Welcome to Montebello Partners' security home page. Here we include important current alerts, resources, and announcements. If this is your first visit here, you may want to browse:

• Our introduction to Internet Security,
• Description of our security services
• Monthly email news and updates
• The monthly meetings of the SDForum Internet Security SIG
• The FBI-sponsored bay area Infragard chapter
• Useful security links and tools
• Various presentations given by us.

November, 2005 Update

Hacks

• A number of California bay area school districts inadvertently exposed private information on thousands of students over the web. A new information system was deployed with a widely-known generic password for all teachers. Be careful to avoid developing or deploying applications with insecure default settings.

• A MySpace user created a cross-site scripting worm that added over 1 million friends to his friends list. MySpace had attempted to screen out "Javascript" from user postings. Web developers should "whitelist" acceptable data rather than attempt to "blacklist" malicious data.

• A satellite TV business used denial-of-service attacks to cripple its competitors. The professional cyber-criminals involved are now pleading guilty. In the Netherlands, Dutch police busted a botnet network of 100,000 zombie PC's. Cybercrime is committed for profit, not for fun.

Holes

• A group of researchers has discovered a way to eavesdrop through walls, by using microwaves to detect vibrations in your clothing when you speak. Never underestimate the ingenuity of your opponent.

• The popular Snort intrusion detection system has a vulnerability which would allow a remote attacker to take over the system it is running on. Every additional component of your infrastructure, even security components, creates potential for additional vulnerabilities.

• Both Firefox and Internet Explorer (including an AJAX component) web browsers have newly discovered remotely-exploitable vulnerabilities. As the Firefox browser becomes more widely-deployed it is been both scrutinized and attacked more often. Keep your systems up to date, and be careful what you click on.

• The popular Skype messaging and voip software announced a remotely-exploitable heap overflow vulnerability. It's important to keep informed and active on patches to your applications, not just your operating system.

• Researchers a Penn State belive they have uncovered a way to "take-out" a cell phone system using SMS messaging. As major segments of our infrastructure become computerized and connected to the Internet, they also become vulnerable to external attack.

News

• Montebello Partners' Ames Cornish has been elected as the President of the Executive Council for the Software Development Forum. As if a busy security consulting practice weren't enough, Ames volunteers for SDForum and other silicon valley non-profits.

Upcoming Events

• The next SDForum Internet Security SIG will be on Thursday, December 1st, on physical security of wireless installations.

• The next bay area Infragard meeting will be on Thursday, November 17th, on disaster planning and recovery lessons learned.

Other Updates

• June, 2006
• May, 2006
• November, 2005
• August, 2005
• June, 2005
• May, 2005
• April, 2005
• March, 2005
• January, 2005
• December, 2004
• November, 2004
• October, 2004
• September, 2004
• August, 2004
• April, 2003
• March, 2003