RootedCON 2014: Playing and Hacking with Digital Latches

Talk about Latch (https://latch.elevenpaths.com) delivered by Chema Alonso at RootedCON 2014, covering the different usage scenarios of the technology.



  1. Hacking with Digital Latches. Chema Alonso (@chemaalonso), Eleven Paths. Rooted CON 2014, 6-7-8 March
  2. Security Incidents
  3. Identity Dumps
  4. We use our digital services for only a tiny portion of each day. Why should we leave them open all day long? If we reduce availability, we reduce exposure, and therefore risk. Those offering new security proposals for online purchasing are taking the whole market.
  5. Passwords + OTP: SMS or hardware token (e.g. 8762134)
  6. One-Time Passwords: the user needs to type a code. SMS has to be deployed; a coordinate matrix is static; hardware tokens are expensive; and people don't like typing codes.
  7. People like naps (with remotes)
  8. Keep it Simple, Stupid.
  9. Taking a cab: to make her trip easier she decides to pay for everything with one service. On her way to the office, at the destination, she switches the service on so she can pay the taxi fare. Once done, she switches her account off, minimizing the exposure to improper use.
  10. Login to a website with the latch OFF. The bank's user DB stores login XXXX / password YYYY / latch Latch1; the user's Latch app shows Latch1: OFF, Latch2: ON, Latch3: OTP, Latch4: OFF, ... Flow: 1. the client sends login/password (login page: AAAA / BBBB); 2. the site checks the credentials against its own user DB; 3. the site asks the Latch server for the status of Latch1; 4. the Latch server answers that Latch1 is OFF; 5. the site returns a login error; 6. the Latch app notifies the user that someone tried to access the Latch1 identity.
  11. Demo 1: Using Latch
  12. Latch, a digital ID (pairing). The site's user settings store login XXXX / password YYYY / latch ULatch (the unique latch ID). Flow: 1. the user generates a pairing code in the app; 2. the Latch server issues a temporary pairing token; 3. the user enters that token on the site; 4. the site sends its AppID plus the temporary pairing token to the Latch server; 5. the server answers OK with a unique latch ID; 6. the new latch ID appears in the app.
  13. Demo 2: Latch Shodan ID
  14. Granularity. The bank's user record stores login XXXX / password YYYY / latch Latch1, with international transfers mapped to operation Op1; the Latch app shows Latch1: ON with Op1: OFF, Op2: ON, Op3: OTP; Latch2: OFF; ... Flow: 1. the client orders an international transfer (online banking, "Send money: 1231124343"); 2. the bank asks the Latch server for the status of Latch1:Op1; 3. the Latch server answers that Latch1:Op1 is OFF; 4. the transfer is denied; 5. the app alerts the user that someone tried to perform a Latch1:Op1 operation.
  15. Users: control all digital identities from one single point, ON/OFF. Developers: integrate plugins and develop solutions with SDKs to adapt Latch technology to their needs; SDKs for PHP, Java, .NET, C, Ruby and Python, plus a web service API. Sites: deploy 2FA, opt-in or mandatory; detect identity theft; granularity; reduce fraud; parental control; 4-eyes verification. Plugins: WordPress, PrestaShop, Redmine, cPanel, Moodle, OpenVPN, SSH, Drupal, DotNetNuke, Joomla!, ... more than 20. Tools: control dashboard, usage statistics, internal appliance (beta).
  16. Demo 3: Latching SSH
  17. Windows: pGina, http://unstableequilibrium.com/2014/02/07/using-pgina-and-latch-to-protect-your-windows-login/
  18. Parental control: one account (login User / password Pass) protected by one latch (Latch).
  19. 4-eyes verification: two accounts, User1/Pass1 with Latch1 and User2/Pass2 with Latch2.
  20. 2-key activation: one asset guarded by two latches, Latch1 (User1/Pass1) and Latch2 (User2/Pass2).
  21. One-Time Password. The bank's user DB stores login XXXX / password YYYY / latch Latch1. Flow: 1. the client sends login/password (login page: AAAA / BBBB); 2. the site checks the credentials against its own user DB; 3. the site asks the Latch server for the status of Latch1; 4. the Latch server generates an OTP; 5. it answers that Latch1 is ON (OTP); 6. the site asks the user for the OTP; 7. the Latch app tells the user "use this (OTP)".
  22. OTP Verification
  23. Supervision: an account (login User / password Pass) with latch Latch, where Op1 is Unlock and Op2 is OTP. The user supplies user/password, is asked "Why?", answers, and only then receives the OTP.
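The flows on slides 10, 12, 14 and 19-23 (pairing, status check before login, per-operation granularity, OTP mode and two-latch activation) share one shape: the site authenticates against its own database first, then asks the Latch server and fails closed unless the latch is ON. The following is an added example written for this page, not the Latch SDK or any code from the talk; it models both sides in one process. `FakeLatchServer`, `Site`, the state names and the dict-shaped responses are this example's own assumptions, and Python is used because it is one of the SDK languages listed on slide 15.

```python
import hashlib
import hmac
import secrets

ON, OFF, OTP = "on", "off", "otp"   # the three latch states shown on the slides


class FakeLatchServer:
    """Stands in for the Latch server plus the user's phone app (assumed, not the real API)."""

    def __init__(self):
        self.pending_tokens = {}  # temporary pairing token -> user handle
        self.accounts = {}        # account id -> {"user": ..., "latches": {op: state}}
        self.otps = {}            # (account id, op) -> OTP currently shown in the app
        self.alerts = []          # push messages the app would display

    # -- what the user does from the phone app --
    def app_generate_pairing_code(self, user):
        token = secrets.token_hex(3)          # short-lived, single-use pairing code
        self.pending_tokens[token] = user
        return token

    def app_set(self, account_id, op, state):
        self.accounts[account_id]["latches"][op] = state

    def app_read_otp(self, account_id, op):
        return self.otps[(account_id, op)]   # the user reads the OTP off the app screen

    # -- what the site calls through the SDK --
    def pair(self, app_id, token):
        user = self.pending_tokens.pop(token, None)   # pop: a token pairs exactly once
        if user is None:
            return {"error": "invalid or expired pairing token"}
        seed = f"{app_id}:{user}:{secrets.token_hex(8)}".encode()
        account_id = hashlib.sha256(seed).hexdigest()  # the "unique latch" id
        self.accounts[account_id] = {"user": user, "latches": {"login": ON}}
        return {"accountId": account_id}

    def status(self, account_id, op):
        acct = self.accounts.get(account_id)
        if acct is None:
            return {"error": "unknown account"}
        state = acct["latches"].get(op, ON)   # operations never configured inherit ON
        if state == OFF:
            self.alerts.append(f"{acct['user']}: someone tried '{op}' while the latch was OFF")
            return {"status": OFF}
        if state == OTP:
            code = f"{secrets.randbelow(10**6):06d}"
            self.otps[(account_id, op)] = code     # shown in the app and returned to the site
            return {"status": ON, "otp": code}
        return {"status": ON}


class Site:
    """A web app: its own user DB, plus a Latch check before login and sensitive operations."""

    def __init__(self, app_id, latch_server):
        self.app_id, self.latch = app_id, latch_server
        self.users = {}        # login -> {"pw": hash, "latch": account id or None}
        self.pending_otp = {}  # login -> OTP awaiting the user's answer

    @staticmethod
    def _h(password):
        return hashlib.sha256(password.encode()).hexdigest()  # stand-in for a real password hash

    def register(self, login, password):
        self.users[login] = {"pw": self._h(password), "latch": None}

    def pair_latch(self, login, token):
        resp = self.latch.pair(self.app_id, token)
        if "accountId" in resp:
            self.users[login]["latch"] = resp["accountId"]   # store the latch id next to the user
        return "accountId" in resp

    def login(self, login, password):
        user = self.users.get(login)
        if user is None or not hmac.compare_digest(user["pw"], self._h(password)):
            return "login error"               # steps 1-2 on slide 10: credentials come first
        return self._gate(login, "login")

    def operation(self, login, op):
        return self._gate(login, op) if login in self.users else "denied"

    def _gate(self, login, op):
        account_id = self.users[login]["latch"]
        if account_id is None:
            return "ok"                        # opt-in: no latch paired, behave as before
        resp = self.latch.status(account_id, op)
        if resp.get("status") != ON:           # OFF, unknown account or error: fail closed
            return "login error" if op == "login" else "denied"
        if "otp" in resp:
            self.pending_otp[login] = resp["otp"]
            return "otp required"              # second step: ask the user for the code
        return "ok"

    def verify_otp(self, login, code):
        expected = self.pending_otp.pop(login, None)   # single use: consumed by one attempt
        if expected is None or not hmac.compare_digest(expected, code):
            return "otp error"
        return "ok"

    def unlock_asset(self, logins, op):
        """2-key activation / 4-eyes: every listed user's latch for `op` must be ON."""
        return "ok" if all(self._gate(l, op) == "ok" for l in logins) else "denied"
```

Note the two properties a practitioner would check when wiring a real deployment the same way: the Latch answer is consulted only after the site's own credential check succeeds, so a latch that is OFF also acts as a detector of stolen passwords (the alert list), and any non-ON answer, including a server error, is treated as OFF rather than letting the login through.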
  24. Monitoring switch: with one latch, as much granularity as needed; two statuses plus OTP; user configuration: schedule, auto-lock. It is possible to react to the status: if lock then {...} else {...}; goto fail; goto fail:
  25. Demo 4: SCCAID
  26. Triggering actions at events
  27. Demo 5: Latch Event Monitor
  28. Coming soon: physical world; biometrics; AD plugins; new plugins: Open Exchange, phpMyAdmin, Django?, LDAP bridge, etc.
  29. Consumer apps: Firefox OS. In development: BlackBerry & BlackBerry Z10
  30. https://latch.elevenpaths.com
