Ios: Including Ordinary Security?

www.dinosec.com @ dinosec

iOS: including Ordinary Security?

Raúl Siles Founder & Senior Security Analyst [email protected] December 2, 2016

• iOS State-of-the-Art • Malware • Developers • Lock Screen • Digital Certificates • Software Updates • Wi-Fi • Conclusions

Q2 2015: Android: 82.8% iOS: 13.9% WP: 2.6% BB: 0.3% Others: 0.4%

Consolidated trend to exceed more than 300 Reference: http://www.idc.com/prodserv/smartphone-os-market-share.jsp million units by quarter (Qx): 1,3 billions (2014)

Official numbers: Official numbers:

• iOS 6: 197 • iOS 8: 56 • iOS after 10 years… • iOS 7: 80 • iOS 8.1: 5 • iOS 7.1: 41 • iOS 8.1.1: 9 Official –numbers?2007: iPhone 2G (iOS• … 1) • iOS 8.1.2: - Official– numbers2008: iPhone 3G (iOS 2) • iOS 8.1.3: 34 • iOS 10: 7 • iOS 8.2: 6 • iOS• iOS 10.0.1: 10:– 2009: 1 49 iPhone 3GS (iOS 3) • iOS 8.3: 58 Official numbers: • iOS• iOS 10.0.2: 10.0.1: 0 1 • iOS 8.4: 33 • iOS 10.0.2:– 2010: 0 iPhone 4 (iOS 4) + iPad 1 • iOS 8.4.1: 71 • iOS 9: 101 • wOS 3: 1 • iOS 9.0.1: - • wOS 3:– 2011: 19 iPhone 4S (iOS 5) + iPad 2 iOS 8.x: 272 • iOS 9.0.2: 1 • iOS 9.1: 49 – 2012: iPhone 5 (iOS 6) + iPad 3 & 4 & mini • iOS 9.2: 50 Official numbers: • iOS 9.2.1: 13 – 2013: iPhone 5c & 5s (iOS 7) + iPad air & mini 2 • iOS 9.3: 39 • wOS 1.0.1: 13 • iOS 9.3.1: - • wOS– 2.0:2014: 39 iPhone 6 & 6+ (iOS 8) + iPad air 2 & mini 3 • iOS 9.3.2: 39 • wOS 2.0.1: 14 • iOS 9.3.3: 46 • wOS– 2.1:2015: 30 iPhone 6S & 6S+ (iOS 9) + iPad Pro 12,9" & mini• iOS 4 9.3.4: 1 • wOS 2.2:• Apple 34 Watch & Apple Pencil • iOS 9.3.5: 3 • wOS 2.2.1: 26 • wOS– 2.2.2:2016: 26 iPhone SE + iPad Pro 9.7" + iPhone 7 & 7+ (iOS iOS10) 9.x: 342 wOS x.y: 182 6

How do we identify or classify malware families and specimens if there are no anti-virus (or anti-malware) solutions for iOS? – Malware (CME) – Vulnerabilities (CVE)

• “No iOS Zone” (DoS) – Malicious SSL certificates (iOS < 8.3) (Apr'15) – https://www.skycure.com/blog/ios-shield-allows-dos-attacks-on-ios-devices/ – WiFiGate: https://www.skycure.com/blog/wifigate-how-mobile-carriers-expose-us-to-wi-fi-attacks/ • XARA: Unauthorized Cross-App Resource Access on MAC OS X and iOS (Jun'15) – https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view?pli=1 – http://www.imore.com/depth-look-ios-os-x-xara-vulnerabilities • KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts (Aug'15) – http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts- to-create-free-app-utopia/ (for jailbroken devices) • Masque attack(s)… – "Masque Attack: All Your iOS Apps Belong to Us" (Nov'14) • https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html – Wirelurker (Nov'14): http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ – "iOS Masque Attack Revived: Bypassing Prompt for Trust and App URL Scheme Hijacking" (Feb'15) • https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html – "Three New Masque Attacks against iOS: Demolishing, Breaking and Hijacking" (Jun'15) • https://www.fireeye.com/blog/threat-research/2015/06/three_new_masqueatt.html

