Unsporting Espionage

If you think about IP security – or more specifically, the problem of IP espionage – the mind is inevitably drawn to the big corporates in the banking and pharmaceutical sectors. After all, these are considered the people with the highest-value intellectual property. Actually, that’s not necessarily the case, and perhaps misses the point – stealing information isn’t always about short-term financial gain. This brings us nicely to the growing problem of IP espionage and more general infosecurity issues in sports.

The Digital Crown Jewels

Richard Keighley, part of Deloitte’s security team, argues that high-value sports teams have digital crown jewels, those things that give them the all-important competitive edge – be it the suspension or engine tuning secrets of a particular Formula 1 racing car, or the precise composition of a hi-tech racing bicycle.

“There are extensive physical security controls at team locations to prevent unauthorized access”, Keighley explains, as well as protocols for protecting equipment trackside, “even down to the shredding of custom sports clothing after use”.

It isn’t just about money, however, it’s often the far less tangible, yet far more motivating ‘prestige factor’ that drives people to win, and drives them to IP espionage within the sports sector. According to Keighley, “this means that it’s not just the casual thief or organized criminal they have to defend against, but potentially state-backed attackers”.

Unsporting Motivation

Of course, as Giri Sivanesan, senior manager for policy, risk and compliance at Pentura reminds us, “international events bring unparalleled financial rewards for the host nation”, so you can’t discount the monetary motivation entirely. It’s this mixing of motivations that presents perhaps the biggest problems for the information security industry when it comes to protecting sporting IP. Knowing your enemy and understanding their tactics are always useful weapons in the infosec arsenal, but it becomes a little more complex when, in addition to protecting the network, you have to take into account that “covert surveillance can be used to collect information on training patterns, intensity and strategy, giving rival teams the competitive advantage”, Sivanesan says.

Then take into consideration the third front, as it were – those who want to compromise infosecurity for neither financial gain nor national sporting pride: the hacktivists. As has been demonstrated by the ‘Anonymous’ group in the wake of the WikiLeaks cables publication, distributed denial-of-service attacks can be deployed against the biggest of corporate targets relatively quickly and with devastating effect. What better way to make a point, to exact an act of cyber-retaliation guaranteed to grab the headlines, than to disrupt a major sporting event?

High-Value Targets

So are any particular sports, or events for that matter, more vulnerable than others? It’s a question we put to Ron Meyran, director of security products at Radware, who admitted that sport has been strewn with IT security espionage but pointed in particular toward Formula 1. “F1 racing team Renault revealed that their computer system was infiltrated by hackers”, Meyran explains. “This has lead to Renault having to change design details of a radical new engine because of fear that their rivals could have been sold the information.”

Richard Keighley, meanwhile, suggests that any high-value sport that makes increasing use of technology is at risk, and that means cycling and sailing, as well as motorsports. Oh yes, and football (or soccer, for you Americans and Canadians). During the professional football transfer window there are extensive communications going on from all sides: between the different teams, the players and their agents. “This means that participants need to take care in securing their discussions from eavesdropping”, Keighley warns, “from the competition and the press”. Taking care of PDAs and smartphones, as well as the network, in case of loss or theft is essential, as is ensuring that preventions are in place to stop them from being hacked into.

An Olympic Effort

Sporting bodies with major events coming up, such as Moto GP, the Wimbledon tennis championships, and perhaps most of all, the 2012 Olympic Games, are obvious targets for those who would pilfer from sport. “Whether it’s stealing designs or even training videos of the team”, Meyran insists, “the hackers are expected, all you can do is wait”.

Much of the media attention will, no doubt, focus on the mundane – such as ticketing fraud – yet the bad guys will have a much broader brief; especially if you are talking about the bad guys at a state-sponsored level. Take drug testing, for example, a procedure that can break the career of an athlete and ruin the reputation of a national sporting body.

It should come as no surprise, as Keighley tells us, that security runs deeper than the physical controls over taking samples and transporting them for testing. “A strong evidentiary chain has to be demonstrated throughout”, meaning secure “electronic access controls and monitoring in place” to detect for any signs of fraudulent activity. Then there’s the integrity of the entire IT landscape at such an event, including the scoring and timing systems.

Infosec at the Olympics is not just about confidentiality, says Keighley. “Remember the ‘I – integrity’ and ‘A – availability’ of the ‘CIA’ of security”, he recounts. A lot of information at the Olympics isn’t sensitive, but it does need accuracy, and that requires system integrity. “They want everyone to know who won the 100 meters, but they also need the timing system to correctly display the winning time”, Keighley continues. “There are extensive controls in place to maintain the integrity of such information and resilience is built into communications and AV systems to ensure high availability”.

Can You Bet on IT?

Professional sports are big business everywhere these days, and multi-million global sponsorship deals mean that team tactics and the technology behind the equipment are just as important as the man kicking the ball, racing the car, or sailing the boat. There’s money to be made when a sporting fixture can be won or lost, courtesy of the technology tweaking the tactics or the equipment.

There’s also money to be made on the results of those fixtures the old fashioned way – by betting on the results – and technology can be the deciding factor here as well. From tampering with trackside technology (think tripping of the false start mechanisms, for example) to influencing the betting odds (through the use of online betting services, although sophisticated analysis software usually sniffs this out these days) and blackmail.

“More and more distributed denial-of-service attacks have targeted financial institutions during 2010”, Catalin Cosoi, head of the BitDefender online threats lab told us, adding “ever since 2009, sports betting services have been attacked by the groups of cyber-criminals behind the BlackEnergy botnet. The attacks are generally carried out on the evening of major events in order to maximize the potential losses.”

Not all betting fraud is aimed at the bookie, however, as some is quite clearly targeted at the punter. Cosoi highlights phishing messages impersonating legitimate betting offers from high-profile institutions, in order to trick victims into disclosing their banking details, which offer free betting credits.

Then there’s the ‘prediction software scam’, which sells, or gives away, software that supposedly uses complex algorithms to predict a winning bet but actually just installs malware.

Perhaps of most concern, though, are the malware variants targeting online betting that use man-in-the-middle techniques to hijack money transfers as a bet is being placed. Online betting security is, naturally, taken very seriously, from PCI DSS compliance through to the monitoring for fraudulent activity. According to Richard Keighley, several such organizations already have certification to ISO 27001.