Some security short-takes I never got around to posting

Here’s some stuff I’ve found in recent weeks that I never got around to posting, so I’ll just round it all up briefly.

Let’s lead off with an interesting walkthrough of reverse-engineering:

There’s little I can add to this, but if you’re interested in getting started in security research, walkthroughs like this are a gold mine.

Here’s an example of a targetted attack using a breached password dump:

This clearly illustrates the problem of using a common password. I think it’s also a good example of responsible disclosure. He shows enough to show a budding security professional how to hack, but leaves out enough that he’s not going to make an inexperienced malicious hacker’s life much easier.

And from the same site:

I don’t know if the response he got by reporting a misconfigured web server should make me laugh or cry. But in all seriousness, I expect their “security reviews” are standard compliance auditing that happens once a year, and Apache directory traversal isn’t the kind of item I would expect an auditor to find in an annual review. I apologize for sounding flip, but the standards assume your sysadmins are competent enough not to do something like that.

If you found this post informative or helpful, please share it!
%d bloggers like this: