
https://secludit.com/en/blog/six-network-tools-it/
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
WannaCry, EternalRocks

Ransomware is a type of malicious software that blocks access to the victim's data or threatens to publish or delete
it until a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a
knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it
encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.[2][3][4][5] In
a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable
problem, and difficult-to-trace digital currencies such as Ukash and Bitcoin are used for the ransoms, making tracing
and prosecuting the perpetrators difficult.

Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is
tricked into downloading or opening when it arrives as an email attachment. However, one high profile example, the
"WannaCry worm", traveled automatically between computers without user interaction.

Starting from around 2012, the use of ransomware scams has grown internationally. In June 2013, security software
vendor McAfee released data showing that it had collected more than double the number of samples of ransomware
that quarter than it had in the same quarter of the previous year. CryptoLocker was particularly successful, procuring
an estimated US $3 million before it was taken down by authorities, and CryptoWall was estimated by the US
Federal Bureau of Investigation (FBI) to have accrued over $18m by June 2015.

With the recent influx of ransomware stories seemingly every week, it may be hard to keep track of the different
strains. However, they are typically broken up into major variants. While each of these is spread in a different way,
they generally rely on similar tactics to take advantage of users and hold your data hostage. Let’s take a look at the
common strains:

Cerber: Cerber targets cloud-based Office 365 users and is assumed to have impacted millions of users using an
elaborate phishing campaign. This type of malware emphasizes the growing need for SaaS backup in addition to on-
premises.

Crysis: This form of ransomware can encrypt files on fixed, removable, and network drives and it uses strong
encryption algorithms and a scheme that makes it difficult to crack within a reasonable amount of time.

CryptoLocker: Ransomware has been around in some form or another for the past two decades, but it really came to
prominence in 2013 with CryptoLocker. The original CryptoLocker botnet was shut down in May 2014, but not
before the hackers behind it extorted nearly $3 million from victims. Since then, the CryptoLocker approach has
been widely copied, although the variants in operation today are not directly linked to the original. The word
CryptoLocker, much like Xerox and Kleenex in their respective worlds, has become almost synonymous with
ransomware.

CryptoWall: CryptoWall gained notoriety after the downfall of the original CryptoLocker. It first appeared in early
2014, and variants have appeared with a variety of names, including Cryptobit, CryptoDefense, CryptoWall 2.0 and
CryptoWall 3.0, among others. Like CryptoLocker, CryptoWall is distributed via spam or exploit kits.

CTB-Locker: The criminals behind CTB-Locker take a different approach to virus distribution. Taking a page from the
playbooks of Girl Scout Cookies and Mary Kay Cosmetics, these hackers outsource the infection process to partners
in exchange for a cut of the profits. This is a proven strategy for achieving large volumes of malware infections at a
faster rate.

Jigsaw: Jigsaw encrypts then progressively deletes files until ransom is paid. The ransomware deletes a single file
after the first hour, then deletes more and more per hour until the 72 hour mark, when all remaining files are
deleted.

KeRanger: According to ArsTechnica, KeRanger ransomware was recently discovered on a popular BitTorrent
client. KeRanger is not widely distributed at this point, but it is worth noting because it is known as the first fully
functioning ransomware designed to lock Mac OS X applications.

LeChiffre: "Le Chiffre", which comes from the French noun "chiffrement" meaning "encryption", is the main villain
from James Bond's Casino Royale novel who kidnaps Bond's love interest to lure him into a trap and steal his money.
GREAT name.
Unlike other variants, LeChiffre needs to be run manually on the compromised system. Cyber criminals automatically
scan networks in search of poorly secured remote desktops, logging into them remotely and manually running an
instance of the virus.

Locky: Locky's approach is similar to many other types of ransomware. The malware is spread using spam, typically
in the form of an email message disguised as an invoice. When opened, the invoice is scrambled, and the victim is
instructed to enable macros to read the document. When macros are enabled, Locky begins encrypting a large array
of file types using AES encryption. Bitcoin ransom is demanded when encryption is complete.

TeslaCrypt: TeslaCrypt is another new type of ransomware on the scene. Like most of the other examples here, it
uses an AES algorithm to encrypt files. It is typically distributed via the Angler exploit kit specifically attacking Adobe
vulnerabilities. Once a vulnerability is exploited, TeslaCrypt installs itself in the Microsoft temp folder.

TorrentLocker: TorrentLocker is typically distributed through spam email campaigns and is geographically targeted,
with email messages delivered to specific regions. TorrentLocker is often referred to as CryptoLocker, and it uses an
AES algorithm to encrypt file types. In addition to encoding files, it also collects email addresses from the victim’s
address book to spread malware beyond the initially infected computer/network—this is unique to TorrentLocker.

WannaCry: WannaCry is a widespread ransomware campaign that is affecting organizations across the globe. Over
125,000 organizations in over 150 countries have been impacted. The ransomware strain is also known as WCry or
WanaCrypt0r and currently affects Windows machines through a Microsoft exploit known as EternalBlue.

ZCryptor: ZCryptor is a self-propagating malware strain that exhibits worm-like behavior, encrypting files and also
infecting external drives and flash drives so it can be distributed to other computers.

While you don't exactly want to scare users when it comes to ransomware, it's important to be informed and
understand how important it is to protect from ransomware.

10. CryptoWall

CryptoWall didn’t partake in any groundbreaking campaigns in 2016. But it did one thing that was significant: it
survived. Researchers first detected CryptoWall back on 19 June 2014. The fact that it’s still going more than two and
a half years later is a testament to CryptoWall’s sophisticated design and the persistence of ransomware as a threat.

9. SamSam

Researchers at Cisco Talos identified SamSam as one of the first instances of a cryptoworm. Unlike traditional
ransomware, which spread primarily via phishing scams and exploit kit attacks, cryptoworms are believed to be the
next generation of crypto-malware in that they mimic a computer worm’s userless distribution methods. SamSam
exhibited this level of self-propagation in a March 2016 campaign when its developers partnered it with JexBoss, a
tool for scanning and exploiting vulnerable JBoss application servers. That pairing allowed SamSam to scan for a
weak server, establish an initial network foothold, and move laterally to other vulnerable machines while encrypting
data along the way.

8. Jigsaw

In April 2016, security researchers released a decryption key for a ransomware called Jigsaw. Their utility couldn’t
have come sooner. Jigsaw is a particularly sadistic form of ransomware that gives victims only 24 hours to pay the
ransom fee of 150 USD. If they fail to meet that deadline, Jigsaw begins deleting files every hour and increases the
number of files for deletion every time. Any funny business, including shutting down the computer, causes Jigsaw to
delete 1,000 of the victim’s files. The ransomware carries out this scheme for 72 hours, at which point it deletes
every remaining file that comes with one of its 240 targeted file extensions.

7. Chimera

Chimera first made headlines in November 2015. It distinguished itself from other ransomware by two main
characteristics: its use of the peer-to-peer messaging service BitMessage to generate a code key for its encryption
process and an invitation for victims to join its affiliate program.

Things went sour for Chimera after a few months of infecting unsuspecting users. In late July 2016, the developers of
Petya/Mischa tweeted out a link to a data dump of 3500 decryption keys for Chimera. That incident, which
represents one of the first documented rivalries between two ransomware groups, helped many (but not all) victims
of Chimera decrypt their files for free.

6. Petya and Mischa

On 25 July 2016, the ransomware-as-a-service (RaaS) platform for Petya and Mischa officially launched. Each
successful infection begins with a dropper activating on an infected computer. That dropper either installs Petya or
Mischa. If it obtains administrative privileges, it loads up Petya, as that ransomware family needs admin rights to
replace the Master Boot Record and encrypt the Master File Table. If the RaaS package fails to achieve those rights, it
instead loads up Mischa, a more traditional ransomware that encrypts users’ data at the file level.

Either way, affiliates get to keep a share of the ransomware’s profits. Their percentage depends on how much
money they collect from victims.

5. Cerber

Researchers first detected Cerber in early spring 2016. Though new to the malware scene, early versions of the
ransomware quickly proved they weren’t messing around. Each variant targeted network shares, the decryptor for
many of those samples came with compatibility for 12 different languages, and some samples even “spoke” the
ransom note using VBScript.

It’s therefore no wonder Cerber’s author ultimately created an affiliate system for their creation that spanned across
the globe. This ransomware-as-a-service (RaaS) platform helped contribute to Cerber’s total activity, so much so that
its current yield is enough to net the ransomware author nearly one million dollars on an annual basis independent
of their own attack campaigns.

4. CryLocker

Most ransomware samples come with a standard ransom note that they display to all their victims. Not CryLocker.
This malware locks a victim out of their computer and demands they pay 45 USD in 24 hours. To heap on the
pressure, CryLocker customizes its ransom note with the user’s name, birthday, location, IP address, system details,
Skype account details, Facebook account details, LinkedIn account details, and other data it harvests from the
infected computer. The ransomware then threatens to publish all that information online unless the victim pays up.

3. HDDCryptor

HDDCryptor is a nasty family of ransomware. It’s capable of enumerating existing mounted drives and encrypting all
files as well as finding and accessing previously connected drives and disconnected network paths. In addition, the
crypto-malware uses disk-level encryption to encrypt and overwrite an infected computer’s Master Boot Record
(MBR) with a new bootloader, which causes a ransom message to display instead of the login screen upon boot up.

Researchers first detected HDDCryptor in September 2016. Two months later, the ransomware made headlines
when it infected 2,000 systems at the San Francisco Municipal Transport Agency (SFMTA), or “Muni,” and demanded
100 Bitcoins (approximately 70,000 USD) in ransom. Fortunately, the attack did not affect SFMTA’s rail and bus
service, and the public agency said it would use its working backups to restore access to its systems.

2. TeslaCrypt

After months of tracking TeslaCrypt across spam campaigns and exploit kit attacks, security researchers at the
Slovakian IT security firm ESET learned its developers intended to abandon the ransomware. The researchers
contacted the developers and requested the master decryption key. In response, TeslaCrypt’s authors published the
key, which ESET used to make a free decryption utility. Victims of the ransomware can now use this tool to regain
access to their files.

1. Locky

Researchers detected the first sample of Locky in February 2016. Shortly thereafter, it made a name for itself when it
infected the computer systems at Hollywood Presbyterian Medical Center in southern California. Officials chose to
temporarily shut down the hospital’s IT system while they worked to remove the ransomware, a decision which
caused several departments to close and patients to be diverted elsewhere. But without working data backups, the
executives at Hollywood Presbyterian ultimately decided to pay the ransom of 40 Bitcoin (70,000 USD).

In the months that followed, Locky went through at least seven different iterations: “.zepto,” “.odin,” “.shit,” “.thor,”
“.aesir,” “.zzzzz,” and “.osiris.” It also leveraged unique distribution channels like SVG images in Facebook Messenger
and fake Flash Player update websites.

Network security assessment consists of four fundamental phases: reconnaissance, enumeration, assessment, and
exploitation. The reconnaissance phase involves discovery of the network devices through alive scanning via Internet
Control Message Protocol (ICMP) or TCP. During the enumeration and assessment phases, the security assessor
determines whether a service or application is running on a particular host and assesses it for potential
vulnerabilities. In the exploitation phase, the assessor leverages one or more vulnerabilities to gain some level of
privileged access to the host and uses this access to further exploit the host or to escalate privilege on that host or
throughout the network or domain.

1. Nmap
The tried-and-true Network Mapper (Nmap) tool was written several years ago and is continually enhanced by
Fyodor. I'd call Nmap the network security expert's Swiss army knife because it's such a useful tool. You can use
Nmap in the reconnaissance phase to perform "alive scans" in a number of ways to determine which hosts on a
given network are online. Nmap is also useful for router ACL or firewall rule discovery via ACK (acknowledgement)
flag probe scanning and other techniques.
You can use Nmap in the enumeration and assessment phases for scanning ports, listing services and their version
numbers, and fingerprinting OSs. Nmap is a great tool for digging deeper into automated scanning tool results or
verifying them. Nmap was originally developed for the UNIX environment but has also become available for the
Windows platform in recent years (although UNIX purists would scoff at the thought of using Nmap on anything but
*IX).
Nmap is open source and available free from a variety of sites, the primary one being
http://www.insecure.org/nmap.

2. N-Stealth
One of the most challenging aspects of vulnerability assessment is the assessment part. After you've figured out
which hosts are alive and which services they're running (this is the easy part), how do you determine whether a
specific service is vulnerable? For Web services, one tool that works well is the N-Stealth Security Scanner by N-
Stalker. N-Stalker sells a more comprehensive version of N-Stealth, but the free trial version works well for most
basic assessment needs. The fee version includes a whopping 30,000+ Web server security checks, but the free
version provides more than 16,000 specific vulnerability checks, including checks for the SANS Top 20 vulnerabilities
for popular Web servers such as Microsoft IIS and Apache. For example, N-Stealth checks for vulnerable Common
Gateway Interface (CGI) and Hypertext Preprocessor (PHP) scripts, SQL injection attacks, common cross-site
scripting, and other vulnerabilities in popular Web servers.
N-Stealth supports both HTTP and HTTP Secure (HTTPS—using SSL), provides vulnerability correlation to the
Common Vulnerabilities and Exposures (CVE) dictionary and Bugtraq vulnerability database, and provides some
decent reporting options. I use N-Stealth to uncover the most common vulnerabilities on Web servers and then
determine the most likely exploits. You can get more information about N-Stealth at
http://www.nstalker.com/eng/products/nstealth. Of course, if you're thinking serious Web site and application
security assessment, I recommend the fee version or a product such as WebInspect from SPI Dynamics.

3. SNMPWalk
SNMP is a well-known, widely used, and completely insecure protocol that runs over UDP port 161. Cisco Systems
router, Windows server—chances are it supports SNMP and is, at best, minimally secured by requiring a commonly
known clear-text community string for read and read/write access. When you want to assess SNMP security (what
there is of it) on a network, it's great to have a tool such as SNMPWalk that lets you query network devices running
SNMP for important information. It uses a simple SNMP query to find out whether your SNMP devices are giving
away the keys to the kingdom. For example, a well-known default SNMP community string for Cisco routers is
"ILMI". Using this string with SNMPWalk targeting Cisco routers can reveal a gold mine of information that allows
complete control over a network's router infrastructure if a certain key piece of information is stored in the Cisco
Management Information Base (MIB).
SNMPWalk is an open-source tool that was part of the Net-SNMP project at Carnegie Mellon University in the early
1990s when SNMP was first deployed. SNMPWalk uses an SNMP get-next request to retrieve SNMP MIB subtree
management values (denoted in Abstract Syntax Notation—ASN). As I mentioned, authentication for read access to
a device requires nothing more than a string value that's well-known or can be fairly easily sniffed from the network.
SNMPWalk is available for both UNIX and Windows platforms at http://net-snmp.sourceforge.net.
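
An added example (not from the original article): a small auditor that reads configuration text and flags the SNMP weaknesses described above, namely well-known community strings such as "ILMI", read/write communities, and communities with no source restriction. It assumes Net-SNMP `rocommunity`/`rwcommunity` lines and Cisco IOS `snmp-server community` lines; the sample configuration, the issue tags and the function names are constructed for illustration.

```python
import re
from typing import NamedTuple

# Community strings treated as well known. "ILMI" is the Cisco default named
# in the text; "public" and "private" are the conventional vendor defaults.
WELL_KNOWN = {"ilmi", "public", "private"}

# Net-SNMP snmpd.conf: rocommunity|rwcommunity COMMUNITY [SOURCE ...]
NET_SNMP = re.compile(r"^(ro|rw)community6?\s+(\S+)(?:\s+(\S+))?", re.I)
# Cisco IOS: snmp-server community STRING [view NAME] [RO|RW] [ACL]
IOS = re.compile(r"^snmp-server\s+community\s+(\S+)(.*)$", re.I)


class Finding(NamedTuple):
    line_no: int
    community: str
    access: str      # "ro" or "rw"
    issues: tuple    # sorted issue tags; empty means only the baseline
                     # exposure (cleartext community on the wire) applies


def _parse(line):
    """Return (community, access, restricted) or None for unrelated lines."""
    m = NET_SNMP.match(line)
    if m:
        source = (m.group(3) or "default").lower()
        return m.group(2), m.group(1).lower(), source != "default"
    m = IOS.match(line)
    if m:
        access, restricted = "ro", False    # IOS defaults to read-only
        tokens = m.group(2).split()
        i = 0
        while i < len(tokens):
            tok = tokens[i].lower()
            if tok == "view":
                i += 2                      # skip the keyword and view name
                continue
            if tok in ("ro", "rw"):
                access = tok
            else:
                restricted = True           # remaining token is an access list
            i += 1
        return m.group(1), access, restricted
    return None


def audit_snmp_config(text):
    """Return one Finding per SNMPv1/v2c community definition in `text`."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":     # snmpd.conf and IOS comments
            continue
        parsed = _parse(line)
        if parsed is None:
            continue
        community, access, restricted = parsed
        issues = []
        if community.lower() in WELL_KNOWN:
            issues.append("well-known-string")
        if access == "rw":
            issues.append("write-access")
        if not restricted:
            issues.append("no-source-restriction")
        findings.append(Finding(line_no, community, access, tuple(sorted(issues))))
    return findings


# Constructed sample input: two fragments concatenated for the demonstration.
SAMPLE = """\
# constructed net-snmp snmpd.conf fragment
rocommunity public
rwcommunity private 10.0.0.0/24
rocommunity N0c-m0nitor-7f3a 192.0.2.10
! constructed Cisco IOS fragment
snmp-server community ILMI view *ilmi RW
snmp-server community N0c-m0nitor-7f3a RO 10
snmp-server location rack 4
"""

if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE):
        status = ", ".join(f.issues) or "no extra issues"
        print(f"line {f.line_no}: {f.community!r} ({f.access}): {status}")
```

Even the entries reported with no extra issues still send the community string in clear text, so they remain readable by anyone who can capture the traffic.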

4. Fpipe
One of the more complex network security tests that you might want to perform is to emulate the hacker threat by
finding ways to bypass one or more defense-in-depth measures. One example of a bypass technique in the
assessment or exploitation phase is port forwarding or redirection, and Fpipe from Foundstone (a division of
McAfee) is a great free tool for this. To get around router ACLs, firewall rules, or other security mechanisms, it's
sometimes possible to access a particular service running on a port by redirecting, or tunneling, traffic to your
desired TCP port through another TCP port.
As a simplistic example, suppose you have a router between subnets that allows only HTTP traffic to TCP port 80
through. However, you want to connect to a host running Telnet (TCP port 23) on the other subnet and you've
already compromised another host on the same subnet as the host running Telnet. A port forwarder such as Fpipe
lets you create a TCP or UDP "stream" that encapsulates traffic for TCP port 23 in packets that are identified as TCP
port 80 packets. These packets then traverse the router that allows TCP port 80 traffic and are received by the
compromised host running Fpipe or another port forwarder. This port forwarder strips off the disguise and forwards
the TCP port 23 traffic to its intended host.
You could also use Secure Shell (SSH) or Netcat (see description below) to do port forwarding or redirection, but I
like Fpipe because it's well-documented, easy to use, and free. You can download the latest version of Fpipe at
http://www.foundstone.com.

5. SQLRECON
SQL server vulnerabilities in products such as Microsoft SQL Server, Oracle Database, and Oracle Application Server
have become quite numerous over the last few years, the most notable being the SQL Slammer worm in 2003
(described at http://www.cert.org/advisories/CA-2003-04.html). When you want to assess SQL Server hosts for
potential vulnerabilities, there hasn't been a comprehensive tool for enumerating SQL Server instances and their
version numbers and doing so accurately. All too often, tools incorrectly identify the SQL Server version because they
grab information from ports (e.g., TCP port 1433, UDP port 1434), which often incorrectly show the SQL Server
version.
Recently arrived on the scene is SQLRECON, which you can download from Special Ops Security at
http://specialopssecurity.com/labs/sqlrecon. SQLRECON scans a network or host to identify all the SQL Server and
Microsoft SQL Server Desktop Engine (MSDE) installations. The great thing about the tool is that it combines several
known methods of SQL Server/MSDE enumeration and discovery into one utility. Once you have good information
about the SQL Servers (and their versions) on your network, you can begin to determine potential vulnerabilities.
SQLRECON isn't a vulnerability scanner but rather a discovery tool that makes the network security assessor's job a
whole lot easier. Now we need a tool for Oracle.

6. Enum
For a Windows guy who also dabbles in Linux, it really comes in handy to have a comprehensive (and free) tool that
enumerates all kinds of information about a Windows system. The Enum tool is exactly that tool. The command-line
console-based utility reports a lot of great Win32 information about a host through NetBIOS running on TCP port
139. Using null or authenticated sessions, Enum can retrieve user lists, machine lists, share lists, group and member
lists, and password and Local Security Authority (LSA) policy information. Enum is also capable of a rudimentary
brute-force dictionary attack on individual local accounts. Figure 1 shows the many details about a given Windows
host that are available remotely via Enum. You can download Enum (along with some other great tools, such as
Pwdump2 and LSAdump2) from BindView at http://www.bindview.com/services/razor/utilities.

7. PsTools
Most of you are familiar with the many great tools and resources provided by Sysinternals. From a security
assessment perspective, the PsTools suite is perhaps the most useful. Named after the UNIX ps (process listing)
command-line tool, PsTools is a collection of tools that fill the gaps left by the standard Windows OS command-line
tools and the Windows resource kit tools. PsTools are particularly useful for both remote and local system
assessment and exploitation.
After you've exploited a host vulnerability, PsTools are a huge help in remotely manipulating a system and allowing
you further exploitation such as privilege escalation. For example, if you've exploited a host and gained local
administrator access but you want to escalate your privilege to the domain administrator who's currently logged on,
PsTools can help you through such features as remote shutdown and process kill.
PsExec is perhaps my favorite of the PsTools. It allows someone with local administrator access (via an authenticated
network connection) to remotely execute programs on a system. My favorite operation is to use PsExec to run
cmd.exe on a remote system, giving me a remote command-line prompt to the system with administrator privileges
(PsExec doesn't obtain these privileges for you—you have to get them some other way). For more information about
PsExec, see Windows Power Tools, "PsExec," July 2004, InstantDoc ID 42919.
Other favorites include PsList, which lets you list all processes running on a remote system and PsKill, which lets you
kill individual processes running on a remote system. For more information about these tools, see Windows Power
Tools, "PsList and PsKill," September 2004, InstantDoc ID 43569. Besides security assessment, the PsTools suite is
quite useful simply for performing many administrator functions remotely from the command line (which is probably
more the authors' intention). You can get PsTools (along with many other awesome resources) at the Sysinternals
Web site at http://www.sysinternals.com/utilities.html.

8. Netcat
Although many know about Netcat because of its use as a back door that allows attackers access to a system (an
exploitation feature), Netcat isn't as well known for its capabilities as a tool to perform enumeration and
assessment, as well as other important operations that are part of traditional network security assessment.
Developed more than 10 years ago for UNIX and ported to Windows in 1998, Netcat is an extension of the UNIX
cat command, which lets you "stream" file contents to and from the screen and view, modify, or combine them.
Netcat allows data from the system's standard I/O to be read and written across network connections by using
TCP/IP. This means that you can directly manipulate the TCP/IP stack and read/write data over TCP or UDP ports.
In addition to using Netcat as a back-door tool, you can use it for grabbing banners (such as Telnet, SMTP, and FTP
banners), "piping" files and data, port scanning, remote service and port enumeration, and many other creative
functions. Every time I turn around, someone is showing me new ways that I hadn't thought of to use Netcat. I use it
most frequently for port fuzzing (connecting to a TCP port and poking around to see what I can learn) and shell-
shoveling (piping a command prompt from a target host back to me—a poor man's reverse shell).
Download the Windows version of Netcat at http://www.vulnwatch.org/netcat, and read
http://www.vulnwatch.org/netcat/readme.html to learn more than you ever wanted to know about the tool. Learn
still more at "Netcat," Security Administrator, September 2003, InstantDoc ID 39680.

9. John the Ripper
Most people have heard of the L0phtCrack password-cracking and -audit tool originally developed by The Cult of the
Dead Cow (don't ask) and now owned and maintained by @stake (recently acquired by Symantec). I prefer John the
Ripper, a simple, high-performance password cracker available for many platforms (including Windows) that grew
out of the well-known UNIX Crack tool. John can detect system characteristics and capabilities that allow it to
optimize performance. In my experience, John runs circles around other crackers such as L0phtCrack in terms of tries
per second (LC5—the current version of L0phtCrack—is supposedly greatly improved over previous versions, but you
have to pay for it).
Also, John doesn't crack just Windows (LAN Manager and NT LAN Manager—NTLM) password hashes but out of the
box cracks any password hashes that use DES (standard, single, extended), MD5, Blowfish, or Andrew File System
(AFS) ciphertext or hash formats. John used in conjunction with a dictionary file (numerous such files are available
containing most any language known in the galaxy—even Wookie and Klingon) is a can't-live-without-it tool for
password cracking and audit (which every company should be doing regardless of how strong its password policy is).
You can get John the Ripper at http://www.openwall.com/john or
http://www.securiteam.com/tools/3X5QLPPNFE.html.

10. The Metasploit Framework
Wouldn't it be nice to have an easy-to-use exploit platform that contained the most recent exploits, featured an
auto-update capability, and was extensible via a well-known language such as Perl? Yes, but ... . It's scary (and
somewhat irresponsible) that someone would provide such a capability to the masses for free—it just calls out to
script kiddies everywhere (roughly similar to offering a nuclear suitcase on eBay). However, I'll concede that having a
tool such as the Metasploit Framework is beneficial for network security assessors emulating threats (if Pandora's
box has been opened, the good guys should have the same tools as the bad guys).
The Metasploit Framework was introduced about 2 years ago as a research project by the well-known security
researchers H.D. Moore and spoonm. The project's goals were half noble: to further security research and provide a
resource for exploit developers. I use the Metasploit Framework (with care and with prior testing in a lab
environment) as an exploitation tool for security assessments.
Metasploit is a Perl script–based engine that allows you to select from a myriad of exploits for a variety of platforms
and applications (more than 75 exploits and 75 payloads and growing at the time of this writing). In addition to
giving you a selection of exploits for known vulnerabilities, Metasploit lets you select the specific payloads that you'd
like to send with the exploits. For example, if you want to exploit a system that has the SQL Slammer vulnerability, as
mentioned in the SQLRECON section above, you can choose how you want to manipulate the vulnerable system: by
creating a Win32 Bind shell connection, by sending back a Win32 Reverse shell, by simply running a remote
command, by injecting a rogue Virtual Network Computing (VNC) server DLL into an exploited running process, or by
some other means. Since the Metasploit Framework is also extensible via Perl modules, you can write your own
exploits, plug them into the framework and use an existing applicable payload. Figure 2 shows the easy-to-use
Metasploit Web interface listing the available exploits.
I recommend that you approach the Metasploit Framework with caution and use it only to demonstrate specific
vulnerabilities during your network security assessment. You can download the Metasploit Framework at
http://www.metasploit.com. Nessus (http://www.nessus.org) is another popular vulnerability scanner and exploit
platform that has been around for years and is worth a look.
I've attempted to do the somewhat impossible—provide a list of the most popular free tools available to aid in
network security assessment. It's difficult at best to choose just 10 tools—there are many tools for the job. If what
I've recommended doesn't work for you, there are bound to be other, comparable free tools you can try. Or you can
look into commercial tools, which are often more fully developed or have better support models than free tools do. I
hope you've come away with some new knowledge about tools that you can leverage. Even if you learned about
only one new great tool, this article was probably worth the read!
