Personal Cybersecurity #35: Daily news

What you need to know for your personal cyber security life… 

Number thirty-five in a series of semi-regular daily current and topical computer threats that may affect your online, or even offline, digital and real life. Why cyber-security on SurvivalRing? Because EVERYTHING you do in your life every day is a part of the cyber world…even your offline plans. So, be aware, and pay attention. The bad guys WILL eventually get around to YOU…personally…so be prepared for it, by staying in the informational loop.

And, just so you know, I’ve got 31 years of IT experience, and my day job is for the State of Wyoming as an Information Specialist. I believe an informed prepper is a BETTER prepper. Information is the life blood of being prepared. Learn more with every article in this continuing series. Please ask questions if you want to learn more…I’m here to help.

# # #

HEADLINES…for this issue…19 articles

  • Computer server at UNCW hacked, university officials say
  • Vendor sacked for HIPAA breach blunder
  • Most Enterprises Lack Basic Assets to Fight Off Data Theft
  • Emergency patch for critical IE 0-day throws lifeline to XP laggards, too
  • Study: Users don’t much care about Heartbleed hacking dangers
  • Where’s the Next Heartbleed Bug Lurking?
  • Cyber spying bug, attack plans found in Lithuania — report
  • Top IT Security Certifications 2014
  • Obama Policy on Zero Days Craps Out
  • ‘War-like’ cybercrime threatens European growth
  • Cyber Security: Why Nigeria Needs Computer Emergency Response Team
  • Exclusive: Meet the Secret Fed Cybersecurity Unit Keeping Trillions of Dollars Safe From Hackers
  • Even Homeland Security Says Not to Use Internet Explorer
  • Microsoft Warns Of Zero-Day Vulnerability In Internet Explorer
  • Europe Begins Its Largest-Ever Cyberwar Stress Test
  • Lawmakers Want Pentagon to Clarify Cloud Security Standards
  • It’s Insanely Easy to Hack Hospital Equipment
  • Secret Shin Bet Unit at The Front Lines of Israel’s Cyber-War
  • Red tape, ‘tattoo-aversion’ snarls government hiring of cybersecurity experts

Computer server at UNCW hacked, university officials say

  • By Wayne Faulkner
  • Star News Online
  • May 1, 2014

A computer server at the University of North Carolina Wilmington has been hacked, possibly giving access to personal information of some employees and students.

The university said Thursday that it is investigating the event, but indicated that so far it had no evidence of fraud or that the hackers had actually found or used the information. The school added that it had begun to notify those affected by email or traditional mail.

UNCW announced earlier this week that its information technology systems team discovered unauthorized access to a database that included names, addresses and Social Security numbers of individuals employed at the university as of March.

Those might include part-time and temporary employees, graduate students and adjunct instructors. Also affected were individuals who took a foreign language placement test at UNCW between 2002 and 2006, the university said.


# # #

Vendor sacked for HIPAA breach blunder

  • By Erin McCann
  • Associate Editor
  • Healthcare IT News
  • May 1, 2014

Can a subcontractor expect to keep the job after accidentally posting protected health information of some 15,000 patients online? A Boston teaching hospital says, ‘definitely not.’

The 496-bed Boston Medical Center in Massachusetts has fired third-party vendor MDF Transcription after hospital officials discovered the company posted health records and demographic data of 15,000 patients to the vendor’s website with no password protection.

“As a result, the notes could have potentially been accessed by non-authorized individuals,”  BMC spokesperson Jenny Eriksen Leary wrote to Healthcare IT News.

When asked how long the information had been posted publicly online, Eriksen Leary said hospital officials are not sure, but they are currently working with MDF to determine that information. The hospital has been working with MDF Transcription for 10 years.


# # #

Most Enterprises Lack Basic Assets to Fight Off Data Theft

  • By Nathan Eddy
  • 2014-05-01

This will not come as a surprise to most IT security people: Most enterprises lack the tools and business intelligence to protect their critical information in an optimal manner, according to new research conducted by the Ponemon Institute and sponsored by Websense.

