Gmail style ‘plus’ email aliases in Office365

It’s an often used feature of Gmail to append a ‘+’ (plus) to an email address to create an unlimited number of instant email aliases – see Gmail Blog for an explanation. I gather this is also a feature of Outlook.com, but the same does not apply for hosted domains on Office365. The same can however be achieved with a bit of configuration.

Go to Exchange Admin Centre > mail flow > rules and create a new rule as follows:

Create this rule… The sender is located… Outside the organization

and The recipient address matches… ^yourname\+[\w-]+@yourdomain.com

(For example, if your usual email address is david@yourdomain.com then the rule should match ^David\+[\w-]+@yourdomain.com)

Do the following… Redirect the message to… <select your user>

(The [\w-]+ regular expression will match one or more alphanumeric or hyphen characters).

Next choose the ‘external domains’ tab, select your domain and make sure that the domain type is set as an Internal Relay.

Now that this domain is an internal relay, we’ll need an extra rule to bounce email addressed to unknown recipients more gracefully (instead of looping internally).

Add this as your last mail flow rule:

Create this rule… The sender is located… Outside the organization

Do the following… Reject the message with the explanation… ‘User unknown’

Except if… The recipient is a member of… <select all the valid users>

You will now receive email addressed to david+anything@yourdomain.com in your regular inbox.

Advertisements

Disabling delivery and read receipts in Exchange Online

The default configuration for Office 365’s Exchange server is to automatically respond to requests for mail delivery reports. If like me you don’t want to divulge this information then here is what you need to do.

Follow these steps to block all forms of email delivery and read receipts …

Exchange Admin Centre > mail flow > remote domains > Default 
Untick 'Allow delivery reports' and 'Allow non-delivery reports'
Save
Screenshot 2019-06-07 at 09.38.39.png
 
Next create four separate mail flow rules to remove these mail headers:
 
Disposition-Notification-To
Return-Receipt-To
Receipt-Requested-To
X-Confirm-Reading-To
 
Exchange Admin Centre > mail flow > rules > +
Create a new rule > More options...

Apply this rule if... The Sender is located... Outside the organization
Do the following... Modify the message properties...
Remove a message header (paste a header as above)
Save
You should end up with four rules like these:
 
Screenshot 2019-06-07 at 09.39.06.png
 
Those mail flow rules should strip out the headers and block read receipts before they reach a recipient’s mailbox, but just to be sure:
 
Outlook > Settings > View all Outlook settings > Email
Message handling > Read receipts > Never send a response
Save
Screenshot 2019-06-07 at 10.01.42.png

You have become the new currency

I was alerted to the contents of the privacy policy for Google Payments by an episode of the BBC series – Billion Dollar Deals and How They Changed Your World – in which the presenter Jacques Peretti makes a rather astonishing (for me at least) discovery …

Take Apple Pay, there’s a small amount of money they make in each transaction. But with Android Pay, which is run by Google, they don’t take anything. So what’s going on?

The answer lies in the small print of the terms and conditions: “we may collect information about the transaction, including: Date, time and amount of the transaction, the merchant’s location and description, a description provided by the seller of the goods or services purchased, any photo you choose to associate with the transaction, the names and email addresses of the seller and buyer (or sender and recipient), the type of payment method used, your description of the reason for the transaction, and the offer associated with the transaction, if any.”

Remember that space in the transaction, the space where business makes money? Now that space is about data. You have become the new currency.

This piqued my interest as I have been using Android Pay for a few months. In doing so had I also given my consent for my personal financial transaction data to be harvested by Google?!

For the uninitiated, Apple Pay and Google Pay let you create a digital copy of your payment cards, which are held in a secure virtual wallet on your mobile phone. You can then make contactless payments using your phone instead of the physical cards.

The Apple Pay security and privacy overview states: “Apple Pay doesn’t collect any transaction information that can be tied back to you. Payment transactions are between you, the merchant (or developer for payments made within apps and on the web), and your bank“. That sounds perfectly fair and reasonable, but what about Google?

The current Terms of Service for Android Pay includes the line: “Your use of Android Pay is subject to these Android Pay Terms of Service and the Google ToS (which together, for purposes of these Android Pay Terms of Service, we refer to as the “Terms”), as well as to the Google Privacy Policy.

The Google Privacy Policy includes a link to the specific privacy practices with respect to Payments, which contains the aforementioned small print concerning Google’s collection of payment transaction information.

So yes, by virtue of using their product I did unwittingly give Google permission to ‘spy’ on my spending habits. This financial transaction data has intrinsic value and it’s obvious why Google would like to get their hands on it, but I didn’t expect the banks to be so lax as to allow it to be shared in this way.

This revelation left me wrestling with a dilemma. There is no denying that the simplicity of making small payments with a quick tap of my phone is really handy, but I value my privacy more than the convenience factor.

I just can’t abide my personal data being exploited in this way and so have reluctantly removed my payment and loyalty cards from Android Pay and I won’t be using it again. Sorry Google, but how I choose to spend my hard-earned moolah will be kept between myself, the retailer and my bank from now on.

New uses for old Dash buttons

I recently acquired a few Amazon Dash buttons and wondered if they might be repurposed to serve some useful purpose, other than ordering groceries.

I found this article by Ted Benson in which he describes how Dash buttons send an ARP probe after joining the WiFi network. By listening for these ARP probes (and their unique MAC addresses) you can trigger IFTTT Webhooks workflows, which turns the humble Amazon ordering tool into a customisable IoT button.

Bob Steinbeiser replied to Ted’s post with a clever Python script which sniffs ARP packets using a raw socket. Having played with Bob’s script I set about trying to make a few improvements. I’m a novice when it comes to Python though, so forgive my amateur code.

import socket
import struct
import binascii
import urllib2
import time

# Based on an original script by Bob Steinbeiser (https://medium.com/@xtalker)
# Adapted to ignore duplicate presses and added support for multiple IFTTT triggers

# Use your own IFTTT Webhooks key here - see https://ifttt.com/maker_webhooks
ifttt_key = 'abc123'

# MAC addresses and their corresponding IFTTT Webhooks triggers
things = {
    'aabbccddeeff' : ['lights_off', 'sockets_off'],
    'a0b1c2d3e4f5' : ['test_1', 'test_2', 'test_3']
}

last_success={}

for macaddr in things:
    last_success[macaddr] = 0

rawSocket = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))

while True:
    packet = rawSocket.recvfrom(2048)

    ethernet_header = packet[0][0:14]
    ethernet_detailed = struct.unpack('!6s6s2s', ethernet_header)

    arp_header = packet[0][14:42]
    arp_detailed = struct.unpack('2s2s1s1s2s6s4s6s4s', arp_header)

    # Skip non-ARP packets
    ethertype = ethernet_detailed[2]
    if ethertype != '\x08\x06':
        continue

    source_mac = binascii.hexlify(arp_detailed[5])

    time_now = int(time.time())

    # Is this a known 'thing' ?
    if source_mac in things:

        trigger_list = things[source_mac]

        # Prevent duplicate presses from being actioned (within 10 secs)
        if time_now > last_success[source_mac] + 10:
 
            # Supports multiple IFTTT Webhook triggers
            for trigger in trigger_list:

                print "Device " + source_mac + " has triggered " + trigger
                last_success[source_mac] = int(time.time())
                data = '{ "value1" : "' + source_mac + '", "value2" : "' + trigger + '" }'
                req = urllib2.Request('https://maker.ifttt.com/trigger/' + trigger + '/with/key/' + ifttt_key, data, {'Content-Type': 'application/json'})
                f = urllib2.urlopen(req)
                response = f.read()
                f.close()
                print response

         else:
             print "Ignoring repeated event for " + source_mac

    else:
        print "Ignoring unknown device " + source_mac

Note that this Python script doesn’t work on Mac OS, due to the lack of support for AF_PACKET sockets.

Sky Hub syslogging to Mac OS

The standard issue Sky Broadband SR102 ADSL router includes the capability to send syslog messages to a remote host.

Unfortunately the plucky little SR102 doesn’t send syslog messages in entirely the right format (checked using ‘syslog -F raw’):

[ASLMessageID 303320877] [Time 1463491448] [TimeNanoSec 0] [Level 2]
 [PID 4294967295] [UID 4294967294] [GID 4294967294] [ReadGID 80] [Host
 1] [Sender 2016-05-17T14] [Facility daemon] [Message 24:08.000Z
 skyhub.ihr syslog - - [skySDID@32666 mac="7C4CA5D9E148"
 sn="A502141D002081"]  Administrator login successful from IP:
 192.168.0.100 .]

You can however still use Mac OS’s syslog daemon to receive these messages, but first you’ll need to enable the socket listener:

cd /System/Library/LaunchDaemons
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener dict" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockServiceName string syslog" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockType string dgram" com.apple.syslogd.plist

To restart the syslog daemon:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

Next go into the Sky Hub web interface, click on the Security tab (default admin credentials are admin / sky), select Logs and then enter the IP address of your Mac in the Syslog server address.

You can check for Sky Hub syslog entries in /var/log/system.log

To filter out the Sky Hub messages into a separate log file, add these two lines to /etc/asl.conf and then restart the syslog daemon again:

# Sky SR102 broadband router saved to skyhub.log
? [S= Message skyhub.ihr ] file skyhub.log mode=0640 format=bsd rotate=seq compress all_max=50M

The query-action rule tells syslogd to match on the “skyhub.ihr” substring in the Message key and then save those entries to /var/log/skyhub.log. The options are for log file rotation, retaining up to 50MB of files.

Typical Sky Hub log entries will include connection retraining, web interface logins and NTP synchronisations.

Re-signing iOS apps

I am occasionally presented with a packaged iOS .ipa archive by a third-party developer, which is intended for in-house distribution (using an Apple Developer Enterprise certificate), or for App Store distribution using a different developer account.

