Educause Security Discussion mailing list archives

Re: NCAA ?!


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Tue, 24 Jan 2006 16:32:18 -0500

I just went and looked at it and it looks as you say.

However, they do (also) have the SSL version of the
same site running on the server (at the HTTPS port).

I'd agree that they should probably disable the non-SSL
version of any pages taking PINs/passwords/SSNs/grades/etc.
such as:

http://www.ncaaclearinghouse.net/ncaa/NCAA/college/index_college.html
https://www.ncaaclearinghouse.net/ncaa/NCAA/college/index_college.html

Morrow

- H. Morrow Long, CISSP, CISM, CEH
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS



On Jan 24, 2006, at 11:56 AM, Chad McDonald wrote:

Are any of you using NCAA Clearinghouse?  An audit of our athletic
department revealed that the site does not use SSL or any other
mechanisms for security other than username and password.  I find
this disturbing and hope that one of you has already crossed this
bridge and has a solution.  The URL in question is
http://ncaaclearinghouse.net .  For those of you who are unfamiliar with
NCAA, this site is the data mart for high school and college
athletes.  They track SSNs, grades, and other such info needed to
ensure eligibility to play sports.


Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell       478.454.8250
Fax       478.445.1202
Email   chad.mcdonald () gcsu edu