• …More masque attack(s) – "iOS Masque Attack Weaponized: A Real World Look" (Aug'15) • https://www.fireeye.com/blog/threat-research/2015/08/ios_masque_attackwe.html • XcodeGhost (Sep'15 & Nov'15) – http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple- ios-apps-and-hits-app-store/ – https://blog.lookout.com/blog/2015/09/20/xcodeghost/ – https://blog.lookout.com/blog/2015/09/21/xcodeghost-apps – https://blog.lookout.com/blog/2015/09/22/xcodeghost-detection/ – https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html • ZergHelper: Pirated iOS App Store’s Client (…) Evaded Apple iOS Code Review (Feb'16) – http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple- ios-code-review/ • AceDeceiver: iOS Trojan Exploiting Apple DRM Design Flaws (…) (Mar'16) – http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design- flaws-to-infect-any-ios-device/ • Pegasus: (Aug'16) – https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

• Distributing Apps Out of the App Store • Abusing Apple Private APIs

• Apple Developer Enterprise Program (vs. Apple Developer Program) – https://developer.apple.com/programs/enterprise/ ($299/year) • Provision iOS apps for internal corporate distribution (in-house) – Enterprise certs and profiles can "only" be used for internal distribution – Technically, they can be used to install any app on any device • Violating Apple's Developer Enterprise Program terms of service – Avoid Apple's App Store vetting process • And it allows the usage of Apple private APIs (sensitive operations) • User must accept the app installation (two taps) – In iOS 9 it is required to manually trust the developer (provisioning profile)

http://johannesluderschmidt.de/provision-ios-ipa-app-for-in-house-enterprise-distribution/

• Become an Apple enterprise "developer": $299/year • Generate a certificate to distribute iOS apps • Create a provisioning profile • Create the iOS app IPA file & associated Manifest file (PLIST) • Create an "itms-services" web link pointing to the Manifest – The Manifest file includes the reference to the IPA file (app) • Own a web server with a valid trusted certificate (HTTPS) • Distribute the web link: E.g. Tweet, web page, e-mail, Google dork, etc. – Real benign distribution cases in Spain and China

Install this app!

• Objective-C – Message dispatch mechanism to invoke method/function calls – objc_msgSend (String parameters) • Class name and method name • Not resolved statically, but at runtime (or execution time) – Obfuscated and/or encrypted – Load a library (dlopen) and access a function (dlsym) • Runtime (or NSClassFromString / NSSelectorFromString) • Apple's App Store review or vetting process – Private APIs accessing sensitive user information

• "iRiS: Vetting Private API Abuse in iOS Applications" (Oct 2015) – Dynamic analysis of API calls that cannot be resolved statically ("suspicious") – 2,019 apps analyzed: 146 (7%) make use of 150 private APIs (25 critical) • SourceDNA (Oct 2015) – Using the methods described in the previous slide… – 256 apps affected (+1 million downloads) – Youmi's Ad SDK (obfuscated binary ad library) • It sends user info to a server in China – List of installed apps, current running being, serial number, hardware components (peripherals), "e-mail" Apple ID…

http://www.cse.buffalo.edu/~mohaisen/classes/fall2015/cse709/docs/deng-ccs15.pdf https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html

