Sunday, April 06, 2008

HDRI photos are get into the news in geek in japan.

@takesako who is popular engineer in japan.
he start HDRI photosHigh dynamic range imaging few days ago.

HDRI photos are composite photograph with changing 2-4 leaves of photos iris.
you can see HDRI detail at wikipedia.

I create few leaves of HDRI photos.
SAKURA with blue sky.

SAKURA

and SAKURA SAKURA SAKURA :-)

Spring has come to kyoto and cherry blossomed!!!

Spring has come! every spring Japanese love to see cherry blossomed.
cherry blossomed flower are very short life like 1week.
and gone like flower shower.

these cherry blossomed compared to human life.

Anyway this year's Cherry is so beautiful.
Blue sky and pink flower and white flower shower.
We love SAKURA!

SAKURA with Blue sky



Dandelion and Cherry Blossom

Wednesday, March 12, 2008

Trendmicro Virus Infomation pages are Hacked(falsificated).

Trendmicro Virus information page was modified by hacker.
And they insert <iframe> tags to download malware.

JS_DLOADER.TZE is the malware which download from falsificated pages.
Anti virus vendor spread malware...really?!

Virus infomation on these are falsificated virus infomation pages.

Trendmicro US does not release News anything.
There is Japanese release News page(see google translated page Below )
http://translate.google.com/translate?u=http%3A%2F%2Fjp.trendmicro.com%2Fjp%2Fabout%2Fnotice%2F0312%2Findex.html&langpair=ja%7Cen&hl=ja&ie=UTF8

English virus infomation pages.

  • ADWARE_BHO_WEBDIR
  • ADWARE_BHO_WSTART
  • HKTL_MDBEXP.A
  • POSSIBLE_OTORUN3
  • SPYWARE_TRAK_RADMIN
  • TROJ_ARTIEF-1
  • TROJ_CLAGGER.D
  • TSPY_BANKER-2.002
  • TSPY_BANKRYPT.N
  • TSPY_GAMANIA.CI
  • TSPY_GOLDUN.GEN
  • TSPY_LINEAGE
  • TSPY_ONLINEG.DAU
  • TSPY_ONLINEG.OAX
  • TSPY_ONLINEG.OAX
  • TSPY_QQPASS
  • TSPY_SDBOT.BTI
  • W97M_DLOADER.BKV
  • WORM_IRCBOT.JK
  • WORM_NYXEM.E
  • WORM_SOBER.AG

Japanese virus infomation pages.

  • ADW_BRUNME.A
  • ADW_ZANGO.A
  • ADWARE_ADBLASTER
  • ADWARE_EXACTADVERTISING
  • ADWARE_EZULA.ILOOKUP
  • TSPY_AGENT.HS
  • TSPY_ANICMOO
  • TSPY_GOLDUN.GEN
  • TSPY_HUPIGON.ZY
  • TSPY_Lmir TSPY_Tiny

Thursday, January 31, 2008

Cross Site Scripting(XSS) Challenges by yamagata21h

Japanese IT Security technical expert yamagata21h has made Cross Site Scripting(XSS) challenging site.
-> http://xss-quiz.int21h.jp/

Yamagata21h is Japanese famous technical Security expert.
Yamagata21h was impressed by "XSS Workshop" http://blogged-on.de/xss/.

This page was written by yamagata21, inspired by http://blogged-on.de/xss/.

but "XSS Workshop" is not so covering various of type of XSS he said.
so yamagata21h makes "XSS Challenges" him self.

Please Challenge it!!!
if you interesting on Development Security.
and feed back yamagata21h more XSS question if you have.
http://xss-quiz.int21h.jp/

Friday, December 28, 2007

[security] Microsoft Security Advisory (945713) can open arbitrary pages.

In Microsoft Security Advisory (945713): Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure.
They said that "man-in-the-middle attacks" is threat. but is this vulnerability is realy only man-in-the-middle???

What causes this threat?
A malicious user could host a WPAD server, potentially establishing it as a proxy server to conduct man-in-the-middle attacks against customers whose domains are registered as a subdomain to a second-level domain (SLD). For customers with a primary DNS suffix configured, the DNS resolver in Windows will attempt to resolve an unqualified “wpadhostname using each sub-domain in the DNS suffix until a second-level domain is reached. For example, if the DNS suffix is corp.contoso.co.us and an attempt is made to resolve an unqualified hostname of wpad, the DNS resolver will try wpad.corp.contoso.co.us. If that is not found, it will try, via DNS devolution, to resolve wpad.contoso.co.us. If that is not found, it will try to resolve wpad.co.us, which is outside of the contoso.co.us domain.
I verify using malicious proxy.pac(wpad.dat) to open arbitrary malicious pages as real pages.

For Example put proxy.pac as below.
function FindProxyForURL(url,host)
{
return "PROXY www.yahoo.co.jp:80";
}

By setting in Internet Explorer 6.
sorry for Japanese version of IE.
The setting file is located in local disk for convenience.
(but no matter for putting in wpad.consolto.co.us.)


And then browse "http://www.microsoft.com/".
but shown "http://www.yahoo.co.jp/".
(Look at the URL of browser.)


Next how about FireFox2.

sorry for Japanese version of FireFox.
The setting file is located in local disk for convenience.
(but no matter for putting in wpad.consolto.co.us.)


