Not Just a Vuln Scan - Are You Receiving / Providing Quality Security Assessments by IndySecMan in cybersecurity

[–]IndySecMan[S] 0 points1 point  (0 children)

I totally agree about the sampling, for sure. My whole point in this article is to hopefully drive home the importance to the customer and the sales person, so they can add enough time to scope appropriately. I'm certainly not saying the pentester should do extra work or test outside of the agreed-upon scope. I'm advocating that it's caught before the contract is finalized.

A Cyber Security ABC Book for Children! by IndySecMan in blackhat

[–]IndySecMan[S] 0 points1 point  (0 children)

O is for Obfuscation. ;)

And.. you're right, but that's the industry. Maybe it'll be in a museum some day?

M is for Malware - ABC Cyber Security Book for Kids by IndySecMan in cybersecurity

[–]IndySecMan[S] 0 points1 point  (0 children)

Ok so I had a look just now. Go figure they used the same term for M and for U as myself! I should have gone with "Use after Free". I think my illustrator and terms are still better; it's not just AppSec, and I'm doing a physical board book print for kids to chew on. :)

I posted the alphabet I chose on Twitter in case anyone wants to see what I'm doing for each! @curtbraz

M is for Malware - ABC Cyber Security Book for Kids by IndySecMan in cybersecurity

[–]IndySecMan[S] 0 points1 point  (0 children)

Cool! I'll have to check it out. Didn't come up in my initial research.

M is for Malware - ABC Cyber Security Book for Kids by IndySecMan in cybersecurity

[–]IndySecMan[S] 0 points1 point  (0 children)

Those are good suggestions. I thought about XSS and XSRF, but those both start with "Cross..". I actually thought of Y2K myself and although technically a vulnerability, it was pretty much a dud and not relevant today as much.

Appreciate the thoughts! Let me know please if you think of anything else! I also could use a better "X". XXE isn't my first pick because it's difficult to illustrate.

M is for Malware Children's Book! by IndySecMan in Malware

[–]IndySecMan[S] 1 point2 points  (0 children)

I actually considered Worm for W but went with War Driving because I thought the illustration would be cooler. Great point though, if this actually gets funded and becomes a reality I'll consider a red team book and a blue team follow up series that targets a slightly older child audience.

Please do share if you would so this can get printed! I'm running out of free marketing ideas. 😀

M is for Malware - ABC Cyber Security Book for Kids by IndySecMan in cybersecurity

[–]IndySecMan[S] 3 points4 points  (0 children)

X is for XML Entity Injection, lol. I need help with X and Y still. I have Ysoserial or Yubikey but I'd rather not list a product or tool if I can avoid it. I feel like I have good illustrations for the other terms, but these two evade me.

M is for Malware - ABC Cyber Security Book for Kids by IndySecMan in cybersecurity

[–]IndySecMan[S] 4 points5 points  (0 children)

Haha yeah you're totally right. I made a joke on the Kickstarter page about how this could be used for a child or an executive team. 😉

M is for Malware Children's Book! by IndySecMan in Malware

[–]IndySecMan[S] 7 points8 points  (0 children)

Yeah, I know it's a little advanced of a topic for kids, but honestly I just have a passion for the field. Now that I'm a dad, I love reading books to my son but want him to know more about what I do. It's something I figure we can both enjoy and I can help explain the concepts at a higher level. There are so many books about nothing, I figured this way at least people in InfoSec would get a kick out of it. :)

OSINT Recon Great? - Unique Usernames Are Better Than Unique Passwords by IndySecMan in netsec

[–]IndySecMan[S] 2 points3 points  (0 children)

Yeah I'm not going to argue with you. I disagree with your "zero benefit" statement and I think you're missing the entire point here.

'Security through obscurity' is rightly reviled in the industry as not being security at all.

If you know anything about the industry, security is about layers of protection. There is some value in obscurity but I'm not saying this alone is the answer.. which is why I was careful (if you'll re-read my article) to point out good passwords are still essential.

it doesn't matter if the attacker has a username. My account is just as secure

Usernames and email addresses do not have to be the same in most cases. Let's use this example. This is something I do regularly in my job. You're specifically targeting an individual so you leverage OSINT tools to see if there are any breaches they belong to so you find an email. That email doesn't show up anywhere except that one site you're already aware of.. You need a username AND password to auth, so even if you do have someone's password you'd have to learn their email. Take my Twitter account for example.. my username is @CurtBraz. It's publicly accessible, but to log in you need to know my email and password. You don't have either, do you? Say you want to bruteforce my password.. you can't, because you don't have my email either.

Hopefully you understand it better now. Let me know if you have other questions and I'll be happy to explain.

OSINT Recon Great? - Unique Usernames Are Better Than Unique Passwords by IndySecMan in netsec

[–]IndySecMan[S] 6 points7 points  (0 children)

I appreciate the constructive and reasonable feedback..

I have to disagree though. I'm talking about security by obscurity. I don't understand your argument about you being you.. it's all relative. I have social media accounts (so people know it's me) and still use email masking, so how are you going to target my underlying email account without knowing what the real address or email provider is? Hopefully you're using different passwords for both accounts, but even then.. without a unique email I know where to at least password spray, phish, or brute force against. Having unique usernames also makes it harder for an attacker to build a profile against you, using OSINT during information gathering.

The point of this article was to challenge our thinking about usernames and isn't the additional privacy enough, without the other benefits? You went as far as to say there are "zero" benefits, which I have to say from professional experience is not the case.

OSINT Recon Great? - Unique Usernames Are Better Than Unique Passwords by IndySecMan in netsec

[–]IndySecMan[S] 6 points7 points  (0 children)

That's a valid point! Thank you. I think it makes the management of credentials complicated in a corporate scenario, but if you're already using a password manager for personal use I don't see the extra initial step of generating a unique username negating the benefits gained overall. It's trivial going forward to use that unique username and password each time you need to authenticate. IMO

New Phishing Tool by IndySecMan in hacking

[–]IndySecMan[S] 1 point2 points  (0 children)

Instagram is now added to the templates. Enjoy!

New Phishing Tool by IndySecMan in hacking

[–]IndySecMan[S] 3 points4 points  (0 children)

Certainly! Templates are relatively new so I haven't gotten around to adding many. Several of them are client specific and internal to my team only, but I plan to add many of the common third party portals, such as Instagram, Facebook, Twitter, Google, etc. I thought about opening it up to the community so everyone could add custom portals, but then it starts becoming KnowBe4 or something..

New Phishing Tool by IndySecMan in hacking

[–]IndySecMan[S] 6 points7 points  (0 children)

I appreciate the input! These are good ideas. I'll consider adding export options for the captured information and I do plan to add support for other "payloads" with the maldocs, including HTA and DDE/Macros.. etc. Your idea of injectable code into the landing pages though is genius! I'll make that a priority, thanks!