According to its website and Wikipedia page, USSA is “an Olympic sports organization providing leadership and direction for tens of thousands of young skiers and snowboarders” with “over 30,000 athletes, officials and coaches, with a network of over 100,000 parents, volunteers and supporters” and a staff of over 150. The association is clearly impressive and fulfills a need for winter sports enthusiasts.
But when it comes to securing its IT infrastructure and its members’ data, it doesn’t come close to receiving a gold medal. Future blog posts will exhibit how misconfigured servers, exposed credentials, and vulnerable software make USSA an easy target for hackers. These vulnerabilities still exist. The final post will reveal a hacked USSA website.
Despite three months of attempts to contact USSA, the association has yet to respond to any messages from the UtahCyberCheck project. Reports were also given to the Utah Department of Public Safety, which helped resolve one issue, but other issues were not addressed by USSA. Without any indication that USSA will secure its infrastructure, it has come to this unfortunate conclusion of responsible disclosure.
Posts regarding USSA (Kept updated):
I began the UtahCyberCheck project to help struggling Utah education and government organizations. USSA has a presence on Utah education infrastructure, is a National Governing Body, and falls within the scope of the project. You can read the initial announcement of UtahCyberCheck and subsequent reasons.
Update 4/1/2020 Changed featured image; Added article.