rootedcon 2014: playing and hacking with digital latches
DESCRIPTION
Talk about Latch (https://latch.elevenpaths.com) delivered by Chema Alonso at RootedCON 2014. Talk about Latch (https://latch.elevenpaths.com) and the different usage scenarios of the technology, given during RootedCON 2014.
TRANSCRIPT
Slide 1: Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Hacking with Digital Latches
Chema Alonso
(@chemaalonso)
Eleven Paths
Slide 2: Security Incidents
Slide 3: Identity Dumps
Slide 4
We use our digital services for only a tiny portion of the day. Why should we leave them open all day long?
If we reduce availability, we reduce exposure, and therefore risk.
Those developing new security proposals for online purchasing are capturing the whole market.
Slide 5: Passwords + OTP
SMS token: 8762134
Slide 6: One-Time Passwords
User needs to type a code
SMS deployment
Matrix is static
Hardware tokens are expensive
People don't like typing codes
Slide 7: People like naps (with remotes)
Slide 8: Keep it Simple, Stupid.
Slide 9: Taking a cab
To make her trip easier she decides to pay for everything using a service; on her way to the office at her destination she switches the service on so she can pay the taxi fare. Once done she switches her account off, minimizing the exposure to improper usage.
Slide 10: Login into a Web
Latch Server
Latch app: Latch1: OFF, Latch2: ON, Latch3: OTP, Latch4: OFF, …
My Bank, Users DB: Login: XXXX, Pass: YYYY, Latch: Latch1
Login Page: Login: AAAA, Pass: BBBB
1.- Client sends login/password
2.- Web checks credentials with its users DB (check user/pass)
3.- Asks about Latch1 status
4.- Latch1 is OFF
5.- Login error
6.- Someone tries to get access to the Latch1 id
Slide 11: Demo 1: Using Latch
Slide 12: Latch, a digital ID
Latch Server / My Site / User
Settings: Login: XXXX, Pass: YYYY, Latch: (blank until paired)
1.- Generate pairing code
2.- Temporary pairing token
3.- User introduces the temporary pairing token
4.- AppID + temporary pairing token
5.- OK + unique Latch
6.- Latch ID appears in app
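The pairing exchange above as an added Python model: this is constructed for illustration and is not the Latch API or SDK. The token alphabet, its six-character length, the 120-second lifetime and the class names are assumptions.

```python
import secrets
import time

# Constructed model of the pairing exchange on the slide (not the Latch API):
# the latch server hands the app user a short-lived pairing token (steps 1-2), the user
# types it into the site, the site sends AppID + token (steps 3-4), and the server answers
# with a unique latch id that the site stores with the account (steps 5-6).
TOKEN_TTL_SECONDS = 120   # assumed lifetime; the slides give none
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O/1/I, easier to type from a phone

class LatchPairing:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = {}   # pairing token -> (app user, expiry time)
        self.paired = {}   # (app_id, latch_id) -> app user

    def generate_pairing_code(self, app_user):
        """Steps 1-2: the app shows the user a temporary pairing token."""
        token = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self.tokens[token] = (app_user, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def pair(self, app_id, token):
        """Steps 4-5: the site presents AppID + token; returns the unique latch id or None."""
        entry = self.tokens.pop(token, None)       # single use, even when pairing fails
        if entry is None:
            return None
        app_user, expiry = entry
        if self.clock() > expiry:
            return None
        latch_id = secrets.token_hex(16)
        self.paired[(app_id, latch_id)] = app_user  # step 6: the latch shows in the app
        return latch_id

class SiteUser:
    """The site's own record; the latch id stays empty until pairing succeeds (step 3)."""
    def __init__(self, login, password_hash):
        self.login, self.password_hash, self.latch_id = login, password_hash, None

    def pair_latch(self, server, app_id, typed_token):
        latch_id = server.pair(app_id, typed_token.strip().upper())
        if latch_id is not None:        # a failed attempt must not unpair an existing latch
            self.latch_id = latch_id
        return latch_id is not None
```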
Slide 13: Demo 2: Latch Shodan ID
Slide 14: Granularity
Latch Server
Latch app: Latch1: ON (Op1: OFF, Op2: ON, Op3: OTP), Latch2: OFF, …
My Bank: Login: XXXX, Pass: YYYY, Latch: Latch1, Int_Trans: Op1
Online Banking: Send Money: 1231124343
1.- Client orders an international transaction
3.- Asks Latch1:Op1 status
4.- Latch1:Op1 is OFF
5.- Denied
6.- Someone tries to do a Latch1:Op1 operation
Slide 15: Users / Developers / Sites
Users: control all digital identities from one single point. ON/OFF.
Developers: integrate plugins and develop solutions with SDKs to adapt Latch technology to their needs.
SDKs: PHP, Java, .NET, C, Ruby, Python & WebService API
Plugins: WordPress, PrestaShop, RedMine, Cpanel, Moodle, OpenVPN, SSH, Drupal, DotNetNuke, Joomla!, … more than 20
Sites:
· Deploy 2FAuth
· Opt-in/mandatory
· Detect identity theft
· Granularity
· Reduce Fraud
· Parental Control
· 4 Eyes verification
Tools:
· Control Dashboard
· Usage Statistics
· Internal appliance (beta)
Slide 16: Demo 3: Latching SSH
Slide 17: Windows pGina
http://unstableequilibrium.com/2014/02/07/using-pgina-and-latch-to-protect-your-windows-login/
Slide 18: Parental Control
User + Pass
Login: User, Pass: Pass, Latch: Latch
Slide 19: 4-eyes verification
User1 + Pass1
User2 + Pass2
Login: User2, Pass: Pass2, Latch: Latch2
Login: User1, Pass: Pass1, Latch: Latch1
Slide 20: 2 keys activation
User1 + Pass1
User2 + Pass2
Asset: Latch: Latch1, Latch: Latch2
Slide 21: One-Time Password
Latch Server
Latch app: Latch1: OFF, Latch2: ON, Latch3: OTP, Latch4: OFF, …
My Bank, Users DB: Login: XXXX, Pass: YYYY, Latch: Latch1
Login Page: Login: AAAA, Pass: BBBB
1.- Client sends login/password
2.- Web checks credentials with its users DB
3.- Asks about Latch1 status
4.- Latch Server generates OTP
5.- Latch1 is ON (OTP)
6.- OTP?
7.- Use this (OTP).
8.- User introduces OTP
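The three decision flows in the deck (the login check on slide 10, per-operation granularity on slide 14 and the OTP status on this slide) as one added Python model: it is constructed for illustration and is not the Latch SDK or its API. The status names, the per-operation dictionary layout and the six-digit OTP are assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Constructed model (not the Latch SDK): the site checks the password first, then asks the
# latch server for the status of the user's latch (or of one operation under it). OFF is
# reported as a plain login error and raises an alert in the app; OTP pushes a code to type.
ON, OFF, OTP = "on", "off", "otp"

@dataclass
class LatchServer:
    latches: dict                                  # account_id -> {"": status, op: status}
    alerts: list = field(default_factory=list)     # what the Latch app would show
    pending_otp: dict = field(default_factory=dict)

    def status(self, account_id, operation=""):
        st = self.latches[account_id]
        if st[""] == OFF:                 # an OFF latch overrides all its operations
            return OFF
        return st.get(operation, st[""])  # an unknown operation inherits the latch status

    def issue_otp(self, account_id):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[account_id] = code   # only the newest code is valid
        self.alerts.append((account_id, "", f"OTP {code}"))

    def verify_otp(self, account_id, code):
        expected = self.pending_otp.pop(account_id, None)   # single use
        return expected is not None and secrets.compare_digest(expected, code)

@dataclass
class Site:
    server: LatchServer
    users: dict   # login -> (password, latch account_id)

    def login(self, login, password, operation="", otp=None):
        rec = self.users.get(login)
        if rec is None or not secrets.compare_digest(rec[0], password):
            return "login error"          # bad credentials: the latch is never consulted
        account_id = rec[1]
        st = self.server.status(account_id, operation)
        if st == OFF:
            self.server.alerts.append((account_id, operation, "blocked attempt"))
            return "login error"          # same answer as a bad password
        if st == OTP:
            if otp is None:
                self.server.issue_otp(account_id)
                return "otp required"
            return "ok" if self.server.verify_otp(account_id, otp) else "login error"
        return "ok"
```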
Slide 22: OTP Verification
Slide 23: Supervision
User + Pass
Login: User, Pass: Pass, Latch: Latch
Op1: Unlock
Op2: OTP
Why? / Answer / OTP
Slide 24: Monitoring Switch
With one latch:
– As much granularity as needed
– Two statuses
– OTP
– User confs
• Schedule
• AutoLock
Possible to react at status:
If Lock then {} Else {} Goto fail; Goto fail:
Slide 25: Demo 4: SCCAID
Slide 26: Triggering actions at events
Slide 27: Demo 5: Latch Event Monitor
Slide 28: Coming Soon
Physical World
Biometry
AD Plugins
New Plugins:
– Open Exchange
– PHP MyAdmin
– Django?
– LDAP Bridge
– Etc…
Slide 29: Consumer Apps
Firefox OS
In development:
· BlackBerry & BlackBerry Z10
Slide 30: https://latch.elevenpaths.com