Monthly archives for June, 2017

WA Auditor General able to guess database administrator passwords

A WA Auditor General’s report probed applications at five government entities and found none were completely satisfying his information security benchmark, with the Chemistry Centre’s passwords easily cracked.

Western Australia’s Auditor General has expressed his disappointment that government agencies in the state are not taking simple steps to protect IT systems.

In his ninth annual Information Systems Audit Report [PDF], Colin Murphy probed five government agencies and highlighted his frustration in repeating remarks he has made in previous audits.

“Disappointingly, I must again report that many agencies are simply not taking the risks to their information systems seriously,” Murphy’s overview reads. “I continue to report the same common weaknesses year after year and yet many agencies are still not taking action.”

Murphy said he is “particularly frustrated” with agencies in the state, given that many issues he has previously raised can be easily addressed. These include poor password management and ensuring processes to recover data and operations in the event of an incident are kept updated, he explained.

“A pressing issue that must be acknowledged and addressed across the sector is for agencies’ executive management to engage with information security, instead of regarding it as a matter for their IT departments,” Murphy continued.

“As recent high profile malware threats have shown us, no agency or system is immune from these evolving and ongoing threats.

“The risk to agency operations and information is real and needs to be taken seriously.”

The report reviewed key business applications at five agencies: The Western Australian Police Force’s Image and Infringement Processing System (IIPS); Navigate from the Department of Racing, Gaming and Liquor; the Chemistry Centre’s Laboratory Information Management Systems (LIS); the Case Management and Intelligence System (CMIS) of the Corruption and Crime Commission; and the Department of Finance’s Project and Contract Management (PACMAN).
The Auditor General then reviewed the systematic processing and handling of data across policies and procedures, backup and recovery, and the audit trail, in addition to others, as part of its probe.

The report highlights that all five applications had control weaknesses which were mostly related to poor information security, policies, and procedures. It made 65 findings across the five applications, rating four as significant, 53 as moderate, and eight as minor.

The four significant concerns related to the security of sensitive information, backup and recovery, and data processing.

The Chemistry Centre’s LIS had the highest number of concerns, with the Auditor General making 22 findings, with 32 percent stemming from its weak security policies and procedures.

While ChemCentre applies many technical controls to ensure the security of its applications and information, the report said many controls may not meet security objectives, as the policies are lacking or outdated.

“The password policy, last reviewed in 2010, allows users to set simple passwords such as ‘password’ or ‘12345678’. In addition, the policy does not require stronger passwords for highly privileged network, database, and application accounts,” the report says.

“As a result, we were easily able to guess passwords for the database system administrator account and for accounts within ForLIMS.”

As a result, Murphy made six recommendations that ChemCentre should adopt by August 2017, which includes developing new, and reviewing existing, security policies; updating its risk management framework and conduct a risk assessment; conduct a business impact assessment and develop a disaster recovery plan; and develop an IT strategic plan, software development process, and update application documentation to ensure appropriate controls are in place to protect sensitive information.

The Auditor General made similar recommendations to the other four government entities, asking Police to review the process for managing security vulnerabilities, software updates, and patches, and to consider automating its manual processes for on the spot infringements.

He also recommended the Department of Racing, Gaming and Liquor look into automating its manual processes and that it better define access management for its systems.

The Auditor General also conducted an investigation on the general computer controls (GCC) within government entities to determine whether computer controls effectively support the confidentiality, integrity, and availability of information systems.

GCC include controls over the IT environment as a whole, computer operations, access to programs and data, program development and program changes, focusing on the management of IT risks, information security, business continuity, change control, physical security, and IT operations.

“We reported 441 GCC issues to the 46 agencies audited in 2016, compared with 454 issues at 45 agencies in 2015,” the report says. “There was also a decrease in the number of agencies assessed as having mature general computer control environments across all six categories of our assessment.”

Only seven agencies met the Auditor General’s expectations for managing its computer environments effectively, compared with 10 in 2015.

The results for information security and business continuity were flagged as disappointing by Murphy, with 61 percent of agencies failing to achieve a level three or higher in information security, with 73 percent failing to meet level three or higher in business continuity.

However, Lotterywest, the Department of the Premier and Cabinet, and Racing and Wagering Western Australia were flagged as consistently demonstrating good management practices across all areas assessed.

