
United States Soccer Federation

Read ALL of this document!

SPECIAL HACKER ALERT!


Lately, our system has been the target of at least one persistent hacker who is working very hard to break into our system. To some extent, they have been successful. Our overall system security has done an excellent job of keeping unauthorized people out, so the question is: how have they been successful?

The Problem:
The latest ploy is that they are passing themselves off as people in our system (YOU). Somehow they have obtained YOUR identity and used it to prompt system administrators or LACs to give out "forgotten" passwords to "you". Yes, at least electronically, they have made themselves look like you: using your old e-mail addresses, registering new ones and claiming to be you, and so on. They have also passed themselves off as prospective buyers seeking technical details of the system in order to evaluate it. We do not supply that type of information!

So what do they do when they get into the system as "YOU"?

If they get in as a LAC, they have made or changed assignments, assigning you to games you should not be on (1,800 miles of travel for a PDL game? Hmm) or taking you off games you belong on. Luckily, all assignments are "staged" by the assignors and only an administrator can release an assignment. After a couple of games were fouled up, we caught the problem.

If they get in as an official or an assessor, they can decline games you want before you ever see them, costing you money, or decline a game you already accepted, so you show up thinking you are still on the game. They can also foul up your availability information by marking out many dates you really have open, which prevents the assignor from using you, or vice versa, by making you available on days you already flagged as unavailable. (And here you thought you were going to the lake that first weekend in August.) If they get in as an assessor, they can at least temporarily foul up your future as an official by filing a truly "original" assessment of your game performance!

The Solution:
You are the solution!!!

Report anything you feel is suspicious to a system administrator (Casey, Mike or Paul) and to your LAC. Are you missing e-mails you thought you should have received, or getting strange ones, such as replies to an e-mail you never sent? Anything that smells rotten may be. If you have an e-mail account through hotmail.com or yahoo.com, be aware that these are easier to abuse: they do not go through your local ISP, whom you would have to contact to add or change an e-mail address, and they need no ISP setup information in your mail program since they can be accessed from any web browser. If you drop a hotmail or yahoo account, anyone else can reuse that address once you deactivate it, and whoever registers it can then receive mail addressed to "you".

LACs: do NOT give out user IDs or passwords unless you are absolutely sure who you are talking to. It may be inconvenient, but it is best if you originate a phone call to a number you already have on file for the person (not one supplied in the request) and verify who you are talking to. Consider setting up a pass code for each of your officials. Overkill? Not if you have to go back and reassign many games you thought you had covered and are now declined.
If someone calls you and you have Caller ID, check the caller's name and phone number against what you have on file to make sure the call is coming from their house. Treat a match as supporting evidence only; calling the person back yourself at the number on file is the stronger check.
Change your password often, at least once a month.
LACs: keep a paper record of your assignments in case you need to reassign games to the correct people, or to double-check suspected tampering.

Officials and assessors: change your passwords on a regular basis, at least once a month. NEVER share your password with anyone (your user ID is OK, but never your password). Don't even give your password to an administrator or a LAC (assignor), since you cannot be sure it is really them. Administrators and LACs can look up your password themselves, so the only reason a LAC should ever need to know your password is to give it back to you; they never need to ask you for it.
Check your availability dates often to make sure they have not been tampered with.

To all: make sure your e-mail account also has a good, secure, hard-to-guess password. An attacker who gets into your mailbox can receive the "forgotten" passwords sent to you and pose as you from your own address.

What makes a good password?

Password Formation Rules:

  • Passwords must be at least six (6) characters long and no longer than eight (8).
  • Letters and numbers may be mixed; no spaces or special characters.
  • Write down your password and keep it somewhere safe!

To make a secure password it should:

  • not be full of repetitive characters, like "aaaaaaa"
  • not be the name of your wife or any other family member, your dog or your nickname
  • not be your birthdate, phone number or license plate
  • not be anything that can easily be associated with you; i.e., don't use soccer-related terms, as this is a "no-brainer" for a hacker trying to access a site for soccer people

Change your password monthly. This limits the time someone who has obtained your password can use it.
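The formation and quality rules above, turned into a checker, as an added example that is not part of the original notice and not the Federation's own software. Everything in it is an assumption made for illustration: the soccer word list, the sample profile (names, date, phone number, plate) and the function names are constructed here. It also works out the size of the key space that the 6-to-8-character alphanumeric rule allows, a limit the notice itself does not state, and draws a compliant random password so that "write it down" starts from something unguessable.

```python
import math
import re
import secrets
import string
from typing import Dict, List

# Formation rules quoted in the notice: 6 to 8 characters, letters and digits only.
MIN_LEN, MAX_LEN = 6, 8
ALPHABET = string.ascii_letters + string.digits
ALLOWED = set(ALPHABET)

# Constructed stand-in for the "soccer related terms" the notice warns against;
# a real deployment would load a much larger word list. Illustrative only.
SOCCER_TERMS = {"soccer", "referee", "ref", "goal", "keeper", "pdl", "ussf",
                "whistle", "offside", "assessor", "assignor"}


def digits_only(value: str) -> str:
    """Keep only digits so '(555) 123-4567' and '5551234567' compare equal."""
    return re.sub(r"\D", "", value)


def check_password(pw: str, personal: Dict[str, List[str]]) -> List[str]:
    """Return the rules a candidate password breaks (an empty list means it passes).

    `personal` maps the categories the notice names ("names", "dates", "phone",
    "plate") to what an attacker could learn about this user. The caller supplies
    it; nothing in this example is real data.
    """
    problems: List[str] = []
    lowered = pw.lower()

    # Formation rules: what the system accepts at all.
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not set(pw) <= ALLOWED:
        problems.append("only letters and digits are allowed (no spaces or special characters)")

    # Quality rules: what keeps the password from being guessed.
    if len(set(lowered)) <= 2:
        problems.append("too repetitive (e.g. 'aaaaaaa')")
    for name in personal.get("names", []):
        if name.lower() in lowered:
            problems.append(f"contains a name associated with you: {name}")
    pw_digits = digits_only(pw)
    if len(pw_digits) >= 4:  # four or more digits is enough to be a date or phone fragment
        for value in personal.get("dates", []) + personal.get("phone", []):
            known = digits_only(value)
            if pw_digits in known or known in pw_digits:
                problems.append(f"contains your birthdate or phone number: {value}")
    for plate in personal.get("plate", []):
        plate_norm = re.sub(r"[^A-Za-z0-9]", "", plate).lower()
        if plate_norm and plate_norm in lowered:
            problems.append(f"contains your license plate: {plate}")
    for term in sorted(SOCCER_TERMS):
        if term in lowered:
            problems.append(f"contains a soccer term: {term}")
    return problems


def keyspace_bits(min_len: int = MIN_LEN, max_len: int = MAX_LEN,
                  alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy upper bound, in bits, for a password drawn uniformly from the
    allowed alphabet at any allowed length. For 6 to 8 mixed-case alphanumerics
    this is just under 48 bits: the rules cap strength as well as enforcing it."""
    total = sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


def generate_password(personal: Dict[str, List[str]], length: int = MAX_LEN) -> str:
    """Draw a random password from the OS CSPRNG that passes every rule above.
    A random draw almost never trips a quality rule, so the retry loop is only a guard."""
    for _ in range(100):
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, personal):
            return candidate
    raise RuntimeError("could not produce an acceptable password")


if __name__ == "__main__":
    # Constructed sample profile for one official; not a real person.
    profile = {"names": ["Rover", "Casey"], "dates": ["08/04/1970"],
               "phone": ["(555) 123-4567"], "plate": ["REF 4U"]}
    for candidate in ["aaaaaaa", "goalie99", "ref4u123", "rover123", "5551234", "Kx7m2Qp9"]:
        print(candidate, "->", check_password(candidate, profile) or "OK")
    print(f"key space: {keyspace_bits():.1f} bits")
    print("suggested:", generate_password(profile))
```

The personal-information checks only catch what the profile lists, so the check is as good as the profile; the point of `keyspace_bits` is that even a perfectly random password under these rules sits under 48 bits, which is why the monthly change and the "never share it" rule carry so much of the weight.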

Are we being paranoid? NO! We are just trying to keep an existing problem from growing. You won't think we are paranoid if you are affected by it. Please help us keep a lid on it. Our software security system is doing its job; the hackers are trying to get the information they need to get into the system by going around it, through you. Don't let yourself be exploited. Remember: the data the hackers change may be yours!

The good news? Several people in our system work for federal law enforcement. They helped us successfully with a similar problem in the past and are currently working on this (and future) attempts to violate the integrity of our system.

11/29/2007
