Connect to VPN on Startup Before Login

If, like me, you need to establish a VPN from one host to another, or to a secure management network, you may want the host to bring the tunnel up at boot rather than lose remote connectivity whenever the device reboots. In my case I chose OpenVPN Cloud as it was a simple two-node requirement; I obtained the host-specific configuration by following the guide from https://openvpn.net, which you can find here: https://openvpn.net/cloud-docs/switching-to-manual-profile-distribution-creating-a-device/

To achieve this with OpenVPN, download and install the OpenVPN client best suited to your environment from https://openvpn.net/index.php/open-source/downloads.html

Install the client; this guide assumes the defaults. Once complete, place your configuration file in the folder C:\Program Files\OpenVPN\config\ (this folder is writable only by administrators, which matters because the profile usually carries the client's private key) and open Task Scheduler. Click Action followed by Create Task, then name the task and provide a description as appropriate. Select Run whether user is logged on or not, tick Run with highest privileges, and in the Configure for dropdown choose the operating system the task is meant for.

Click the Triggers tab, then New, and set the task to begin At startup. I set the task to delay for 1 minute so the network stack is up first, but that is entirely up to you; once you are happy click OK. Click the Actions tab, leave the Action set to Start a program and enter the following under Program/script:

"C:\Program Files\OpenVPN\bin\openvpn-gui.exe"

Under Add arguments, enter the following so the correct profile is selected:

--connect YourVPNFileNameHere.ovpn

Next click the Conditions tab and deselect everything, unless you want one of the settings enabled (the default power condition, for example, would stop the task from starting on a laptop running on battery). Then open the Settings tab and leave the defaults, only adding a tick for Run task as soon as possible after a scheduled start is missed, in case the host gets caught up with other processes at boot. One default is worth a second look: Stop the task if it runs longer than 3 days will terminate openvpn-gui.exe, and with it the tunnel, after three days of uptime, so untick it if the VPN is expected to stay up. Then press OK.

Then all that is left is to test it: right-click the task and choose Run, or reboot, and confirm the tunnel comes up. Because the task runs whether or not you are logged on, the GUI runs in a non-interactive session and no tray icon will appear, so check the task state and the OpenVPN log rather than the tray.
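The same task can be registered from an elevated PowerShell session instead of clicking through Task Scheduler. The script below is an added example, not part of the original post: it creates the startup trigger with the one-minute delay, clears the power conditions, removes the three-day execution limit, runs the task under the current account without a stored password (S4U logon, which needs a local or domain account) with highest privileges, and then starts it to test. The profile file name and task name are placeholders, not values from the post.

```powershell
# Added example: register the startup task described above with PowerShell (run elevated).
# Placeholders, not values from the post: $ovpnProfile and $taskName.
$ovpnGui     = 'C:\Program Files\OpenVPN\bin\openvpn-gui.exe'
$configDir   = 'C:\Program Files\OpenVPN\config'
$ovpnProfile = 'YourVPNFileNameHere.ovpn'
$taskName    = 'OpenVPN at startup'

# Fail now rather than silently at boot if the profile is not where the GUI will look for it.
if (-not (Test-Path (Join-Path $configDir $ovpnProfile))) {
    throw "Profile '$ovpnProfile' not found in $configDir"
}

# Actions tab: Start a program, with --connect selecting the profile.
$action = New-ScheduledTaskAction -Execute $ovpnGui -Argument "--connect $ovpnProfile"

# Triggers tab: At startup, delayed one minute (ISO 8601 duration) so the network stack is up.
$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = 'PT1M'

# Conditions tab: everything deselected (the power conditions are on by default, so turn them off).
# Settings tab: run as soon as possible after a missed start, and no execution time limit,
# because the default 3-day limit would kill the GUI process and the tunnel with it.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -StartWhenAvailable -ExecutionTimeLimit ([TimeSpan]::Zero)

# General tab: run whether user is logged on or not (S4U, no password stored) with highest privileges.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType S4U -RunLevel Highest

Register-ScheduledTask -TaskName $taskName -Description 'Bring up the OpenVPN tunnel at boot' `
    -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null

# Test without rebooting: start the task and confirm it is still running a few seconds later
# (openvpn-gui.exe stays resident while the tunnel is up, so the task state should be Running).
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 5
$state = (Get-ScheduledTask -TaskName $taskName).State
if ($state -ne 'Running') {
    Write-Warning "Task state is '$state'; check the OpenVPN log for the profile before trusting the reboot path."
} else {
    Write-Host "Task '$taskName' is running; verify the tunnel from the OpenVPN log or by reaching a remote host."
}
```

Because the task runs in a non-interactive session, there is no tray icon to inspect; the task state above and the OpenVPN log for the profile are the signals to use when testing.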

Connect to AzureAD

Quite often the basic logic of how to connect to Azure Active Directory with PowerShell is omitted from how-to guides, so I have added the references below, if for no other reason than to let me refer back to them in the future.

Below is Microsoft's documentation on Azure Active Directory PowerShell 2.0:

https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0

If your machine meets the prerequisites, the following command installs the General Availability version of the module (run it from an elevated PowerShell session, or add -Scope CurrentUser to install for your own account only):

Install-Module AzureAD

Before any other cmdlets can be run, Connect-AzureAD must be run in the PowerShell session. On its own it prompts for credentials; these can be supplied in advance by capturing them with Get-Credential, as below. Note that the -Credential path cannot complete multi-factor authentication, so an account that requires MFA must use the interactive prompt instead.

$AzureAdCred = Get-Credential
Connect-AzureAD -Credential $AzureAdCred

Once complete you will be connected to AzureAD and able to run the further commands documented here https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0#azuread (the AzureAD module has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, so expect these cmdlets to be retired over time).
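A reusable wrapper around the two commands above is shown below as an added example; it is not from the original post or from Microsoft's module. It installs the module if missing, reuses an existing session rather than prompting again, falls back to the interactive prompt when a -Credential sign-in fails (the MFA case), and verifies the session with Get-AzureADCurrentSessionInfo and Get-AzureADTenantDetail instead of assuming Connect-AzureAD succeeded. The tenant name in the usage comment is a placeholder.

```powershell
# Added example: a checked connect helper for the AzureAD module (not the module's own code).
function Connect-AzureADChecked {
    [CmdletBinding()]
    param(
        [PSCredential] $Credential,   # omit for an interactive, MFA-capable sign-in
        [string] $TenantId,           # optional: tenant GUID or verified domain to pin the sign-in to
        [string] $AccountId           # optional: UPN to pre-fill in the interactive prompt
    )

    if (-not (Get-Module -ListAvailable -Name AzureAD)) {
        Install-Module AzureAD -Scope CurrentUser -Force
    }
    Import-Module AzureAD -ErrorAction Stop

    # Reuse an existing session when it already points at the requested tenant.
    try {
        $existing = Get-AzureADCurrentSessionInfo -ErrorAction Stop
        if (-not $TenantId -or $TenantId -in @($existing.TenantId, $existing.TenantDomain)) {
            return $existing
        }
    } catch {
        # Not connected yet; fall through to Connect-AzureAD.
    }

    $connectArgs = @{}
    if ($Credential) { $connectArgs.Credential = $Credential }
    if ($TenantId)   { $connectArgs.TenantId   = $TenantId }
    if ($AccountId)  { $connectArgs.AccountId  = $AccountId }

    try {
        Connect-AzureAD @connectArgs -ErrorAction Stop | Out-Null
    } catch {
        # A -Credential sign-in cannot satisfy MFA; retry with the interactive prompt.
        if ($Credential) {
            Write-Warning "Credential sign-in failed ($($_.Exception.Message)); retrying interactively."
            $connectArgs.Remove('Credential')
            Connect-AzureAD @connectArgs -ErrorAction Stop | Out-Null
        } else {
            throw
        }
    }

    # Prove the session works by reading the tenant, which needs a valid token.
    $session = Get-AzureADCurrentSessionInfo
    $tenant  = Get-AzureADTenantDetail
    Write-Host ("Connected as {0} to tenant '{1}' ({2})" -f $session.Account, $tenant.DisplayName, $session.TenantDomain)
    return $session
}

# Usage (placeholder tenant): interactive sign-in, or pass a credential as the post does.
# Connect-AzureADChecked -TenantId 'contoso.onmicrosoft.com'
# $AzureAdCred = Get-Credential
# Connect-AzureADChecked -Credential $AzureAdCred
```

Pinning -TenantId is worth the extra parameter when the account is a guest in several tenants, since Connect-AzureAD otherwise signs in to the account's home tenant.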

Ad-blocking with Pi-Hole

The days of needing browser plugins to block unwanted ad traffic on home networks are well and truly over, and Pi-hole just keeps delivering more and more stable innovation. There are numerous options for the setup: a Raspberry Pi, a Docker image, a virtual host or even an old physical device. Ultimately, as long as you have a supported Linux flavour installed (see Prerequisites) it should function nicely, but for the sake of this guide I will assume the operating system (OS) has been cleanly installed on your platform of choice. Ensure the host has a static IP assigned (easiest to do at build time) and that ssh is configured to allow remote access to the host.

Log onto the host, or ssh in, to get command line access. Once in, type the command below into the command line interface (CLI) and hit Enter. If it asks for your password, that is because the installer needs to elevate privileges to install; once entered it will progress.

curl -sSL https://install.pi-hole.net | bash

If you prefer to review the code before running it (piping a remote script straight into bash means trusting both the download server and the transport), navigate to the folder you want to clone the repository into and run the following commands:

git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
cd "Pi-hole/automated install/"
sudo bash basic-install.sh

# Further options can be found here https://github.com/pi-hole/pi-hole/#one-step-automated-install

Confirmation that the installation is progressing will look like Screen 1 below, followed by a sequence of information screens. You will then be asked to choose your preferred upstream DNS provider (Screen 3); in my case I chose Cloudflare. The next page asks for confirmation of the third-party blocklists, any of which can be removed if you wish.

Screen 1
Screen 3

Next, choose whether the Pi-hole will respond to IPv4 and/or IPv6 traffic. You will then be asked to confirm the host's IP address and gateway, which can be changed if necessary; once done, Pi-hole warns that a statically assigned IP used in conjunction with DHCP can cause conflicts, so make sure the address sits outside your router's DHCP pool. Next you are asked whether the web admin interface should be installed (you cannot see the analytics without it) and whether to install the bundled web server (lighttpd) to support it; if you already run a web server on the host you do not need this one. Do you want to log the queries? I would hope so, to be able to see the analytics. Finally you can choose the privacy level, i.e. whether domains and clients should be hidden in the logs; I chose to see everything.

If an error message pops up claiming that the Pi-hole is not able to resolve DNS, it is probably trying to look up names against itself before its own resolver is running, so edit the resolver configuration:

sudo nano /etc/resolv.conf

Find the entry for “nameserver” and change the IP to your chosen provider, in my case 1.1.1.1 or 1.0.0.1. Save the changes and proceed to the next stage. Note that this file is often regenerated by the DHCP client or systemd-resolved, so the change may not survive a reboot; it only needs to hold until the installer has finished.

Once the script finishes, Pi-hole is pretty much installed. Running the following command allows you to set the password for the admin console:

sudo pihole -a -p

Enter a sensibly complex password and store it in a password manager, then navigate to the web console by typing the host's IP into your browser (bear in mind the console is served over plain HTTP on your LAN, so do not expose it beyond the local network). You will notice it is not really doing anything yet: do not forget to set your router's DNS to point at your Pi-hole's IP address, or just point a single laptop, PC or phone at it to test how things are working. Then you should be able to see the traffic flowing in over time.

Well that is it for the basic configuration, enjoy the analytics and ad blocking.
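The interactive screens above can also be answered up front and the installer run unattended, which is handy when rebuilding the Pi-hole or building a headless VM. The script below is an added example, not part of the original post or of the Pi-hole project: it assumes the Pi-hole v5 /etc/pihole/setupVars.conf format and the --unattended flag of basic-install.sh, and the interface, address and password it writes are placeholders for a lab host, not values from the post.

```sh
#!/bin/sh
# Added example (not from the original post): answer the Pi-hole installer's questions in
# setupVars.conf and run basic-install.sh --unattended. Assumes the Pi-hole v5 file format;
# eth0 and 192.168.1.10/24 below are placeholders for a lab host.

# Pi-hole v5 stores the admin password as SHA-256 applied twice (the hex of the first digest
# is hashed again); this is what `pihole -a -p` writes into WEBPASSWORD.
pihole_webpassword_hash() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1 | tr -d '\n' | sha256sum | cut -d' ' -f1
}

# Write the answers the interactive screens would collect: Cloudflare upstream (as in the post),
# IPv4 only, web interface plus lighttpd, query logging on, privacy level 0 (show everything).
# Usage: pihole_write_setupvars <file> <interface> <ipv4/prefix> <admin password>
pihole_write_setupvars() {
    out=$1; iface=$2; ipv4=$3; password=$4
    case "$ipv4" in
        */*) ;;
        *) echo "IPV4_ADDRESS must include the prefix length, e.g. 192.168.1.10/24" >&2; return 1 ;;
    esac
    case "$password" in
        ????????*) ;;
        *) echo "admin password must be at least 8 characters" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
PIHOLE_INTERFACE=$iface
IPV4_ADDRESS=$ipv4
IPV6_ADDRESS=
PIHOLE_DNS_1=1.1.1.1
PIHOLE_DNS_2=1.0.0.1
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
BLOCKING_ENABLED=true
DNSMASQ_LISTENING=local
PRIVACYLEVEL=0
WEBPASSWORD=$(pihole_webpassword_hash "$password")
EOF
}

# Clone the installer (as in the post) and run it against the pre-written answers. Needs root.
pihole_unattended_install() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
    [ -s /etc/pihole/setupVars.conf ] || { echo "/etc/pihole/setupVars.conf is missing" >&2; return 1; }
    git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
    cd "Pi-hole/automated install/" && bash basic-install.sh --unattended
}

# Only act when explicitly asked (`sh this.sh install`), so sourcing the file for its functions
# has no side effects. The password is read from the terminal rather than the command line so it
# does not land in shell history or the process list.
if [ "${1:-}" = install ]; then
    printf 'Admin console password: '
    stty -echo; read -r pw; stty echo; echo
    mkdir -p /etc/pihole
    pihole_write_setupvars /etc/pihole/setupVars.conf eth0 192.168.1.10/24 "$pw" \
        && pihole_unattended_install
fi
```

The resolv.conf workaround described above still applies during an unattended run: the installer needs a working upstream resolver on the host while it fetches packages and blocklists.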

DNS security for all

Cloudflare have been pounding the security drum for years, and I have always looked for financially viable solutions that help me stay safer than the next guy. After recently listening to the Security Now (https://twit.tv/shows/security-now) and Troy Hunt (https://www.troyhunt.com/my-weekly-updates-are-now-available-as-an-audio-podcast/) podcasts, I was intrigued by what Cloudflare could offer me on the go, and there it was: 1.1.1.1, which has been a public DNS resolver to rival Google's 8.8.8.8 for a while now, has been rolled by Cloudflare into an app that behaves much like a VPN (I appreciate this is an over-simplification). Using it on an iPhone gives me on-demand DNS resolution over HTTPS or TLS (depending on your preference), so queries are encrypted rather than sent in the clear to whatever resolver the local network hands out, and in my experience it has been faster than the other resolvers I have tried. For further reading, see https://1.1.1.1/ for full details.

VMware Urges Businesses To Stay Secure In An IoT-Enabled Virtual World

VMWORLD 2016: Digital transformation is exciting for many businesses, but VMware has made sure that security plays an integral role

According to Rajiv Ramaswami, VMware’s executive vice president and general manager of Networking & Security, the average cost of a data breach now stands at €4 million – a figure that could bankrupt many businesses.

Source: VMware Urges Businesses To Stay Secure In An IoT-Enabled Virtual World

Ops also the Trump Organization uses insecure e-mail servers (Security Affairs)

The irony of fate: now we are here discussing it because Trump's staff also has problems with its email servers. According to the security researcher Kevin Beaumont, the Trump Organization's mail servers run Microsoft Windows Server 2003 with Internet Information Server 6, which is no longer supported by the company. The researcher also discovered that the servers are configured with minimal security.

Source: Ops also the Trump Organization uses insecure e-mail servers (Security Affairs)

UK Police purchased IMSI-catcher technology for mobile surveillance (Security Affairs)

Privacy advocates and rights groups are in revolt against the UK law enforcement agencies that have purchased mobile phone snooping technology. The rights groups are protesting against the adoption of IMSI-catcher technology that could be used for dragnet surveillance. An IMSI-catcher is a surveillance solution used for intercepting mobile phone traffic and calls, tracking the movements of mobile phone users, and blocking phones from operating.

Source: UK Police purchased IMSI-catcher technology for mobile surveillance (Security Affairs)

Europe to Push New Security Rules Amid IoT Mess — Krebs on Security

The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.

Source: Europe to Push New Security Rules Amid IoT Mess — Krebs on Security

The leak of NSA hacking tools was caused by a staffer mistake (Security Affairs)

According to the sources, it seems that an employee or a contractor mistakenly left the NSA hacking tools unattended on a remote server about three years ago during a cyber operation. The NSA was aware of the incident and did not inform the companies of the risks related to the exposure of the exploits.

Source: The leak of NSA hacking tools was caused by a staffer mistake (Security Affairs)

Yahoo Data Breach, the company confirms the incident that exposed 500M accounts (Security Affairs)

The company has finally made the announcement, and the news of the Yahoo data breach is in the headlines. The IT giant confirmed that hackers stole at least 500 million user accounts in a data breach dating back to 2014.

“We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”

Source: Yahoo Data Breach, the company confirms the incident that exposed 500M accounts (Security Affairs)