{"title":"Alikhan Uzakov","link":[{"@attributes":{"href":"https:\/\/uzakov.io\/atom.xml","rel":"self"}},{"@attributes":{"href":"https:\/\/uzakov.io\/"}}],"updated":"2025-12-23T19:17:23+00:00","id":"https:\/\/uzakov.io","author":{"name":"Alikhan Uzakov","email":"alikhanatthisdomain"},"entry":[{"title":"Executing arbitrary JavaScript from third-party origin when processing HTTP Basic Auth in Firefox, the story behind Bugzilla 1944926 and no CVE.","link":{"@attributes":{"href":"https:\/\/uzakov.io\/2025\/12\/23\/javascript-injection-via-basic-auth-in-firefox-the-story-behind-bugzilla-1944926-and-no-cve\/"}},"updated":"2025-12-23T00:00:00+00:00","id":"https:\/\/uzakov.io\/2025\/12\/23\/javascript-injection-via-basic-auth-in-firefox-the-story-behind-bugzilla-1944926-and-no-cve","content":"<p><em>All opinions in this post are my own (and my colleague\u2019s), and do not represent any employer, organization, or institution with which we are or have been affiliated.<\/em><\/p>\n\n<p>Whenever I\u2019m asked for a password on the web, I try to be deliberately boring. <strong>This is a simplified explanation for the sake of the article<\/strong>, but the habit is basically:<\/p>\n\n<ul>\n  <li>I prefer using bookmarked URLs (or typed URLs I\u2019ve used a hundred times).<\/li>\n  <li>And if something feels even slightly off, I click the lock icon and inspect the certificate \/ site identity details to confirm I\u2019m really talking to the domain I think I am.<\/li>\n  <li>Use VMs<\/li>\n<\/ul>\n\n<p>One day I visited a URL and got HTTP Basic Authentication prompt. 
But when I clicked the lock icon to double-check the site identity, I got a surprise. (The domains below are examples for illustration; they are not the actual URL I visited.)\n<img src=\"https:\/\/uzakov.io\/public\/images\/2025\/image8.png\" alt=\"HTTP Auth URLs mismatch\" title=\"Title\" \/>\nThe <strong>domain shown in the identity\/certificate UI did not match the domain shown in the URL bar<\/strong>, while Firefox was actively asking me for credentials. Note how the URL bar references Twillio while the certificate shows a different domain.<\/p>\n\n<p>My first thought was: What\u2019s going on?\nDid I get hacked?\n<img src=\"https:\/\/uzakov.io\/public\/images\/2025\/image1.gif\" alt=\"Hmmmmm\" title=\"Hmmmm\" \/><\/p>\n\n<p>That question turned into a rabbit hole, and eventually into an attack vector we could actually demo. Start an async XHR on an attacker page and immediately navigate the victim to a legitimate site\u2019s HTTP Basic Auth prompt. Firefox will still run the attacker\u2019s XHR callback while the URL bar shows the legitimate site, so we can trigger a download at that moment and then call window.stop(). No matter what the user types (or even if they cancel), the auth flow is terminated and the victim is dropped back onto our page, where we can socially engineer them into opening the \u201ctrusted-looking\u201d file and go from there.<\/p>\n\n<p>ELI5: You send the victim to a malicious site, then redirect them to a legitimate site\u2019s HTTP Basic Auth prompt. 
While the URL bar shows the legitimate site, you start a file download from the malicious site, and no matter what the victim types into the auth window, you force them back to your page, where you use social engineering (and possibly another bug) to convince them to open the file and continue the attack.<\/p>\n\n<p>Philip (<a href=\"https:\/\/www.linkedin.com\/in\/sysmus3p\">https:\/\/www.linkedin.com\/in\/sysmus3p<\/a>) and I filed this with Mozilla as <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1944926\">Bug 1944926<\/a>, \u201cExecuting arbitrary JavaScript from a third-party origin when processing HTTP Basic Auth.\u201d And yes: <strong>no CVE<\/strong> (which we do not agree with).<\/p>\n\n<h2 id=\"what-we-tried\">What we tried<\/h2>\n<p>After an initial investigation to make sure I hadn\u2019t been hacked, that the URL wasn\u2019t Punycode, and that no software on the machine was interfering, I realized this was a bug and that something interesting could be done, so I reached out to Philip.<\/p>\n\n<p>The bug is about the <strong>gap between what Firefox is showing in the UI and which origin is actually running JavaScript<\/strong> while an HTTP authentication prompt is displayed.<\/p>\n\n<h3 id=\"first-look\">First look<\/h3>\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2025\/image10.png\" alt=\"HTTP Auth\" title=\"HTTP Auth\" \/>\nThe previous page is not unloaded, but the HTTP Auth URL is displayed in the address bar. 
To be clear: this is NOT a Same-Origin Policy (SOP) bypass.<\/p>\n\n<p>We may be able to execute arbitrary JavaScript from the previous origin (an attacker-controlled domain) while the address bar is displaying a different URL.\n<img src=\"https:\/\/uzakov.io\/public\/images\/2025\/image11.png\" alt=\"HTTP Auth\" title=\"HTTP Auth\" \/><\/p>\n\n<p>A few ideas we had:<\/p>\n\n<h3 id=\"idea-1-javascript-keylogger---failed\">Idea 1: JavaScript Keylogger - FAILED<\/h3>\n<p>What if we set up a JS event handler to intercept key presses?<\/p>\n\n<p>Can we log the credentials the victim types into the HTTP Basic Auth prompt this way?\n<img src=\"https:\/\/uzakov.io\/public\/images\/2025\/image12.png\" alt=\"Idea 1\" title=\"Idea 1\" \/><\/p>\n\n<p>No. Firefox pauses JavaScript execution on the old page when navigating to the HTTP Auth prompt: DOM event handlers and setInterval callbacks do not fire while the prompt is up, and keystrokes go to the browser dialog, not to the page. This limitation seems reasonable and secure.\n<img src=\"https:\/\/uzakov.io\/public\/images\/2025\/image13.png\" alt=\"Cat nope\" title=\"Cat nope\" \/><\/p>\n<h3 id=\"idea-2\">Idea 2:<\/h3>\n\n<ul>\n  <li>You start on an <strong>attacker-controlled<\/strong> domain: <code class=\"language-plaintext highlighter-rouge\">attacker.tld<\/code>.<\/li>\n  <li>The page navigates to <code class=\"language-plaintext highlighter-rouge\">thirdparty.tld<\/code>, which is protected by HTTP Basic Auth.<\/li>\n  <li>While the Basic Auth dialog for <code class=\"language-plaintext highlighter-rouge\">thirdparty.tld<\/code> is on screen and the URL bar already shows <code class=\"language-plaintext highlighter-rouge\">thirdparty.tld<\/code>, Firefox will still:\n    <ul>\n      <li>fire certain <strong>XMLHttpRequest (XHR) event handlers<\/strong> from the old page, and<\/li>\n      <li>allow that code to call things like <code class=\"language-plaintext highlighter-rouge\">window.stop()<\/code> and trigger a file download <strong>while the URL bar still displays<\/strong> <code class=\"language-plaintext highlighter-rouge\">thirdparty.tld<\/code> (the download 
is from <code class=\"language-plaintext highlighter-rouge\">attacker.tld<\/code>).<\/li>\n    <\/ul>\n  <\/li>\n  <li>The attacker then forces the user back to <code class=\"language-plaintext highlighter-rouge\">attacker.tld<\/code> after the user enters credentials or cancels.<\/li>\n  <li>The attacker asks the user to open the downloaded file.<\/li>\n<\/ul>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2025\/image14.png\" alt=\"Idea 2\" title=\"Idea 2\" \/><\/p>\n\n<p>Attack demo:<\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2025\/image2.gif\" alt=\"Idea 2\" title=\"Idea 2\" \/><\/p>\n\n<p>From a user\u2019s perspective, this can look like:<\/p>\n\n<blockquote>\n  <p>\u201cI just authenticated to \u2018trustedwebsite.com\u2019 and now it\u2019s asking me to open a file that downloaded while I was logging in.\u201d<\/p>\n<\/blockquote>\n\n<p>Under the hood, though, that download is being initiated by JavaScript from \u2018attacker.local\u2019, not from the trusted site. 
The identity panel (the \u201csite information\u201d popup) still exposes that fact - but the URL bar and the timing are working against the user.<\/p>\n\n<p>Mozilla\u2019s security team eventually decided this is <strong>a bug, but not a security bug<\/strong> in their classification system - so: <em>no CVE<\/em>.<\/p>\n\n<h2 id=\"the-core-idea-of-the-bug\">The core idea of the bug<\/h2>\n\n<p>Our setup used two hostnames pointing to the same machine:<\/p>\n\n<ul>\n  <li>\u2018attacker.local\u2019<\/li>\n  <li>\u2018thirdparty.local\u2019<\/li>\n<\/ul>\n\n<p>And an app behind them to simulate:<\/p>\n\n<ul>\n  <li>an attacker-controlled landing page, and<\/li>\n  <li>a \u201ctrusted\u201d site protected by HTTP Basic Auth.<\/li>\n<\/ul>\n\n<p>At a very high level, the exploit chain looks like this:<\/p>\n\n<ol>\n  <li>\n    <p>Start on the attacker page<br \/>\nThe user lands on \u2018http:\/\/attacker.local:8080\u2019 and will be sent on to \u2018thirdparty.local\u2019 by the steps below.<\/p>\n  <\/li>\n  <li>\n    <p>Fire an asynchronous XHR with a delay<br \/>\nThe attacker page sends an asynchronous XHR to an endpoint like \u2018\/sleep\u2019, which simply waits a bit before responding. A handler is registered for the XHR\u2019s state change.<\/p>\n  <\/li>\n  <li>Immediately navigate to a Basic Auth-protected resource<br \/>\nThe script then sets \u2018document.location\u2019 to something under \u2018thirdparty.local\u2019 that requires HTTP Basic Auth.\n    <ul>\n      <li>Firefox starts navigating.<\/li>\n      <li>The URL bar updates to \u2018thirdparty.local\u2019.<\/li>\n      <li>A modal Basic Auth prompt appears asking for credentials for \u2018thirdparty.local\u2019.<\/li>\n    <\/ul>\n  <\/li>\n  <li>XHR handler still runs, even though the page is \u201cfrozen\u201d<br \/>\nAt this point, the user sees the auth dialog and the new URL. 
