Educause Security Discussion mailing list archives
Pearson MyLab - SSL issues
From: "Fowler, Becky Thurmond" <ThurmondR () MISSOURI EDU>
Date: Tue, 7 Oct 2014 13:58:16 +0000
Hello,

I'm wondering if anyone on this list has dealt with the Pearson MyLab products. We've done our standard contractual review and inserted procurement language into our agreement with them. The setup our educational technology folks identified back when this whole thing started was that the Pearson labs would interface with a Blackboard Building Block and authentication would be handled in that manner.

It's since come to our attention that Pearson reps are (probably unintentionally) skirting this process and setting faculty up with MyLab products where the students authenticate directly to a Pearson website.

http://portal.mypearson.com/mypearson-login.jsp

The rub? The login page isn't using SSL, so a quick Wireshark capture reveals the username and a raw MD5 hash of the user's password in plain text. (To add insult to injury, professors are encouraging students to use their University login/password pair because doing so makes the transfer of grades back to Blackboard easier.)

We actually have a meeting this morning with some reps because once we reported this issue we were told the "good news" that Pearson will be encrypting all passwords by the end of Q1 2015. We're pushing back hard on this - I'm not sure what technical reason they have for not encrypting the login session but I'm sure I'll get some creative excuses at my 9:30 meeting.

Has anyone else had these discussions with Pearson? If so, what were the results?

Thanks!

Becky Thurmond Fowler
Manager, Security Assessments & Incident Response
Division of IT - Information Security & Access Management
University of Missouri-Columbia
becky () missouri edu
573.882.5182