
Lose your Passwords 20 times in 20 minutes – Eleven Paths en GsickMinds 2014 (José Palazón)

980 views

Published on

The probability that our credentials get compromised grows every time we interact with digital services and systems. In this talk, Palazón walks through the many ways our digital identity can be stolen, and argues that the shorter exposure time Latch guarantees, together with the architecture the product is built on, lets us regain control over our digital lives.

http://www.gsickminds.net/

Published in: Technology


  1. Lose your password 20 times in 20 minutes …and use Latch so that you don't care that much about it. Jose Palazon, elevenpaths.com
  2. Insecure networks
  3. Clear text passwords over the net: Tumblr iOS apps (#01)
  4. Symmetric cryptography: client-side stored secrets, secret sharing (#02)
  5. Asymmetric cryptography, invalid certificates: Man in the Middle (#03)
  6. Asymmetric cryptography, good certificates: no certificate pinning, compromised CA (#04)
  7. sslstrip: HTTPS changed to HTTP on the fly (#05)
  8. Insecure storage
  9. Clear text password storage: just grab them (#06)
  10. Symmetric crypto, weak algorithm: DES, IDEA, RC4, Blowfish, keys too weak (#08)
  11. Symmetric crypto, good algorithm: still sharing secrets (#07)
  12. Hashes, weak passwords: brute force (#09). Enumeration order: a b c d e f g … h i j … aa ab ac ad ae af ag … ha hb hc … aaa aab aac aad aae aaf aag … hel hem hen … aaaaa aaaab aaaac aaaad aaaae aaaaf aaaag … hello hellp hellq … hell0 h3ll0 h3110 hello77 19hello77 …
  13. Hashes, common passwords: dictionary attacks (#10)
     • Pet names
     • Artists
     • Celebrities
     • Countries
     • Entire dictionaries
     • All languages (not only human)
     • …
     • John the Ripper wordlists: 40 million entries in 20+ languages
  14. Hashes, unsalted passwords: rainbow tables, hash collisions (#11)
  15. Hashes, salted passwords: run dictionaries using the stored salt (#12)
  16. Other
  17. Password reuse: Have I been pwned? (#13)
  18. Password managers: all passwords and tokens together, protected by a single key (#14)
  19. Leaked passwords: every day (#15)
  20. Password recovery mechanisms: secret questions, email reset (#16)
  21. OAuth in mobile devices: you can't see that it's fake (#17)
  22. One Time Passwords
  23. Physical tokens: expensive to replace when lost or broken, and you need to carry them (#18)
  24. Shared secrets and sync problems: expensive to replace when compromised, and exposed in the meantime (#19)
  25. OTP in mobile phones: HOTP, TOTP, still sharing secrets (#20)
  26. Lose your password 40 times in 40 minutes
     • Phishing via email
     • Phishing via XSS
     • iOS biometrics (fingerprint printed on transparent plastic)
     • Android face recognition (picture held in front of the camera)
     • RFID (building access, car keys) using antennas
     • Tracking the phone accelerometer while the password is typed
     • Key clicks picked up with a microphone from afar
     • Remote camera
     • Default passwords
     • Post-its
     • Thermal images at cash machines
     • Keylogger
     • Compromised sudo (or a different sudo earlier in $PATH), and its Windows/OS X equivalents, when installing applications etc.
     • Passwords sent via GET remain in the system logs (even over HTTPS)
     • Login prompt: typing the password instead of the username ends up in the logs
  27. Enough please!! What do I do??
  28. Reduce availability, reduce exposure, reduce risk
  29. Latch: lock and unlock anything from a single screen
  30. How it works
  31. Pairing protocol: completely anonymous and private for both parties. How to pair:
     • From the service provider, find the Latch preferences. It should ask you to enter a pairing code.
     • Generate a temporary pairing code with the Latch mobile app.
     • Read the pairing code from your phone screen and type it into the service provider's website.
     • The service provider sends Latch the pairing code and gets a unique account identifier in return.
     • The service provider uses this identifier to query the status of this, and only this, latch.
  32. Secure side channel, alerts. Sending data to the phone:
     • Latch only tells the device that new data is available.
     • Data is never sent through other parties.
     • All data is encrypted on a secure channel between the phone and Eleven Paths.
     Alerts and notifications:
     • New latch
     • Latch removed
     • Access attempt while the latch is locked
     • Access while unlocked (optional)
  33. Not only authentication: even operations are anonymous. Authentication:
     • Sits on top of any authentication
     • Provides an easy second factor, no tokens
     • Optional extra factors (OTP)
     • Access to customer applications
     • Access to VPN and remote networking
     • Access to B2B applications
     • Email and social networks
     • Control panels
     Authorization:
     • Credit card operations
     • Bank transfers
     • Online payments
     • Card Not Present transactions
     • International phone calls
     • Publishing rights on Internet media
  34. Scheduler and autolock, and of course a panic button. Scheduler:
     • Services that you only use at work
     • Services that you never use when sleeping
     Autolock:
     • Set latches to close on their own if you forget to close them after use
  35. [image-only slide]
  36. Mobile apps: English, Spanish, Portuguese and German
  37. SDKs and plugins
  38. Latch for the Enterprise
  39. Latch Satellite
  40. Frequently Asked Questions. My phone:
     • What if I run out of battery?
     • What if my phone is stolen?
     • What if I switch phones?
     The service / My accounts:
     • What if Latch is compromised?
     • What if the Latch service is down?
     • Is this like putting all my eggs in one basket?
     • What if I lose my Latch password?
  41. Latch Plugin Contest
  42. Internships for Students
  43. https://latch.elevenpaths.com
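Worked example for slides 12 to 15 (brute force and dictionaries against hashes, unsalted versus salted storage). This is an added example, not code from the talk or from Eleven Paths. The wordlist, the users, the salts and the "leaked" tables are all constructed here; the hash functions are the standard library's.

```python
"""Why unsalted hashes fall to a precomputed table (slide 14), why salting forces
the dictionary to be re-run per row using the stored salt (slide 15), and why a
slow KDF multiplies the cost of every guess in that run. All data is constructed."""
import hashlib
import hmac
import time

# Constructed wordlist standing in for a John the Ripper dictionary (slide 13).
WORDLIST = ["123456", "password", "letmein", "qwerty", "hello", "h3ll0", "hello77"]

# Constructed, fixed salts so the run is reproducible; real salts come from os.urandom.
SALT_A = bytes.fromhex("a1b2c3d4e5f60718")
SALT_B = bytes.fromhex("0f1e2d3c4b5a6978")
ITER = 10_000   # low on purpose so the example runs quickly; use far more in production


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iterations: int = ITER) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Three constructed "leaked databases" for the same two users, one per storage scheme.
LEAKED_UNSALTED = {"alice": md5_hex("hello"), "bob": md5_hex("tr0ub4dor&3")}
LEAKED_SALTED = [("alice", SALT_A, salted_sha256("hello77", SALT_A)),
                 ("bob", SALT_B, salted_sha256("tr0ub4dor&3", SALT_B))]
LEAKED_PBKDF2 = [("alice", SALT_A, pbkdf2_hex("hello77", SALT_A)),
                 ("bob", SALT_B, pbkdf2_hex("tr0ub4dor&3", SALT_B))]


def build_table(words):
    """Precomputed once and reused against every unsalted leak: one hash per word.
    This is the one-dimensional form of a rainbow table."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(leaked, table):
    """Slide 14: with no salt, every row is a dictionary lookup, no hashing at attack time."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def crack_salted(rows, words, hash_fn):
    """Slide 15: the table is useless because each row has its own salt, so the attacker
    recomputes hash_fn(word, salt) for every word, per row.
    Returns (cracked, number of hash evaluations spent)."""
    cracked, evaluations = {}, 0
    for user, salt, digest in rows:
        for w in words:
            evaluations += 1
            if hmac.compare_digest(hash_fn(w, salt), digest):
                cracked[user] = w
                break
    return cracked, evaluations


def cost_of_one_guess(iterations=100_000):
    """Seconds for one PBKDF2 guess versus one plain salted SHA-256: the factor a slow
    KDF adds to every evaluation in crack_salted. Machine dependent, so returned, not asserted."""
    t0 = time.perf_counter()
    pbkdf2_hex("hello", SALT_A, iterations)
    t1 = time.perf_counter()
    salted_sha256("hello", SALT_A)
    t2 = time.perf_counter()
    return {"pbkdf2": t1 - t0, "sha256": t2 - t1}


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted:", crack_unsalted(LEAKED_UNSALTED, table), "(lookups only)")
    cracked, n = crack_salted(LEAKED_SALTED, WORDLIST, salted_sha256)
    print("salted  :", cracked, "after", n, "SHA-256 evaluations")
    cracked, n = crack_salted(LEAKED_PBKDF2, WORDLIST, pbkdf2_hex)
    print("pbkdf2  :", cracked, "after", n, "PBKDF2 evaluations of", ITER, "iterations each")
    print("cost    :", cost_of_one_guess())
```

The same `crack_salted` loop serves both the plain salted hash and the KDF; the defender does not change the attacker's algorithm, only the price of each iteration of it. Bob's password is outside the wordlist, so it survives all three runs, which is slide 12's point about weak passwords from the other side.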
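Worked example for slides 24 and 25 (HOTP and TOTP on a phone, and the shared secret and counter-sync problems that come with them). This is an added example, not from the talk or from Eleven Paths. The algorithms follow RFC 4226 and RFC 6238 using the standard library; the secret is the RFC test secret, and the server-side "database row" is constructed here.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as both the phone and the server compute them.
Both sides hold the same 20-byte secret: that is what slide 25 means by 'still sharing
secrets', and the look-ahead window in verify_hotp is the sync problem of slide 24."""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" in ASCII).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from time, so both clocks must agree to a step."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 5):
    """Server-side HOTP check. The phone may have generated codes the server never saw,
    so the server tries server_counter..server_counter+look_ahead and, on a match,
    moves past it (that counter and everything below become replays).
    Returns the new server counter, or None if nothing in the window matches."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
               for d in range(-window, window + 1))


def attacker_with_leaked_db(db_row: dict, unix_time: int) -> str:
    """Slide 25: the server row holds the very secret the phone holds, so a leaked
    database yields a code the server accepts. Same function, other party."""
    return totp(db_row["otp_secret"], unix_time)


if __name__ == "__main__":
    # Constructed server-side row for one user.
    server_db = {"alice": {"otp_secret": RFC_SECRET, "hotp_counter": 0}}
    now = 59
    phone_code = totp(RFC_SECRET, now)
    print("phone shows", phone_code, "server accepts:", verify_totp(RFC_SECRET, phone_code, now))
    stolen = attacker_with_leaked_db(server_db["alice"], now)
    print("attacker with the DB computes", stolen, "server accepts:", verify_totp(RFC_SECRET, stolen, now))
    # HOTP drift: the phone burned counters 0 and 1 without the server seeing them.
    print("resync to counter", verify_hotp(RFC_SECRET, hotp(RFC_SECRET, 2), server_db["alice"]["hotp_counter"]))
```

Nothing in either verifier distinguishes the phone from whoever copied the secret out of the server; that is the property Latch's pairing flow is designed to avoid by giving the service provider only an opaque identifier rather than a secret it could leak.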
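Worked example for the last two items of slide 26 (passwords sent via GET staying in the logs, and a password typed at the username prompt ending up in the auth log): both leaks are visible in ordinary server logs, so a defender can scan for them. This is an added example, not from the talk; every log line below is constructed for it, and the sensitive-key list is an assumption of the example.

```python
"""Scan constructed access-log and auth-log lines for credentials the server wrote to
disk: query-string parameters whose name suggests a credential (logged even over
HTTPS, since the server logs the decrypted request line) and sshd 'Invalid user'
entries whose 'name' does not look like a login at all."""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed set of parameter names worth flagging; extend for your own applications.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token", "api_key", "secret", "session"}

# Constructed Apache combined-format lines. Only the GET lines can leak a query string;
# the POST body is not written to the access log.
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:01:02 +0100] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2014:10:01:10 +0100] "GET /profile?id=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2014:10:02:00 +0100] "GET /api/v1/items?api_key=k3y-example-9f2 HTTP/1.1" 200 88 "-" "curl/7.35"
10.0.0.7 - - [12/Mar/2014:10:03:00 +0100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed sshd lines: the first is someone typing their password at the login: prompt.
AUTH_LOG = """\
Mar 12 10:05:11 host sshd[2211]: Invalid user Summer2014! from 10.0.0.8
Mar 12 10:05:20 host sshd[2213]: Accepted publickey for alice from 10.0.0.8 port 5000 ssh2
Mar 12 10:06:02 host sshd[2215]: Invalid user admin from 10.0.0.12
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<name>\S+) from (?P<ip>\S+)")
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # what a plausible Unix login looks like


def mask(value: str) -> str:
    """Keep the first character so the finding can be matched to a user, hide the rest:
    the scanner's own output must not become a second copy of the leak."""
    return value[:1] + "*" * (len(value) - 1) if value else ""


def credentials_in_access_log(text: str):
    """Return one finding per query-string parameter with a credential-like name."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue
        for key, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            if key.lower() in SENSITIVE_KEYS:
                findings.append({"line": n, "ip": m["ip"], "key": key, "value": mask(value)})
    return findings


def password_like_invalid_users(text: str):
    """'Invalid user' names that do not look like a login are probably passwords typed
    into the wrong prompt; 'admin' is a normal guess and is left alone."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = INVALID_USER_RE.search(line)
        if m and not USERNAME_RE.match(m["name"]):
            findings.append({"line": n, "ip": m["ip"], "name": mask(m["name"])})
    return findings


if __name__ == "__main__":
    for f in credentials_in_access_log(ACCESS_LOG):
        print("access log line", f["line"], "from", f["ip"], "leaks", f["key"], "=", f["value"])
    for f in password_like_invalid_users(AUTH_LOG):
        print("auth log line", f["line"], "from", f["ip"], "logged a password-looking username:", f["name"])
```

The fix on the application side is the one the slide implies: never accept credentials in a GET query string, so there is nothing for the access log to record. On the SSH side the log line cannot be avoided, which is why finding it quickly and rotating the password matters.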
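Worked example for slide 31 (the pairing protocol) and slide 29 (locking a service from the phone): a toy model of the flow the slide describes, written to show the property it claims. This is an added example, not Eleven Paths' code and not the real Latch API; every class, method and identifier here is an assumption made for illustration. The phone obtains a short-lived, single-use pairing code; the service provider exchanges that code for an opaque account identifier; from then on the provider can ask for the status of that one latch and nothing else, and the only thing it ever learns is on or off.

```python
"""Toy model of the pairing exchange on slide 31 with both sides' messages.
Hypothetical names throughout; not the Latch service or SDK."""
import hmac
import secrets
import string

CODE_ALPHABET = string.ascii_uppercase + string.digits


class LatchBackendModel:
    """Hypothetical stand-in for the Latch service side."""

    def __init__(self, code_ttl=120):
        self.code_ttl = code_ttl
        self._pending = {}    # pairing code -> (phone id, expiry time)
        self._accounts = {}   # opaque account id -> {"phone", "provider", "locked"}

    def issue_pairing_code(self, phone_id, now):
        """Step 2: the mobile app asks for a temporary code shown on the phone screen."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(6))
        self._pending[code] = (phone_id, now + self.code_ttl)
        return code

    def pair(self, provider_id, code, now):
        """Step 4: the provider sends the typed code and receives an opaque, unique account
        id. The code is consumed on first use whether or not it was still valid."""
        phone_id, expiry = self._pending.pop(code, (None, 0))
        if phone_id is None or now > expiry:
            return None
        account_id = secrets.token_hex(16)   # unrelated to the phone or to any other pairing
        self._accounts[account_id] = {"phone": phone_id, "provider": provider_id, "locked": False}
        return account_id

    def status(self, provider_id, account_id):
        """Step 5: only the provider that paired this id may query it, and it learns just on/off."""
        acct = self._accounts.get(account_id)
        if acct is None or acct["provider"] != provider_id:
            return None
        return "off" if acct["locked"] else "on"

    def set_lock(self, phone_id, account_id, locked):
        """Only the phone that owns the latch may flip it."""
        acct = self._accounts.get(account_id)
        if acct is None or acct["phone"] != phone_id:
            return False
        acct["locked"] = locked
        return True


class ServiceProviderModel:
    """Hypothetical website: checks the password, then the latch, before granting access."""

    def __init__(self, provider_id, backend):
        self.provider_id = provider_id
        self.backend = backend
        self.users = {}   # username -> {"password", "latch_account_id"}

    def add_user(self, username, password):
        self.users[username] = {"password": password, "latch_account_id": None}   # toy store, not hashed

    def pair_latch(self, username, typed_code, now):
        """Steps 1 and 3: the user types the code from the phone into the Latch preferences page."""
        account_id = self.backend.pair(self.provider_id, typed_code, now)
        if account_id is None:
            return False
        self.users[username]["latch_account_id"] = account_id
        return True

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(password, user["password"]):
            return "denied: bad credentials"
        if user["latch_account_id"] is not None:
            if self.backend.status(self.provider_id, user["latch_account_id"]) != "on":
                return "denied: latch locked"
        return "granted"


def run_flow(now=1000):
    """Whole exchange: pair, log in while open, lock from the phone, log in again,
    then try to replay the pairing code from a second provider."""
    backend = LatchBackendModel()
    shop = ServiceProviderModel("shop.example", backend)
    shop.add_user("alice", "hunter2")
    code = backend.issue_pairing_code("alice-phone", now)
    paired = shop.pair_latch("alice", code, now + 10)
    first = shop.login("alice", "hunter2")
    acct = shop.users["alice"]["latch_account_id"]
    backend.set_lock("alice-phone", acct, True)
    second = shop.login("alice", "hunter2")      # correct password, but the latch is closed
    replay = backend.pair("other.example", code, now + 20)
    return {"paired": paired, "open": first, "locked": second, "replay": replay}


if __name__ == "__main__":
    print(run_flow())
```

The model keeps the provider's side free of any secret worth stealing: a breach of `shop.example` yields an account id that only `shop.example` can use, and using it only reveals whether the latch is open. Contrast that with the OTP case, where the same breach yields the secret needed to mint valid codes.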
