CS338 Computer Security
Monday, 13 October 2025

+ This week
  - A little threat modeling
  - A little ethical analysis
  - A little law

+ Threat models
  - What's the point?
  - Threat Modeling Manifesto https://www.threatmodelingmanifesto.org/
  - Why have formal frameworks?
  - STRIDE as an example framework

+ STRIDE lab
  Door lock kiosk, server in basement, etc.
  - Spoofing
    - Steal a password and use it
      - hack into user's computer, read their password manager/text file
      - phishing
      - physical threats
      - bribes
      - mitigations: Duo and other 2FA; force password rotation(?); biometrics; ...; when passwords are created, check haveibeenpwned for password reuse
    - Capture wifi packet that unlocks the door and resend it
      - mitigations: disallow repeated signals (see car key fob algs); don't use wifi; use physical keys; TLS
    - Try all the passwords for a given user [depends on reverse engineering the wifi login protocol]
      - mitigation: check for unfamiliar IP addresses
  - Tampering
    - Replace kiosk with your own kiosk
    - (many of the DOS ones below go here, too)
  - Repudiation
    - use one of the spoofing techniques
    - wear a ski mask while installing the evil kiosk
    - hire somebody to do the attack for you
    - walk in behind a legitimate user
  - Information Disclosure
    - get onto the server somehow, steal data
    - capture wifi packets to log entrances and exits
  - Denial of Service
    - Cut the power cable to the kiosk
    - Break the kiosk
    - Barricade the door
    - Distributed denial of service applied to the login server if it's on the open internet (doesn't work if it's wifi only); in any case, try to flood it with packets
    - Put up a sign "out of order"...
  - Elevation of Privilege
    - (maybe it goes here) Try all the passwords for a given user
    - walk in behind a legitimate user

+ In general
  - Threat brainstorming is hard. There are *lots* of possibilities.
  - Some mitigations are annoying [usability] or expensive [cost]
  - "Shift left" is good: move the security/threat analysis as early in the development process as possible
  - "Zero trust" is good (though not exactly possible): different modules of the system shouldn't trust each other, and hacking into one module shouldn't give you access to another (e.g., use TLS and IP-checking on the login server to verify that you're talking to the kiosk)
  - STRIDE is just one example of a framework for threat modeling

+ Ideas of security-related ethical conundrums?

+ The upcoming homework assignments
  - Wednesday: ethical analysis
  - Friday: a reading response about some legal issues
  - Monday: midterm break
  - Wednesday: Don't forget to submit your first-half #mindset observation
  - After that: more authentication (including password cracking), a bit more authorization, pen-testing/ethical hacking, ...
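The STRIDE lab's Spoofing section lists "disallow repeated signals (see car key fob algs)" as a mitigation for a captured-and-resent unlock packet, and the zero-trust bullet suggests the login server should verify that it is really talking to the kiosk. The following is an added example (not code from the lecture notes) showing the server-side check that covers both: each unlock frame carries a monotonically increasing counter and an HMAC under a per-kiosk key, and the server accepts a frame only when the MAC verifies and the counter is ahead of the last one it accepted, within a small forward window (the resynchronisation trick that rolling-code key fobs use). The kiosk id, key, frame layout and window size are constructed for illustration.

```python
"""Replay-resistant unlock messages between a door-lock kiosk and its server.

Added example for the STRIDE lab; not from the lecture notes. The kiosk id,
shared key, frame layout and window size below are constructed.
"""
import hashlib
import hmac
import struct

# Constructed per-kiosk shared secret. A real deployment would provision a
# random key per kiosk at install time and keep it only on the server.
KIOSK_KEYS = {b"kiosk-front-door": b"constructed-demo-key-do-not-use"}

# How far ahead of the last accepted counter a frame may be. Key fobs use a
# similar forward window so that presses out of range of the car (messages the
# receiver never saw) do not permanently desynchronise the two sides.
WINDOW = 16

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes
CTR_LEN = 8


def make_unlock_message(kiosk_id: bytes, key: bytes, counter: int, user: bytes) -> bytes:
    """Kiosk side: frame = kiosk_id '|' user counter(8 bytes, big-endian) + HMAC-SHA256.

    The MAC covers everything before it, so the counter cannot be changed
    without the key.
    """
    body = kiosk_id + b"|" + user + struct.pack(">Q", counter)
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return body + mac


class DoorServer:
    """Server side: accepts a frame only if the MAC verifies and the counter is fresh."""

    def __init__(self) -> None:
        self.last_counter: dict[bytes, int] = {}  # highest counter accepted per kiosk

    def verify_unlock(self, frame: bytes) -> tuple[bool, str]:
        if len(frame) < MAC_LEN + CTR_LEN + 3:  # shortest frame is "a|b" + counter + mac
            return False, "malformed"
        body, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        header, ctr_bytes = body[:-CTR_LEN], body[-CTR_LEN:]
        kiosk_id, sep, user = header.partition(b"|")
        if not sep:
            return False, "malformed"
        key = KIOSK_KEYS.get(kiosk_id)
        if key is None:
            return False, "unknown kiosk"
        # Check the MAC before looking at the counter: nothing about counter
        # state is revealed to a sender that does not hold the kiosk's key.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):  # constant-time comparison
            return False, "bad mac"
        counter = struct.unpack(">Q", ctr_bytes)[0]
        last = self.last_counter.get(kiosk_id, 0)
        if counter <= last:
            return False, "replay"  # a captured and resent frame ends up here
        if counter > last + WINDOW:
            return False, "counter outside window"
        self.last_counter[kiosk_id] = counter
        return True, "unlock for " + user.decode(errors="replace")


if __name__ == "__main__":
    server = DoorServer()
    kid = b"kiosk-front-door"
    fresh = make_unlock_message(kid, KIOSK_KEYS[kid], 1, b"alice")
    print(server.verify_unlock(fresh))  # (True, 'unlock for alice')
    print(server.verify_unlock(fresh))  # (False, 'replay')
```

Two design points worth noticing: the counter lives inside the MAC'd body, so a resent packet cannot simply be given a new counter; and the window lets the kiosk skip counters (a frame lost on wifi) without locking everyone out, while still bounding how far ahead an attacker could push the state even with a valid key.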