Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malicious Code and Intruders Dr. Ron Rymon Efi Arazi School of Computer Science IDC, Herzliya, 2010/11 Pre-requisite: Basic Cryptography, Authentication.

Published byLeon Leonard Modified over 8 years ago

Similar presentations

Presentation on theme: "Malicious Code and Intruders Dr. Ron Rymon Efi Arazi School of Computer Science IDC, Herzliya, 2010/11 Pre-requisite: Basic Cryptography, Authentication."— Presentation transcript:

1 Malicious Code and Intruders Dr. Ron Rymon Efi Arazi School of Computer Science IDC, Herzliya, 2010/11 Pre-requisite: Basic Cryptography, Authentication

2 Overview  Malicious Code (Viruses)  Intrusion Detection and Prevention  Denial of Service

3 Malicious Code (Viruses) Main Sources: Stallings, F-Secure

4 Types of Malicious Code Need Host Program Independent TrapdoorsLogic Bombs Trojan Horses VirusesBacteriaWorms Malicious Code Replicate Bowles and Pelaez Spyware Most current malicious code mixes all capabilities

5 Historical Perspective  Original computer virus idea – Fred Cohen, MIT 1984 –A few primitive virus-like programs existing beforehand  First viruses –Spread slowly, appending to boot sector, programs (Jerusalem 87)  Faster infection –Worms –E-mails, mobile code in browsers  New targets –Mobile viruses – IKEE.B –Devices – Stuxnet  “Commercialization” –Spy and espionage –Harvest information –Cyber terror

6 Trap Doors and Logic Bombs  Trap Door: –Secret part of a program that circumvents normal security procedures –E.g., Undocumented server planted by the developer, Debug code within legitimate application  Logic bomb –A program that is set to explode when certain conditions occur –Examples: when the programmer is fired, on the expiration date of the license  Easter Eggs –Hidden code that is inserted by the software programmers for fun or to show that they control the software (look at eeggs.com) –Usually not destructive (not really a bomb)  Solutions: – Independent QA and code review, Real-time detection (firewall)

7 Spyware (and Adware)  Adware –Started as advertising banners within free software –Can usually remove advertising if you pay software license  Spyware –Usually, some free software will also collect information about you –Primarily surfing habits, cookies, etc. but who knows what else… –Also, sometimes you are essentially running a server on your machine which can serve for further penetration  Spyware-like activity by legitimate software vendors –Designed to facilitate auto-update and version synchronization –Some record various characteristics of the client machine  Corporate spies –Corporate spies may install software that records email, browsing, etc. E.g., Israeli Trojan at major corporations  Solutions: –Use anti-spyware software (independent or part of OS) –Exit-control and information leakage software –Personal firewall can usually catch outgoing messages

8 Trojan Horses  Legitimate user inadvertently lets it in behind perimeter  Malware hidden within another software –usually installed by a privileged user –when invoked may perform the unwanted function  Malware impersonating another software –Replacing/hiding existing OS programs (rootkits)  Malware sent by email that prompts the user to install it  Malware installed when the user visits a web site –Russian mafia broke into legitimate web servers and planted trojans  Examples: keystroke logger, DDoS zombies, NetBus, rootkits  Solutions: anti-virus, host-based IDSs, hardened OS, security policies, personal firewall

9 Example: Triggering Email

10 NetBus Trojan

11 Viruses, Worms, and Bacteria  Programs that replicate themselves over the network –Often try to hide themselves from detection  Viruses: add own code to a host program –Replicates through exchange of programs between systems –May mutate to spread more quickly and avoid detection  Worms: independent program that replicates over network Morris Worm crashed many Unix networks Klez is an email worm Code Red exploited IIS holes, mutated Kelvir spreads in IM networks SQL Slammer attacks MS-SQL servers IKEE.B spreads between iphones over wi-fi  Bacteria: a program that replicates itself –Choke CPU, disk space, etc. –Email bombs are also a type of bacteria