The main problems are a critical deficit of security solution effectiveness, a disconnect in executives’ perceived value of data, and limited visibility into attack activity, according to the global cyber-security report,

The findings, based on the responses of IT security practitioners with an average of 10 years’ experience in the field from 15 countries, including Brazil, China, Germany, India, the United Kingdom and the United States, revealed a global consensus that security professionals need access to heightened threat intelligence and defenses.

According to respondents, there is a gap between data breach perception and reality–specifically regarding the potential revenue loss to their business. Eighty percent of respondents say their company’s leaders do not equate losing confidential data with a potential loss of revenue.


 # # #

Emergency patch for critical IE 0-day throws lifeline to XP laggards, too

  • By Dan Goodin
  • Ars Technica
  • May 1, 2014

Microsoft has released an emergency update for all recent Windows operating systems—including the recently decommissioned XP—fixing a critical security bug that is currently being exploited in real-world attacks.

The decision to patch XP underscores the potential seriousness of the vulnerability. Since it resides in versions 6 through 11 of Internet Explorer, the remote code-execution hole leaves an estimated 26 percent of Internet browsers susceptible to attacks that can surreptitiously install hacker-controlled backdoors when users visit a booby-trapped website. By some measures, 28 percent of the Web-using public continues to use the aging OS, which lacks crucial safety protections built into Windows 7 and 8.1.

Thursday’s release demonstrates the razor-thin tightrope Microsoft walks as it tries to wean users off a platform it acknowledges is no longer safe against modern hacks. While the XP fix may deprive some laggards of the incentive to upgrade, Microsoft also has a responsibility to prevent exploits that could turn large numbers of the Internet population into compromised platforms that attack others.

Attacks grow by “multiple, new threat actors”

The Microsoft patch comes as the in-the-wild attacks exploiting the vulnerability have expanded to include XP users running IE 8, researchers from security firm FireEye reported Thursday. Previously, the IE attacks FireEye observed targeted only versions 9, 10, and 11 running on Windows 7 and 8.


 # # #

Study: Users don’t much care about Heartbleed hacking dangers

  • By Shaun Nichols
  • The Register
  • 2 May 2014

Despite dire warnings from security experts and a massive public awareness campaign, users are less aware of the Heartbleed flaw than other recent security threats.

So say researchers with the Pew Research Center. According to a public survey of 1,501 people conducted by the company, less than one fifth feel they are well versed on the dangers of the flaw, and less than 40 per cent have taken action to protect their accounts.

The survey (PDF) polled users on both the level of their awareness on the data-leaking OpenSSL flaw and the steps they have taken to change credentials which may have been harvested by attackers. The study of 1,501 American adults was taken in the midst of the Heartbleed scare between the 23-27 April.

During that time, researchers found that 60 per cent of adults had heard of Heartbleed in some form, though 41 per cent said that they had “a little” information about the flaw and just 19 per cent had heard “a lot” about it.


 # # #

Where’s the Next Heartbleed Bug Lurking?

  • By Robert Lemos
  • MIT Technology Review
  • April 29, 2014

After causing widespread panic and changing of passwords, the Heartbleed bug has largely disappeared from the news. Yet the implications of the discovery are still being debated across the computer industry. The biggest concern for security experts is how to preëmpt other flaws lurking in the Internet’s foundations.

The Heartbleed bug was discovered earlier this month in a piece of software called OpenSSL that is widely used to establish a secure connection between Web browsers and servers by managing the cryptographic keys involved. OpenSSL is an “open source” project, meaning that the underlying code is published along with the software. Also, like many other open-source efforts, it is maintained by a small group of volunteer programmers (see “The Underfunded Project Keeping the Web Secure”).

The problem is being recognized by big software companies that rely on efforts like OpenSSL. Last week, the Linux Foundation, which provides support for the popular Linux operating system, launched an effort called the Core Infrastructure Initiative to support small open-source projects. Companies including Google, Amazon, Facebook, IBM, Intel, Cisco, and Dell have so far committed more than $3 million to the effort. A steering committee will try to identify the open-source projects that most need financial support.

“The problem with open source is that you have the ‘free rider’ problem,” says Chris Wysopal, a well-known computer security expert and chief technology officer and cofounder of Veracode, an application-security assessment firm. “People and companies who are using it, and getting huge value out of it, are not giving a lot of money to keep it going.”


