United States Soccer Federation

Read ALL of this document!

SPECIAL HACKER ALERT!

Lately, our system has been the target of at least one persistent hacker who is working very hard at trying to break into our system. To some extent, they have been successful. Our overall system security has done an excellent job of keeping unauthorized people out, so the question is "How have they been successful?"

The Problem: So what do they do when they get into the system as "YOU"?

If they come in as a LAC, they have made assignments or changed them, assigning you to games you shouldn't be on (1800 mile travel for a PDL game? hmmm), or taking you off games you belong on. Luckily enough, all assignments are "staged" by the assignors and only an administrator can release the assignment. After screwing up a couple of games we caught the problem.

If they get in as an official or an assessor, they can decline games you want before you ever see them, costing you money, or decline a game you already accepted, so that you go to the game thinking you are still on it. They can also foul up your availability information by marking out many dates you really have open, which will prevent the assignor from using you, or vice versa, by making you available on days you already flagged as unavailable. (And here, you thought you were going to the lake that first weekend in August.)

If they get in as an assessor, they can at least temporarily foul up your future as an official by providing a truly "original" assessment of your game performance!

The Solution: Report anything you feel is suspicious to a system administrator. (Casey, Mike or Paul, and your LAC.) Are you missing e-mails you thought you should have received, or have you gotten strange ones, like replies to an e-mail you never sent? Anything that smells rotten may be.

If you have an email account through hotmail.com or yahoo, these are very vulnerable since they do NOT go through your local ISP, whom you would have to contact to add or change an email address.
If you dropped a hotmail or yahoo account, anyone else can reuse the account once it has been deactivated by you. Hotmail and Yahoo also do not need ISP setup info in your mail program, as they can be accessed via your web browser.

LACs... do NOT give out userids or passwords unless you are absolutely sure who you are talking to. It may be inconvenient, but it may be best if you originate a phone call to a known phone number for the person and verify who you are talking to. Maybe even set up a pass code for each of your officials. Overkill? Not if you have to go back and assign many games you thought you had covered and are now declined.

Officials and assessors... change your passwords on a regular basis, at least once a month. NEVER share your password with anyone (your userid is OK, but never your password). Don't even give out your password to an administrator or a LAC (assignor) since you may not be sure it is really them. Administrators and LACs can look up your passwords. Anyway, the only reason a LAC should need to know your password is to give it to you.

To all... make sure your email address also has a good, secure, hard to hack password. This will help to keep hackers from accessing your email account.

What makes a good password?

Password Formation Rules: To make a secure password it should:
Change your password monthly. This limits the time someone can use your password.

Are we being paranoid?? NO! Just trying to keep an existing problem from growing. You won't think we are paranoid if you are affected by this problem. Please help us keep a lid on it.

Our software security system is doing its job. The hackers are trying to get the information they need to get into the system by going outside the system. Don't let yourself be exploited. Remember... the data the hackers change may be yours!!!

The good news??? We have several people in our system who work for Federal law enforcement. They have helped us with a similar problem in the past (successfully) and are currently working on this (and future) attempts to violate the integrity of our system.

11/29/2007