Chema Alonso @chemaalonso

chema@11paths.comhttp://www.elladodelmal.com

Incidentes de Seguridad

Dumps de identidades

BYOM (Bring Your Own Malware)

El enemigo a las puertas

Superficie de exposición

• Los servicios están activos 24 x 7 x 365

• Solo usamos nuestras identidades un breve espacio de tiempo

• Las cuentas deberían poder apagarse

Passwords+OTP

SMS TOKEN8762134

2FA “classics”

• Usuario necesita introducir un código• Despliege de SMS• Matriz de coordenadas es estática• Hardware tokens son caros• Usuario necesita introducir un código• Usuario no le gusta introducir un código

A la gente le gusta dormir la siesta (con el mando de la tele)

KISS (Keep It Spanish, Stupid)

Taking a cabTo make her trip easier she decides to pay everything using a service, on her way to the office at the destination point she switches service on, so she can pay the taxi fare. Once done she switches her account off, minimizing the exposure to improper usage.

An alert of the service used! Fortunately her account was blocked by Latch, as Anna easily requested using the app. Alas, in the stopover someone tried to hack her service account. The attack was under control and no misuse was ever fulfilled.

¿Cómo proteger una identidad?

“Latch” de una cuenta

LatchServer

1.- Generate pairing code

2.- TemporaryPariring token

My SiteUser Settings:Login: XXXXPass: YYYY

Latch:

3.- User in

troduces

Temp Pairing token

4.-AppID+Temp pairing Token

5.- OK+Unique Latch

6.-ID Latchappears in app

ULatch

Login en una Web

LatchServer

Latch appLatch1: OFFLatch2:ONLatch3:OTPLatch4:OFF

….

My BankUsers DB:

Login: XXXXPass: YYYY

Latch: Latch1

Login Page:

Login:AAAAPass:BBBB

1.- Client sendsLogin/password

2.- Web checksCredentials withIts users DB

3.- asks about Latch1 status

4.- Latch 1 is OFF

5.- Login Error

6.- Someone try to getAccess to Latch 1 id.

2.- Check user/pass

Vamos a “Latchear”…

Hacer login con OTP

LatchServer

Latch appLatch1: OFFLatch2:ONLatch3:OTPLatch4:OFF

….

My BankUsers DB:

Login: XXXXPass: YYYY

Latch: Latch1

Login Page:

Login:AAAAPass:BBBB

1.- Client sendsLogin/password

2.- Web checksCredentials withIts users DB

3.- asks about Latch1 status

5.- Latch 1 is ON(OTP)

6.- OTP?

7.- Use this (OTP).

4.- LatchServerGeneratesOTP

8.- User introduces OTP

2.- Check user/pass

Control Parental

UserPass

Login: UserPass: Pass

Latch: Latch

User1Pass1

User2Pass2

Login: User2Pass: Pass2

Latch: Latch2

Login: User1Pass: Pass1

Latch: Latch1

Verificación de 4 ojos

2 keys activation

User1Pass1

User2Pass2

AssetLatch: Latch1Latch: Latch 2

Operaciones latcheadas

LatchServer

Latch appLatch1: ON

Op1:OFFOp2:ONOP3:OTP

Latch 2: OFF….

My BankLogin: XXXXPass: YYYY

Latch: Latch1Int_Trnas: Op1

Online Banking

Send Money:1231124343

1.- Client ordersInternational Transactions

3.- asks Latch1:Op1 status

4.- Latch 1:Op1 is OFF

5.- Denied

6.- Someone try to do a Latch 1:Op1Operation

UserPass

Login: User

Pass: PassLatch: Latch

Op1:Unlock

Op2: OTP

Supervision

Why?

Answer

OTP

Monitoring Switch

• With one latch– As many granularity as needed– Two status– OTP– User confs

• Schedulle• AutoLock

• Possible to re-act at statusIf Lock then {}Else {}Goto fail;Goto fail:

Sobre Latch• Privacidad:– AppIDs conoce los UniqueLatches pero no los

UserLatches.– Latch Server conoce Latchets y AppID, pero

no los usuarios/passwords

• Robustez:– Si el servidor de Latch es comprometido la

seguridad del sitio protegido sigue intacta. – No se guarda ningún dato sensible en Latch

Server.

¿Preguntas?

• Chema Alonso• @chemaalonso• chema@11paths.com• http://www.elladodelmal.com• http://www.elevenpaths.com• https://latch.elevenpahts.com