Talk about Latch (https://latch.elevenpaths.com) and the different usage scenarios of the technology, delivered by Chema Alonso at RootedCON 2014.
4. We use our digital services for just a tiny portion of time every day.
Why should we leave them open through the day?
If we reduce availability, we reduce exposure, and therefore risk.
Those developing new security proposals in online purchase are seizing all of the market.
Rooted CON 2014
6-7-8 Marzo // 6-7-8 March
6. One-Time Passwords
User needs to type a code
SMS Deployment
Matrix is static
Hardware tokens are expensive
User needs to type a code
People don't like typing codes
7. People like naps (with remotes)
8. Keep it Simple, Stupid.
9. Taking a cab
To make her trip easier, she decides to pay for everything using a service. On her way to the office at the destination point, she switches the service on so she can pay the taxi fare.
Once done, she switches her account off, minimizing the exposure to improper usage.
10. Login into a Web
Flow:
1.- Client sends login/password
2.- Web checks credentials with its users DB (check user/pass)
3.- Asks about Latch1 status
4.- Latch 1 is OFF
5.- Login Error
6.- Someone tries to get access to Latch 1 id.

Login Page:
  Login: AAAA
  Pass: BBBB
My Bank, Users DB:
  Login: XXXX
  Pass: YYYY
  Latch: Latch1
Latch Server
Latch app:
  Latch1: OFF
  Latch2: ON
  Latch3: OTP
  Latch4: OFF
  ….
11. Demo 1: Using Latch
12. Latch a digital ID
Flow:
1.- Generate pairing code
2.- Temporary pairing token
4.- AppID + temporary pairing token
5.- OK + unique Latch
6.- ID Latch appears in app

Latch Server
My Site, User Settings:
  Login: XXXX
  Pass: YYYY
  Latch: U
Latch
13. Demo 2: Latch Shodan ID
14. Granularity
Flow:
1.- Client orders International Transactions
3.- Asks Latch1:Op1 status
4.- Latch 1:Op1 is OFF
5.- Denied
6.- Someone tries to do a Latch 1:Op1 operation

Online Banking:
  Send Money: 1231124343
My Bank:
  Login: XXXX
  Pass: YYYY
  Latch: Latch1
  Int_Trans: Op1
Latch Server
Latch app:
  Latch1: ON
    Op1: OFF
    Op2: ON
    Op3: OTP
  Latch 2: OFF
  ….
15. Users
Control all digital identities from one single point. ON/OFF.
Developers
Integrate plugins and develop solutions with SDKs to adapt Latch technology to their needs
SDKs: PHP, Java, .NET, C, Ruby, Python & WebService API
Plugins: WordPress, PrestaShop, RedMine, Cpanel, Moodle, OpenVPN, SSH, Drupal, DotNetNuke, Joomla!, … more than 20
Sites
· Deploy 2FAuth
· Opt-in/mandatory
· Detect identity theft
· Granularity
· Reduce Fraud
· Parental Control
· 4 Eyes verification
Tools
· Control Dashboard
· Usage Statistics
· Internal appliance (beta)
16. Demo 3: Latching SSH
21. One-Time Password
Flow:
1.- Client sends login/password
2.- Web checks credentials with its users DB
3.- Asks about Latch1 status
4.- Latch Server generates OTP
5.- Latch 1 is ON (OTP)
6.- OTP?
7.- Use this (OTP).

Login Page:
  Login: AAAA
  Pass: BBBB
My Bank, Users DB:
  Login: XXXX
  Pass: YYYY
  Latch: Latch1
Latch Server
Latch app:
  Latch1: OFF
  Latch2: ON
  Latch3: OTP
  Latch4: OFF
  ….
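
The login flows of slides 10 and 21 as an added example (not code from the talk or from the Latch SDKs): `LatchServerStub` is a hypothetical in-memory stand-in for the Latch server, and the account, salt and return strings are constructed for illustration. The latch is queried only after the credentials check out, so an alert in the app means someone holds a valid password.

```python
import hashlib, hmac, secrets

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account; "Latch1" is the latch id stored at pairing time.
SALT = b"constructed-salt"
USERS_DB = {"alice": {"salt": SALT, "hash": pw_hash("correct horse", SALT), "latch": "Latch1"}}

class LatchServerStub:
    """Hypothetical in-memory stand-in for the Latch server (not the real API)."""
    def __init__(self, states):
        self.states = dict(states)   # latch id -> "ON" | "OFF" | "OTP"
        self.alerts = []             # messages pushed to the user's Latch app
        self.otps = {}               # latch id -> pending one-time password

    def status(self, latch_id):
        state = self.states.get(latch_id, "OFF")   # unknown latch: treat as locked
        if state == "OFF":
            self.alerts.append(f"Someone tried to get access to {latch_id}")
        elif state == "OTP" and latch_id not in self.otps:
            self.otps[latch_id] = f"{secrets.randbelow(10**6):06d}"
        return state

    def consume_otp(self, latch_id, candidate):
        expected = self.otps.pop(latch_id, None)   # single use, right or wrong
        return expected is not None and hmac.compare_digest(
            expected.encode(), candidate.encode())

def login(latch, user, password, otp=None):
    """Credentials are checked first; the latch is only queried when they are valid."""
    record = USERS_DB.get(user)
    if record is None or not hmac.compare_digest(
            record["hash"], pw_hash(password, record["salt"])):
        return "LOGIN_ERROR"
    state = latch.status(record["latch"])
    if state == "ON":
        return "OK"
    if state == "OTP":
        if otp is None:
            return "OTP_REQUIRED"
        return "OK" if latch.consume_otp(record["latch"], otp) else "LOGIN_ERROR"
    return "LOGIN_ERROR"   # latch OFF: same reply as a bad password, owner is alerted
```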
24. Monitoring Switch
With one latch
– As much granularity as needed
– Two status
– OTP
– User confs
  • Schedule
  • AutoLock
Possible to react to status
If Lock then {}
Else {}
Goto fail;
Goto fail:
27. Demo 5: Latch Event Monitor
28. Coming Soon
Physical World
Biometry
AD Plugins
New Plugins
– Open Exchange
– PHP MyAdmin
– Django?
– LDAP Bridge
– Etc…
29. Consumer Apps
Firefox OS
On development:
· Blackberry & BlackBerry z10