Welcome to Montebello Partners' security home page. Here we include important current alerts, resources, and announcements. If this is your first visit here, you may want to browse:

• Our introduction to Internet Security,
• Description of our security services
• Monthly email news and updates
• The monthly meetings of the SDForum Internet Security SIG
• The FBI-sponsored bay area Infragard chapter
• Useful security links and tools
• Various presentations given by us.

March, 2003

Hacks

• CERT is reporting a dramatic increase in successful attacks on home broadband users. These attacks typically exploit weak passwords on Windows file shares, and concentrate on IP ranges of consumer DSL and Cable customers. A successful attack installs a hidden "backdoor" on the system, and tools for launching Distributed Denial of Service (DDoS) attacks from the system. All broadband users should have a software or hardware firewall, and should check their systems for any default or weak passwords. (Examples of weak passwords are "password", a blank password, "123", or any dictionary word.)

• Eight million credit card records were stolen from an east coast third-party processor. It is unclear if usable data, including cardholder names, was fully compromised. The companies involved have decided not to notify individual consumers, but will monitor the relevant accounts for fraud. All credit card holders should regularly check their bills and their credit reports for unauthorized use.

Holes

• The most popular mail server software, Sendmail, has a serious buffer overflow vulnerability. SIG members have reported already seeing attacks based on this vulnerability. Anyone running Sendmail should install the appropriate patches.

News

• The Privacy sections of the Health Insurance Portability and Accountability Act (HIPAA) will take effect in April 21. HIPAA applies to all companies that transmit personal health-care information electronically. HR departments may be affected. Federal penalties for violations are up to $250,000 and 10 years in jail. Affected organizations must conduct a risk analysis and implement reasonable safeguards.

• A new California law, SB 1386, will take effect on July 1st. The law requires all companies doing business with California customers (not just companies based in California), to promptly notify customers of possible compromise of private data including social security numbers and financial account numbers. If a company is unable to notify affected customers, they must feature notice of the compromise prominently on their website, and must alert national media. All companies which store personal data should review their security posture and their notification procedures.

• The FBI is creating a fifth Regional Computer Forensics Lab in Menlo Park. This lab will support all law enforcement agencies in the area, and has an initial budget of $3,000,000. A company which is the victim of a possible cybercrime should take care to preserve evidence, and can contact the FBI Computer Intrusion Squad at (510) 886-7447.

Other Updates

• June, 2006
• May, 2006
• November, 2005
• August, 2005
• June, 2005
• May, 2005
• April, 2005
• March, 2005
• January, 2005
• December, 2004
• November, 2004
• October, 2004
• September, 2004
• August, 2004
• April, 2003
• March, 2003