C. Alonso_Seguridad Informática: Digital Latches for your Digital Life_Semanainformatica.com 2014
•
0 j'aime•873 vues
Ponencia: Seguridad Informática: Digital Latches for your Digital Life. COIICV: X Congreso de la Ingeniería Informática de la Comunidad Valenciana
Recommandé
Recommandé
Contenu connexe
Similaire à C. Alonso_Seguridad Informática: Digital Latches for your Digital Life_Semanainformatica.com 2014
Similaire à C. Alonso_Seguridad Informática: Digital Latches for your Digital Life_Semanainformatica.com 2014 (20)
Plus de COIICV
Plus de COIICV (20)
Dernier
Dernier (20)
C. Alonso_Seguridad Informática: Digital Latches for your Digital Life_Semanainformatica.com 2014
- 1. Valencia 2014 – Chema Alonso Chema Alonso @chemaalonso chema@11paths.com http://www.elladodelmal.com
- 2. Valencia 2014 – Chema Alonso Incidentes de Seguridad
- 3. Valencia 2014 – Chema Alonso Dumps de identidades
- 4. Valencia 2014 – Chema Alonso BYOM (Bring Your Own Malware)
- 5. Valencia 2014 – Chema Alonso El enemigo a las puertas
- 6. Valencia 2014 – Chema Alonso Superficie de exposición • Los servicios están activos 24 x 7 x 365 • Solo usamos nuestras identidades un breve espacio de tiempo • Las cuentas deberían poder apagarse
- 7. Valencia 2014 – Chema Alonso Passwords+OTP SMS TOKEN 8762134
- 8. Valencia 2014 – Chema Alonso 2FA “classics” • Usuario necesita introducir un código • Despliege de SMS • Matriz de coordenadas es estática • Hardware tokens son caros • Usuario necesita introducir un código • Usuario no le gusta introducir un código
- 9. Valencia 2014 – Chema Alonso A la gente le gusta dormir la siesta (con el mando de la tele)
- 10. Valencia 2014 – Chema Alonso Patentes
- 11. Valencia 2014 – Chema Alonso KISS (Keep It Spanish, Stupid)
- 12. Valencia 2014 – Chema Alonso At the airport Anna has just started a new job and she is on a business trip. As usual, she checks the weather, prepares her suitcase and defines her online security levels using Latch.
- 13. Valencia 2014 – Chema Alonso Taking a cab To make her trip easier she decides to pay everything using a service, on her way to the office at the destination point she switches service on, so she can pay the taxi fare. Once done she switches her account off, minimizing the exposure to improper usage.
- 14. Valencia 2014 – Chema Alonso An alert of the service used! Fortunately her account was blocked by Latch, as Anna easily requested using the app. Alas, in the stopover someone tried to hack her service account. The attack was under control and no misuse was ever fulfilled.
- 15. Valencia 2014 – Chema Alonso ¿Cómo proteger una identidad?
- 16. Valencia 2014 – Chema Alonso “Latch” de una cuenta Latch Server 1.-‐ Generate pairing code 2.-‐ Temporary Pariring token My Site User Se>ngs: Login: XXXX Pass: YYYY Latch: 4.-‐AppID+Temp pairing Token 5.-‐ OK+Unique Latch 6.-‐ID Latch appears in app ULatch
- 17. Valencia 2014 – Chema Alonso Login en una Web Latch Server Latch app Latch1: OFF Latch2:ON Latch3:OTP Latch4:OFF …. My Bank Users DB: Login: XXXX Pass: YYYY Latch: Latch1 Login Page: Login:AAAA Pass:BBBB 1.-‐ Client sends Login/password 2.-‐ Web checks CredenXals with Its users DB 3.-‐ asks about Latch1 status 4.-‐ Latch 1 is OFF 5.-‐ Login Error 6.-‐ Someone try to get Access to Latch 1 id. 2.-‐ Check user/pass
- 18. Valencia 2014 – Chema Alonso Login en una web
- 19. Valencia 2014 – Chema Alonso Vamos a “Latchear”…