12 Speed of Infection (source: F-secure white paper)

13 Anti-Virus Approaches  Detection modes –Scan incoming information (emails, communication ports, …) –Scan disk and memory for infected files  Detection methodologies –Search for previously identified “signatures” takes time for signatures to be discovered and distributed viruses may compress themselves and the host program polymorphic viruses change their signature –More sophisticated pattern recognition identify parts of virus code and more general patterns identify virus by its actions rather than its structure emulate the execution of the virus until it decompresses itself –identify signature of uncompressed virus –identify virus behavior 75-90% of new (unknown) viruses can be discovered –Maintain cryptographic checksums of important files, to prevent alteration (Tripwire)

14 Anti-Virus Approaches  Newer detection methods –Sandbox approach execute the virus in separate partition entrap the virus to infect and turn itself in –Digital Immune System (IBM – now Symantec) Centralized identification of new viruses Automated distribution of detection and fix to others on network –Market trends: move from Desktop to Server to Both  Removal of the threat –remove the virus from the infected program –quarantine infected programs and content  Prevention –Avoid disks, downloads, from unrecognized / uncertified sources –Use an anti-virus program to scan all new content  Hoaxes –Some hoaxes disguise a virus as a solution

15 Study of Off-the-shelf Anti Virus Software (2006)  Tested by AV-Test against 59000 backdoors, 70,000 bots, and 160000 Trojans –Five vendors scored over 99% –Four tested below 50% –Median only 90.42%  One conclusion: use multi-layers –Outgoing mail –Server side –ISP scanners –And finally client…

16 Intrusion Detection and Prevention Main Sources:Network Intrusion Detection / Northcutt, Novak The Honeynet Project

17 Intruders – Who and Why  Who –Internal users (70% !!) –Opponents (corporate, political) –Vandals –Kids (mentally) –Criminals!  Why –Stealing your money Credit cards, passwords to bank accounts, extortion and blackmail –Other profit: trade secrets, classified information, free usage of service –Vandalism erase / modify information, interruption of service –Show off –Take control of a machine as a stepping stone to attacking another

18 Intrusion - How  Insecure system configuration –default configurations, password cracking, trust between systems, trust between application and database (access control) –Unpatched machines (about half of all PCs) – zero-day attack  Software bugs –buffer overflows, unexpected input combinations, race conditions  Flaws in security protocols or their use –sniffing on wireless communication  Social engineering –Take advantage of human weaknesses  Trojan methods –getting a program running on a privileged user machine

19 A Typical Intrusion Scenario 1.Intelligence 1: collect publicly available information about organization, network, people, email accounts 2.Intelligence 2: scan the network to: which IP addresses are in use what TCP or UDP ports are “open” what operating system / services are in use unpatched systems 3.Run “exploit” scripts against vulnerable nodes 4.Get access to Shell program (ideally as a superuser) 5.Run more exploits install backdoor for future use try not to leave any tell-tales behind 6. Remotely access the system / backdoor

20 Examples of Reconnaissance  Ping sweeps –identify which machines are alive  TCP and UDP scans –identify open ports  ICMP queries –OS identification, including patch versions  Account scans –break into weak user accounts (passwords!)

21 Example: LANGuard Scanning Tool

22 Examples of Exploits  Hackers try to identify any type of service or program that can be exploited  CGI Scripts –pass tainted input to shell, ask for a file  Web server attacks (and SQL server, and other servers) –execute malformed or misplaced file names –buffer overflow  Web client (browser) –execute mobile code –hiding 1x1pixel frames within a trusted web page  SMTP, and IMAP attacks –bugs in sendmail (SMTP) and in IMAP servers  IP Spoofing –DoS attacks, masquerading  DNS Attacks –poisoning through masquerading and abuse of answer caching

23 Intruder Tools: ICMP Scanning  ICMP can be used to identify live hosts and open ports  Scan 1: send range of echo requests –Randomly –To a subnet broadcast IP: usually 255, 0 in BSD  Scan 2: send range of address mask requests –routers will respond with info on the network addressing space  Scan 3: use traceroute to collect “host unreachable” and “port unreachable” responses  Solutions: –disable traffic to broadcast IPs (also helps in DoS attacks) –disable ICMP echo –But, will not have ping, traceroute capabilities

