News: Latch plugin for SugarCRM is out

Florence Broderick    27 August, 2014
We have uploaded to GitHub our latest plugin for SugarCRM. It makes it easier to use Latch technology with this popular CRM platform. You can download it from here. This is a little “how to” so you can check how easy the integration is.

Prerequisites

Admins have to follow the usual steps if they want to protect SugarCRM with Latch:

  1. Create a developer account if they don’t already have one.
  2. Create an application with the features they want.
  3. Download the plugin.
  4. Install and configure the plugin in their SugarCRM environment. 

Steps 1, 2 and 3 are documented on the website of Eleven Paths; step 4 is going to be explained in this post.

Go to the “Admin” panel in SugarCRM.

SugarCRM Admin Panel

Go to module loader using the “Module Loader” link, in the “Developer Tools” section.

“Module Loader” in SugarCRM

In this section add the downloaded zip file, upload and install it.

Add the downloaded module to SugarCRM

Module installation

Next, rebuild the SugarCRM templates. Return to the “Admin” panel and click on the “Repair” link, and then on “Quick Repair and Rebuild”.

Rebuild the templates

Once the process is completed, SugarCRM will rebuild the application and the Latch module can now be set up. A “Latch Configuration” link will appear in the “Admin” panel.

Accessing Latch module setup menu

Here the administrator has to add the Application ID and the Application Secret.

Application ID and Application Secret form

Latch is now ready to be used and users are ready to pair their accounts. Users with SugarCRM accounts set up their own accounts by going to “Pair with Latch” and typing the characters generated with the phone into the text box displayed on the web. Once the token generated by Latch is entered into their accounts, a notification will be received on the phone, announcing that the account is already paired.

SugarCRM successfully paired

Now the user may lock and unlock access to his SugarCRM account and a notification on his phone will be received, warning about anyone trying to access the account.

Notification of an unauthorized access attempt

The database

When the plugin is installed in SugarCRM, the SugarCRM database is set up to store the values needed by Latch.
The latch_accounts table indicates which user account has been paired with Latch, and the user’s account ID.

Table latch_accounts with the users that have already paired their accounts

News: Latch plugin for Moodle is out

Florence Broderick    15 August, 2014
We have uploaded to GitHub our latest plugin for Moodle. It makes it easier to use Latch technology with this popular e-learning platform. You can download it from here. This is a little “how to” so you can check how easy the integration is.

Prerequisites

Admins have to follow the usual steps if they want to protect Moodle with Latch:

1. Create a developer account if they don’t already have one.
2. Create an application with the features they want (one-time password has not been implemented yet for Moodle).
3. Download the plugin.
4. Install and configure the plugin in their Moodle environment.

Steps 1, 2 and 3 are documented on the website of Eleven Paths, and step 4 is going to be explained in this post.

The Moodle plugin is a zip file; copy its contents to the root directory of Moodle.

Moodle root directory

After copying the plugin, the Moodle administrator has to log in to his own account with username and password, and complete the installation.

Confirmation message

To set up the plugin, the administrator should go to the “Manage authentication” section, under the “Site administration – Plugins – Authentication” menu and enable the Latch plugin.

Enabling the plugin

After enabling the plugin, the administrator has to enter the “Application ID” and the “Secret” to the section corresponding to “Latch” under the “Site administration – Plugins – Authentication” menu.

Entering the app ID and the Secret

Latch is now ready to be used and users are ready to pair their accounts. Users with Moodle accounts set up their own accounts by going to “My Profile settings – Edit profile” and accessing the “Latch” section. Type the token generated on the phone into the text box displayed on the web.

Introduce the token generated by Latch app

A notification will be received on the phone, announcing that the account is already paired.

Notification after successful pairing

Now the user may lock and unlock access to his Moodle account, and a notification on his phone will be received, warning about somebody trying to access the account.

Notification of an unauthorized access attempt

The database

When Latch is installed in Moodle, the Moodle database is set up to store the values needed by Latch. Specifically, the mdl_config_plugins table stores the Application ID and App Secret.

mdl_config_plugins table with the Application ID and the Secret

The mdl_user_info_data table indicates which user account has been paired with Latch.

mdl_user_info_data table with the users that have already paired their accounts

Latch in Node.js… too mainstream?

Florence Broderick    18 July, 2014
Nowadays, when we start any self-respecting web project, there are a few mandatory steps if we want to ride the crest of the wave and become true “hipsters”. Long gone are the days when “mainstream” frameworks were used, when men were men (and women were women) and wrote their own drivers.

