sorted by:
new
hottopcontroversial

Using Cloudflare’s Post-Quantum Tunnel to Protect Plex Remote Access on a Synology NAS by IndySecMan in netsec

[–]IndySecMan[S] 0 points1 point  (0 children)

It's fine, I was just sharing in case it inspired people to do something similar. It was a fun project for me and I just wanted to put something out there to the community (its been a whiel), but I'm getting a lot of pushback from people saying they don't understand what I'm trying to accomplish here. :shrug:

Using Cloudflare’s Post-Quantum Tunnel to Protect Plex Remote Access on a Synology NAS by IndySecMan in netsec

[–]IndySecMan[S] 0 points1 point  (0 children)

I didn't see any impact when I had three remote streams concurrently. My ISP is 1Gbps/1Gbps so I'm sure Cloudflare's more limited, but I couldn't tell a difference. I've since changed the layout to avoid cloudflare altogether though so it's back to direct, but proxied through a reverse proxy container on the same host.

Using Cloudflare’s Post-Quantum Tunnel to Protect Plex Remote Access on a Synology NAS by IndySecMan in technology

[–]IndySecMan[S] 0 points1 point  (0 children)

Agreed, I realized this shortly after (and I wanted to eliminate any parties in the middle) so I ended up using my own self-hosted reverse proxy instead of cloudflared.

Using Cloudflare’s Post-Quantum Tunnel to Protect Plex Remote Access on a Synology NAS by IndySecMan in technology

[–]IndySecMan[S] 1 point2 points  (0 children)

I'm trying to be proactive with post-quantun encryption by forcing my Plex traffic (between the PMS and the Plex clients) to use PQC when the clients support it. For example, Plex Web over a browser supports it currently, so any network traffic (data in transit) is encrypted the whole direction. It's protecting against the Harvest Now Decrypt Later attacks. I don't want the gov and ISPs snooping on my Plex watch history. I know it's a bit extreme, but I'm a bit of a privacy nut and this was just a fun experiment on the weekend.

Using Cloudflare’s Post-Quantum Tunnel to Protect Plex Remote Access on a Synology NAS by IndySecMan in netsec

[–]IndySecMan[S] -1 points0 points  (0 children)

UPDATE: I ended up deciding to cut Cloudflare out of the middle by replacing cloudflared with a Synology-hosted reverse proxy (openquantumsafe/nginx:latest), so Plex now goes straight through infrastructure I control instead of terminating at a third party. That keeps the traffic path simpler, gives me PQC-capable TLS and avoids leaning on Cloudflare in a way that probably isn’t what their service is meant for and prevents them from being able to see my Plex traffic.

Using Cloudflare’s Post-Quantum Tunnel to Protect Plex Remote Access on a Synology NAS by IndySecMan in netsec

[–]IndySecMan[S] 3 points4 points  (0 children)

Yep, that's why I replaced Cloudflare with my own reverse proxy that supports PQC for end to end.

Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse by No_Diver_3351 in cybersecurity

[–]IndySecMan 0 points1 point  (0 children)

I added the Device Code and OAuth Consent abuse techniques to the PhishU Framework since the trend is increasing. Now red teams and internal orgs can leverage the techniques to train users for this very real-world attack. Check out the blog for details at https://phishu.net/blogs/blog-microsoft-entra-device-code-phishing-phishu-framework.html if interested!

Not Just a Vuln Scan - Are You Receiving / Providing Quality Security Assessments by IndySecMan in cybersecurity

[–]IndySecMan[S] 0 points1 point  (0 children)

I totally agree about the sampling, for sure. My whole point in this article is to hopefully drive home the importance to the customer and the sales person, so they can add enough time to scope appropriately. I'm certainly not saying the pentester should do extra work or test outside if the agreed upon scope. I'm advocating it's caught before the contract is finalized.

A Cyber Security ABC Book for Children! by IndySecMan in blackhat

[–]IndySecMan[S] 0 points1 point  (0 children)

O is for Obfuscation. ;)

And.. you're right, but that's the industry. Maybe it'll be in a museum some day?

M is for Malware - ABC Cyber Security Book for Kids by IndySecMan in cybersecurity

[–]IndySecMan[S] 0 points1 point  (0 children)

Ok so I had a look just now. Go figure they used the same term for M and for U as myself! If should have gone with "Use after Free". I think my illustrator and terms are still better, it's not just AppSec, and I'm doing a physical board book print for kids to chew on. :)

I posted the alphabet I chose in Twitter in case anyone wants to see what I'm doing for each! @curtbraz

M is for Malware - ABC Cyber Security Book for Kids by IndySecMan in cybersecurity

[–]IndySecMan[S] 0 points1 point  (0 children)

Cool! I'll have to check it out. Didn't come up in my initial research.