 # # #

Cyber spying bug, attack plans found in Lithuania — report

  • By Editor
  • The Lithuania Tribune
  • April 29, 2014

Lithuania’s military intelligence said on Tuesday it last year found spying software in computers used to process information related with Lithuania’s domestic and foreign policy, as well as energy.

In a report, the Defence Ministry’s Second Investigation Department also said it had evidence about large-scale cyber attacks plotted in Lithuania.

“Cyber incidents were reported in the cyber space in the first half of 2013, and they had to do with the spread of spying software,” reads the document.


 # # #

Top IT Security Certifications 2014

  • By S. Sotans
  • April 29, 2014

Best IT Security Certifications 2014: the 10 top paying

The global threat to core IT infrastructure by hackers has created the conditions for security certification skills. When enterprise systems networks are violated by way of internet service providers (ISP) or unauthorized access to designated user login credentials, operations may result in failure. For professionals working in the IT administration and engineering fields, the risk of violations to core infrastructure and data has opened the door for new opportunities in IT security certification. The best information technology security certifications available to IT professionals in 2014 are also top paying roles in the field of enterprise systems management.

Entry level training for a Security+ certification is the first level of training for IT security qualification. Security+ and SSCP preface CISSP, CISA, and CASP certification. The U.S. National Security Agency (NSA) and Committee on National Security Systems (CNSS) both recognize Cisco Company security training courses meeting certification standards in different areas of IT security. Increase IT enterprise systems efficiency with security certification. Professionals can train with Cisco or another accredited source for meeting certification requirements. Earning potential for most tech security certification is over $100,000 per year.

If you are a CIO, information systems engineer, or entry level IT administration professional, the potential offered in certification has never been better. By training in an IT security certification program, technical professionals receive the education and specialized skills they require to design, maintain, analyze, and govern core IT enterprise systems infrastructure. For IT network administrators, security is an essential element of continuing education. Certification in information technology security measures ensures that IT operations are controlled with the appropriate measures to ward against hacking or other systems attack.

Here are the top paying IT security certifications for 2014:

1. CISSP Security Professional Certification — $103,299

Due to the rapid rise in the frequency, scope and complexity of cyber-attacks, the Certified Information Systems Security Professional (CISSP) security training has emerged as one of the main IT security certifications sought by major enterprises and government agencies. CISSP covers the ten vital IT security domains (i.e. disaster recovery, network security, risk management, security architecture and operations, and software development security).

2. CCNA Security Certification — $150,000

Cisco CCNA Security certification courses meet NSA and CNSS 4011 training standards. Certified IT security administrators are qualified to assist federal agencies and private sector entities in development of security plans to protect defense and aid information. The CCNA certification covers the identification of system vulnerabilities, investigation and documentation of system security technologies and policies, and the analysis and evaluation of system security technologies.


 # # #

Obama Policy on Zero Days Craps Out

  • By Jennifer Granick
  • 4/29/2014

Yesterday afternoon, the White House put out a statement describing its vulnerability disclosure policies: the contentious issue of whether and when government agencies should disclose their knowledge of computer vulnerabilities. The statement falls far short of a commitment to network security for all and fails to provide the reassurance the global public needs in the midst of the NSA’s security scandal. It basically says the White House plays a well-intentioned guessing game with our online safety.

The National Security Agency (NSA) is a single agency with a dual mission—protecting the security of U.S. communications while also eavesdropping on our enemies. In furtherance of its surveillance goals, we recently learned about some of NSA’s top secret efforts to hack the Internet. For example, the NSA runs a network of Internet routers that it surveils all traffic going through. It hijacks (or did until recently) Facebook sessions to install malware. It has its own botnets, or networks of compromised computers, that it controls, and it has taken over botnets created by other criminals. It uses these capabilities to steal information, to deny access to websites and other internet services, and to modify digital information, whether in transit or stored on servers.

