Hacking with Digital Latches
Chema Alonso (@chemaalonso)
Eleven Paths
Rooted CON 2014, 6-7-8 March
RootedCON 2014: Playing and Hacking with Digital Latches

Talk about Latch (https://latch.elevenpaths.com) and the different usage scenarios of the technology, delivered by Chema Alonso at RootedCON 2014.

Slide transcript:
Slide 1: Hacking with Digital Latches (title slide)

Slide 2: Security Incidents

Slide 3: Identity Dumps

Slide 4: We use our digital services for only a tiny portion of each day. Why should we leave them open all day? If we reduce availability, we reduce exposure, and therefore risk. Those developing new security proposals for online purchasing are seizing the whole market.

Slide 5: Passwords + OTP. Example SMS token: 8762134.

Slide 6: One-Time Passwords. The user needs to type a code; SMS deployment; a coordinates matrix is static; hardware tokens are expensive; people don't like typing codes.

Slide 7: People like naps (with remotes).

Slide 8: Keep it Simple, Stupid.

Slide 9: Taking a cab. To make her trip easier she decides to pay for everything using a service. On her way to the office at the destination she switches the service on, so she can pay the taxi fare. Once done she switches her account off, minimizing the exposure to improper usage.

Slide 10: Login into a Web. Diagram:
  Latch app: Latch1: OFF, Latch2: ON, Latch3: OTP, Latch4: OFF, ...
  My Bank users DB: Login: XXXX, Pass: YYYY, Latch: Latch1
  Login page: Login: AAAA, Pass: BBBB
  1. The client sends login/password.
  2. The web checks the credentials against its users DB (check user/pass).
  3. The web asks the Latch server about Latch1's status.
  4. Latch1 is OFF.
  5. Login error.
  6. The app tells the owner that someone tried to get access to the Latch1 identity.

Slide 11: Demo 1: Using Latch

Slide 12: Latch a digital ID. Diagram:
  My Site user settings: Login: XXXX, Pass: YYYY, Latch: Unique Latch
  1. Generate pairing code.
  2. Temporary pairing token.
  4. AppID + temporary pairing token.
  5. OK + unique latch.
  6. The ID latch appears in the app.
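The pairing exchange of slide 12, as an added example that is not part of the original deck and not Latch's SDK: PairingServer, UserSettings, the token format, the 60-second expiry, the app id "my-site" and the user names are all assumptions made so the exchange runs offline.

```python
"""Pairing a site account with a latch, as on slide 12.
Added example, not Latch's own code or SDK: the server-side store, the token
format and the expiry are constructed stand-ins so the exchange runs offline."""
import secrets
import time


class PairingServer:
    """Stand-in for the Latch server's pairing endpoint."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so the expiry path can be exercised
        self.pending = {}       # temporary token -> (user, expires_at)
        self.latches = {}       # account_id -> user; one latch per (user, site) pairing

    def generate_pairing_code(self, user, ttl=60):
        """Steps 1-2: the user asks the app for a code and gets a short-lived token."""
        token = secrets.token_hex(3).upper()   # 6 hex chars, what the user types into the site
        self.pending[token] = (user, self.clock() + ttl)
        return token

    def pair(self, app_id, token):
        """Steps 4-5: the site sends its app id plus the token; a unique latch comes back.
        The token is removed before any check, so it can pair exactly once."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return None                    # unknown, or already used
        user, expires_at = entry
        if self.clock() > expires_at:
            return None                    # expired: the user must generate a new one
        account_id = secrets.token_urlsafe(24)
        self.latches[account_id] = user
        return account_id                  # step 6: the latch for app_id appears in the app

    def unpair(self, account_id):
        return self.latches.pop(account_id, None) is not None


class UserSettings:
    """Step 6, site side: the user record stores the unique latch id next to the password."""

    def __init__(self, server, app_id="my-site"):
        self.server, self.app_id = server, app_id
        self.records = {}   # login -> {"latch": account_id}

    def pair(self, login, token):
        account_id = self.server.pair(self.app_id, token)
        if account_id is not None:
            self.records.setdefault(login, {})["latch"] = account_id
        return account_id is not None


def demo():
    """Constructed walk-through: a good pairing, a replayed token and an expired one."""
    now = [1_000_000.0]
    server = PairingServer(clock=lambda: now[0])
    site = UserSettings(server)
    r = {}
    token = server.generate_pairing_code("alice@app")
    r["paired"] = site.pair("alice", token)
    r["replay"] = site.pair("alice", token)        # same token again: refused
    stale = server.generate_pairing_code("alice@app", ttl=60)
    now[0] += 61                                   # the user waited too long
    r["expired"] = site.pair("alice", stale)
    r["kept"] = site.records["alice"]["latch"] in server.latches   # first pairing intact
    r["unpaired"] = server.unpair(site.records["alice"]["latch"])
    return r
```

The two properties worth keeping from this sketch are that the token is popped before it is validated (a replay cannot pair a second site to the same code) and that a failed pairing never overwrites a latch id the user already has.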
Slide 13: Demo 2: Latch Shodan ID

Slide 14: Granularity. Diagram:
  Latch app: Latch1: ON (Op1: OFF, Op2: ON, Op3: OTP), Latch2: OFF, ...
  My Bank: Login: XXXX, Pass: YYYY, Latch: Latch1, Int_Trans: Op1
  Online banking, Send money: 1231124343
  1. The client orders an international transaction.
  3. The web asks Latch1:Op1's status.
  4. Latch1:Op1 is OFF.
  5. Denied.
  6. The app tells the owner that someone tried to do a Latch1:Op1 operation.

Slide 15: Users, Sites, Developers.
  Users: control all digital identities from one single point. ON/OFF.
  Sites: integrate plugins and develop solutions with SDKs to adapt Latch technology to their needs: deploy 2FA, opt-in/mandatory, detect identity theft, granularity, reduce fraud, parental control, 4-eyes verification.
  Developers: SDKs (PHP, Java, .NET, C, Ruby, Python) and a web service API. Plugins: WordPress, PrestaShop, RedMine, cPanel, Moodle, OpenVPN, SSH, Drupal, DotNetNuke, Joomla!, ... (more than 20). Tools: control dashboard, usage statistics, internal appliance (beta).

Slide 16: Demo 3: Latching SSH

Slide 17: Windows pGina: http://unstableequilibrium.com/2014/02/07/using-pgina-and-latch-to-protect-your-windows-login/

Slide 18: Parental Control. Diagram: an account with Login: User, Pass: Pass and Latch: Latch, where the User/Pass pair and the latch are drawn as held by different people.

Slide 19: 4-eyes verification. Diagram: two accounts, each with its own credentials and latch: User1/Pass1/Latch1 and User2/Pass2/Latch2.

Slide 20: 2 keys activation. Diagram: one asset protected by two latches, Latch1 and Latch2, held by User1/Pass1 and User2/Pass2.

Slide 21: One-Time Password. Diagram:
  Latch app: Latch1: OFF, Latch2: ON, Latch3: OTP, Latch4: OFF, ...
  My Bank users DB: Login: XXXX, Pass: YYYY, Latch: Latch1
  Login page: Login: AAAA, Pass: BBBB
  1. The client sends login/password.
  2. The web checks the credentials against its users DB.
  3. The web asks the Latch server about Latch1's status.
  4. The Latch server generates an OTP.
  5. Latch1 is ON (OTP).
  6. The web asks the client: OTP?
  7. The app shows the owner: "Use this (OTP)."
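The login, operation and OTP flows of slides 10, 14 and 21 worked through end to end, as an added example that is not Latch's own code or SDK. LatchServer, Bank, the status strings on/off/otp, the account id "latch1", the operation "intl_transfer" and the user "alice" are constructed assumptions, and the latch is created already paired.

```python
"""Login, per-operation and OTP gating against a latch, as drawn on slides 10, 14 and 21.
Added example, not Latch's own code or SDK: LatchServer, Bank, the status values and
the account id are constructed stand-ins, and the latch is created already paired."""
import hashlib
import hmac
import secrets

ON, OFF, OTP = "on", "off", "otp"


class LatchServer:
    """Stand-in for the Latch server: latch status, pending OTPs and app notifications."""

    def __init__(self):
        self.latches = {}   # account_id -> {"status": ..., "ops": {op: status}}
        self.otps = {}      # account_id -> one-time code waiting to be used
        self.events = []    # what the owner sees in the app

    def add_latch(self, account_id, status=OFF):
        self.latches[account_id] = {"status": status, "ops": {}}

    def set_status(self, account_id, status, op=None):
        """What the owner flips in the app: the whole latch, or one operation under it."""
        target = self.latches[account_id]["ops"] if op else self.latches[account_id]
        target[op or "status"] = status

    def status(self, account_id, op=None):
        """Steps 3-4: the site asks for the status of a latch or of one of its operations.
        Assumption: a latch that is not ON closes every operation under it."""
        latch = self.latches[account_id]
        state = latch["status"]
        if state == ON and op is not None:
            state = latch["ops"].get(op, ON)
        if state == OFF:   # step 6 on slides 10 and 14: the owner learns the identity was used
            self.events.append(f"Someone tried to use {account_id}" + (f":{op}" if op else ""))
        elif state == OTP and account_id not in self.otps:   # slide 21 steps 4 and 7
            self.otps[account_id] = f"{secrets.randbelow(10**6):06d}"
            self.events.append(f"Use this: {self.otps[account_id]}")
        return state

    def verify_otp(self, account_id, code):
        expected = self.otps.pop(account_id, None)   # single use: removed before comparing
        return expected is not None and hmac.compare_digest(expected, code)


class Bank:
    """The relying site: a users DB with a password digest and the latch id per user."""

    def __init__(self, latch):
        self.latch, self.users = latch, {}

    @staticmethod
    def digest(password):
        return hashlib.sha256(password.encode()).hexdigest()   # toy hash; use a real KDF

    def register(self, login, password, account_id=None):
        self.users[login] = {"pw": self.digest(password), "latch": account_id}

    def login(self, login, password, otp=None):
        # Slide 10 order: credentials first, latch second. A wrong password never reaches
        # the latch, so an alert means valid (stolen) credentials hit a closed latch.
        user = self.users.get(login)
        if user is None or not hmac.compare_digest(user["pw"], self.digest(password)):
            return "login error"
        if user["latch"] is None:
            return "ok"   # unpaired user: Latch is opt-in
        state = self.latch.status(user["latch"])
        if state == OFF:
            return "login error"   # same answer as a bad password, on purpose
        if state == OTP and otp is None:
            return "otp?"   # slide 21 step 6
        if state == OTP and not self.latch.verify_otp(user["latch"], otp):
            return "login error"
        return "ok"

    def operation(self, login, op):
        """Slide 14: one operation (international transfers) gated under the latch."""
        account_id = self.users[login]["latch"]
        return "denied" if account_id and self.latch.status(account_id, op) == OFF else "ok"


def demo():
    server, acc, r = LatchServer(), "latch1", {}
    server.add_latch(acc)                                   # paired, starts OFF
    bank = Bank(server)
    bank.register("alice", "correct horse", acc)
    r["off"] = bank.login("alice", "correct horse")         # valid password, latch OFF
    r["wrong_pw"] = bank.login("alice", "guess")            # never reaches the latch
    server.set_status(acc, ON)
    r["on"] = bank.login("alice", "correct horse")
    server.set_status(acc, OFF, op="intl_transfer")         # Latch1 ON, Op1 OFF
    r["op"] = bank.operation("alice", "intl_transfer")
    server.set_status(acc, OTP)
    r["otp_ask"] = bank.login("alice", "correct horse")     # "otp?"; the app shows a code
    r["otp_bad"] = bank.login("alice", "correct horse", otp="nope")
    r["otp_ask2"] = bank.login("alice", "correct horse")    # a fresh code after the failure
    r["otp_ok"] = bank.login("alice", "correct horse", otp=server.otps[acc])
    r["alerts"] = [e for e in server.events if e.startswith("Someone")]
    return r
```

Three choices carry the security point of the slides: the latch is consulted only after the password check, so a closed-latch event is evidence that valid credentials leaked rather than noise from guessing; a closed latch and a wrong password produce the same answer, so the login page does not reveal which one failed; and an OTP is removed from the server before it is compared, so a wrong guess burns it and a fresh one has to be issued.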
Slide 22: OTP Verification

Slide 23: Supervision. Diagram: an account (Login: User, Pass: Pass, Latch: Latch) whose latch has two operations, Op1: Unlock and Op2: OTP. The slide shows a "Why?" / "Answer" exchange and the user supplying User, Pass and the OTP.

Slide 24: Monitoring Switch. With one latch: as much granularity as needed; two statuses plus OTP; user configuration: schedule, auto-lock. It is possible to react to the status: if Lock then {} else {} ... goto fail; goto fail:
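How the Schedule and AutoLock settings of slide 24 could combine into one effective status, and the lock/unlock transitions an event monitor (slides 26-27) would act on. This is an added example, not Latch's own logic: the precedence rules (a schedule window opens the latch; AutoLock closes a manually opened one after a fixed time) and all the timestamps are assumptions made for illustration.

```python
"""Effective latch status under the Schedule and AutoLock settings of slide 24, and
the lock/unlock transitions an event monitor (slides 26-27) would act on.
Added example, not Latch's own logic: the precedence rules (a schedule window opens
the latch; AutoLock closes a manually opened one) and all timestamps are assumptions."""
from datetime import datetime, time, timedelta

ON, OFF = "on", "off"


class LatchConfig:
    def __init__(self, status=OFF, opened_at=None, autolock_after=None, schedule=()):
        self.status = status                  # what the owner last set by hand
        self.opened_at = opened_at            # when it was switched ON by hand
        self.autolock_after = autolock_after  # timedelta, or None to never auto-close
        self.schedule = list(schedule)        # (weekdays, start, end) windows that are ON

    def effective(self, now):
        """Return (status, reason) at `now`."""
        for days, start, end in self.schedule:
            if now.weekday() in days and start <= now.time() < end:
                return ON, "schedule"
        if (self.status == ON and self.autolock_after is not None
                and self.opened_at is not None
                and now - self.opened_at >= self.autolock_after):
            return OFF, "autolock"
        return self.status, "manual"


def transitions(cfg, samples):
    """Poll `cfg` at each timestamp and keep only the changes: the moments an event
    monitor's 'if Lock then ... else ...' action would fire."""
    out, prev = [], None
    for t in samples:
        state, why = cfg.effective(t)
        if state != prev:
            out.append((t.strftime("%Y-%m-%d %H:%M"), state, why))
            prev = state
    return out


def demo():
    # Constructed scenario: latch opened by hand at 08:00 with a 30-minute AutoLock,
    # plus a weekday 09:00-09:30 window for the daily taxi ride of slide 9.
    weekdays = {0, 1, 2, 3, 4}
    cfg = LatchConfig(status=ON, opened_at=datetime(2014, 3, 6, 8, 0),
                      autolock_after=timedelta(minutes=30),
                      schedule=[(weekdays, time(9, 0), time(9, 30))])
    samples = [datetime(2014, 3, 6, 8, m) for m in (10, 20, 40, 50)]   # a Thursday
    samples += [datetime(2014, 3, 6, 9, m) for m in (5, 20, 40)]
    samples.append(datetime(2014, 3, 8, 9, 10))   # Saturday: the window does not apply
    return transitions(cfg, samples)
```

Run as a script, demo() yields four transitions: ON by hand at 08:10, OFF by AutoLock at 08:40, ON by the schedule at 09:05, OFF again at 09:40; the Saturday sample changes nothing because the window is weekday-only. The point of polling for changes rather than for status is that an action (an e-mail, a firewall rule, a session kill) should fire once per lock or unlock, not once per check.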
Slide 25: Demo 4: SCCAID

Slide 26: Triggering actions at events

Slide 27: Demo 5: Latch Event Monitor

Slide 28: Coming Soon: physical world; biometry; AD plugins; new plugins: Open Exchange, phpMyAdmin, Django?, LDAP bridge, etc.

Slide 29: Consumer Apps: Firefox OS. In development: BlackBerry & BlackBerry Z10.

Slide 30: https://latch.elevenpaths.com
