Welcome to Montebello Partners' security home page. Here we include important current alerts, resources, and announcements. If this is your first visit here, you may want to browse:

• Our introduction to Internet Security,
• Description of our security services
• Monthly email news and updates
• The monthly meetings of the SDForum Internet Security SIG
• The FBI-sponsored bay area Infragard chapter
• Useful security links and tools
• Various presentations given by us.

April, 2003

Hacks

• Identify theft continues to cause significant monetary losses. A recent victim had $75,000 stolen from a home equity line. A hacker took an entire database of personal information from a third-party marketing company, which had purchased it from a credit-reporting bureau, which had collected it from the victim's bank. The victim's first inkling was a routine notice from the lending bank that new equity-line checks had been sent to "your new address in Florida, as per your request". After months of work to unravel the transaction and dispute the withdrawal, it turns out that the entity that accepted and cashed the check is responsible for the loss, rather than any of the other negligent parties involved. As these sorts of incidents continue to occur, expect consumers to insist on better information security from the companies they work with.

Holes

• Severe newly-announced vulnerabilities in Lotus Notes and Domino, and a core library in Windows 2000 allow remote attackers to take complete control of the vulnerable system. Source code to exploit these vulnerabilities has been posted on the Internet. Yet another incentive to keep your software security patches up-to-date!

• New subtle vulnerabilities in the core SSL and HTTPS web security protocols were found by various researchers. These attacks involve inspecting the timing of server error responses, or the patterns of millions of failed connection attempts. Patches are available, and no source code exploits have been posted. Note that these vulnerabilities are much harder to xploit than the above proprietary software vulnerabilities. One of the benefits of open source technology!

Hints

• Ames was quoted in an article by American Banker online, about the impact of the new California SB 1386 identify theft disclosure law:

  "If you're concerned about your reputation, then this is a pretty big deal," said J. Ames Cornish, the founder of the technology consulting firm Montebello Partners in Palo Alto.

  Mr. Cornish advises companies to update their customer contact information regularly to avoid having to tell the general public about any breaches. [...] Mr. Cornish says banks can mitigate some risks, such as the lost laptop, by keeping records of which laptops contain which data. Otherwise, all customers would have to be notified -- not just the ones on that particular laptop."

Other Updates

• June, 2006
• May, 2006
• November, 2005
• August, 2005
• June, 2005
• May, 2005
• April, 2005
• March, 2005
• January, 2005
• December, 2004
• November, 2004
• October, 2004
• September, 2004
• August, 2004
• April, 2003
• March, 2003