Encrypt SCPrompt communications using SecureVNC plugin

Encrypt SCPrompt communications using UltraVNC’s SecureVNC DSM plugin, which uses AES-256 encryption for all communications between client and server.

The SecureVNC plugin allows secure communications between the UVNC viewer and server. The following steps show how to add the SecureVNC plugin to secure SCPrompt.

As SCPrompt uses the UVNC server at its core, it’s easy to modify SCPrompt to use the SecureVNC plugin, which secures connections between UltraVNC components using AES-256.

By using an encryption module (DSM in the UVNC world), you can be assured that only the person with a correctly configured SCPrompt server can connect to the viewer, and only the viewer from the person who created the SCPrompt is able to view remote computers using the SCPrompt created by you.

  1. Download SCPrompt Roll-your-own and unzip it to a suitable location.
  2. Download SecureVNC.dsm.
  3. Place SecureVNC.dsm in the same folder as scprompt.exe
    (the folder that holds the conf files and others).
  4. Configure your ultravnc.ini.
    You can edit it by hand, or just start winvnc.exe in the scprompt directory and configure it through the program properties.
    All changes made in the program GUI are written to ultravnc.ini in the scprompt directory.
  5. Enable the SecureVNC.dsm plugin (by hand or through the GUI).
  6. Configure scprompt.ini through the GUI (provided by settings_manager.exe).
  7. “Build” scprompt.
  8. Run uvncviewer in listen mode. Don’t forget to:
    1. copy SecureVNC.plugin to vncviewer’s directory
    2. make uvncviewer use SecureVNC.plugin.
  9. Enjoy the secure open-source goodness.

That’s all.

Make PHP’s $_POST data more secure

PHP is a great programming language, but it is not a framework like many of the newer “languages”, and as such its basic functions are not as secure as required in a modern web application. Trusting PHP’s $_POST is risky, but we have functions that can help make PHP’s $_POST data more secure. This is done by using a few of PHP’s functions to get and filter the variable data and provide it in a somewhat more secure manner.

Web application security, nowadays, is quite different to when PHP first started as “Personal Home Page”, and you need to ensure that any “web application” published is as secure as possible. Using posted data (via $_GET or $_POST) directly without filtering is not a good idea in almost any situation. There are a few exceptions where we think this is acceptable, and we cover these below.

So we are providing an alternative function to the $_POST variable, which returns the same data after we make PHP’s $_POST data more secure by filtering (sanitizing) it for naughty stuff. Explanations are below, but here is the function …

Function to make PHP’s $_POST data more secure

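function Input_Post($par, $parType = '')
{
	// $par is the name of the submitted field, not its value.
	if($parType == '')
	{
		// With no type given this resolves to 'string' (the type of the field name),
		// so pass $parType explicitly for email, int, float and url fields.
		$parType = gettype($par);
	}
	$return = '';
	switch ($parType) {
		case 'email':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_EMAIL);
			break;
		case 'int':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_NUMBER_INT);
			break;
		case 'float':
		case 'double':
			// FILTER_FLAG_ALLOW_FRACTION keeps the decimal point; without it "1.5" becomes "15".
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
			break;
		case 'url':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_URL);
			break;
		default: // 'string'
			// FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; the PHP manual points to htmlspecialchars() instead.
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_STRING);
			break;
	}
	// Compare the raw submitted value (not the field name) with the sanitized result.
	$raw = filter_input(INPUT_POST, $par, FILTER_UNSAFE_RAW);
	if($raw !== $return)
	{
		//Log error to SQL and ban if more than predefined amount of errors in predefined amount of time ...
	}
	return $return;
}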

Explanation

The function name should be short and succinct. We think input_post() is about as good as we need it, but you may also like _post().

We also need two parameters ($par & $parType) in some situations, to check for email addresses for example.

Next we need to make the second parameter $parType optional and check the type of the first variable (using gettype()). This is important to ensure we are providing the correct type of sanitizing and filtering of the input data, so that we do not filter out any important data but do filter out any harmful data.

Now comes the critical part, sanitizing any data based on the type and storing that in $return variable.

Using a switch (or case) is more efficient than if/elseif when dealing with many options and it just looks better.

The last test is whether the returned data $return is different to the input data named by $par (i.e., whether we did any filtering / sanitizing). If so, we can call a logging function to ensure this is logged for auditing / banning users (we run functions that log to an SQL table and check how many failures in X days for this session footprint), but this is beyond the scope of this post.

Then, return the filtered data $return.

Implementation

Using STG’s Input_Post() function is as simple as replacing occurrences of:
$_POST['variable']
with
Input_Post('variable')

Exceptions

As stated above, there are exceptions to when you can use $_POST variables directly. We only use submitted data directly when testing, such as if it equals a value:

if($_POST['me'] == 'you')
{
	echo 'you';
}
elseif($_POST['me'] == 'me')
{
	echo 'me';
}
else
{
	echo 'you and me';
}

Unless you make PHP’s $_POST data more secure, you should NEVER EVER trust any $_GET or $_POST variable, as trusting PHP’s $_GET is risky and using it directly should be avoided. We prefer to use submitted data only to make decisions from.

Make PHP’s $_GET data more secure

PHP is a great programming language, but it is not a framework like many of the newer “languages”, and as such its basic functions are not as secure as required in a modern web application. Trusting PHP’s $_GET is risky, but we have functions that can help make PHP’s $_GET data more secure. This is done by using a few of PHP’s functions to get and filter the variable data and provide it in a somewhat more secure manner.

Web application security, nowadays, is quite different to when PHP first started as “Personal Home Page”, and you need to ensure that any “web application” published is as secure as possible. Using posted data (via $_GET or $_POST) directly without filtering is not a good idea in almost any situation. There are a few exceptions where we think this is acceptable, and we cover these below.

So we are providing an alternative function to the $_GET variable, which returns the same data after we make PHP’s $_GET data more secure by filtering (sanitizing) it for naughty stuff. Explanations are below, but here is the function …

Function to make PHP’s $_GET data more secure

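function Input_Get($par, $parType = '')
{
	// $par is the name of the submitted field, not its value.
	if($parType == '')
	{
		// With no type given this resolves to 'string' (the type of the field name),
		// so pass $parType explicitly for email, int, float and url fields.
		$parType = gettype($par);
	}
	$return = '';
	switch ($parType) {
		case 'email':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_EMAIL);
			break;
		case 'int':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_NUMBER_INT);
			break;
		case 'float':
		case 'double':
			// FILTER_FLAG_ALLOW_FRACTION keeps the decimal point; without it "1.5" becomes "15".
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
			break;
		case 'url':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_URL);
			break;
		default: // 'string'
			// FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; the PHP manual points to htmlspecialchars() instead.
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_STRING);
			break;
	}
	// Compare the raw submitted value (not the field name) with the sanitized result.
	$raw = filter_input(INPUT_GET, $par, FILTER_UNSAFE_RAW);
	if($raw !== $return)
	{
		//Log error to SQL and ban if more than predefined amount of errors in predefined amount of time ...
	}
	return $return;
}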

Explanation

The function name should be short and succinct. We think input_get() is about as good as we need it, but you may also like _get().

We also need two parameters ($par & $parType) in some situations, to check for email addresses for example.

Next we need to make the second parameter $parType optional and check the type of the first variable (using gettype()). This is important to ensure we are providing the correct type of sanitizing and filtering of the input data, so that we do not filter out any important data but do filter out any harmful data.

Now comes the critical part, sanitizing any data based on the type and storing that in $return variable.

Using a switch (or case) is more efficient than if/elseif when dealing with many options and it just looks better.

The last test is whether the returned data $return is different to the input data named by $par (i.e., whether we did any filtering / sanitizing). If so, we can call a logging function to ensure this is logged for auditing / banning users (we run functions that log to an SQL table and check how many failures in X days for this session footprint), but this is beyond the scope of this post.

Then, return the filtered data $return.

Implementation

Using STG’s Input_Get() function is as simple as replacing occurrences of:
$_GET['variable']
with
Input_Get('variable')

Exceptions

As stated above, there are exceptions to when you can use $_GET variables directly. We only use submitted data directly when testing, such as if it equals a value:

if($_GET['me'] == 'you')
{
	echo 'you';
}
elseif($_GET['me'] == 'me')
{
	echo 'me';
}
else
{
	echo 'you and me';
}

Unless you make PHP’s $_GET data more secure, you should NEVER EVER trust any $_GET or $_POST variable, as trusting PHP’s $_GET is risky and using it directly should be avoided. We prefer to use submitted data only to make decisions from.
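
The sanitizing filters used by Input_Post() and Input_Get() rewrite bad input rather than reject it, and the direct comparisons under Exceptions assume the submitted value is a string. The following added example (not part of the original posts; validate_field(), its 'choice' type and the sample $request array are hypothetical) validates with PHP's FILTER_VALIDATE_* filters and a strict allow-list so that malformed values are refused instead.

```php
<?php
// Added example, not code from the original posts.
// validate_field() and its 'choice' type are hypothetical names.

function validate_field(array $source, string $name, string $type, array $allowed = [])
{
    // Missing keys and array-valued parameters (me[]=x) are refused up front.
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $raw = $source[$name];

    $filters = [
        'int'   => FILTER_VALIDATE_INT,
        'float' => FILTER_VALIDATE_FLOAT,
        'email' => FILTER_VALIDATE_EMAIL,
        'url'   => FILTER_VALIDATE_URL,
    ];

    if ($type === 'choice') {
        // Strict allow-list for values that only drive a decision.
        return in_array($raw, $allowed, true) ? $raw : null;
    }
    if (!isset($filters[$type])) {
        return null; // unknown type: fail closed
    }
    // FILTER_NULL_ON_FAILURE makes every validator return null when it rejects.
    return filter_var($raw, $filters[$type], FILTER_NULL_ON_FAILURE);
}

// Constructed sample data standing in for $_POST or $_GET.
$request = [
    'qty'   => '12abc',
    'price' => '1.50',
    'mail'  => 'user@example.com',
    'me'    => ['you'],   // submitted as me[]=you
    'mode'  => 'me',
];

// The same inputs through a sanitizer and through the validator, side by side.
$report = [
    'qty sanitized'   => filter_var($request['qty'], FILTER_SANITIZE_NUMBER_INT),
    'qty validated'   => validate_field($request, 'qty', 'int'),
    'price sanitized' => filter_var($request['price'], FILTER_SANITIZE_NUMBER_FLOAT),
    'price validated' => validate_field($request, 'price', 'float'),
    'mail validated'  => validate_field($request, 'mail', 'email'),
    'me as choice'    => validate_field($request, 'me', 'choice', ['you', 'me']),
    'mode as choice'  => validate_field($request, 'mode', 'choice', ['you', 'me']),
];
var_dump($report);
```

The sanitizer quietly turns '12abc' into '12' and, without FILTER_FLAG_ALLOW_FRACTION, '1.50' into '150', while the validator returns null for the first and the float 1.5 for the second.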

Icons for webpages using Font-Awesome

At SecureTech, our staff have been creating websites since the early days of the web. When we first started building webpages (20+ years ago), it was rather difficult to put icons on webpages, as each icon required the developer (no such thing as web designers back then … ) to create it as an image and upload it into the site, before creating an <img> tag to insert it into the code. Now, we can have icons for webpages using Font-Awesome, which is awesome (it had to be said…).

Font-Awesome allows the web designer or developer to quickly insert some Unicode to insert an icon, or use CSS to insert it wherever required after the development is done (provided the developer allowed for this by labelling each section of the HTML appropriately).

We needed a list of available icons in Font-Awesome and decided to create a list of the Font-Awesome icons on our website, to make it easier for others to use (but it’s mostly for us).

IPChanger for Windows 10 IPV4 settings

The IPChanger for Windows 10 IPV4 allows you to change your IP address details with just two clicks, and disconnect/reconnect adapters.

WARNING

This program is designed to be used by personnel who administer networks and/or have a good understanding of the network addressing schemes of their networks.

Using the IPChanger for Windows 10 IPV4 incorrectly may stop your computer from accessing or being accessible on the network, and you may lose internet connection.

Download

Download IPChangerV3.8

IPChanger for Windows 10 IPV4 Features

Screenshots

IPChanger for Windows 10 IPV4 Main Window
Main Screen for IPChanger (V3.8)
IPChanger for Windows 10 IPV4 Disclaimer window
Welcome Screen for IPChanger (V3.8)

History

Originally created by Timmio (circa 2009), the application was updated by us to deal with Windows 7 changes and then again for Windows 10. Unfortunately the original location of the software has been lost to us, so we cannot link to it. If you find it, please comment below, so we can give credit where it’s due.

Backup MYSQL databases on Windows 10 free Script

We needed a simple way to automatically back up MySQL on Windows 10 for free. Our development and testing environments required:

  • The convenience of backing up all DBs (such as This Script does).
  • Ability to exclude some of the DBs in each machine.
  • Date stamped backups, so changes are backed up each day.
  • Free and preferably open-source.
  • Easy to integrate into our existing backup scripts.

A quick search showed up nothing, so we decided to expand the above-mentioned script’s functionality to include what we require. Provided below are the important parts of the script:

:: allows for skipping of particular databases
set SkipThis=0
for /d %%f in (*) do (
    set /A Counterf=!Counterf!+1
    rem remove echo here if you like
    echo processing folder "%%f"
    pushd "%~dp0"
        set Countera=0
        for %%a in (*.exclude) do (
            rem increment the counter, so we know how many files we have read.
            set /A Countera=!Countera!+1
            if %Debug% == 1 echo DEBUG - Exclude file found: "%%~na"
            if "%%a" == "%%f.exclude" set SkipThis=1
            if !SkipThis! == 1 if %Debug% == 1 echo DEBUG - Skipping Backup of "%%f"
            )
        If %Debug% == 1 echo DEBUG - !Countera! exclude files checked
    popd

    if !SkipThis! == 0 %mysqldump% --host="localhost" --user=%dbUser% --password=%dbPassword% --single-transaction --add-drop-table --databases %%f > %backupDir%\%dirName%\%%f.sql
    if !SkipThis! == 0 %zip% a -tzip %backupDir%\%dirName%\%fileSuffix%_%%f.sql.zip %backupDir%\%dirName%\%%f.sql
    if !SkipThis! == 0 set /A Counterb=!Counterb!+1

    rem make sure to set this back to normal, so we don't skip the next DB backup as well
    set SkipThis=0
)
echo DONE - !Counterf! DBs found, !Counterb! DBs backed up

We then just need to create some blank files with the “.exclude” extension. Each “.exclude” file has the same name as the DB to exclude. For example, “sys.exclude” will exclude the “sys” DB from backups.

Licensing is as usual: this script is Open Source and we provide a download for your ease of use.

Troubleshooting

  1. If backups are not created, check that all your location variables are set correctly.

How to Use

  1. Download the MySQL Backup Script and extract it into a suitable location.
  2. Open up “MySQLBackup.bat” in Notepad++ (or similar).
  3. You will need to change the dbUser, dbPassword, backupDir, mysqldump, mysqlDataDir and zip file/app locations on lines 4-9.
  4. Save the file and run it (you can open a command prompt by typing cmd into the title bar of Explorer).
  5. This script will now be executable. Go to your command prompt and run it to back up your databases.
  6. If backups are not created, check that all your location variables are set correctly.

Next time you need to back up MySQL on Windows 10 for free, use this script to make it easy.

SCPrompt Version 1.11.4.47 released

So much has changed in this version that we figured it was about time to move to version #1 …

**Link removed as old & dead now**

New manual version released (We realised this hadn’t been updated in a while … only about 2 years old)

**Link removed as old & dead now**

Updates for THIS release

  • Add – All GUI – Disclaimer GUI shows on startup if disclaimer.htm or disclaimer_*language*.htm exists in scprompt dir (examples: disclaimer_english.htm or disclaimer_german.htm) 
  • Add – All GUI – New tool menu to allow whiteboard writing on screen 
  • Add – All GUI – New tool menu to Start Beacon GUI to call user back to screen. 
  • Add – All GUI – Contextual menu to the Main GUI Screens (doesn’t work too well on button or automatic GUIs – but otherwise works well) 
  • Add – Auto GUI – translation are now available for this GUI type 
  • Add – Auto GUI – Is now an option in GUI_Type within the INI (in addition to the commandline) 
  • Add – Auto GUI – Option to disable Beeps on timer count-down ([Common] > GUIAUTOSILENT=1) 
  • Add – Manual GUI – Is now an option in GUI_Type within the INI (will make settings manager easier to setup manual & automatic GUI’s). 
  • Add – Button GUI – Service Mode (untested, and needs refining, but its there) 
  • Add – Builder – NSIS to Builder (I just made the Batch script into the AutoIt script … so now it uses the directory name as the application name)
  • Add – Builder – Setting for Pre (Before) & Post (After) when creating the shortcuts in NSIS mode Builder.INI (best I can do at this point)
  • Add – Settings Manager – New settings manager (has 4 tabs in it now, to make selections a little easier to understand, and give me room to add more settings as required). 
  • Add – Settings Manager – a “test it” button (or press “CTRL + T”). 
  • Add – Settings Manager – GUI (Accelerator) shortcut keys for Apply (“CTRL + S”) and new test (“CTRL + T”) 
  • UPDATE – Settings Manager – now uses (most of) the latest settings and should be easier and better to use (a few of the minor settings left out, but it is enough for the moment)
  • UPDATE – All GUI – Change all Languages to use Separate Language INI files (including English) to allow better selection of Languages and easier Maintenance into the future.
  • UPDATE – All GUI – Translations now all use the LANG_*****.INI files. All OS IDs are now automatic – may add manual override at a later date if required. 
  • UPDATE – All GUI – Make sure all Translated Languages are in this release 
  • FIX – Error with Combo GUI and one Predefined Connection + Manual (the Predefined connection would disappear – leaving only manual)
  • Removed – All GUI – Dependency on [Common] > UsePredefined=1 has been removed as it is no longer needed due to setting Manual as a GUI_Type option

TO-DO for NEXT release

  • Add – Translator – New App – allows easy selection and addition of languages – which can then be listed for blank translations
  • Add – All GUI – If Admin, shutdown all known other versions of VNC before starting SCPrompt in servicemode, then start them up again on exit (save the services we stopped to a temp .ini to allow for recovery after support finishes, no matter how many reboots later that is)
  • Add – Builder – Allow Setting of Company name and more from INI for NSIS package type
  • Add – Settings Manager – Option to set up your own UVNC Password (and read the current one in if possible)
  • UPDATE – All GUI – UVNC version to 1.0.9.5+ (requires above in settings manager)
  • UPDATE – Buttons GUI – Fix when manual button pressed, the manual address, port & ID inputs cannot be clicked (but can tab to them)
  • UPDATE – All GUI – Get all translations updated !!!
  • FIX – Auto GUI – Diagnose why the icon doesn’t change on automatic GUI … (why does it ?)

Delayed indefinitely

  • Add – All GUI – Safemode starting of VNC server – The Latest BETA version of UVNC server allows for rebooting to safe mode … so not needed anymore – just replace winvnc.exe with latest BETA (which is already a to-do for the next release) 

YTS Backup Script

Download YTS Backup Script

YTS_Backup_script.cmd is an easily customisable backup script for Windows.

Through the use of .backup files, it’s easy to add extra directories or files to back up when run.

To set up, we need to extract the files from the ZIP into a directory.
Once extracted, edit the “YTS_Backup_script.cmd” file with Notepad++ or similar.

You will then need to set up your script location & backup directory location.

  1. Look for “set ScriptDir=D:\files\Projects\YTS_Backup_Scripts” and change it to suit your needs.
    NOTE: This directory name must not have any spaces in it, or the script will fail.
  2. Look for “set ScriptDrive=D:” and change it to suit your needs.
  3. Look for “set BackupDir=C:\Backups\Manual” and change it to suit your needs.
  4. Look for “set BackupDrive=C:” and change it to suit your needs.
  5. Open “mydocs.bac” with Notepad++ by double-clicking on the file and associating it with Notepad++.
    Edit this file to your needs. The file contains only two lines.
    Line 1 is the source file or directory for xcopy to use.
    Line 2 is the destination file or directory for xcopy to use.
    NOTE: Do not add extra lines to this file, as this will break the script. Two lines only.
  6. Open “Outlook.bac” with Notepad++.
    Edit this file to your needs.
    To add more files to your backup, simply add another .bac file to the script directory and enter the details correctly.

Download YTS_Backup_script

PC Beacon

PC Beacon flashes the screen and speaks “Attention Required” from the speakers of the computer (using . It was made for use on customers’ sites where you are remotely controlling a computer and either require the user’s attention again, or need someone to find the appropriate PC quickly and easily.

Download PC Beacon

This is achieved by changing the background colour of a full-screen window (with no borders). The colour change rate is easily changeable (set to once per second as standard).

As normal, this application is written in the AutoIt scripting language, and has the source code included as a resource of the application.

Minor modifications would be needed to allow setting of all variables from an INI, as the whole script is contained within one function (to allow easy importing into existing projects).

Application is licensed under GPL 3 or later.