Node.js? Too mainstream

We are currently living through a continuous race to be more modern: from frameworks like Nodyn, where we develop in ClojureScript that compiles to JavaScript, which runs on Node.js, which compiles to a… JVM!, to countless varieties of AngularJS (EmberJS, Backbone, Knockout, Ractive.js, etc.), alternatives to Grunt such as gulp.js, alternatives to Yeoman such as FireShell, through converters from JavaScript to CoffeeScript, improvements on CoffeeScript itself such as Six, or Functional Reactive Programming such as bacon.js.

Basically, these are the main steps to develop any web project in 2014:

  1. Write tweets about it.
  2. Photograph your workspace and upload it to Instagram.
  3. Choose your JS framework.
  4. Set up your MongoDB and Redis.
  5. Visit Reddit, meneame, forocoches and the like.
  6. Profit

Jokes aside, it is a pleasure for us to have a Latch SDK for Node.js already available, and even a Latch authentication strategy for PassportJS. For those who do not know it, Node.js is a framework created in 2009 by Ryan Dahl, and its development is sponsored by the company Joyent (a company that offers IaaS and PaaS, and whose investors include Telefónica).

Its main feature is that it is based on Google’s famous and powerful V8 JavaScript engine, and it aims to offer an easy and secure way to create scalable, high-performance applications in JavaScript. In fact, one of the features that is a bit hard to understand at first is its predominant orientation towards asynchronous, event-based code, which can end up being more complex than ordinary synchronous code.

If you check the code of the Latch SDK, you will see that it is really very simple (the following code is taken from index.js).

First we have to add the HTTP headers that our Latch servers need to receive in order to know that the requests are valid:
And then we simply make the HTTP request to our Latch servers with the chosen operation.

Looking at this last piece of code, we can see a part of how Node.js works where the asynchronous character mentioned above can be appreciated. The HTTP request we make (the “request”) is itself a function in which we can see several events; in the response we have the “data” event, which means that we are receiving data, and also the “end” event, which means that we have already received all the data and it can be processed if desired (or it could have been processed as it arrived). There is also an “error” event on the request, in case there is any problem with the HTTP request.

As simple as that; with a few lines we have the whole Latch SDK implemented in Node.js. We have also made a PassportJS authentication strategy available to everyone so that it is easy to use: there we show examples of how to use Latch, either as:

In short, the Latch SDK for Node.js joins the list of existing SDKs such as PHP, Java, Ruby, Python, C, .NET or PowerShell so that it can be used in all applications.
David Barroso

News: Latch plugin for Windows is out

Florence Broderick    10 July, 2014
With this plugin, you may protect access to Windows systems, as a standalone machine not connected to any other authenticator. The plugin may be downloaded directly from here or here depending on your architecture. This personal edition is free, but it is necessary to register to get a developer account with an App ID and Secret if you do not have one yet. Visit https://latch.elevenpaths.com and, on the upper right side, click on “Developer’s area”.

Here is a little “how to” so you can check how easy the integration is. The only prerequisite is Microsoft Windows XP SP3 or later. For a professional version of this plugin, valid for Active Directory, please check the Enterprise version here.

Installing and configuring

Unzip the program and execute latch_windows_plugin_pe_64.exe. By default, the plugin is added as a standard program under the “Eleven Paths” folder, “Latch for Windows”. Usually this will be “C:\Program Files (x86)\Eleven Paths\Latch for Windows” or “C:\Program Files\Eleven Paths\Latch for Windows” depending on the architecture. Check the “Enable” checkbox and click “Latch Settings”.

Click on “Enabled” to start using Latch for Windows
  • Complete the fields with the Application ID and Secret previously generated in the developer’s area, and click “OK”. Operation ID is not mandatory.

In “Latch settings”, fill the fields up with Application Id and Secret key

  • Back to the main window, click on “Add” and add a username. From the Latch app on the phone, generate the token and complete the “Pairing token” box in the “User options” window, and click the button “Pair” and “OK”.
Add a username and generate a token with your app

Generate a pairing token for the user

  • The user is added to the list. Restart Windows, and the plugin is now ready to be used.

Using Latch

From now on, the user may lock his Windows account in his smartphone so no one will be able to log in even if the password is known.

Lock or unlock the account from Latch app
Even if the password is correct, the user will not be able to log in until the latch is unlocked

News: New versions and features in Latch apps

Florence Broderick    24 June, 2014

Facing the summer and holidays for most of you, at Eleven Paths we have created an important new update for the Latch app. We have a new version for Android, iOS and Windows Phone, with several improvements and new features.

In this post we’re going to specify the most important new features and improvements you can get with the new app for Android, iOS, and Windows Phone, so you can keep protecting services more effectively and easily.

