Welcome to Montebello Partners' security home page. Here we include important current alerts, resources, and announcements. If this is your first visit here, you may want to browse:

• Our introduction to Internet Security,
• Description of our security services
• Monthly email news and updates
• The monthly meetings of the SDForum Internet Security SIG
• The FBI-sponsored bay area Infragard chapter
• Useful security links and tools
• Various presentations given by us.

September, 2004 Update

Hacks

• Three men pleady guilty to hacking into the Lowe's chain of stores. Two of them used an unsecured unencrypted wireless access point that provided access to internal corporate servers which stored credit card information. The third man, Timmons, pleaded guilty in the nation's first conviction for "wardriving". It was when he accessed his email and accidentally browsed a Lowe's server that the other two got the idea to steal credit card numbers. Timmons faces up to 12 months in prison for unauthorized access to a protected computer.

Holes

• The recent BlackHat and DefCon cracker conferences in Las Vegas exposed a number of interesting hacker techniques. Presenters showed how to use Google and the Google cache to find vulnerable information, and how to use Blue Tooth to get phone numbers and personal notes off of many popular cell phones. Tom's hardware has a good summary of the events.

• A vulnerability was discovered in the popular open-source Mozilla and Firefox web browsers. This could let a malicious web site "spoof" elements of the interface using XUL, which could trick users into giving up passwords or installing back doors.

• Vulnerabilities were recently announced in both Microsoft Internet Explorer's handling of "GIF" images, and in the "libpng" library for handling "PNG" images. Security researchers have long been warning that malicious code doesn't have to be placed in executable files at all. It can be placed in something as innocuous as a simple image file, and then a faulty image display program can be tricked into running the malicious code.

• Clicking on a link in an AIM instant message can allow a remote attacker to take over your computer. This is an example of a trend for attackers to exploit weaknesses in all popular internet messaging clients including AIM, Yahoo, and MSN.

Other Updates

• June, 2006
• May, 2006
• November, 2005
• August, 2005
• June, 2005
• May, 2005
• April, 2005
• March, 2005
• January, 2005
• December, 2004
• November, 2004
• October, 2004
• September, 2004
• August, 2004
• April, 2003
• March, 2003