Here’s some stuff I’ve found in recent weeks that I never got around to posting, so I’ll just round it all up briefly.
Let’s lead off with an interesting walkthrough of reverse-engineering:
http://www.devttys0.com/2014/02/reversing-the-wrt120n-firmware-obfuscation/
There’s little I can add to this, but if you’re interested in getting started in security research, walkthroughs like this are a gold mine.
Here’s an example of a targeted attack using a breached password dump:
http://7habitsofhighlyeffectivehackers.blogspot.com/2013/11/can-someone-be-targeted-using-adobe.html
This clearly illustrates the problem of reusing a common password. I think it’s also a good example of responsible disclosure. He shows enough to teach a budding security professional how the attack works, but leaves out enough that he’s not going to make an inexperienced malicious hacker’s life much easier.
And from the same site:
http://7habitsofhighlyeffectivehackers.blogspot.com/2013/04/being-good-internet-citizen.html
I don’t know if the response he got by reporting a misconfigured web server should make me laugh or cry. But in all seriousness, I expect their “security reviews” are standard compliance auditing that happens once a year, and Apache directory traversal isn’t the kind of item I would expect an auditor to find in an annual review. I apologize for sounding flip, but the standards assume your sysadmins are competent enough not to do something like that.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.