Articles by David Campbell

David Campbell is the Chief Security Officer at SendGrid. He is a veteran and visionary in the rapidly evolving field of cyber security. He has nearly two decades of experience providing realistic security assessment and business-focused remediation assistance to organizations ranging from startups to public companies.

Don’t Let Your Credentials Get Stolen on GitHub

API Keys 1

GitHub and other cloud-based source control systems are awesome, and they’re extremely popular with our customers. The ease with which you can collaborate with developers across the cube or around the world is unparalleled. However, as public source control platforms like GitHub have risen to prominence, blackhats have taken note. When developers accidentally publish their secret keys to GitHub, bad actors are quick to pounce. They have automated the process of discovering AWS secret keys in public GitHub repositories and using these keys to spin up EC2 instances to mine Bitcoin. Blackhats are also scouring GitHub looking for credentials for ESPs like SendGrid and our competitors. When they find them, they are quick to use these secrets to try to

Update on Security Incident and Additional Security Measures

SendGrid logo

What Happened On April 8, the SendGrid account of a Bitcoin-related customer was compromised and used to send phishing emails. We initially believed that this account takeover was an isolated incident and worked with our customer to help them recover control of their account and minimize the damage of the attack. After further investigation in collaboration with law enforcement and FireEye’s (Mandiant) Incident Response Team, we became aware that a SendGrid employee’s account had been compromised by a cyber criminal and used to access several of our internal systems on three separate dates in February and March 2015. These systems contained usernames, email addresses, and (salted and iteratively hashed) passwords for SendGrid customer and employee accounts. In addition, evidence suggests

Update on Recent BTC Attack: What Users Can Do To Prevent Attacks

Blacklist sign

Yesterday afternoon, the SendGrid account of a Bitcoin-related customer was compromised and used to send a phish, baiting them to transfer Bitcoins to multiple bad actor accounts, promising interest payments. We worked with the customer to help them recover control of their account and to minimize the damage of the attack. This incident was an isolated attack on one SendGrid customer. A NYT Bits Blog post has reported that users of other Bitcoin-related businesses have been targeted this week with phishing attacks via other email service providers as well. SendGrid encourages ALL of our customers to enable two-factor authentication, which can effectively prevent many attacks. SendGrid customers should also make sure that they are using a unique, random, strong password and

End-to-End Email Encryption with S/MIME

Best Practices
email encryption

In our last post, we provided an overview on the differences between transport layer and end-to-end encryption. We also provided some options for performing end-to-end email encryption, namely S/MIME and PGP/GPG. In this post, we will provide step-by-step instructions for configuring S/MIME on OSX’s as well as the ubiquitous iOS that powers your iPhone, iPad, etc. S/MIME relies on the public PKI, so in order to use it we first need to request a certificate from a publicly trusted certificate authority. StartCom provides free (as in beer) certificates that can be used to vouch for the identity of a web server or individual for non commercial use. StartCom’s StartSSL is a small CA run by an awesome Israeli named

Paranoid Email: End-to-End Crypto Primer

Best Practices
email security

SendGrid recently announced support for TLS encryption for all the email we send as part of #ResetTheNet. While this is a huge step forward for stopping bulk surveillance (spying on everybody), it does little to stop targeted surveillance (spying on a particular person of interest). Bulk Targeted vs. Targeted Surveillance SMTP with TLS protects “data in motion,” meaning that when you submit email to SendGrid using TLS, it is encrypted from your mail server to our mail servers. We then process your message, and send it onward to its recipients. If your recipients’ mail server supports TLS, we will send the message over an encrypted connection, ensuring that any passive surveillance devices along the way will only see ciphertext. Thus, SMTP with

SendGrid and the Future of Email Security

SendGrid TLS

UPDATED: 5 June 2014, 16:00 MDT to reflect Hotmail’s new TLS support! Here at SendGrid, we get a lot of questions about email security. Recent revelations about widespread nation state dragnet surveillance have raised awareness about email security to new levels. We are excited to announce, that effective today, all email sent via SendGrid will utilize opportunistic encryption using TLS. For a long time now we have supported encryption for submitting messages to SendGrid, either via our HTTPS API, implicit SMTP-SSL, or SMTP with STARTTLS. Now when we deliver your message to its recipient we will attempt to negotiate a TLS connection with the recipient’s mail server. This means that so long as your recipients’ mail servers are configured to