The old page is visually gone and input is blocked, but under the hood:\n    <ul>\n      <li>The XHR completes, and<\/li>\n      <li>Its event handler is invoked on the original document.<\/li>\n    <\/ul>\n\n    <p>This behaviour - XHR event handlers firing while a modal dialog is open - is an old known quirk in Firefox.<\/p>\n  <\/li>\n  <li>\n    <p>In the handler, control the timing and outcome<\/p>\n\n    <p>In that event handler, the attacker can:<\/p>\n\n    <ul>\n      <li>Use a synchronous XHR as a crude \u201csleep\u201d to make sure the Basic Auth dialog is fully visible.<\/li>\n      <li>Call \u2018window.stop()\u2019 to cancel the authentication flow once the user submits credentials.<\/li>\n      <li>Trigger a file download from \u2018attacker.local\u2019 at just the right moment.<\/li>\n    <\/ul>\n  <\/li>\n<\/ol>\n\n<p>From the browser\u2019s perspective, all of this code still runs in the attacker\u2019s origin, there is no SOP bypass or cross-origin script execution. But from the user\u2019s perspective, the sequence is:<\/p>\n\n<ol>\n  <li>Land on a page.<\/li>\n  <li>See the browser ask for credentials for <code class=\"language-plaintext highlighter-rouge\">trustedwebsite.com<\/code> in the URL bar.<\/li>\n  <li>A download appears at the same time as the credential prompt.<\/li>\n  <li>Enter credentials.<\/li>\n  <li>The prompt closes, and they end up back on what looks like a follow-up page that mentions a document.<\/li>\n<\/ol>\n\n<h2 id=\"what-the-user-actually-sees-and-why-its-confusing\">What the user actually sees (and why it\u2019s confusing)<\/h2>\n\n<p>The behaviour we reported has two UI oddities:<\/p>\n\n<ol>\n  <li><strong>Address bar vs identity panel mismatch<\/strong>\n    <ul>\n      <li>The URL bar shows the third-party domain (\u2018thirdparty.tld\u2019 \/ the \u201ctrusted\u201d site).<\/li>\n      <li>If the user clicks the site identity button (the lock \/ info icon), Firefox shows details tied to the attacker origin - 
because that\u2019s where the running document actually lives.<\/li>\n    <\/ul>\n  <\/li>\n  <li><strong>Download timing that looks like it came from the trusted site<\/strong><br \/>\nBecause the attacker can delay the download until <em>after<\/em> the URL bar shows the trusted origin and the user has seen its auth prompt, the user\u2019s mental model becomes:\n    <blockquote>\n      <p>\u201cI authenticated to X, X gave me a file.\u201d<\/p>\n    <\/blockquote>\n\n    <p>In reality, it\u2019s:<\/p>\n    <blockquote>\n      <p>\u201cI visited attacker.tld, attacker.tld downloaded a file while Firefox was busy showing an auth dialog for X.\u201d<\/p>\n    <\/blockquote>\n  <\/li>\n<\/ol>\n\n<h2 id=\"why-we-thought-this-might-deserve-a-cve\">Why we thought this might deserve a CVE<\/h2>\n\n<p>When we filed the report, we framed it as:<\/p>\n\n<p>\u201cExecuting JavaScript from an attacker origin while Firefox is visually representing a different origin, in a security-sensitive context (HTTP auth).\u201d<\/p>\n\n<p>From a phishing and malware delivery perspective, this is attractive because:<\/p>\n\n<ul>\n  <li><strong>HTTP Auth is still widely used<\/strong> in internal tools and admin interfaces, often in front of pages that handle sensitive operations.<\/li>\n  <li>There is a visual mismatch between the URL displayed and the origin actually running code, and during that window the attacker can still act: trigger a download and call <code class=\"language-plaintext highlighter-rouge\">window.stop()<\/code>.<\/li>\n<\/ul>\n\n<p>To be clear: the browser isn\u2019t mislabeling the file\u2019s origin in the download UI, and we\u2019re not escaping any sandbox. The issue is about perception and timing: during the HTTP Basic Auth prompt, the URL bar can show the <strong>legitimate site<\/strong>, while the user can still be served a file\/download initiated by JavaScript from the <strong>attacker-controlled domain<\/strong>. 
This is not code execution on the trusted domain; it\u2019s a UI\/attribution mismatch at the worst possible moment.<\/p>\n\n<p>Still, from our point of view as people who care about phishing and UX, this felt like an interesting edge case.<\/p>\n\n<p>PS: We reported the same issue to Tor, and Tor is also vulnerable\/affected by this bug.<br \/>\nPPS: An LLM was used mainly to help check grammar.<\/p>\n\n<p>Further links and reading:<\/p>\n\n<p>[1] <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1944926\">https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1944926<\/a> has demo files you can use to reproduce this \u201cattack\u201d\/bug<\/p>\n\n<p>[2] <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2023\/10\/clever-malvertising-attack-uses-punycode-to-look-like-legitimate-website\">https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2023\/10\/clever-malvertising-attack-uses-punycode-to-look-like-legitimate-website<\/a> - how punycode gets used to trick users<\/p>\n\n<hr \/>\n"},{"title":"Why every Security Engineer needs to know UX, program management and be imperfect.","link":{"@attributes":{"href":"https:\/\/uzakov.io\/2024\/07\/09\/why-every-security-engineer-needs-to-know-UX-program-management-and-be-imperfect\/"}},"updated":"2024-07-09T00:00:00+00:00","id":"https:\/\/uzakov.io\/2024\/07\/09\/why-every-security-engineer-needs-to-know-UX-program-management-and-be-imperfect","content":"<p>In the past decade, the landscape of technical roles has transformed dramatically. Where once software engineers, ops, and sysadmins had distinct skill sets, the advent of DevOps has blurred these lines, creating an expectation for multifaceted expertise.<\/p>\n\n<p>In the security field, while technical expertise remains paramount, it\u2019s crucial to balance this with project management skills and a deep understanding of user and client needs. Your colleagues are your internal clients, and being able to manage projects efficiently and empathize with user requirements can be as important as keeping up with the latest security trends. 
Often a \u201cperfect technical solution\u201d is neither what is needed nor what is required by a company.<\/p>\n\n<p><strong>Hint<\/strong>: Maybe you don\u2019t need Kubernetes: <a href=\"https:\/\/endler.dev\/2019\/maybe-you-dont-need-kubernetes\/\">https:\/\/endler.dev\/2019\/maybe-you-dont-need-kubernetes\/<\/a><\/p>\n\n<p>Stepping back and looking more generically, there are three things I\u2019ve seen that differentiate many good security engineers from bad ones: knowledge of UX, project management and admitting when they are wrong. Delivering a good user experience, understanding the customer and providing a solid product is often the 10x multiplier that many people strive for but do not always achieve.<\/p>\n\n<p><a href=\"https:\/\/www.marclittlemore.com\/be-a-force-multiplier\/\">https:\/\/www.marclittlemore.com\/be-a-force-multiplier\/<\/a><\/p>\n<h2 id=\"ux\"><strong>UX<\/strong><\/h2>\n\n<p><strong>User experience<\/strong> (UX) design is the process design teams use to create products that provide meaningful and relevant experiences to users.<\/p>\n\n<p>What many security engineers don\u2019t realise is that the product does not have to be software; it can also be the work they deliver.<\/p>\n\n<p>Security processes, policies, and internal offerings often suffer from poor user experience. Consider the difference between presenting a security tool with no automation, documentation, or examples versus providing a tool accompanied by thorough documentation, automated processes, and accessible security support channels. 
The latter approach not only improves usability and the overall user experience but also leads to better adherence to security protocols.<\/p>\n\n<p>What we should strive for is providing a good user experience: easy-to-use security services, tools and documentation.<\/p>\n\n<h2 id=\"program-and-project-management\">Program and project management<\/h2>\n\n<p>How often do security people ask themselves:<\/p>\n\n<p>\u201cWould I be satisfied with this product\/service\/feature if I were the user?\u201d<\/p>\n\n<p>\u201cDoes the business actually need this perfect implementation, or can the issue be solved by a less technically perfect solution?\u201d<\/p>\n\n<p>Striving for the perfect solution isn\u2019t always the best approach. Effective security engineers understand the importance of finding a balance between technical excellence and business practicality. Instead of chasing perfection or settling for a quick fix, they seek the \u2018right level of good\u2019\u2014a solution that is both effective and feasible.<\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2024\/relevant_xkcd_comics.png\" alt=\"https:\/\/xkcd.com\/1425\/\" \/>\n<em>https:\/\/xkcd.com\/1425\/<\/em><\/p>\n\n<p>As unusual as it sounds, good security engineers get deeply involved not only with the tech side but also with the product and project management side. Getting involved with other teams, driving security initiatives, removing roadblocks (how often has a lack of automation been an issue for you?) and adapting to your client are things good engineers strive for.<\/p>\n\n<h2 id=\"being-imperfect\">Being imperfect<\/h2>\n\n<p>The Unseen Virtue in Engineering: Humility<\/p>\n\n<p>Humility is a critical yet often overlooked trait in security engineering. No matter your level of skill or experience, a hostile or toxic attitude can hinder team productivity and morale. 
Great security engineers recognize their imperfections, welcome honest feedback, and rely on collaborative efforts to achieve common goals.<\/p>\n\n<p>Ultimately, what distinguishes great security engineers is their balanced skill set\u2014combining technical prowess with project management, UX understanding, and humility. By recognizing their limitations and valuing team collaboration, they drive security initiatives that are not only effective but also embraced by the entire organization.<\/p>\n"},{"title":"The Inconvenience of 2FA Convenience","link":{"@attributes":{"href":"https:\/\/uzakov.io\/2023\/07\/18\/the-inconvenience-of-2FA-Convenience\/"}},"updated":"2023-07-18T00:00:00+00:00","id":"https:\/\/uzakov.io\/2023\/07\/18\/the-inconvenience-of-2FA-Convenience","content":"<div class=\"message\">\nWhy your 2FA might not be an actual 2FA: the story of how I broke my phone screen\n<\/div>\n<p>A common piece of advice in the security world for securing your accounts and services is to use two-factor authentication (2FA). The \u201cUse 2FA to be safe!\u201d slogan often fails to take into account that many, if not most, people keep the second factor on the same device that holds the first factor.<\/p>\n\n<p>Some quotes from the Web about 2FA:<\/p>\n\n<p><em>2FA is essential to web security because it immediately neutralizes the risks associated with compromised passwords. [1]<\/em><\/p>\n\n<p><em>Using multi-factor authentication blocks 99.9% of account hacks [2]<\/em><\/p>\n\n<p><em>The use of multi-factor authentication (MFA) could prevent as much as 80\u201390% of cyber-attacks [3]<\/em><\/p>\n\n<p>These types of advice and quotes are plentiful in magazines, forums and all around the web. 
Someone reading this might easily assume that using 2FA automatically guarantees safety and security.<\/p>\n\n<p>Let\u2019s imagine a scenario: while heading to Borough Market in London on a Saturday afternoon, you take out your phone to check WhatsApp and send a message. The next thing you know, your phone is stolen. Unlikely? Well, according to official figures, a phone is reported stolen in London every six minutes [4][5]. Thieves in London often snatch phones from bicycles or mopeds, preying on victims who are walking down the street with phones in their hands.<\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2023\/SD_London.png\" alt=\"Image generated by Stable Diffusion - Thief on bike snatching phone from walking person in London, photography, two people, 4k, 8k\" \/>\n<em>Image generated by Stable Diffusion - Thief on bike snatching phone from walking person in London, photography, two people, 4k, 8k<\/em><\/p>\n\n<p>Thieves used to target phones primarily to resell them for parts, but times have changed. More and more people are becoming victims of \u201ccrypto muggings\u201d [6], theft from bank accounts and data theft. Just think about the amount of important data an average person has stored in Gmail, Dropbox and the phone itself. If a malicious person were to gain access to your inbox and the 2FA app on your phone, could they access your accounts and steal your money?<\/p>\n\n<p>Consider this: a thief who has stolen your unlocked phone (we will discuss this in detail later) likely has access to your Google Authenticator app, your SIM (and therefore your phone number) and the passwords synced in your browser. This is more than enough to take over your online accounts, drain your crypto, and so on.<\/p>\n\n<p><strong>Threat modeling - IRL style<\/strong><\/p>\n\n<p>I will start this section by sharing what prompted me to write this article. Recently, I traveled to Washington, DC, and on the second day of travel, I dropped my phone. 
Fortunately, I was already checked into the hotel. Unfortunately, I cracked my phone screen. This is where the tale of the threat modeling article begins. For anyone who is not familiar with or intimidated by the term \u201cThreat Modeling,\u201d I\u2019ve provided links at the bottom of this article explaining what it is.<\/p>\n\n<p>Threat modeling is likely something you\u2019ve already done, even if you are not aware of this specific terminology. Simply put, threat modeling is a process of understanding what can go wrong and what you can do about it. [This is an oversimplified explanation.]<\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2023\/random_picture.jpg\" alt=\"Random pic from the trip\" \/>\n<em>Random pic from the trip<\/em><\/p>\n\n<p>Scenarios:<\/p>\n\n<ol>\n  <li>I could use a backup phone or buy a new phone and re-login to important services and apps.<\/li>\n  <li>Try to get the phone screen repaired ASAP.<\/li>\n  <li>Be without a phone for the next three days.<\/li>\n<\/ol>\n\n<p>Before we discuss each scenario in detail, I would like to talk about threat modeling of the 2FA setup and how it affects the scenarios above.<\/p>\n\n<h2 id=\"a-threat-model-by-user-persona\">A Threat Model, by User Persona<\/h2>\n\n<p>Let\u2019s take a look at 2FA security from the attacker\u2019s point of view.<\/p>\n\n<p>When deciding how your 2FA setup should look, it is useful to understand what you are trying to achieve and how much time and effort you are willing to put in.<\/p>\n\n<p>Similarly to the Bicycle Threat Model article [7], I would like to threat model by considering each kind of attacker in turn, making assumptions about their level of competence and motivation, i.e., by \u201cattacker persona.\u201d By understanding what type of attackers we are likely to face, we can improve our threat model. 
