For the past several years, the information security community has heard the constant refrain: use Signal, Tor, and two-factor authentication (2FA). At BSidesNYC, however, conference speakers urged attendees to dig deeper than simply “more crypto.” Founded in 2009, Security BSides is committed to surfacing alternative and informative presentations. Nine years later, volunteer-run BSides conferences stretch across the globe (Terbium Labs is excited about making an appearance at BSidesCharm at the end of April!). This year, John Jay College’s D4CS program hosted BSidesNYC, which focused broadly on information security but also featured entrepreneurial panel discussions about what makes startups successful.
Alongside the keynotes and panel discussions, the one-day summit also offered hands-on villages that featured hardware hacking, community-owned mesh networking, and a killer lockpicking tutorial (thanks, TOOOL NYC!). The conference included two rooms of talks ranging from threat-based risk management to a historical analysis of American intelligence. The keynote speakers—Runa Sandvik of the New York Times and Amber Baldet of JP Morgan’s Blockchain Center of Excellence—set the eclectic tone of the conference, covering everything from the security of the New York Times’ newsroom to the nexus of big banks and the blockchain.
In an entertaining yet sobering presentation, Roel Schouwenberg of The Celsus Advisory Group suggested that “phone numbers are the unofficial successor to SSNs.” One of the most common suggestions for securing an account is to enable two-factor authentication (2FA), which is often done via SMS (a six-digit code texted to a user’s phone). As Schouwenberg pointed out, however, SMS-based 2FA requires users to tie their account security to a phone number: a piece of information that users carry for years, that is personal to each individual, and that people share with almost everyone in their lives. If that phone number is then compromised, accounts can be subject to downgrade attacks; a bad actor in control of the phone can reset passwords and easily gain access to accounts. While his suggestions only provide limited mitigation, they are a starting point: use a unique (or separate) phone number and email address for account recovery, remove the phone number from account recovery altogether (but keep it for 2FA), ask service providers for an additional password, and re-think the use of number-only apps.
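To make the talk’s point checkable rather than anecdotal, here is an added example (our own illustration, not code from Schouwenberg or Terbium Labs) that models one person’s accounts as sets of assets that grant access and asks which single asset hands over everything; the account names, paths and the “after” configuration are constructed assumptions that apply the mitigations listed above.

```python
from itertools import chain

# Constructed model of one person's accounts. Each account lists the
# "paths" that grant access; a path is the set of assets (a password, a
# phone number receiving SMS, another account) that together suffice.
# Taking over an account yields the asset "acct:<name>" for other paths.
ACCOUNTS_BEFORE = {
    "email": [
        frozenset({"password:email", "sms:phone"}),  # login with SMS 2FA
        frozenset({"sms:phone"}),                     # "forgot password" texts a code
    ],
    "bank": [
        frozenset({"password:bank", "sms:phone"}),
        frozenset({"acct:email"}),                    # reset link sent to the email
    ],
}

# Same person after the talk's mitigations (assumed configuration): recovery
# moved to a separate, unshared number; the bank asks for an additional
# support password; the everyday number is kept for 2FA only.
ACCOUNTS_AFTER = {
    "email": [
        frozenset({"password:email", "sms:phone"}),
        frozenset({"sms:recovery_phone"}),
    ],
    "bank": [
        frozenset({"password:bank", "sms:phone"}),
        frozenset({"acct:email", "password:bank_support"}),
    ],
}

def compromised(accounts, held):
    """Accounts reachable from the assets in `held`, following recovery chains."""
    held, owned, changed = set(held), set(), True
    while changed:
        changed = False
        for name, paths in accounts.items():
            if name not in owned and any(p <= held for p in paths):
                owned.add(name)
                held.add(f"acct:{name}")  # owning an account unlocks paths that need it
                changed = True
    return owned

def single_points_of_compromise(accounts):
    """Assets whose loss, by itself, hands over every account."""
    assets = set().union(*chain.from_iterable(accounts.values()))
    assets -= {f"acct:{n}" for n in accounts}
    return sorted(a for a in assets if compromised(accounts, {a}) == set(accounts))
```

Run against the two configurations, the everyday phone number is the lone single point of compromise before the changes and none remains after them.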
While Schouwenberg’s conclusion challenged conventional security wisdom, it highlighted an important truth in infosec: education involves more than telling people what to do; lasting security education involves teaching users why they should take precautions. As Julian Cohen and Justin Berman discussed in their talk on threat-based risk management, creating a revolutionary new security system is essentially useless if stakeholders do not comprehend what it does and why it matters. Building a culture of security awareness at the New York Times, as Runa Sandvik explained in her keynote, required getting employees from the newsroom to the mailroom to feel involved and invested. And JP Morgan’s Baldet asserted that “there are no stupid problems, only poorly informed solutions.” (She also candidly and casually explained that a cryptokitty traded at $117,000 “because…everything is meaningless at this point.” The audience affirmed with applause. Check it out at 09:12.)
One bright spot of entrepreneurial advice was Kelly Shortridge’s GIF-tastic talk (forthcoming), laced with her trademark acerbic insight. Here are a few key takeaways:
- Stringing together buzzwords is a common, yet lazy marketing plan.
- A smart business strategy is to enter a frothy market, keep funding and valuation low, and bet on self-combusting competitors’ egos.
- Don’t fund a company which is solving a “Mossad” problem.
- Instead, fund a company solving the “we don’t have enough resources to cover the basics” problem.
Whether you’re a hacker, hustler, designer, or investor, Shortridge’s hindsight might shape your foresight. She also spoke candidly about how toxic masculinity can generate hype and over-inflated valuations.
Seeing women and people of color featured prominently as speakers is always a welcome sight at any conference. BSidesNYC curated a varied group of presenters, but the audience didn’t reflect that same diversity. Unfortunately, the conference overlapped with the 2nd Women’s March (happening just a few blocks away), and perhaps—perhaps—on a different weekend the audience would have been more representative. Hopefully, BSidesNYC 2019 can bring the same breadth of topics while also drawing a more diverse group of attendees. The value of BSidesNYC comes from its goal of making information security knowledge accessible to everyone. We hope that the messages of inclusion and education are even stronger in 2019, and in the other BSides events taking place this year. (Let us know if you’ll be in Baltimore for the next one!)