4/4/2020 UPDATE: I am now in contact with USSA. There is an indication that some issues prevented USSA from receiving my reports, so they were consequently unaware of them. More information to come at a later time.
4/20/2020 UPDATE: After a dialogue with USSA, it became clear that USSA did not receive most of the UtahCyberCheck reports. This contributed to confusion and miscommunication. Since then, USSA has been responsive and able to quickly address issues brought to their attention, as future blog posts will detail.
According to its website and Wikipedia page, USSA is “an Olympic sports organization providing leadership and direction for tens of thousands of young skiers and snowboarders” with “over 30,000 athletes, officials and coaches, with a network of over 100,000 parents, volunteers and supporters” and a staff of over 150. The association is clearly impressive and fulfills a need for winter sports enthusiasts.
But when it comes to securing their IT infrastructure and their members’ data, it doesn’t come close to earning a gold medal. Future blog posts will show how misconfigured servers, exposed credentials, and vulnerable software make USSA an easy target for hackers. These vulnerabilities still exist. The final post will reveal a hacked USSA website.
Despite attempts to contact USSA for three months, the association has yet to respond to any messages from the UtahCyberCheck project. Reports were also given to the Utah Department of Public Safety, which helped resolve one issue, but the other issues were not addressed by USSA. Without any indication that USSA will secure their infrastructure, the responsible disclosure process has reached this unfortunate conclusion: public disclosure.
Posts regarding USSA (Kept updated):
- USSA Poor Security Practices Leads to Leaked IT Credentials
- USSA Remediates Vulnerable Server during COVID-19 Pandemic, Earthquake
- USSA Shuts Down Forum Website after Hack
I began the UtahCyberCheck project to help struggling Utah education and government organizations. USSA has a presence on Utah education infrastructure and is a National Governing Body, so it falls within the scope of the project. You can read the initial announcement of UtahCyberCheck and the reasons behind it.
Update 4/1/2020: Changed featured image; added article.
Update 4/4/2020: Added “Developing Story” to first paragraph; added 4/4/2020 update in body of article.
Update 4/20/2020: Added note about USSA not receiving all reports.