Category: Security

OpenVPN reconnect

My OpenVPN connection likes to have difficulty and go yellow (stuck reconnecting) from time to time.  The problem with this is twofold: any and all downloads stop when the VPN is absent, and when I’m not home, connecting to my server is more difficult once the VPN has hung up.  The simplest fix for now is just to restart/reconnect the VPN daily.

I use OpenVPN with PIA.

First thing to do is create an autologin VPN profile.  See how to do that here.  Yes yes, there are inherent security issues with this: an autologin profile keeps your VPN credentials in a plain text file next to the profile, so at the very least restrict that file’s permissions to your own account.  Obviously if you’re worried about that you’re not in the market for this solution in the first place.

After creating and testing your autologin, create a daily task (preferably at a time when you know your host box will be idle).  Add the following Actions:

Set --connect in the third program-start action to point to the .ovpn file you created for autologin (openvpn-gui’s --connect option takes the profile’s file name).  Make sure to set this task to Run with highest privileges to avoid UAC prompts interrupting the process.
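The same task built from PowerShell rather than clicked together in Task Scheduler, as an added example that is not part of the original post.  It assumes OpenVPN GUI at its default install path, an autologin profile named pia-autologin.ovpn in OpenVPN’s config folder, and 04:00 as the idle hour; the two taskkill actions are my guess at what the first two program starts look like.

```powershell
# Added example (not from the original post): build the daily reconnect task from
# PowerShell. Assumptions: OpenVPN GUI at its default install path, an autologin profile
# named pia-autologin.ovpn in OpenVPN's config folder, 04:00 as the idle time.
# Run from an elevated PowerShell.
$OpenVpnGui  = 'C:\Program Files\OpenVPN\bin\openvpn-gui.exe'
$ProfileName = 'pia-autologin.ovpn'   # file name only; openvpn-gui looks in its config folder

# Three program-start actions, run in order: kill the GUI, kill any stuck openvpn.exe,
# then start the GUI with --connect. The last one goes through "cmd /c start" so the
# task is finished as soon as the GUI is launched, instead of Task Scheduler tracking
# the GUI process (and eventually stopping it at the task's execution time limit).
$actions = @(
    New-ScheduledTaskAction -Execute 'taskkill.exe' -Argument '/F /IM openvpn-gui.exe'
    New-ScheduledTaskAction -Execute 'taskkill.exe' -Argument '/F /IM openvpn.exe'
    New-ScheduledTaskAction -Execute 'cmd.exe' `
        -Argument "/c start `"`" `"$OpenVpnGui`" --connect `"$ProfileName`""
)

$trigger = New-ScheduledTaskTrigger -Daily -At '04:00'

# RunLevel Highest is the "Run with highest privileges" checkbox: no UAC prompt for taskkill.
# LogonType Interactive runs it in your desktop session so the GUI's tray icon shows up
# (which also means it only fires while you are logged on).
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType Interactive -RunLevel Highest

# If the box was asleep at 04:00, run the task as soon as it is back.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable

Register-ScheduledTask -TaskName 'Reconnect PIA VPN' -Action $actions -Trigger $trigger `
    -Principal $principal -Settings $settings -Force
```

Task Scheduler runs the actions in order regardless of exit code, so the two taskkill lines don’t break the task when nothing is running yet; check the result with Get-ScheduledTaskInfo -TaskName 'Reconnect PIA VPN' after the first run.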

Windows – Force Applications to Use VPN

Got an app you want to work only when connected to VPN?  Have Windows Firewall do the work for you.

First, connect to your VPN.  Then, make sure the connection Windows has placed on the Public profile is your VPN connection.  You can check this by opening Network and Sharing Center.  In the example below, clicking on Ethernet 3 on the Unidentified network reveals the VPN IP address.
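The firewall side of this, as an added example that is not from the original post: two block rules that cover every profile except the one the VPN adapter sits on.  It assumes Windows has put the VPN adapter on the Public profile (as checked above) and your home LAN on Private; the program path is a placeholder.

```powershell
# Added example (not from the original post): confine one program to the VPN with
# Windows Firewall block rules. Assumptions: the VPN adapter is on the Public profile,
# the physical LAN is on Domain/Private, and the program path below is a placeholder.
$App = 'C:\Apps\downloader.exe'

# Which adapter is on which profile? The VPN adapter should be the only Public one.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity

# Block the program on Domain and Private, i.e. on every profile except the VPN's.
# Nothing touches the Public profile, so the program keeps working while the VPN is up;
# block rules beat the default outbound-allow, so it stops the moment traffic would
# leave via the physical (Private) adapter instead.
$common = @{ Program = $App; Action = 'Block'; Profile = 'Domain, Private' }
New-NetFirewallRule -DisplayName 'VPN only - downloader (out)' -Direction Outbound @common
New-NetFirewallRule -DisplayName 'VPN only - downloader (in)'  -Direction Inbound  @common

# Verify the scope: Profile should read "Domain, Private" for both rules.
Get-NetFirewallRule -DisplayName 'VPN only - downloader*' |
    Select-Object DisplayName, Direction, Action, Profile
```

One caveat a practitioner will want: this hinges on profile classification.  If Windows ever decides your coffee-shop Wi-Fi (Public) is where the app may talk, or re-classifies the VPN adapter as Private, the app leaks.  Pinning the block rules to the physical adapter with -InterfaceAlias instead of -Profile is more robust if your adapter names are stable.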

Continue reading

Pale Moon and HTTPS Everywhere

For reasons I won’t get into here, the EFF has decided for now not to support Pale Moon, which is my current browser of choice (sideplug:  Like Firefox but tired of it gobbling all your resources and crashing?  Pale Moon my friend).  The inability to install HTTPS Everywhere nearly had me leaving Pale Moon until I discovered that there’s a fork of it out there that works!  So use Pale Moon, and install Encrypted Web (and uBlock Origin).

TrueCrypt – No longer safe?

Bad news.  A serious flaw in TrueCrypt has been found: a bug in its Windows driver that lets a local attacker escalate privileges and take full control of the system.  The worse news?  There’s no truly trustworthy TC successor for Windows out there in the wilds so far.  Microsoft and Symantec both offer encryption solutions, but they’re closed source and there’s no way to rule out back doors.  VeraCrypt is a fork of TC (and did patch this driver bug), but so far there’s nothing to generate any confidence that it too isn’t compromised.

The good news, I suppose, is that so far it appears that TrueCrypt on Linux doesn’t have this newly found flaw.  Also, it seems this flaw requires the machine to be on and in Windows.  In other words, if your fully disk encrypted machine is powered down, or your drives are removed or are external and the machine isn’t with them, your data remains safe.  Cold comfort, really.

AVG selling your browser history?

According to this reddit thread, yes.  Time to move on if you’re using it.  See below from their current privacy policy.  Emphasis mine.

We collect non-personal data to make money from our free offerings so we can keep them free, including: Advertising ID associated with your devices; Browsing and search history, including meta data; Internet service provider or mobile network you use to connect to our products; and Information regarding other applications you may have on your device and how they are used. Sometimes browsing history or search history contains terms that might identify you. If we become aware that part of your browsing history might identify you, we will treat that portion of your history as personal data, and will anonymize this information. We may also aggregate and/or anonymize personal data we collect about you. For instance, although we would consider your precise location to be personal data if stored separately, if we combined the locations of our users into a data set that could only tell us how many users were located in a particular country, we would not consider this aggregated information to be personally identifiable.

That’s a huge italicized if.  Basically a get out of jail free card.  IF we become aware that we’re collecting identifying data.  If we don’t, well, sorry.  We weren’t aware.

Server has a weak ephemeral Diffie-Hellman public key


The other day my neighbor headed to a United Airlines affiliated site in Chrome to book a trip and was greeted with “Server has a weak ephemeral Diffie-Hellman public key.”  Full stop.  She could not continue on to the site.  This is happening because of Logjam, an attack in the wild on a flaw in the Transport Layer Security protocol (a fancy way of saying the supposedly secure way in which a web server communicates with your browser).  It is a Man in the Middle attack: someone sitting between you and your destination tricks a server that still supports weak (export-grade, 512-bit) Diffie-Hellman groups into using one, breaks that key, and reads your conversation.  Browsers responded by refusing any server that hands over a Diffie-Hellman key shorter than 1024 bits, and that refusal is the error she hit.  You can read more about this here.

The solution is, unfortunately, out of your hands.  Your browser isn’t broken; the site you’re trying to get to is.  And, as evidenced by it affecting a United Airlines site, there are some heavy hitters who are vulnerable.  Any site still handing out a Diffie-Hellman group shorter than 1024 bits gets refused outright, and the advice from the Logjam researchers is to go straight to a fresh 2048-bit group, since the widely shared 1024-bit groups are believed to be within reach of a nation-state attacker.
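If you want to see for yourself whether a site is handing out a weak group (rather than guessing from the browser error), the following is an added example, not from the original post.  It drives openssl s_client from PowerShell, forcing an ephemeral-DH cipher suite so the server has to reveal its group; it assumes openssl.exe (1.0.2 or later, which prints the “Server Temp Key” line) is on your PATH, and the hostname at the bottom is a placeholder.

```powershell
# Added example (not from the original post): ask a server for a DHE cipher suite and
# report the size of the Diffie-Hellman group it sends back. Assumes openssl.exe 1.0.2+ on PATH.
function Get-ServerDhBits {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    # Offer only ephemeral-DH suites over TLS 1.2, so the server must send a DH group
    # (if ECDHE or RSA were on offer, most servers would pick those and never show it).
    $out = '' | & openssl s_client -connect "${HostName}:${Port}" -servername $HostName `
                  -tls1_2 -cipher 'kEDH' 2>$null | Out-String

    if ($out -match 'Server Temp Key:\s*DH,\s*(\d+)\s*bits') { return [int]$Matches[1] }
    return $null   # no DHE suite agreed (server only does ECDHE/RSA) or the handshake failed
}

function Test-DhStrength {
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        $bits = Get-ServerDhBits -HostName $h
        $verdict = if ($null -eq $bits)    { 'no DHE offered; this check does not apply' }
                   elseif ($bits -lt 1024) { "WEAK: $bits-bit group, current browsers refuse it" }
                   elseif ($bits -lt 2048) { "$bits-bit group: accepted today, but move to 2048" }
                   else                    { "$bits-bit group: OK" }
        [pscustomobject]@{ Host = $h; DhBits = $bits; Verdict = $verdict }
    }
}

# Usage (hostname is a placeholder):
Test-DhStrength -Hosts 'www.example.com' | Format-Table -AutoSize
```

A $null result is not a clean bill of health on its own: a server that prefers ECDHE but still accepts a weak DHE suite is exactly what the downgrade half of Logjam exploits, which is why the check forces DHE rather than letting the server choose.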

But in the meantime, what if you really, really need to get to that site?  I’d tell you to try to contact the site owners and tell them to get it together, but realistically that’s not so easy (can you imagine calling United’s customer service and saying to the phone jockey who answered “Hey, y’all need to upgrade your Diffie-Hellman parameters on your site because currently it’s vulnerable to the Logjam attack and any decent browser isn’t allowing your site to load.”  Yeah, you’ll get traction there).  So how do you get to the site?  So far there doesn’t appear to be a way to tell Chrome to continue.  You can try switching from HTTPS to HTTP, but most likely you’re hitting a login page and will be forced back to HTTPS (and the error); and if it does work, you’re now sending everything in the clear, which is worse than the problem you were avoiding.  You can, however, tell Firefox to stop offering the affected cipher suites, which lets it get through to these sites.   Open a new tab and in the address field enter:

about:config

This opens the browser’s sekrit settings.  Get past the warning, and then locate these two settings:

security.ssl3.dhe_rsa_aes_128_sha

security.ssl3.dhe_rsa_aes_256_sha

By default these are set to true.  Change them to false and Firefox stops offering the DHE cipher suites, so the server picks something else (ECDHE if it has it, otherwise plain RSA key exchange, which gives up forward secrecy) and the weak Diffie-Hellman group never comes into play; you’ll be able to hit the affected site.  I STRONGLY recommend only doing this on a site you absolutely trust, and only in situations where there’s absolutely no other recourse, and I recommend changing these back to true as soon as you’re done on that site.

More info on Microsoft’s push to track Windows 7 and 8 users

Surely you’ve already read that Windows 10 includes some pretty disappointing user tracking baked into it.  Microsoft is also pushing this tracking down to its Windows 7 and 8 operating systems.

Aside:  I get the Win 10 thing.  It’s free.  Do what you want with your free operating system.  But quietly inserting anti-privacy shit into operating systems that people have already paid for?  Ludicrous.  Offensive.  Ridiculous.  It’s prompted me to finally get off my ass and move all the machines I can off of Windows and onto Linux, for good.

Anyway, yeah, MS is pushing this stuff into your operating system without really giving you any indication.  The current list of updates that should trouble you, with the command to remove each one (run from an elevated command prompt), is as follows:

wusa /uninstall /KB:2952664 /norestart /quiet
wusa /uninstall /KB:2990214 /norestart /quiet
wusa /uninstall /KB:3021917 /norestart /quiet
wusa /uninstall /KB:3022345 /norestart /quiet
wusa /uninstall /KB:3035583 /norestart /quiet
wusa /uninstall /KB:3044374 /norestart /quiet
wusa /uninstall /KB:3068708 /norestart /quiet
wusa /uninstall /KB:3075249 /norestart /quiet
wusa /uninstall /KB:3080149 /norestart /quiet

In fact, you can save the above to a .bat file and run it as administrator.  This takes them off, but unfortunately doesn’t prevent them from presenting themselves for install in the future.  To fix that you’ll have to head to Windows Update, let it scan for what you’re missing, and then go through that list hunting for each of these.  When you come across one, right-click it and choose to hide it.
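The hiding step can be scripted too.  The following is an added example, not from the original post: it uninstalls whichever of the listed KBs are actually present, then uses the Windows Update Agent COM API to mark the same KBs hidden so they stop being offered, which is what the right-click does.  It assumes the same KB list as the .bat above and an elevated PowerShell session (hiding an update fails with access denied otherwise).

```powershell
# Added example (not from the original post): remove the listed updates and hide them from
# future Windows Update scans. Assumes the KB list above and an elevated PowerShell session.
$Kbs = '2952664','2990214','3021917','3022345','3035583','3044374','3068708','3075249','3080149'

# Pass 1: uninstall only what is actually installed, one at a time, waiting for each.
$installed = (Get-HotFix).HotFixID          # entries look like 'KB2952664'
foreach ($kb in $Kbs) {
    if ($installed -contains "KB$kb") {
        Write-Host "Uninstalling KB$kb"
        Start-Process -FilePath 'wusa.exe' -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait
    }
}

# Pass 2: scan for updates that are not installed and not yet hidden, and hide ours.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$hidden = @()
foreach ($update in $result.Updates) {
    # KBArticleIDs holds bare numbers ('2952664'); one update can carry several.
    $match = @()
    foreach ($id in $update.KBArticleIDs) { if ($Kbs -contains $id) { $match += $id } }
    if ($match.Count -gt 0) {
        $update.IsHidden = $true              # the same thing as right-click, "Hide update"
        $hidden += "KB$($match -join ', KB') : $($update.Title)"
    }
}

Write-Host "Hidden $($hidden.Count) update(s):"
$hidden | ForEach-Object { Write-Host "  $_" }
```

Run it again after each Patch Tuesday: a KB that was already hidden is skipped by the IsHidden=0 search, so only newly offered ones show up in the output.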

This is the list for now… I sincerely doubt this is where it will end, however.  Have you tried Linux lately?

Active Directory Account Lockout – Creation – Deletion – Disable monitoring

We’ve used a variety of third-party tools to monitor Active Directory domain account changes.  They’ve all either been expensive or kind of sucked (or, unfortunately, both).  But if you’re running a relatively new OS on your domain controller you can use the magick of PowerShell to ship you alerts on account changes!  PowerShell can monitor the local Security Event Log on your controller and ship you an email when events matching your description are entered.  Here’s an example PowerShell script:

Continue reading
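The post’s own script isn’t reproduced on this page, so here is an added example of the same idea, not the author’s code: it reads the four relevant Security events (4720 created, 4725 disabled, 4726 deleted, 4740 locked out) from the domain controller’s log, pulls the account and actor out of the event XML, and mails a summary.  It assumes the “User Account Management” and “Account Lockout” audit subcategories are enabled on the DC; the SMTP host and addresses are placeholders.

```powershell
# Added example (not the script from the original post): e-mail a summary of account
# lockout / creation / deletion / disable events from a domain controller's Security log.
# Assumes auditing for User Account Management and Account Lockout is on; SMTP details are placeholders.
$EventMap = @{
    4720 = 'Account created'
    4725 = 'Account disabled'
    4726 = 'Account deleted'
    4740 = 'Account locked out'
}

function Get-AccountChangeEvents {
    param([int]$MinutesBack = 15, [string]$ComputerName = $env:COMPUTERNAME)

    $filter = @{ LogName = 'Security'; Id = 4720, 4725, 4726, 4740
                 StartTime = (Get-Date).AddMinutes(-$MinutesBack) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the XML instead of parsing the message
        # text, so this works regardless of the DC's display language.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Event   = $EventMap[[int]$e.Id]
            Account = $data['TargetUserName']
            # Domain for 4720/4725/4726; for 4740 this field is the computer the bad passwords came from.
            Where   = $data['TargetDomainName']
            # Admin who made the change; for 4740 it is the DC's own machine account.
            Actor   = $data['SubjectUserName']
        }
    }
}

function Send-AccountChangeAlert {
    param([object[]]$Events)
    if (-not $Events) { return }    # nothing happened, no mail
    $body = $Events | Sort-Object Time | Format-Table Time, Event, Account, Where, Actor -AutoSize | Out-String
    Send-MailMessage -SmtpServer 'smtp.example.internal' -From 'dc-alerts@example.internal' `
        -To 'secops@example.internal' -Subject "AD account changes: $($Events.Count) event(s)" -Body $body
}

# Schedule this on the DC every 15 minutes; the look-back window matches the interval.
Send-AccountChangeAlert -Events (Get-AccountChangeEvents -MinutesBack 15)
```

If the task ever runs late you can lose events at the window edge, so either give the look-back a minute of overlap (and accept the odd duplicate) or record the last RecordId you mailed and filter on that instead of time.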

Google Authenticator Application Passwords

I use Google Authenticator extensively, as I’m a big fan of multi-factor authentication.  In fact, I wish I could use it everywhere I’m required to input a password.

But when using it with your Google account it can get in the way of applications requiring access.  A thick mail client, for instance.  An app that publishes to YouTube.  An addon that syncs contacts.

Google has solved this problem by allowing the creation of app-specific passwords.  Works great.  But, as per usual with Google, finding the information you need can be problematic.  So, log into your Google account and head here:

https://security.google.com/settings/security/apppasswords