24 Intruder Tools: DNS Attacks (1)  If compromised, DNS can provide a full map of the domain without additional effort  Hackers must first identify the identity of the DNS server, and if possible the version of the BIND (Berkeley Internet Domain Daemon) software it runs –use nslookup to identify name of domain name server –use dig (Domain Internet Groper) to identify BIND version  Older BIND versions may divulge some host information –using a simple query –sometimes allows not just a single query, but a list of all domain records –these records may include host information such as OS, CPU –masquerade as secondary DNS and perform full “zone transfer” to download all DNS information  Or, may try to traceroute using the DNS port 53, if ICMP ports are blocked, looking for “host unreachable” replies

25 Intruder Tools: DNS Attacks (2)  DNS cache poisoning –A query from a compromised host that includes tainted input in the response field can result in DNS poisoning this was used in the Clinton-Giuliani senate race to divert traffic from hillary2000.com to hillaryno.com  Solutions –Upgrade BIND version BIND 8.3 and up includes DNS Security Extensions (DNSSEC), requiring stronger authentication of querying servers –Limit zone transfers to few known servers –Do not fill DNS records with extra information

26 Intruder Tools: Identify OS, Server  Intruders wish to identify the software on the other side, so they can select proper exploits  Stimuli-based OS scanning tools (e.g., nmap ) –telnet, ftp, will sometimes “banner” the OS –unsolicited FIN to open port: some TCP stacks will respond –bogus or no TCP flag values: some OS will keep the flags in reply –extra TCP data  Passive fingerprinting –Examine TCP packets, looking for a specific OS standard practice –Traceroute, with TTL=n-1, to see where coming from –Important when investigating an attack in real-time  Crashing attempts –Using DoS methods  Most of the techniques rely on improper implementations of certain protocols (or incomplete specification)

27 Intruder Tools: Masquerading  Typical scenario –Identify and characterize trust relationship between two systems –Attack one system, e.g. using DoS, or by crashing it –Impersonate the silenced system to perform the crime –Cover the crime scene  Example: the Mitnick Attack –Identified trusted TCP relationship between X-terminal and Server –Silenced the Server using SYN flooding DoS attack –Hijacked TCP connection to x-terminal, by spoofing as Server IP –Changed trusted domain to “all”, so that can access later –Logged out, and stopped Server flooding, to avoid detection  Solutions –Identify and “drop” SYN floods –Avoid trust relationships –Deploy tools that detect changes to critical files (e.g. tripwire)

28 Intruder Tools: Buffer Overflow  A favorite of intruders, taking advantage of ill- implemented protocols and software –Most recent attacks use buffer overflow, e.g., slammer  Scenario: –transfer more data than the receiving party has reserved space for –embed your code, in the hope that it will be placed in the receiver program code space, and subsequently executed (use nops to avoid exact calculation)  A double-whammy for “kiddy” intruders: intrusion success + demonstrated superiority over other programmers  Solutions: –Vendor patches –More importantly: educate programmers and run code reviews –New CPUs allow marking data areas as non-executable

29 Intrusion Detection  Goals: –prevent damage –prevent illegitimate use of resources, access to information, etc. –catch and deter intruders –identify weaknesses to improve defenses  Important to detect before intruder gains access –most detection efforts concentrate on intelligence gathering scans –Common assumption: Intruders behave differently  Unfortunately, easier to identify after the fact (forensic)  Methods: –rule-based detection, using known patterns (signatures) –statistical anomaly analysis –most systems use combination of both –System integrity verifiers (Tripwire), honey pots

30 NIDS and HIDS  Network-based IDSs (NIDS) consist of agents that monitor network traffic  Host-based IDSs (HIDS) consist of agents that monitor a single system  Most deployments consist of –multiple instances of NIDS and HIDS –a centralized Console, as part of Security Operations Center (SOC)  Use baselining to reduce false positives

31 Signature/Rule-based Detection  Hundreds of intrusion signatures have been identified –Maintained by CERT and the like  Features used in signatures (and statistical detection) –Packets cooked in a specific way –Which resources/services are requested –Whether the request is successful –Frequency, order, and length of usage –Concurrent processes of same user and of other users –Time of the day –Who is the user –Physical machine from which a request is made