Main improvements

The most flashy improvement for the user updating to the newer version is this new big sliding element that we call here in the office “latchón”, as in “big latch”. This slider replaces the “Lock Everything” button in the previous version.

“Latchón” in Android

Another new thing is that when a service is locked with this element, every operation existing below will be locked too. But besides, they will be disabled from the app, so you can’t modify the status of any of them.

Locking all the paired services when “Latchón” is activated.

Locking internal operations when activating the big Latch of a service

Unlocking the big latch keeps the latest status of any service or operation. The usual slide buttons (that we call “little latches” or “latchitos”) now come with text indicating the service status (“LOCK” for locked and “UNLOCK” for unlocked); these texts are translated into Spanish, English, Portuguese and German.

“Latchito” of a locked service

A new intermediate screen when generating the pairing token

Now, when generating a new token, a new intermediate screen appears from where you may access the guide explaining the pairing process or directly generate the token. This offers time for the user to click on the exact form field in the website where the token is being required.

Step before generating the pairing token

Scheduled lock and autolock

Now it’s easier to schedule a lock. In previous versions it was done with a clock-shaped button next to the lock and unlock buttons. This was confusing for some users. Now it’s configured from a separate “Schedule lock” field, and Latch will automatically set the status depending on the configured time span.

Besides, “Scheduled lock” and “Autolock” are now mutually exclusive, to avoid confusion about the status of a service or operation at a given time. When one is set, the other is disabled.

“Scheduled lock” set and “Autolock” disabled

Another new feature is that the services or operations with a “Scheduled lock” will show a clock shaped icon inside their “latchitos” (little latches).

A little clock in the latch indicates a “Scheduled lock”

The autolock time is now global for all services or operations, and is set from the “Settings” menu.

Notifications about unlocking parent operations

When unlocking an operation from a notification, if this operation is locked because a lock is set in a “parent” operation, a message indicating the operations that will be unlocked will be received too.

This is because if a lock is set for a service, all the elements below will be locked too. Thanks to this feature the user may choose if he wants to unlock or not the operation and will be informed about the services or operations that will be unlocked too.

Notification about unlocking parent operations

Improvements on devices

Besides these common features, Android and Windows Phone have integrated some improvements:

  • For Android the app is now optimized for MDPI resolution.
  • Latch for Windows Phone is the one that has been modified the most. Now, notifications are received when unpairing services, and may be configured to be received when accessing an unlocked service. Another improvement: if the service provider modifies the status of the service, the app will show an orange notification. Windows Phone 8.1 is now supported.

Resources

The weakest hand (on security)

Florence Broderick    10 June, 2014
Users have much more at stake in the digital world than ever before. Arguably as much or more, even, than our employers: our personal and professional reputations, livelihood, assets, family, friendships and homes. Yet, most of us use little more than an antivirus, desktop firewall, and whatever has been built into our routers and implemented for us by our local ISPs to safeguard all of this. Meanwhile, the businesses we work for have hired experts to monitor the organization, its systems, applications, and devices around the clock. They invest in layered defenses, analytics, forensics, intelligence and so forth. But, they do little to protect users when we leave the office.

The weakest link

Finding Nemo. Source: imdb.com

Whether or not they realize it, organizations depend on us, also around the clock, to defend both personal and enterprise interests. Attackers can leverage vulnerabilities in our personal digital lives to get at our employers, and vice versa; and often, this is precisely what they do. Users are an easy mark. We are the weakest link, “the fish”, as they say at the poker table, susceptible to phishing, watering hole, and social engineering. We are error prone, willing to sacrifice security for productivity gains, often lazy, or resistant to security policy. To make matters worse, when we leave the office we haven’t got the resources our employers have; and so, we don’t take the precautions that might otherwise help our organizations minimize the risks associated with attacker-leap-frogging from the personal to the professional.

Just as with businesses, the overall level of risk to which we, the fish, are exposed is increasing, and we ought to dedicate more care and awareness to safeguard our personal digital lives, the same way our employers do to protect their assets. But, we don’t (at least not the majority of us) and so long as we don’t do enough to protect ourselves we will continue to be fish.

Long live the antivirus?

There’s a paternalistic aspect to securing users and consumers that, though well intentioned, may ultimately have caused this problem. I am referring to the very global security policies and measures to which our organizations subject us. Take the antivirus as an example. The antivirus is practically ubiquitous in desktop systems of all large and medium enterprises, and its presence is enforced; sometimes even on visitors and contractors, through policy, and complex and expensive network admission control systems. Enterprises have been singing the praises of antivirus in this way, both explicitly and implicitly, even when “fake-av” aka “rogue antivirus” came along in 2008 to sound the death knell on the venerated, but tired bluff of recursive decompression, signatures, heuristics, and so forth.