Re-signing is a quick and simple way of delivering an app when a developer won’t provide you with their Xcode project source from which to spin your own build.

I previously used the iReSign utility to accomplish this, but found that this wouldn’t work in all cases, in particular when the app includes linked frameworks or libraries (which results in errors such as “DYLD, Library not loaded“).

To solve this I wrote the shell script below. It takes an existing .ipa archive, embeds your own developer provisioning profile, replaces any existing code signatures and packages it again for distribution.

Please use with my compliments and leave a comment if this helps you out.

(Note: This script has a dependency on command line tools such as PlistBuddy and codesign, so you will likely need to install Apple’s Xcode developer tools)

Replace DEVCERT with the Common Name of your own Apple developer certificate.

#!/bin/bash
# Re-sign an IPA with specified developer certificate (present in keychain)

DEVCERT="iPhone Distribution: Your Developer Cert Name"
TMPDIR="tmpwork"
SOURCEIPA="$1"
MOBILEPROV="$2"
BUNDLEID="$3"

if [ $# -eq 0 ]

then
  echo "Usage: $0 [app.ipa] [provprofile] [bundleid]"
else
  if [ ! -e "$SOURCEIPA" ]
  then
    echo "Error: $SOURCEIPA not found"
    exit
  fi

  if [ ! -e "$MOBILEPROV" ]
  then
    echo "Error: $MOBILEPROV not found"
    exit
  fi

  SIGNEDAPP=`echo $SOURCEIPA | awk -F".ipa" '{ printf ("%s-signed.ipa", $1) }'`
  unzip -qo "$SOURCEIPA" -d $TMPDIR
  APP=$(ls ${TMPDIR}/Payload/)

  if [ ! -z "$BUNDLEID" ]
  then
     echo "Changing Bundle ID to ${BUNDLEID}";
     /usr/libexec/PlistBuddy -c "Set:CFBundleIdentifier $BUNDLEID" "${TMPDIR}/Payload/${APP}/Info.plist"
  fi

  cp "$MOBILEPROV" "${TMPDIR}/Payload/${APP}/embedded.mobileprovision"
  security cms -D -i "${TMPDIR}/Payload/${APP}/embedded.mobileprovision" > Entitlements_full.plist
  /usr/libexec/PlistBuddy -x -c 'Print:Entitlements' Entitlements_full.plist > Entitlements.plist
  echo "Re-signing with certificate: $DEVCERT"

  for folder in `find -d ${TMPDIR} \( -name "*.app" -or -name "*.appex" -or -name "*.framework" -or -name "*.dylib" \)`; do
    /usr/bin/codesign --continue -f -s "$DEVCERT" --entitlements "Entitlements.plist" "$folder"
  done

  echo "Package the signed IPA"
  cd $TMPDIR
  zip -qry ../${SIGNEDAPP} *
  cd ..
  rm -rf $TMPDIR
  rm Entitlements_full.plist

fi

EncFS for OS X Yosemite

securecloud It’s about time I updated my instructions for installing and running an EncFS filesystem on Mac OS X, synchronised to Dropbox. Use a combination of FUSE for OS X, EncFS, Dropbox and DropSec to create and maintain a super-secure filesystem which syncs with the cloud, while maintaining

  1. Download and install FUSE for OS X (the MacFUSE compatibility layer is not required)
  2. If you don’t have it already, install the Homebrew package manager
  3. Download and install EncFS (v1.7.5_1 at time of writing) and any dependencies, it’s as easy as ‘brew install homebrew/fuse/encfs
  4. Download DropSec, extract DropSec.app from the archive and copy it to your Applications folder

To create a new encrypted volume (stored locally at first to prevent your EncFS key from being synchronised with Dropbox):

encfs ~/Desktop/_Encrypted ~/Documents/_DropSec

Answer ‘yes’ when prompted to create the new folders and choose ‘p’ for pre-configured paranoia mode (256-bit AES encryption). Enter a secure EncFS password when prompted and you’re done. Now the filesystem has been created we can deal with securing the key.

umount ~/Documents/_DropSec
mkdir ~/.keys
mv ~/Desktop/_Encrypted/.encfs6.xml ~/.keys/dropsec.xml

The commands above move your key from the EncFS filesystem into a hidden folder in your (local) home directory Now move the entire ~/Desktop/_Encrypted folder (minus your key) into your Dropbox:

mv ~/Desktop/_Encrypted ~/Dropbox/

To mount the secure filesystem run the DropSec app from your Application folder. The first time you run DropSec it will prompt you for your EncFS password which it stores in your local login keychain. The password must match the secure password you set earlier.

When the secure volume is mounted a DropSec folder with a padlock icon will appear on your desktop. If it doesn’t, check that you have ‘Show Connected servers’ checked in Finder preferences.

To mount or unmount the encrypted volume simply run the DropSec app. For convenience copy it to your Mac OS dock for quick access.