• Distributed through an Apple Enterprise Developer certificate – Evades Apple's App Store vetting process – Targets both jailbroken and non-jailbroken iOS devices </frame> • Extensive usage of private APIs – MobileInstallation: local app (.ipa file) install & uninstall capabilities – Claims a private entitlement key used by iOS system apps • com.apple.private.mobileinstall.allowedSPI – Monitor currently open app and displays advertisements • SpringBoardServices: SBSCopyFrontmostApplicationDisplayIdentifier • SpringBoardServices: SBSLaunchApplicationWithIdentifier – Obtains the list of installed apps: MobileInstallationLookup – Mobile <a href="/tags/Safari_(software)/" rel="tag">Safari</a> manipulation: default search engine, bookmarks, etc. http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non- jailbroken-ios-devices-by-abusing-private-apis/2016 © Dino Security S.L. www.dinosec.com 18 All rights reserved. Todos los derechos reservados. Abusing Apple iOS System Features• Suppress the presence of the app icon from SpringBoard – Makes it harder to remove the app / malware (e.g. YiSpecter) • Alternative: Reset the iOS device to factory defaults • Info.plist file – Declares the properties & app– Undocumented feature <dict> ... <key>CFBundleDisplayName</key> • Suppress SpringBoard from <string> Passbook </string> displaying the installed app icon <key>CFBundleExecutable</key> • Intended for Apple's system apps <string> NoIcon </string> <key>CFBundleIdentifier</key> without UI components <string>com.weiying.hiddenIconLaunch</string> <key>CFBundleShortVersionString</key> – Deprecated as of iOS 8.3 <string>2.3.0</string> • iOS 8: com.apple.* ... <key>SBAppTags</key> <array> http://www.zdziarski.com/blog/?p=5072 <string>hidden</string> </array>2016 © Dino Security S.L. www.dinosec.com 19 All rights reserved. Todos los derechos reservados. Another way of Temporarily Hiding iOS Apps• iOS 7, 8 & 9 (9.3.2) – Non-jailbroken iOS devices • The first SpringBoard pane (home screen) and the <a href="/tags/Dock_(macOS)/" rel="tag">dock</a> must be completely full of apps – App to hide must go into another app, to create a folder, and into the dock at the end • Hidden apps are still accessible from <a href="/tags/Spotlight_(software)/" rel="tag">Spotlight</a> search – Hidden apps are still visible from Settings – General – Storage & iCloud Usage – [Storage] Manage Storage – (List of installed apps) • Hidden apps are restored after the iOS device reboots https://www.youtube.com/watch?v=NlA-B_98K782016 © Dino Security S.L. www.dinosec.com 20 All rights reserved. Todos los derechos reservados. Temporarily Hiding iOS Apps2016 © Dino Security S.L. www.dinosec.com 21 All rights reserved. Todos los derechos reservados. Developers2016 © Dino Security S.L. www.dinosec.com 22 All rights reserved. Todos los derechos reservados. "Is this a bug or a feature?"2016 © Dino Security S.L. www.dinosec.com 23 All rights reserved. Todos los derechos reservados. What Is This?• San Francisco, June 13-17, 2016 • 2,000,000 – Apps in the App Store (from 500 to 2M in 8 years) – Downloaded 130,000,000,000 times • 13,000,000 – Registered developers – 2 million registered in the last year alone • Anything strange here?2016 © Dino Security S.L. www.dinosec.com 24 All rights reserved. Todos los derechos reservados. Developing for the Apple Mobile Ecosystem• Apple developer membership options – Individual: Free or Apple Developer Program ($99/year) – Organization: Apple Developer (Enterprise) Program ($99 or $299/year) • Prior to Xcode 7 (Sep 2015) – Rigorous control over the iOS developer community (regulated market) • After Xcode 7: iOS app sideloading – A free Apple ID is all you need to start running any code on iOS devices • No Apple ID extensive checks: anonymity via fake Apple IDs (e-mails) • A malware developer just needs physical access to an iOS device (USB connection) • Install, or even replace legitimate, iOS apps with malicious