SecureTech - https://www.securetech.com.au/ - Security conscious technology solutions (feed generated Fri, 26 Jan 2024 13:59:38 +0000)

Make PHP’s $_POST data more secure
https://www.securetech.com.au/projects/web-app-development/make-phps-post-data-more-secure.html (Fri, 26 Jan 2024 04:58:25 +0000)

The post Make PHP’s $_POST data more secure appeared first on SecureTech.

PHP is a great programming language, but it is not a framework like many of the newer “languages”, and as such its basic functions are not as secure as a modern web application requires. Trusting PHP’s $_POST directly is risky, but we have functions that can help make PHP’s $_POST data more secure. This is done by using a few of PHP’s functions to get and filter the variable data and provide it in a somewhat more secure manner.

Web application security nowadays is quite different to when PHP first started as “Personal Home Page”, and you need to ensure that any “web application” you publish is as secure as possible. Using submitted data (via $_GET or $_POST) directly without filtering is not a good idea in almost any situation. There are a few exceptions where we think this is acceptable, and we cover these below.

So we are providing an alternative to the $_POST variable: a function which returns the same data after we make PHP’s $_POST data more secure by filtering (sanitizing) it for anything harmful. Explanations are below, but here is the function …

Function to make PHP’s $_POST data more secure

function Input_Post($par, $parType = '')
{
	if($parType == '')
	{
		// $par is the key name, so gettype() returns 'string' here and the default
		// case applies unless $parType is passed explicitly ('email', 'int', ...)
		$parType = gettype($par);
	}
	$return = '';
	switch ($parType) {
		case 'email':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_EMAIL);
			break;
		case 'int':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_NUMBER_INT);
			break;
		case 'float':
		case 'double':
			// FILTER_FLAG_ALLOW_FRACTION keeps the decimal point; without it "19.99" becomes "1999"
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
			break;
		case 'url':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_URL);
			break;
		default: // 'string'
			// Strips tags; deprecated since PHP 8.1 (FILTER_SANITIZE_FULL_SPECIAL_CHARS is the supported alternative)
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_STRING);
			break;
	}
	// Compare the raw submitted value (not the key name $par) with the filtered value
	$raw = isset($_POST[$par]) ? $_POST[$par] : null;
	if($raw !== null && $raw !== $return)
	{
		//Log error to SQL and ban if more than predefined amount of errors in predefined amount of time ...
	}
	return $return;
}

Explanation

The function name should be short and succinct. We think Input_Post() is about as good as we need it, but you may also like _post().

We also need two parameters ($par & $parType) in some situations, to check for email addresses for example.

Next, we make the second parameter $parType optional and, when it is not given, check the type of the first variable (using gettype()). This is important to ensure we apply the correct type of sanitizing and filtering to the input data, so that we do not filter any important data out while still filtering out any harmful data.

Now comes the critical part: sanitizing the data based on its type and storing the result in the $return variable.

Using a switch (or case) is more efficient than if/elseif when dealing with many options and it just looks better.

The last test checks whether the returned data $return differs from the submitted input data (i.e. whether any filtering or sanitizing changed it). If so, we can call a logging function so that this is logged for auditing and for banning users (we run functions that log to an SQL table and check how many failures have occurred in X days for this session footprint), but that is beyond the scope of this post.

Then, return the filtered data $return.

Implementation

Using STG’s Input_Post() function is as simple as replacing occurrences of:
$_POST['variable']
with
Input_Post('variable')

Exceptions

As stated above, there are exceptions to when you can use $_POST variables directly. We only use submitted data directly when testing, such as if it equals a value:

// The submitted value is only compared against fixed values, never echoed or stored
if($_POST['me'] == 'you')
{
	echo 'you';
}
elseif($_POST['me'] == 'me')
{
	echo 'me';
}
else
{
	echo 'you and me';
}

Unless you make PHP’s $_POST data more secure, you should NEVER EVER trust any $_GET or $_POST variable: trusting PHP’s $_GET or $_POST directly is risky and using it directly should be avoided. We would rather only use submitted data to make decisions from, as in the test above.

Install handbrake on CentOS8
https://www.securetech.com.au/tips/linux/install-handbrake-on-centos8.html (Sat, 11 Jul 2020 04:50:59 +0000)

The post Install handbrake on CentOS8 appeared first on SecureTech.

Handbrake is easy to install and update on many Linux distros because it is available as a package and can be installed without having to compile it from source. Read on for this tutorial to learn how.

The Handbrake install instructions for CentOS 8 say that you have to build from source and install all the development tools, but there is an easier way: install it from RPM Fusion.

RPM Fusion provides software that the Fedora Project or Red Hat don’t want to ship.

Before you progress any further, you need to enable EPEL in CentOS 8.

According to the RPM Fusion configuration guide at the time of writing, you need to run the following in a console to add the required repositories to CentOS 8:

sudo dnf install --nogpgcheck https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf install --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-8.noarch.rpm

Next, you need to install the Handbrake GUI:

sudo dnf install HandBrake-gui

This will then try to resolve all the dependencies using the new RPM Fusion repositories and should prompt you to download approximately 20 MB of packages:

Install  22 Packages

Total size: 20 M
Total download size: 20 M
Installed size: 63 M
Is this ok [y/N]: 

To run Handbrake, type the following into a console:

ghb

Securing your devices using DNS
https://www.securetech.com.au/tips/security/securing-your-devices-using-dns.html (Sat, 20 Jun 2020 23:38:01 +0000)

The post Securing your devices using DNS appeared first on SecureTech.

We have long wondered why some of the more harmful web pages are not blocked more easily using DNS, and we finally found a system that does it for us. Securing your devices using DNS may sound like an odd concept, but read on to find out more. You can now improve your Internet security and privacy in a few easy steps.

dns9.quad9.net is a great free service that blocks many bad things from talking to your computers and other devices. A lot of the viruses people get come from either web pages or email, and they use DNS to talk to their command and control (C&C) server(s). Quad9 provides Internet security and privacy in a few easy steps.

dns9.quad9.net will allow you to block all harmful web pages and many other things without you even being aware of it.

If you’re unsure what DNS is, it’s the Domain Name System. In other words, it’s the domain name of the site (such as securetech.com.au) which resolves into an IP address such as “208.113.162.199”. Which one is easier to remember?

Remove preinstalled window 10 apps for all users using powershell
https://www.securetech.com.au/tips/windows/remove-preinstalled-window-10-apps-for-all-users-using-powershell.html (Wed, 03 Jun 2020 07:53:33 +0000)

The post Remove preinstalled window 10 apps for all users using powershell appeared first on SecureTech.

We all need to remove preinstalled Windows 10 apps for all users at some point, and we can do this using PowerShell. The list on this page is hard to keep current, but running the following command will give you a list of the names of your currently installed packages, and you can remove what you think isn’t required. It is fairly easy to re-install an app if required, but we still advise caution.

Get-AppxPackage -AllUsers | Select Name

To remove the preinstalled Windows 10 apps for all users using PowerShell, open PowerShell as Administrator and paste the following.

# Be careful with the next line: it removes the Windows Store, which you probably want to keep,
# as a lot of applications now come through there rather than as direct installs.
# It is commented out for that reason.
#Get-AppxPackage -AllUsers windowsstore | Remove-AppxPackage
# Note: Remove-AppxPackage without -AllUsers removes the app from the current user's profile only;
# Get-AppxPackage -AllUsers will still list packages that remain installed for other users.
Get-AppxPackage -AllUsers xboxapp | Remove-AppxPackage
Get-AppxPackage -AllUsers 3dbuilder | Remove-AppxPackage
Get-AppxPackage -AllUsers zune | Remove-AppxPackage
Get-AppxPackage -AllUsers camera | Remove-AppxPackage
Get-AppxPackage -AllUsers solitaire | Remove-AppxPackage
Get-AppxPackage -AllUsers bing | Remove-AppxPackage
Get-AppxPackage -AllUsers getstarted | Remove-AppxPackage
Get-AppxPackage -AllUsers photos | Remove-AppxPackage
Get-AppxPackage -AllUsers alarms | Remove-AppxPackage
Get-AppxPackage -AllUsers skype | Remove-AppxPackage
Get-AppxPackage -AllUsers phone | Remove-AppxPackage
Get-AppxPackage -AllUsers maps | Remove-AppxPackage
Get-AppxPackage -AllUsers people | Remove-AppxPackage
Get-AppxPackage -AllUsers messaging | Remove-AppxPackage
Get-AppxPackage -AllUsers connectivity | Remove-AppxPackage
Get-AppxPackage -AllUsers communication | Remove-AppxPackage
Get-AppxPackage -AllUsers candy | Remove-AppxPackage
Get-AppxPackage -AllUsers office | Remove-AppxPackage
Get-AppxPackage -AllUsers twitter | Remove-AppxPackage

If you didn’t actually read the above before copying and pasting (as we may or may not have done), you will need to re-install the Store if you want it (which is likely):

Get-AppXPackage WindowsStore -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

To add individual packages back in, use the same re-register approach as for the Store (there is no Install-AppxPackage cmdlet; Add-AppxPackage -Register re-registers the package from its existing install location):

Get-AppxPackage -AllUsers twitter | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

PowerShell is an amazing thing that allows a reasonably knowledgeable person to do many things easily which would normally require a lot more time and/or effort.

Microsoft also has a great resource on what apps are installed, system apps and if not on the list are therefore removable … Windows 10 – Apps – Windows Application Management | Microsoft Docs

Update 2021

The following list is one that I found on a newly installed Win10 machine, and most of the problematic apps were removed. It should be noted that when I re-ran the list I found most of the apps still installed, so I’m working on a way to remove the likes of Skype … good old Microsoft, always doing what it thinks is right by us; despite being told to remove an app, and actually showing it as removing, the app doesn’t get removed … go figure.

# Remove-AppPackage is an alias of Remove-AppxPackage; the full cmdlet name is used here.
# Without -AllUsers, Remove-AppxPackage only removes the app for the current user's profile.
Get-AppxPackage -AllUsers Microsoft.GetHelp | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.Windows.Photos | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.WindowsAlarms | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.WindowsCalculator | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.WindowsCamera | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.WindowsMaps | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.WindowsSoundRecorder | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.Xbox.TCUI | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.XboxGameOverlay | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.XboxGamingOverlay | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.XboxIdentityProvider | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.XboxSpeechToTextOverlay | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.YourPhone | Remove-AppxPackage
Get-AppxPackage -AllUsers SpotifyAB.SpotifyMusic | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.XboxApp | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.MixedReality.Portal | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.Microsoft3DViewer | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.Getstarted | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.ZuneVideo | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.ZuneMusic | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.BingWeather | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.WindowsFeedbackHub | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.MicrosoftSolitaireCollection | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.MicrosoftStickyNotes | Remove-AppxPackage
Get-AppxPackage -AllUsers Microsoft.SkypeApp | Remove-AppxPackage

How to replace Dropbox OneDrive or sugarsync with syncthing
https://www.securetech.com.au/tips/backup-and-sync-tips/how-to-replace-dropbox-onedrive-or-sugarsync-with-syncthing.html (Wed, 03 Jun 2020 06:37:33 +0000)

The post How to replace Dropbox OneDrive or sugarsync with syncthing appeared first on SecureTech.

If you’re sick of paying for synchronization software that is overpriced, or you’re running out of space on a free account, Syncthing is one answer, particularly if you have computers in multiple locations or have a good friend or family member who is happy to share some HDD space and Internet bandwidth to allow you to do automatic off-site backups.

We recently discovered Syncthing and have been very impressed with its features, functionality and security. If you have not yet heard of Syncthing, then you don’t know what you’re missing out on. It has many awesome features, a few of which are listed below.

  • Syncthing is amazing free software that allows you to share folders between networked devices, such as laptops and mobile phones.
  • Syncthing has clients for Windows, Mac and Linux computers.
  • Syncthing has clients for Android and Apple iOS (iPad, iPhone, iPod), although the latter has limited support.
  • Syncthing is secure.
  • Syncthing can be set up to sync in a mesh or hub-and-spoke topology.

Map Network drive to remote computer via SSH
https://www.securetech.com.au/tips/windows/map-network-drive-to-remote-computer-via-ssh.html (Wed, 03 Jun 2020 03:36:55 +0000)

The post Map Network drive to remote computer via SSH appeared first on SecureTech.

If you need to access files on a remote computer (such as a web server), you can use several different programs to do this.

sshfs-win-manager, which is free open-source software and uses sshfs-win.

ExpanDrive has not been tested, but looks very promising; if only it had SugarSync support.

Adding Remote Desktop (RDP) support to windows 10 home
https://www.securetech.com.au/tips/windows/adding-remote-desktop-rdp-support-to-windows-10-home.html (Wed, 01 Apr 2020 12:23:39 +0000)

The post Adding Remote Desktop (RDP) support to windows 10 home appeared first on SecureTech.

Microsoft Windows 10 Home is easily modified to add the Remote Desktop features. These features are normally only available in the Professional version of Win10 (Pro).

You don’t need to pay for the Professional version to have Remote Desktop services installed on your computer. Some smart people have worked out how to install Remote Desktop Server on Win10 Home.

The information below is now old, as it has been a few years since I needed this, but https://github.com/sebaxakerhtc/rdpwrap/releases allows for a far simpler installation (and is regularly updated).

Ignore everything from here down. It’s now redundant.

There is a good article explaining how to enable remote RDP access in the Windows 10 Home edition, but sadly RDPWrap isn’t updated for the latest version of Windows 10, so we decided to make it easier for people to find a working RDPWrap solution:

  1. Copy the files from the archive “RDPWrap-v1.6.2.zip” (or newer) to the “%ProgramFiles%\RDP Wrapper” directory.
  2. DO NOT use another location to install/extract the RDP Wrapper files, as it will not work.
    USE ONLY the “%ProgramFiles%\RDP Wrapper” directory (normally C:\Program Files (x86)\RDP Wrapper).
  3. Extract/copy the files and folders from the archive “autoupdate.zip” to the “%ProgramFiles%\RDP Wrapper” directory.
  4. To enable autorun of autoupdate.bat on system startup, run the following helper batch file as administrator: “%ProgramFiles%\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat”
  5. Set an exclusion in your antivirus/Windows Defender on the folder “%ProgramFiles%\RDP Wrapper” to prevent the deletion of the RDP Wrapper files.
  6. Now you can use the autoupdate batch file to install and update the RDP Wrapper. Run the following batch file as administrator: “%ProgramFiles%\RDP Wrapper\autoupdate.bat”

Wireless Broadband RAS auto Dialer
https://www.securetech.com.au/projects/autodialer/wireless-broadband-ras-auto-dialer.html (Sat, 28 Mar 2020 03:04:32 +0000)

The post Wireless Broadband RAS auto Dialer appeared first on SecureTech.

Anyone can download the RAS automatic dialer (AKA Wireless Broadband Control).

Encrypt SCPrompt communications using SecureVNC plugin
https://www.securetech.com.au/projects/scprompt/encrypt-scprompt-communications-using-securevnc.html (Fri, 27 Mar 2020 05:07:18 +0000)

The post Encrypt SCPrompt communications using SecureVNC plugin appeared first on SecureTech.

Encrypt SCPrompt communications using UltraVNC’s SecureVNC DSM plugin, which uses AES-256 encryption for all communications between client and server.

The SecureVNC plugin allows secure communications between the UVNC viewer and server. The following steps show how to add the SecureVNC plugin to secure SCPrompt.

As SCPrompt uses the UVNC server at its core, it’s easy to modify SCPrompt to use the SecureVNC plugin, which secures connections between UltraVNC components using AES-256.

By using an encryption module (a DSM in UVNC terms), you can be assured that only the person with a correctly configured SCPrompt server can connect to the viewer, and only the viewer belonging to the person who created the SCPrompt is able to view remote computers using the SCPrompt you created.

  1. Download SCPrompt Roll-your-own and unzip it to a suitable location.
  2. Download SecureVNC.dsm.
  3. Place SecureVNC.dsm in the same folder as scprompt.exe
    (where all the conf files and other files are).
  4. Next, configure your ultravnc.ini.
    You can edit it by hand, or just start winvnc.exe in the scprompt directory and configure it through the program’s properties.
    All changes made in the program GUI are written to ultravnc.ini in the scprompt directory.
  5. Enable the SecureVNC.dsm plugin (by hand or through the GUI).
  6. Configure scprompt.ini through the GUI (provided by settings_manager.exe).
  7. “Build” scprompt.
  8. Run uvncviewer in listen mode, and don’t forget to:
    1. copy SecureVNC.plugin to vncviewer’s directory
    2. make uvncviewer use SecureVNC.plugin.
  9. Enjoy the secure open-source goodness.

That’s all.

Make PHP’s $_GET data more secure
https://www.securetech.com.au/projects/web-app-development/make-phps-get-data-more-secure.html (Tue, 07 Jan 2020 06:16:00 +0000)

The post Make PHP’s $_GET data more secure appeared first on SecureTech.

PHP is a great programming language, but it is not a framework like many of the newer “languages”, and as such its basic functions are not as secure as a modern web application requires. Trusting PHP’s $_GET directly is risky, but we have functions that can help make PHP’s $_GET data more secure. This is done by using a few of PHP’s functions to get and filter the variable data and provide it in a somewhat more secure manner.

Web application security nowadays is quite different to when PHP first started as “Personal Home Page”, and you need to ensure that any “web application” you publish is as secure as possible. Using submitted data (via $_GET or $_POST) directly without filtering is not a good idea in almost any situation. There are a few exceptions where we think this is acceptable, and we cover these below.

So we are providing an alternative to the $_GET variable: a function which returns the same data after we make PHP’s $_GET data more secure by filtering (sanitizing) it for anything harmful. Explanations are below, but here is the function …

Function to make PHP’s $_GET data more secure

function Input_Get($par, $parType = '')
{
	if($parType == '')
	{
		// $par is the key name, so gettype() returns 'string' here and the default
		// case applies unless $parType is passed explicitly ('email', 'int', ...)
		$parType = gettype($par);
	}
	$return = '';
	switch ($parType) {
		case 'email':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_EMAIL);
			break;
		case 'int':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_NUMBER_INT);
			break;
		case 'float':
		case 'double':
			// FILTER_FLAG_ALLOW_FRACTION keeps the decimal point; without it "19.99" becomes "1999"
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
			break;
		case 'url':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_URL);
			break;
		default: // 'string'
			// Strips tags; deprecated since PHP 8.1 (FILTER_SANITIZE_FULL_SPECIAL_CHARS is the supported alternative)
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_STRING);
			break;
	}
	// Compare the raw submitted value (not the key name $par) with the filtered value
	$raw = isset($_GET[$par]) ? $_GET[$par] : null;
	if($raw !== null && $raw !== $return)
	{
		//Log error to SQL and ban if more than predefined amount of errors in predefined amount of time ...
	}
	return $return;
}

Explanation

The function name should be short and succinct. We think Input_Get() is about as good as we need it, but you may also like _get().

We also need two parameters ($par & $parType) in some situations, to check for email addresses for example.

Next, we make the second parameter $parType optional and, when it is not given, check the type of the first variable (using gettype()). This is important to ensure we apply the correct type of sanitizing and filtering to the input data, so that we do not filter any important data out while still filtering out any harmful data.

Now comes the critical part: sanitizing the data based on its type and storing the result in the $return variable.

Using a switch (or case) is more efficient than if/elseif when dealing with many options and it just looks better.

The last test checks whether the returned data $return differs from the submitted input data (i.e. whether any filtering or sanitizing changed it). If so, we can call a logging function so that this is logged for auditing and for banning users (we run functions that log to an SQL table and check how many failures have occurred in X days for this session footprint), but that is beyond the scope of this post.

Then, return the filtered data $return.

Implementation

Using STG’s Input_Get() function is as simple as replacing occurrences of:
$_GET['variable']
with
Input_Get('variable')

Exceptions

As stated above, there are exceptions to when you can use $_GET variables directly. We only use submitted data directly when testing, such as if it equals a value:

// The submitted value is only compared against fixed values, never echoed or stored
if($_GET['me'] == 'you')
{
	echo 'you';
}
elseif($_GET['me'] == 'me')
{
	echo 'me';
}
else
{
	echo 'you and me';
}

Unless you make PHP’s $_GET data more secure, you should NEVER EVER trust any $_GET or $_POST variable: trusting PHP’s $_GET or $_POST directly is risky and using it directly should be avoided. We would rather only use submitted data to make decisions from, as in the test above.
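As an added example (not SecureTech’s code) covering both the Input_Post() and Input_Get() functions above: the same sanitizing logic written as a function that takes the request array as a parameter and uses filter_var() instead of filter_input(), so it can be run offline against constructed input, and compares the raw submitted value (not the key name) with the filtered result to decide what to audit. It goes one step beyond the page by pairing each sanitize filter with the matching FILTER_VALIDATE_* filter, because sanitizing only removes characters and does not check that what is left is a usable value. The names Sanitize_Input(), $source and $audit and the sample request values are assumptions made here.

```php
<?php
// Added example, not SecureTech's code: Sanitize_Input(), $source and $audit are names
// chosen here. Same filters as Input_Post()/Input_Get(), but over an array you pass in.
function Sanitize_Input(array $source, string $par, string $parType = 'string', array &$audit = []): ?string
{
    if (!array_key_exists($par, $source)) {
        return null;                       // behave like filter_input() on a missing key
    }
    $raw = (string) $source[$par];         // request values always arrive as strings

    switch ($parType) {
        case 'email':
            $return = filter_var($raw, FILTER_SANITIZE_EMAIL);
            $valid  = filter_var($raw, FILTER_VALIDATE_EMAIL) !== false;
            break;
        case 'int':
            $return = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
            $valid  = filter_var($raw, FILTER_VALIDATE_INT) !== false;
            break;
        case 'float':
        case 'double':
            // Without FILTER_FLAG_ALLOW_FRACTION the decimal point is stripped ("19.99" -> "1999")
            $return = filter_var($raw, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
            $valid  = filter_var($raw, FILTER_VALIDATE_FLOAT) !== false;
            break;
        case 'url':
            $return = filter_var($raw, FILTER_SANITIZE_URL);
            $valid  = filter_var($raw, FILTER_VALIDATE_URL) !== false;
            break;
        default: // 'string'
            // FILTER_SANITIZE_STRING (strip tags) is deprecated since PHP 8.1;
            // on newer PHP encode special characters instead of stripping them.
            $return = PHP_VERSION_ID >= 80100
                ? filter_var($raw, FILTER_SANITIZE_FULL_SPECIAL_CHARS)
                : filter_var($raw, FILTER_SANITIZE_STRING);
            $valid  = ($return === $raw);  // unchanged means nothing suspicious was found
            break;
    }
    if ($return === false) {
        $return = '';
    }

    // Compare the raw submitted value (not the key name) with the filtered one and
    // record what the original design would write to its SQL audit/ban table.
    if ($raw !== $return || !$valid) {
        $audit[] = sprintf('%s: raw=%s filtered=%s valid=%s',
            $par, json_encode($raw), json_encode($return), $valid ? 'yes' : 'no');
    }
    return $return;
}

// Constructed request data standing in for $_POST or $_GET.
$request = [
    'email' => 'bob@@example.com',   // passes sanitizing unchanged, fails validation
    'qty'   => '12abc',              // sanitizes to "12", fails validation
    'price' => '19.99',              // clean: unchanged and valid, so not audited
    'name'  => '<b>Bob</b>',         // tags stripped (or encoded on PHP >= 8.1)
];
$audit = [];
foreach (['email' => 'email', 'qty' => 'int', 'price' => 'float', 'name' => 'string'] as $key => $type) {
    printf("%-6s => %s\n", $key, Sanitize_Input($request, $key, $type, $audit));
}
print_r($audit);
```

Run it with the PHP CLI; three of the four constructed values end up in $audit, which is the list the original design would feed into its failure counter.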
