Educause Security Discussion mailing list archives
Re: NCAA ?!
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Tue, 24 Jan 2006 16:32:18 -0500
I just went and looked at it and it looks as you say. However, they do (also) have the SSL version of the same site running on the server (at the HTTPS) port.

I'd agree that they should probably disable the non-SSL version of any pages taking pins/passwords/ssns/grades/etc such as:

http://www.ncaaclearinghouse.net/ncaa/NCAA/college/index_college.html
https://www.ncaaclearinghouse.net/ncaa/NCAA/college/index_college.html

Morrow

- H. Morrow Long, CISSP, CISM, CEH
University Information Security Officer
Director -- Information Security Office
Yale University, ITS

On Jan 24, 2006, at 11:56 AM, Chad McDonald wrote:
Are any of you using NCAA Clearinghouse? An audit of our athletic department revealed that the site does not use ssl or any other mechanisms for security other than username and password. I find this disturbing and hope that one of you has already crossed this bridge and has a solution. The URL in question is http://ncaaclearinghouse.net.

For those of you who are unfamiliar with NCAA, this site is the data mart for high school and college athletes. They track SSNs, grades, and other such info needed to ensure eligibility to play sports.

Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
Phone 478.445.4473
Cell 478.454.8250
Fax 478.445.1202
Email chad.mcdonald () gcsu edu