A Quick Introduction to Lockpicking and Useful Resources for Beginners
I’ve been into lockpicking for a few years now, and I’m surprised I’ve never posted more about it (maybe I will). Suffice it to say that lockpicking is great fun, you learn a lot, and one day it may come in handy (legally of course). One thing I’ve noticed whenever I talk about lockpicking is that most people – including techies – have very little clue about how locks themselves actually work. It’s no surprise then that lockpicking feels like a bit of a mystery to many. In reality the majority of locks are very simple devices, and many can be picked or bypassed using fairly simple tools.
I had the pleasure of taking part in the Defcon 19 Gringo Warrior contest where participants must bypass a series of locks to ‘escape’. It’s scored based on time and difficulty of locks picked. I scored about above average. In this post I’m going to give my own shotgun intro to lockpicking, and provide some videos and links to other useful references where you can go find more detail.
Reverse SSH over Tor on the Pwnie Express
The Pwnie Express (PwnPlug) is a great little tool for hackers, pentesters and social engineers alike. While I don’t advocate the use of a Pwnie for illicit purposes, I was intrigued about using it as an untraceable tap into a network. Out of the box the Pwnie allows you to configure reverse SSH connections, exfiltrated over a number of different protocols including HTTP, SSL, ICMP and DNS.
While these are great for getting out of controlled networks, they all require the Pwnie to be configured with the IP address of your SSH server, which could potentially be traced back to you. It also requires your SSH server to be able to directly receive connections at the IP/hostname configured on the Pwnie. While one could run an SSH server on a proxy box somewhere, I felt that was too primitive, so I installed Tor on my Pwnie and configured a Tor Hidden Service on my SSH server.
Note: For the purposes of this tutorial, the SSH server will be running on BackTrack 5. I’m assuming you’ve already performed the initial Pwnie Express setup steps on the server! Check out my PwnieScripts to help speed up and automate the Pwnie setup.
These instructions do not yet work on Pwn Plug software >= 1.1 as they’ve changed the layout of things! Will update this post when I get the time.
Using GPGMail to Encrypt Email
This post forms part of the series on Securing Leopard, and covers GPGMail, a Mail.app plugin that allows you to digitally sign, encrypt and decrypt emails using PGP/GPG.
When Snow Leopard came around, it completely broke support for GPGMail, and there were no other solutions that enabled similar functionality. This caused a significant issue for Snow Leopard users needing GPG functionality. The original developer of GPGMail unfortunately did not have the time to update the plugin and restore support for Snow Leopard.
Since then the GPGMail project has been handed over to a new team of developers who have been working on restoring the full functionality of the plugin under 10.6. This tutorial shows you how to easily install GPGMail and start sending and receiving encrypted emails!
[Updated 21/01/2011] The team at GPGTools have now created a unified installer which consolidates MacGPG2, GPG Keychain Access, GPGMail and GPG Service. Their all-in-one installer simplifies the install process, and installs everything you need for encrypting/signing files and emails.
If you’ve used the GPGTools package, please post your experiences in the comments!
Securing Leopard – 10.6 Edition
I’ve finally re-written my article on Securing Leopard, with some updates to reflect the changes made in 10.6. This is still an early edition, and I’d be happy to hear feedback/suggestions (contact form) on how I could improve it.
The article is aimed at new and developing Mac OS X users, and covers a variety of suggestions on how to quickly and easily improve the security of your (Snow) Leopard install. It also provides tips on how to manage your privacy and protect your personal information.
It includes a quick checklist which can help when trying to secure an install of Mac OS X. Enjoy!
How To Delete Your Account on 14 Popular Websites
A few months ago I posted about Facebook’s ever-so-slightly simplified account deletion process. I just stumbled across an article on Smashing Magazine that describes how to delete one’s account on 14 popular websites.
Here are the relevant links for the following sites:
Facebook (Delete Account page)
MySpace (people still use this?)
