News: New versions and features in Latch apps

Monday, June 23, 2014

With summer and holidays approaching for most of you, at Eleven Paths we have prepared an important update for the Latch app. There is a new version for Android, iOS and Windows Phone, with several improvements and new features.

In this post we describe the most important new features and improvements in the new app for Android, iOS and Windows Phone, so you can keep protecting your services more effectively and easily.

Main improvements

The most noticeable improvement for users updating to the new version is a big sliding element that we call here in the office "latchón" ("big latch"). This slider replaces the "Lock Everything" button of the previous version.

"Latchón" in Android

Another new behaviour: when a service is locked with this element, every operation below it is locked too. In addition, those operations are disabled in the app, so you cannot modify the status of any of them while the service is locked.

Locking all the paired services when the "Latchón" is activated.

Locking internal operations when activating the big latch of a service.

Unlocking the big latch keeps the latest status of every service or operation. The usual slide buttons (that we call "little latches" or "latchitos") now come with a text indicating the status ("LOCK" for locked and "UNLOCK" for unlocked); these texts are translated into Spanish, English, Portuguese and German.

"Latchito" of a locked service

A new intermediate screen when generating the pairing token

Now, when generating a new token, an intermediate screen appears from which you can either open the guide explaining the pairing process or generate the token directly. This gives the user time to click on the exact form field of the website where the token is being requested.

Step before generating the pairing token

Scheduled lock and autolock

Scheduling a lock is now easier. In previous versions it was done with a clock-shaped button next to the lock and unlock buttons, which some users found confusing. Now it is configured from a separate "Schedule lock" field, and Latch automatically sets the status according to the configured time span.

Besides, "Scheduled lock" and "Autolock" are now mutually exclusive, to avoid confusion about the status of a service or operation at a given time: when one is set, the other is disabled.

"Scheduled lock" set and "Autolock" disabled

Another new feature is that services or operations with a "Scheduled lock" show a clock-shaped icon inside their "latchitos" (little latches).

A little clock in the latch indicates a "Scheduled lock"

The autolock time is now global for all services or operations, and is set from the "Settings" menu.

Notifications about unlocking parent operations

When unlocking an operation from a notification, if that operation is locked because a lock is set on a "parent" operation or service, the notification also includes a message listing the operations that will be unlocked along with it.

This is because when a lock is set on a service, all the elements below it are locked too. Thanks to this feature the user can decide whether or not to unlock the operation, knowing which other services or operations will be unlocked as well.

Notification about unlocking parent operations

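The locking rules described in this post (a lock on a service applies to everything below it, the "latchón" locks and disables all operations at once, releasing it restores each operation's own latest status, and unlocking an operation that is locked through a parent also unlocks whatever else that parent lock was covering) can be modelled as a small tree. The following Python is an added example written for this page, not Latch's own code; the class and function names (Latch, plan_unlock, confirm_unlock) and the sample "Bank" service are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class Latch:
    """One service or operation in the model (constructed for this example).

    `locked` is the node's own latest setting; the effective status also
    depends on every ancestor, since a lock above applies to all below."""
    name: str
    locked: bool = False
    children: List["Latch"] = field(default_factory=list)
    parent: Optional["Latch"] = field(default=None, repr=False)

    def add(self, child: "Latch") -> "Latch":
        child.parent = self
        self.children.append(child)
        return child

    def ancestors_and_self(self) -> Iterator["Latch"]:
        node = self
        while node is not None:
            yield node
            node = node.parent

    def walk(self) -> Iterator["Latch"]:
        yield self
        for child in self.children:
            yield from child.walk()

    def effective_locked(self) -> bool:
        return any(n.locked for n in self.ancestors_and_self())

    def editable_in_app(self) -> bool:
        # an operation under a locked parent is shown disabled in the app
        return not any(n.locked for n in self.ancestors_and_self() if n is not self)


def status_text(node: Latch) -> str:
    """Label shown on a 'latchito'."""
    return "LOCK" if node.effective_locked() else "UNLOCK"


def lock_all(service: Latch) -> None:
    """The big slider ('latchón'): one lock on the service covers everything below."""
    service.locked = True


def unlock_all(service: Latch) -> None:
    """Releasing the big slider; each operation keeps its own latest setting."""
    service.locked = False


def snapshot(root: Latch) -> Dict[str, bool]:
    return {n.name: n.effective_locked() for n in root.walk()}


def plan_unlock(node: Latch) -> Tuple[List[str], List[str]]:
    """Dry run of unlocking `node` from a notification.

    Returns the explicit locks that would have to be cleared (the node's own
    and any on its parents) and every service/operation whose effective
    status would flip from locked to unlocked: the list the notification
    message shows before the user confirms."""
    root = list(node.ancestors_and_self())[-1]
    before = snapshot(root)
    to_clear = [n for n in node.ancestors_and_self() if n.locked]
    for n in to_clear:
        n.locked = False
    after = snapshot(root)
    for n in to_clear:          # restore: this is only a preview
        n.locked = True
    unlocked = [name for name in before if before[name] and not after[name]]
    return [n.name for n in to_clear], unlocked


def confirm_unlock(node: Latch) -> List[str]:
    """Apply the unlock once the user has accepted the notification."""
    _, unlocked = plan_unlock(node)
    for n in node.ancestors_and_self():
        n.locked = False
    return unlocked


def demo() -> Dict[str, object]:
    # constructed sample: a bank service with two operations, one nested
    bank = Latch("Bank")
    login = bank.add(Latch("Login"))
    transfer = bank.add(Latch("Transfer"))
    intl = transfer.add(Latch("International transfer"))

    transfer.locked = True            # the user's own setting on Transfer
    lock_all(bank)                    # pull the latchón
    while_locked = (status_text(login), login.editable_in_app())
    unlock_all(bank)                  # release it: Transfer stays locked
    after_release = (status_text(login), status_text(transfer), status_text(intl))
    to_clear, will_unlock = plan_unlock(intl)   # "unlock" tapped on the nested op
    return {"while_locked": while_locked, "after_release": after_release,
            "to_clear": to_clear, "will_unlock": will_unlock}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

plan_unlock is deliberately a dry run: it reports which explicit locks would have to be cleared and which items would change from locked to unlocked, which is the information the notification has to show before the user confirms; confirm_unlock then applies the change. Keeping each node's own setting separate from its effective status is what lets the big latch be released without losing the user's per-operation choices.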
Improvements on devices

Besides these common features, the Android and Windows Phone apps include some platform-specific improvements:
  • For Android, the app is now optimized for MDPI resolution.
  • Latch for Windows Phone is the one that has been modified the most. Notifications are now received when unpairing services, and may be configured to be received when accessing an unlocked service. Another improvement: if the service provider modifies the status of the service, the app shows an orange notification. Windows Phone 8.1 is now supported.

The weakest hand (on security)

Monday, June 9, 2014

Users have much more at stake in the digital world than ever before. Arguably as much or more, even, than our employers: our personal and professional reputations, livelihood, assets, family, friendships and homes. Yet, most of us use little more than an antivirus, a desktop firewall, and whatever has been built into our routers and implemented for us by our local ISPs to safeguard all of this. Meanwhile, the businesses we work for have hired experts to monitor the organization, its systems, applications, and devices around the clock. They invest in layered defenses, analytics, forensics, intelligence and so forth. But they do little to protect users when we leave the office.

The weakest link

Finding Nemo. Source:

Whether or not they realize it, organizations depend on us, also around the clock, to defend both personal and enterprise interests. Attackers can leverage vulnerabilities in our personal digital lives to get at our employers, and vice versa; and often, this is precisely what they do. Users are an easy mark. We are the weakest link, "the fish" as they say at the poker table, susceptible to phishing, watering holes, and social engineering. We are error prone, willing to sacrifice security for productivity gains, often lazy, or resistant to security policy. To make matters worse, when we leave the office we haven't got the resources our employers have; and so, we don't take the precautions that might otherwise help our organizations minimize the risks associated with attackers leap-frogging from the personal to the professional.

Just as with businesses, the overall level of risk to which we, the fish, are exposed is increasing, and we ought to dedicate more care and awareness to safeguard our personal digital lives, the same way our employers do to protect their assets. But we don't (at least not the majority of us), and so long as we don't do enough to protect ourselves we will continue to be fish.

Long live the antivirus?

There's a paternalistic aspect to securing users and consumers that, though well intentioned, may ultimately have caused this problem. I am referring to the very global security policies and measures to which our organizations subject us. Take the antivirus as an example. The antivirus is practically ubiquitous on the desktop systems of all large and medium enterprises, and its presence is enforced, sometimes even on visitors and contractors, through policy and complex and expensive network admission control systems. Enterprises have been singing the praises of antivirus in this way, both explicitly and implicitly, even when "fake-av", aka "rogue antivirus", came along in 2008 to sound the death knell on the venerated but tired bluff of recursive decompression, signatures, heuristics, and so forth.

Virustotal statistics

Enterprises and households could have saved themselves numerous headaches by focusing their time and budgets on alternatives to the antivirus years ago, at least since 2007, when studies began to demonstrate that the trusted software was only effective 20-30% of the time. Instead, we all soldiered on, long after the tool was rendered more or less useless. It survived, thanks in no small part to organizations that insisted on playing this losing game, throwing good money after bad on a losing hand. The thing is, antiviruses have become largely irrelevant to attackers, who now avail themselves of novel vectors of entry inaugurated by the mobile-cloud-social era in which we all live.

But let's set aside the irrelevance of antiviruses and their technical limitations. (Antivirus technology has always imposed significant system performance issues, the risk of false positives, and even an additional attack target due to its kernel-level access.) Their ineffectiveness is not just limited to the underlying technology, but is also due to the lack of user involvement and understanding. How many users know, or even bother, to tune the software to their system? How many are aware that it does not adequately address zero-day threats, or most malware on websites, phishing, advanced malware and Trojans, and so on? Is it any wonder that users continue to download free and purchased antivirus software? Is it any wonder they think themselves secure once it's installed?

Recently, Symantec officially proclaimed the death of the antivirus through a Wall Street Journal interview. For large manufacturers antiviruses continue to generate a lot of revenue, but the business proposition is no longer acceptable. It is a saturated market, in which top firms compete against cost-free alternatives, including Windows Essentials, fight to displace competitors for minuscule changes in enterprise B2B market share, and depend largely on renewals. For such companies the shift to a replacement technology could not have come soon enough. Enter sandboxing and automated malware analysis engines, which overcome many of the shortcomings of the antivirus, including performance and detection of advanced threats.

Involve the user

What such technology does not address, however, is the fundamental need to involve the user in securing their digital identity. Sandboxing may be a solid step forward in detection. But it is also a toolset which promotes continued reliance on a hackneyed, cat-and-mouse updating model. Similar to antivirus technology, this new technical approach to defeating malware lulls users into the belief that they are supremely protected, even against zero-day threats. Sandboxing combined with malware analysis may be big business. However, it may also be that security technologies which do not engage and motivate users to take an active role in their own defense are of limited benefit.

Excessive attention focused on new, advanced detection and mitigation technologies will likely result in the same blowback of unprepared, ignorant, and vulnerable user populations as traditional antivirus. We are still the "weakest link". Sandboxing doesn't change that. But times have changed; and like the skin of an expanding balloon our vulnerabilities are spreading out across an ever-widening attack surface: mobile, cloud and social. Systems, applications, and users are becoming increasingly difficult to secure; and global security policies and measures imposed across these surfaces are stretched thin.

Perhaps it is not the technology but our focus which must shift, from global policies, toolsets, and procedures to one that leverages the user's help. After all, we bring our own advanced, mobile computing devices to work; we subscribe to cloud-based storage systems, and upload and share company documents; we use professional and personal social networks, and leverage them to the benefit of ourselves and our employers; we spin up new systems and servers for trials, training and our own curiosity. It doesn't require much imagination to see how our public and private lives have never been so intricately interwoven.

Data Leakage Worldwide: Common Risks and Mistakes Employees Make: shows the frequency with which corporate computers are used for personal use

A quick review of some statistics shows this intermingling is likely to deepen, that there are business incentives for it to happen, as well as significant business risks. According to Citrix, organizations predict that the percentage of BYO desktops and laptops will grow from 18-25%; Gartner says that by 2017, 50% of businesses will not supply employee computing devices; Deloitte adds that 69% of polled companies experience no technical support problems after implementing BYOD, despite the finding by Acronis that 80% of businesses do not provide education or training on BYOD. In a 2012 survey of 768 IT professionals in the US, Canada, UK, Germany and Japan, commissioned by Check Point, 78% said there were more than twice as many personal devices connecting to corporate networks than there were two years before, and 47% reported that customer data was stored on mobile devices, 90% of which, according to Forbes, are used for email, calendar, shopping, banking and social.

The new digital polis involves a fusion of the private with the public, the personal with the professional, and requires organizations to change their perspective on securing systems, applications, users and other assets. This new view opens unprecedented opportunities to engage with us users (whether we are employees, partners or consumers). Organizations can become protagonists in our active involvement, both within and without the workplace, to secure ourselves and thereby protect the enterprise. Currently, few security solutions help in this way. Most strive to do precisely the opposite: to minimize users' roles in the security process. Rather than encouraging us to secure ourselves, these solutions lead us into taking foolish risks, shortcuts, and workarounds, making erroneous judgments and mistakes. In sum, we end up behaving like the weakest player at the poker table, the mark for all of our adversaries, the fish who, no matter what, always has the weakest hand.

Christopher Adelman

News: Latch plugin for phpBB 3.x is out

Tuesday, June 3, 2014

We have uploaded to GitHub our latest plugin, for phpBB 3.x. It makes it easier to use Latch technology with this popular forum system. You can download it from here. Here is a little how-to so you can check how easy the integration is. If you want a full step-by-step guide, visit our SlideShare channel.

• phpBB version 3.0.X.
• The curl extension enabled in PHP (uncomment "extension=php_curl.dll" or "" in the Windows or Linux php.ini, respectively).
• To get the "Application ID" and "Secret" (fundamental values for integrating Latch in any application), it is necessary to register a developer account here. On the upper right side, click on "Developer area".
• Once the administrator has downloaded the module, copy its content into the phpBB root folder.
• The next step is to activate the Latch module. From the control panel, go to the SYSTEM tab and then to User Control Panel. Select Latch configuration from the menu and press the add module button.
• After accepting the message, go back to User Control Panel, where there will be a table with the installed modules. Latch will be the last one.
• Next to the Latch configuration text are the options available for the module. Press Enable to activate it. The last option is for removing the module.

Adding the module

• The next step is to enter the Application ID and Secret previously generated. Go to the General tab, and then to Authentication. The existing authentication method should be replaced in the select box, indicating that from now on authentication based on Latch is added.
• The second select box only appears when Latch is installed, and indicates the method Latch uses for authentication. This method must be the one previously indicated in the select box above.
• Press submit to finish the module configuration.
• The module is now ready to be used. There will be a new Latch Configuration tab in the user control panel. Go to Board index and then User Control Panel.

Latch configuration for phpBB