How YubiKey used WebAuthn to achieve security without passwords and more from BSides San Francisco

BSides opened on Day 2 with the founder of YubiKey, the company that developed one of the first secure yet easy-to-use hardware devices for two-factor or multifactor identity authentication. Stina Ehrensvard recounted the history of her company, starting in 2007 to design a device to protect internet users that was as secure as a smartcard but as easy to plug in and use as a keyboard. As important as the original YubiKey was, it has been its partnership with Google that has ignited its success and resulted in the new W3C WebAuthn standard for extremely secure web authentication, ratified today.

Extremely secure is a tough claim to make, but since Google rolled out WebAuthn devices across their organization of 60,000 internal users, they have experienced no successful phishing attempts, logins are four times faster, support calls have dropped 92 per cent, and no devices have failed.

The challenge, in the beginning, was to obtain support from the web browser and operating system vendors as, without that, WebAuthn would have been a solution no one could actually use. With W3C ratification imminent, all the major browsers as well as the smartphone and computer vendors have either released WebAuthn support or will shortly. Now that the browsers support it, the next step is to encourage web app companies to get on board. Currently, many major companies support it (e.g. AWS, DocuSign, Dropbox, Google and Gmail, LastPass, Salesforce, etc.) — but you as a user of web apps can do your bit by emailing your favourite web app that does not yet support FIDO2 or WebAuthn and asking for it. Product managers listen to customers more than their internal security peeps, so you can help accelerate the transition to a post-password world.

History of BSides movement

During a break between sessions, I took the opportunity to interview Reed Loden, lead organizer of BSidesSF, who was kind enough to give me some background on this incredible event.

The BSides movement started in 2009 in Las Vegas, with the first San Francisco BSides the next year. BSidesSF has grown to involve over 1,500 paying participants (over 2,000 total attendees once sponsors, presenters, and volunteers are included), a volunteer staff of 20, more than 200 volunteers, and a large pile of money. This year’s event will cost between US$350,000 and US$400,000, so it is pretty obvious why the generous support of several dozen sponsors is essential to making this happen. Although some BSides are able to operate with free tickets and sometimes also without sponsorship, the costs associated with an event held in downtown San Francisco with 2,000 people make that impossible.

BSides is indeed an “l’embarras de richesses,” which is just a fancy way of saying almost too much of a good thing. With four tracks of carefully vetted and selected talks, there is almost always more than one talk of interest on at the same time. The speaker selection process is uncompromising. Papers are evaluated by a committee only after all identifying information has been removed from the proposals. According to Reed, the fame (or notoriety) of the authors is never a factor. Of the 62 talks presented, 15 were invited, and 47 were selected from the 156 proposed.

So after the keynote, the choice was among four very attractive options:

  • How to Fix the Diversity Gap in Cybersecurity (and if you don’t know that this is a problem, then you might be part of the problem)
  • Abusing WCF Endpoints for RCE (Remote Code Execution) and Privilege Escalation (in which a 0-day affecting the flagship product of a top tier A/V company was the case study)
  • Making Sense of Unstructured Threat Data, and
  • Anti-privacy Anti-Patterns

Tough choice, but as someone who holds an IAPP privacy certification, I needed the CPEs so opted for the privacy talk.

Privacy issues that arise with non-PII data

Sarah Harvey, privacy engineer at Square, gave a good overview of privacy basics and then proceeded to explain how the misuse of innocuous non-PII data can impact an individual’s privacy. She then led the audience through a fascinating explanation of how internet search has evolved to incorporate personal context, and while that vastly improves the relevancy of the results to the user, it can lead to unexpected privacy concerns. Sarah then listed a number of anti-patterns which developers and product managers ought to heed when designing products that might impact privacy even though, at first blush, no obvious PII is involved.

Slides and speaker notes are available here.

The 51 per cent blockchain attack

Then it was off to a talk by an application security engineer at Coinbase (a cryptocurrency exchange) on how to detect and prevent two attack vectors: the “51 per cent” double-spend attack, in which a powerful adversary exploits the voting nature of the blockchain distributed ledger to replace valid accepted transactions with fraudulent ones; and administrative privilege takeover on smart contracts. Mark Nesbitt did a masterful job of explaining the intricacies of blockchains and how valid transactions can be invalidated. He then went on to show how flaws in a smart contract can lead to the value embedded in the smart contract being siphoned off by the attacker.
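To make the “voting nature” of the ledger concrete, here is an added example (my own illustration, not code from the talk or from Coinbase): a toy heaviest-chain ledger in which a deposit that already has six confirmations is reverted when a competing fork with more cumulative work is published, plus the kind of reorganisation-depth monitor an exchange can run to detect that happening. Block ids, transaction ids and work values are all constructed for the example.

```python
"""Constructed simulation of a heaviest-chain ledger and a reorg monitor.

Every block id, transaction id and work value here is made up; the
point is the fork-choice rule and the detection logic, not real data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Block:
    block_id: str
    parent_id: Optional[str]      # None for the genesis block
    txs: Tuple[str, ...]          # transaction ids carried by this block
    work: int = 1                 # proof-of-work contributed by this block


class Ledger:
    """Nodes 'vote' with work: the tip with the most cumulative work wins."""

    def __init__(self, genesis: Block) -> None:
        self.blocks: Dict[str, Block] = {genesis.block_id: genesis}
        self._cum_work: Dict[str, int] = {genesis.block_id: genesis.work}

    def add(self, block: Block) -> None:
        if block.parent_id not in self.blocks:
            raise ValueError(f"unknown parent {block.parent_id!r}")
        self.blocks[block.block_id] = block
        self._cum_work[block.block_id] = self._cum_work[block.parent_id] + block.work

    def tip(self) -> str:
        # Heaviest cumulative work wins; on a tie the earlier-seen block is kept.
        return max(self.blocks, key=lambda bid: self._cum_work[bid])

    def chain(self) -> List[str]:
        """Block ids from genesis to the current tip."""
        out: List[str] = []
        cur: Optional[str] = self.tip()
        while cur is not None:
            out.append(cur)
            cur = self.blocks[cur].parent_id
        return out[::-1]

    def confirmations(self, txid: str) -> int:
        """1 if the tx is in the tip block, 0 if it is not in the active chain."""
        for depth, bid in enumerate(reversed(self.chain())):
            if txid in self.blocks[bid].txs:
                return depth + 1
        return 0


def reorg_depth(old_chain: List[str], new_chain: List[str]) -> int:
    """How many blocks of the previously active chain were abandoned."""
    common = 0
    for a, b in zip(old_chain, new_chain):
        if a != b:
            break
        common += 1
    return len(old_chain) - common


class ReorgMonitor:
    """Feeds blocks to the ledger and records reorgs at or beyond a threshold."""

    def __init__(self, ledger: Ledger, alert_depth: int) -> None:
        self.ledger = ledger
        self.alert_depth = alert_depth
        self.last_chain = ledger.chain()
        self.alerts: List[Tuple[str, int]] = []

    def observe(self, block: Block) -> int:
        self.ledger.add(block)
        new_chain = self.ledger.chain()
        depth = reorg_depth(self.last_chain, new_chain)
        if depth >= self.alert_depth:
            self.alerts.append((block.block_id, depth))
        self.last_chain = new_chain
        return depth


def run_scenario(required_confirmations: int = 6) -> Tuple[int, int, List[Tuple[str, int]]]:
    """Returns (confirmations before the attack, after it, monitor alerts)."""
    ledger = Ledger(Block("G", None, ()))
    monitor = ReorgMonitor(ledger, alert_depth=required_confirmations)
    # Honest miners include the exchange deposit in A1 and build five more blocks on it.
    monitor.observe(Block("A1", "G", ("deposit-tx",)))
    for i in range(2, 7):
        monitor.observe(Block(f"A{i}", f"A{i-1}", ()))
    before = ledger.confirmations("deposit-tx")
    # A majority-hashrate attacker mined privately from G, spending the same
    # coins elsewhere, and publishes a longer fork once the deposit was credited.
    monitor.observe(Block("B1", "G", ("double-spend-tx",)))
    for i in range(2, 8):
        monitor.observe(Block(f"B{i}", f"B{i-1}", ()))
    after = ledger.confirmations("deposit-tx")
    return before, after, monitor.alerts


if __name__ == "__main__":
    print(run_scenario())
```

The deposit goes from six confirmations to zero in a single step, which is exactly why the monitor keys on reorganisation depth rather than on confirmation count alone: a reorg at or beyond the required confirmation depth is the signal to pause withdrawals and re-check credited deposits.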

Although Mark’s slides have not yet been made available, his blog post on the “51 per cent” attack may be found here.

Ryan Chapman’s session on Blue Team training started the afternoon sessions, and he provided a detailed roadmap on how to build a blue team, from hiring (take mindset over degrees and certificates) through to providing the audience with a detailed, day-by-day, five-week bootcamp syllabus to train new team members on the skills they will need to be effective.

After that, I attended a talk explaining the history and use of HTTP security headers. Security headers are configuration commands websites send to browsers to limit activity that could potentially be malicious. All security headers were invented in response to attacks and security breaches, so the presenter Benjamin Hering provided the history and threat model for each configuration setting, providing a much deeper understanding than simply telling us to send this header because it’s a “Good Thing™”. Slides are available here.
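Since the point of the talk was that each header exists to close off a specific attack, here is an added example (mine, not the presenter’s material) that parses a captured HTTP response and audits the most common security headers against the policy they are meant to enforce: HSTS with a one-year max-age and includeSubDomains, a Content-Security-Policy whose script sources allow neither wildcards nor 'unsafe-inline', X-Content-Type-Options: nosniff, some restriction on framing, and a Referrer-Policy. The one-year HSTS baseline is the threshold I chose; both responses are constructed for the example.

```python
"""Added example: audit the security headers of a captured HTTP response.

The two responses below are constructed for illustration and do not
come from any real site.
"""
from typing import Dict, List

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src *; script-src * 'unsafe-inline'\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
    "<html>...</html>"
)

ONE_YEAR = 31536000  # seconds; the HSTS max-age baseline chosen for this audit


def parse_headers(raw: str) -> Dict[str, str]:
    """Header names lower-cased, values stripped; the status line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def hsts_params(value: str) -> Dict[str, str]:
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}"""
    params: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            params[key.strip().lower()] = val.strip()
    return params


def csp_directives(value: str) -> Dict[str, List[str]]:
    """'default-src *; script-src * x' -> {'default-src': ['*'], 'script-src': ['*', 'x']}"""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit(raw: str) -> List[str]:
    """Returns a list of finding codes; an empty list means every check passed."""
    h = parse_headers(raw)
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        p = hsts_params(hsts)
        max_age = int(p["max-age"]) if p.get("max-age", "").isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append("hsts-short-max-age")
        if "includesubdomains" not in p:
            findings.append("hsts-no-includesubdomains")

    csp = h.get("content-security-policy")
    restricts_framing = "x-frame-options" in h
    if csp is None:
        findings.append("csp-missing")
    else:
        d = csp_directives(csp)
        # script-src falls back to default-src when it is not set explicitly
        script_sources = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in script_sources:
            findings.append("csp-unsafe-inline-script")
        if "*" in script_sources:
            findings.append("csp-wildcard-script")
        restricts_framing = restricts_framing or "frame-ancestors" in d

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")
    if not restricts_framing:
        findings.append("framing-unrestricted")
    if "referrer-policy" not in h:
        findings.append("referrer-policy-missing")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_RESPONSE))
    print("hardened:", audit(HARDENED_RESPONSE))
```

Each finding code maps back to the threat the header was introduced for: a short HSTS max-age or a missing includeSubDomains leaves room for a downgrade on a subdomain, a wildcard or 'unsafe-inline' script source makes CSP no defence against injected script, a missing nosniff allows MIME confusion, and no framing restriction leaves clickjacking open.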

Then it was off to hear Arkadiy Tetelman, the (sole) Application Security Engineer at Lob, explain why security culture is so important, and provide a number of concrete examples of what has worked (and not) for him. As someone who spent a lot of time thinking about and working on security culture while I was CISO, I was pleasantly surprised at the number of great ideas Arkadiy had, and how he was able to distill his successes into a set of guiding principles.

There were a number of other interesting talks to wind up BSides but your scribe had to dash off to the RSA opening reception. More on that tomorrow.

Fortunately, all of the sessions were video recorded and will be available on BSidesSF’s YouTube channel in a week or so.

George Pajari
George Pajari is a “CISO-for-hire”, providing cybersecurity leadership to SaaS cloud startups. He was previously the Chief Information Security Officer (CISO) of Hootsuite, the most widely used social media management platform with over 15 million users including more than 800 of the Fortune 1000 companies. He was responsible for information security, IS risk management, and IT general controls. Prior to that he was the Security Architect at Hootsuite, and before that, Manager of Network Operations for Glentel's national digital radio service. He is a member of the BC Government's Provincial Security Advisory Council, a member of the Vancouver (ISC)² Chapter executive, and one of the organisers of the Vancouver BSides and BC AWARE Day security conferences. He was invited by the (ISC)² to write the Security Architecture and Engineering section for the next edition of the Official (ISC)² Guide to the CISSP CBK (Common Body of Knowledge), to be published by John Wiley in 2019. George's professional certifications include the CISSP-ISSAP, CISM, and CIPP/E. He is learning to play the bagpipes and his paper on a new device for improving piping skills will appear in a forthcoming issue of Piping Times.