Windows Live (“Close your account” at the bottom)
Disable Facebook Places – or – Location-Stalking for Fun and Profit
In a direct strategic offensive on Foursquare’s service and a long-term plan for world domination, Facebook recently introduced their own service dubbed Places. These two services allow users to ‘check-in’ to virtually any venue/event, thus sharing their location with friends (or the world). This introduced an awesome new sport known as Foursquare stalking where one could follow the check-ins of known or random people (eg. by searching for 4sq.com on Twitter Search), call up the venue they are currently at, and ask to speak to the person… and then doing this for every location they check-in to. Tremendous fun. The guys at PLA Radio had fun prank-calling people using this, with amusing results.
Apparently the bald fat guy below just got home. Since he is kind enough to post the actual location of his domicile, all a thief has to do is wait until he checks-in somewhere far away, and then proceed to leisurely rob him of all his stuff. Sorry baldfatguy… didn’t mean to pick on you but you were at the top of the list.
Surely Facebook’s entry into this domain will allow for more stalking goodness. Another interesting perspective is using Places to create an alibi by spoofing one’s GeoLocation. Anyway, onto the essentials. At least most of us can just avoid using services like Foursquare… but if you have a Facebook account, it’s yet another privacy setting you will have to set yourself.
To Disable Places: Log in to Facebook and go to the Privacy Settings. Click on Customize Settings at the bottom, and then modify the Things I Share settings (you will need to select Custom from the dropdown menu in order to choose Only Me). These settings are only important if you do actually use Places.
Next go down to Things Others Share, and uncheck Friends can check me in to Places.
Facebook (finally) adds ability to delete accounts
Facebook has finally added the ability to actually delete – not just deactivate – Mark Zuckerberg one’s account. Until now, the only (easy) option has been to ‘deactivate’ your account which simply removes you from searches and prevents you from logging in (although you can very quickly re-activate). I say ‘easy’, as there did exist a very convoluted delete process. That said, however, they still don’t seem to have made the delete option available to everyone – or they’ve made it particularly hard to find – as I still seem to be stuck with ‘deactivate’.
Even if you can’t find the option in your Facebook settings, you can delete your account by visiting this page (confirmation required) which states:
If you do not think you will use Facebook again and would like your account deleted, we can take care of this for you. Keep in mind that you will not be able to reactivate your account or retrieve any of the content or information you have added. If you would like your account deleted, then click “Submit.”
After submitting an account deletion request you will receive an email informing you that your account will be deleted in 14 days (unless you log back in). Note that if you have your Twitter or YouTube accounts linked to Facebook, then an update from either of these within the 14-day period will also abort the deletion process.
This is in contrast to just deactivating which, as described on Facebook’s deactivation page:
Even after you deactivate, your friends can still invite you to events, tag you in photos, or ask you to join groups.
… so much for ‘deactivation’.
It should probably be noted that although deleting your account will probably automatically remove any content you’ve posted on Facebook, they still reserve the right to retain your information, and you can also be certain that everything you’ve ever posted or done on the site will remain in the slews of hourly backups that are performed and undoubtedly retained for a couple years. There’s no way they are going to go to the effort of clearing their backups of deleted accounts (also, that information is worth far too much to them to delete).
The following extract from Facebook’s Privacy Policy outlines the limitations of such account removals:
Even after you remove information from your profile or delete your account, copies of that information may remain viewable elsewhere to the extent it has been shared with others, it was otherwise distributed pursuant to your privacy settings, or it was copied or stored by other users. However, your name will no longer be associated with that information on Facebook. (For example, if you post something to another user’s profile and then you delete your account, that post may remain, but be attributed to an “Anonymous Facebook User.”) Additionally, we may retain certain information to prevent identity theft and other misconduct even if deletion has been requested. If you have given third party applications or websites access to your information, they may retain your information to the extent permitted under their terms of service or privacy policies. But they will no longer be able to access the information through our Platform after you disconnect from them.
Despite my strong views towards privacy, I’m not a complete Facebook hater; it does have its uses and I do have a (very spartan) account there. I just want to help highlight the potential risks and issues associated with the rapid increase in recent online information disclosure and unfortunately the only way to win this particular privacy game… is to avoid playing in the first place.