NETWORK THREATS: Social Engineering

Transcription

Types of Attack
Instructor: Team
Course: TTH3K3 - Network Security
As Taught In: 2nd semester 2017-2018
Level: Undergraduate
CLO: 1
Week: 3
Sub-Topic: Types of Attack
www.telkomuniversity.ac.id

Social Engineering

Introduction to Social Engineering
• Older than computers
• Targets the human component of a network
• Goals
  – Obtain confidential information (passwords)
  – Obtain personal information

• Tactics
  – Persuasion
  – Intimidation
  – Coercion
  – Extortion/blackmailing

Introduction to Social Engineering (continued)
• The biggest security threat to networks
• Most difficult to protect against
• Main idea:
  – “Why crack a password when you can simply ask for it?”
  – Users divulge their passwords to IT personnel

• Studies human behavior
  – Recognize personality traits
  – Understand how to read body language

Types of Social Engineering
1. Phishing
2. Pretexting
3. Baiting
4. Quid Pro Quo
5. Tailgating
source: telkomuniversity.ac.id

Types of Social Engineering: Phishing
1. Phishing
Phishing scams might be the most common types of social engineering attacks used today. Most phishing scams demonstrate the following characteristics:
• Seek to obtain personal information, such as names, addresses and social security numbers.
• Use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate.
• Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly.
Some phishing emails are more poorly crafted than others, to the extent that their messages oftentimes exhibit spelling and grammar errors, but these emails are no less focused on directing victims to a fake website or form where they can steal user login credentials and other personal information.

Types of Social Engineering: Pretexting
2. Pretexting
Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity.
More advanced attacks will also try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organization or company. A good example of this would be an attacker who impersonates an external IT services auditor and manipulates a company’s physical security staff into letting them into the building.
Unlike phishing emails, which use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target.

Types of Social Engineering: Baiting
3. Baiting
Baiting is in many ways similar to phishing attacks. However, what distinguishes them from other types of social engineering is the promise of an item or good that hackers use to entice victims. Baiters may offer users free music or movie downloads, if they surrender their login credentials to a certain site.
Baiting attacks are not restricted to online schemes, either. Attackers can also focus on exploiting human curiosity via the use of physical media.

Types of Social Engineering: Quid pro Quo
4. Quid pro Quo
Similarly, quid pro quo attacks promise a benefit in exchange for information. This benefit usually assumes the form of a service, whereas baiting frequently takes the form of a good.
One of the most common types of quid pro quo attacks involves fraudsters who impersonate IT service people and who spam call as many direct numbers that belong to a company as they can find. These attackers offer IT assistance to each and every one of their victims. The fraudsters will promise a quick fix in exchange for the employee disabling their AV program and for installing malware on their computers that assumes the guise of software updates.
It is important to note, however, that attackers can use much less sophisticated quid pro quo offers than IT fixes. As real world examples have shown, office workers are more than willing to give away their passwords for a cheap pen or even a bar of chocolate.

Types of Social Engineering: Tailgating
5. Tailgating
Another social engineering attack type is known as tailgating or “piggybacking.” These types of attacks involve someone who lacks the proper authentication following an employee into a restricted area.
In a common type of tailgating attack, a person impersonates a delivery driver and waits outside a building. When an employee gains security’s approval and opens their door, the attacker asks that the employee hold the door, thereby gaining access off of someone who is authorized to enter the company.
Tailgating does not work in all corporate settings, such as in larger companies where all persons entering a building are required to swipe a card. However, in mid-size enterprises, attackers can strike up conversations with employees and use this show of familiarity to successfully get past the front desk.

Preventing Social Engineering
• Train users not to reveal any information to outsiders
• Verify caller identity
  – Ask questions
  – Call back to confirm
• Security drills

Social Engineering: Other Techniques
• Urgency
• Status quo
• Kindness
• Position
• Shoulder Surfing
• Dumpster Diving

The Art of Shoulder Surfing
• Shoulder surfer
  – Reads what users enter on keyboards
    • Logon names
    • Passwords
    • PINs

Tools for Shoulder Surfing
• Binoculars or telescopes or cameras in cell phones
• Knowledge of key positions and typing techniques
• Knowledge of popular letter substitutions
  – s equals , a equals @

The Art of Shoulder Surfing (continued)
• Prevention
  – Avoid typing when someone is nearby
  – Avoid typing when someone nearby is talking on cell phone
  – Computer monitors should face away from door or cubicle entryway
  – Immediately change password if you suspect someone is observing you

Dumpster Diving
• Attacker finds information in victim’s trash
  – Discarded computer manuals
    • Notes or passwords written in them
  – Telephone directories
  – Calendars with schedules
  – Financial reports
  – Interoffice memos
  – Company policy
  – Utility bills
  – Resumes of employees

The Art of Dumpster Diving (continued)
• Prevention
  – Educate your users about dumpster diving
  – Proper trash disposal
  – Use “disk shredder” software to erase disks before discarding them
    • Software writes random bits
    • Done at least seven times
  – Discard computer manuals offsite
  – Shred documents before disposal

The Art of Piggybacking
• Trailing closely behind an employee cleared to enter restricted areas
• How it works:
  – Watch authorized personnel enter an area
  – Quickly join them at security entrance
  – Exploit the desire of others to be polite and helpful
  – Attacker wears a fake badge or security card

The Art of Piggybacking (continued)
• Prevention
  – Use turnstiles
  – Train personnel to report the presence of strangers
  – Do not hold secured doors for anyone
    • Even for people you know
  – All employees must use secure cards

Sample Phishing

Network Attack: Theoretical Perspective

Types of Network Attack
1. Eavesdropping
2. Data Modification
3. Identity Spoofing (IP Address Spoofing)
4. Password-Based Attacks
5. Denial-of-Service Attack
6. Man-in-the-Middle Attack
7. Compromised-Key Attack
8. Sniffer Attack
9. Application-Layer Attack

Types of Network Attack: Eavesdropping
1. Eavesdropping
In general, the majority of network communications occur in an unsecured or "cleartext" format, which allows an attacker who has gained access to data paths in your network to "listen in" or interpret (read) the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise. Without strong encryption services that are based on cryptography, your data can be read by others as it traverses the network.

Types of Network Attack: Data Modification
2. Data Modification
After an attacker has read your data, the next logical step is to alter it. An attacker can modify the data in the packet without the knowledge of the sender or receiver. Even if you do not require confidentiality for all communications, you do not want any of your messages to be modified in transit. For example, if you are exchanging purchase requisitions, you do not want the items, amounts, or billing information to be modified.

Types of Network Attack: Identity Spoofing
3. Identity Spoofing (IP Address Spoofing)
Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed, which is known as identity spoofing. An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet.
After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data. The attacker can also conduct other types of attacks, as described in the following sections.

Types of Network Attack: Password-Based Attacks
4. Password-Based Attacks
A common denominator of most operating system and network security plans is password-based access control. This means your access rights are determined by your user name and password.
When an attacker finds a valid user account, the attacker has the same rights as the real user, even administrator-level rights.
After gaining access to your network with a valid account, an attacker can do any of the following:
• Obtain lists of valid user and computer names and network information.
• Modify server and network configurations, including access controls and routing tables.
• Modify, reroute, or delete your data.

Types of Network Attack: Denial-of-Service Attack
5. Denial-of-Service Attack
Unlike a password-based attack, the denial-of-service attack prevents normal use of your computer or network by valid users.
After gaining access to your network, the attacker can do any of the following:
• Randomize the attention of your internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.
• Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services.
• Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.
• Block traffic, which results in a loss of access to network resources by authorized users.

Types of Network Attack: Man-in-the-Middle Attack
6. Man-in-the-Middle Attack
As the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange.
Man-in-the-middle attacks are like someone assuming your identity in order to read your message. The person on the other end might believe it is you because the attacker might be actively replying as you to keep the exchange going and gain more information. This attack is capable of the same damage as an application-layer attack, described later in this section.

Types of Network Attack: Compromised-Key Attack
7. Compromised-Key Attack
A key is a secret code or number necessary to interpret secured information. Although obtaining a key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker obtains a key, that key is referred to as a compromised key.
An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. With the compromised key, the attacker can decrypt or modify data, and try to use the compromised key to compute additional keys, which might allow the attacker access to other secured communications.

Types of Network Attack: Sniffer Attack
8. Sniffer Attack
A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key.
Using a sniffer, an attacker can do any of the following:
• Analyze your network and gain information to eventually cause your network to crash or to become corrupted.
• Read your communications.

Types of Network Attack: Application-Layer Attack
9. Application-Layer Attack
An application-layer attack targets application servers by deliberately causing a fault in a server's operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of your application, system, or network, and can do any of the following:
• Read, add, delete, or modify your data or operating system.
• Introduce a virus program that uses your computers and software applications to copy viruses throughout your network.
• Introduce a sniffer program to analyze your network and gain information that can be used to crash or to corrupt your systems and network.
• Abnormally terminate your data applications or operating systems.
• Disable other security controls to enable future attacks.

Distributed Denial of Service

Denial-of-service
• Denial of service (DoS): an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space
• Attacks (overload or invalid request services that consume significant resources)
  – network bandwidth
  – system resources
  – application resources
• Have been an issue for some time (25% of respondents to an FBI survey)

Classic DoS attacks
• Flooding ping command
  – Aim of this attack is to overwhelm the capacity of the network connection to the target organization
  – Traffic can be handled by higher capacity links on the path, but packets are discarded as capacity decreases
• Source of the attack is clearly identified unless a spoofed address is used
• Network performance is noticeably affected

Classic DoS attacks

Internet Control Message Protocol (ICMP)
• The Internet Control Message Protocol (ICMP) is one of the main IP protocols; it is used by network devices, like routers, to send error messages (e.g., indicating that a requested service is not available or that a host or router could not be reached)
• The host must respond to all echo requests with an echo reply containing the exact data received in the request message

Source address spoofing
• Use forged source addresses
  – Usually via the raw socket interface on operating systems
  – Makes attacking systems harder to identify
• Attacker generates large volumes of packets that have the target system as the destination address
• Congestion would result in the router connected to the final, lower capacity link
• Backscatter traffic
  – Advertise routes to unused IP addresses to monitor attack traffic

Backscatter traffic
• Security researchers (Honeypot Project) advertise blocks of unused IP addresses (no real/legit uses)
• If an ICMP/connection request is made to them, it is most likely from attackers
• Monitoring provides valuable info on the type and scale of attack

SYN spoofing
• Common DoS attack
• Attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them
• Thus legitimate users are denied access to the server
• Hence an attack on system resources, specifically the network handling code in the operating system

TCP connection handshake
[Figure: TCP three-way handshake; labels: SYN/ACK packets, x = client seq#, y = server seq#]

SYN spoofing attack
Assumption: most connections succeed and thus the table is cleared quickly

SYN spoofing attack: attacker’s source
• Attacker often uses either
  – random source addresses (addresses that may not exist)
  – or that of an overloaded server (that may not send a RST)
  – to block return of (most) reset packets
• Has much lower traffic volume
  – attacker can be on a much lower capacity link
• Objective: uses addresses that will not respond to the SYN-ACK with a RST

Types of flooding attacks
• Classified based on network protocol used
• Objective: to overload the network capacity on some link to a server
• Virtually any type of network packet can be used
• ICMP Flood
  – Uses ICMP packets, e.g. ping (echo) request
  – Typically allowed through, some required
• UDP Flood
  – Alternative uses UDP packets to random ports (even if no service is available, attacker achieves its goal)
• TCP SYN Flood (SYN spoof vs SYN flood)
  – Sends TCP SYN (connection request) packets
  – But for volume attack

UDP packet
• User Datagram Protocol (UDP) is a component of the IP suite and allows computer applications to send messages
• A UDP packet can be directed at practically any service (port); if the service is unavailable, the packet is discarded but the attacker's objective is achieved

Distributed DoS attacks
• Have limited volume if single source used
• Multiple systems allow much higher traffic volumes to form a distributed DoS (DDoS) attack
• Often compromised PCs/workstations
  – Zombies with backdoor programs installed
  – Forming a botnet
• Example: Tribe Flood Network (TFN), TFN2K
  – did ICMP, SYN, UDPF and ICMP floods

DDoS control hierarchy
Attacker sends one command to the handler zombies; the handler forwards to other handlers, agents

Application-based bandwidth attacks
• Force the victim system to execute resource-consuming operations (e.g., searches, complex DB queries)
• VoIP Session Initiation Protocol (SIP) flood: attacker sends many INVITE requests; major burden on the proxies
  – server resources depleted while handling requests
  – bandwidth capacity is consumed

HTTP-based attacks
• Attempts to monopolize by sending HTTP requests that never complete
• Eventually consumes Web server’s connection capacity
• Utilizes legitimate HTTP traffic
• Spidering: bots starting from a given HTTP link and following all links on the provided Web site in a recursive way
• Existing intrusion detection and prevention solutions that rely on signatures to detect attacks will generally not recognize Slowloris

Reflection attacks
• Attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system
• When intermediary responds, the response is sent to the target
• “Reflects” the attack off the intermediary (reflector)
• Goal is to generate enough volumes of packets to flood the link to the target system without alerting the intermediary
• The basic defense against these attacks is blocking spoofed-source packets

Reflection attacks

Reflection attacks
• Further variation creates a self-contained loop between intermediary and target (attacker spoofs using port 7 requiring echoes)
• Fairly easy to filter and block

DNS amplification attacks
• Use packets directed at a legitimate DNS server as the intermediary system
• Attacker creates a series of DNS requests containing the spoofed source address of the target system
• Exploit DNS behavior to convert a small request to a much larger response (amplification)
• Target is flooded with responses
• Basic defense against this attack is to prevent the use of spoofed source addresses

Amplification attacks
Can take advantage of the broadcast address of some network

Four lines of defense against DDoS attacks
• Attack prevention and preemption (before attack)
• Attack detection and filtering (during the attack)
• Attack source traceback and identification (during and after the attack)
• Attack reaction (after the attack)

DoS attack prevention
• Block spoofed source addresses
  – On routers as close to source as possible
• Filters may be used to ensure path back to the claimed source address is the one being used by the current packet
  – Filters must be applied to traffic before it leaves the ISP’s network or at the point of entry to their network
• Use modified TCP connection handling code
  – Cryptographically encode critical information in a cookie that is sent as the server’s initial sequence number
  – Legitimate client responds with an ACK packet containing the incremented sequence number cookie
  – Drop an entry for an incomplete connection from the TCP connections table when it overflows

Attack prevention
• Rate controls in upstream distribution nets
  – On specific packet types, e.g. some ICMP, some UDP, TCP/SYN
  – Impose limits
• Use modified TCP connection handling
  – Server sends SYN cookies when table full (reconstruct table data from the cookie from legit clients)
  – Or selective or random drop when table full
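
An added example (not from the original slides) of the cookie-based connection handling described on the two prevention slides above: the server keeps half-open state while its table has room and, once the table is full, encodes the state in the SYN-ACK sequence number and rebuilds it from the client's ACK. The bit layout (5-bit time slot, 3-bit MSS index, 24-bit MAC), the HMAC-SHA256 construction, the MSS table, the `Listener` class and all addresses are assumptions chosen for illustration, not any operating system's implementation.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)      # per-boot server secret
SERVER = ("192.0.2.10", 443)          # constructed address (documentation range)
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed table; the cookie carries an index into it
SLOT_SECONDS = 64                     # assumed granularity of the cookie lifetime
M32 = 0xFFFFFFFF


def _mac24(src, sport, client_isn, slot):
    """24-bit keyed hash binding the cookie to the 4-tuple, client ISN and time slot."""
    msg = f"{src}:{sport}>{SERVER[0]}:{SERVER[1]}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: 5 bits time slot, 3 bits MSS index, 24 bits MAC."""
    slot = int(now) // SLOT_SECONDS
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((slot & 0x1F) << 27) | (idx << 24) | _mac24(src, sport, client_isn, slot)


def check_cookie(src, sport, seq, ack, now):
    """Validate the final ACK of the handshake; return the negotiated MSS or None."""
    cookie, client_isn = (ack - 1) & M32, (seq - 1) & M32
    idx, mac = (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = int(now) // SLOT_SECONDS
    for slot in (current, current - 1):          # accept the current and previous slot only
        if (slot & 0x1F) != (cookie >> 27) or idx >= len(MSS_TABLE):
            continue
        expected = _mac24(src, sport, client_isn, slot)
        if hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None


class Listener:
    """Stores half-open state while the table has room, falls back to cookies when full."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}       # (src, sport) -> (client_isn, server_isn, mss)
        self.established = {}     # (src, sport) -> mss

    def on_syn(self, src, sport, client_isn, mss, now):
        if len(self.half_open) < self.backlog:
            server_isn = secrets.randbits(32)
            self.half_open[(src, sport)] = (client_isn, server_isn, mss)
        else:
            server_isn = make_cookie(src, sport, client_isn, mss, now)  # nothing stored
        return server_isn         # sent as the sequence number of the SYN-ACK

    def on_ack(self, src, sport, seq, ack, now):
        key = (src, sport)
        state = self.half_open.get(key)
        if state is not None:
            client_isn, server_isn, mss = state
            ok = seq == (client_isn + 1) & M32 and ack == (server_isn + 1) & M32
        else:
            mss = check_cookie(src, sport, seq, ack, now)   # rebuild state from the ACK
            ok = mss is not None
        if ok:
            self.half_open.pop(key, None)
            self.established[key] = mss
        return ok


def simulate_flood():
    """Constructed scenario: spoofed SYNs fill the table, then a real client connects."""
    srv = Listener(backlog=4)
    for i in range(50):                           # spoofed sources never send the ACK
        srv.on_syn(f"203.0.113.{i}", 1024 + i, 1000 + i, 1460, now=100)
    isn = srv.on_syn("198.51.100.7", 40000, 123456, 1400, now=100)
    accepted = srv.on_ack("198.51.100.7", 40000, 123457, (isn + 1) & M32, now=110)
    forged = srv.on_ack("198.51.100.8", 40001, 5, 0xDEADBEEF, now=110)  # guessed ACK
    return len(srv.half_open), accepted, forged, srv.established
```

The cookie carries only an index into the MSS table, so the client that offered 1400 is accepted with 1300; options that do not fit in the sequence number are lost on this path.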

Responding to attacks
• Good incident response plan
  – Details on how to contact technical personnel for ISP
  – Needed to impose traffic filtering upstream
  – Details of how to respond to the attack
• Implement anti-spoofing, directed broadcast, and rate limiting filters
• Ideally have network monitors and IDS to detect and notify abnormal traffic patterns

TCP Connection Management: Closing
Step 1: client end system sends TCP FIN control segment to server
Step 2: server receives FIN, replies with ACK. Closes connection, sends FIN.
Step 3: client receives FIN, replies with ACK.
  – Enters “timed wait” - will respond with ACK to received FINs
Step 4: server receives ACK. Connection closed.
[Figure: client/server timeline with the states closing, timed wait, closed]

Detection Methods (I)
• Utilize SYN-FIN pair behavior
• Or SYNACK – FIN
• Can be both on client or server side
• However, RST violates SYN-FIN behavior
  – Passive RST: transmitted upon arrival of a packet at a closed port (usually by servers)
  – Active RST: initiated by the client to abort a TCP connection (e.g., Ctrl-D during a telnet session)
    • Often queued data are thrown away
  – So a SYN-RST(active) pair is also normal

SYN – FIN Behavior
• Generally every SYN has a FIN
• We can’t tell if RST is active or passive
• Consider 75% active
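
An added example (not from the original slides) of detection based on the SYN-FIN pair behavior above: it counts SYN, FIN and RST segments per observation period, credits 75% of the RSTs as closes, and raises an alarm when SYNs persistently outnumber closes. The cumulative-sum test and the constants `OFFSET`, `THRESHOLD` and `SMOOTHING` go beyond what the slides state and are assumptions, as is the constructed packet trace.

```python
from collections import Counter

ACTIVE_RST_SHARE = 0.75   # from the slide: count 75% of RSTs as active closes
OFFSET = 0.35             # assumed: normal ceiling for the normalized difference
THRESHOLD = 1.0           # assumed: alarm level for the cumulative sum
SMOOTHING = 0.9           # assumed: weight of history in the running average


def bucket(packets, period):
    """Count SYN, FIN and RST segments per observation period.

    packets: iterable of (timestamp_seconds, flags), flags such as "S", "SA", "F", "R".
    """
    counts = {}
    for ts, flags in packets:
        c = counts.setdefault(int(ts // period), Counter())
        if "S" in flags and "A" not in flags:
            c["syn"] += 1             # connection request; SYN/ACK is not counted
        elif "F" in flags:
            c["fin"] += 1
        elif "R" in flags:
            c["rst"] += 1
    if not counts:
        return []
    return [counts.get(i, Counter()) for i in range(max(counts) + 1)]


def detect(periods):
    """Return (index of the first alarmed period or None, cumulative-sum trace)."""
    avg_closes, cusum, trace, alarm = None, 0.0, [], None
    for i, c in enumerate(periods):
        closes = c["fin"] + ACTIVE_RST_SHARE * c["rst"]
        if avg_closes is None:
            avg_closes = max(closes, 1.0)
        # Unmatched SYNs, normalized so the test does not depend on traffic volume.
        x = (c["syn"] - closes) / avg_closes
        cusum = max(0.0, cusum + x - OFFSET)
        trace.append(round(cusum, 3))
        if alarm is None and cusum > THRESHOLD:
            alarm = i
        avg_closes = SMOOTHING * avg_closes + (1 - SMOOTHING) * max(closes, 1.0)
    return alarm, trace


def sample_packets(period=20):
    """Constructed trace: 6 normal periods, then unanswered SYNs from period 6 on."""
    pkts = []
    for p in range(10):
        base = p * period
        for k in range(40):                       # 40 normal connections per period
            pkts.append((base + k * 0.4, "S"))
            # one connection in eight ends with a reset, the rest with a FIN
            pkts.append((base + k * 0.4 + 0.2, "R" if k % 8 == 0 else "F"))
        if p >= 6:
            pkts += [(base + k * 0.1, "S") for k in range(60)]   # flood: SYN only
    return pkts


def run_sample():
    return detect(bucket(sample_packets(), 20))
```

With the 75% credit, a period in which half of the connections end in a reset stays below the offset; counting FINs alone would push the same traffic over the alarm level.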

Detection Method (II)
• SYN – SYN/ACK pair behavior
• Hard to evade for the attacking source
• Problems
  – Need to sniff both incoming and outgoing traffic
  – Only becomes obvious when really swamped

Password Management

Password Management
• Front line of defense against intruders
• Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password
  – Password serves to authenticate the ID of the individual logging on to the system
  – The ID provides security by:
    • Determining whether the user is authorized to gain access to a system
    • Determining the privileges accorded to the user
    • Used in discretionary access control

Managing Password
• need policies and good user education
• ensure every account has a default password
• ensure users change the default passwords to something they can remember
• protect password file from general access
• set technical policies to enforce good passwords
  – minimum length ( 6)
  – require a mix of upper & lower case letters, numbers, punctuation
  – block known dictionary words

Managing Password
• may reactively run password guessing tools
  – note that good dictionaries exist for almost any language/interest group
• may enforce periodic changing of passwords
• have system monitor failed login attempts, & lockout account if see too many in a short period
• do need to educate users and get support
• balance requirements with user acceptance
• be aware of social engineering attacks

Attack Strategies and Countermeasures (1)
Workstation hijacking
• The attacker waits until a logged-in workstation is unattended
• The standard countermeasure is automatically logging the workstation out after a period of inactivity
Exploiting user mistakes
• Attackers are frequently successful in obtaining passwords by using social engineering tactics that trick the user or an account manager into revealing a password; a user may intentionally share a password to enable a colleague to share files; users tend to write passwords down because it is difficult to remember them
• Countermeasures include user training, intrusion detection, and simpler passwords combined with another authentication mechanism

Attack Strategies and Countermeasures (2)
Offline dictionary attack
• Determined hackers can frequently bypass access controls and gain access to the system’s password file
• Countermeasures include controls to prevent unauthorized access to the password file, intrusion detection measures to identify a compromise, and rapid reissuance of passwords should the password file be compromised
Specific account attack
• The attacker targets a specific account and submits password guesses until the correct password is discovered
• The standard countermeasure is an account lockout mechanism, which locks out access to the account after a number of failed login

Attack Strategies and Countermeasures (3)
Electronic Monitoring
• sniffing/eavesdropping
• (advanced) encryptions
Password guessing against single user
• User awareness, password policies
Exploiting multiple password use
• Similar password for given user @ diff network
• User awareness, password policies
Popular password attack
• User awareness, password policies

UNIX Password Scheme

Password Selection Strategies
The goal is to eliminate guessable passwords while allowing the user to select a password that is memorable
Four basic techniques are in use:
• User education
  – Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords
• Computer-generated passwords
  – Computer-generated password schemes have a history of poor acceptance by users
  – Users have difficulty remembering them
• Reactive password checking
  – A strategy in which the system periodically runs its own password cracker to find guessable passwords
• Proactive password checking
  – A user is allowed to select his or her own password, however, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it
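
An added example (not from the original slides) of proactive password checking, applying the technical policies listed under "Managing Password" at the moment the user chooses a password: minimum length, a mix of character classes, and blocked dictionary words, including words disguised with letter substitutions. The minimum length of 8, the mini-dictionary and the substitution table are assumptions.

```python
import string

MIN_LENGTH = 8    # assumed value; set it to the minimum your policy requires
# Constructed mini-dictionary; a deployment would load a large wordlist instead.
DICTIONARY = {"password", "welcome", "dragon", "telkom", "network", "security"}
# Assumed substitution table, folding disguised letters back to plain ones.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})


def check_password(password, username=""):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")

    # Require upper case, lower case, a digit and a punctuation character.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if not all(classes):
        problems.append("needs upper, lower, digit and punctuation")

    # Fold case and substitutions first, so "P@ssw0rd" is treated like "password".
    folded = password.lower().translate(SUBSTITUTIONS)
    hits = sorted(word for word in DICTIONARY if word in folded)
    if hits:
        problems.append("contains dictionary word: " + hits[0])
    if username and username.lower() in folded:
        problems.append("contains the user name")
    return problems
```

A password such as "P@ssw0rd1!" satisfies the length and character-mix rules and is rejected only by the dictionary check, which is why the folding step comes before the lookup.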

Passwords: New Ways
• Use password manager applications
• Use a passphrase instead of a password
  – Random common words instead of a gibberish, hard-to-memorize random word (xkcd #936)

Exercise
• Use Wireshark to monitor your network traffic
• Save your network traffic for 30 minutes
• From your saved traffic file:
  – Determine how much of it is ARP, DNS, and HTTP traffic
  – What’s your IP address? What’s your DNS server?
• Assume that passwords are selected from four-character combinations of 26 alphabetic characters. Assume that an adversary is able to attempt passwords at a rate of one per second.
  – Assuming no feedback to the adversary until each attempt has been completed, what is the expected time to discover the correct password?
  – Assuming feedback to the adversary flagging an error as each incorrect character is entered, what is the expected time to discover the correct password?

Server Certificate: SSL

Virtual Communication between Layers
[Figure: layer-by-layer communication between Host A and Host B through two routers; labels: application layer (application data), transport layer (transport payload), network layer (network payload), data link layer (data link payload)]

TCP/IP Security Protocol
Application Layer: PGP, SSH
Transport Layer: SSL/TLS
Internetwork Layer: IPsec
Network Access Layer: IEEE 802.11 (WEP, WPA)

Security in what layer?
• Depends on the purpose
  – How are keys provisioned/shared?
  – Should the (human) user be involved?
  – Semantics: authenticate user-to-user, or host-to-host?

Security in what layer?
• Depends on what’s available
  – E.g., consider a user connecting to a website from a café (over a wireless network)
  – End-to-end encryption might be unavailable (e.g., if website does not support encryption)
  – Eavesdropping on Internet backbone less likely than eavesdropping on wireless link in café
  – Encrypt link from user to wireless router
  – Link-layer encryption more appropriate
• Link-layer au