Given these revelations, the public might reasonably believe the NSA’s deck is stacked against securing people from the very same online vulnerabilities the agency could exploit. For example, some skeptics–not I, however–disbelieve government disavowals of advance knowledge of Heartbleed, one of the worst security holes ever found. To assuage this concern, on April 12th, President Obama announced the government will reveal major flaws in software to assure that they will be fixed, rather than keep quiet so that the vulnerabilities can be used in espionage or cyberattacks, with one huge exception—if there’s “a clear national security or law enforcement need”.

Yesterday’s statement by Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, tries to reassure the public that this Administration knows how to make that judgment call. There are “established principles” and an “established process” for making what are essentially guesses—bets—on network insecurities, based on a series of facially sensible, but practically almost unanswerable, questions. Officials have to assess the risk from vulnerabilities. They have to guess how hard it is for other people to find the same flaw. They have to gamble on whether officials will figure out when the bad guys gain the same attack capabilities. They have to hypothesize whether, when they do, the attackers will use their knowledge to devastating effect.


 # # #

‘War-like’ cybercrime threatens European growth

  • By Arjun Kharpal
  • @ArjunKharpal
  • 04/28/2014

State-backed hackers are aiming to create “war-like activities” that could harm economic growth in Europe, the region’s cybercrime chief warned on Tuesday.

The stark warning from Troels Oerting, head of the European Cybercrime Center and assistant director at law enforcement agency Europol, comes as governments and law enforcement agencies across Europe are already struggling to contain the threat of cybercrime.

“What we are looking at is state-sponsored activity and it is no secret that we have state-sponsored activities…aimed at starting warlike activity,” Oerting said at a speech at the Infosecurity Europe conference in London Tuesday.


 # # #

Cyber Security: Why Nigeria Needs Computer Emergency Response Team

  • By Nkechi Isaac
  • Leadership
  • April 29, 2014

Cybercrime is one of the fastest growing areas of crime. More and more criminals are exploiting the speed, convenience and anonymity that modern technologies offer in order to commit a diverse range of criminal activities. These include attacks against computer data and systems, identity theft, the distribution of child sexual abuse images, internet auction fraud, the penetration of online financial services, as well as the deployment of viruses, Botnets, and various email scams such as phishing.

The global nature of the Internet has allowed criminals to commit almost any illegal activity anywhere in the world, making it essential for all countries to adapt their domestic offline controls to cover crimes carried out in cyberspace. The use of the Internet by terrorists, particularly for recruitment and the incitement of radicalization, poses a serious threat to national and international security.

In addition, the threat of terrorism forces authorities to address security vulnerabilities related to information technology infrastructure such as power plants, electrical grids, information systems and the computer systems of government and major companies.

Speaking at the handover and launching of the Computer Emergency Readiness and Response Team ( Ecosystem by Consultancy Support Services (CS2) to the National Information Technology Development Agency (NITDA), the former acting director-general of the agency, Dr. Ashiru Daura, said the project marked a turning point in the fight against cyber crime in Nigeria.

Daura said, “ is concerned with cyber crime which is crime committed on the cyber space, the internet. A lot of these crimes, which are of different kinds, happen every minute and every second, now even though we try as much as possible to provide protection for our systems, our networks some of these criminals penetrate or attack. So, there is need for us to do at least two things and these are to repel the attack and recover the systems, to make sure that we can come back to our original status as fast as we can and then also learn few lessons from the attack. That’s the purpose for this team which is to provide response to any threat or attack in the cyber space.”


 # # #

Exclusive: Meet the Secret Fed Cybersecurity Unit Keeping Trillions of Dollars Safe From Hackers

  • By Shane Harris
  • Foreign Policy
  • April 28, 2014

If the U.S. central banking system is ever hit with a crippling cyber attack, a group of roughly 100 government employees working in a three-story fortress-like building next door to a Buick dealership in East Rutherford, N.J., will be among the first to know about it. That’s where, almost entirely out of sight, a team from the Federal Reserve System’s crack cyber security unit is constantly on watch for malicious hackers, criminals, and spies trying to breach the computer networks of the Fed, its regional banks, and some of the most critical financial infrastructure in America.

The National Incident Response Team, or NIRT, as the group is called (pronounced “nert”) tries to prevent intruders from breaking into Fed computer networks and money transfer systems used by thousands of banks across the U.S. every day. Among the team’s most important protectees is the Fedwire Funds Service, a real-time settlement system that banks use to transfer money between accounts. In 2013, Fedwire handled on average $2.8 trillion in transfers every day.

