What I kind of find interesting is that when you go to the Volusion site
(which is apparently where this store is built) and look at the
questions at the bottom of their pricing page, there's this statement in one
of the questions there:
For security reasons, you're required to have a SSL certificate on your
store before taking any orders. We offer high-security, affordable SSLs for
your convenience. While you don't have to purchase your SSL right now,
you'll need to get one before your site goes live.

So it's kinda surprising that they were able to take the site live without
that being turned on (which implies that Volusion probably isn't doing the
best job at checking that).

On Tue, Aug 16, 2011 at 10:18 AM, Rytlewski, Jamie <[log in to unmask]> wrote:

> I thought about contacting shop.msu.edu, but 1) I have no idea who these
> contact forms actually go to, 2) I knew I'd probably get a faster response
> on the NAG (which happened).
>
> It's a sad state, but sometimes making a security flaw public gets it fixed
> faster than just contacting the people that didn't fix it to begin with.
> This is one case that should have been fixed a long time ago. This is a very
> apparent flaw and if it wasn't fixed by now, my feeling was going public
> would fix it sooner.
>
>
> From: Troy Murray [mailto:[log in to unmask]]
> Sent: Tuesday, August 16, 2011 9:50 AM
> To: [log in to unmask]
> Subject: Re: [MSUNAG] shop.msu.edu Insecure
>
> Jamie & Thomas,
>
> I think it's great that you both have an eye on security for something like
> this, caught it and want to let others know.  I'm hoping you responsibly
> reported this directly to the shop.msu.edu staff using the contact
> information under "Customer Service" on their home page first before posting
> it to a public forum.
>
> Troy Murray
> Michigan State University        P: 517-432-3545
> College of Medicine              F: 517-353-5436
> B228 Life Sciences               E: [log in to unmask]
> RedHat 5 Certified Technician
> RedHat 5 Certified Systems Administrator
> HL7 V2.6/2.5 Certified Control Specialist
>
>
> On Aug 16, 2011, at 9:43 AM, Gene Willacker wrote:
>
> AIS is investigating. Please contact me directly with details, rather than
> using the public forum, and I will pass the info on to the MSU PCI DSS Team.
>
> Thanks, Gene
>
> On 8/16/2011 9:28 AM Thomas A Gish said the following:
>
> On top of that, trying to connect to https://shop.msu.edu fails so it
> doesn't even appear to be an option.
>
> -T
>
> Quoting "Rytlewski, Jamie" <[log in to unmask]>:
>
> So while I was looking at how shop.msu.edu does their forms I found a
> few very interesting details.
>
> 1)      There is no forced security when checking out
> 2)      You can see all your data, including Credit Card information
> (of course I did not submit my actual information).
>
> This is a very huge security risk and with how much the University has
> cracked down on other departments for being PCI compliant, how is it
> that shop.msu.edu is getting away with it being so insecure? Also, if
> the university wants us to use CASHnet so much, why is shop.msu.edu not
> using it?
>
> Jamie R. Rytlewski
> Information Technologist I
> Michigan State University
> 517-884-1671
> [log in to unmask]
>
> --
> Gene Willacker
> RHS Information Services Security Administrator
> Michigan State University
> 100 University Housing Building
> East Lansing, MI 48824-1231
> 517-353-1694, FAX: 517-884-0248
>
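As an added example (not part of this thread, and not code from Volusion, MSU or shop.msu.edu), here is the kind of check a practitioner would run against a storefront's checkout page before reporting a finding like Jamie's: parse the page's forms, pick out those that collect card-like fields, and flag any whose resolved submit URL is not https. The sample HTML, the field names and the hostnames in it are constructed for illustration and are assumptions, not anything observed on the real store.

```python
"""Flag checkout forms that would send card data over plain HTTP.

Added example for the shop.msu.edu thread; the checkout page below is a
constructed sample so the check runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that suggest a field carries card data. This is a heuristic
# chosen for the example, not a PCI DSS definition.
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "exp")


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name") or a.get("id") or ""
            self._current["fields"].append(name.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_plaintext_card_forms(html, page_url):
    """Return (submit_url, card_fields) for each form that collects
    card-like fields and would submit them to a non-https URL.

    The form action is resolved against page_url, so a relative action on
    a page fetched over http:// is correctly treated as a plaintext submit.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        card_fields = [f for f in form["fields"]
                       if any(hint in f for hint in CARD_FIELD_HINTS)]
        if not card_fields:
            continue
        submit_url = urljoin(page_url, form["action"])
        if urlsplit(submit_url).scheme != "https":
            findings.append((submit_url, card_fields))
    return findings


# Constructed sample checkout page: a harmless search form, a card form
# posting to a relative action, and a card form posting to an https host.
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get"><input name="q"></form>
<form action="checkout.asp" method="post">
  <input name="FirstName"><input name="CardNumber">
  <input name="ExpMonth"><input name="CVV2">
</form>
<form action="https://pay.example.com/submit" method="post">
  <input name="ccnum">
</form>
</body></html>
"""


def check_sample():
    """Run the check on the constructed sample as if it were served over http."""
    return find_plaintext_card_forms(SAMPLE_HTML,
                                     "http://shop.example.com/checkout.asp")


if __name__ == "__main__":
    for url, fields in check_sample():
        print(f"card data would be submitted in plaintext to {url}: {fields}")
```

To use it against a live store, fetch the checkout page with any HTTP client and pass the URL you actually fetched as `page_url`, since a relative action inherits that page's scheme. Note the one case this check does not flag: a form on an http page whose action is https. That still leaves the page itself modifiable in transit, so the whole checkout flow should be served over https, which is also what the Volusion FAQ quoted above requires.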