SNMPv3 → Simple Network Management Protocol (version 3) → Monitors & manages network devices such as routers & switches
Uses UDP port 161 (manager-to-agent queries & sets) & UDP port 162 (traps sent to the manager) → SNMPv1/v2c authenticate only with a cleartext community string; SNMPv3 adds per-user authentication & encryption (authPriv), so v3 should be required & v1/v2c disabled on managed devices
Can modify devices’ configuration & can check device report status
SNMPv3 agents installed on devices send information to SNMP manager via notifications known as traps
Flood guard sends SNMP trap messages in response to an alert
SNMP Usage → Commonly used to gather information from routers, switches, and other network devices → It provides information about a device’s status, including CPU and memory utilization, as well as many other useful details about the device
IPSec → Used to encrypt IP traffic
Authentication Header → IPSec uses AH so that the hosts in a conversation can authenticate each other & verify packet integrity before & while exchanging data
AH provides authentication & integrity but no confidentiality → the packet contents remain readable to anyone on the path
Encryption → IPSec includes Encapsulating Security Payload (ESP) to encrypt data & provide confidentiality
IPSec uses Internet Key Exchange (IKE) to authenticate clients in the IPSec conversation → Internet key exchange (IKE) is used to set up security associations (SAs) on each end of the tunnel.
Modes:
Transport Mode → Only the payload (the data being transmitted) of the IP packet is encrypted and/or authenticated. The IP header remains intact.
Typically used for end-to-end communication between two hosts or devices.
Tunnel Mode → The entire IP packet (including the original IP header and payload) is encapsulated within a new IP packet with a new IP header
Commonly used for site-to-site VPN connections where entire packets need to be protected.
Post Office Protocol (POP3) → Transfers emails from servers down to clients
POP3 → Port 110
POP3S → Port 995
IMAP → Internet Message Access Protocol → Stores email on the server & lets users organize & manage mail in folders on the server → Port 143 (IMAPS over TLS → Port 993)
Real Time Protocol (RTP) → a network protocol designed for delivering audio and video over IP networks
Secure Real Time Protocol (SRTP) → An extension of RTP that provides encryption, message authentication, and integrity, as well as replay protection for RTP data.
SRTP ensures secure transmission of real-time audio and video communications.
Session Initiation Protocol (SIP) → A signaling protocol used to initiate, maintain, modify, and terminate real-time sessions that involve video, voice, messaging, and other communications applications and services.
Time Synchronization →
Network Time Protocol (NTP) → A protocol used to synchronize the clocks of computers over a network.
Simple Network Time Protocol (SNTP) → A simplified version of NTP, used for less complex and less demanding synchronization needs
It provides time synchronization but with reduced accuracy and fewer features compared to NTP.
Email and Web → Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), HTTP, HTTPS
File Transfer → File Transfer Protocol (FTP) & Trivial File Transfer Protocol (TFTP) send credentials & data in cleartext → secured variants: SFTP (file transfer over SSH) & FTPS (FTP over SSL/TLS); IPSec can also protect file transfer traffic at the network layer
UEFI → Unified Extensible Firmware Interface → Performs many of same functions as BIOS but provides some enhancement
A specification for a software program that connects a computer’s firmware to its operating system (OS)
BIOS → provides instructions on starting → It runs some basic checks, locates the OS & boots
BIOS & UEFI can be upgraded by flashing → Flashing overwrites the firmware in the chip with a newer image → only signed firmware images from the vendor should be accepted, since a malicious flash survives OS reinstalls
BIOS vs UEFI
BIOS → Initializes hardware components and boots the OS
Generally slower boot times due to the sequential initialization process.
UEFI → More complex initialization process with support for modern hardware and boot methods
Faster boot times due to parallel initialization processes and optimized boot methods
Measured Boot → Records (measures) each component in the boot sequence, hashing it & extending the result into a Trusted Platform Module (TPM) platform configuration register (PCR) before the component runs, without any user interaction
Measured Boot by itself does not stop the boot → It produces evidence; a verifier (local policy such as a disk-encryption key sealed to the PCR values, or a remote attestation server) decides whether the recorded state can be trusted & can refuse to release keys or grant access if integrity was lost
A security feature that helps ensure the integrity of the boot process by recording each step in the boot sequence & storing the measurements in a secure location, typically a TPM
Boot Attestation → The hashes (measurements) of the key files used to boot the computer are recorded & reported to a verifier
Boot attestation requires that systems record & measure the boot process, & subsequently prove to a verifier that the process matched a known-good state
Measured Boot Vs Secure Boot
Measured Boot → Ensure integrity of the boot process through measurements
Records and stores measurements of each boot component in TPM
Can provide remote attestation of system integrity
Useful for environments requiring verifiable integrity
Secure Boot → Ensure only trusted code is executed during boot
Verifies digital signatures of each boot component
Does not provide remote attestation
Useful for environments requiring strict execution control
Trusted Boot → Verifies the operating system kernel signature and starts the ELAM(Early Launch Anti-Malware) process.
Secure Cookies → Cookie that has the secure attribute set
When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS).
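The Secure attribute is only one of several Set-Cookie hardening flags a reviewer checks. The following is an added example (not code from the original notes) that parses Set-Cookie header values and reports the missing or invalid attributes; the header strings in SAMPLE_HEADERS are constructed for illustration.

```python
"""Audit Set-Cookie headers for the Secure attribute and the related
hardening attributes (HttpOnly, SameSite, __Secure-/__Host- prefixes).

Added example, not part of the original notes; SAMPLE_HEADERS are constructed.
"""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and a lowercase attribute map.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> list:
    """Return a list of findings; an empty list means the cookie passes."""
    cookie = parse_set_cookie(header)
    name, attrs = cookie["name"], cookie["attrs"]
    findings = []

    secure = "secure" in attrs
    if not secure:
        findings.append("missing Secure: user agent will also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from script via document.cookie")

    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite: relies on the browser default")
    elif str(samesite).lower() == "none" and not secure:
        # Browsers reject SameSite=None without Secure; the cookie is simply dropped.
        findings.append("SameSite=None requires Secure: browsers will reject this cookie")

    # Cookie-name prefixes: the browser enforces these, so a server that sets
    # them wrongly silently loses the cookie instead of getting a weaker one.
    if name.startswith("__Secure-") and not secure:
        findings.append("__Secure- prefix requires the Secure attribute")
    if name.startswith("__Host-"):
        if not secure:
            findings.append("__Host- prefix requires the Secure attribute")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
        if "domain" in attrs:
            findings.append("__Host- prefix forbids the Domain attribute")
    return findings


# Constructed sample headers: one hardened, one unprotected, one with a broken prefix.
SAMPLE_HEADERS = [
    "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracking=xyz; Path=/; Max-Age=3600",
    "__Host-id=q1w2e3; Path=/; Domain=example.com; Secure; HttpOnly; SameSite=Strict",
]


def audit_all(headers=SAMPLE_HEADERS) -> dict:
    """Map each cookie name to its findings."""
    return {parse_set_cookie(h)["name"]: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for cookie_name, findings in audit_all().items():
        print(cookie_name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Run it against captured response headers (e.g. from a proxy log) rather than the constructed list; a session cookie that fails the Secure check is exposed the first time the user follows a plain http:// link to the site.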
Code Signing → The signature identifies the author & the signed hash verifies that the code hasn't been modified since it was signed
Verifies the originator of the component & thus makes it harder to pass malware off as a legitimate update → a valid signature proves origin & integrity, not that the signed code is safe
Full Disk Encryption (FDE) → Encrypts the entire disk
Users typically need to enter a password or use a cryptographic key stored on a separate device (like a smart card or USB token) to unlock the disk and access its contents.
Self Encrypting Drive (SED) → Also known as a hardware-based FDE drive
Automatically encrypts & decrypts data on the drive with a key held in the drive controller, without user or OS interaction
A storage device that encrypts data before it is written to the drive & decrypts it when read, without requiring any action from the operating system or user
An SED with no authentication configured unlocks automatically at power-on → it protects only against the storage media being pulled out of the drive, not against anyone who can boot the system → a drive password (or Opal credentials) must be set for the encryption to be meaningful
Opal → Set of specifications (TCG Opal) for SEDs
It defines what hardware vendors must do to ensure SEDs can be configured to prevent unauthorized access
Opal-compliant drives require users to enter credentials to unlock the drive while booting the system (pre-boot authentication)
TPM → Hardware chip on the computer's motherboard (or built into the CPU) that stores cryptographic keys used for encryption
TPM protects Full Disk Encryption keys → The FDE key (e.g. BitLocker's volume key) is sealed to the TPM so it is released only when the measured boot state matches the state at sealing time
It keeps the hard drive locked or sealed until the system completes the boot verification & authentication process
TPM supports the boot attestation process → When the TPM is configured, it captures the hashes of the key files used to boot the computer & stores those measurements in its PCRs
Uses burned-in cryptographic keys & includes built-in protections against brute-force attacks (dictionary-attack lockout)
Secure Boot → When the system boots, the firmware checks each boot component (bootloader, drivers, kernel) against trusted signatures to ensure it hasn't been changed or replaced → If a component fails the check, it blocks the boot process → Combined with a TPM-sealed FDE key, a changed boot chain also leaves the drive locked, protecting the data on it
Remote Attestation → Uses a separate system (an attestation server) instead of checking the boot measurements only locally in the TPM
The TPM signs a quote of its PCR values (the measurements of the key boot files) & the system sends the quote plus its boot log to the remote verifier
Hardware root of trust → Also known as a known secure starting point → The TPM's private key never leaves the chip; when a quote verifies under the matching public key, the verifier knows it came from that specific TPM, which anchors trust in everything measured above it
A TPM includes a unique asymmetric endorsement key (RSA or ECC) burned into the chip that provides the hardware root of trust
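The Measured Boot / Boot Attestation items and the TPM / Remote Attestation items above describe the same mechanism from two sides: the firmware extends measurements into a PCR, and a verifier replays the event log and compares it to known-good values. The following is an added example (not code from the original notes) that simulates a SHA-256 PCR bank: the boot component images, the "golden" digests and the use of a single PCR are constructed assumptions for illustration.

```python
"""Measured boot and attestation with a simulated TPM PCR.

Added example, not part of the original notes. Component images, golden
values and the single SHA-256 PCR are constructed for illustration.
"""
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank


def measure(blob: bytes) -> bytes:
    """Digest of a boot component, computed by the previous stage before it runs."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest). PCRs can only be extended,
    never written, so a later stage cannot erase an earlier measurement."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components):
    """Simulate the boot: measure each (name, blob) in order, extend the PCR and
    keep an event log. Returns (final_pcr, event_log)."""
    pcr = bytes(PCR_SIZE)  # PCR is all zeros after reset
    log = []
    for name, blob in components:
        digest = measure(blob)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR from the event log alone, as a verifier does."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def attest(quoted_pcr: bytes, log, golden: dict) -> dict:
    """Verifier-side check: the log must reproduce the quoted PCR (otherwise the
    log was edited) and every component must match its known-good digest."""
    result = {"log_consistent": replay_log(log) == quoted_pcr, "bad_components": []}
    for name, digest in log:
        if golden.get(name) != digest:
            result["bad_components"].append(name)
    result["trusted"] = result["log_consistent"] and not result["bad_components"]
    return result


# Constructed component images standing in for firmware, bootloader and kernel.
GOOD_CHAIN = [
    ("firmware", b"UEFI firmware v1.2"),
    ("bootloader", b"shim+grub signed build 77"),
    ("kernel", b"vmlinuz-6.1 + initrd"),
]
GOLDEN = {name: measure(blob) for name, blob in GOOD_CHAIN}


def demo() -> dict:
    good_pcr, good_log = measured_boot(GOOD_CHAIN)
    tampered = [(n, b"evil bootkit") if n == "bootloader" else (n, b) for n, b in GOOD_CHAIN]
    bad_pcr, bad_log = measured_boot(tampered)
    # The attacker cannot hide by sending the clean log: it does not replay to
    # the PCR value the TPM actually quotes.
    return {
        "good": attest(good_pcr, good_log, GOLDEN),
        "bootkit": attest(bad_pcr, bad_log, GOLDEN),
        "forged_log": attest(bad_pcr, good_log, GOLDEN),
        "pcr_differs": good_pcr != bad_pcr,
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

The quote in a real system is also signed by a TPM attestation key, which is what ties the PCR value to a specific chip; here that signature step is omitted and only the replay-and-compare logic is shown.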
Active/Active → Optimizes & distributes load across multiple computers / networks
Distributes traffic across all the servers in the web farm → equally with plain round-robin, or according to the configured scheduling algorithm
Scheduling → Load balancers use a scheduling technique to determine where to send a new request.
Round-robin is the simplest scheduling algorithm: each new request goes to the next server in the list
Persistence → Load balancers use source address affinity to direct the request
Source affinity sends requests to the same server based on the requester’s IP address & provides the user with persistence
Load balancers can detect when a server fails → If server stops responding, load balancers will not send request to this server → Contributes to high availability
Active/Passive → One server is active & another server is inactive
If active server fails, the inactive server takes over
The two servers keep a monitoring (heartbeat) connection to each other to check each other's health
Load Balancer Algorithms
Least connection-based → takes load into consideration and sends the next request to the server with the least number of active sessions
Round Robin → simply distributes requests to each server in order
Weighted Time (fastest response) → Uses health-check response times to determine which server is currently responding quickest & routes new traffic to it
Source IP Hash → Hashes the source (& destination) IP address to pick a server, so a client keeps landing on the same server as long as it is healthy → sessions continue without the load balancer tracking per-session state; if that server fails, the client is re-hashed onto the remaining servers
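The scheduling, persistence and health-check behaviour described above, as an added example (not code from the original notes): a small in-memory load balancer over a constructed three-server web farm. The server names, session counts and response times are made up for illustration.

```python
"""Load-balancer scheduling and persistence over a small web farm.

Added example, not part of the original notes. Server names, health states,
session counts and response times are constructed for illustration.
"""
import hashlib
import itertools


class LoadBalancer:
    def __init__(self, servers):
        self.servers = list(servers)
        self.healthy = {s: True for s in self.servers}
        self.active = {s: 0 for s in self.servers}      # active sessions per server
        self.rtt_ms = {s: 0.0 for s in self.servers}    # latest health-check time
        self._rr = itertools.cycle(self.servers)

    def mark_down(self, server):
        """Health check failed: stop sending new requests there."""
        self.healthy[server] = False

    def mark_up(self, server):
        self.healthy[server] = True

    def _pool(self):
        pool = [s for s in self.servers if self.healthy[s]]
        if not pool:
            raise RuntimeError("no healthy backends")
        return pool

    def round_robin(self):
        """Next server in order, skipping servers that failed their health check."""
        self._pool()  # fail fast if nothing is up
        while True:
            s = next(self._rr)
            if self.healthy[s]:
                return s

    def least_connections(self):
        """Healthy server with the fewest active sessions (ties by list order)."""
        return min(self._pool(), key=lambda s: (self.active[s], self.servers.index(s)))

    def fastest_response(self):
        """Server whose last health check answered quickest ('weighted time')."""
        return min(self._pool(), key=lambda s: (self.rtt_ms[s], self.servers.index(s)))

    def source_ip_hash(self, client_ip, dest_ip="203.0.113.10"):
        """Source-address affinity: same client -> same server while it is healthy.
        A SHA-256 is used instead of Python's hash(), which is randomised per
        process; a failed server drops out of the pool and the client is re-hashed."""
        pool = self._pool()
        h = hashlib.sha256(f"{client_ip}|{dest_ip}".encode()).digest()
        return pool[int.from_bytes(h[:8], "big") % len(pool)]

    def open_session(self, server):
        self.active[server] += 1

    def close_session(self, server):
        self.active[server] -= 1


SERVERS = ["web1", "web2", "web3"]  # constructed web farm


def demo() -> dict:
    lb = LoadBalancer(SERVERS)
    rr = [lb.round_robin() for _ in range(4)]                 # web1 web2 web3 web1
    lb.mark_down("web2")
    rr_after_failure = [lb.round_robin() for _ in range(3)]   # web3 web1 web3
    lb.mark_up("web2")
    for s in ("web1", "web1", "web3"):
        lb.open_session(s)
    least = lb.least_connections()                            # web2 has 0 sessions
    lb.rtt_ms.update({"web1": 12.0, "web2": 4.5, "web3": 9.0})
    fastest = lb.fastest_response()                           # web2 answers quickest
    sticky = {lb.source_ip_hash("198.51.100.7") for _ in range(5)}
    return {"rr": rr, "rr_after_failure": rr_after_failure,
            "least_conn": least, "fastest": fastest, "sticky": sticky}
```

Source-IP affinity breaks down behind a large NAT or proxy, where thousands of users share one source address and all land on one server; cookie-based persistence is the usual fix in that case.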
Virtual Local Area Networks (VLAN) → Separates or Segments traffic on physical networks
A logical network segment within a physical network infrastructure that allows devices to be grouped together even if they are not physically connected on the same network switch.
Multiple VLANs can be created on a single switch; routing traffic between VLANs requires a Layer 3 switch or a router, which is where ACLs or a firewall enforce the segmentation
A VLAN can group several computers together or logically separate computers without regard to their physical location
VLANs are used to separate various traffic types (voice, data)
Screened Subnet → Buffer zone between internet & intranet (internal network)
It allows to access services while segmenting access to internal network
An additional layer of security is implemented to protect internal networks from external threats
East-West → Refers to traffic between servers
Intranet → Internal Network
Extranet → Part of the network that can be accessed by authorized entities from outside of network
Zero Trust → A network that doesn’t trust any devices by default, even if it’s previously verified
Helps to reduce attacks from internal clients
Zero trust is not a technology; it is a security model based on the principle of never trusting & always verifying each request
SSL/TLS → Some VPNs use TLS to secure the tunnel (TLS VPN)
A browser-based (clientless) TLS VPN is the easiest for users since it needs no VPN client installed (most user-friendly)
Split Tunnel → A VPN admin determines what traffic should use the encrypted tunnel
Full Tunnel → All traffic goes through the encrypted tunnel while the user is connected to the VPN
Site-to-Site VPN → Includes two VPN servers that act as gateways for two networks separated geographically
IPSec VPNs are used for site-to-site VPNs
Ex. Users in the remote office can connect to the servers in the HQ location easily
Always-On → Create a VPN connection as soon as user’s device connect to the internet
Layer 2 Tunneling Protocol (L2TP) → A tunneling protocol only → Uses UDP port 1701
L2TP has no encryption of its own → It is paired with IPsec (L2TP/IPsec), which provides the confidentiality & integrity of the tunneled data
Combines features of PPTP (Point-to-Point Tunneling Protocol) & L2F (Layer 2 Forwarding) to create a tunnel between two endpoints
HTML5 VPN Portal → Allows users to connect to the VPN using their web browser
It uses TLS to encrypt the session → Can be resource intensive
SSTP → Secure Socket Tunneling Protocol
A VPN protocol developed by Microsoft for creating secure, encrypted connections over the internet
SSTP is designed to provide secure remote access to networks by tunneling Point-to-Point Protocol (PPP) traffic through an SSL/TLS channel. → Port 443 TCP
Network Access Control (NAC) → Refers to a set of technologies & policies used by organizations to ensure that devices connecting to their networks are secure & compliant with established security policies
Features:
Verifies the identity of users and devices attempting to connect to the network.
Checks endpoints (devices) for compliance with security policies and configurations before granting network access.
Defines rules and policies that dictate who and what can access specific parts of the network.
Automatically corrects or isolates non-compliant devices to remediate security issues before allowing access.
Monitors connected devices continuously to detect anomalies or suspicious behavior.
Integrates with existing security solutions such as firewalls, IPS/IDS, SIEM
Helps organizations improve network security by controlling access, enforcing policies, and detecting/responding to security threats in real-time.
Agent-based NAC (permanent agent) → An agent is installed on the client & stays there; it reports the client's health each time the client connects, including remote logons
Dissolvable agent → A temporary agent is downloaded & runs on the client when the client logs on remotely
It collects the information it needs, identifies the client as healthy or unhealthy & reports the status back to the NAC system
Some dissolvable agents remove themselves immediately after reporting to the NAC system
Others remove themselves after the session ends
Agentless NAC → The NAC system scans the client remotely (network scans, directory or device queries) without installing any code on the client
Jump Servers → Also called Jump box → A hardened server used to access & manage devices in another network with a different security zone
A jump server is placed between different security zones
It can provide secure access to devices in screened subnet from internal network
Proxy Servers → Forwards requests from clients for services like HTTP or HTTPS → Forward Proxy Server
Improves performance by caching content
Can restrict users’ access to inappropriate websites by filtering content
A proxy server is located on the edge of the network bordering the internet & intranet
A web proxy can be used to block certain websites.
Transparent Proxy → Clients are unaware of it & need no configuration; it intercepts & forwards requests, usually without modifying them
Non-Transparent Proxy → Clients are explicitly configured to use it; it can modify requests & apply URL filters to restrict access to certain sites
Both types of proxy can log user activity
Reverse Proxy Server → Accepts requests from the internet on behalf of one or more web servers
It appears as a web server to clients but it forwards requests to the web server & serves pages returned by web server
Reverse proxy is configured to protect the web server
Reverse proxy server can be used for a web farm of multiple servers → When it is used with web farm → It can act as a load balancer
Forward Proxy Vs Reverse Proxy
Forward Proxy → A forward proxy regulates client access to the internet, enhancing security and policy enforcement within an internal network
It sits between the client and the internet and forwards client requests to the internet.
In a corporate network, a forward proxy may be used to control access to the internet and enforce security policies.
Reverse Proxy → A reverse proxy, manages external requests to servers, offering load balancing and concealing server identities for added security
It sits in front of servers and directs client requests to the appropriate backend servers.
A reverse proxy can distribute incoming web requests to multiple web servers in a server farm.
NIDS / NIPS
Signature-based Detection → Detects known malware based on signature definitions
Heuristic-Based Detection → Detects previously unknown malware based on behavior
Can detect previously unknown anomalies
Inline → An IPS placed inline with traffic can detect, react to & prevent attacks
Passive → Collects data passively
Heuristic vs Anomaly-based detection
Heuristic: A heuristic IPS uses algorithms & rules that describe suspicious behavior to detect potentially malicious activity, including new & unknown threats; it does not build a baseline of normal activity
Heuristic IPS technology (sometimes backed by machine learning) identifies attacks that have no prior signature
Anomaly-based: An anomaly-based IPS establishes a baseline of normal network behavior & then monitors traffic to detect & block deviations from that baseline → the best fit when the requirement is observing normal activity & blocking deviations → the baseline must be captured while the network is clean, or the attacker's traffic becomes part of "normal"
Hardware Security Module (HSM) → A security device (PCIe card, USB token or network appliance) added to a system to generate, manage & securely store cryptographic keys
An HSM offers the same kind of hardware key protection as a TPM, but it is removable or shared across servers, performs the cryptographic operations itself so keys never leave it, & scales to many keys & high throughput
Many server-based applications (certificate authorities, TLS termination, payment systems) use an HSM to protect keys
Aggregators → Store log entries from dissimilar systems
Firewalls
Stateful → Inspects traffic & makes decisions based on the connection's context or state (e.g. allows an inbound packet only if it belongs to a tracked outbound connection), unlike a stateless packet filter that judges each packet on its own
Unified Threat Management (UTM) → A single solution that combines multiple security controls
UTM will reduce the workloads of admins without sacrificing security
URL Filtering → Performs same job as a proxy server → Block access to sites based on the URL
Admins can configure URL filters to allow / block access to specific sites
Malware Inspection → Screens incoming data for known malware & blocks it
Content Inspection → Monitors incoming data streams & attempts to block any malicious content
Includes spam filter to inspect incoming emails
Can block specific type of transmissions such as audio or video & file types such as .zip
DDOS Mitigator → Attempts to detect DDOS attacks & blocks them
Common security issue of UTM is misconfigured content filter
Key Features → Firewall, IPS/IDS, Antivirus & Anti-malware, Content Filtering, Spam Filtering, Application Control, Web Filtering, DLP, Logging, Reporting
Network Address Translation (NAT) Gateway → NAT is a technique (not a protocol) that rewrites the private source IP address of outbound packets to a public address & rewrites the replies back to the private address
NAT gateway hosts NAT & gives internal clients with private IP addresses a path to the internet
Benefits:
Public IP addresses don't need to be purchased for all clients
NAT hides internal computers from the internet → unsolicited inbound connections have no translation entry & are dropped
Hides the internal network structure, making it harder for attackers to target specific devices → NAT is not a firewall; it does not authenticate or inspect traffic
Static NAT → One-to-one mapping of a single public IP address to a single private address (used to publish an internal server)
Dynamic NAT → Maps private addresses to a pool of public addresses as needed → Port Address Translation (PAT, "NAT overload") lets many private addresses share one public address by also rewriting source ports
Quality of service (QoS) → Refers to technologies running on a network that measure & control different traffic types
It allows admins to prioritize certain types of traffic over others
Implications of IPv6 → Not all devices on the internal network support IPv6 natively; those that do may have it enabled by default, so IPv6 traffic must be filtered & monitored just like IPv4 or it becomes an unwatched path
Port Mirroring → Port Spanning (SPAN) → Allows admins to configure the switch to copy all traffic it receives on chosen ports or VLANs to a single monitoring port
Port mirroring is done by the switch itself (active): under load the switch may drop mirrored frames, so the copy is not guaranteed complete
Network Tap → Network taps copy all traffic to another destination, allowing traffic visibility without a device inline in the forwarding path
Network tapping is completely passive → a hardware tap sees every frame & keeps passing traffic even if the monitoring device fails
File Integrity Monitor (FIM) → Some antivirus scanners use file integrity monitors to detect modified system files by calculating hash of systems files as a baseline
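The hash-baseline approach above, as an added example (not code from the original notes): build a baseline of SHA-256 digests over a directory tree, rescan after a simulated tampering, and report modified, added and removed files by content. The monitored tree is a constructed temporary directory with made-up contents; the digest algorithm and the in-memory baseline format are assumptions for illustration.

```python
"""File integrity monitoring: hash a baseline of files, rescan later and
report modified, added and removed files by content, not by size or mtime.

Added example, not part of the original notes. The monitored tree is a
constructed temporary directory; SHA-256 and the baseline format are assumed.
"""
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path (with '/' separators) -> digest for every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. Because the comparison is content-based, a trojaned
    binary padded to the original size with its timestamp restored is still
    reported as modified."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, rescan, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"#!/bin/sh\necho original ls\n")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)
        # Tamper: replace the binary with one of the same length, plant a
        # preload file, delete a file.
        _write(root, "bin/ls", b"#!/bin/sh\necho trojaned ls\n")
        _write(root, "etc/ld.so.preload", b"/tmp/evil.so\n")
        os.remove(os.path.join(root, "etc/passwd"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only as trustworthy as its storage: keep it off-host or sign it (an HMAC with a key the monitored host does not hold), otherwise an attacker with root simply rewrites the baseline to match the tampered files.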
WPA3 → Uses Simultaneous Authentication of Equals (SAE) instead of the pre-shared key (PSK) handshake used with WPA2
SAE is a variant of the Dragonfly key exchange, which is based on Diffie-Hellman
A password-based authentication & key exchange protocol used primarily in wireless networks
WPA3 is the replacement for WPA2
WPA3 also supports enterprise mode → Uses RADIUS server & requires users to authenticate
SAE helps prevent offline brute-force attacks against the password: an attacker must interact with the network for every guess (a captured handshake can no longer be cracked offline as with WPA2-PSK), which slows brute force to the rate the access point allows
Comparison → WPA3 > WPA2 > WPA > WEP
Counter-mode/CBC-MAC Protocol (CCMP) → WPA2 uses strong cryptographic protocols such as AES & Counter Mode/CBC-MAC Protocol (CCMP)
An encryption protocol used in WiFi networks to provide confidentiality, integrity & authentication.
Simultaneous Authentication of Equals (SAE) → WPA3 uses SAE instead of PSK
Site Survey → Examines the wireless environment to identify potential issues, such as areas with noise or other devices operating on the same frequency bands
Admins can periodically perform site survey to verify that environment hasn’t changed & detect potential security issues
Heat Maps → Gives you a color-coded representation of wireless signals
Color red shows where the wireless signals are strongest
Color blue shows where the wireless signals are weakest
Also it shows dead spots
WiFi Analyzers → Identifies activity on channels within the wireless spectrum & analyze activity in 2.4 & 5 GHz frequency ranges
Allows you to analyze one frequency range at a time & see each channel’s activity on a graph
BSSID → Basic Service Set Identifier → Unique identifier used in 802.11 WiFi networks to identify a specific access point within a Basic Service Set (BSS)
Personal or End-User Account → Admins create these accounts & assign appropriate privileges based on user’s responsibilities
Basic credential policy
Administrator & Root Accounts → Privileged accounts that have additional rights & privileges beyond what a regular user has
Credential policy requires stronger authentication such as MFA
Service Accounts → Some applications & services need to run under the context of an account
Admins create a regular user account for a service like SQL Server, grant it only the privileges it needs & configure the service to run as this account
This account is like a regular user account, but it is used by a service or application rather than a person
Credential policies may require long, complex passwords for these accounts & may exempt them from expiration → a non-expiring password must be long enough that it cannot be guessed, & it should still be rotated when staff who knew it leave
It is common practice to prohibit interactive logins to a GUI or shell for service accounts.
Use of a service account for interactive logins or attempting to log in as one should be immediately flagged and alerted on as an indicator of compromise (IoC).
Device Accounts → Computers & other devices also have accounts
Ex. Microsoft Active Directory only allows users to log on to computers joined to the domain
Third-party Accounts → Accounts from external entities that have access to the network
Strong Credential Policy
Guest Accounts → Useful if you want to grant someone limited access to a computer or network without creating a new account
Admins commonly disable guest accounts & only enable it in special situations
Sponsored Authentication for Guest Accounts → Requires a guest user to provide valid identification when registering their wireless device for use on the network.
This requires that an employee validates the guest’s need for access, which is known as sponsoring the guest.
Shared / Generic Account / Credentials → Organizations create a regular user account that temporary workers will share.
If a temporary agency sends a different person every day, a shared account may be a better solution than a guest account because access can be tailored to the shared account → shared credentials remove individual accountability, so their use should be limited & logged
Knowledge-based authentication → Organization use KBA to prove the identity of individuals
Static KBA → Used to verify the identity when you’ve forgotten your password
Ex. Your first dog’s name
Dynamic KBA → Identifies individuals who do not already have an account
Organizations use this for high-risk transactions, such as in financial institutions or the healthcare industry
The site queries public & private data sources such as credit reports
It crafts multiple-choice questions that only the user should know, & users typically have a limited amount of time to answer → This limits the time an attacker has to search the Internet for accurate answers
Cognitive password attack → A form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity.
If you post a lot of personal information about yourself online, then this type of password can easily be bypassed.
Password Authentication Protocol (PAP) → Used with the Point-to-Point Protocol (PPP) to authenticate clients
A significant weakness of PAP is that it sends passwords over the network in cleartext
Susceptible to sniffing attacks
Challenge-Handshake Authentication Protocol (CHAP) → Also runs over PPP & authenticates remote users, but it is more secure than PAP
The goal of CHAP is to let the client prove it knows the password over a public network without an attacker being able to capture the password & reuse it later
CHAP uses a random challenge & a three-way handshake: the server sends a challenge, the client replies with a hash (MD5) of the identifier, the shared secret & the challenge, & the server recomputes the hash to verify it
The password never crosses the wire & each challenge is fresh, which prevents replay of a captured response; the server can also re-challenge during the session → Both sides must store the secret in recoverable form, & a captured challenge/response pair still allows offline guessing of a weak secret
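The PAP and CHAP exchanges above, as an added example (not code from the original notes): what a sniffer sees in each case, why a captured CHAP response fails against a fresh challenge, and the residual offline-guessing weakness. The user name, shared secret, challenges and the wordlist are constructed; the CHAP response is MD5(identifier || secret || challenge) as specified in RFC 1994.

```python
"""PAP vs CHAP on the wire: what a sniffer captures, why a captured CHAP
response cannot be replayed, and why a weak secret is still at risk.

Added example, not part of the original notes. Secret, user name, challenges
and wordlist are constructed; CHAP response per RFC 1994.
"""
import hashlib
import hmac
import os

SECRET = b"correct horse battery staple"   # constructed shared secret held by both ends


def pap_authenticate_request(username: bytes, password: bytes) -> bytes:
    """PAP: the credential itself is the packet payload, in cleartext."""
    return username + b":" + password


def chap_challenge(length: int = 16) -> bytes:
    """Server: a fresh random challenge for every authentication."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client: prove knowledge of the secret without sending it."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server: recompute with the stored secret and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Attacker: one captured (challenge, response) pair lets the secret be
    guessed offline at hash speed, so CHAP only protects a strong secret."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


def demo() -> dict:
    on_wire_pap = pap_authenticate_request(b"alice", b"hunter2")
    # Legitimate three-way handshake: challenge -> response -> verify
    ident, chal = 1, chap_challenge()
    resp = chap_response(ident, SECRET, chal)
    # Attacker captured (ident, chal, resp) and replays resp against a new challenge
    ident2, chal2 = 2, chap_challenge()
    wordlist = [b"123456", b"password1", b"letmein"]
    weak_resp = chap_response(ident, b"password1", chal)   # a user with a weak secret
    return {
        "pap_exposes_password": b"hunter2" in on_wire_pap,
        "chap_exposes_secret": SECRET in chal + resp,
        "handshake_ok": chap_verify(ident, SECRET, chal, resp),
        "replay_ok": chap_verify(ident2, SECRET, chal2, resp),
        "weak_secret_cracked": offline_guess(ident, chal, weak_resp, wordlist),
        "strong_secret_cracked": offline_guess(ident, chal, resp, wordlist),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the server must recompute the MD5 over the actual secret, CHAP servers store the password reversibly; a database compromise therefore yields every secret directly, which is one reason EAP-TLS or certificate-based methods are preferred for VPN and wireless authentication.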
RADIUS → Remote Authentication Dial-In User Service → Centralized Authentication Service
A networking protocol used for centralized authentication, authorization & accounting (AAA) management in computer networks
RADIUS servers are commonly used to authenticate users accessing network resources, such as Wi-Fi networks, VPNs & other network services
Uses UDP ports 1812 (authentication) & 1813 (accounting); older deployments use 1645 & 1646
Instead of each VPN server needing its own database to identify & authenticate users, the VPN servers forward authentication requests to the central RADIUS server
RADIUS is also used with 802.1X authenticators (switches, access points) for WPA2/WPA3 Enterprise mode
Each VPN server is configured with a shared secret & the RADIUS server is configured with the matching shared secret for each VPN server → the shared secret is all that protects the exchange, so it must be long & unique per client
The centralized RADIUS server holds or queries a central database of user accounts, typically an LDAP directory such as Active Directory
RADIUS uses UDP, which provides only best-effort delivery; the client retransmits if no response arrives
RADIUS hides only the User-Password attribute by default (an MD5-based obfuscation keyed by the shared secret); the rest of the packet, including the user name, is cleartext → Use EAP methods that run inside a TLS tunnel (PEAP, EAP-TLS) or RADIUS over TLS (RadSec) to protect the whole exchange
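What "RADIUS only encrypts the password" means concretely, as an added example (not code from the original notes): the User-Password hiding algorithm from RFC 2865 section 5.2, applied to a constructed Access-Request. The shared secret, user name, password and Request Authenticator values are constructed; the attribute dictionary is a simplification of the real packet encoding.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2) and what it does and
does not protect.

Added example, not part of the original notes. The shared secret, the
Request Authenticator and the password are constructed values.
"""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side. Pad with NULs to a multiple of 16 octets, then per block:
    b1 = MD5(secret || RequestAuthenticator), c1 = p1 XOR b1,
    bN = MD5(secret || c(N-1)),               cN = pN XOR bN."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block_key = hashlib.md5(secret + prev).digest()   # keystream block
        c = _xor(padded[i:i + 16], block_key)
        out += c
        prev = c
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream, XOR back, strip NUL padding
    (assumes the password itself does not end in a NUL byte)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block_key = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], block_key)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(username: bytes, password: bytes, secret: bytes) -> dict:
    """The attributes of an Access-Request as they cross the network: only
    User-Password is hidden; User-Name and everything else is cleartext."""
    request_auth = os.urandom(16)   # fresh per request; reuse would leak keystream
    return {
        "User-Name": username,
        "Request-Authenticator": request_auth,
        "User-Password": hide_password(password, secret, request_auth),
    }


if __name__ == "__main__":
    pkt = access_request(b"alice", b"hunter2", b"shared-secret")
    print("on the wire:", pkt)
    print("server recovers:", reveal_password(pkt["User-Password"], b"shared-secret",
                                              pkt["Request-Authenticator"]))
```

The keystream depends only on the shared secret and the Request Authenticator, so an attacker who captures traffic and learns one password can derive the first keystream block and decrypt the first 16 bytes of every other password sent with that authenticator; a weak shared secret can likewise be brute-forced from captured packets. This is why the notes recommend EAP or RadSec rather than relying on this hiding alone.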
TACACS+ → Terminal Access Controller Access-Control System Plus → RADIUS alternative (Cisco-originated)
Uses port 49
Uses TCP to provide Authentication, Authorization & Accounting services
It provides two essential security benefits over RADIUS
It encrypts the entire authentication process
It uses multiple challenges & responses between the client & server
Commonly used for administrative access to network devices, where its per-command authorization matters; it can be used alongside Kerberos
SAML → Security Assertion Markup Language → an XML based format used for SSO on web browsers
If organization trust each other, they can use SAML as a federated identity management system
Users authenticate with one website & are not required to authenticate again when accessing the second website
Many web based portal use SAML for SSO
SAML defines three roles:
Principal → Typically a user → The user logs on once; when a service provider needs proof of identity, the principal obtains an assertion from the identity provider
Identity Provider (IdP) → Creates, maintains & manages identity information for principals
Service Provider → An entity that provides services to principals
Kerberos → A network authentication protocol used within Windows Active Directory domains & some unix environments known as realms
It provides mutual authentication that can help to prevent on-path attacks & uses tickets to prevent replay attacks
Uses port 88
Kerberos includes several requirement to work properly:
A method of issuing tickets used for authentication:
A key distribution center uses a complex process of issuing ticket-granting tickets (TGTs) & other tickets
Tickets provide authentication for users when they access resource such as files on the file server
These tickets sometimes referred as tokens
Time Synchronization → Kerberos v5 requires all systems to be synchronized within 5 minutes of each other
Helps to prevent replay attacks
A database of subjects or users → DB of users
When a user logs on to Kerberos, the KDC issues a ticket-granting ticket to the user, typically with a lifetime of 10 hours so it lasts a single workday
When the user tries to access a resource, they present the TGT to the KDC & are issued a service ticket for that resource
Kerberos uses symmetric key cryptography to prevent unauthorized disclosure & ensure confidentiality
Kerberos does not send the user's password across the network → When the user's name is sent to the authentication service, the service retrieves the key derived from the user's password from its database & uses it to encrypt the reply sent back to the user → The user's machine derives the same key from the password the user entered & uses it to decrypt the reply → A wrong password yields a key that cannot decrypt it
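The AS exchange described above (password never sent, KDC reply encrypted under the password-derived key, 5-minute clock skew), as an added example that is not code from the original notes. The cipher is a toy (SHA-256 keystream plus an HMAC-SHA256 tag) standing in for Kerberos' AES encryption types, string_to_key is a plain salted SHA-256 rather than the real PBKDF2-based derivation, and the realm, users, passwords and timestamps are constructed.

```python
"""Toy Kerberos AS exchange: the password never crosses the network. The KDC
encrypts its reply under the key derived from the user's stored secret, so
only a client holding the right password can read the session key, and the
encrypted pre-authentication timestamp is checked against the 5-minute skew.

Added example, not part of the original notes. Toy cipher and key derivation,
constructed realm/users/passwords/timestamps.
"""
import hashlib
import hmac
import json
import os

MAX_SKEW = 300            # Kerberos v5 default maximum clock skew, in seconds
TGT_LIFETIME = 10 * 3600  # 10-hour ticket, one workday


def string_to_key(password: str, realm: str, user: str) -> bytes:
    """Long-term key derived from the password, salted with realm and user."""
    return hashlib.sha256((realm + user + password).encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Authentication service with a user database of derived keys."""

    def __init__(self, realm: str):
        self.realm = realm
        self.db = {}                    # user -> long-term key; passwords are never stored
        self.krbtgt_key = os.urandom(32)

    def register(self, user: str, password: str) -> None:
        self.db[user] = string_to_key(password, self.realm, user)

    def as_exchange(self, user: str, preauth: bytes, now: float) -> dict:
        """Handle AS-REQ: verify the encrypted timestamp, then return AS-REP."""
        key = self.db[user]
        ts = int(decrypt(key, preauth).decode())    # wrong password -> ValueError
        if abs(now - ts) > MAX_SKEW:
            raise ValueError("clock skew too great: stale or replayed pre-auth")
        session_key = os.urandom(32)
        exp = now + TGT_LIFETIME
        tgt = encrypt(self.krbtgt_key, json.dumps(
            {"user": user, "sk": session_key.hex(), "exp": exp}).encode())
        enc_part = encrypt(key, json.dumps({"sk": session_key.hex(), "exp": exp}).encode())
        return {"tgt": tgt, "enc_part": enc_part}


class Client:
    def __init__(self, realm: str, user: str, password: str):
        self.user = user
        self.key = string_to_key(password, realm, user)   # derived locally, never sent

    def preauth(self, now: float) -> bytes:
        return encrypt(self.key, str(int(now)).encode())

    def login(self, kdc: KDC, now: float):
        rep = kdc.as_exchange(self.user, self.preauth(now), now)
        enc = json.loads(decrypt(self.key, rep["enc_part"]))
        return bytes.fromhex(enc["sk"]), rep["tgt"]


def demo() -> dict:
    realm, now = "EXAMPLE.COM", 1_700_000_000.0
    kdc = KDC(realm)
    kdc.register("alice", "hunter2")
    results = {}
    sk, tgt = Client(realm, "alice", "hunter2").login(kdc, now)
    results["login"] = "ok" if len(sk) == 32 and tgt else "failed"
    try:
        Client(realm, "alice", "wrong-password").login(kdc, now)
        results["wrong_password"] = "accepted"
    except ValueError:
        results["wrong_password"] = "rejected"
    stale = Client(realm, "alice", "hunter2").preauth(now - 600)   # captured 10 min ago
    try:
        kdc.as_exchange("alice", stale, now)
        results["replayed_preauth"] = "accepted"
    except ValueError:
        results["replayed_preauth"] = "rejected"
    return results
```

Pre-authentication matters: without the encrypted timestamp the KDC would hand an AS-REP to anyone who asks for a user name, and the enc_part (encrypted under the password-derived key) could then be cracked offline. The 5-minute skew check is also why the notes list time synchronization as a Kerberos requirement.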
Rule-Based Access Control (Rule-BAC) → Routers & firewalls use rules within access control lists (ACLs)
It is based on set of approved instructions such as ACL
Some Rule-BAC uses rules that trigger in response to an event, such as modifying ACL after detecting an attack or granting additional permissions to a user in a certain situations
Mandatory Access Control (MAC) → Uses labels (sometimes referred as sensitivity labels or security labels) to determine access
Security admins assign labels to both subjects (users) & objects (files / folders)
When the subject's label (clearance) satisfies the object's label (classification), the system can grant the subject access to the object
It is commonly used when access needs to be restricted based on need to know
Security labels often reflect classification levels of data & clearances granted to individuals
Discretionary Access Control (DAC) → In DAC, objects have an owner & owner establishes access for the objects
Many operating systems such as Windows & Unix-based systems use DAC scheme
Ex. New Technology File System (NTFS) → Provides security by allowing users & admins to restrict access to files & folders with permissions
DAC scheme is more flexible than MAC scheme
Conditional Access → Conditional Access policies use signals, which are similar to attributes in ABAC scheme
Some common signals are:
User / Group membership, IP Location, Device
Privileged Access Management (PAM) → Allows an organization to apply more stringent security controls over accounts with elevated privileges such as admin / root account
PAM implements the concept of just in-time administration → Admins won’t have administrative privileges until they need them → When they need them, they send a request for the elevated privileges
PAM system grant the request, typically by adding the account to a group with elevated privileges
After a pre-set time (such as 15 minutes), their account is automatically removed from the group, revoking the privileges
PAM Capabilities:
Allows users to access the privileged account without knowing the password (the PAM vault checks the credential out, injects it into the session & can rotate it after use)
Intermediate CA → The root CA issues certificates to intermediate CAs; intermediate CAs issue certificates to child (issuing) CAs or directly to devices & end users → keeping the root offline & issuing from intermediates limits the damage if an issuing CA key is compromised
Registration Authority (RA) → Assists the CA by collecting registration information
RA never issues certificates, instead it only assist in registration process
The registration authority works with the certificate authority to identify and authenticate the certificate requester.
Certificate Revocation List (CRL) → CAs use CRL to revoke certificates
A CRL is an X.509 v2 CRL structure, signed by the CA, that lists revoked certificates by serial number with the revocation time & a next-update time → clients must download it (& cache it until the next update) to use it
Since public keys are distributed via certificates, adding certificate in CRL is best way to deauthorize a public key
Certificate Elements:
Serial Number → Uniquely identifies the certificate
Issuer → Identifies the CAs that issued the certificate
Validity Dates → Includes “Valid From” & “Valid To” dates
Subject → Identifies the owner of the certificate
Public Key → Asymmetric encryption uses the public key in combination with the matching private key
Usage → The Key Usage & Extended Key Usage extensions restrict a certificate to purposes such as encryption, digital signature, server/client authentication or code signing
Certificates Attributes:
CN → Common Name → fully qualified domain name (FQDN) → modern clients match the host name against the Subject Alternative Name instead & ignore the CN when a SAN is present
O → Organization
L → Locality
ST → State or Province
C → Country
Online Certificate Status Protocol (OCSP) → Allows client to query the CA with the serial number of the certificate to determine if it is valid
Indicates if certificate is good, revoked or unknown
OCSP is a protocol used by the browser to check the revocation status of a certificate
DV (Domain Validation) Certificate → CA verifies that the certificate subject has control of the domain name
EV (Extended Validation) Certificate → prove that the X.509 certificate has been issued to the correct legal entity.
Certificate Signing Request (CSR) → Used to request a certificate
The certificate signing request is sent with the public key to the certificate authority
Once the certificate information has been verified, the CA will digitally sign the public key certificate.
Subject Alternative Name (SAN) → SAN certificate is used for multiple domains that have different names but are owned by the same organization → Ex. x.google.com, x.android.com
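How a client decides which host names a certificate covers, using the SAN, CN and Validity Dates elements listed above, as an added example that is not code from the original notes. Certificates here are constructed dictionaries rather than parsed X.509 objects, and the field names are assumptions for illustration; the SAN list mirrors the x.google.com / x.android.com example with a constructed wildcard entry added.

```python
"""Which host names a certificate is valid for: the SAN dNSName entries when
present (the CN is then ignored), otherwise the CN, with RFC 6125 wildcard
rules, plus the validity window.

Added example, not part of the original notes. Certificates are constructed
dictionaries; field names are assumptions.
"""
from datetime import datetime, timezone


def _name_matches(name: str, host: str) -> bool:
    """Exact match, or a wildcard that is the whole leftmost label and matches
    exactly one label: *.example.com covers a.example.com but not example.com,
    a.b.example.com, and f*o.example.com is rejected outright."""
    if "*" not in name:
        return name == host
    name_labels, host_labels = name.split("."), host.split(".")
    if name_labels[0] != "*" or len(name_labels) < 3 or any("*" in l for l in name_labels[1:]):
        return False
    return len(host_labels) == len(name_labels) and host_labels[1:] == name_labels[1:]


def match_hostname(hostname: str, san_dns: list, cn: str) -> bool:
    """Use only the SAN when it is present; fall back to the CN only without one."""
    candidates = list(san_dns) if san_dns else ([cn] if cn else [])
    host = hostname.lower().rstrip(".")
    return any(_name_matches(c.lower().rstrip("."), host) for c in candidates)


def verify_certificate(cert: dict, hostname: str, now: datetime) -> list:
    """Return the reasons a certificate is not acceptable for hostname at time now
    (revocation and chain checks are out of scope for this example)."""
    problems = []
    if now < cert["not_before"]:
        problems.append("certificate not yet valid")
    if now > cert["not_after"]:
        problems.append("certificate expired")
    if not match_hostname(hostname, cert.get("san_dns", []), cert.get("cn")):
        problems.append("hostname does not match SAN/CN")
    return problems


# Constructed SAN certificate in the spirit of the x.google.com / x.android.com example.
SAN_CERT = {
    "cn": "x.google.com",
    "san_dns": ["x.google.com", "x.android.com", "*.youtube.com"],
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
}


def demo() -> dict:
    in_window = datetime(2024, 6, 1, tzinfo=timezone.utc)
    after = datetime(2025, 6, 1, tzinfo=timezone.utc)
    return {
        "android_ok": verify_certificate(SAN_CERT, "x.android.com", in_window),
        "wildcard_ok": verify_certificate(SAN_CERT, "mail.youtube.com", in_window),
        "wildcard_two_labels": verify_certificate(SAN_CERT, "a.b.youtube.com", in_window),
        "other_google_host": verify_certificate(SAN_CERT, "evil.google.com", in_window),
        "expired": verify_certificate(SAN_CERT, "x.android.com", after),
    }
```

The practical consequence: a certificate whose CN is correct but whose SAN lists a different set of names fails in current browsers, and a wildcard certificate is only a convenience for one label level, not a licence to cover every subdomain.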