Here’s some stuff I’ve found in recent weeks that I never got around to posting, so I’ll just round it all up briefly.
Let’s lead off with an interesting walkthrough of reverse-engineering:
http://www.devttys0.com/2014/02/reversing-the-wrt120n-firmware-obfuscation/
There’s little I can add to this, but if you’re interested in getting started in security research, walkthroughs like this are a gold mine.
Here’s an example of a targeted attack using a breached password dump:
http://7habitsofhighlyeffectivehackers.blogspot.com/2013/11/can-someone-be-targeted-using-adobe.html
This clearly illustrates the problem of reusing a common password across sites. I think it’s also a good example of responsible disclosure. He shows enough to teach a budding security professional how the attack works, but leaves out enough that he’s not going to make an inexperienced malicious hacker’s life much easier.
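The defensive counterpart to that attack is to screen passwords against known breach dumps at the time a user sets them, so a password that already appears in a leak never gets reused on your own systems. The Python below is an added example written for this roundup, not code from the linked post. The "breach dump" is a constructed list of a few made-up passwords, and the 5-hex-digit SHA-1 prefix bucketing is an assumption about how you would structure such a lookup (it mirrors the k-anonymity style used by breached-password lookup services), not something the post describes.

```python
import hashlib

# Constructed sample breach dump. In practice this would be an offline copy of a
# leaked-password corpus with millions of entries; these four are made up here.
BREACHED_PASSWORDS = ["password1", "letmein", "Summer2013!", "qwerty123"]

PREFIX_LEN = 5  # hex digits used to bucket hashes, k-anonymity style


def sha1_hex(text: str) -> str:
    """Uppercase hex SHA-1 of a UTF-8 string (the hash form breach corpora commonly use)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_prefix_index(passwords, prefix_len: int = PREFIX_LEN) -> dict:
    """Bucket breached-password hashes by prefix -> set of hash suffixes.

    Only the suffixes are stored under each prefix, so a lookup never needs to
    reveal or compare the full hash of the candidate outside this process.
    """
    index: dict = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:prefix_len], set()).add(digest[prefix_len:])
    return index


# Built once at import time; a real deployment would load this from disk.
BREACH_INDEX = build_prefix_index(BREACHED_PASSWORDS)


def is_breached(candidate: str, index: dict = BREACH_INDEX,
                prefix_len: int = PREFIX_LEN) -> bool:
    """True if the candidate's SHA-1 suffix appears in the bucket for its prefix."""
    digest = sha1_hex(candidate)
    return digest[prefix_len:] in index.get(digest[:prefix_len], set())


def screen_new_password(candidate: str, index: dict = BREACH_INDEX) -> tuple:
    """Policy decision for a password-set or password-change request.

    Returns (accepted, reason). The reason is safe to show to the user: it
    says the password is known-breached without echoing the password itself.
    """
    if is_breached(candidate, index):
        return (False, "rejected: this password appears in a known breach dump")
    return (True, "accepted")


def audit_accounts(accounts: dict, index: dict = BREACH_INDEX) -> list:
    """Given {username: plaintext_password} captured at set time, list the
    usernames whose chosen password is in the breach index.

    Constructed for the example: a real system never stores plaintext, so this
    check belongs in the set-password path, not in a later sweep.
    """
    return sorted(user for user, pw in accounts.items() if is_breached(pw, index))


if __name__ == "__main__":
    # Constructed sample accounts to illustrate the report.
    sample_accounts = {
        "alice": "correct horse battery staple",
        "bob": "letmein",
        "carol": "Summer2013!",
    }
    print(screen_new_password("qwerty123"))
    print("accounts using breached passwords:", audit_accounts(sample_accounts))
```

The index stores only hash suffixes per prefix, so the same structure works whether the dump lives on disk or behind a range-query service; the policy function is what your password-change handler would call.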
And from the same site:
http://7habitsofhighlyeffectivehackers.blogspot.com/2013/04/being-good-internet-citizen.html
I don’t know if the response he got by reporting a misconfigured web server should make me laugh or cry. But in all seriousness, I expect their “security reviews” are standard compliance audits that happen once a year, and an Apache directory traversal issue isn’t the kind of item I would expect an auditor to find in an annual review. I apologize for sounding flip, but the standards assume your sysadmins are competent enough not to do something like that.