First of all, in almost any e-commerce site, http should not be acceptable anymore. If the https is “broken”, it should never switch to use http as being an acceptable solution. The site should just stop working and blow an error. I can tell it’s always been “broken” as http should not be acceptable for an e-commerce site. That’s all there is to it. Also, it’s not like I uncovered some 0-day exploit or anything, I just noticed that shop.msu.edu does not use https and all the information is sent plain text. The thing is this is more of a problem for the users of the site, not the site itself. Which is why I brought it up in the public forum. It’s not like what I brought up is going to bring down the site (except to fix it now I see). This was a protection for the USERS of the site. I was informing the USERS in a sense to look twice at shop.msu.edu before buying anything as your information is being sent clear text. Everyone makes it seem as though I put out information to hack the site and bring it down. I’m just warning people about buying stuff from shop.msu.edu until it gets fixed and maybe bringing up a bigger issue that people should look twice in the URL before sending sensitive information. Just because it’s a “trusted” site does not mean it’s trustworthy.

 

From: Troy Murray [mailto:[log in to unmask]]
Sent: Tuesday, August 16, 2011 11:24 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] shop.msu.edu Insecure

 

Jamie,

 

I can certainly relate to the frustration of not seeing things fixed once you've reported them to a vendor and they sit on them.  However I could feel a little differently in this case, and I should be clear that I'm not tied to the shop.msu.edu site in anyway.  The page that I referenced doesn't have one of those ambiguous "contact us" forms with no other methods available, but actually has a phone number to call.  My past experience when I've contacted departments where I found a security issue in their web presence and told them I need to report such always put me in contact with the person responsible.

 

You mention that this should have been fixed a long time ago.  Had you reported this to them and they didn't fix it?  Do we know if this has always been broken?  Was this a result of the issue last week which affected so many of the MSU websites, including the shop.msu.edu website?  Did it just stop working this morning after some update?

 

I commend your desire to see things corrected.  I may have done the same as you if I'd contacted them and they didn't resolve it within a reasonable amount of time before altering, not just the "good guys" but any possible "bad guys" that subscribe to this list as well.  As someone that's responsible for creating web applications, I know I'd appreciate a phone call about an issue like this before having it go public where it could cause more problems.

 

Just my $0.02 

 

-t

 

 

 

 

 

On Aug 16, 2011, at 10:18 AM, Rytlewski, Jamie wrote:



I thought about contacting shop.msu.edu, but 1) I have no idea who these contact forms actually go to, 2) I knew I’d probably get a faster response on the NAG (which happened).

 

It’s a sad state, but sometimes making a security flaw public gets it fixed faster than just contacting the people that didn’t fix it to begin with. This is one case that should have been fixed a long time ago. This is a very apparent flaw and if it wasn’t fixed by now, my feelings were going public would fix it sooner.

 

From: Troy Murray [mailto:[log in to unmask]] 
Sent: Tuesday, August 16, 2011 9:50 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] shop.msu.edu Insecure

 

Jamie & Thomas,

 

I think it's great that you both have an eye on security for something like this, caught it and want to let others know.  I'm hoping you responsibly reported this directly to the shop.msu.edu staff using the contact information under "Customer Service" on their home page first before posting it to a public forum.    

 

Troy Murray

Michigan State University        P: 517-432-3545

College of Medicine                 F: 517-353-5436

B228 Life Sciences                                  E: [log in to unmask]

RedHat 5 Certified Technician

RedHat 5 Certified Systems Administrator

HL7 V2.6/2.5 Certified Control Specialist

 

On Aug 16, 2011, at 9:43 AM, Gene Willacker wrote:




AIS is investigating. Please contact me directly with details, rather than using the public forum, and I will pass the info on to the MSU PCI DSS Team.

Thanks, Gene

on 8/16/2011 9:28 AM Thomas A Gish said the following:

On top of that, trying to connect to https://shop.msu.edu fails so it doesn't even appear to be an option. 

-T 

Quoting "Rytlewski, Jamie" <[log in to unmask]>: 



So while I was looking at how shop.msu.edu does their forms I found

a 


few very interesting details. 


1)      There is no forced security when checking out 

2)      You can see all your data, including Credit Card

information 


(of course I did not submit my actual information). 


This is a very huge security risk and with how much the University has cracked down on other departments for being PCI compliant, how

is 


that shop.msu.edu is getting away with it being so insecure? Also,

if 


the university wants us to use CASHnet so much, why is shop.msu.edu not using it? 

Jamie R. Rytlewski 
Information Technologist I 
Michigan State University 
517-884-1671 
[log in to unmask] 


 

-- 
Gene Willacker
RHS Information Services Security Administrator
Michigan State University
100 University Housing Building
East Lansing, MI 48824-1231
517-353-1694, FAX: 517-884-0248