Search for: All records

For the third consecutive year, Scholarship for Service (SFS) scholars at the University of Maryland, Baltimore County (UMBC) analyzed the security of targeted portions of the UMBC computer systems. During these hands-on studies, with complete access to sourcecode, students identified vulnerabilities, devised and implemented exploits, and recommended mitigations. We report on our continuing experiences with these project-based learning studies, focusing on the new problems addressed in January 2018 and 2019 and on the lessons we learned. In 2018, students analyzed the WebAdmin custom software that UMBC students, faculty, and staff use to manage credentials and accounts. Students found a beautifully instructive example of a “confused-deputy attack,” wherein an IT staff member—–through carrying out their proper procedures for resetting a user password—–unwittingly executes malware on their own machine by viewing the answers to security questions. In 2019, students analyzed the Virthost system UMBC uses to host student webpages. Organizer Alan Sherman created a powerful learning experience by secretly recruiting one of the participants to serve as a “mole,” passively collecting passwords from the other participants throughout the week. Our students found the collaborative experiences inspirational; students and educators appreciated the authentic case studies; and IT administrators gained access to future employees and received free recommendations for improving the security of their systems.