LISTSERV 16.0 - MSUNAG Archives

I thought about contacting shop.msu.edu, but 1) I have no idea who these contact forms actually go to, 2) I knew I'd probably get a faster response on the NAG (which happened).

It's a sad state, but sometimes making a security flaw public gets it fixed faster than just contacting the people that didn't fix it to begin with. This is one case that should have been fixed a long time ago. This is a very apparent flaw and if it wasn't fixed by now, my feelings were going public would fix it sooner.

From: Troy Murray [mailto:[log in to unmask]]
Sent: Tuesday, August 16, 2011 9:50 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] shop.msu.edu Insecure

Jamie & Thomas,

I think it's great that you both have an eye on security for something like this, caught it and want to let others know.  I'm hoping you responsibly reported this directly to the shop.msu.edu<http://shop.msu.edu> staff using the contact information under "Customer Service" on their home page first before posting it to a public forum.

Troy Murray
Michigan State University        P: 517-432-3545
College of Medicine                 F: 517-353-5436
B228 Life Sciences                                  E: [log in to unmask]<mailto:[log in to unmask]>
RedHat 5 Certified Technician
RedHat 5 Certified Systems Administrator
HL7 V2.6/2.5 Certified Control Specialist

On Aug 16, 2011, at 9:43 AM, Gene Willacker wrote:


AIS is investigating. Please contact me directly with details, rather than using the public forum, and I will pass the info on to the MSU PCI DSS Team.

Thanks, Gene

on 8/16/2011 9:28 AM Thomas A Gish said the following:
On top of that, trying to connect to https://shop.msu.edu<https://shop.msu.edu/> fails so it doesn't even appear to be an option.

-T

Quoting "Rytlewski, Jamie" <[log in to unmask]><mailto:[log in to unmask]>:


So while I was looking at how shop.msu.edu<http://shop.msu.edu> does their forms I found
a

few very interesting details.


1)      There is no forced security when checking out

2)      You can see all your data, including Credit Card
information

(of course I did not submit my actual information).


This is a very huge security risk and with how much the University has cracked down on other departments for being PCI compliant, how
is

that shop.msu.edu<http://shop.msu.edu> is getting away with it being so insecure? Also,
if

the university wants us to use CASHnet so much, why is shop.msu.edu<http://shop.msu.edu> not using it?

Jamie R. Rytlewski
Information Technologist I
Michigan State University
517-884-1671
[log in to unmask]<mailto:[log in to unmask]>


--
Gene Willacker
RHS Information Services Security Administrator
Michigan State University
100 University Housing Building
East Lansing, MI 48824-1231
517-353-1694, FAX: 517-884-0248