For several years now, current and former U.S. officials, as well as bank executives, have warned that cyber attackers could sow mass panic by disrupting critical financial networks such as the ones NIRT protects, causing the systems to crash or manipulating information so that customers didn’t know how much money was in their accounts and financial institutions couldn’t square their ledgers. The nightmare scenario for NIRT members is a malicious hacker gaining access to Fedwire or to sensitive computers used by the Treasury Department, such as the International Treasury System, which the federal government uses to make payments directly to foreign individuals and companies around the world and is also monitored by the NIRT.

The cyber security team is the first line of defense for the central banking system. “If there’s a breach of Fedwire or another critical system, they’re going to wake the [Federal Reserve] chairman up out of bed,” said one former NIRT member. “That’s a shit-your-pants type of emergency. Anything that compromises the faith and trust in the [government-backed] money system. And that’s all bound to the Fed and Treasury systems.”


 # # #

Even Homeland Security Says Not to Use Internet Explorer

How scary is the latest Internet Explorer security vulnerability? Even the U.S. government says not to use IE until the browser is fixed.

The flaw, which affects Internet Explorer versions 6 and up, allows bad guys to gain complete access to a PC via a malicious website. Dubbed “Operation Clandestine Fox” by the security firm FireEye, the threat is real. And dangerous.

The U.S. Department of Homeland Security doesn’t issue security alerts for computer software very often, but this time, it made an exception. Many agencies within the U.S. government use versions of IE.

Homeland Security recommends that users or administrators “enable Microsoft EMET where possible” and to “consider employing an alternative web browser until an official update is available.”


 # # #

Microsoft Warns Of Zero-Day Vulnerability In Internet Explorer

  • By Tim Wilson
  • Dark Reading
  • 4/28/2014

Microsoft has discovered a zero-day vulnerability in most versions of Internet Explorer that already has enabled some attackers to execute code remotely on victim PCs, even without action by the end user. In a security advisory issued over the weekend, Microsoft reported that it “is aware of limited, targeted attacks that attempt to exploit a vulnerability” in IE 6, 7, 8, 9, 10, and 11. The vulnerability, which takes advantage of the way IE accesses an object in memory that has been deleted or has not been properly allocated, makes it possible for attackers to do remote code execution on a targeted machine, the advisory says.

“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft says. “An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.”

Remote code execution means that attackers could distribute malware via a drive-by installation, “where simply looking at booby-trapped content such as a Web page or image file can trick IE into launching executable code sent from outside your network,” notes Paul Ducklin, a researcher at security firm Sophos, in a blog posted Sunday. “There won’t be any obvious warning signs, or ‘Danger, Will Robinson’ dialog boxes.”

Using such an exploit, “a crook may be able to sneak malware onto your computer even if you don’t take any obvious risks such as opening a suspicious attachment or agreeing to download a dubious-sounding file,” he observes.


 # # #

Europe Begins Its Largest-Ever Cyberwar Stress Test

  • By Frances Robinson
  • The Wall Street Journal
  • April 28, 2014

In a sign of just how seriously Europe is taking the cyber threat, more than 400 cyber security professionals from 29 countries and 200 organisations are today beginning a biannual cyber exercise coordinated by the European Union Agency for Network and Information Security (ENISA).

It is not the first time ENISA has produced this event, but this year’s will be the largest such “stress test” of the continent’s ability to withstand massive cyber-attack.

The online event brings together various Cyber Security Agencies, EU bodies, Telecoms operators, tech companies and energy providers. Those involved must detect and tackle various challenges based on 16 different cyber-security incidents. The technical part of the exercise takes place in a distributed manner across all of Europe.

“The incidents in Cyber Europe 2014 are very realistic, mimicking unrest and political crisis at a pan-European level, disrupting services for millions of citizens across Europe,” The Executive Director of ENISA, Professor Udo Helmbrecht, said. “This improves the resilience of Europe’s critical information infrastructures”.