Only 39 percent of agencies met the Auditor General’s benchmark for effectively managing information security, which was down 1 percent from the previous year.

Murphy made six recommendations to state government agencies in December, after it was found six agencies had previously been the target of malware campaigns.

The Department of the Attorney General, Department of Mines and Petroleum, Department of Transport, Main Roads Western Australia, and the Office of the Government Chief Information Officer (OGCIO) were found to be under constant threat, which the Auditor General said highlighted the need for improved central governance arrangements to identify, warn of, and prevent attacks.

Under the careful watch of the OGCIO — established in July 2015 — Murphy said previously he wanted to see the WA public sector consider methods to foster “collaboration, information, and resource sharing” between agencies. He also suggested the public sector gather information to properly understand the threat posed by malware and other cyberthreats to the state government.

The Queensland Audit Office (QAO) also tabled a report this week, focused on the Security of critical water infrastructure in the state.

The report [PDF] found water control systems in Queensland were not as secure as they should have been, noting the age of many of the control systems, combined with more recent integration with corporate networks, had resulted in higher risks that had not always been recognised and tested by the entities themselves.

“Security controls did not sufficiently protect them from internal or external information technology-related attacks,” the report says, noting all entities probed were susceptible to security breaches or hacking attacks due to weaknesses in processes and controls.

Of concern to the QAO is the potential for attacks to disrupt water and wastewater treatment services, as well as related services that rely on the entities’ IT environments.

“There was a risk to public health and appreciable economic loss in terms of lost productivity, not only to water service providers but also to citizens and businesses,” the QAO wrote.

The audit found that while all entities audited had the capability to respond to information security incidents if detected, they weren’t well prepared to respond to cyber attacks as they had not planned or tested response and recovery from a malicious or cyber incident.

The QAO was alarmed that entities had reported they could operate smaller plants or parts of their larger water treatment plants manually in the event of disruption to computer systems, but had not demonstrated such capability.

As a result, the report recommends water service providers identify risks of information technology security breaches, implement controls to protect systems, and monitor and review the effectiveness of the controls.

“While entities we audited have taken steps in recent years to improve their information technology security, the results of this audit shows that management needs to do more in terms of oversight, leadership, and direction,” the report says.


Security services investigate cyberattack against UK Parliament after emails hacked

Parliamentary personnel using ‘weak passwords’ have had email accounts compromised, and it remains unclear whether MPs, Lords and their staff use two-factor authentication.

Security services are investigating whether hackers stole data from UK politicians after a cyberattack breached a number of online accounts belonging to Parliament personnel.

The attack, which took place on Friday, compromised up to 90 accounts and saw MPs, Lords and their staff cut off from remote access to emails and some other Office 365 services, in order to protect users.

As of Monday morning, the parliamentary system was not fully up and running, leaving MPs working outside of Westminster without the ability to respond to constituent queries.

“Parliament’s first priority has been to protect the parliamentary network and systems from the sustained and determined cyberattack to ensure that the business of the Houses can continue,” a spokesperson told ZDNet.

Under one percent of the 9,000 accounts on the parliamentary network have been compromised by attackers and those that have been hacked were “compromised as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service”.

“Investigations to determine whether any data has been lost are under way,” the spokesperson said, adding that affected users are being required to change their passwords and are being “proactively reminded” of best cybersecurity practice advice.

Parliament is working with the National Cyber Security Centre – the cybersecurity arm of GCHQ – and the National Crime Agency to investigate the attack.

“The NCSC is aware of an incident and is working around the clock with the UK Parliamentary digital security team to understand what has happened and advise on the necessary mitigating actions,” the NCSC said in a statement.

Parliament “like all responsible organisations, takes cybersecurity extremely seriously”, a spokesperson told ZDNet, adding: “We have made a series of technology changes to increase user account security and will continue to assess and improve our risk mitigation measures”.

Parliament didn’t respond to a query as to whether two-factor authentication was enforced as standard by the Parliamentary Digital Service. However, if those affected by the cyberattack had been using two-factor authentication, it could’ve prevented outsiders from hacking their accounts.

All eyes have turned to determining who carried out the cyberattack, although the NCSC told ZDNet that the investigation is still in its early stages and more evidence is needed before making a “sensible assessment” about the nature of the attack and the culprit.

