Adam Shostack + Friends, by email (adamshostack.substack.com)

Elevation of Privilege: New Cards for 2022

Adam
Jan 20

Holy cow, we've added new cards to Elevation of Privilege!

Elevation of Privilege cards

I recently had a burst of enthusiasm for updating the Elevation of Privilege card game, and there are now 7 new cards, plus a bunch of minor edits. ("Everyone in the world" is now "anyone with a Facebook account"; similarly, "ACLs" are now "permissions", etc.)

The new cards are:

  • T 2: An attacker can modify your build system and produce signed builds of your software

  • DoS 2: An attacker can make your authentication system unusable or unavailable

  • DoS 3: An attacker can drain our easily replaceable battery (battery, temporary)

  • DoS 4: An attacker can drain a battery that's hard to replace (sealed in a phone, an implanted medical device, or in a hard to reach location) (battery, persist)

  • DoS 5: An attacker can spend our cloud budget (budget, persist)

  • E2: An attacker has compromised a key technology supplier

  • E3: An attacker can access the cloud service which manages your devices

  • E4: An attacker can escape from a container or other sandbox

A complete list can be found in the GitHub history for cards.yaml.

The "log4j card" remains unchanged: "(R2) An attacker can pass data through the log to attack a log reader, and there's no documentation of what sorts of validation are done."

In other Elevation of Privilege news, there's a good article in Dark Reading, Let's Play! Raising the Stakes for Threat Modeling With Card Games by Andrada Fiscutean.

You can of course get the cards from the Elevation of Privilege GitHub repository, or do like I do, and buy decks from Agile Stationery.
