Some security short-takes I never got around to posting

Here’s some stuff I’ve found in recent weeks that I never got around to posting, so I’ll just round it all up briefly.

Let’s lead off with an interesting walkthrough of reverse-engineering:
http://www.devttys0.com/2014/02/reversing-the-wrt120n-firmware-obfuscation/

There’s little I can add to this, but if you’re interested in getting started in security research, walkthroughs like this are a gold mine.

Here’s an example of a targetted attack using a breached password dump:
http://7habitsofhighlyeffectivehackers.blogspot.com/2013/11/can-someone-be-targeted-using-adobe.html

This clearly illustrates the problem of using a common password. I think it’s also a good example of responsible disclosure. He shows enough to show a budding security professional how to hack, but leaves out enough that he’s not going to make an inexperienced malicious hacker’s life much easier.

And from the same site:

http://7habitsofhighlyeffectivehackers.blogspot.com/2013/04/being-good-internet-citizen.html

I don’t know if the response he got by reporting a misconfigured web server should make me laugh or cry. But in all seriousness, I expect their “security reviews” are standard compliance auditing that happens once a year, and Apache directory traversal isn’t the kind of item I would expect an auditor to find in an annual review. I apologize for sounding flip, but the standards assume your sysadmins are competent enough not to do something like that.

If you found this post informative or helpful, please share it!