The cyberattack against Parliament comes just over a month after large swathes of the National Health Service were hit by the WannaCry ransomware epidemic. However, WannaCry wasn’t a targeted attack against the NHS specifically, but rather its worm-like nature saw it spread to any system around the world it could compromise.


This sneaky malware will cause headaches even after it is deleted from your PC

The QakBot/Pinkslipbot banking trojan can still cause headaches even after it’s been removed from your system.

A form of banking Trojan malware has evolved a new attack technique and is using infected machines as control servers – even after its ability to steal data has been removed by security products.

Qakbot is a worm which can spread through the networks and is capable of stealing credentials, opening a backdoor on the infected computer and downloading additional malware – all while using a rootkit functionality to stealthily remain hidden.

The Trojan was first discovered in the late 2000s, but over a decade on its still regularly causing new problems and now it has found a new way of carrying out malicious activity, even if the malware is removed from an infected network.

Researchers at McAfee Labs discovered a new form of the banking Trojan – also known as Pinkslipbot – which uses infected machines as HTTPS-based proxies for the actual control servers.

Pinkslipbot harvests banking credentials using password stealers, keyloggers, man-in-browser attacks and more to steal information, mainly from US financial institutions. In total, the malware controls a botnet of over 500,000 machines and researchers say it steals half a million records every day.

Now researchers have discovered that a number of IP addresses associated with the malware consist solely of infected machines that serve as HTTPS-based proxies to the actual control servers in an effort to hide them. It does this by using universal plug and play (UPnP) to open ports, allowing incoming connections from anyone on the internet.

“As UPnP assumes local applications and devices are trustworthy, it offers no security protections and is prone to abuse by any infected machine on the network. We have observed multiple Pinkslipbot control server proxies hosted on separate computers on the same home network as well as what appears to be a public Wi-Fi hotspot,” the researchers said.

“As far as we know, Pinkslipbot is the first malware to use infected machines as HTTPS-based control servers and the second executable-based malware to use UPnP for port forwarding after the infamous Conficker worm in 2008,” said anti-malware researcher Sanchit Karve.

Researchers are still determining the exact procedure used to determine if an infected machine can become a proxy, but three factors are thought to play a role; an IP address located in North America, a high-speed internet connection and the capability to open ports on an internet gateway device using UPnP.

Once a suitable machine is selected, the malware author issues a control server command to the infected machine to download a Trojan binary which creates the proxy component. When launched, it creates port-forwarding rules allowing the infected machine to be used as a control server over HTTPs and can perform requests for new Pinkslipbot infections.

“The port-forwarding rules created by Pinkslipbot are too generic to remove automatically without risking accidental network misconfigurations. And as most malware do not interfere with port-forwarding, antimalware solutions may not revert such changes. Unfortunately, this means that your computer may still be vulnerable to outside attacks even if your antimalware product has successfully removed all Pinkslipbot binaries from your system,” warned the researchers.

Ultimately, it means that even if the victim has removed Pinkslipbot/Qakbot from their system, the machine may be serving as a proxy control server for the malware – and making it vulnerable to other forms of online attack due to the open ports.

McAfee has released a tool to look for Pinkslipbot control server proxy infections and remove malicious port mappings.

Nonetheless, researchers warn that the rise of the Internet of Things could lead to this type of attack becoming a much bigger threat in the near future.

“Many Internet of Things devices work over UPnP and are steadily being installed and used by more people every day. As they become more ubiquitous, cybercriminals will see opportunities to use UPnP maliciously. We recommend that users keep tabs on their local port-forwarding rules and disable UPnP on their home routers unless they need it,” said Karve.


Pirates dance around AACS 2 encryption to offer UHD Blu-Ray movies online

Available over the last few weeks, questions remain as to whether the encryption protocol has been cracked.

Pirates have ramped up the game with the release of never-before-seen UHD Blu-Ray video which, only a few weeks ago, was considered out-of-bounds due to strong encryption.

As reported by TorrentFreak, three Ultra HD Blu-Ray copies of popular movies have recently been released on pirate websites.

While it is common for camera-based (CAM), HD, and Blu-Ray films and television shows to be uploaded and shared online — to the exasperation of copyright holders — Ultra Blu-Ray has long been considered an area outside of a pirate’s grasp.

