PayPal released a fingerprint payments mobile application

PayPal has launched a mobile application that lets Samsung smartphone owners in 25 countries authorize payments with a fingerprint. The biometric procedure replaces the traditional username and password login.

A survey of users in the United States showed that a majority (53%) consider the new procedure more convenient.

The press release did not disclose the key characteristics of PayPal's biometric authentication, including its false-acceptance rate. The new solution may well improve usability, but from a security perspective it is still a single factor, so it is no stronger than traditional authentication.

The Heartbleed vulnerability made it clear that any new technology should consider multi-factor authentication: a login and password alone will not fully prevent attacks on a remote system.


Subterfuge Automated Man-in-the-Middle Attack Framework

Subterfuge is a Python-based framework for testing man-in-the-middle attacks. Once started it sniffs network traffic and waits for users to log in to online services such as Gmail, Twitter, Facebook and others, then displays the captured account information.

Besides the session hijacking module there are modules for scanning the network, performing HTTP code injection or denial of service. There is also a Tunnel Block module that prevents certain protocols from reaching the internet, including PPTP, Cisco IPsec, L2TP, OpenVPN and SSH, so that a victim cannot tunnel around the interception.

Another module is Network View, which syncs rapidly to present victim information in real time. A further addition is Evilgrade, which lets the attacker spoof operating system updates and deliver patches shipped with a backdoor.

Screenshot: Subterfuge with its modules

You can read more about Subterfuge at the following link:


Heartbleed Critical Vulnerability in OpenSSL

The security community has spent this week discussing the OpenSSL vulnerability that lets an attacker abuse the TLS Heartbeat extension and read up to 64 KB of the server process's memory per request. The attack can be repeated indefinitely to harvest sensitive data such as user passwords and, potentially, the server's private key.

Many internet-facing servers were affected, and patching OpenSSL alone does not resolve the situation: administrators also need to install new certificates (the old private key may have leaked) and all account passwords should be changed.

The vulnerability was reported last Friday by Codenomicon, and on Monday a fix was released in OpenSSL 1.0.1g. A Python proof-of-concept script and an Nmap script (ssl-heartbleed) were also published to test whether a server is vulnerable.

Heartbleed is one of the most serious bugs to date because the attacker can read memory without leaving any trace in the application's own logs, which makes the attack hard to monitor and identify. The real number of attacks is still unknown.

This shows that security testing of software is one of the best ways to protect applications and end users, since such flaws can surface at any moment. If you use OpenSSL, make sure you have applied all the required updates; you can also use Snort signatures to detect and monitor Heartbleed exploitation on your infrastructure.
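The following is an added example, not code from the article, the OpenSSL project or any published Snort rule set. It shows the check behind both the fix and the detection signatures: a Heartbeat message declares its own payload length, and the bug is that unpatched OpenSSL trusted that length instead of comparing it with the real size of the record (the comparison 1.0.1g added). The same mismatch is what a sensor can flag on the wire: a request that claims more payload than it carries, or a response that returns more payload than the request supplied. The sample records are constructed in the code; nothing here touches the network.

```python
"""Heartbleed (CVE-2014-0160) length check on raw TLS Heartbeat records."""
import struct

TLS_HEARTBEAT = 0x18        # TLS record content type 24 = Heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16         # RFC 6520 requires at least 16 bytes of padding


def build_record(ctype, body, version=0x0302):
    """Wrap a body in a TLS record header: type, version, length."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def build_heartbeat(hb_type, declared_len, payload=b"", padding=b""):
    """Build a Heartbeat record. declared_len is what the header claims and
    payload is what is actually sent, so the two can disagree on purpose."""
    body = struct.pack("!BH", hb_type, declared_len) + payload + padding
    return build_record(TLS_HEARTBEAT, body)


def parse_record(data):
    """Return (content_type, body) for one complete TLS record, else None."""
    if len(data) < 5:
        return None
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    return (ctype, body) if len(body) == length else None


def heartbeat_fields(record):
    """Return (hb_type, declared_len, body_len) for a Heartbeat record, else None."""
    parsed = parse_record(record)
    if parsed is None or parsed[0] != TLS_HEARTBEAT or len(parsed[1]) < 3:
        return None
    hb_type, declared = struct.unpack("!BH", parsed[1][:3])
    return hb_type, declared, len(parsed[1])


def classify_request(record):
    """'overread-attempt' when type(1) + length(2) + declared payload + minimum
    padding does not fit in the record. An unpatched server skipped this test
    and copied declared_len bytes from its own heap into the reply."""
    fields = heartbeat_fields(record)
    if fields is None:
        return "not-heartbeat"
    hb_type, declared, body_len = fields
    if hb_type != HB_REQUEST:
        return "not-request"
    if 1 + 2 + declared + HB_MIN_PADDING > body_len:
        return "overread-attempt"
    return "ok"


def response_leaks(request, response):
    """A server can only echo the payload bytes the request really carried.
    If the response declares more than that, the surplus came from server memory."""
    req = heartbeat_fields(request)
    resp = heartbeat_fields(response)
    if req is None or resp is None or resp[0] != HB_RESPONSE:
        return False
    _type, _declared, req_body_len = req
    actual_request_payload = max(0, req_body_len - 3 - HB_MIN_PADDING)
    return resp[1] > actual_request_payload


# Constructed sample traffic (not captured from a real host).
LEGIT_REQUEST = build_heartbeat(HB_REQUEST, 4, b"ping", b"\x00" * 16)
LEGIT_RESPONSE = build_heartbeat(HB_RESPONSE, 4, b"ping", b"\x00" * 16)
# The classic probe: claims 16 KiB of payload, sends none (3-byte body).
EXPLOIT_REQUEST = build_heartbeat(HB_REQUEST, 0x4000)
# What an unpatched server answers: 16 KiB of whatever sat in memory after the request.
LEAKED_RESPONSE = build_heartbeat(HB_RESPONSE, 0x4000, b"\xaa" * 0x4000, b"\x00" * 16)

if __name__ == "__main__":
    print("legit request:  ", classify_request(LEGIT_REQUEST))
    print("exploit request:", classify_request(EXPLOIT_REQUEST))
    print("legit exchange leaks:  ", response_leaks(LEGIT_REQUEST, LEGIT_RESPONSE))
    print("exploit exchange leaks:", response_leaks(EXPLOIT_REQUEST, LEAKED_RESPONSE))
```

The request-side check is the one a patched server applies before replying; the response-side check is the one a passive sensor needs, because an unpatched server's reply is a perfectly well-formed record whose only anomaly is its size relative to the request. Note that a sensor can only do this on plaintext Heartbeat records, which is exactly the case for the pre-handshake probe the public scripts used; once the handshake is complete the Heartbeat messages are encrypted and only their record length is visible.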


PassiveDNS network sniffer to log DNS queries

Domain name servers may contain several types of security vulnerabilities that allow a malicious user to redirect website visitors to a third-party site. The redirection can come from cache poisoning against a DNS server that is not patched or hardened, or from ARP spoofing on the local network that lets an attacker answer the clients' DNS queries himself.

PassiveDNS is an open source tool for investigating incidents related to DNS attacks. It lets a security analyst collect DNS traffic passively, either live from an interface or from a pcap file, and write it to log files. This helps identify the answers the DNS server returned and find out where the redirection or the issue with the server occurred.

PassiveDNS can be used as a standard DNS packet sniffer to monitor network traffic and keep a history of resolutions: for each name it records when the query was first seen, the query itself and the IP address the DNS server answered with.
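As an added example (not part of the original article or of the passivedns project), the following Python builds the two views an analyst wants from such a log: the first-seen table the article describes, and the list of names whose A answer changed over time, which is where a poisoned or spoofed resolution shows up. It assumes the default passivedns.log line layout of nine fields separated by `||` (timestamp, client, server, class, query, type, answer, TTL, count); the log lines themselves are constructed for the example with documentation addresses.

```python
"""Turn passivedns.log into a first-seen table and a list of resolution changes."""
from collections import defaultdict

# Assumed default passivedns field order: ts||client||server||class||query||type||answer||ttl||count
FIELDS = ("ts", "client", "server", "qclass", "query", "rtype", "answer", "ttl", "count")

# Constructed sample log (not a real capture). The last line is deliberately corrupt.
SAMPLE_LOG = """\
1396950001.101||10.0.0.5||10.0.0.1||IN||www.example-bank.test.||A||203.0.113.10||3600||1
1396950002.202||10.0.0.7||10.0.0.1||IN||www.example-bank.test.||A||203.0.113.10||3600||4
1396950003.303||10.0.0.5||10.0.0.1||IN||cdn.example.test.||CNAME||edge.example.test.||300||1
1396950004.404||10.0.0.5||10.0.0.1||IN||edge.example.test.||A||198.51.100.8||300||1
1396951000.505||10.0.0.9||10.0.0.1||IN||www.example-bank.test.||A||192.0.2.66||60||1
this line is corrupt and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.rstrip("\n").split("||")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["ts"] = float(rec["ts"])
        rec["ttl"] = int(rec["ttl"])
        rec["count"] = int(rec["count"])
    except ValueError:
        return None
    return rec


def parse_log(text):
    """Parse a whole log, silently dropping lines that do not fit the format."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def first_seen(records):
    """(query, type) -> (first timestamp, first answer): the 'first time seen' view."""
    table = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        table.setdefault((rec["query"], rec["rtype"]), (rec["ts"], rec["answer"]))
    return table


def resolution_changes(records, rtype="A"):
    """Names whose answer of the given type changed over time.
    Returns {query: [(ts, answer, ttl), ...]} with one entry per distinct
    consecutive answer; only names with more than one entry are returned."""
    history = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["rtype"] != rtype:
            continue
        seen = history[rec["query"]]
        if not seen or seen[-1][1] != rec["answer"]:
            seen.append((rec["ts"], rec["answer"], rec["ttl"]))
    return {name: hist for name, hist in history.items() if len(hist) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (name, rtype), (ts, answer) in sorted(first_seen(recs).items()):
        print(f"{ts:.3f}  first seen  {name} {rtype} -> {answer}")
    for name, hist in resolution_changes(recs).items():
        print(f"resolution changed for {name}:")
        for ts, answer, ttl in hist:
            print(f"    {ts:.3f}  {answer}  (ttl {ttl})")
```

Run it against the real file with `parse_log(open("passivedns.log").read())`. The change list is a starting point, not a verdict: legitimate names served from round-robin or CDN pools change answers constantly, so the analyst still has to check who owns the new address. Carrying the TTL along is my own addition; a sudden drop in TTL alongside a changed answer is worth a second look, but the log alone cannot prove poisoning.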

Screenshot: PassiveDNS sniffing DNS packets

Logs are stored in passivedns.log, which the security analyst can use when writing up the incident report. You can download the tool from the following link:


Smbexec rapid post-exploitation tool

Smbexec is a tool for penetration testing Windows domains: it runs post-exploitation actions with domain accounts and expands access across the target network, so a pentester can move between hosts with the credentials already in hand rather than needing a fresh exploit for each machine.

The latest release runs faster, adds more configuration options and includes a file search module. Smbexec makes it easy to walk every machine on the network and collect information such as the UAC configuration or other system settings, as well as where domain administrator credentials are in use.

Screenshot: smbexec options

To install smbexec:

  1. git clone the repository
  2. Run the install script, select your operating system and supply any required information
  3. Run the script again to compile the binaries
  4. Type smbexec

You can find more information in the release notes:


IE PassView 1.31

Several tools exist for recovering passwords stored by web browsers. IE PassView covers Internet Explorer, for cases where you have forgotten the passwords you use to log in to different systems. The tool has a graphical interface and is simple to use. Bear in mind that the same recovery works for anyone who gains access to the user's profile, which is a reminder of how little protection browser-stored passwords really have.

“IE PassView is a small password management utility that reveals the passwords stored by Internet Explorer Web browser, and allows you to delete passwords that you don’t need anymore. It supports all versions of Internet Explorer, from version 4.0 and up to 10.0. For each password that is stored by Internet Explorer, the following information is displayed: Web address, Password Type (AutoComplete, Password-Protected Web Site, or FTP), Storage Location (Registry, Credentials File, or Protected Storage), and the user name/password pair. You can select one or more items from the passwords list and export them into text/html/csv/xml file.”


Screenshot: IE PassView

You can download the program from the following link:


MS Office files used to spread malware

Trend Micro has observed new malware that spreads through Microsoft Office files. It relies on Windows PowerShell scripts, which system administrators allow in many environments for customizing the OS configuration.

The malware, named CRIGENT, embeds itself in a Word or Excel document. When the victim opens the malicious file it executes and downloads two components, hosted on cloud storage providers, using Tor and Polipo. The criminals hide the download URLs in DNS records rather than in the document itself.

Fetching those URLs runs a PowerShell script that collects user and system information, including IP address, country code, OS version, domain, OS language, Office version and the victim's location, and the script repeats the collection at every system start-up.

Screenshot: the PowerShell script modifying registry keys

On a local network it is important to monitor traffic: a connection over a non-standard protocol such as Tor warrants further investigation to identify the root cause, and it can be blocked at the firewall with egress filtering, since such traffic indicates a likely infected system.

Trend Micro already has signatures to protect users against this malware, so keep your security software updated.