This type of threat modeling has its limitations, but those will be covered in a separate threat modeling blog post.<\/p>\n\n<p>From a 2FA security point of view, there are four types of attackers you, as the average user, are most likely to face:<\/p>\n\n<h3 id=\"phish-mcperson-remote-attacker-trying-to-phish-you\">\u201cPhish McPerson,\u201d remote attacker trying to phish you<\/h3>\n\n<p>McPerson is an attacker who is trying to gain access to your accounts remotely. McPerson loves to send emails pretending to be from websites you are familiar with. \u201cYou have a \u00a310000 charge on your card. Please click here to authorize or cancel\u201d is their favorite SMS.<\/p>\n\n<h3 id=\"malwareena-jones-remote-attacker-who-is-more-technically-capable-than-phish-mcperson\">\u201cMalwareena Jones,\u201d remote attacker who is more technically capable than Phish McPerson<\/h3>\n\n<p>Malwareena Jones has more tricks than Phish McPerson: SIM hijacking and 2FA-specific attacks. Jones got her name because in the past she used malware to steal 2FA codes.<\/p>\n\n<h3 id=\"bandit-bob-criminal-who-loves-bicycles\">\u201cBandit Bob,\u201d criminal who loves bicycles<\/h3>\n\n<p>Bob loves to snatch phones from people who walk around town with the phone in their hands, but he also doesn\u2019t mind watching you type your PIN when you unlock your phone and sneakily stealing the phone later. When in a cafe or a bar, how often do you leave your phone on the table? Well, this is one of the favorite places for thieves to steal phones [8].<\/p>\n\n<h3 id=\"smashing-sam-criminal-who-isnt-afraid-to-use-muscles\">Smashing Sam, criminal who isn\u2019t afraid to use muscles<\/h3>\n\n<p>Smashing Sam used to be somewhat of a fighter back in the day, but now prefers to use her muscles in illegal ways. 
She can threaten you into unlocking your phone, transferring money or giving up your password.<\/p>\n\n<h3 id=\"coming-up-with-better-advice-based-on-phish-mcperson-malwareena-jones-bandit-bob-smashing-sam\"><strong>Coming up with better advice based on Phish McPerson, Malwareena Jones, Bandit Bob, Smashing Sam<\/strong><\/h3>\n\n<p>In order to have a more secure setup, we need to take steps against all four imaginary attackers.<\/p>\n\n<p>Phish McPerson can be secured against by:<\/p>\n\n<ul>\n  <li>Using a custom DNS server to block malicious domains - Pi-hole [9] and NextDNS [10] can subscribe to blocklists, so new malicious domains get blocked at the DNS level.<\/li>\n  <li>Using an ad blocker plugin for your browser - this is even recommended by the FBI [11].<\/li>\n  <li>Being vigilant when receiving emails, texts, and calls.<\/li>\n  <li>[Optional] Having a separate device for all important services. For example, a separate, hardened laptop that is only used to log in to banking, government, and other applications. This way, you have all important links saved and don\u2019t need to click on anything, which helps you avoid getting phished.<\/li>\n<\/ul>\n\n<p>Malwareena Jones can be secured against by:<\/p>\n\n<ul>\n  <li>Whenever presented with a choice between a 2FA app and SMS for the second factor, always choose the 2FA app.<\/li>\n  <li>Contacting your SIM card provider and asking them to lock your SIM. This could mean that if you lose your SIM card, you will have to do additional things to get it back. 
You might also put a PIN on your account (though many people say this is useless).<\/li>\n  <li>Porting your number to a provider that is less likely to give your SIM card away easily.<\/li>\n  <li>Unless required, don\u2019t provide your phone number to services you use a lot [12].<\/li>\n  <li>Following the advice against Phish McPerson above.<\/li>\n  <li>[Optional] As with the Phish McPerson defense, consider using a separate, hardened device to interact with important services.<\/li>\n<\/ul>\n\n<p>Bandit Bob can be secured against by:<\/p>\n\n<ul>\n  <li>Having the 2FA app on a device stored in a secure location, like home, or having a second, locked phone that you carry with you but don\u2019t use in public. Even if this phone is snatched or stolen from you, it is locked, so a thief is less likely to be able to extract keys and passwords.<\/li>\n  <li>Having a separate user profile on your phone. <a href=\"https:\/\/source.android.com\/docs\/devices\/admin\/multi-user\">https:\/\/source.android.com\/docs\/devices\/admin\/multi-user<\/a><\/li>\n  <li>When you need to use your phone in public, check your surroundings.<\/li>\n  <li>Don\u2019t leave your phone on the table in public spaces.<\/li>\n<\/ul>\n\n<p>Smashing Sam can partially be secured against by:<\/p>\n\n<ul>\n  <li>Following everything listed for Bandit Bob.<\/li>\n  <li>Having your 2FA stored in a safe place and not carrying it with you, for example locked at home or in a safe.<\/li>\n  <li>Staying vigilant whenever possible.<\/li>\n  <li>Implementing secondary physical security controls - taking actions to make it physically impossible for someone to compromise or obtain access, even if they use intimidation tactics, and physically impossible for you to give access away even if you are strongarmed into doing so. 
This is a higher level of security than other measures.<\/li>\n<\/ul>\n\n<p>The majority of people are most likely to encounter Phish McPerson and Bandit Bob. Unless it\u2019s a targeted attack, it\u2019s unlikely that you will be targeted by Smashing Sam or Malwareena Jones for the sole purpose of stealing your 2FA.<\/p>\n\n<h2 id=\"creating-your-own-threat-model-vs-universal-advice\">Creating Your Own Threat Model vs Universal Advice<\/h2>\n\n<p>When faced with a choice on how to secure your 2FA setup or anything else, the logic remains the same: what can be done and how likely am I to follow this advice?<\/p>\n\n<p>Some level of threat modeling is much better than no threat modeling at all. Think of it like exercising - often it\u2019s better to exercise at least a bit than not to exercise at all. Develop your own 2FA strategy that is both secure and likely to be followed daily.<\/p>\n\n<p>To wrap up this article, I wanted to share what happened to my broken phone and how it ties to my personal strategy.<\/p>\n\n<p>After my phone screen got cracked, I was presented with three choices:<\/p>\n\n<ol>\n  <li>I could use a backup phone or buy a new one and re-login to important services.<\/li>\n  <li>Try to get the phone screen repaired ASAP.<\/li>\n  <li>Be without a phone for the next three days.<\/li>\n<\/ol>\n\n<p>Option 3 was not viable for me, as I needed to access my personal email and other things.<\/p>\n\n<p>Option 2 ended up being impossible, as none of the nearby phone screen repair services could replace the screen quickly enough.<\/p>\n\n<p>Thankfully, my colleague Pavan helped me (a big thanks to him) and took me to BestBuy, where I bought a temporary phone. However, after getting the new phone, I was presented with an issue: my 2FA device is stored in a secure location, which I don\u2019t have access to, nor do I have access to my password manager. Thankfully, my 2FA setup allowed for this scenario. 
Without going into too much detail, using a one-time pad [14], my laptop, a secure line and an authorized\/trusted person, I was able to regain access to my accounts. Having a support network, such as a colleague or trusted individual, can be a valuable factor when doing threat modeling.<\/p>\n\n<p>There are several new developments gaining traction that will significantly alter how many of us organize our two-factor authentication (2FA) setups. These include Passkeys and WebAuthn, as well as older measures like hardware keys such as the YubiKey. However, as there are already great articles covering those, they will not be covered in this blog post. Instead, they are included in the further reading section below.<\/p>\n\n<p>This article is heavily inspired by <a href=\"https:\/\/calpaterson.com\/bicycle-threat-model.html\">https:\/\/calpaterson.com\/bicycle-threat-model.html<\/a>. Check it out for a fantastic read!<\/p>\n\n<p>References:<\/p>\n\n<p>[1] <a href=\"https:\/\/www.bu.edu\/tech\/support\/information-security\/why-use-2fa\/\">https:\/\/www.bu.edu\/tech\/support\/information-security\/why-use-2fa\/<\/a><\/p>\n\n<p>[2] <a href=\"https:\/\/www.zdnet.com\/article\/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks\/\">https:\/\/www.zdnet.com\/article\/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks\/<\/a><\/p>\n\n<p>[3] <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/tech-execs-mfa-prevent-90-of\/\">https:\/\/www.infosecurity-magazine.com\/news\/tech-execs-mfa-prevent-90-of\/<\/a><\/p>\n\n<p>[4] <a href=\"https:\/\/www.bbc.com\/news\/uk-england-london-65105199\">https:\/\/www.bbc.com\/news\/uk-england-london-65105199<\/a><\/p>\n\n<p>[5] <a href=\"https:\/\/www.theguardian.com\/money\/2012\/jan\/20\/phone-snatchers-iphones-thieves-bikes\">https:\/\/www.theguardian.com\/money\/2012\/jan\/20\/phone-snatchers-iphones-thieves-bikes<\/a><\/p>\n\n<p>[6] <a 
href=\"https:\/\/www.theguardian.com\/technology\/2022\/may\/08\/crypto-muggings-thieves-in-london-target-digital-investors-by-taking-phones\">https:\/\/www.theguardian.com\/technology\/2022\/may\/08\/crypto-muggings-thieves-in-london-target-digital-investors-by-taking-phones<\/a><\/p>\n\n<p>[7] <a href=\"https:\/\/calpaterson.com\/bicycle-threat-model.html\">https:\/\/calpaterson.com\/bicycle-threat-model.html<\/a><\/p>\n\n<p>[8] <a href=\"https:\/\/www.standard.co.uk\/news\/crime\/thief-s-trick-to-steal-diner-s-phone-revealed-by-cctv-as-police-warn-over-spate-of-thefts-in-city-10163937.html\">https:\/\/www.standard.co.uk\/news\/crime\/thief-s-trick-to-steal-diner-s-phone-revealed-by-cctv-as-police-warn-over-spate-of-thefts-in-city-10163937.html<\/a><\/p>\n\n<p>[9] <a href=\"https:\/\/pi-hole.net\/\">https:\/\/pi-hole.net<\/a><\/p>\n\n<p>[10] <a href=\"https:\/\/nextdns.io\/\">https:\/\/nextdns.io<\/a><\/p>\n\n<p>[11] <a href=\"https:\/\/www.ic3.gov\/Media\/Y2022\/PSA221221\">https:\/\/www.ic3.gov\/Media\/Y2022\/PSA221221<\/a><\/p>\n\n<p>[12] <a href=\"https:\/\/news.ycombinator.com\/item?id=29742970\">https:\/\/news.ycombinator.com\/item?id=29742970<\/a><\/p>\n\n<p>[14] <a href=\"https:\/\/en.wikipedia.org\/wiki\/One-time_pad\">https:\/\/en.wikipedia.org\/wiki\/One-time_pad<\/a><\/p>\n\n<p>Further reading:<\/p>\n\n<p><a href=\"https:\/\/shostack.org\/resources\/threat-modeling\">https:\/\/shostack.org\/resources\/threat-modeling<\/a><\/p>\n\n<p><a href=\"https:\/\/owasp.org\/www-community\/Threat_Modeling\">https:\/\/owasp.org\/www-community\/Threat_Modeling<\/a><\/p>\n\n<p><a href=\"https:\/\/news.ycombinator.com\/item?id=36712497\">https:\/\/news.ycombinator.com\/item?id=36712497<\/a><\/p>\n\n<p><a href=\"https:\/\/news.ycombinator.com\/item?id=35801392\">https:\/\/news.ycombinator.com\/item?id=35801392<\/a><\/p>\n\n<p><a 
href=\"https:\/\/news.ycombinator.com\/item?id=21962424\">https:\/\/news.ycombinator.com\/item?id=21962424<\/a><\/p>\n"},{"title":"Cost-effective means of combating domain phishing.","link":{"@attributes":{"href":"https:\/\/uzakov.io\/2021\/09\/21\/cost-effective-means-of-combatting-domain-phishing\/"}},"updated":"2021-09-21T00:00:00+00:00","id":"https:\/\/uzakov.io\/2021\/09\/21\/cost-effective-means-of-combatting-domain-phishing","content":"<p>If you ever needed a solution to find and monitor phishing domains related to your company, but didn\u2019t have a budget (or didn\u2019t want to spend too much money) for a full scale solution \u2013 you are in the right place.\nThe goal of this post is to talk about combating phishing domains, what actionable and measurable steps you can take, advantages and disadvantages of this setup.<\/p>\n\n<h3 id=\"core-functionality\">Core functionality:<\/h3>\n\n<ol>\n  <li>Certificate Monitoring - real-time monitoring of certificates issued for specific domain strings and permutations<\/li>\n  <li>Suspicious domain monitoring for changes<\/li>\n  <li>Checking new domains bought and sold<\/li>\n<\/ol>\n\n<h3 id=\"certificate-monitoring\">Certificate monitoring<\/h3>\n<p>Whenever a new certificate gets requested and issued, the Certificate Authority (CA) records information about it to the public log. More information about certificate transparency can be found here: <a href=\"https:\/\/certificate.transparency.dev\/howctworks\/\">https:\/\/certificate.transparency.dev\/howctworks\/<\/a><\/p>\n\n<p>What this setup does is monitors for certificates issued for your domain but also for lookalike domains or certain keywords in domains. 
