishing is the easiest and fastest way into an environment from the outside. From there you can pivot using the techniques we discuss in the report

  14. Underlying model is broken by Anonymous Coward · · Score: 0

    How bad does it need to get before enterprise folks wake up to the fact that windows domains are a fundamentally broken concept?

    Sure you can use OTP or TFA, but you'll still need domain admin accounts for just about everything, and you can't restrict the privileges of those accounts.

    The whole thing feels like it was built to make IT like being in an episode of mad men.

    1. Re:Underlying model is broken by Anonymous Coward · · Score: 0

      Gotta call you out on this one. A large domain can be broken up into a hierarchy of smaller domains, and trust relationships can be established between the domains without actually granting access. You may have no reason for the domain admin of the HR department to be administering group policies for the accounting department's machines. Or maybe you'd isolate the domain admins by geographic area; perhaps by data centers. These lower level domain admins would be subordinate to the Enterprise domain. Require these lower level domain admins to perform their work on a secured host kept in an isolated segment that only talks to domain controllers. At the Enterprise level, you'd have a few top level admins being your most senior people, working in a figurative clean room to do their work. (Despite multiple OS releases, Windows is still susceptible to Pass the Hash.) Ensure every point of access from any level of domain admin is locked down. Dedicated terminal on an isolated segment, 2FA, isolated special purpose domain admin accounts with shared-secret passwords and two person access rules, etc. The only things they'd be allowed to do with an Enterprise level domain admin account would be to maintain the trust relationships with the various lower hierarchy domain admin accounts; and everything would be audited multiple different ways by your risk management team. Never grant any level of domain admin to a normal user account; all domain admins at every level should have special purpose domain-admin-only accounts in addition to their regular accounts. The domain admin accounts shouldn't be granted log on rights to any of the ordinary machines.

      You also have to enforce RBAC across the enterprise. Never grant user accounts rights to a machine, only grant group memberships to users. Configure machines to only trust groups, not users. Continually audit your machines to make sure that no user accounts have access. And have the right people audit all your groups and group memberships on a frequent basis.

      It can be done and done well, but at a cost. For a large enterprise, not only can they afford that cost, they can't afford not to. Unfortunately, the only way most companies seem to learn how to do this effectively is to suffer a breach, at which time they bring in the experts they should have hired a decade ago.

    2. Re:Underlying model is broken by Anonymous Coward · · Score: 0

      Gotta call you out on this one. etc

      Agreed. The poster above you has no clue. The only thing domain admin rights are needed for is administering the domain.

      Server admins do not need domain admin rights. Not storage admins, not print server admins, not backup server admins, nor TS nor Citrix admins
      DBAs do not need domain admin rights.
      App support people do not need domain admin rights.
      Programmers do not need domain admin rights unless they are writing code to run on DCs or administer the domain, and then they get admin rights to the test domain only.

      No one in HR. Especially no one in HR.

      I don't know about the Exchange mail admins; I think they need domain admin rights, but the Exchange system should be running in its own domain and authenticating through a trust relationship to the domains the user accounts live in.

      And especially what you said here:

      Never grant any level of domain admin to a normal user account; all domain admins at every level should have special purpose domain-admin-only accounts in addition to their regular accounts. The domain admin accounts shouldn't be granted log on rights to any of the ordinary machines.

      And the admin account has no associated email account.

  15. Huh? Most are software exploits by dwheeler · · Score: 1

    Their argument mostly disproves their claim. I agree that security is much more than eliminating software exploits, but at least 3 of their "top" 5 examples ARE software exploits (because of either a fault in the implementation or in its spec). 1. abuse of weak domain user passwords -- used in 66% of Praetorian pen testers' successful attacks The software should prevent bad passwords by default, but for the sake of argument I'll grant them that one. 2. broadcast name resolution poisoning (like WPAD) -- 64% That's a software exploit. If your protocol is vulnerable to poisoning, your protocol has a problem. 3. local admin password attacks (pass-the-hash attacks) -- 61% Software exploit. Hashes are supposed to *not* be equivalent to the password they were derived from. This is a well-known software exploit. 4. attacks on cleartext passwords in memory (like those using Mimikatz) -- 59% If an untrusted program can see cleartext passwords in memory, there's a software exploit, they're not supposed to do that. 5. insufficient network segmentation -- 52% Okay, that's not a software exploit. So #5 is not a software exploit, #1 is arguably not a software exploit (though it suggests a software problem), and the rest (#2, #3, #4) are software exploits (there's a software vulnerability in the protocol or its implementation). I would agree with them that security is much more than software, but software has an important role to play. The *REASON* that #2, #3, and #4 are problems is because people weren't paying enough attention to security.

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
  16. Stall ability to click malicious links via by Anonymous Coward · · Score: 0

    APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?...

    Ads rob speed, security (malvertising), privacy (tracking).

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively.

    Works vs. caps & PUSH ads.

    Avg. page = big as Doom http://www.theregister.co.uk/2... & ads = 40% of it.

    Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity.

    Compliments firewalls (blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load).

    Gets data via 10 security sites.

    APK

    P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "seen the code & it's safe" http://forum.hosts-file.net/vi... )