And then browse "http://www.microsoft.com/".
Again but shown "http://www.yahoo.co.jp/".
(Look at the URL of browser.)



This is "by design" of proxy.pac. And hijacking of wpad(or proxy.pac) can open arbitrary malicious pages.
Not only man-in-the-middle attack.

take care your self! :-)

Tuesday, December 25, 2007

Cross site scripting in year 2007.(Blog by Hasegawa Yosuke)

Hasegawa yosuke wrote about Cross site scripting in Year 2007.
ripjyr translate this post to English.
Original post is http://d.hatena.ne.jp/hasegawayosuke/20071226/p1 (Japanese)
-----
I wrote about XSS(Cross site scripting) I found in year 2007.
someone wrote "hasegawa cut to write Blog :-)" someplace.
I didn't cut to write blog ,but noting to write.....
so I force look back XSS in year 2007 :-)

below are XSS found on a famous site I found.


  • XSS in National Institute of Advanced Industrial Science and Technology (AIST)
    • UTF-7 XSS was enabled because charset was not set in 404 response page.
      Session Cookie can stolen if already logined
      Reported:2007/04/16
      Fixed:2007/05/16
  • XSS in sourceforge.jp
    • UTF-7 XSS was enabled because charset was not set in 404 response page.
      Session Cookie can stolen if already logined
      Reported:2007/04/16
      Fixed:2007/05/16
  • XSS in IBM search page.
    • UTF-7 XSS was enabled because HTML character encoding as MS932 can use if specify like "&cs=MS932" in the query on IBM search page.
      Reported:2007/04/19
      Fixed:2007/08/30
  • XSS in MizuhoBank
    • UTF-7 XSS was enabled because HTML character encoding as jis can use if specify like "&oe=jis" in the query on MizuhoBank search page.
      Reported:2007/04/26
      Fixed:2007/12/25
  • XSS in F5 Networks search page
    • XSS was enabled Search page in F5 Networks.
      Query like below.
      http://www.f5networks.co.jp/cgi-bin/search/search.pl?query=abcd%22onload=%22alert(document.location)%22%20
      Reported:2007/07/31
      Fixed:2007/10/29
  • XSS in Oracle search page
    • "%22" was not escaped so XSS was enabled in search page at oracle.co.jp.
      Reported:2007/08/28
      Fixed:2007/09/21
  • XSS in METI Ministry of Economy, Trade and Industry
    • UTF-7 XSS was enabled because charset was not set in www.meti.go.jp pages.
      Reported:2007/10/10
      Fixed:2007/12/05
  • XSS in MIAU(Movements for Internet Active Users)
    • XSS was enabled at Subscription in MIAU Mail magazines page, Query like below.
      http://miau.jp/miaumailmagsubmit.phtml?miaumgreg=test%40example.com%22%20style=%22xss%3aexpression(alert(1))&userevent=mag-reg
      Reported:2007/10/24
      Fixed:2007/10/31
Shown fake information considerable threat by XSS was already easily found in co.jp(like .com) or go.jp(like .gov).
So take care of yourself(who take cares and what cares :-)

Especially XSS in Image file , I contact IPA(INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN) and Microsoft contacts I knew for three years...
Though a considerable communication was done but every time finally said "by specification"....;-<
I wish to be fixed XSSed(not still fixed) pages here and there in 2008 :-)
Then, everybody have a good holidays.

Tuesday, September 25, 2007

[SECURITY]Hospital biohazard! (Computer) virus spread in hospital.

FUJAX virus kills hospital of Chiba national university network. (http://www.ho.chiba-u.ac.jp/)
http://mytown.asahi.com/chiba/news.php?k_id=12000000709130001
Asahi newspaper said that Sep 5 virus spread into network.
And then confusion occurs in hospital.
Can't see last examination record.
Can't account the examination.

Hospital of Chiba University decides shutdown Web browsing and E-mail.
And so on still shutting down web browsing and E-mail until today (September 26).
Virus was Newly discovered virus and not detected by anti-virus software.

Discovered virus was newly appeared in china in February.
Perhaps, it is thought as newly appeared type of FUJAX.
Infected route was web browsing.
Hospital staff searching Internet for chart of human body, they infected at site in china.

Hospital will recover network on end of September. But not recover yet (September 26).
Is this incident one of bio? (Non-bio?) Hazard??? YES!!!
Computer virus spread in hospital and shut hospital system down…

Sunday, September 16, 2007

Finally F-Secure Blog to be Weblog2.0 :-p

F-Secure Blog to be Weblog2.0!!! they are changing!!!

Here is F-Secure Weblog2.0
-> http://www.f-secure.com/weblog/archives/00001276.html

and this is still Weblog1.0
-> http://www.f-secure.com/weblog/archives/archive-092007.html#00001276

What is deference between Weblog2.0 and Weblog1.0???
Only Permanent link ware made?

We'll update the indexes next week. In the meantime, please provide your feedback.
I thought only two things about F-Secure Weblog2.0.
  1. Please set indivisual Page title to posted title.
    this became weblog or bookmark seen very easily.
  2. Please set category or label of posts.
    this became post seen clearly.
please Hold out, We will expecting you!

(18 Sep 2007 update post)
F-Secure recieve my feedbacks!!!
1 - We will be adjusting the individual Page Titles soon.
2 - We'll investigate the option.