Tuesday, June 16, 2015

Analyzing the Cardinals breach of the Astros

A year ago, when the Houston Astros' breach was reported, I wrote up a piece analyzing the breach for the Crawfish Boxes. There wasn't a lot to analyze based on the details available at the time, but that changed today with this New York Times article by Michael S. Schmidt.

More details on motivation and who

According to the article:

The F.B.I. and Justice Department prosecutors are investigating whether front-office officials for the St. Louis Cardinals, one of the most successful teams in baseball over the past two decades, hacked into internal networks of a rival team to steal closely guarded information about player personnel.
Corporate espionage by the Cardinals appears to be the answer to the motivation and whodunit questions. The article goes deeper, though:

Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager who had been a successful and polarizing executive with the Cardinals until 2011.
Luhnow was not a popular person among some groups within the Cardinals organization, which isn't surprising. We've known about that for a while now. What is a bit surprising is that someone disliked Luhnow so much that they would risk their own reputation, the Cardinals organization's reputation, and possibly some jail time just to get back at him.

How did they get in

This was the burning question last year, and it appears we've now got an answer. If you'll remember, the Houston Chronicle ran a piece on Ground Control, which is apparently similar to the Cardinals' computer network, aptly named Redbird. The picture in the article displayed an external link for Ground Control.

It appears that the breach may have occurred before the article, however:

But in 2013, before their revival at the major league level, their internal deliberations about statistics and players were compromised, law enforcement officials said.
Finding an external link without the help of a news organization is still possible. Link aside, here's what the New York Times article also had to say about getting in:
Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.
A "master list of passwords" is likely a spreadsheet, still in the Cardinals' possession, that was used to store all of the passwords. This seems to indicate that Luhnow and everyone involved in Ground Control who followed him to Houston kept using those same passwords. That's just bad operational security, if true.

Once the attacker got in, if Ground Control was built on a similar infrastructure and the attacker was in fact from the Cardinals organization, then they had a good understanding of the system's layout and knew where the important information was stored. Where the Cardinals employee goofed up was in not hiding his home IP address behind a proxy, or logging in from the house of a Cubs employee.

How could this have been avoided

With the information we have available: two-factor authentication.

With two-factor authentication turned on, the attacker likely doesn't get in, even with the passwords in hand.
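To make the second factor concrete, here is an added example (not code from the original post or from any MLB system) of a login check that requires both a password and an RFC 6238 TOTP code, so a leaked password list alone is not enough. The account name, password, salt and time values are constructed; the TOTP secret is the RFC 6238 test-vector key, used only so the codes are reproducible.

```python
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    now = int(time.time()) if now is None else now
    return hotp(secret, now // step, digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash, so a stolen password database is not a list of passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed account. The password is the kind of value a "master list of
# passwords" would leak; the TOTP secret is the RFC 6238 test-vector key, used
# here only so the codes are reproducible (a real secret is random per user).
SALT = b"constructed-salt"
TOTP_SECRET = b"12345678901234567890"
USER_DB = {
    "gm": {"pw_hash": hash_password("redbird2011", SALT), "totp_secret": TOTP_SECRET},
}

def authenticate(username: str, password: str, code, now=None) -> bool:
    """Both factors must verify: a leaked password with no (or a wrong) code fails."""
    user = USER_DB.get(username)
    if user is None or code is None:
        return False
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    # Accept the current step and one step either side to absorb clock drift;
    # constant-time compares avoid leaking how much of the code matched.
    code_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now + d * 30), code)
        for d in (-1, 0, 1)
    )
    return pw_ok and code_ok

if __name__ == "__main__":
    # At t=59 the valid code is 287082; the password alone is not enough.
    print(authenticate("gm", "redbird2011", None, now=59))      # False
    print(authenticate("gm", "redbird2011", "287082", now=59))  # True
```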

Punishment and compensation

Several have asked what the punishment for the Cardinals and/or the compensation to the Astros will be, and to be honest I don't know. The law is where my expertise ends. I don't know if the government will pursue legal action against the people involved or if MLB will be allowed to handle this on its own. With the recent high-profile breaches, the government has taken a strong stance on holding attackers accountable for their actions. This breach falls under corporate espionage, so I'm not sure if they will take as hard a line on this or even really care. MLB, on the other hand, will probably want to take a strong stance. This was embarrassing for the Astros last year, and it's even more embarrassing now that another MLB team is involved.

It will certainly be interesting to see the outcome of this episode.