Hacking with Digital Latches
Chema Alonso
(@chemaalonso)
Eleven Paths

1
Rooted CON 2014

6-7-8 Marzo // 6-7-8 March
Security Incidents

2
Identity Dumps

3
We use our digital services for only a tiny portion of the time every day.
Why should we leave them open all day long?
If we reduce availability, we reduce exposure, and therefore risk.
Those developing new security proposals for online purchases are seizing the whole market.

4
Passwords+OTP

SMS TOKEN
8762134

5
One-Time Passwords
User needs to type a code

SMS Deployment
Matrix is static
Hardware tokens are expensive
User needs to type a code
People don't like typing codes

6
People like naps (with remotes)

7
Keep it Simple, Stupid.

8
Taking a cab
To make her trip easier she decides to pay for everything using a service. On her way to the
office, at the destination point she switches the service on, so she can pay the taxi fare.
Once done she switches her account off, minimizing the exposure to improper usage.
9
Login into a Web
1.- Client sends login/password (Login Page: Login: AAAA, Pass: BBBB)
2.- Web checks credentials against its users DB (check user/pass)
3.- Web asks the Latch Server about Latch1 status
4.- Latch Server answers: Latch1 is OFF
5.- Login Error
6.- Latch app notifies the owner: someone tried to get access to the Latch1 id.

Latch app: Latch1: OFF, Latch2: ON, Latch3: OTP, Latch4: OFF, ...
My Bank Users DB: Login: XXXX, Pass: YYYY, Latch: Latch1

10
Demo 1: Using Latch

11
Latch a digital ID
1.- Generate pairing code (in the Latch app)
2.- Temporary pairing token
4.- My Site sends AppID + temporary pairing token to the Latch Server
5.- Latch Server answers: OK + unique Latch
6.- Latch ID appears in the app

My Site User Settings: Login: XXXX, Pass: YYYY, Latch: ULatch

12
Demo 2: Latch Shodan ID

13
Granularity
1.- Client orders International Transactions (Online Banking, Send Money: 1231124343)
3.- My Bank asks the Latch Server for Latch1:Op1 status
4.- Latch Server answers: Latch1:Op1 is OFF
5.- Denied
6.- Latch app notifies the owner: someone tried to do a Latch1:Op1 operation

Latch app: Latch1: ON (Op1: OFF, Op2: ON, Op3: OTP), Latch2: OFF, ...
My Bank: Login: XXXX, Pass: YYYY, Latch: Latch1, Int_Trans: Op1

14
Users
Control all digital identities from one single point. ON/OFF.

Developers
Integrate plugins and develop solutions with SDKs to adapt Latch technology to their needs.
SDKs: PHP, Java, .NET, C, Ruby, Python & WebService API
Plugins: WordPress, PrestaShop, RedMine, Cpanel, Moodle, OpenVPN, SSH, Drupal, DotNetNuke, Joomla!, … more than 20

Sites
· Deploy 2FAuth
· Opt-in/mandatory
· Detect identity theft
· Granularity
· Reduce Fraud
· Parental Control
· 4 Eyes verification

Tools
· Control Dashboard
· Usage Statistics
· Internal appliance (beta)

15
Demo 3: Latching SSH

16
Windows pGina

http://unstableequilibrium.com/2014/02/07/using-pgina-and-latch-to-protect-your-windows-login/
17
Parental Control
Login: User
Pass: Pass
Latch: Latch

User
Pass

18
4-eyes verification
Login: User1
Pass: Pass1
Latch: Latch1

User1
Pass1

Login: User2
Pass: Pass2
Latch: Latch2

User2
Pass2

19
2 keys activation
Asset
Latch: Latch1
Latch: Latch2

User1
Pass1

User2
Pass2

20
One-Time Password
1.- Client sends login/password (Login Page: Login: AAAA, Pass: BBBB)
2.- Web checks credentials against its users DB
3.- Web asks the Latch Server about Latch1 status
4.- Latch Server generates OTP
5.- Latch Server answers: Latch1 is ON (OTP)
6.- Web asks the client: OTP?
7.- Latch app tells the owner: use this (OTP).

Latch app: Latch1: OFF, Latch2: ON, Latch3: OTP, Latch4: OFF, ...
My Bank Users DB: Login: XXXX, Pass: YYYY, Latch: Latch1

21
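The four flows drawn on slides 10, 12, 14 and 21 (pairing, latched login, per-operation latch, OTP latch) as one runnable simulation. This is an added example, not the Latch SDK or any Eleven Paths code: the LatchServer and Site classes, the state names ON/OFF/OTP, the rule that an OFF latch closes all of its operations, the pairing-token and latch-id formats, and the sample account XXXX/YYYY are all assumptions constructed for illustration.

```python
"""Toy model of the Latch flows on the slides: pairing (slide 12), a login gated by
a latch (slide 10), per-operation latches (slide 14) and the OTP state (slide 21).
Added simulation, not the Latch SDK; every name and value here is constructed."""
import hmac
import secrets
from dataclasses import dataclass, field

ON, OFF, OTP = "ON", "OFF", "OTP"   # the three latch states shown in the app


@dataclass
class LatchServer:
    """The 'Latch Server' box: latch states, pending OTPs, owner notifications."""
    pairing_codes: dict = field(default_factory=dict)   # temp token -> user
    latches: dict = field(default_factory=dict)         # latch id -> {op: state}
    pending_otp: dict = field(default_factory=dict)     # latch id -> one-shot OTP
    notifications: list = field(default_factory=list)

    def generate_pairing_code(self, user):
        code = secrets.token_hex(3)                      # steps 1-2: temporary pairing token
        self.pairing_codes[code] = user
        return code

    def pair(self, app_id, code):
        if self.pairing_codes.pop(code, None) is None:   # step 4: the token is single-use
            return None                                  # unknown or already used code
        latch_id = f"{app_id}:{secrets.token_hex(4)}"    # step 5: unique latch per site
        self.latches[latch_id] = {"": ON}                # "" = the whole latch, default ON
        return latch_id

    def status(self, latch_id, op=""):
        ops = self.latches[latch_id]                     # assumption: an OFF latch closes every op
        state = OFF if ops[""] == OFF else ops.get(op, ops[""])
        if state == OFF:                                 # step 6: tell the owner about the attempt
            self.notifications.append(f"Someone tried to use {latch_id}/{op or 'login'}")
        elif state == OTP:                               # slide 21 step 4: the server makes the OTP
            otp = f"{secrets.randbelow(10**6):06d}"
            self.pending_otp[latch_id] = otp
            self.notifications.append(f"Use this OTP for {latch_id}: {otp}")
        return state

    def verify_otp(self, latch_id, otp):
        expected = self.pending_otp.get(latch_id)
        ok = expected is not None and hmac.compare_digest(expected, otp)
        if ok:
            del self.pending_otp[latch_id]               # one-shot: a replay must fail
        return ok


@dataclass
class Site:
    """The 'My Bank' box: a users DB with one latch id per account."""
    app_id: str
    latch_server: LatchServer
    users: dict = field(default_factory=dict)   # login -> {"pass", "latch"}; toy only, a real site stores a hash

    def pair_account(self, login, code):
        latch_id = self.latch_server.pair(self.app_id, code)
        if latch_id:
            self.users[login]["latch"] = latch_id        # step 6: latch id saved with the user
        return latch_id

    def check(self, login, password, op="", otp=None):
        """op="" is a plain login, any other op a latched operation (slide 14);
        otp is the code the user types back on slide 21, step 7."""
        user = self.users.get(login)                     # step 2 always runs before step 3
        if user is None or not hmac.compare_digest(user["pass"], password):
            return "login error"                         # step 5 for bad credentials
        latch_id = user["latch"]
        if latch_id is None:
            return "ok"                                  # account never paired
        if otp is not None:
            return "ok" if self.latch_server.verify_otp(latch_id, otp) else "login error"
        state = self.latch_server.status(latch_id, op)
        if state == OFF:                                 # step 5 on slides 10 and 14
            return "login error" if op == "" else "denied"
        return "otp required" if state == OTP else "ok"  # slide 21 step 6


def demo():
    """Walks the slides in order and returns the site's answer at each step."""
    server, r = LatchServer(), {}
    bank = Site("mybank", server, {"XXXX": {"pass": "YYYY", "latch": None}})
    code = server.generate_pairing_code("alice")         # slide 12
    latch1 = bank.pair_account("XXXX", code)
    r["pair_reuse"] = server.pair("mybank", code)        # replaying the token fails
    server.latches[latch1][""] = OFF                     # slide 10: owner sets Latch1 OFF
    r["login_off"] = bank.check("XXXX", "YYYY")
    server.latches[latch1].update({"": ON, "Op1": OFF})  # slide 14: Latch1 ON, Op1 OFF
    r["login_on"] = bank.check("XXXX", "YYYY")
    r["op1_off"] = bank.check("XXXX", "YYYY", "Op1")
    server.latches[latch1][""] = OTP                     # slide 21: Latch1 ON (OTP)
    r["login_otp"] = bank.check("XXXX", "YYYY")
    otp = server.pending_otp[latch1]                     # the owner reads it in the app
    r["otp_wrong"] = bank.check("XXXX", "YYYY", otp="000000" if otp != "000000" else "999999")
    r["otp_right"] = bank.check("XXXX", "YYYY", otp=otp)
    r["otp_replay"] = bank.check("XXXX", "YYYY", otp=otp)
    r["notifications"] = len(server.notifications)
    return r
```

`demo()` returns a dictionary of the site's answers. The design point the slides make, and the code reproduces, is the ordering: the password check runs first and the latch is asked second, so a correct password against an OFF latch still produces a plain "login error" for the caller while the owner's notification list records the attempt; an OTP latch hands out a single-use code that the server compares in constant time and discards after one successful use, so replaying it fails.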
OTP Verification

22
Supervision
Login: User
Pass: Pass
Latch: Latch
Op1:Unlock
Op2: OTP
Why?
Answer

User
Pass

OTP

23
Monitoring Switch
With one latch:
– As much granularity as needed
– Two statuses
– OTP
– User configs
  • Schedule
  • AutoLock

Possible to react to status
If Lock then {}
Else {}
Goto fail;
Goto fail:
24
Demo 4: SCCAID

25
Triggering actions at events

26
Demo 5: Latch Event Monitor

27
Coming Soon
Physical World
Biometry
AD Plugins

New Plugins
– Open Exchange
– PHP MyAdmin
– Django?
– LDAP Bridge
– Etc…
28

Consumer Apps

Firefox OS
In development:
· Blackberry & BlackBerry z10

29
https://latch.elevenpaths.com

30

RootedCON 2014: Playing and Hacking with Digital Latches
