Educause Security Discussion mailing list archives

Re: NCAA ?!

From: "Christopher E. Cramer" <chris.cramer () DUKE EDU>
Date: Tue, 24 Jan 2006 12:12:32 -0500

Interesting.  It looks like you can use SSL and the link for student
login/registration does use https.  Have you tried contacting them?
Perhaps they're willing to redirect all requests to the SSL encrypted
version.  Given the sensitivity of the data and that they have SSL
available and even use it for the student login suggests that they might
be willing to make that change.

-c

--
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University,  Office of Information Technology
334 Blackwell St., Suite 2106, Durham, NC 27701
PH: 919-660-7003  FAX: 919-668-2953  CELL: 919-210-0528


On Tue, 24 Jan 2006, Chad McDonald wrote:

Are any of you using NCAA Clearinghouse?  An audit of our athletic
department revealed that the site does not use ssl or any other mechanisms
for security other than username and password.  I find this disturbing and
hope that one of you has already crossed this bridge and has a solution.
The URL in question is http://ncaaclearinghouse.net .  For those of you who
are unfamiliar with NCAA, this site is the data mart for high school and
college athletes.  They track SSNs, grades, and other such info needed to
ensure eligibility to play sports.


Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell       478.454.8250
Fax       478.445.1202
Email   chad.mcdonald () gcsu edu

Current thread:

NCAA ?! Chad McDonald (Jan 24)
- <Possible follow-ups>
- Re: NCAA ?! Christopher E. Cramer (Jan 24)
- Re: NCAA ?! Kevin Shalla (Jan 24)
- Re: NCAA ?! H. Morrow Long (Jan 24)