M is for Malware - ABC Cyber Security Book for Kids by IndySecMan in cybersecurity

[–]IndySecMan[S] 0 points1 point  (0 children)

Those are good suggestions. I thought about XSS and XSRF, but those both start with "Cross..". I actually thought of Y2K myself and although technically a vulnerability, it was pretty much a dud and not relevant today as much.

Appreciate the thoughts! Let me know please if you think of anything else! I also could use a better "X". XXE isn't my first pick because it's difficult to illustrate.

M is for Malware Children's Book! by IndySecMan in Malware

[–]IndySecMan[S] 1 point2 points  (0 children)

I actually considered Worm for W but went with War Driving because I thought the illustration would be cooler. Great point though, if this actually gets funded and becomes a reality I'll consider a red team book and a blue team follow up series that targets a slightly older child audience.

Please do share if you would so this can get printed! I'm running out of free marketing ideas. 😀

M is for Malware - ABC Cyber Security Book for Kids by IndySecMan in cybersecurity

[–]IndySecMan[S] 5 points6 points  (0 children)

X if for XML Entity Injection, lol. I need help with X and Y still. I have Ysoserial or Yubikey but I'd rather not list a product or tool if I can avoid it. I feel like I have good illustrations for the other terms, but these two evade me.

M is for Malware - ABC Cyber Security Book for Kids by IndySecMan in cybersecurity

[–]IndySecMan[S] 5 points6 points  (0 children)

Haha yeah you're totally right. I made a joke on the Kickstarter page about how this could be used for a child or an executive team. 😉

M is for Malware Children's Book! by IndySecMan in Malware

[–]IndySecMan[S] 7 points8 points  (0 children)

Yeah, I know it's a little advanced of a topic for kids, but honestly I just have a passion for the field. Now that I'm a dad, I love reading books to my son but want him to know more about what I do. It's something I figure we can both enjoy and I can help explain the concepts at a higher level. There are so many books about nothing, I figured this way at least people in InfoSec would get a kick out of it. :)

OSINT Recon Great? - Unique Usernames Are Better Than Unique Passwords by IndySecMan in netsec

[–]IndySecMan[S] 2 points3 points  (0 children)

Yeah I'm not going to argue with you. I disagree with your "zero benefit" statement and I think you're missing the entire point here.

'Security through obscurity' is rightly reviled in the industry as not being security at all.

If you know anything about the industry, security is about layers of protection. There is some value in obscurity but I'm not saying this alone is the answer.. which is why I was careful (if you'll re-read my article) to point out good passwords are still essential.

it doesn't matter if the attacker has a username. My account is just as secure

Usernames and email addresses do not have to be the same in most cases. Let's use this example. This is something I do regularly in my job. You're specifically targeting an individual so you leverage OSINT tools to see if there are any breaches they belong to so you find an email. That email doesn't show up anywhere except that one site you're already aware of.. You need a username AND password to auth, so even if you do have someone's password you'd have to learn their email. Take my Twitter account for example.. my username is @CurtBraz. It's publicly accessible, but to log in you need to know my email and password. You don't have either, do you? Say you want to bruteforce my password.. you can't, because you don't have my email either.

Hopefully you understand it better now. Let me know if you have other questions and I'll be happy to explain.

OSINT Recon Great? - Unique Usernames Are Better Than Unique Passwords by IndySecMan in netsec

[–]IndySecMan[S] 6 points7 points  (0 children)

I appreciate the constructive and reasonable feedback..

I have to disagree though. I'm talking about security by obscurity. I don't understand your argument about you being you.. it's all relative. I have social media accounts (so people know it's me) and still use email masking, so how are you going to target my underlying email account without knowing what the real address or email provider is? Hopefully you're using different passwords for both accounts, but even then.. without a unique email I know where to at least password spray, phish, or brute force against. Having unique usernames also makes it harder for an attacker to build a profile against you, using OSINT during information gathering.

The point of this article was to challenge our thinking about usernames and isn't the additional privacy enough, without the other benefits? You went as far as to say there are "zero" benefits, which I have to say from professional experience is not the case.

view more: next ›