Information Security and NFL Espionage

In late January 2007 several NFL-related web sites were hacked, including www.dolphinsstadium.com and www.miamidolphins.com. Considering the Miami Dolphins stadium was about to host the NFL’s biggest game of the year, Super Bowl XLI, this seemed a reasonable enough target. The sites were modified to serve malicious JavaScript code that would compromise victims’ computers, providing a good dose of nastiness to vulnerable clients. Some additional details on the incident are available in this Websense alert.

Over the past several weeks, just as the 2007-08 NFL regular season comes into full swing, email inboxes everywhere have shifted from being bombarded with e-card Storm malware spam to yet another NFL-driven social engineering vector, as outlined by our friends at TrendLabs. And, of course, given that this relies on social engineering, a slightly more inviting version of the spammed malware email has been introduced. In the latter edition, the miscreants involved have gotten themselves an actual domain name in the included link, rather than an IP address, and replaced most of the text with some nifty graphics, raising the bar from quite obviously malicious to just obviously malicious. Both messages profess to provide unsuspecting users a free game tracking system.

As if this weren’t enough, now fans are being duped by coaches and players themselves. One of many recent events involves Coach Bill Belichick and his New England Patriots, who last week were punished by the NFL for illegally videotaping defensive signals of their competitors. Now, clearly, they’re not the only ones that have done this, but they are the first to get caught. With the Patriots often being touted as the NFL’s model team, it was sure to disappoint.

And, as you might expect, such behavior is typically followed by considerable additional scrutiny. For example, as discussed here, last season the Green Bay Packers “had issues with a man wearing Patriots credentials who was carrying a video camera on their sideline” and “There also are questions regarding the Patriots’ use of radio frequencies during the game”. There were even reports of untimely audio problems experienced by competing teams, problems that just may have been masterminded by the Patriots.

If the Patriots were able to decode the defensive signals in real time and relay match-ups to their offensive squad on the field via helmet communications systems, surely they’d be capable of adjusting to mismatches and be afforded a huge competitive advantage. Otherwise, perhaps at half-time they could train Patriots’ quarterback Tom Brady and team to read the signals themselves, detecting blitzes and the like and adjusting by calling audibles to accommodate.

Interestingly enough, radio communication for defensive signal calling has been voted down again, including just last year. Now, one might think that, had it been approved, this wouldn’t have happened; i.e., filming of competing teams wouldn’t yield defensive signals. Well, perhaps that is the case. Or, perhaps lip readers and body language experts would then be put to use. Or RF interception, or taps or other communications snooping mechanisms, all of which would occur even further behind the scenes.

If I heard the commentators correctly (the television was on in the other room), this evening during the New England/San Diego game the NFL purportedly had scanning gear looking for “stray signals” (whatever those are) and the NY Jets were planning to file something with the league regarding the Patriots having their defensive players miked during earlier games.

The Patriots’ code interception incident got me thinking: If the Denver Broncos are looking for a CISO (or a new field goal kicker), I’m local, so no relocation required. And, well, after today, it’s obvious they’re not spying on anyone.