For example, if the domain is example.com we will monitor for certificates issued to example-sales.com, examples.com, testexample.com, etc.<\/p>\n\n<p>The way you do that is by watching the Certificate Transparency log update stream in real time, parsing the certificate information and checking it for information related to the company. Diving deeper, this is performed by directly parsing certificate information from the Certificate Transparency log while cross-checking it against company information, such as the company name, brands and intellectual property.\nExample of a logged certificate: <a href=\"https:\/\/crt.sh\/?id=5112823461\">https:\/\/crt.sh\/?id=5112823461<\/a><\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2021\/certificate.png\" alt=\"Certificate\" \/>\nWhile you can build a solution for this yourself, you can also look at open source solutions, for example <a href=\"https:\/\/github.com\/AssuranceMaladieSec\/CertStreamMonitor\">CertStreamMonitor<\/a>.<\/p>\n\n<p>CertStreamMonitor can monitor certificates issued for specific domain strings and associated permutations, store the data in a sqlite3 database and alert you when the sites come online.\n<img src=\"https:\/\/uzakov.io\/public\/images\/2021\/CT.gif\" alt=\"Certificate Transparency\" \/>\nTo get started you would need to edit at least<\/p>\n\n<figure class=\"highlight\"><pre><code class=\"language-js\" data-lang=\"js\"> <span class=\"nx\">SearchKeywords<\/span><span class=\"p\">,<\/span> <span class=\"nx\">DetectionThreshold<\/span><span class=\"p\">,<\/span> <span class=\"nx\">BlacklistKeywords<\/span> <\/code><\/pre><\/figure>\n<p>in the config file.<\/p>\n\n<h3 id=\"notifications\">Notifications<\/h3>\n\n<p>There are two portable and cheap ways to enable notifications: Slack and Telegram. In this post I will be covering Telegram.<\/p>\n\n<h3 id=\"telegram\">Telegram<\/h3>\n\n<p>Probably the easiest way to enable notifications, as the only thing required on the monitoring machine is curl. 
For more information about Telegram bots: <a href=\"https:\/\/core.telegram.org\/bots\">https:\/\/core.telegram.org\/bots<\/a><\/p>\n\n<p>Registering our bot:<\/p>\n\n<ol>\n  <li>On Telegram message @BotFather with \/newbot command. The BotFather will ask you for a name and username, then will generate an authorization token for your new bot.<\/li>\n  <li>After you successfully register the bot you will receive a token you will need later<\/li>\n<\/ol>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2021\/telegram.png\" alt=\"Telegram\" \/><\/p>\n\n<p>To be able to send messages we need a token and chat_id.<\/p>\n\n<p>To get \u201cchat_id\u201d, you need to first<\/p>\n<figure class=\"highlight\"><pre><code class=\"language-js\" data-lang=\"js\"> <span class=\"nx\">curl<\/span> <span class=\"nx\">https<\/span><span class=\"p\">:<\/span><span class=\"c1\">\/\/api.telegram.org\/bot&lt;BOT_TOKEN&gt;\/getUpdates <\/span><\/code><\/pre><\/figure>\n\n<p>After you get <em>chat_id<\/em> you can start messaging :) Please note, <em>chat_id<\/em> can be a negative value<\/p>\n\n<figure class=\"highlight\"><pre><code class=\"language-js\" data-lang=\"js\"> <span class=\"nx\">curl<\/span> <span class=\"dl\">\"<\/span><span class=\"s2\">https:\/\/api.telegram.org\/bot&lt;BOT_TOKEN&gt;\/sendMessage?chat_id=&lt;CHAT_ID&gt;&amp;text=&lt;YOUR_TEXT&gt;<\/span><span class=\"dl\">\"<\/span> <\/code><\/pre><\/figure>\n\n<h3 id=\"newly-registered-domains-squatting-homograph-attacks-monitoring\">Newly registered domains, squatting, homograph attacks monitoring<\/h3>\n<p>Often malicious actors register domains that are similar to your company domain but these domains wouldn\u2019t necessarily be caught by Certificate Transparency log monitoring.<\/p>\n\n<p>To combat this we can use <a href=\"https:\/\/en.wikipedia.org\/wiki\/Levenshtein_distance\">Levenshtein distance<\/a> to find similar enough domain names and watch for those as well, by monitoring newly registered domains, 
performing DNS requests. The openSquat project can help with that and much more.<\/p>\n\n<p><a href=\"https:\/\/github.com\/atenreiro\/opensquat\">openSquat<\/a> is an open source intelligence (OSINT) security tool to identify cybersquatting threats to specific companies or domains, such as:<\/p>\n\n<ol>\n  <li>Phishing campaigns<\/li>\n  <li>Domain squatting<\/li>\n  <li>Typosquatting<\/li>\n  <li>Bitsquatting<\/li>\n  <li>IDN homograph attacks<\/li>\n  <li>Doppelganger domains<\/li>\n  <li>Other brand\/domain related scams<\/li>\n<\/ol>\n\n<p>It also offers:<\/p>\n\n<ol>\n  <li>Automatic newly registered domain updating (once a day)<\/li>\n  <li>IDN homograph attack detection<\/li>\n  <li>Integration with VirusTotal<\/li>\n  <li>Integration with Quad9 DNS service<\/li>\n<\/ol>\n\n<h3 id=\"advantages-and-disadvantages-of-this-setup\">Advantages and disadvantages of this setup<\/h3>\n\n<p>Most commercial offerings consist of 80% of what this post covers, with prices starting at $7k per year for basic monitoring and upwards of $50k for comprehensive monitoring, which sometimes includes a certain number of takedowns per month. The advantage of the setup described above is that it is fast to build, costs little or nothing, can deliver value from the very beginning and covers most of the use cases the majority of companies face.<\/p>\n\n<p>The setup explained above does not take into account things like ML, the amount of engineering effort required to build and maintain such a solution, the amount of time spent requesting domain takedowns, and other ways and tools to discover phishing domains, like <a href=\"https:\/\/github.com\/sherlock-project\/sherlock\">sherlock<\/a>. It\u2019s up to the reader to decide whether it\u2019s worth building this yourself or buying a solution.<\/p>\n\n<p>Having read this you might be wondering how this all fits together. 
Well this is a task for the reader to combine everything mentioned above into one.<\/p>\n\n<blockquote>\n  <p>Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime - Anne Isabella Thackeray Ritchie<\/p>\n<\/blockquote>\n\n<blockquote>\n  <p>Give a man an 0day and he\u2019ll have access for a day, teach a man to phish and he\u2019ll have access for life. - grugq<\/p>\n<\/blockquote>\n\n<p>Thank you for reading and have a good day!<\/p>\n\n<p>Further reading:<\/p>\n<ul>\n  <li><a href=\"https:\/\/www.ncsc.gov.uk\/guidance\/phishing\">https:\/\/www.ncsc.gov.uk\/guidance\/phishing<\/a><\/li>\n  <li><a href=\"https:\/\/www.keepnetlabs.com\/antiphishing-tools-and-phishing-protection-software-phishing-attacks-with-legitimate-urls\/\">https:\/\/www.keepnetlabs.com\/antiphishing-tools-and-phishing-protection-software-phishing-attacks-with-legitimate-urls\/<\/a><\/li>\n  <li><a href=\"https:\/\/www.fbi.gov\/scams-and-safety\/common-scams-and-crimes\/spoofing-and-phishing\">https:\/\/www.fbi.gov\/scams-and-safety\/common-scams-and-crimes\/spoofing-and-phishing<\/a><\/li>\n<\/ul>\n"},{"title":"Efficiency in personal finance","link":{"@attributes":{"href":"https:\/\/uzakov.io\/2020\/11\/03\/efficiency-everywhere\/"}},"updated":"2020-11-03T00:00:00+00:00","id":"https:\/\/uzakov.io\/2020\/11\/03\/efficiency-everywhere","content":"<p>Working in the software engineering field one of the concepts we often speak about is efficiency. It would be no surprise to many that we can apply efficiency to our personal finance as well.\n<img src=\"https:\/\/uzakov.io\/public\/images\/2020\/1280px-Bulle_und_Bar_Frankfurt.jpg\" alt=\"Signal\" \/>\n<a href=\"https:\/\/en.wikipedia.org\/wiki\/Market_trend#\/media\/File:Bulle_und_B%C3%A4r_Frankfurt.jpg\">Credits<\/a> by Eva K, CC BY-SA 2.5<\/p>\n\n<p>This blogpost shares what you can do in terms of financial optimisation, money and finances in general. 
I am assuming a certain level of income, as it is impossible to optimise spendings if you can\u2019t afford to.<\/p>\n\n<p><em>Note: A big part of this article was written pre-Covid, my hope that this article can help people who can optimise their spendings be more effective and by no means written to hurt those who unfortunately can\u2019t at the moment.\nOpinions expressed here are mine alone, not those of any bank, credit card issuer, employer, and have not been reviewed, approved or otherwise endorsed by any of these entities. Please do your own research and take this on your own risk. Nothing here should be construed as financial advice, and it is your own responsibility to ensure that anything mentioned is right for your circumstances.<\/em><\/p>\n\n<h3 id=\"key-optimisation-tips\">Key optimisation tips:<\/h3>\n<ul>\n  <li>Get a credit card that offers a cashback, try to use this card for all your spendings, you get around 1% cashback as well as sign-up bonus in many cases (some offer \u00a3100-250 worth of sign up bonus in points). One of the risks with credit cards is that the interest rate on some is very high, some are 75%! Do make sure to read Terms and Conditions<\/li>\n  <li>Use current account switch bonuses regularly (at the moment of writing NatWest offers \u00a3125 for new account switching).<\/li>\n  <li>Do use websites like <a href=\"https:\/\/www.hotukdeals.com\/\">hotukdeals<\/a>  and <a href=\"https:\/\/uk.camelcamelcamel.com\/\">CamelCamelCamel<\/a>  and cashback websites when shopping online. Hotukdeals shows your discounts on products and CamelCamelCamel shows price history for Amazon products. One feature I like on camelcamelcamel is \u201cAlerts\u201d, if you are happy to wait for a particular item to drop in price you can set up a price alert and get a notification when it becomes a certain price.<\/li>\n  <li>Cashback websites - they will give you a nice cashback in many cases, make sure to shop around<\/li>\n  <li>Make your own coffee! 