ones… https://www.mi3security.com/why-2016-may-be-the-year-of-ios-malware/2016 © Dino Security S.L. www.dinosec.com 25 All rights reserved. Todos los derechos reservados. iOS App Sideloading2016 © Dino Security S.L. www.dinosec.com 26 All rights reserved. Todos los derechos reservados. Advanced App Capabilities https://developer.apple.com/support/app-capabilities/2016 © Dino Security S.L. www.dinosec.com 27 All rights reserved. Todos los derechos reservados. Su-A-Cyder (1/2)• Toolset or framework to generate trojanized iOS apps / malware – Take a decrypted iOS app, inject it with evil code, resign the app with any Apple ID, and install the repackaged app on any non-jailbroken iOS device – Home-Brewed iOS Malware PoC Generator (BlackHat ASIA 2016) • http://blackhat.com/asia-16/briefings.html#su-a-cyder-homebrewing-malware-for-ios-like-a-b0$$ – Threat or attack vector (not a vulnerability, and not malware) • User must accept app installation prompt – Unlocked iOS device • Full access to most data within the trojanized app – Corporate credentials, VPN access, healthcare records, etc. – Location info (GPS or EXIF), address book, <a href="/tags/Calendar_(Apple)/" rel="tag">calendar</a>, <a href="/tags/Health_(Apple)/" rel="tag">Health</a> Kit, etc. https://www.mi3security.com/su-a-cyder-ios-malware/2016 © Dino Security S.L. www.dinosec.com 28 All rights reserved. Todos los derechos reservados. Su-A-Cyder (2/2)• Based on open-source tools • Cydia, Theos(-jailed), libimobiledevice, insert_dylib & Spaceship/Fastlane – By Mi3 Security (Chilik Tamir) • Evil .dylib (no need for original source code) - E.g. Cycript • Provisioning profile (Apple ID) • Untrusted developer – Verify the developer app certificate is trusted on target iOS device – Settings – General – Device Management: Developer App (by Apple ID) – Trust "Apple ID" (developer) – Verify App via network connection for a specific iOS device (& Delete Apps) https://github.com/Mi3Security/su-a-cyder2016 © Dino Security S.L. www.dinosec.com 29 All rights reserved. Todos los derechos reservados. Su-A-Cyder: SkypeBased on: https://www.youtube.com/watch?v=oscx8AC0qUI2016 © Dino Security S.L. www.dinosec.com 30 All rights reserved. Todos los derechos reservados. SandJacking• Su-a-cyder app upgrades fixed by Apple in iOS 8.3 – Install process denies app upgrades with mismatched app ID (bundle ID) • Alternative attack vector for iOS 8.3+ – Backup device – Delete legitimate app – Install evil app – Restore backup over the evil app • HITB (May 2016) by Mi3 Security (Chilik Tamir) – PoC tool, SandJacker, not released until it is fixed by Apple https://conference.hitb.org/hitbsecconf2016ams/materials/D1T2%20- %20Chilik%20Tamir%20-%20Profiting%20from%20iOS%20Malware.pdf2016 © Dino Security S.L. www.dinosec.com 31 All rights reserved. Todos los derechos reservados. Pangu 9 Jailbreak• Pangu 9.2-9.3.3 on demand jailbreak – 64-bit devices only • Vulnerability fixed in 9.3.4 • Tap-to-jailbreak app – First semi-untethered jailbreak (reboot device) – 7-day certificate vs. 1-year certificate • Beijing Hong Yuan Online Technology (revoked – April 2017) • Trust developer (requires an Internet connection) – Cydia Impactor: http://www.cydiaimpactor.com (Saurik) http://en.pangu.io/help.html2016 © Dino Security S.L. www.dinosec.com 32 All rights reserved. Todos los derechos reservados. iOS Malicious Apps Distribution Vectors • Jailbroken iOS device – iOS version? Vulnerable to jailbreak? Local or remote? 