Welcome to Montebello Partners' security home page. Here we include important current alerts, resources, and announcements. If this is your first visit here, you may want to browse:

• Our introduction to Internet Security,
• Description of our security services
• Monthly email news and updates
• The monthly meetings of the SDForum Internet Security SIG
• The FBI-sponsored bay area Infragard chapter
• Useful security links and tools
• Various presentations given by us.

October, 2004 Update

Hacks

• The Apache software foundation recently declined to implement Sender ID because it requires a Microsoft license incompatible with open source licenses. A recent study showed that spammers use anti-spam sender authentication even more than the rest of us.

• @stake is reporting that they can easily read data from "protected" areas of the Lexar JumpDrive USB drive. The encryption password can be read directly from the device. Not to pick on Lexar, but this is an example of how hard it is for companies to create proprietary security schemes that can actually keep out an experienced hacker.

• Even USA Today is picking up on the prevalence of "zombie" computers among home users. Cyber-criminals methodically search the Internet for vulnerable machines, surreptitiously take them over, and then re-sell usage of these machines to illegal spammers, porn distributors, and other criminals. Use of a computer can be purchased for as little as $0.10. If you're a home user, use a firewall, anti-virus, and keep your system up-to-date!

Holes

• This month, serious vulnerabilities were found in Kerberos. Make sure to get your software up-to-date!

• Cryptologists have found "collisions" in the sha-0 and popular md5 hash functions. A collision indicates that two separate documents (e.g. an original signed contract and a altered forged contract) can have the same hash fingerprint. Though these aren't yet exploitable vulnerabilities in any current systems (md5 or sha-1), they do indicate that vulnerabilities will be found, and cryptographers need to organize around a next generation hash function.

Hints

• One of our clients was recently having problems with spam being sent to their public email addresses. Spammers use special email address harvesters that automatically scan the web for addresses they can add to their databases for sending out spam. It is possible to specially encode email links on your website so that they are not readable by most spammer's address harvesters, and therefore won't get as much spam. I recommend using a "character entity" translator. The mailto links on your website will still work for visitors, but will be skipped by most address harvesters.

Other Updates

• June, 2006
• May, 2006
• November, 2005
• August, 2005
• June, 2005
• May, 2005
• April, 2005
• March, 2005
• January, 2005
• December, 2004
• November, 2004
• October, 2004
• September, 2004
• August, 2004
• April, 2003
• March, 2003