CS338 Computer Security Wednesday, 4 May 2022 + Next - Threat modeling - Other conceptual models of security - Authentication & authorization including password cracking - Security-related law - Ethical analysis - Test returned Friday (I hope) + Scenario 1: working on my laptop at the coffee shop - Cast of characters ("stakeholders" dehumanizing terminology) - me - Everybody else in the coffee shop - IT people at coffee shop - network organizations/elements (servers, hardware, ISP,...) - owners - whoever wants my laptop or data - other people connected to the wifi - hardware manufacturers - employees - security people related to my laptop - city, county, state, federal governments - ... - What's at risk? - my laptop - my data - me - my coffee and my pastry - students' data - various characters' reputations - my credentials - other people's service, data, etc. - Describe threats * restroom visit, leaving laptop there and open * somebody taking my laptop (or my coffee!) (or pastry!!!) * spilling coffee on my laptop * open wifi network visibility... - spoofing wifi (get me to connect to Mal's network) * people watching me type my password and everything else - AirDrop me malware - Leave a malicious thumb drive (or QR code) lying around - I (or another customer) could be hogging the bandwidth, etc. - roofies - Steal my fingerprint from my coffee cup - hidef cameras selling to the Dark Web - Jesse James' grandson returns "Git yer guns, boys, they're robbin' Little Joy!" - Categorize threats - Describe mitigations - Sit where people can't see your keyboard or screen - Use a VPN - Close your computer when you leave the table Take your computer when you leave the table - Don't work there - Back up your data - Use your phone hotspot - Cover your drink - Wear gloves, get a raincoat and a tent, I guess? - Don't go to http: websites - Describe tradeoffs - It's a pain to take your computer to the restroom - ... + Scenario 2: installing a Ring at my house + Threat modeling - Frameworks to help structure thinking - Four questions - What are we doing? - What could go wrong? - What are we doing about it? - Did we do a good job? - STRIDE - What are the six items in STRIDE? S = Spoofing (e.g. fake wifi network) T = Tampering (e.g. sneaky student changes grade while I'm ordering more pastries) R = Repudiation I = Information leakage (wifi sniffing, looking over your shoulder, ...) D = Denial of service (hog the bandwidth, stealing laptop, etc.) E = Escalation of Privilege (two customers claim the same drink...?) - Stuff not covered by STRIDE - Discoverability - Forensics, recovery - Explicit attention to people - ... - "Attack surface" - Questions about what you're supposed to do for Friday? + Next readings - Conceptual modeling - Information Tech, nation-state intelligence (spying, etc.),... + How deeply should you study? - What happens if I point my browser at https://jeffondich.com:7/ https://jeffondich.com:22/ https://jeffondich.com:8080/ - Do 22, 7, and 8080 have any special significance? - Does the result differ from browser to browser? - What if you try it with curl? - What do you know (and what can you repeat from memory) about the sequence of client/server interactions that comes from this browser activity? Does that knowledge help you predict and/or understand what you actually see? -