Educause Security Discussion mailing list archives

Re: Pearson MyLab & Mastering SSL Concerns & Vulnerabilities


From: Lanita Rae Collette <Lanita.Collette () NAU EDU>
Date: Thu, 3 Dec 2015 15:35:19 +0000

Just posted this to the CIO list, repeating here:

Brady,

We discovered this security issue in the fall of 2013 and discussed with Pearson. At that time they had no plan to 
remediate the issue. Glad to see they will be addressing in the near future.

Happy to provide more detail offline if it would be helpful.

Lanita

Lanita Collette
University Information Security Officer
Northern Arizona University
(928) 523-8438
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Fackrell, Brady 
[bfackrell () SHERIDAN EDU]
Sent: Wednesday, December 02, 2015 9:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pearson MyLab & Mastering SSL Concerns & Vulnerabilities

There was a post<http://listserv.educause.edu/scripts/wa.exe?A2=ind1410&L=security&F=&S=&P=19234> similar to this last 
year that went unanswered.  However, I feel I should share what we have learned with all of you so that you can reach 
out to Pearson yourselves and let us know if any of you have the same concerns:

Our ITS helpdesk staff noticed that while they were assisting with issues related to MyMathLab, the URLs being accessed 
were not utilizing SSL.  As we dug further into the issue we found that most of the “MyLab & Mastering” products 
(MyMathLab, MyStatLab, etc.) had the same issue.  Pearson’s site has users log in at an HTTPS-encrypted login screen; 
however, once logged in, users are redirected to HTTP addresses for the rest of their session. They bounce around to 
several internal Pearson addresses and their session is completely unencrypted for nearly the entire time.

Yesterday we had a call with 6 Pearson representatives including their product director for MyMathLab.  We briefly 
outlined our issues, observations and concerns to them.  The product director confirmed that everything we outlined was 
accurate and they have been aware of these issues for about a year. They stated that it was a “high priority” to get 
this resolved but they did not have a definitive timeline for doing so. They hoped to have it resolved by Q1 or Q2 of 
next year but did not provide a specific deadline.

Our institution is concerned but we haven’t seen posts or inquiries from other schools on listservs or blogs.  We are 
curious if other institutions have looked into this with Pearson or have addressed this internally?

Thanks in advance.

Regards,
Brady Fackrell


Brady Fackrell
Director of Information Technology Services (CIO)

Northern Wyoming Community College District:
Sheridan College * Gillette College * Sheridan College in Johnson County


3059 Coffeen Avenue, Sheridan, WY 82801<http://maps.google.com/maps?q=3059+Coffeen+Ave,+Sheridan,+WY+82801,+USA&sa=X&oi=map&ct=title>

Internet:
bfackrell () sheridan edu<mailto:bfackrell () sheridan edu>
www.sheridan.edu<http://www.sheridan.edu/sc/services/its>


Phone: (307) 674-3399
Fax: (307) 672-7121

Follow ITS@NWCCD on Twitter, Facebook & Google+ :
Twitter<http://www.twitter.com/ITS_NWCCD> | Facebook<http://www.facebook.com/pages/Sheridan-WY/Information-Technology-Services-Department-at-NWCCD/102974096409191> | Google+<https://plus.google.com/105575739749260887245?prsrc=3>

Think before you print.
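As an added example (not part of the original thread and not Pearson's code), the following Python script shows how an institution can audit the behaviour Brady describes: an HTTPS login that redirects into a plaintext HTTP session. It walks a captured post-login redirect chain and reports each HTTPS-to-HTTP downgrade, every request that went over plain HTTP, and any cookie issued during login without the Secure attribute, which is what lets the browser send the session cookie over those HTTP hops. The hostnames, URLs, cookie names and values below are constructed; a real run would feed it a chain exported from a browser's developer tools or a HAR file.

```python
"""Audit a post-login redirect chain for HTTPS -> HTTP session downgrades.

Added example; hostnames, URLs and cookies are constructed, not Pearson's.
Each hop is (request_url, status_code, response_headers).
"""
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed chain reproducing the reported pattern: HTTPS login page,
# then redirects into HTTP for the rest of the session.
SAMPLE_CHAIN = [
    ("https://login.example-lms.test/login", 302,
     {"Location": "http://portal.example-lms.test/home",
      "Set-Cookie": "sessionid=abc123; Path=/; HttpOnly"}),
    ("http://portal.example-lms.test/home", 302,
     {"Location": "http://courses.example-lms.test/course/42"}),
    ("http://courses.example-lms.test/course/42", 200, {}),
]

# Constructed chain showing the corrected behaviour: every hop stays on
# HTTPS and the session cookie carries the Secure attribute.
HARDENED_CHAIN = [
    ("https://login.example-lms.test/login", 302,
     {"Location": "/home",
      "Set-Cookie": "sessionid=abc123; Path=/; Secure; HttpOnly"}),
    ("https://login.example-lms.test/home", 302,
     {"Location": "https://courses.example-lms.test/course/42"}),
    ("https://courses.example-lms.test/course/42", 200, {}),
]


def insecure_cookie_names(set_cookie_header):
    """Return names of cookies in a Set-Cookie header that lack Secure."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    # SimpleCookie stores the Secure flag as True when present, "" otherwise.
    return [name for name, morsel in jar.items() if not morsel["secure"]]


def audit_chain(chain):
    """Return a dict of findings for one captured redirect chain."""
    findings = {"downgrades": [], "plaintext_requests": [], "insecure_cookies": []}
    for request_url, status, headers in chain:
        scheme = urlsplit(request_url).scheme
        if scheme == "http":
            findings["plaintext_requests"].append(request_url)

        set_cookie = headers.get("Set-Cookie")
        if set_cookie:
            findings["insecure_cookies"].extend(insecure_cookie_names(set_cookie))

        location = headers.get("Location")
        if status in REDIRECT_STATUSES and location:
            # Resolve relative Location values against the requesting URL so
            # a bare "/home" keeps the current scheme and is not misreported.
            target = urljoin(request_url, location)
            if scheme == "https" and urlsplit(target).scheme == "http":
                findings["downgrades"].append((request_url, target))
    return findings


def is_clean(findings):
    """True when the chain stayed on HTTPS and every cookie was Secure."""
    return not any(findings.values())


def print_report(label, chain):
    findings = audit_chain(chain)
    print(f"== {label}: {'OK' if is_clean(findings) else 'FINDINGS'} ==")
    for src, dst in findings["downgrades"]:
        print(f"  downgrade: {src} -> {dst}")
    for url in findings["plaintext_requests"]:
        print(f"  plaintext request: {url}")
    for name in findings["insecure_cookies"]:
        print(f"  cookie without Secure attribute: {name}")


if __name__ == "__main__":
    print_report("reported behaviour", SAMPLE_CHAIN)
    print_report("hardened behaviour", HARDENED_CHAIN)
```

The check is deliberately passive: it only inspects traffic the institution's own browsers already generated, so it can be rerun against the vendor's site to confirm when a fix announced for a future quarter has actually shipped.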