0-day? • Non-jailbroken iOS device – App Store • All code must be signed by an identified developer + Apple's review or vetting process • Malware in the official App Store – Coin your own definition of mobile malware: WhatsApp, Linked-In… – LBTM, InstaStock, FindAndCall, Jekyll, FakeTor, XcodeGhost, InstaAgent, abusing private APIs (e.g. Youmi's Ad SDK), ZergHelper, AceDeceiver (Apple's DRM flaws: FairPlay) – Out of the App Store • Abuse private APIs (out of Apple's App Store review process) • Remote: Abusing Apple Enterprise Developer Certificates – Third-party app stores: vShare, 25PP, Kuaiyong, 7659, etc. – Malicious apps: FinFisher, Pangu, Masque Attack, WireLurker, Hacking Team, Oneclickfraud, YiSpecter… • Local: Sideloading iOS apps in Xcode 7+ – Su-a-Cyder, SandJacker and Pangu 9.2-9.3.3 jailbreak • MDM: SideStepper2016 © Dino Security S.L. www.dinosec.com 33 All rights reserved. Todos los derechos reservados. iOS iOS Digging in the Old Trunk 9.3.2 102016 © Dino Security S.L. www.dinosec.com 34 All rights reserved. Todos los derechos reservados. Lock Screen2016 © Dino Security S.L. www.dinosec.com 35 All rights reserved. Todos los derechos reservados. "Voice Hacking"2016 © Dino Security S.L. www.dinosec.com 36 All rights reserved. Todos los derechos reservados. Bypassing iOS Lock Screen History2011• Between 2011-2016… Updated with every single iOS version – iOS 5.x: 4 vulnerabilities since Sep 2014 – iOS 6.x: 8 vulnerabilities – iOS 7.x: 12 vulnerabilities – iOS 8.x: 11 vulnerabilities – iOS 9.x: 6 vulnerabilities (up to now, iOS 9.3.2…) • Smartcover, SIM card, Control Center, Notifications Center, <a href="/tags/Siri/" rel="tag">Siri</a>… • Temporary unauthorized physical access to device – Just a few seconds (or minutes) http://blog.dinosec.com/2014/09/bypassing-ios-lock-screens.html2016 © Dino Security S.L. www.dinosec.com 37 All rights reserved. Todos los derechos reservados. Bypassing iOS Lock Screen Via Siri New iOS version released just to fix one of these bugs: iOS 9.0.2 (CVE-2015-5923)2016 © Dino Security S.L. www.dinosec.com 38 All rights reserved. Todos los derechos reservados. Digital Certificates2016 © Dino Security S.L. www.dinosec.com 39 All rights reserved. Todos los derechos reservados. "If there is no CVE, there is no vulnerability"“Today, I’m proud to say that at the end of 2016, App Transport Security (ATS) is becoming a requirement for App Store apps” Apple’s head of security engineering and architecture, Ivan Krstic WWDC 20162016 © Dino Security S.L. www.dinosec.com 40 All rights reserved. Todos los derechos reservados. What Is This?The double button of mass destruction!!"Continue" or "Details – Trust"2016 © Dino Security S.L. www.dinosec.com 41 All rights reserved. Todos los derechos reservados. (Un)Manageable Digital Certificates• Mobile Safari < 2012 ? • iOS will never ask the user about that certificate again… – Never ever! (iOS 9.3.2) • Settings – Safari: "Clear History and Website Data" does not help • Even after rebooting the iOS device… – Fake: Since iOS 7 • In previous iOS versions (e.g. 5.1.1): Settings – Safari and selecting "Clear Cookies and Data" (and/or rebooting) does not help!2016 © Dino Security S.L. www.dinosec.com 42 All rights reserved. Todos los derechos reservados. Digesting Digital Certificates2016 © Dino Security S.L. www.dinosec.com 43 All rights reserved. Todos los derechos reservados. Managing Digital Certificates?• Alternatively, before connecting to any website via Mobile Safari, install self-signed certs as configuration profiles – Settings – General – Profiles • Delete the "offending" cert by… – … "Never use a cannon to kill a fly" (Confucius) – Removing all settings (or, at least, all network settings)… • Settings – General – Reset – Reset All Settings • Settings – General – Reset – Reset Network Settings • Configuration profile (MDM) – Security & Privacy: "Accept untrusted TLS certificates"2016 © Dino Security S.L. www.dinosec.com 44 All rights reserved. Todos los derechos reservados. Software Updates2016 © Dino Security S.L. www.dinosec.com 45 All rights reserved. Todos los derechos reservados. "Once a vulnerability gets a CVE assigned, and the vendor says it has been fixed… you don't need to worry anymore, right?"2016 © Dino Security S.L. www.dinosec.com 46 All rights reserved. Todos los derechos reservados. iOS & WatchOS Software Updates2014 • "iOS - Back to the Future" (March 2014) & "II" (December 2014) – Raúl Siles (DinoSec): http://www.dinosec.com/en/lab.html#Rooted2014iOS • iOS: Settings – General – Software Update – http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/ com_apple_MobileAsset_SoftwareUpdate.xml – http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/ com_apple_MobileAsset_SoftwareUpdateDocumentation.xml • watchOS: Watch app – General – Software Update – http://mesu.apple.com/assets/watch/com_apple_MobileAsset_SoftwareUpdate/ com_apple_MobileAsset_SoftwareUpdate.xml – http://mesu.apple.com/assets/com_apple_MobileAsset_WatchSoftwareUpdateDocumentation /com_apple_MobileAsset_WatchSoftwareUpdateDocumentation.xml2016 © Dino Security S.L. www.dinosec.com 47 All rights reserved. Todos los derechos reservados. iOS & watchOS Update FreezeVideo recorded on June 20, 2016 Latest versions available: iOS 9.3.2 watchOS 2.1.12016 © Dino Security S.L. www.dinosec.com 48 All rights reserved. Todos los derechos reservados. iOS Software Updates (Finally) Using HTTPS• iOS 10 – CVE-2016-4741: https://support.apple.com/es-es/HT207143 • Vulnerability lifecycle – Discovered in February 2012 – Notified to Apple in February 2014 – Disclosed publicly in March 2014 – Partially fixed by Apple in September 2014 • iOS 8 (CVE-2014-4383) – Re-notified to Apple in November 2014 & May 2016 • To all security researchers… – You can do it! Yes, we can! J2016 © Dino Security S.L. www.dinosec.com 49 All rights reserved. Todos los derechos reservados. Wi-Fi2016 © Dino Security S.L. www.dinosec.com 50 All rights reserved. Todos los derechos reservados. "What vulnerabilities get a CVE assigned to them?""The ones that are really critical!"2016 © Dino Security S.L. www.dinosec.com 51 All rights reserved. Todos los derechos reservados. Really Critical CVE J2013• "Wi-Fi: Why iOS (Android & others) Fail inexplicably" (March 2013) – Raúl Siles (DinoSec): http://www.dinosec.com/en/lab.html#Rooted2013WiFi • iOS 8.3 (April 8, 2015) – Probably you can get a CVE assigned to you too if you paid attention… radius.dinosec.com https://support.apple.com/en-us/HT2046612016 © Dino Security S.L. www.dinosec.com 52 All rights reserved. Todos los derechos reservados. A Not So Critical (Inexistent) CVE L• "Wi-Fi: Why iOS (Android & others) Fail inexplicably" (March 2013) – Raúl Siles (DinoSec): http://www.dinosec.com/en/lab.html#Rooted2013WiFi • Wi-Fi WPA(2)/Enterprise attacks (No CVE assigned: it's a feature, not a bug…)Can you find the differences?2016 © Dino Security S.L. www.dinosec.com 53 All rights reserved. Todos los derechos reservados. Wi-Fi Enterprise Networks: Set-Up2016 © Dino Security S.L. www.dinosec.com 54 All rights reserved. Todos los derechos reservados. Wi-Fi Enterprise Networks2016 © Dino Security S.L. www.dinosec.com 55 All rights reserved. Todos los derechos reservados. Conclusions2016 © Dino Security S.L. www.dinosec.com 56 All rights reserved. Todos los derechos reservados. Spanish Collection of Proverbs"An apple a day keeps the intruder away"2016 © Dino Security S.L. www.dinosec.com 57 All rights reserved. Todos los derechos reservados. Questions?2016 © Dino Security S.L. www.dinosec.com 58 All rights reserved. Todos los derechos reservados. www.dinosec.com @dinosecRaúl Siles raul@dinosec.com </div> </div> </div> </div> </div> </div> </div> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.1/jquery.min.js" integrity="sha512-aVKKRRi/Q/YV+4mjoKBsE4x3H+BkegoM/em46NNlCqNTmUYADjBbeNefNxYV7giUp0VxICtqdrbqU7iVaeZNXA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script> <script src="/js/details118.16.js"></script> <script> var sc_project = 11552861; var sc_invisible = 1; var sc_security = "b956b151"; </script> <script src="https://www.statcounter.com/counter/counter.js" async></script> <noscript><div class="statcounter"><a title="Web Analytics" href="http://statcounter.com/" target="_blank"><img class="statcounter" src="//c.statcounter.com/11552861/0/b956b151/1/" alt="Web Analytics"></a></div></noscript> </body> </html><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script>