Seriously, you save so much money and I bet your coffee will be better quality too! Should have learned this earlier. Invest into equipment and it will pay off in 2-3 month. I personally have a Bialetti Mokka pot and Hario Mill Mini Plus. <a href=\"https:\/\/www.bialetti.com\/it_en\/\">https:\/\/www.bialetti.com\/it_en\/<\/a><\/li>\n  <li>Do open and use an ISA (Individual Savings Accounts) <a href=\"https:\/\/www.gov.uk\/individual-savings-accounts\">https:\/\/www.gov.uk\/individual-savings-accounts<\/a><\/li>\n  <li>Switch your providers regularly - internet, gas, electricity. You often get good deals and bonuses.<\/li>\n  <li>Mix and match shopping - if possible buy from different shopping chains, ie meat from a more premium supermarket while everything from discount ones. Make sure to do a comparison between more and less expensive supermarkets, for example \u201cTesco vs Aldi vs Waitrose(surprise!)\u201d. When doing personal calculations and taking into account certain peculiarity of each one of them (For example Waitrose does free delivery over certain amount, will often substitute items for items for the higher amount\/price(for free) if selected item isn\u2019t available, give items for free if they have a short end date) I found that for me in particular online grocery shopping with Waitrose is 5-10% more expensive compared to Tesco\/Sainsburys, while I prefer the taste of Waitrose food much more. Aldi\/Lidl is generally cheaper compared to other retailers but they are not available everywhere and you generally need a car to get to them, which makes it more difficult for many.<\/li>\n<\/ul>\n\n<p>Additionally, my friend Jonas, who works as a money manager, shared some investment tips<\/p>\n\n<h2 id=\"investment-optimisation\">Investment optimisation<\/h2>\n<p>You probably already have heard the famous investing rules of legendary investor Warren Buffet:<\/p>\n\n<h4 id=\"rule-no-1-never-lose-money-rule-no-2-never-forget-rule-no-1\">\u201cRule No. 
1: Never lose money. Rule No. 2: Never forget rule No. 1.\u201d<\/h4>\n\n<p>Of course, easier said than done, but why is this rule so important? The answer has many layers, but first of all, let\u2019s start with a point which is often neglected in your everyday finance: the power of compounding interest. To illustrate this, assume you invest 100$ into the stock market with the 10y average annual return of the last 140 years, which is 9,2% according to Goldman Sachs (1). In just 10 years this would have grown to 241,12$, in 20 years to 581,37$ and in 30 years to 1401,78$. Naturally this is just the plain number without inflation and costs, but still an overall very impressive 1401% gain over the three decades. Now let\u2019s assume you lose 50$ right at the start and you are able to make it back a year later. After another 9 years you only have 230,96$, resulting in a loss of 10,18$ just on compounded interest. I hope with this example you understand that by losing money, your future compounding gains are severely reduced.<\/p>\n\n<p>The second point I want to touch on is also very common knowledge, but it is important to be reminded every once in a while: the order of percentage-wise gains and losses can result in very different outcomes. A trade with an equivalent percentage loss and a gain in succession is losing you money, while in the reverse order the result is a net profit. Moreover, this effect has a negative imbalance, meaning losses weigh more than gains. For example, a trading win of +70% with a consecutive loss of just 50% still sums up to a net loss of 12,5%. I suggest either keeping records currency-wise or being sure to remind yourself regularly of this fact.<\/p>\n\n<p>Let\u2019s quickly dive into the psychology of finance and investing. But let\u2019s begin with the most essential: before you use any of your money (and this not only applies to finance), don\u2019t buy the \u201ccat in the bag\u201d. That means make yourself knowledgeable. 
It also always helped me to extensively make myself familiar with the fundamentals of the asset as well as the likelihood of negative outcomes, over a considerable period of time. If you can afford this luxury it is also a good idea to step away and come back later (sleep on it!). Often I was able to find something I did not consider before. Just be sure to make yourself comfortable in a position, meaning always only take as much risk as you can handle, so that positions moving against you impact neither your financial nor your physical health. If you find yourself in a position where you lose sleep over it, or constantly have the urge to check your position, you most likely have overstepped your risk tolerance. If that is the case, hedge your position or simply reduce your exposure.<\/p>\n\n<p>Another reason to not lose money: winnings and losses are experienced differently. As an illustration, consider the following two examples and choose the one you like best. Scenario A is the following: \u201cYou get 100$ immediately. Immediately after, there is a 50% chance that you lose half of it.\u201d In Scenario B: \u201cYou get 50$ and have a 50% chance to win another 50$.\u201d It is quite obvious that these scenarios are virtually equivalent, but they are interpreted in the human mind differently. Losses are psychologically more taxing than gains are rewarding. This was researched to a great extent and summarized by psychologist Daniel Kahneman (2).<\/p>\n\n<p>Let\u2019s come back to the power of compounding interest. As I illustrated earlier, a small amount of money does make a considerable difference over time. John C. Bogle, founder and former chairman of the Vanguard Group (one of the largest registered investment advisors), more or less dedicated a whole book to this topic (1). He touches on various topics, and the one I find more (not less!) important is the significance of reducing your costs. 
You might think: well, that was great advice in his time, but it does not apply anymore, because nowadays many trading\/finance platforms have reduced their trading fees to zero. However, there is a saying: \u201cif you don\u2019t know what the product is, that means you are the product\u201d. Companies such as Robinhood or Charles Schwab make money from interest on customer-deposited stocks, fees on margins, or selling customer order flow to high-frequency traders and market makers. While you do not see the latter costs directly, since your trade just gets a worse execution, they significantly worsen the price of your position. On top of that, the costs of assets heavily reduce the yield of the underlying, and great effort should be taken to select the cheapest one among its peers. So make sure you know where and what your costs are, and pay attention to them, since they add up quickly, especially with the losses in compounding interest.<\/p>\n\n<p>Lastly, take advantage of the tax code if you can (since this is different in each country I won\u2019t go into it here); otherwise at least take advantage of your employer\u2019s retirement fund benefits. If you don\u2019t know whether your company offers something like that, just ask HR.<\/p>\n\n<p>In conclusion: on the one hand money is important and, since Time=Money, you should use it wisely. On the other hand you should enjoy your life to the fullest, since you don\u2019t need it when you are dead.<\/p>\n\n<p>[1] https:\/\/www.spglobal.com\/marketintelligence\/en\/news-insights\/latest-news-headlines\/s-p-500-returns-to-halve-in-coming-decade-8211-goldman-sachs-59439981<\/p>\n\n<p>[2] Thinking, Fast and Slow by Daniel Kahneman<\/p>\n\n<p>The Little Book of Common Sense Investing by John C. 
Bogle<\/p>\n"},{"title":"Homelab of someone who rents | My setup","link":{"@attributes":{"href":"https:\/\/uzakov.io\/2020\/08\/27\/homelab-of-someone-who-rents-my-setup\/"}},"updated":"2020-08-27T00:00:00+00:00","id":"https:\/\/uzakov.io\/2020\/08\/27\/homelab-of-someone-who-rents-my-setup","content":"<div class=\"message\">\n  See original post on <a href=\"https:\/\/medium.com\/@uzakov\/homelab-of-someone-who-rents-my-setup-a4f8b119aa1f\">Medium<\/a>\n<\/div>\n<p>If you browse r\/homelab you would see a myriad of amazing homelabs, which is great unless you rent, can\u2019t add proper cabling to the house\/flat, can\u2019t spend much money or do not have enough space for all equipment. My setup was primarily created due to my interest in different tech, improving security as well as a result of the requirements mentioned above.<\/p>\n\n<h3 id=\"what-is-a-homelab\">What is a homelab?<\/h3>\n\n<p>Homelab is a place\/environment at home that allows you to implement, learn and test different technologies. Some examples of what people run in their homelabs:\n<a href=\"https:\/\/www.reddit.com\/r\/homelab\/comments\/3usg1y\/what_vmservices_are_you_running\/\">https:\/\/www.reddit.com\/r\/homelab\/comments\/3usg1y\/what_vmservices_are_you_running\/<\/a>\n<a href=\"https:\/\/www.reddit.com\/r\/homelab\/comments\/dzjecg\/what_services_are_you_guys_running_in_your_home\/\">https:\/\/www.reddit.com\/r\/homelab\/comments\/dzjecg\/what_services_are_you_guys_running_in_your_home\/<\/a>\nCheck this out: <a href=\"https:\/\/www.reddit.com\/r\/homelab\/comments\/d0oahc\/my_not_so_humble_homelab_is_finally_complete\/\">https:\/\/www.reddit.com\/r\/homelab\/comments\/d0oahc\/my_not_so_humble_homelab_is_finally_complete\/<\/a><\/p>\n\n<h3 id=\"why-have-a-homelab\">Why have a homelab?<\/h3>\n<p>Overall having a homelab is about learning and improving quality of life for me. 
Also it is about:<\/p>\n\n<ul>\n  <li>Automation \u2014 there are things you want automated, and a homelab can take care of that<\/li>\n  <li>Potential security improvement \u2014 I know some people who browse the internet from dedicated VMs that roll back to a \u201cclean\u201d state and update daily, for example.<\/li>\n  <li>Freedom to break things without worrying as much<\/li>\n  <li>Improvements to your quality of life :)<\/li>\n  <li>Some people out there aim to be independent from online service providers and run their own mail server, storage etc.<\/li>\n<\/ul>\n\n<p>There are some disadvantages to having a homelab, to name a few:<\/p>\n\n<ul>\n  <li>Time consuming \u2014 for some people it\u2019s nearly a part-time job<\/li>\n  <li>Money \u2014 good hardware can cost good money, a Dell PowerEdge T440 starts at \u00a31300 for example<\/li>\n<\/ul>\n\n<h3 id=\"my-setup\">My setup<\/h3>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2020\/homelab.png\" alt=\"Network diagram\" \/><\/p>\n<h3 id=\"services\">Services<\/h3>\n<p>List of VMs\/services I run:<\/p>\n<ul>\n  <li>Kali VM \u2014 <a href=\"https:\/\/www.kali.org\/\">https:\/\/www.kali.org\/<\/a><\/li>\n  <li>FreeNAS \u2014 <a href=\"https:\/\/www.freenas.org\/\">https:\/\/www.freenas.org\/<\/a><\/li>\n  <li>Plex media server \u2014 <a href=\"https:\/\/www.plex.tv\/en-gb\/media-server-downloads\/\">https:\/\/www.plex.tv\/en-gb\/media-server-downloads\/<\/a><\/li>\n  <li>Zabbix \u2014 <a href=\"https:\/\/www.zabbix.com\/\">https:\/\/www.zabbix.com\/<\/a><\/li>\n  <li>GitLab with two GitLab runners \u2014 <a href=\"https:\/\/about.gitlab.com\/\">https:\/\/about.gitlab.com\/<\/a><\/li>\n  <li>OSSEC (in progress) \u2014 <a href=\"https:\/\/www.ossec.net\/\">https:\/\/www.ossec.net\/<\/a><\/li>\n  <li>Various VMs that are not in use 24\/7<\/li>\n<\/ul>\n\n<h4 id=\"kali\">Kali<\/h4>\n<p>Used mainly for bug bounties as well as testing, for example <a 
href=\"https:\/\/twitter.com\/alikhan_uzakov\/status\/1294026520965582851\">https:\/\/twitter.com\/alikhan_uzakov\/status\/1294026520965582851<\/a><\/p>\n<h4 id=\"freenas\">FreeNAS<\/h4>\n<p>NAS for file storage and laptop backup.<\/p>\n<h4 id=\"plex-media-server\">Plex media server<\/h4>\n<p>Local media server; I like rewatching some of the TV shows I purchased a while ago.<\/p>\n<h4 id=\"zabbix\">Zabbix<\/h4>\n<p>VM monitoring and alerting, something I am planning to improve in the near future.<\/p>\n<h4 id=\"ossec\">OSSEC<\/h4>\n<p>OSSEC is a HIDS \u2014 host-based intrusion detection system; work in progress.<\/p>\n\n<h3 id=\"hardware\">Hardware<\/h3>\n<p>For the network part I went with Ubiquiti and chose the UDM (UniFi Dream Machine) <a href=\"https:\/\/store.ui.com\/collections\/routing-switching\/products\/unifi-dream-machine\">https:\/\/store.ui.com\/collections\/routing-switching\/products\/unifi-dream-machine<\/a>. It plays the role of my router, switch and security gateway. While there are a number of disadvantages to \u201call-in-one devices\u201d, this is the optimal choice for me as it\u2019s likely I might be moving houses and my current place doesn\u2019t have enough space for all the required hardware.<\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2020\/20200825_210824.jpg\" alt=\"Ubiquiti UDM\" \/>\n<em>My UDM, I call it \u201cSmol Battle Station\u201d \u2014 it\u2019s small but as good and strong as a battlecruiser from StarCraft. I really love the design, it\u2019s very minimal, clean and actually reminds me of EVE from the WALL-E cartoon.<\/em><\/p>\n\n<p>Alternatively, I could have gone with custom flashing a router with dd-wrt, OpenWrt or Tomato and buying a dedicated switch. 