32 Statistical Anomaly Analysis  Use profiles for individual users  Choose threshold to distinguish  Note: not much data to build profile of intruder

33 Honeypots and Honey Nets  A honeypot is a decoy system that is placed within the internal network and is designed to attract intruders –Usually configured as a characteristic system in same network –May contain decoy and made-up data –A little weaker than other systems –IDS installed, and carefully monitored  Goals: –Deception –Detection and advance warning (usually the actual attack is preceded by intelligence gathering)  Another variation is an externally placed “scout” with bogus information –May identify itself to the outside as any of the network servers –Will continue the exchange with the hacker, and will alert

34 IDS Challenges  Encryption makes it difficult to identify patterns / attack  Number of attempts –Honey nets have shown that unadvertised networks are attacked within a few hours –Most attempts are “standard” (downloaded) exploits, tried blindly  Large number of false positives –In a production environment, legitimate users may exhibit a behavior that matches a signature –Many organizations routinely ignore IDS warnings –Some attempts to model legitimate usage, and exclude rest  False negatives –Many new intrusion techniques are invented continuously  Overhead –IDS adds an overhead to a system –Administrator may choose not to install on a critical system

35 Vulnerability Assessment  Idea: use hacker-like tools to test systems –Point to known weaknesses –Recommend fixes  Security Administrator’s Tool for Analyzing Networks (SATAN) –One of the first research tools –Was later used by hackers  Vulnerability assessment tools use –Various scanning techniques –Code for hundreds of intrusions, DoS schemes –Pointers to fixes  Organizations use routinely penetration testing (“pentest”) –Network and application levels  Common vulnerability Scoring System (CVSS) standardizes vulnerability risks

36 Social Engineering  Conning people into giving up their security –Usually, masquerading as an authorized user –Sometimes, presenting to simple users as administrator –Examples IRC chats calling up helpdesk emails and web messages offering help  Breach IT and sometimes physical security –Installing Trojans, DDoS zombies –Stealing information –Destroying data  Famous BBB – Bribery, Bending, Burglary  Most IT security efforts focus on technology – more shall be spent on training people

37 Audit Trails  Organizations collect and maintain activity logs  Main driver: regulatory requirements  Main goals: –Identify usage patterns and alert to anomalies –Forensic investigation  Platforms and applications regularly log activity  Log management systems –Centralized repository –Correlate for users across systems/apps –Correlate usage patterns and reports on exceptions

38 Prevention Policies and Tools  Stronger and well specified protocols  Stronger implementation of protocols  Strong authentication  Access control policies  Audit and prosecution  Firewalls  Proxies  Vulnerability Assessment Tools  More…  Conclusion: No single solution to security  Very important: education and awareness of staff

39 Denial of Service Main Sources: CMU CERT, Riverhead, Northcutt et al

40 Denial Of Service (DOS)  Interruption: prevent legitimate users access to a service  Typical motives: political hacktivism, show off, blackmail

41 Denial Of Service (DOS)  Typical methods –Flooding of a network –Prevent connection between two or more machines –Prevent connection between one machine (server or client) and other machines –Crash a system, or network configuration  Examples: –Echo, SYN attacks on web servers, and ISPs –Worms aimed at crashing email servers –Attacks on specific application services –DNS attacks that also divert traffic

42 DOS: SYN Attack  Works at TCP layer –Normal TCP 3-way handshake: SYN, followed by SYN/ACK, followed by ACK –After SYN/ACK, server maintains an open connection until ACK is received  Attack: flood server with IP spoofed SYNs until server exceeds the number of open connections allowed –Server will not be able to service legitimate users and may crash  Detection: too many open SYN requests  Prevention: –To protect others, do not allow outgoing packets to have a source that is not from your network (i.e. is spoofed) –Can also be done by the ISP

