Educause Security Discussion mailing list archives
Re: Pearson MyLab & Mastering SSL Concerns & Vulnerabilities
From: Lanita Rae Collette <Lanita.Collette () NAU EDU>
Date: Thu, 3 Dec 2015 15:35:19 +0000
Just posted this to the CIO list, repeating here:

Brady,

We discovered this security issue in the fall of 2013 and discussed with Pearson. At that time they had no plan to remediate the issue. Glad to see they will be addressing in the near future. Happy to provide more detail off line if it would be helpful.

Lanita

Lanita Collette
University Information Security Officer
Northern Arizona University
(928) 523-8438

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Fackrell, Brady [bfackrell () SHERIDAN EDU]
Sent: Wednesday, December 02, 2015 9:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Pearson MyLab & Mastering SSL Concerns & Vulnerabilities

There was a post<http://listserv.educause.edu/scripts/wa.exe?A2=ind1410&L=security&F=&S=&P=19234> similar to this, last year, that went unanswered. However, I feel I should share what we have learned with all of you so that you can reach out to Pearson yourselves and let us know if any of you have the same concerns:

Our ITS helpdesk staff noticed that while they were assisting with issues related to MyMathLab the URLs being accessed were not utilizing SSL. As we dug further into the issue we found that most of the “MyLab & Mastering” products (MyMathLab, MyStatLab, etc) had the same issue. Pearson’s site has users login at an HTTPS encrypted login screen, however, once logged in the users are redirected to HTTP addresses for the rest of their session. They bounce around to several internal Pearson addresses and their session is completely unencrypted for nearly the entire time.

Yesterday we had a call with 6 Pearson representatives including their product director for MyMathLab. We briefly outlined our issues, observations and concerns to them. The product director confirmed that everything we outlined was accurate and they have been aware of these issues for about a year. They stated that it was a “high priority” to get this resolved but they did not have a definitive timeline for doing so. They hoped to have it resolved by Q1 or Q2 of next year but did not provide a specific deadline.

Our institution is concerned but we haven’t seen posts or inquiries from other schools on listservs or blogs. We are curious if other institutions have looked into this with Pearson or have addressed this internally?

Thanks in advance.

Regards,
Brady Fackrell

Brady Fackrell
Director of Information Technology Services (CIO)
Northern Wyoming Community College District: Sheridan College * Gillette College * Sheridan College in Johnson County
3059 Coffeen Avenue
Sheridan, WY 82801<http://maps.google.com/maps?q=3059+Coffeen+Ave,+Sheridan,+WY+82801,+USA&sa=X&oi=map&ct=title>
Internet: bfackrell () sheridan edu<mailto:bfackrell () sheridan edu>
www.sheridan.edu<http://www.sheridan.edu/sc/services/its>
Phone: (307) 674-3399
Fax: (307) 672-7121
Follow ITS@NWCCD on Twitter, Facebook & Google+ : <http://www.twitter.com/ITS_NWCCD> <http://www.facebook.com/pages/Sheridan-WY/Information-Technology-Services-Department-at-NWCCD/102974096409191> <https://plus.google.com/105575739749260887245?prsrc=3>
Think before you print.
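The behaviour reported in the thread (HTTPS login followed by redirects to HTTP for the rest of the session) can be checked from a recorded redirect chain. The following is an added example, not part of either message and not Pearson's code: the hostnames, cookie names and hop data are constructed placeholders, and the check on the cookie `Secure` attribute is an addition the thread does not mention.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed sample: one (requested URL, status, response headers) tuple per hop,
# as exported from a proxy or browser capture. Hostnames are placeholders.
SAMPLE_HOPS = [
    ("https://login.vendor.example/signin", 302,
     [("Set-Cookie", "SESSION=abc123; Path=/; HttpOnly"),
      ("Location", "/portal")]),
    ("https://login.vendor.example/portal", 302,
     [("Set-Cookie", "csrf=x9; Path=/; Secure"),
      ("Location", "http://course.vendor.example/home")]),
    ("http://course.vendor.example/home", 200, []),
]


def audit_redirect_chain(hops):
    """Return (finding, url, detail) tuples for a recorded redirect chain."""
    findings = []
    for url, status, headers in hops:
        scheme = urlsplit(url).scheme
        for name, value in headers:
            lname = name.lower()
            if lname == "set-cookie" and scheme == "https":
                # A cookie set over HTTPS without Secure is also sent on
                # later plain-HTTP requests to a matching host.
                jar = SimpleCookie()
                jar.load(value)
                for morsel in jar.values():
                    if not morsel["secure"]:
                        findings.append(("cookie-without-secure", url, morsel.key))
            elif lname == "location" and 300 <= status < 400:
                # Location may be relative, so resolve it against the hop URL.
                target = urljoin(url, value)
                if scheme == "https" and urlsplit(target).scheme == "http":
                    findings.append(("https-to-http-redirect", url, target))
    # The final hop is where the user's session actually continues.
    if hops and urlsplit(hops[-1][0]).scheme == "http":
        findings.append(("session-ends-on-http", hops[-1][0], None))
    return findings


if __name__ == "__main__":
    for finding in audit_redirect_chain(SAMPLE_HOPS):
        print(finding)
```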
Current thread:
- Pearson MyLab & Mastering SSL Concerns & Vulnerabilities Fackrell, Brady (Dec 02)
- Re: Pearson MyLab & Mastering SSL Concerns & Vulnerabilities Lanita Rae Collette (Dec 03)
- Re: Pearson MyLab & Mastering SSL Concerns & Vulnerabilities Ben Woelk (Dec 03)
- <Possible follow-ups>
- Re: Pearson MyLab & Mastering SSL Concerns & Vulnerabilities Bradden Wondra (Dec 04)
- Re: Pearson MyLab & Mastering SSL Concerns & Vulnerabilities Lanita Rae Collette (Dec 03)