There are a number of reasons I did not do that, to name a few:<\/p>\n\n<ol>\n  <li>There is a chance that the router will be bricked during flashing<\/li>\n  <li>I currently have limited free time, and dd-wrt always takes time (reading forums, for example, as some builds were unstable etc.)<\/li>\n  <li>The UDM offers everything I need at the moment<\/li>\n<\/ol>\n\n<p>If you want to see a good guide on how to do network segregation and segmentation with a router that is flashed with dd-wrt, check out the guide from Bishop Fox: <a href=\"https:\/\/labs.bishopfox.com\/industry-blog\/an-updated-guide-to-do-it-yourself-network-segmentation\">https:\/\/labs.bishopfox.com\/industry-blog\/an-updated-guide-to-do-it-yourself-network-segmentation<\/a><\/p>\n\n<h3 id=\"server\">Server<\/h3>\n\n<p>For my server I went with a used PC; the specs are:<\/p>\n<ul>\n  <li>6th gen i7<\/li>\n  <li>48GB DDR RAM<\/li>\n  <li>1TB HDD and 256GB SSD<\/li>\n<\/ul>\n\n<p>This PC hosts my VMware ESXi and the corresponding VMs.\n<img src=\"https:\/\/uzakov.io\/public\/images\/2020\/sticker-homelab.png\" alt=\"Homelab sticker\" \/><\/p>\n\n<h3 id=\"networking\">Networking<\/h3>\n\n<p>One of the key requirements for my homelab was simplicity and best value for time, following the Pareto principle (80\/20). My local network is separated and segregated into various parts, described below.<\/p>\n\n<p>One of the things I did was deciding not to allow remote access for the majority of things I run, to save the time I would otherwise have to spend maintaining adequate security. 
They can still be accessed locally and can reach the internet.<\/p>\n\n<h4 id=\"guest-network\">Guest network<\/h4>\n<p>This network is used by people visiting the house.<\/p>\n<h4 id=\"homelab-network\">Homelab network<\/h4>\n<p>This network contains the homelab: the ESXi host and VMs.<\/p>\n<h4 id=\"trusted-devices-network\">Trusted devices network<\/h4>\n<p>This network is for devices that are more closely maintained and more trusted.<\/p>\n<h4 id=\"iotother\">IoT\/Other<\/h4>\n<p>This network is for Internet of Things devices or ones that are hard to patch; examples are home smart plugs and sensors.<\/p>\n\n<p>Here are the firewall policies I have set:<\/p>\n\n<ol>\n  <li>No outside-to-inside traffic<\/li>\n  <li>\u201cIoT\/Other\u201d and \u201cGuest\u201d networks can\u2019t reach other networks and can only talk to the internet<\/li>\n  <li>\u201cTrusted\u201d can reach \u201cHomelab\u201d<\/li>\n  <li>Homelab VMs can talk to each other<\/li>\n<\/ol>\n\n<p>Some points to keep in mind: you can do micro-segmentation, and the example above is not perfect, far from it, so see what suits you. Additionally, you can do MAC filtering, but that does not give you a great deal (if any) of security as anyone can easily change their MAC address. 
All VMs could take good use of things mentioned in <a href=\"https:\/\/medium.com\/@uzakov\/pretty-good-setup-pgs-4d3b58b4341a\">https:\/\/medium.com\/@uzakov\/pretty-good-setup-pgs-4d3b58b4341a<\/a><\/p>\n\n<p>If you are interested to know more, check the links below.<\/p>\n\n<ol>\n  <li><a href=\"https:\/\/robpickering.com\/ubiquiti-configure-micro-segmentation-for-iot-devices\/\">https:\/\/robpickering.com\/ubiquiti-configure-micro-segmentation-for-iot-devices\/<\/a><\/li>\n  <li><a href=\"https:\/\/nguvu.org\/pfsense\/pfsense-baseline-setup\/\">https:\/\/nguvu.org\/pfsense\/pfsense-baseline-setup\/<\/a><\/li>\n  <li><a href=\"https:\/\/joshspicer.com\/homelab\">https:\/\/joshspicer.com\/homelab<\/a><\/li>\n  <li><a href=\"https:\/\/www.homelabrat.com\/\">https:\/\/www.homelabrat.com\/<\/a><\/li>\n<\/ol>\n"},{"title":"Week of Cyber Meetups","link":{"@attributes":{"href":"https:\/\/uzakov.io\/2019\/07\/28\/week-of-cyber-meetups\/"}},"updated":"2019-07-28T00:00:00+00:00","id":"https:\/\/uzakov.io\/2019\/07\/28\/week-of-cyber-meetups","content":"<div class=\"message\">\n  See original post on <a href=\"https:\/\/medium.com\/@uzakov\/week-of-cyber-meetups-c3d2421a7804\">Medium<\/a>\n<\/div>\n<p>Last week was full of interesting cyber security meetups in London.\nI attended two, one hosted at Capital One office and another one hosted by OWASP at Revolut office.<\/p>\n\n<h3 id=\"cyber-london-hosted-by-capital-one\">Cyber London, hosted by Capital One<\/h3>\n<p><a href=\"https:\/\/www.meetup.com\/London-Cyber-Capital-One\/events\/262063647\/\">https:\/\/www.meetup.com\/London-Cyber-Capital-One\/events\/262063647\/<\/a>\n<img src=\"https:\/\/uzakov.io\/public\/images\/2019\/20190717_221119.jpg\" alt=\"White Collar Factory\" \/>\nOn the 17th of July Georg(my colleague) and I attended a cybersecurity event after work, hosted and organized by Capital One.<\/p>\n\n<p>There were two talks:<\/p>\n\n<ol>\n  <li>Hostage Negotiation, Cyber Extortion, Critical Incident Handling 
and You!<\/li>\n  <li>Browser Security Basics<\/li>\n<\/ol>\n\n<h4 id=\"hostage-negotiation-cyber-extortion-critical-incident-handling-and-you\">Hostage Negotiation, Cyber Extortion, Critical Incident Handling and You!<\/h4>\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2019\/20190717_192344.jpg\" alt=\"Talk 1\" \/>\n\u201cTo Pay or Not To Pay used to be the question, now, Are You Ready to Negotiate?\u201d That was one of the themes of the talk. Two presenters had extensive experience in hostage negotiation and fighting organized crime. One is formerly the Team Leader of Canada\u2019s Royal Canadian Mounted Police\u2019s (RCMP) International Negotiation Team, graduate of both the FBI\u2019s and Scotland Yard\u2019s Hostage Negotiation Programs. Another formerly a United Nations senior security official. They shared their experience and knowledge of organized crime. Even though they do not deal with cybercrime directly, a lot of their methods are also applicable to IT. Do not pay the ransomware creators.<\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2019\/20190717_195303.jpg\" alt=\"Crowd\" \/><\/p>\n\n<h4 id=\"browser-security-basics\">Browser Security Basics<\/h4>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2019\/20190717_201440.jpg\" alt=\"Talk 2\" \/>\nThe most interesting talk from the engineering perspective, where we had a chance to hear from Mark Goodwin, Mozilla engineer who is working on the Firefox web browser.<\/p>\n\n<p>Mark covered the basics of browser security, what it does and why it\u2019s important. He also covered the use of Rust at Mozilla, why it\u2019s a great language from a security point of view(memory and thread safety) and plans to increase the amount of Rust code in Firefox. 
<a href=\"https:\/\/wiki.mozilla.org\/Oxidation\">https:\/\/wiki.mozilla.org\/Oxidation<\/a>\n<img src=\"https:\/\/uzakov.io\/public\/images\/2019\/20190717_203219.jpg\" alt=\"Firefox talk\" \/>\n<img src=\"https:\/\/uzakov.io\/public\/images\/2019\/20190717_204631.jpg\" alt=\"Talk 3\" \/><\/p>\n\n<h3 id=\"owasp-london-chapter-meeting-at-revolut\">OWASP London Chapter Meeting at Revolut<\/h3>\n\n<p><a href=\"https:\/\/www.meetup.com\/OWASP-London\/events\/262880260\/\">https:\/\/www.meetup.com\/OWASP-London\/events\/262880260\/<\/a>\n<img src=\"https:\/\/uzakov.io\/public\/images\/2019\/20190718_200210.jpg\" alt=\"OWASP Talks\" \/>\n<img src=\"https:\/\/uzakov.io\/public\/images\/2019\/20190718_200723.jpg\" alt=\"OWASP Talks\" \/>\nThere were three talks:<\/p>\n<ol>\n  <li>Scaling Security - Move Fast and Make Things<\/li>\n  <li>Hack In, Cash Out: Hacking and Securing Payment Technologies<\/li>\n  <li>Advanced Bots and Security Evasion Techniques<\/li>\n<\/ol>\n\n<h4 id=\"scaling-security---move-fast-and-make-things\">Scaling Security - Move Fast and Make Things<\/h4>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2019\/20190718_190238.jpg\" alt=\"Scaling security\" \/><\/p>\n\n<p>A talk by the Revolut CISO, who spoke about the use of Google Cloud Platform at Revolut, a bit about how they do AppSec, the security automation they do at Revolut, microservices, context-aware access <a href=\"https:\/\/cloud.google.com\/context-aware-access\/\">https:\/\/cloud.google.com\/context-aware-access\/<\/a>, and how important it is to move and react fast. 
He also shared the bank\u2019s plans for the near future.<\/p>\n\n<h4 id=\"hack-in-cash-out-hacking-and-securing-payment-technologies\">Hack In, Cash Out: Hacking and Securing Payment Technologies<\/h4>\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2019\/20190718_195834.jpg\" alt=\"Hack In, Cash Out\" \/><\/p>\n\n<p>A talk by a researcher from Positive Technologies about attacks on payment platforms, what cybercriminals do and what his company has found. To sum up, there are a lot of problems with payment platforms. One of the methods criminals used to use was a race condition: a transaction from account A to B transferring a very small amount of money, say \u00a30.000005, followed instantly by a cancel-transaction call. Due to a processing error, account B would still have the \u00a30.000005.<\/p>\n\n<h4 id=\"advanced-bots-and-security-evasion-techniques\">Advanced Bots and Security Evasion Techniques<\/h4>\n\n<p>This talk was presented by a Senior Researcher at F5 Networks, covering advanced techniques used by bot creators and what F5 does to detect them.\nAs always, there was free pizza and beer. The office was very cool, in a good location and hip inside!\nThere was a vending machine that gave out Revolut debit cards. 