UHD Blu-Ray is protected by Advanced Access Content System (AACS) 2 encryption, developed and used by IBM, Intel, Microsoft, Panasonic, and Sony, among others, to protect content.

It has generally been considered as extremely difficult to crack, if not impossible at today’s computing standards, but now with the release of a third UHD Blu-Ray film to the pirate community, questions have arisen as to how this has been made possible.

The first movie to be released in this format was Smurfs 2, and this has now been followed by Patriots Day and Inferno, the latter of which have been released by the TERMiNAL uploader group.

While not recommended for download as it is most certainly illegal, leechers can expect to wait a while for each movie as file sizes are around the 50GB mark.

At the time of the first release, the theory of how the copy was made available surrounded the title’s AACS 2 encryption keys.

It was believed that perhaps the keys linked to that film alone had been stolen or compromised, but it would follow that no more UHD Blu-Ray titles could be cracked using the same code.

Now two more have followed suit, there may indeed be a crack available for the encryption protocol. With the latest generation of UHD Blu-Ray films also containing bus encryption, however, this would mean pirates would need to crack two keys for a single film, making this explanation rather unlikely.

Alternatively, the uploaders may have somehow acquired a source for the keys required to decrypt new movie titles.

Speaking to the publication, an unnamed source also suggested that a private exploit in Intel’s SGX system may be at the heart of the issue.

“If SGX has a loop, that will enable people to read PowerDVD’s memory,” the source said. “That will then allow them to copy the decrypted data from the UHD Blu-Ray drive 1:1.”


Linux server attack: Patch Samba or risk cryptocurrency mining malware

Criminals hit Linux servers to mine cryptocurrency at someone else’s expense.

Attackers are free-riding Linux servers with an unpatched Samba bug to mine for the monero cryptocurrency.

Now would be a good time install a patch released by open-source project Samba on May 25. Security firm Rapid7 found over 100,000 Linux machines open on the internet via ports 445 and 139 that were running versions of Samba vulnerable to remote code execution.

Samba provides file- and print-sharing services between Windows and Linux machines using the SMB protocol. That the Samba bug was wormable drew comparisons to the WannaCry ransomware outbreak, which relied on a flaw in the Windows implementation of SMB to rapidly spread on networks.

There hasn’t been an equivalent outbreak of ransomware using the Samba bug but attackers began to exploit it for profit almost immediately after the patch was released, according to researchers from Kaspersky Lab.

Instead of installing ransomware, the Samba attackers install a cryptocurrency miner to turn a profit from Linux machines in the form of the monero, an alternative to bitcoin that is less computationally demanding to mine.

In the wake of WannaCry, security researcher Kafeine discovered malware called Adylkuzz that used the same SMB exploit to infect Windows machines for the purpose of mining monero. And last week security firm Doctor Web uncovered what appeared to be an early experiment to recruit Raspberry Pi devices into a monero-mining botnet.

The Samba-led mining scheme appears to be having moderate success at generating money, although Kaspersky does not know how large the network of infected machines is.

Over a month, the attackers have gained 98 moneros (XMR), worth about $5,500. That’s far less Adylkuzz, which generated tens of thousands per month with over 150,000 infected Windows machines.

Nonetheless, according to Kaspersky, the monero-mining Linux botnet is growing. Initially it was generating about one XMR per day, but by early June it was generating about five XMR per day.

“This means that the botnet of devices working for the profit of the attackers is growing,” note Kaspersky Lab researchers.

The Samba attackers exploit the flaw to install a malicious Samba plugin that runs with super-user privileges. However, the attackers must guess the path where files can be stored on the drive to execute as a Samba server process.

Exploit modules for the bug were appearing on Rapid7’s open-source Metasploit framework soon after the patch. This location appears to be where criminals sourced the Samba exploit for the new cryptocurrency mining botnet.

“It’s worth noting that a similar payload can be found in the implementation of the SambaCry exploit in Metasploit,” Kaspersky researchers note.


Russian malware controls hiding in plain sight — on Britney Spears’ Instagram page

The hacking group was able to direct malware by leaving comments on a specific Instagram post.

A notorious hacking group is using a novel (albeit not new) approach to commanding and controlling malware it uses to launch attacks against governments and militaries — by leaving specially crafted comments on Britney Spears’ Instagram account.

