C. Alonso_Seguridad Informática: Digital Latches for your Digital Life_Semanainformatica.com 2014
Transcript of C. Alonso_Seguridad Informática: Digital Latches for your Digital Life_Semanainformatica.com 2014
Valencia 2014 – Chema Alonso
Chema Alonso @chemaalonso
[email protected] http://www.elladodelmal.com
Security Incidents
Identity dumps
BYOM (Bring Your Own Malware)
The enemy at the gates
Exposure surface
• Services are active 24 x 7 x 365
• We only use our identities for a brief period of time
• It should be possible to switch accounts off
Passwords+OTP
SMS TOKEN 8762134
2FA “classics”
• The user has to type in a code
• SMS deployment
• The coordinate matrix is static
• Hardware tokens are expensive
• Users do not like typing in a code
People like taking a nap (with the TV remote in hand)
Patents
KISS (Keep It Spanish, Stupid)
At the airport. Anna has just started a new job and she is on a business trip. As usual, she checks the weather, prepares her suitcase and sets her online security levels using Latch.
Taking a cab. To make her trip easier she decides to pay for everything using a service. On her way to the office at her destination she switches the service on, so she can pay the taxi fare. Once done, she switches her account off, minimizing the exposure to improper usage.
An alert from the service she used! Fortunately her account was blocked by Latch, as Anna had easily requested using the app. Alas, during the stopover someone tried to hack her service account. The attack was under control and no misuse was ever carried out.
How do you protect an identity?
“Latching” an account
Latch Server
1. Generate pairing code
2. Temporary pairing token
My Site, User Settings: Login: XXXX Pass: YYYY
Latch:
4. AppID + temporary pairing token
5. OK + Unique Latch
6. Latch ID appears in the app
ULatch
Login on a website
Latch Server
Latch app: Latch1: OFF, Latch2: ON, Latch3: OTP, Latch4: OFF
….
My Bank, Users DB: Login: XXXX Pass: YYYY
Latch: Latch1
Login Page:
Login: AAAA Pass: BBBB
1. Client sends login/password
2. Web checks credentials against its users DB
3. Asks about Latch1 status
4. Latch1 is OFF
5. Login error
6. Someone tried to get access to the Latch1 id.
2. Check user/pass
Login on a website
Let's “Latch”…
Logging in with OTP
Latch Server
Latch app: Latch1: OFF, Latch2: ON, Latch3: OTP, Latch4: OFF
….
My Bank, Users DB: Login: XXXX Pass: YYYY
Latch: Latch1
Login Page:
Login: AAAA Pass: BBBB
1. Client sends login/password
2. Web checks credentials against its users DB
3. Asks about Latch1 status
5. Latch1 is ON (OTP)
6. OTP?
7. Use this (OTP).
4. Latch Server generates the OTP
8. User enters the OTP
2. Check user/pass
Logging in with OTP
Parental Control
User Pass
Login: User Pass: Pass Latch: Latch
User1 Pass1
User2 Pass2
Login: User2 Pass: Pass2 Latch: Latch2
Login: User1 Pass: Pass1 Latch: Latch1
Four-eyes verification
2 keys activation
User1 Pass1
User2 Pass2
Asset Latch: Latch1 Latch: Latch2
Latched operations
Latch Server
Latch app: Latch1: ON, Op1: OFF, Op2: ON, Op3: OTP
Latch2: OFF ….
My Bank: Login: XXXX Pass: YYYY
Latch: Latch1 Int_Trans: Op1
Online Banking
Send Money: 1231124343
1. Client orders an international transaction
3. Asks Latch1:Op1 status
4. Latch1:Op1 is OFF
5. Denied
6. Someone tried to perform a Latch1:Op1 operation
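The pairing flow, the OFF/ON/OTP check after the password step, and the per-operation latches drawn on the slides above, as an added Python model that is not Latch's own code or any of its SDKs. Everything in it is an assumption made for illustration: the class and function names (LatchServer, Site, authorize, run_demo), the latch-id and AppID formats, the sha256 password hash and the 6-digit OTP. The Latch server is simulated in-process, so the messages between site, server and phone app are plain method calls.

```python
# Added example, not Latch's own code or SDK: an in-process toy of the flows on the
# slides (pairing, login with OFF/ON/OTP, latched operations). Class and function
# names (LatchServer, Site, authorize, run_demo, ...) are assumptions.
import hashlib
import hmac
import secrets

OFF, ON, OTP = "OFF", "ON", "OTP"


class LatchServer:
    """Knows AppIDs and latch ids only; never sees the site's users or passwords."""
    def __init__(self):
        self._pairing_tokens = {}  # temporary pairing token -> owner's phone app
        self._latches = {}         # latch id -> {"app": AppID, "status": {op: value}}
        self.alerts = []           # (latch id, op) pushed to the app on a blocked attempt

    def generate_pairing_code(self, app_user):
        """Steps 1-2: the app obtains a short-lived pairing token for this user."""
        token = secrets.token_hex(4)
        self._pairing_tokens[token] = app_user
        return token

    def pair(self, app_id, token):
        """Steps 4-5: the site sends AppID + token and receives a unique latch id."""
        if self._pairing_tokens.pop(token, None) is None:  # single use
            return None
        latch_id = "L-" + secrets.token_hex(6)
        # key None is the account switch; operations (Op1, Op2, ...) are keyed by name
        self._latches[latch_id] = {"app": app_id, "status": {None: ON}}
        return latch_id

    def set_status(self, latch_id, status, op=None):
        # what the user does in the app: set the account or one operation to OFF/ON/OTP
        self._latches[latch_id]["status"][op] = status

    def check_status(self, app_id, latch_id, op=None):
        """Step 3: OFF also alerts the user's app; OTP returns the code the app shows."""
        latch = self._latches[latch_id]
        if latch["app"] != app_id:
            raise PermissionError("latch does not belong to this AppID")
        status = latch["status"].get(op, latch["status"][None])  # op inherits account status
        if status == OFF:
            self.alerts.append((latch_id, op))  # "someone tried to use Latch1"
            return OFF, None
        if status == OTP:
            return OTP, "".join(secrets.choice("0123456789") for _ in range(6))
        return ON, None


class Site:
    """Protected web app: stores login, password hash and latch id, never latch status."""
    def __init__(self, app_id, latch_server):
        self.app_id, self.latch, self.users, self.pending_otp = app_id, latch_server, {}, {}

    def register_user(self, login, password, pairing_token=None):
        latch_id = self.latch.pair(self.app_id, pairing_token) if pairing_token else None
        # sha256 keeps the toy short; a real site uses a slow password hash (bcrypt/argon2)
        self.users[login] = {"hash": hashlib.sha256(password.encode()).hexdigest(), "latch": latch_id}
        return latch_id

    def login(self, login, password, otp=None):
        """Steps 1-2: credentials first; the latch is consulted only if they are valid."""
        user = self.users.get(login)
        digest = hashlib.sha256(password.encode()).hexdigest()
        if user is None or not hmac.compare_digest(user["hash"], digest):
            return "LOGIN_ERROR"
        return self.authorize(user["latch"], None, otp)

    def authorize(self, latch_id, op=None, otp=None):
        """Gate for the login (op=None) or for a latched operation such as Op1."""
        if latch_id is None:
            return "OK"  # user never paired: plain password login
        key = (latch_id, op)
        if otp is not None and key in self.pending_otp:  # step 8: user typed the code
            return "OK" if hmac.compare_digest(self.pending_otp.pop(key), otp) else "DENIED"
        status, code = self.latch.check_status(self.app_id, latch_id, op)
        if status == OFF:
            return "DENIED"  # step 5: login error / operation denied, user is alerted
        if status == OTP:
            self.pending_otp[key] = code
            return "OTP_REQUIRED"  # step 6: ask the user for the OTP shown in the app
        return "OK"


def run_demo():
    # Anna (AAAA/BBBB) walks through the slide scenarios; returns the outcomes
    server, r = LatchServer(), {}
    site = Site("MyBank-AppID", server)
    latch1 = site.register_user("AAAA", "BBBB", server.generate_pairing_code("anna-phone"))
    server.set_status(latch1, OFF)
    r["off"] = site.login("AAAA", "BBBB")                 # DENIED, alert reaches Anna's app
    server.set_status(latch1, OTP)
    r["otp_prompt"] = site.login("AAAA", "BBBB")          # OTP_REQUIRED
    r["otp_ok"] = site.login("AAAA", "BBBB", otp=site.pending_otp[(latch1, None)])
    server.set_status(latch1, ON)
    server.set_status(latch1, OFF, op="Op1")              # account open, Op1 shut
    r["op1"], r["op2"] = site.authorize(latch1, "Op1"), site.authorize(latch1, "Op2")
    r["alerts"] = len(server.alerts)                      # 2 blocked attempts reported
    return r
```

Calling run_demo() returns DENIED for the OFF login, OTP_REQUIRED and then OK for the OTP login, DENIED for Op1 next to OK for Op2 (which inherits the account status), and two alerts. Two details mirror the privacy claims made later in the deck: the server object never holds a login or password, and the site stores only the latch id, never its status. The two-key case from the "2 keys activation" slide needs no extra code: the asset opens only when check_status returns ON for every latch guarding it.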
User Pass
Login: User Pass: Pass
Latch: Latch Op1:Unlock Op2: OTP
Supervision
Why?
Answer
OTP
Latch: Users, Developers, Corporates
Users: Control all digital identities in one single point. ON/OFF.
Developers: Integrate plugins and develop solutions with SDKs to adapt Latch technology to their needs
SDKs: PHP, Java, .NET, C, Ruby, Python & WebService API
Plugins:
WordPress, PrestaShop, RedMine, Cpanel, Moodle, OpenVPN, SSH, Drupal, DotNetNuke, Joomla!, …
Corporates: - Deploy 2FAuth - Opt-in/mandatory - Detect identity theft - Granularity - Reduce fraud - Parental control - 4-eyes verification
Tools - Control dashboard - Usage statistics - Internal appliance (beta)
Monitoring Switch
• With one latch
– As much granularity as needed
– Two statuses
– OTP
– User confs
• Schedule
• AutoLock
• Possible to react to the status: If Lock then {} Else {} Goto fail; Goto fail:
Latching SSH
Windows pGina
http://unstableequilibrium.com/2014/02/07/using-pgina-and-latch-to-protect-your-windows-login/
SCCAID
Triggering actions at events
Latch Event Monitor
Coming Soon
• Physical World
• Biometry
• AD Plugins
• New Plugins
– Open Exchange
– PHP MyAdmin
– Django?
– LDAP Bridge
– Etc…
Latch DashBoard
About Latch
• Privacy:
– AppIDs know the UniqueLatches but not the UserLatches.
– The Latch Server knows Latches and AppIDs, but not the users/passwords.
• Robustness:
– If the Latch server is compromised, the security of the protected site remains intact.
– No sensitive data is stored on the Latch Server.
Developer Area
Available apps
In development: • Firefox OS • Blackberry
Questions?
• Chema Alonso
• @chemaalonso
• [email protected]
• http://www.elladodelmal.com
• http://www.elevenpaths.com
• https://latch.elevenpahts.com