 # # # 

Lawmakers Want Pentagon to Clarify Cloud Security Standards

  • By William Matthews
  • April 25, 2014

Two House members are proposing legislation they say would ease the way for cloud computing vendors to sell services to the Defense Department.

The Defense Cloud Security Act would require department officials to set clearer security requirements for cloud storage and other cloud services “and give vendors an opportunity to meet those standards,” said an aide to Rep. Niki Tsongas, D-Mass. Tsongas and Rep. Derek Kilmer, D-Wash., are expected to introduce the legislation April 28.

Although the Defense Department already buys cloud services from a number of private vendors, Tsongas and Kilmer say that more companies could be providing more cloud services if the military had clearer security requirements.

For vendors, the military represents a large and potentially lucrative market for cloud storage and applications. And for the Defense Department, the cloud represents a way to reduce the cost of owning and operating its own servers and software.


 # # # 

It’s Insanely Easy to Hack Hospital Equipment

  • By Kim Zetter
  • Threat Level
  • 04.25.14

When Scott Erven was given free rein to roam through all of the medical equipment used at a large chain of Midwest health care facilities, he knew he would find security problems–but he wasn’t prepared for just how bad it would be.

In a study spanning two years, Erven and his team found drug infusion pumps–for delivering morphine drips, chemotherapy and antibiotics–that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.

Erven’s team also found that, in some cases, they could blue-screen devices and restart or reboot them to wipe out the configuration settings, allowing an attacker to take critical equipment down during emergencies or crash all of the testing equipment in a lab and reset the configuration to factory settings.

“Many hospitals are unaware of the high risk associated with these devices,” Erven says. “Even though research has been done to show the risks, health care organizations haven’t taken notice. They aren’t doing the testing they need to do and need to focus on assessing their risks.”


 # # # 

Secret Shin Bet Unit at The Front Lines of Israel’s Cyber-War

  • By Tova Dvorin
  • Arutz Sheva
  • 4/25/2014

Several weeks ago, a vigilante by the name of “Buddhax” made waves when he exposed the true faces – and names and passwords – of several anti-Israel hackers who participated in the #OpIsrael project to launch a cyber-attack against Israel.

Now, nearly one month later, Channel 2 revealed Friday the existence of another party responsible for keeping Israel’s cyberspace safe: a secret unit of the Israeli Security Agency (ISA), or Shin Bet.

Tens of hackers work in S-74, the codename for the Shin Bet unit which protects Israeli cyberspace. For days, they will cluster around their computers, tracking the suspicious movements of “Anonymous” hacktivists around the world. Then, just moments before a hack will disrupt a system, they will strike – without anyone even knowing the Shin Bet was involved.

“We have prepared well in advance, we follow networks around the world closely and collect intelligence through HUMINT and SIGINT [human intelligence and signals intelligence, respectively – ed.],” Alon, an S-74 member, revealed to the daily Friday.


 # # # 

Red tape, ‘tattoo-aversion’ snarls government hiring of cybersecurity experts

  • By Doina Chiacu
  • Reuters
  • April 26, 2014


In the race to attract cybersecurity experts to protect the government’s computer networks, the Department of Homeland Security has a handicap money can’t fix.

Navigating the federal hiring system takes many months, which is too long in the fast-paced tech world.

“Even when somebody is patriotic and wants to do their duty for the nation, if they’re really good they’re not going to wait six months to get hired,” said Mark Weatherford, the former cyber chief at DHS.

After a spate of national security leaks and with cybercrime on the rise, the department is vying with the private sector and other three-letter federal agencies to hire and retain talent to secure federal networks and contain threats to American businesses and utilities.


 # # # 

Updated: May 3, 2014 — 6:38 pm

The Author

Rich Fleetwood

Rich is the founder of SurvivalRing, now in its 24th year, author of multimedia CDs and DVDs, loves the outdoors, his family, his geeky skill-set, and lives in rural southern Wyoming, just below the continental divide (long story, that...). Always ready to help others, he shares what he learns on multiple blogs, many social sites, and more. With a background in preparedness and survival skills, training with county, state, and national organizations, and skills in all areas of media and on air experience in live radio and television, Rich is always thinking about the "big picture", when it comes to helping individuals and families prepare for life's little surprises.