Security researchers at Eset found that the hacking group, known as Turla, is leveraging recently discovered backdoor found in a fake Firefox extension by leaving social media comments for everyone to see. The comments, left on the Instagram account, may appear benign to most people, but are crafted in such a way that allows the malware to learn the location of the roving command server without rousing suspicion.

Once the comment is left, the backdoored extension knows where to look on the internet to look for instructions of what to do next — such as to deliver ransomware or steal passwords, for example.

This is the latest hacking endeavor of Turla, a decade-old advanced persistent threat group thought to be associated with Russian hackers, with a penchant for targeting foreign embassies. To date, the group has infected hundreds of networks systems in the past few years across dozens of countries, including China, Vietnam, the US — and even Russia.

But the group was faced with a challenge. In order to avoid detection, the command server can’t stay in one spot for too long, but the malware still needs to know where to find it. Rather than hard-coding the address of the command server into the malware, the extension will calculate the address of the command server using a formula.

The researchers explained:

“The extension uses a URL to reach its [server], but the URL path is nowhere to be found in the extension code. In fact, it will obtain this path by using comments posted on a specific Instagram post,” the researchers said.

“The one that was used in the analyzed sample was a comment about a photo posted to the Britney Spears official Instagram account,” they added. “The extension will look at each photo’s comment and will compute a custom hash value.”
In other words, the malware looks for a particular unsuspecting comment on an Instagram post, which when converted to a cryptographic hash, can be converted into the web address where the command server is located.

“The fact that the Turla actors are using social media as a way to obtain its [command servers] is quite interesting,” the researchers said. “This behavior has already been observed in the past by other threat crews such as the Dukes.”

The researchers added that it makes it difficult to spot, firstly because the traffic looks like anybody else’s, and secondly because of the flexibility of changing the address to the command server, and erasing any trace of it.

At the time of initial publication, the link had just 17 clicks, which the researchers say “might indicate that it was only a test run.”

“While we believe this to be some type of test, the next version of the extension — if there is one — is likely to be very different. There are several APIs that are used by the extension that will disappear in future versions of Firefox,” the researchers said.


Singapore to collaborate with Australia on cybersecurity

Both countries have signed a two-year agreement to cooperate closely on cybersecurity, which will include information exchange, training, and joint exercises focused on critical information infrastructure.

Singapore and Australia have inked an agreement to cooperate closely on cybersecurity, including information sharing, training, and joint exercises to safeguard critical information infrastructure.

The two countries signed a Memorandum of Understanding (MOU) on Friday during the second Singapore-Australia Leaders’ Summit in the city-state, which was witnessed by prime ministers of both nations–Singapore’s Lee Hsien Loong and Australia’s Malcolm Turnbull.

The two-year agreement encompassed collaboration across several key areas, including information exchange on cybersecurity incidents and threats, sharing of best practices to drive cybersecurity innovation, and training in relevant skillsets. Both countries also would participate in joint cybersecurity exercises focused on safeguarding critical information infrastructure and partner on regional cyber capacity buildouts.

The initiative would be led by Singapore’s Cyber Security Agency (CSA), which was responsible for the country’s cybersecurity operations, and marked the sixth of such bilateral agreements including India, France, the Netherlands, UK, and US.

Singapore and Australia also would work to promote “voluntary norms of responsible state behaviour in cyberspace”. To kickstart this, both nations would host an Asean workshop aimed at reducing cyber risks in end-2017.

CSA Chief Executive David Koh said: “Singapore and Australia share close bilateral relations and both countries have a shared vision that cybersecurity is an enabler that supports innovation, economic growth, and social development.

“This MOU shows our commitment to work together to build a secure and resilient cyberspace that will contribute to the progress of both countries,” Koh said.

Turnbull also was in Singapore for the annual Shangri-La Dialogue, which gathered defence ministers from across Asia-Pacific to discuss global and regional security issues.

Singapore last October launched the Asean Cyber Capacity Programme in a bid to galavanise the regions efforts in cybersecurity and fund resources, expertise, and training to help nations build up the necessary infrastructure. These would include workshops, seminars, and conferences as well as consultancy efforts in forming national cybersecurity strategies and related legislations.

