Concerned CISO

(This post originally appeared on the Cyber Tech Accord’s signatory blog: As I write this, we are halfway through the fifth month of the COVID-19 pandemic. All of us have had some amount of upheaval in our lives including restricting travel and our contact with friends and family. Some have had even more difficulty – loss of jobs, businesses, and the downturn of entire economic sectors. An uncertain future remains before us.  The rapid move by many businesses to support teleworking has caused a boom in technology fields. Some organizations like Amazon, Twitter, Teledoc, and Siemens are treating working remotely as not just a temporary change, but as a more permanent shift. Tech adoption, disruption, and digital transformation are[…]

When I first read the article Authy Makes Using Two-Factor Authentication Easier I thought to myself, “why have I never heard of this Authy thing?” After all, we have been covering two-factor for a while. I went ahead and installed it, and started digging into the application and the company. I even fired off some questions about how they treat the information in the application and I’m impressed. This application is advancing the state of the art for two-factor authentication by making it not just simpler to use, but more secure as well. This article is covering how Authy is simplifying the use of two-factor authentication. Next week I’ll publish another article about how they are also advancing the state of[…]

By default, the installation of VMware’s vCenter and ESXi use self-signed certificates with hardcoded passwords to protect the private keys of their SSL web services. While it gets you services that work out of the box, it is really bad form and a poor security practice. If you install (or update to) version 5.1 of the VMware infrastructure components, you will be left with a bunch of warning windows like the ones on the left. If you’re lucky enough to have access to your own public key infrastructure, you can issue your own certificates to replace those provided by VMware so you don’t see constant warnings. However, if you undertake this effort be forewarned: VMWare’s guidance (Replacing Default vCenter 5.1[…]

The tl;dr summary for those with short attention spans – Don’t open the attachment, be quick to delete anything you’re not sure about, and if you want to help in the fight against phishing, report it using the guidelines I’ve outlined below. I received a pretty awesome phishing email today. It included a significant attachment that I’m looking forward to analyzing at a later date. Since it will take me a while before I’ve got the time to run the analysis, I decided I wanted to forward it around to the appropriate organizations to ensure that they take some time and analyze it and make sure other individuals can be protected from it. It turns out that there are more places[…]

Yesterday, this story on Wired was making the rounds: How a Google Headhunter’s E-mail Unraveled a Massive Net Security Hole. Sure, the title is probably hyperbole, but it is an interesting story. At a high level, mathematician Zach Harris noticed that emails from Google – and from several other prominent domains including eBay, PayPal, Yahoo, Amazon, etc. – could be spoofed. Anyone who has ever run telnet to port 25 and sent an email from or knows that email has always been pretty easy to spoof. Given the rise in unsolicited emails also known as spam, something had to be done. In 2006, a working group was founded to try and create a standard that would make email harder to[…]