Department of Computer Science and Electrical Engineering
University of Maryland, Baltimore County
Friday, February 14, 2020
January 13–17, 2020, UMBC scholars in the CyberCorps: Scholarship for Service (SFS) and the DoD Cybersecurity Scholarship (CySP) programs collaboratively analyzed the security of UMBC’s Sponsored Awards Management System (SAMS). Students found numerous serious issues, including code-injection and cross-site scripting attacks, configuration errors, developer backdoors, and denial-of-service attacks. We present findings and recommendations from this study.
To support administrative tracking of research grants, about ten years ago the UMBC Chemistry Department developed SAMS, allowing authorized users to create, view, modify, and approve grant-related purchase requests. Developed without oversight from UMBC’s Division of Information Technology (DoIT), SAMS offers an instructive case study in potential security vulnerabilities caused by “custom shadow IT” that plague many organizations. Since 2014, SAMS operates as a PHP web front-end to a Microsoft SQL database server. Until our study, SAMS had never undergone any security review.
Participants comprised BS, MS, MPS, and PhD students studying computer science, computer engineering, information systems, and cybersecurity, including SFS scholars who transferred from Montgomery College (MC) and Prince George’s Community College (PGCC) to complete their four-year degrees at UMBC. To help participants appreciate the danger of insider attacks, organizer Dr. Sherman recruited two moles to launch a simple passive insider attack. 84% of the participants fell victim to the attack by inserting a rogue USB stick into their devices.
About the Speaker:
Enis Golaszewski is a PhD student and former SFS scholar in computer science working with Dr.
Sherman on formal analysis of PAKE protocols.
Alan T. Sherman, email@example.com
Support for this event was provided in part by the National Science Foundation under SFS grant DGE-1753681.