You just need to register it through the app.<\/p>\n\n<p>PS Join OWASP: <a href=\"https:\/\/www.owasp.org\/index.php\/Membership\">https:\/\/www.owasp.org\/index.php\/Membership<\/a><\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2019\/20190718_201215.jpg\" alt=\"OWASP Talks\" \/>\n<img src=\"https:\/\/uzakov.io\/public\/images\/2019\/20190718_210057.jpg\" alt=\"OWASP Talks\" \/><\/p>\n\n<h4 id=\"never-settle\">NEVER SETTLE<\/h4>\n"},{"title":"Pretty Good Setup (PGS)","link":{"@attributes":{"href":"https:\/\/uzakov.io\/2017\/05\/08\/pretty-good-setup-pgs\/"}},"updated":"2017-05-08T00:00:00+00:00","id":"https:\/\/uzakov.io\/2017\/05\/08\/pretty-good-setup-pgs","content":"<div class=\"message\">\n  See original post with 23k views on <a href=\"https:\/\/medium.com\/@uzakov\/pretty-good-setup-pgs-4d3b58b4341a\">Medium<\/a>\n<\/div>\n\n<p>For a while I had this security guide written for myself and finally decided to share it with everyone. This post will be a semi-detailed guide on what, why and how to secure your machine. Hope you enjoy it :)<\/p>\n\n<h3 id=\"full-manual\">Full manual<\/h3>\n<p>The reason why I called it Pretty Good Setup is that the security of this setup is pretty good for many situations: it\u2019s good for the vast majority of people and covers a good amount of threats.<\/p>\n\n<h4 id=\"table-of-contents\">Table of contents<\/h4>\n\n<ol>\n  <li>Securing the BIOS<\/li>\n  <li>Move to user friendly GNU\/Linux OS<\/li>\n  <li>Enable automatic security updates<\/li>\n  <li>Firewall<\/li>\n  <li>Browser extensions and settings<\/li>\n  <li>Cover your camera<\/li>\n  <li>Install a VPN<\/li>\n  <li>Use a password manager<\/li>\n  <li>Use a Virtual Machine<\/li>\n  <li>Encrypt important files<\/li>\n<\/ol>\n\n<h4 id=\"securing-the-bios\">Securing the BIOS<\/h4>\n<p>You can\u2019t have a secure setup [1] without securing the core parts of it. 
The first thing when you set up a new system should be securing your BIOS (basic input\/output system):<\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2017\/bios-example.jpeg\" alt=\"Example BIOS\" \/><\/p>\n\n<p>First you must set an admin password in your BIOS. As shown above, it stops an attacker [2] from modifying settings and lets you restrict booting from external devices, which protects against modification of the root password. The next step must be to disable booting from external devices to stop the attack mentioned above.<\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2017\/bios-password.png\" alt=\"Example BIOS\" \/> Now when your PC turns on you might see something like this.<\/p>\n\n<h4 id=\"move-to-user-friendly-gnulinux-os\">Move to user friendly GNU\/Linux OS<\/h4>\n\n<p>Move to Ubuntu or any other user friendly GNU\/Linux OS.<\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2017\/ubuntu.png\" alt=\"Ubuntu\" \/><\/p>\n\n<p>There is less malware written for GNU\/Linux operating systems than for Windows, and by simply switching your OS to Ubuntu you greatly decrease your chances of getting a virus. Also, malware written for Windows generally doesn\u2019t work on GNU\/Linux. For most people the switch shouldn\u2019t cause any problems (in my personal opinion), since Ubuntu offers the same functionality as Windows and even looks similar. My mother, who isn\u2019t a techie, is using Ubuntu on a day-to-day basis :)<\/p>\n\n<p>Whilst installing a new OS (in my example I will use Ubuntu) choose the option to use full disk encryption:<\/p>\n\n<p>Full disk encryption ensures that if we lose our machine, the attacker will not be able to read any data from it. More info <a href=\"https:\/\/en.wikipedia.org\/wiki\/Disk_encryption\">here<\/a>. Next follow the steps and create a new account. After it\u2019s done you will have access to a user with sudo rights. 
You should not use this account for everyday use but create an additional account without any sudo rights:\nSearch for system settings -&gt;\n<img src=\"https:\/\/uzakov.io\/public\/images\/2017\/ubuntu-settings.png\" alt=\"Ubuntu settings\" \/>\nClick on user accounts\n<img src=\"https:\/\/uzakov.io\/public\/images\/2017\/ubuntu-user.png\" alt=\"Ubuntu settings\" \/>\nYou will see the list of users on your machine<\/p>\n\n<p>Then add another non-administrative user. This can be done by pressing the + in the lower left corner of image 1. This is done to protect you from accidentally downloading and executing files: since the user has no sudo rights, it will be much harder for a virus to get installed. [3] You should use this user on an everyday basis. Before you start using this account on an everyday basis it would be a good idea to give it sudo rights, install all needed programs first, and then switch the account back to the standard type. A good practice would be not to install programs from <a href=\"https:\/\/askubuntu.com\/questions\/4983\/what-are-ppas-and-how-do-i-use-them\">PPAs<\/a>, unless you know what you are doing.<\/p>\n\n<h4 id=\"enable-automatic-security-updates\">Enable automatic security updates<\/h4>\n<p>From System Settings open Update Manager. Click the \u2018Settings\u2026\u2019 button, then on the \u2018Updates\u2019 tab, select the radio button \u2018Install security updates without confirmation.\u2019\nMore at: <a href=\"https:\/\/askubuntu.com\/questions\/9\/how-do-i-enable-automatic-updates\">https:\/\/askubuntu.com\/questions\/9\/how-do-i-enable-automatic-updates<\/a>\n<img src=\"https:\/\/uzakov.io\/public\/images\/2017\/ubuntu-updates.png\" alt=\"Ubuntu updates\" \/><\/p>\n\n<h4 id=\"firewall\">Firewall<\/h4>\n<p>In this guide we will be using <a href=\"https:\/\/en.wikipedia.org\/wiki\/Uncomplicated_Firewall\">UFW<\/a> (Uncomplicated Firewall). 
It\u2019s a simple-to-use firewall which doesn\u2019t require vast knowledge of iptables. The goal of the firewall is to monitor traffic and block unwanted (including malicious) traffic. UFW should be installed by default on Ubuntu but is disabled by default. If it is not installed you can install it by typing this command into the terminal: <code>sudo apt-get install ufw<\/code>\nOne of the things that will make setting up any firewall easier is to define some default rules for allowing and denying connections. UFW\u2019s defaults are to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your machine would not be able to connect, while any application within the machine would be able to reach the outside world. To set the defaults used by UFW, you would use the following commands:<\/p>\n\n<figure class=\"highlight\"><pre><code class=\"language-bash\" data-lang=\"bash\">sudo ufw default deny incoming\nsudo ufw default allow outgoing<\/code><\/pre><\/figure>\n\n<p>Next we need to enable the firewall, which we can achieve by typing:<\/p>\n\n<figure class=\"highlight\"><pre><code class=\"language-bash\" data-lang=\"bash\">sudo ufw enable<\/code><\/pre><\/figure>\n\n<p>You should see the command prompt again if all went well. You can check the status of your rules now by typing:<\/p>\n\n<figure class=\"highlight\"><pre><code class=\"language-bash\" data-lang=\"bash\">sudo ufw status<\/code><\/pre><\/figure>\n\n<p>Now you have a working, uncomplicated firewall, which blocks incoming connections and allows outgoing ones. 
[4]<\/p>\n\n<h4 id=\"browser-extansions-and-settings\">Browser extensions and settings<\/h4>\n<p>Most current browsers are pretty secure by default, assuming your threat is not coming from state agencies. You can make them even more secure by changing settings in the browser and installing security extensions.<\/p>\n<ol>\n  <li>Install browser plugins\n    <h5 id=\"ublock-origin\">uBlock Origin<\/h5>\n    <p><a href=\"https:\/\/github.com\/gorhill\/uBlock\/\">https:\/\/github.com\/gorhill\/uBlock\/<\/a> uBlock Origin blocks ads, trackers and malware sites. There are a number of reasons why you would choose uBlock Origin over Adblock Plus, which some might say is better known, some of which are: <a href=\"https:\/\/www.theverge.com\/2016\/9\/13\/12890050\/adblock-plus-now-sells-ads\">Adblock Plus sells ads<\/a>, performance and efficiency.\n<img src=\"https:\/\/uzakov.io\/public\/images\/2017\/uBlock.png\" alt=\"uBlock origin\" \/><\/p>\n  <\/li>\n<\/ol>\n\n<h6 id=\"umatrix\">uMatrix<\/h6>\n<p><a href=\"https:\/\/github.com\/gorhill\/uMatrix\">https:\/\/github.com\/gorhill\/uMatrix<\/a>\nuMatrix allows you to configure how your browser interacts with websites, what they can load, etc.\n<img src=\"https:\/\/uzakov.io\/public\/images\/2017\/umatrix_1.png\" alt=\"uMatrix 1\" \/>\nSet the settings as follows: click on the top part of a block to make it green and on the bottom part to make it red. The \u201c*\u201d in the left corner means that these rules will apply to all websites, unless you have specific rules for particular ones. In image 1, all websites are generally allowed to load images and CSS files. When you visit webpages they load JavaScript (JS) to enhance their functionality and look. While the JS loaded is generally not malicious, it could be used to harm your machine. 
Malicious websites could load bad JS when users visit them; this malicious code infects the user\u2019s computer with malware or performs unwanted actions on behalf of the user. [5] So it\u2019s better not to allow websites to load JS, and to <a href=\"https:\/\/en.wikipedia.org\/wiki\/Whitelist\">whitelist<\/a> the websites you trust so that they can load JS.<\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2017\/umatrix_2.png\" alt=\"uMatrix 2\" \/>\nExplanation of image 2: since I trust Medium, I allow it to read cookies and to load and run scripts and XHR. Another explanation of how to configure uMatrix: <a href=\"https:\/\/github.com\/gorhill\/uMatrix\/wiki\/Very-bare-walkthrough-for-first-time-users\">https:\/\/github.com\/gorhill\/uMatrix\/wiki\/Very-bare-walkthrough-for-first-time-users<\/a><\/p>\n\n<ol>\n  <li>In your browser set the settings to the following (the example shown uses the Google Chrome browser):\n<img src=\"https:\/\/uzakov.io\/public\/images\/2017\/chrome_settings.png\" alt=\"Chrome setting 1\" \/>\nBy blocking sites from setting cookies you improve your privacy.\n<img src=\"https:\/\/uzakov.io\/public\/images\/2017\/chrome_flash.png\" alt=\"Chrome setting 2\" \/>\nBlock Flash and pop-ups (those can still come up without a plugin).\n<img src=\"https:\/\/uzakov.io\/public\/images\/2017\/chrome_camera.png\" alt=\"Chrome setting 3\" \/>\nWhat is happening above: we blocked websites from setting any data, which increases our privacy since websites will not be able to track us, and we blocked Flash from being run, which stops many Flash security holes. Even though we block cookies from being set, we will need to manage exceptions, i.e. allow certain websites you trust to set cookies. 