The Singapore government in March 2017 also announced plans to set up a cybersecurity command centre to combat growing threats and boost skillsets in cyberdefence. Operating under the purview of the defence ministry and Singapore Armed Forces, the new Defence Cyber Organisation would be manned by some 2,600 soldiers operating within divisions overseeing cybersecurity operations, policy and planning, vulnerability assessment, and cyberdefence.

The move came after the defence ministry suffered a security breach that compromised the personal data of 850 national servicemen and employees. The breach involved the ministry’s I-net system, which supported web-connected computer terminals its employees and national servicemen used for personal online communications or internet browsing.

In addition, two Singapore universities last month suffered APT (advanced persistent threat) attacks, during which hackers specifically targeted government and research data.


China’s new cybersecurity law rattles tech giants

But look no further than Russia for some idea of how US companies will be affected.

China’s new cybersecurity law has a lot of people scratching their heads, trying to figure out how it affects their businesses — if at all.

The gist of the law seems simple enough. The law will ban the collection and sale of user’s personal information. Companies operating in China will also have to store their customer’s data on servers in the country (which has been delayed until the end of 2018 to figure out some kinks), and customers will have the right to have their data erased. At the same time, individuals will have to register with their real names on messaging apps and social networks.

According to the state-run Xinhua news agency, the new law — approved by the country’s “rubber-stamp” parliament — was introduced in response to the growing threat of cyber-terrorism and hacking, which would replace a large patchwork of different, loosely collected laws.

“Those who violate the provisions and infringe on personal information will face hefty fines,” said the news agency, via Reuters.

But there’s the problem. Nobody seems to know exactly how the law works.

The law is set to go into effect Thursday, but “there’s unfortunately a lot of confusion” about how it work or be enforced, according to Michael Chang, a Nokia executive and vice-president of the European Union Chamber of Commerce in China, speaking to The New York Times.

“We still have a lot of unclarified territory that needs to be addressed as soon as possible,” he said, suggesting Beijing had conveyed “less than half” of the law’s specifics.

Many US and European businesses are already reportedly concerned, according to a letter sent to the Chinese regulator in charge of the law’s enforcement, calling it “fraught with weaknesses.”

That’s because many of the same companies, predominantly data-hungry firms — like software and service providers — are concerned it will prevent Western giants from entering the lucrative Chinese market.

The Chinese regulator denied that was the case, saying the new provisions do “not restrict foreign companies or their technology and products entering the Chinese market,” despite the country’s reduced reliance on Western technologies in the wake of the Edward Snowden disclosures into US mass surveillance. Just as the US has been concerned about Chinese espionage, Beijing has pushed away many US tech giants for fear of US snooping.

But there is some hope. China isn’t the first country to want to rein in its citizens’ data — either for their safety or government surveillance, take your pick.

Russia, last year, introduced a similar law under a similar guise of “preventing terrorism” (read, “increasing surveillance” in a region where speech and expression are already heavily restricted).

Companies operating in the country were told to store Russian citizen data on servers within its borders. Those breaking the rules or refusing to comply would be added to a blacklist.

One such company was LinkedIn, according to several reports, which at the time had six million users in Russia. But many other companies largely acquiesced. Hardware and device makers, like Apple and Lenovo, were among the first to comply — not least because it was easier. And other data-hungry companies, like eBay, Facebook, and Google, took longer to transfer data into the region in order to keep operating — though their current status isn’t known. Some firms, like Spotify, have scrapped plans to enter the country altogether, citing conflict with the rules.

Suffice to say, it’s been a mixed bag of reaction, but on the most part accepted the country’s rules.

While the two sets of cybersecurity laws share similarities, China is a bigger market that most Western companies can’t avoid — even if they have yet to break into the region.

With Russia’s case, even though the rules seemed arbitrary, archaic, and generated legal disquietness, they were at least easy to follow.

Beijing has since tried to defuse complaints and concerns by Western firms over possible disruptions.

But with looming threats of fines and a void where there should be clarity, it’s looking like many multinationals could be in for a bumpy few quarters.


System Requirements

Both OsMonitor Server and Client can work on Windows XP, Windows Server 2003/08/12/2016, Windows 7, Windows 8/8.1, Windows 10. Include 32 bit and 64 bit.

Customer Review

We are now using your monitoring software, OsMonitor. It is a great software, we are able to block non-business website, monitor activities of our users, website visited and even snap shots. Majority of our need is provided by your software.