Virustotal statistics

Enterprises and households could have saved themselves numerous headaches, by focusing their time and budgets on alternatives to the antivirus, years ago. At least since 2007, when studies began to demonstrate that the trusted software was only effective 20-30% of the time. Instead, we all soldiered on, long after the tool was rendered more or less useless. It survived, thanks in no small part to organizations that insisted on playing this losing game, throwing good money after bad on a losing hand. The thing is, antiviruses have become largely irrelevant to attackers, who now avail themselves of novel vectors of entry inaugurated by the mobile-cloud-social era in which we all live.

But, let’s set aside the irrelevance of antiviruses, and their technical limitations. (Antivirus technology has always imposed significant system performance issues, the risk of false positives, and even an additional attack target due to its kernel level access). Their ineffectiveness is not just limited to the underlying technology, but also due to the lack of user involvement and understanding. How many users know, or even bother to tune the software to their system? How many are aware that it does not adequately address zero day threats, or most malware on websites, phishing, advanced malware and Trojans, and so on? Is it any wonder that users continue to download free and purchased antivirus software? Is it any wonder they think themselves secure once it’s installed?

Recently, Symantec officially proclaimed the death of the antivirus through a Wall Street Journal interview. For large manufacturers antiviruses continue to generate a lot of revenue, but the business proposition is no longer acceptable. It is a saturated market, in which top firms compete against cost free alternatives, including Windows Essentials, fight to displace competitors for miniscule changes in enterprise B2B market share, and depend largely on renewals. For such companies the shift to a replacement technology could not have come soon enough. Enter sandboxing and automated malware analysis engines, which overcome many of the shortcomings of the antivirus, including performance and detection of advanced threats.

Involve the user

What such technology does not address, however, is the fundamental need to involve the user in securing their digital identity. Sandboxing may be a solid step forward in detection. But, it is also a toolset which promotes continued reliance on a hackneyed, cat-and-mouse updating model. Similar to antivirus technology, this new technical approach to defeating malware lulls users into the belief that they are supremely protected, even against zero day threats. Sandboxing combined with malware analysis may be big business. However, it may also be, that security technologies which do not engage and motivate users to take an active role in their own defense are of limited benefit.

Excessive attention focused on new, advanced detection and mitigation technologies will likely result in the same blowback of unprepared, ignorant, and vulnerable user populations, as traditional antivirus. We are still the “weakest link”. Sandboxing doesn’t change that. But, times have changed; and like the skin of an expanding balloon our vulnerabilities are spreading out across an ever-widening attack surface: mobile, cloud and social. Systems, applications, and users are becoming increasingly difficult to secure; and global security policies and measures imposed across these surfaces are stretched thin.

Perhaps it is not the technology, but our focus which must shift, from global policies, toolsets, and procedures, to one that leverages the user’s help. After all, we bring our own advanced, mobile computing devices to work; we subscribe to cloud based storage systems, and upload and share company documents; we use professional and personal social networks, and leverage them to the benefit of ourselves and our employers, spin up new systems and servers, for trials, training and our own curiosity. It doesn’t require much imagination to see how our public and private lives have never been so intricately interwoven.

Data Leakage Worldwide: Common Risks and Mistakes Employees Make:
Shows the frequency with which corporate computers are used for personal use
Source: http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/data-loss-prevention/white_paper_c11-499060.html

A quick review of some statistics shows this intermingling is likely to deepen, that there are business incentives for it to happen, as well as significant business risks. According to Citrix, organizations predict that the percentage of BYO desktops and laptops will grow from 18-25%; Gartner says that by 2017, 50% of businesses will not supply employee computing devices; Deloitte adds that 69% of polled companies experience no technical support problems after implementing BYOD; despite the finding by Acronis that 80% of businesses do not provide education or training on BYOD. In a 2012 survey, commissioned by Check Point, of 768 IT professionals in the US, Canada, UK, Germany and Japan, 78% said there were more than twice as many personal devices connecting to corporate networks than there were two years before; and 47% reported that customer data was stored on mobile devices; 90% of which, according to Forbes, are used for email, calendar, shopping, banking and social.