43 DOS: Echo-CharGen Attack  Works in UDP layer –Echo returns a packet to sender –Chargen generates and returns a character  Attack: connect a CharGen service to an Echo service –Results in a self sustained flood of communications –Sometimes the spoofed address is a broadcast address, resulting in more bandwidth  Prevention: –eliminate unnecessary UDP services –If must provide such services, use firewall to set up acceptable policy

44 DOS: Smurf Attack  A variation on the Echo attack  Attack: send an echo to a subnet’s broadcast address (subnet.255), from a spoofed IP (victim) –As a result, all machines on the subnet respond simultaneously to the victim machine, flooding it  Prevention: –block packets addressed to broadcast from outside the network –Note that the victim can do little, since even if his router blocks the packets, they will still jam the network between the router and the ISP

45 DOS: E-Mail Spamming Attack  Use email servers to clog themselves and other email servers –Code Red, Love Letter  Attack: Send a large email to a large number of recipients –Directly to lists –Email worms  Prevention: –Identify source and block its packets –Prevent large emails, large distribution lists

46 Other DOS Attacks  Crashing a server by using a faulted implementation of a communication protocol –Teardrop uses improperly implemented TCP fragment reassembly –Land sends SYN packets with same source and destination addresses –Ping of Death sends oversized (>65K) ICMP command  Intentionally generating errors that are logged by the server to clog log files and consume disk space  Placing large files on ftp areas or network shared storage  Generating excessive logins until system blocks logins from legitimate users –Many OS will block an account after 3-5 failed login attempts

47 Distributed DOS (DDOS)  Attack: Orchestrated from multiple sources at same time  Solution: Identify packets addressed to attacked server, divert other traffic, and filter “dirty” packets

48 Examples of DDOS  ICMP/UDP floods: TFN, Trinoo  Code Red is a worm that has flood period from 20 th to 27 th of each month  Social engineering is often used to get people to download DDOS daemons (zombies)  In some cases, the attacker collaborate, e.g., coordinated Arab attacks on Israeli sites

49 Example 1: DDoS for Hire

50 Example 2: DDoS Extortion  Extortion letter sent to domain administrators (Aug 2010)  Not clear whether senders are really capable or a simple scam

51 Zombies on innocent computers DDoS Illustration Server-level DDoS attacks Infrastructure-level DDoS attacks Bandwidth-level DDoS attacks Source: Riverhead

52 Riverhead Guard Victim Non-victimized servers Traffic destined to the victim Legitimate traffic to victim “No Dynamic configuration” 5. Forward the legitimate Solution Overview 4. Filter only the bad 6. Non Victim traffic free flows Source: Riverhead

53 Adaptive and Dynamic Filtering Static & Dynamic Filters Anti spoofing Statistical analysis Rate-limiting & DDoS Traffic Shaping Layer 7 http smtp 1 to 1000s of dynamic filters by flow, protocol, … Per flow queues and aggregate rates Block spoof packets: TCP, DNS, UDP Anomaly recognition, Per flow, using a base line. Filter: Drop non-essential traffic. E.g., ICMP, UDP if not essential, etc. Source: Riverhead

54 ISP Perimeter Protection Source: Riverhead

55 ISP Perimeter Protection Source: Riverhead

56 Tempest Attacks

57  Transient ElectroMagnetic Pulse Emanation Standard; or Telecommunications Electronic Material Protected from Emanating Spurious Transmissions  A US Army project in the 1950s, designed to protect against electromagnetic eavesdropping  Idea: eavesdrop on electromagnetic radiation (from monitors,disk drives), to decode the activity/content  Wim Van Eck (1985), shows that this is possible from a distance of up to 1Km.  Anderson & Kuhn (1998) present a method for processing the electromagnetic waves, and also a way to defend against it using Tempest-proof fonts.

58 Tempest Attacks http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf  Today’s monitors emit less radiation, making it harder  US embassies are routinely shielded to prevent Tempest espionage –There are also NATO standard and a commercial one  There probably are easier methods for industrial espionage

Download ppt "Malicious Code and Intruders Dr. Ron Rymon Efi Arazi School of Computer Science IDC, Herzliya, 2010/11 Pre-requisite: Basic Cryptography, Authentication."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.

Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)

Similar presentations

Ads by Google