Welcome to Montebello Partners' security home page. Here we include important current alerts, resources, and announcements. If this is your first visit here, you may want to browse:

• Our introduction to Internet Security,
• Description of our security services
• Monthly email news and updates
• The monthly meetings of the SDForum Internet Security SIG
• The FBI-sponsored bay area Infragard chapter
• Useful security links and tools
• Various presentations given by us.

August, 2005 Update

Hacks

• Microsoft has introduced "Windows Genuine Advantage" -- a feature of Windows Update that checks for pirated versions of Windows before allowing online updates. This feature has apparently been cracked within 24 hours of release, and can be quickly disabled by changing a "WGA" flag to "false" in your browser's javascript. This is a good example of why applications need professional security testing before release.

• The New York Times reports on rampant theft of credit card data from Miami retailers via unsecured wireless access points. Companies should audit themselves for unauthorized or improperly secured wireless networks.

• The going rate for stolen identities is about 4 British Pounds Sterling each. According to the Sun, a reporter was able to purchase identities from an Indian call center, including credit card numbers and banking account passwords. All companies should work carefully with their partners to ensure security and privacy of customer data.

Holes

• A former ISS security research has delivered a presentation at the Black Hat conference in which he demonstrated a vulnerability that allows attackers to gain complete control of Cisco routers. The researcher claims the disclosure is to protect national critical infrastructure. He is now being sued by Cisco and his former employer. The latest firmware update from Cisco should fix this flaw.

• The US CERT center has released several security alerts about vulnerabilities in Oracle, Windows, and Internet Explorer. They also warn about increasing risks from targetted Trojan email attacks (also reported on Security Focus, where an attacker creates a custom piece of code to comprise a specific corporation. Additional user eductation is recommended, since automatic anti-virus systems have limited effectiveness against custom attacks.

News

• We have recently posted some presentations by Montebello Partners' Ames Cornish on Payment Card Industry data security standards and anti-Spam techniques.

Upcoming Events

• The next Infragard chapter meeting, on August 18th at Google headquarters in Mountain View, will cover physical security, including bay area bridges, BART, and California state terrorism assessments.

• The next Internet Security SIG, Thursday, August 25th, in Palo Alto, will cover Gerhard Eschelbeck's "Laws of Vulnerabilities". Gerhard is the CTO of Qualys, a leading vulnerability management vendor.

Other Updates

• June, 2006
• May, 2006
• November, 2005
• August, 2005
• June, 2005
• May, 2005
• April, 2005
• March, 2005
• January, 2005
• December, 2004
• November, 2004
• October, 2004
• September, 2004
• August, 2004
• April, 2003
• March, 2003