Source: http://dreamscashtrue.com

The new digital polis involves a fusion of the private with the public, the personal with the professional, and requires organizations to change their perspective on securing systems, applications, users and other assets. This new view opens unprecedented opportunities to engage with us users (whether we are employees, partners or consumers). Organizations can become protagonists in our active involvement both within and without the workplace to secure ourselves, and thereby protect the enterprise. Currently, few security solutions help in this way. Most strive to do precisely the opposite: to minimize users’ roles in the security process. Rather than encouraging us to secure ourselves, these solutions lead us into taking foolish risks, shortcuts, and workarounds, making erroneous judgments and mistakes. In sum, we end up behaving like the weakest player at the poker table, the mark for all of our adversaries, the fish who, no matter what, always has the weakest hand.

Christopher Adelman

News: Latch plugin for phpBB 3.x is out

Florence Broderick    3 June, 2014
We have uploaded to GitHub our latest plugin for phpBB 3.x. It makes it easier to use Latch technology with this popular forum system. You can download it from here. Here is a little “how to” so you can check how easy the integration is. If you want a full step by step guide, visit our slideshare channel.

Prerequisites

• phpBB version 3.0.X.
• Curl extension active in PHP (uncomment “extension=php_curl.dll” or “extension=curl.so” in the Windows or Linux php.ini respectively).
• To get the “Application ID” and “Secret” (fundamental values for integrating Latch in any application), it’s necessary to register a developer account here. On the upper right side, click on “Developer area”.

Installing

• Once the administrator has downloaded the module, copy its content into the phpBB root folder.
• The next step is to activate the Latch module. From the control panel, go to the SYSTEM tab, and then to User Control Panel. Select Latch configuration from the menu and press the add module button.
• After accepting the message, go back to User Control Panel, where there will be a table with the installed modules. Latch will be the last one.
• Next to the Latch configuration text are the options available for the module. You must press Enable to activate it. The last option is for removing the module.

Adding the module

Configuring

• The next step is to include the Application ID and Secret previously generated. Go to the General tab, and then to Authentication. The existing authentication method should be replaced in the selectbox, indicating that from now on, authentication based on Latch is added.
• The second selectbox only appears when Latch is installed, and indicates the method Latch uses for authentication. This method must be the one that was previously indicated in the selectbox above.
• Press submit to finish the module configuration.
• The module is now ready to be used. There will be a new tab, Latch Configuration, in the user control panel. Go to Board index and then User Control Panel.

Latch configuration for phpBB

New features for Latch website and new plugins

Florence Broderick    30 May, 2014

The Latch website has been updated with some interesting news that make Latch reach more people and in many other ways. These are the most important:

Aside from that, new plugins for Ubuntu and Open-Xchange are available, as well as a PowerShell SDK. The OpenSSH plugin has been updated and improved.

All the information, here.

Heartbleed plugin for FOCA

Florence Broderick    30 April, 2014

By now, everyone knows about Heartbleed. Just like we did for FaasT, we have created a plugin for FOCA (final version), one of our most downloaded tools. This plugin allows the tool to detect vulnerable servers and audit them, among all the other cool features FOCA has.

Loading the plugin in FOCA

To take advantage of the plugin, just download FOCA and create a project over the domain to be audited. Load the plugin from the “Plugins” tab in the upper menu, and press on “Load/Unload plugins”. Browse for HeartBreatPlugin.dll and load it. Once loaded, it will be accessible from the plugins menu.

There are two options: automatic analysis, or manual analysis and exploitation. Checking “Check all hosts that FOCA detects automatically for the HeartBleed vulnerability” will make FOCA check for the vulnerability in all domains found for this project.

Automatically checking domains

Domains will go from the “Pending” box to “Checked” or “Vulnerable”, depending on the results. All domains found by the usual way FOCA works will be checked. For a manual analysis, a domain and port have to be specified. There is an option to repeat the attack every 5 seconds and generate a memory dump, which will be stored in a local file.

Manually checking domains

Ricardo Martín

Eleven Paths’ first anniversary. Cakes and Labs

Florence Broderick    25 April, 2014

Although our first post was created in May, Eleven Paths officially started a year ago, in April 2013. It has been a whole year of hard work, but with quite a lot of rewards. Much more than we expected. Anyhow, it is just a year. To be honest, that was “easy”. We still have to grow old and create the innovative technology we want to.

Just a year ago, Latch was not even an idea. FaasT was a tiny little thing (right now, it’s a monster), Metashield was basically a prototype… and much more (tools, conferences, white papers, patents…). But we still have new technology to show. And it’s going to be great. We really think so.

For this special day, we took a break in the London, Madrid and Málaga Labs. We stopped typing for a while and shared a moment with our coworkers. These are just a few pictures of the little party we all shared.

The tiny cake from London (we don’t endorse Evian).

The big and customized cake for Málaga, with typos included, and hiding the workers’ identities (you are welcome)…

And from our headquarters in Madrid.

As far as we can tell, they were all delicious.