You can do that by pressing the \u201cManage exceptions\u201d button.\n<img src=\"https:\/\/uzakov.io\/public\/images\/2017\/chrome_cookies.png\" alt=\"Chrome setting 4\" \/>\nThis is what you will see when you click manage exceptions for cookies.\nI allowed the websites you can see in image 3 to set cookies and also made an exception in uMatrix.<\/li>\n<\/ol>\n\n<h5 id=\"cover-your-camera\">Cover your camera<\/h5>\n\n<p>Cover your camera with something, e.g. tape. Certain viruses can get access to your machine\u2019s camera and see what you are doing.<\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2017\/camera_fb.jpeg\" alt=\"Camera\" \/><\/p>\n\n<p>Picture taken from the Guardian article: <a href=\"https:\/\/www.theguardian.com\/technology\/2016\/jun\/22\/mark-zuckerberg-tape-webcam-microphone-facebook\">https:\/\/www.theguardian.com\/technology\/2016\/jun\/22\/mark-zuckerberg-tape-webcam-microphone-facebook<\/a><\/p>\n\n<p>Even though it\u2019s not likely that you will get a virus on your machine which will be able to access the camera, it\u2019s better to be safe than sorry.<\/p>\n\n<h5 id=\"install-a-vpn\">Install a VPN<\/h5>\n\n<p>Install a VPN <a href=\"https:\/\/en.wikipedia.org\/wiki\/Virtual_private_network\">(Virtual Private Network)<\/a>. In short, it secures your traffic from your Internet Service Provider (ISP), so that they cannot see what websites you visit and what you do on the Web, and from a bad actor on the same network as you in a cafe, on any open-access Wi-Fi hotspot, etc. I will not go into the details of how to install one, but rather suggest choosing a VPN which doesn\u2019t log, though it\u2019s difficult to check whether they do or don\u2019t. One of the main ways to check if your provider logs is to look at whether your VPN provider has received any court orders to release data and what they have provided. If your VPN provider didn\u2019t give any data, it\u2019s very likely that their no-log policy is real. 
I personally would support <a href=\"https:\/\/www.privateinternetaccess.com\/\">Private Internet Access (PIA)<\/a>. Only get a paid VPN, as most free VPN services are probably selling your data, so they\u2019re not worth using.\n<img src=\"https:\/\/uzakov.io\/public\/images\/2017\/vpn.png\" alt=\"VPN\" \/><\/p>\n\n<p>How a VPN works. Credits: <a href=\"http:\/\/blog.flashkirby.com\/\">http:\/\/blog.flashkirby.com\/<\/a>\nBelow you can find reviews of VPN providers.<\/p>\n\n<p>Note that I am not paid by nor connected to any of those providers, nor have I tested them all.\n<a href=\"https:\/\/torrentfreak.com\/best-vpn-anonymous-no-logging\/\">https:\/\/torrentfreak.com\/best-vpn-anonymous-no-logging\/<\/a><\/p>\n\n<h5 id=\"use-a-password-manager\">Use a password manager<\/h5>\n\n<p>A password manager is a software application or hardware device that helps a user store and organize passwords. Instead of using a simple password like qwerty123 you have a complex, unique password for each service. I suggest using <a href=\"https:\/\/www.keepassx.org\/\">KeePassX<\/a> for a number of reasons, some of which are: your password database is stored locally, meaning that there is no threat of an online service leaking your passwords; it stores many different kinds of information; and the whole database is encrypted with the AES (aka Rijndael) encryption algorithm using a 256-bit key.\n<img src=\"https:\/\/uzakov.io\/public\/images\/2017\/keepassx.png\" alt=\"KeePassX logo\" \/>\nKeePassX logo\n<img src=\"https:\/\/uzakov.io\/public\/images\/2017\/keepassx_1.png\" alt=\"KeePassX\" \/>\nCreating a new database\n<img src=\"https:\/\/uzakov.io\/public\/images\/2017\/keepassx_2.png\" alt=\"KeePassX\" \/>\nKeePassX allows you to generate unique passwords containing letters, numbers and special characters.<\/p>\n\n<p>If KeePassX is not installed by default you can install it by running the following command:<\/p>\n\n<figure class=\"highlight\"><pre><code class=\"language-bash\" data-lang=\"bash\">sudo apt-get install keepassx<\/code><\/pre><\/figure>\n\n<p>What it protects from: dictionary attacks, and password reuse, meaning that if a service gets compromised and your password gets leaked, an attacker can\u2019t use it to access a different service.<\/p>\n\n<h5 id=\"use-a-virtual-machine-vm\">Use a Virtual Machine (VM)<\/h5>\n\n<p>In computing, a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Virtual_machine\">virtual machine (VM)<\/a> is an emulation of a computer system. What it means is that you can run another OS on your machine without the need to purchase additional hardware. In terms of security it gives you an option to run programs and open files you don\u2019t trust, which may contain malicious content, without infecting your machine. [6]<\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2017\/vm_1.png\" alt=\"VirtualBox\" \/>\nThis is what VirtualBox looks like<\/p>\n\n<p>You can use a VM when you receive emails with attachments which you were not expecting, i.e. an email from a known address but with an unusual attachment. This attachment could possibly be infected. If you open this attachment in the VM, even if the VM\u2019s OS gets infected, your base OS and all your files will be fine. There are many different VM software solutions and you are free to choose the one that you find best. 
I personally use VirtualBox.\nYou can install VirtualBox by running this command:<\/p>\n\n<figure class=\"highlight\"><pre><code class=\"language-bash\" data-lang=\"bash\">sudo apt-get install virtualbox-qt<\/code><\/pre><\/figure>\n\n<h5 id=\"encrypt-important-files\">Encrypt important files<\/h5>\n\n<p>It is good practice to encrypt your important personal files which you don\u2019t use on an everyday basis, so that even if someone knows your password and steals your machine, the attacker would not be able to access those files. To explain: when you use full disk encryption all your files are encrypted and an attacker wouldn\u2019t be able to read files without the correct password. But if an attacker finds out your password he\/she would be able to access all files. Now say you have some important files you don\u2019t want anyone to access: if you encrypt them and don\u2019t use them on an everyday basis, an attacker who finds your password would still not be able to access those files, since they require another password. I\u2019d personally recommend using <a href=\"https:\/\/en.wikipedia.org\/wiki\/VeraCrypt\">VeraCrypt<\/a>.<\/p>\n\n<p><img src=\"https:\/\/uzakov.io\/public\/images\/2017\/veracrypt.png\" alt=\"Veracrypt\" \/><\/p>\n\n<p>I would like to end this guide by explaining what it protects from and doesn\u2019t protect from. It protects you when you visit websites on the internet, since even if a website is infected it will not be able to infect your machine. 
It protects you from data loss through theft, it protects you when you receive malicious files in emails, and it protects you from websites spying on you.<\/p>\n\n<p>It doesn\u2019t protect you from APTs, the NSA, someone who saw your password and has access to your machine when you are not present, 0day exploits, a machine that was already infected, or bad practices.<\/p>\n\n<p>[1] In this guide I am not mentioning the threat agent for a number of reasons. For most users who will be using this guide, the threat will likely be coming from random viruses and hackers of medium skill. It also does not cover a number of things such as compiling your own kernel, securing the machine from RAM attacks, evil maid attacks, etc., since those are not often used in the wild. This guide was not written to secure your machine from APT actors, organised criminal groups and state actors.\n[2] You can reset the BIOS password in some scenarios: <a href=\"http:\/\/www.computerhope.com\/issues\/ch000235.htm\">http:\/\/www.computerhope.com\/issues\/ch000235.htm<\/a>\n[3] An attacker can still gain higher-level rights from working under a non-sudo user: <a href=\"https:\/\/en.wikipedia.org\/wiki\/Privilege_escalation\">https:\/\/en.wikipedia.org\/wiki\/Privilege_escalation<\/a>. Also, if you are running Wine you can catch viruses written for Windows.\n[4] This text about ufw was taken from the DO tutorial: <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server#conclusion\">https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server#conclusion<\/a>\n[5] <a href=\"https:\/\/heimdalsecurity.com\/blog\/javascript-malware-explained\/\">https:\/\/heimdalsecurity.com\/blog\/javascript-malware-explained\/<\/a>\n[6] There are exceptions, and there have been some cases of exploits escaping from a VM. 
Those are very rare, technically complex and not used in the wild, since that drops their value. I would not expect an average user to get pwned by a 0day exploit allowing escape from a VM environment.<\/p>\n\n<p>The material and information contained in this guide is for educational purposes only. You should not rely upon the material or information provided here as a basis for making any business, legal or any other decisions. I make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the websites or the information, products, services or related graphics contained in this guide for any purpose. Any reliance you place on such material is therefore strictly at your own risk. I take no responsibility for issues caused by this project or misuse of the information given.<\/p>\n"},{"title":"Why Edward Snowden is wrong and SMS protocol is broken","link":{"@attributes":{"href":"https:\/\/uzakov.io\/2016\/10\/12\/why-edward-snowden-is-wrong\/"}},"updated":"2016-10-12T00:00:00+00:00","id":"https:\/\/uzakov.io\/2016\/10\/12\/why-edward-snowden-is-wrong","content":"<div class=\"message\">\n  See original post on <a href=\"https:\/\/medium.com\/@uzakov\/why-edward-snowden-is-wrong-and-sms-protocol-is-broken-c80b5bc450a6\">Medium<\/a>\n<\/div>\n<p>It all started a while back when I was watching an amazing talk from Defcon <a href=\"https:\/\/www.youtube.com\/watch?v=DU8hg4FTm0g\">https:\/\/www.youtube.com\/watch?v=DU8hg4FTm0g<\/a> and I decided to read more into SMS and telecom technology.<\/p>\n\n<p>Research into this topic turned up a couple of companies offering internet-to-SMS message delivery. I went with (name not given due to privacy) since they provide a nice API and enough documentation. After doing a proof-of-concept SMS spoof on myself and a couple of other phone numbers on different networks, it worked flawlessly! 
The owners of the other phone numbers were told what was happening and gave their permission prior to testing. Even using so-called safe messengers, such as Signal, which was recommended by Snowden, doesn\u2019t save you, since the receiving phone has no way of validating the SMS text message.<\/p>\n\n<p>To show the possible implications, let\u2019s imagine a situation: your friend got a new and exciting job in a big company. One afternoon, the boss leaves the office. Later, your friend receives a text message from his\/her boss saying that they have forgotten some documents and need them urgently. They will send their nephew, whose name is, say, Alikhan, to pick them up. They inform your friend that the nephew is already on his way. Do you think your friend would give those documents to Alikhan? You would be surprised how many people would do this as long as it came from their boss\u2019s phone number.<\/p>\n\n<p>To top this off, (name not given due to privacy) even offers a couple of free SMS if you validate your mobile number. With this feature in mind, a bad person can buy a prepaid SIM from a small shop in a different town without revealing their identity. The next thing they would need is an email address, which one can register completely anonymously by using a VPN and spoofing the browser\u2019s User-Agent.<\/p>\n\n<p>How it works<\/p>\n\n<p>The SMS standard defines what information is sent in a text message, what bits of binary code make up each letter, and how this data is organised so that sending and receiving devices can communicate with each other. The actual data format for the message includes things like the length of the message, a time stamp, the destination phone number, and of course the actual message.\nAfter the sender and receiver information comes a protocol identifier and a tag identifying the data encoding scheme used in the message, which allows different receivers to know how to decode the actual message. 
There\u2019s also a time stamp and information on the length of the user\u2019s message before the user\u2019s actual message is encoded.<\/p>\n\n<p>As for the message itself, as already mentioned it can contain up to 160 characters, where each character is defined by the 7-bit GSM alphabet. A 7-bit alphabet results in 128 (2\u2077) available letters, numbers and pieces of punctuation which can be used to create an SMS message. For example, 48656C6C6F is the GSM alphabet equivalent of the word Hello.\nAbove is a short explanation of the SMS message structure. One can edit the variables, and on most networks the operator wouldn\u2019t check whether the sender and the sender number are the same. After the bad guys change the FROM header they can send this SMS to the victim. Network operators keep logs but perform no server-side verification.<\/p>\n\n<p>TL;DR\nDon\u2019t use SMS text messages for communication; call the sender if unsure. The SMS protocol is broken.\nUpdate 1:\nSome people requested to see proof and images. Here they are:\n<img src=\"https:\/\/uzakov.io\/public\/images\/2016\/signal.jpeg\" alt=\"Signal\" \/><\/p>\n"}]}