- 20. Valencia 2014 – Chema Alonso Hacer login con OTP Latch Server Latch app Latch1: OFF Latch2:ON Latch3:OTP Latch4:OFF …. My Bank Users DB: Login: XXXX Pass: YYYY Latch: Latch1 Login Page: Login:AAAA Pass:BBBB 1.-‐ Client sends Login/password 2.-‐ Web checks CredenXals with Its users DB 3.-‐ asks about Latch1 status 5.-‐ Latch 1 is ON(OTP) 6.-‐ OTP? 7.-‐ Use this (OTP). 4.-‐ Latch Server Generates OTP 8.-‐ User introduces OTP 2.-‐ Check user/pass
- 21. Valencia 2014 – Chema Alonso Hacer login con OTP
- 22. Valencia 2014 – Chema Alonso Control Parental User Pass Login: User Pass: Pass Latch: Latch
- 23. Valencia 2014 – Chema Alonso User1 Pass1 User2 Pass2 Login: User2 Pass: Pass2 Latch: Latch2 Login: User1 Pass: Pass1 Latch: Latch1 Verificación de 4 ojos
- 24. Valencia 2014 – Chema Alonso 2 keys activation User1 Pass1 User2 Pass2 Asset Latch: Latch1 Latch: Latch 2
- 25. Valencia 2014 – Chema Alonso Operaciones latcheadas Latch Server Latch app Latch1: ON Op1:OFF Op2:ON OP3:OTP Latch 2: OFF …. My Bank Login: XXXX Pass: YYYY Latch: Latch1 Int_Trnas: Op1 Online Banking Send Money: 1231124343 1.-‐ Client orders InternaXonal TransacXons 3.-‐ asks Latch1:Op1 status 4.-‐ Latch 1:Op1 is OFF 5.-‐ Denied 6.-‐ Someone try to do a Latch 1:Op1 OperaXon
- 26. Valencia 2014 – Chema Alonso User Pass Login: User Pass: Pass Latch: Latch Op1:Unlock Op2: OTP Supervision Why? Answer OTP
- 27. Valencia 2014 – Chema Alonso Latch Users Developers Corporates Control all digital idenXXes in one single point. ON/OFF. Integrate Plugins and develop soluXons with SDKs to adapt Latch technology to their needs SDKs: PHP, Java, .NET, C, Ruby, Python & WebService API Plugins: WordPress, PrestaShop, RedMine, Cpanel, Moodle, OpenVPN, SSH, Drupal, DotNetNuke, Joomla!, … -‐ Deploy 2FAuth -‐ Opt-‐in/mandatory -‐ Detect idenXty theg -‐ Granularity -‐ Reduce Fraud -‐ Parental Control -‐ 4 Eyes verificaXon Tools -‐ Control Dashboard -‐ Usage StaXsXcs -‐ Internal appliance (beta) !
- 28. Valencia 2014 – Chema Alonso Monitoring Switch • With one latch – As many granularity as needed – Two status – OTP – User confs • Schedulle • AutoLock • Possible to re-act at status If Lock then {} Else {} Goto fail; Goto fail:
- 29. Valencia 2014 – Chema Alonso Latching SSH
- 30. Valencia 2014 – Chema Alonso Windows pGina hip://unstableequilibrium.com/2014/02/07/using-‐pgina-‐and-‐latch-‐to-‐protect-‐your-‐windows-‐login/
- 31. Valencia 2014 – Chema Alonso SCCAID
- 32. Valencia 2014 – Chema Alonso Triggering actions at events
- 33. Valencia 2014 – Chema Alonso Latch Event Monitor
- 34. Valencia 2014 – Chema Alonso Coming Soon • Physical World • Biometry • AD Plugins • New Plugins – Open Exchange – PHP MyAdmin – Django? – LDAP Bridge – Etc…
- 35. Valencia 2014 – Chema Alonso Latch DashBoard
- 36. Valencia 2014 – Chema Alonso Sobre Latch • Privacidad: – AppIDs conoce los UniqueLatches pero no los UserLatches. – Latch Server conoce Latchets y AppID, pero no los usuarios/passwords • Robustez: – Si el servidor de Latch es comprometido la seguridad del sitio protegido sigue intacta. – No se guarda ningún dato sensible en Latch Server.
- 37. Valencia 2014 – Chema Alonso Developer Area
- 38. Valencia 2014 – Chema Alonso Apps disponibles En desarrollo: • Firefox OS • Blackberry
- 39. Valencia 2014 – Chema Alonso ¿Preguntas? • Chema Alonso • @chemaalonso • chema@11paths.com • http://www.elladodelmal.com • http://www.elevenpaths.com • https://latch.elevenpahts.com