Aug 27, 2012

Easy Way To Change The Login Background in Windows 7

A while back I wrote a post on how you can change the login screen for Windows 7, or at least the wallpaper used on the login screen. That article is still valid, but it requires you to do some registry edits which not everyone is comfortable with. I have a solution for you!

Introducing the Windows 7 Logon Background Changer. From the page:

Windows 7 Logon Background Changer is a free open source software that lets you change the wallpaper of the Windows 7 login screen (also known as "welcome screen" or "login screen"). It does not change any system file, and the program itself does not require admin rights to run (it will just ask you to run as admin a very simple cmd file that creates the required folder and registry key with the appropriate rights). It creates a few JPEG files based on the image you want to put as wallpaper for the Windows 7 login screen, applies the appropriate cropping and sizing and saves them using the best compression quality possible.

Here is a screen shot:

Some things to keep in mind. The image you select must be a jpeg. Other formats don't seem to work so well. Also, if you happen to download it from CNET, don't just click next, next, next as you will end up with some additional junk software you don't need.

What do you think? Are you going to try it out? Know of other cool programs for customizing your Windows 7 experience? Let us know in the comments!

Aug 24, 2012

Holy Crap Finally! SSTP Client For Linux

A few days ago I wrote about a free two factor authentication solution for your Microsoft RRAS VPN server. In that post I mentioned how much I like Microsoft's VPN solution, particularly SSTP. I just like not having to use a third party client to connect to my company's VPN.

The problem with SSTP though is that I also like using Linux a lot, and SSTP is only available for Microsoft Windows Vista systems or better. Well, that is until now. Introducing SSTP-Client for Linux.

From their page:

SSTP-Client is an SSTP client for Linux. It can be used to establish an SSTP connection to a Windows 2008 Server. This software has a similar command line and configuration to the pptp-client software.
SSTP-Client features:
  • Connect to Microsoft RAS network using SSTP
  • Use HTTPS with strong encryption over port 443
  • Asynchronous HDLC frame support
  • Integration with pon/poff with various distributions

I have yet to set it up, but it looks simple enough. The instructions for Ubuntu are as follows:

It's pretty simple to integrate sstp-client into the Ubuntu / Debian distribution. An example script is provided in support/peer-sstp-example.txt

  • Specify your MSCHAP password in /etc/ppp/chap-secrets. Example entry:
         SSTP-TEST\\JonDoe  sstp-test   'testme1234!'
  • Create a connect script in /etc/ppp/peers/sstp-test, similar to the example provided in ./support. Swap out user-name as appropriate.
  • Start the script using "pon":
         sudo pon sstp-test

I'm going to try this, and hopefully it works. It looks promising!
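
The chap-secrets step above puts the MSCHAP password on disk in plain text, so the file's mode and its entries are worth checking after the setup. The following is an added example, not code from the sstp-client project; the function names are made up for it, `shlex` only approximates pppd's own word splitting, and the second sample line is constructed.

```python
import os
import shlex
import stat

# First entry is the example from the instructions above; the second is
# constructed to show a wildcard entry.
SAMPLE = r"""
SSTP-TEST\\JonDoe  sstp-test   'testme1234!'
*                  *           'shared-secret'   # constructed
"""


def parse_entries(text):
    """Return (lineno, client, server) per entry; the secret is never returned."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # shlex approximates pppd's parsing: quotes, backslash escapes, # comments
        fields = shlex.split(line, comments=True)
        if len(fields) >= 3:
            entries.append((lineno, fields[0], fields[1]))
    return entries


def audit_chap_secrets(path):
    """Return findings for a pppd secrets file; an empty list means none found."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: group/other can reach plaintext secrets, use 0600")
    with open(path, encoding="utf-8") as fh:
        for lineno, client, server in parse_entries(fh.read()):
            if "*" in (client, server):
                findings.append(f"line {lineno}: wildcard entry is not tied to one peer")
    return findings
```

Run `audit_chap_secrets("/etc/ppp/chap-secrets")` as root, since a correctly protected file is not readable by anyone else.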

Aug 22, 2012

Free Two Factor Authentication for RRAS/SSTP/PPTP/L2TP VPN's

Virtual Private Network site to site and from roaming users (Photo credit: Wikipedia)
Some people are die hard Cisco VPN guys. Believe me I know a few. Others are die hard any kind of appliance VPN guys. I however, am a server VPN type guy. By that I mean I prefer to use a VPN that doesn't require a third party client. For that reason I am a big fan of Microsoft's SSTP VPN which is a part of their Routing and Remote Access Service (RRAS) on Windows 2008 and newer.

One of the problems with RRAS is that out of the box there isn't a real method for using two factor authentication. Two factor authentication means you need to know something and you need to have something in order to gain access to the VPN tunnel. There are products out there like RSA tokens, but they can be pretty expensive. I found an alternative though.

It's a free tool called RAS-SMS. It integrates with your RRAS service and provides a secondary method of authentication. The second method is a text message to your phone number with a code. If you enter the password correctly for VPN, a random code is then sent to the phone number associated with your account. You must then enter the code to gain access. Cool right?

From their page:

RAS-SMS is an extension (dll) for the Microsoft VPN / PPTP server also known as Remote Access Service (RAS). RAS is a standard component of the Microsoft Windows Server family. RAS can be configured to use the Microsoft Internet Access Service (IAS), also a standard light weight component, not to be confused with ISA. By default RAS uses windows authentication directly when checking credentials. When configured for IAS, the authentication is relayed to IAS. IAS can be extended with extra authentication functions. This project, RAS-SMS, is about inserting such an extra authentication function based on the idea that users should enter randomly generated codes that were sent to their personal cell-phone number. Codes are only generated if users entered their credentials correctly.

If someone shares their password with an unauthorized user, you no longer have to worry about that person gaining access. They will not be able to get in without the phone. Likewise, if the phone is lost or stolen, you don't have to worry because nobody will have the password. Seems pretty slick to me, and it doesn't really cost any extra money to implement.
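
The flow described above (password checked first, and only then a random code texted to the phone on file) looks like this as an added Python example; it is not RAS-SMS code. The class and function names, the `send_sms` callback, the two-minute code lifetime and the three-attempt limit are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed lifetime of a texted code
MAX_ATTEMPTS = 3         # assumed number of guesses before the code is void


def make_user(password, phone):
    """Build a constructed user record holding a salted password hash."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "phone": phone}


class SmsSecondFactor:
    def __init__(self, users, send_sms, clock=time.monotonic):
        self.users = users        # name -> record from make_user()
        self.send_sms = send_sms  # callable(phone, text), stand-in for an SMS gateway
        self.clock = clock
        self.pending = {}         # name -> [code, expiry, attempts_left]

    def start(self, name, password):
        """Step 1: a code is generated only if the password is correct."""
        user = self.users.get(name)
        if user is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        if not hmac.compare_digest(digest, user["pw_hash"]):
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG-backed 6-digit code
        self.pending[name] = [code, self.clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.send_sms(user["phone"], f"VPN code: {code}")
        return True

    def finish(self, name, code):
        """Step 2: the code is single-use, time-limited and attempt-limited."""
        entry = self.pending.get(name)
        if entry is None:
            return False
        stored, expiry, _ = entry
        entry[2] -= 1
        expired = self.clock() > expiry
        ok = not expired and hmac.compare_digest(stored.encode(), code.encode())
        if ok or expired or entry[2] <= 0:
            del self.pending[name]   # burn the code on success, expiry or lockout
        return ok
```
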

What kind of VPN person are you? Appliance or Server? Do you use two factor authentication? What do you use? Let us know in the comments.

Aug 21, 2012

Hacking: Hollywood vs Real Life

I often write a lot about hacking and security, or I make videos about hacking and network security on my weekly video podcast Tech Chop. Although I have a bachelor's degree in Network Security I don't, however, consider myself a hacker.

In order to write these articles and make these videos, though, I do have to set up test environments to test hacking tools, or to make a particular program do what I want even if it was not designed to do it. In that regard I totally understand the picture below:

What do you think? Accurate?

Aug 20, 2012

OpenDNS Uses SuperMicro Servers

Ever since my last company I've been interested in SuperMicro server systems. They are relatively inexpensive, yet just as powerful as their more expensive counterparts like HP and Dell. The only problem, if you consider this a problem, is that SuperMicro is not necessarily an out of the box solution. It's sold as a build your own solution. That being said, there are vendors that specialize in SuperMicro where you can get fully built systems.

Anyway, back to my last company. I had a really douchy boss, and an even douchier colleague. Both of them brought SuperMicro to my attention when they started bad mouthing them. They would talk about how cheap they are and how hard they are to put together. I decided to look into it myself and realized they were dead wrong. Well, dead wrong if you're not an idiot at putting computers together, or finding vendors that can do it for you. After looking into SuperMicro more I realized one could save a ton of money by moving to SuperMicro instead of buying high priced systems from HP.

At my current company I got my first opportunity to test my theory when I built a XenServer cluster using SuperMicro servers, and two iSCSI SANs running on Ubuntu Linux also using SuperMicro servers. I was right: these servers have been very reliable, and the cost savings really earned me brownie points with the CFO. Win-win!

Well I just found out that I am not the only one that really likes SuperMicro solutions. Apparently OpenDNS uses SuperMicro as well for their Hadoop clusters. Check out these pics from their Facebook page:

Do you use OpenDNS? Does the fact that they are successfully using SuperMicro in their environment ease your mind about the use of SuperMicro servers in your production environment? Let us know what you think in the comments!

Aug 17, 2012

Cutting Out Cable Is Going Mainstream

One of the hardest things I ever did in my life did not happen while I was in the Navy serving in a hostile part of the world. It was not doing anything physically demanding either. It was trying to convince my wife that we could survive AND be perfectly happy without cable television. It was a hard concept for her. After all, like most Americans, we have spent our whole lives in front of the television.

We finally did cut the cord though a few short months after buying our Boxee, and my wife is actually happier now. Not only do we save over $100 per month by not having cable, but we can still watch what we want when we want. Plus, everything we watch is commercial free!

Before now only early adopters and the technically savvy were venturing out into the world of online streaming and alternative media, but now it seems that everyone is doing it. According to Yahoo Finance:

The shift away from pay TV services is actually accelerating, with both publicly traded and private cable, satellite and phone companies reporting a net loss of as many as 400,000 total video subscribers in the second quarter of 2012. That's up from 340,000 net defections in Q2 2011. Overall, the number of U.S. households subscribing to pay TV services declined by 1.5% or 1.5 million in 2011, according to Nielsen.

In that article they mention a number of online streaming services that people use to help them cut cable. If you follow Tech Chop at all, you know that we recently did a video talking about a method to cut cable that was not mentioned in the article. Using BitTorrent. Check it out:

Are you planning on cutting your cable? Have you cut it already? What devices and/or services do you use now for your entertainment at home? Let us know in the comments.

Aug 16, 2012

Julian Assange Granted Asylum By Ecuador

Julian Assange (Photo credit: bbwbryant)
Wikileaks founder Julian Assange has finally been granted asylum in Ecuador, according to an announcement from Foreign Minister Ricardo Patiño in Quito, Ecuador. According to the New York Times:

“The government of Ecuador, faithful to its tradition of protecting those who seek refuge in its territory or in its diplomatic missions, has decided to grant diplomatic asylum to Julian Assange,” said Foreign Minister Ricardo Patiño, reading from a government communiqué at a news conference in the Ecuadorean capital, Quito. He added, “There are indications to presume that there could be political persecution,” and that Mr. Assange would not get a fair trial in the United States and could face the death penalty there.

The catch 22 with this? Assange is only safe while on Ecuadorian soil. Since he is still in London, he is only safe at the Ecuadorian embassy. If Assange tries to leave the embassy to go to the airport to fly to Ecuador, he can face arrest from British authorities.

Since Wikileaks leaked hundreds and thousands of classified U.S. documents back in 2010, Assange has been the focus of a lot of politicians, and other government officials. Many believe that these same government officials want Assange eliminated. It is also widely believed that the charges of rape that Assange is facing in Sweden may also be a part of a larger government conspiracy to take down Assange.

What's your opinion on Ecuador's decision? What's your opinion about Julian Assange and Wikileaks? Do you think Assange can make it to Ecuador? Let us know in the comments.

How To Protect Against a Cold Boot Attack (Theory)

I just finished up editing next week's Tech Chop in which I talk about three tools designed to break into Truecrypt volumes. One of the tools, without giving too much away, is called Passware Kit Forensic and retails for about $995. This tool is a professional computer forensics tool much like something the FBI would use if they seized your encrypted computer and they needed to break into it to obtain evidence. It works by basically using a cold boot attack.

If you didn't know, a cold boot attack is when an attacker is able to get your hard drive's encryption keys out of memory. The term cold boot attack was coined when researchers found that you can keep session information in memory after a reboot longer if you freeze the RAM modules. Other than the freezing part, the FBI has been using this technique for years.

Currently, the only way to prevent this sort of attack is good physical security. Therefore many hackers laugh at this technique because one can do anything if they have physical access. For the most part if you encrypt your drives you will be safe from the average hacker. However, you will not be safe from the government with a warrant. Why? Because you have just lost your ability to keep them away from your computer. The government is who you have to worry about with this attack, not necessarily "evil" hackers.

You are probably saying to yourself, "If the FBI has a warrant to search your computers, don't you have to cooperate and give them your encryption keys or passwords?" The answer is no, not really. According to an article on Geekosystem:

Traditionally, the Fifth Amendment doesn’t cover physical acts. For instance, if you’re asked to unlock a safe or open a door, the Fifth Amendment doesn’t have your back. At least if there is a key involved; relaying a combination, on the other hand, is technically testimony. This ruling equates decrypting a computer with telling someone the combination to a safe.

The EFF, a government watchdog and civil rights group that protects individuals' civil rights when it comes to technology, wrote a very good article here about how and when encryption is protected under the 5th amendment. In short, if a defendant has to give up anything in their mind as evidence, such as a password, then it is protected under the 5th amendment.

So back on track, you have something on your encrypted computer and you don't want your government getting it. The only way to stop them if they have a warrant is to buy yourself time, time to get your encryption keys out of memory.

So what is one to do? Well after doing some research for my show I came across a video on Youtube demonstrating the cold boot attack, and I started reading the comments. One guy's comment caught my eye when he mentioned using a BIOS password along with full hard drive encryption. That got my mind turning a bit.

If you set a BIOS password, sure it's not that secure in itself, but it can buy you some time. The BIOS password can easily be cleared by a jumper setting on the motherboard, but if the attacker doesn't know it's there, they will power cycle the computer as usual, and will then be greeted by the BIOS password. They will then have to power off the computer, open up the case, set the jumper to clear the BIOS password, power it back on until BIOS is reset, power it back off, reset the jumper, then power it on again. How many minutes will that buy? Probably enough to clear out the keys I'm guessing.

Now, I'm not an expert on how long it takes memory to clear, nor am I an expert on cold boot attacks. If someone knows better than me if this will work or not I'd love to hear about it in the comments. Also, if you have a better solution for protecting against the cold boot attack, please let us know in the comments as well.
