Tuesday, June 16, 2015

Analyzing the Cardinals breach of the Astros

A year ago, when the Houston Astros' breach was reported, I wrote up a piece analyzing the breach for the Crawfish Boxes. There wasn't a lot to analyze based on the details available at the time, but that changed today when the New York Times ran this article by Michael S. Schmidt.

More details on motivation and who

According to the article:

The F.B.I. and Justice Department prosecutors are investigating whether front-office officials for the St. Louis Cardinals, one of the most successful teams in baseball over the past two decades, hacked into internal networks of a rival team to steal closely guarded information about player personnel.

Corporate espionage by the Cardinals appears to be the answer to the motivation and whodunit questions. The article goes deeper, though:

Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager who had been a successful and polarizing executive with the Cardinals until 2011.

Luhnow was not a popular person among some groups within the Cardinals organization, which isn't surprising; we've known that for a while now. What is a bit surprising is that someone disliked Luhnow so much that they would risk their own reputation, the Cardinals organization's reputation, and possibly some jail time just to get back at him.

How did they get in

This was the burning question last year, and it appears we've now got an answer. If you'll remember, the Houston Chronicle ran a piece on Ground Control, which is apparently similar to the Cardinals' computer network, aptly named Redbird. The picture in that article displayed an external link for Ground Control.

It appears that the breach may have occurred before the article, however:

But in 2013, before their revival at the major league level, their internal deliberations about statistics and players were compromised, law enforcement officials said.

Finding an external link without the help of a news organization is still possible. Link aside, here's what the New York Times article also had to say about getting in:

Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

A "master list of passwords" is likely a spreadsheet, in the Cardinals' possession, that was used to store every password. This seems to indicate that Luhnow and everyone who followed him to Houston and worked on Ground Control kept using those same passwords. If true, that's just bad operational security.

Once the attacker got in, if Ground Control was built on infrastructure similar to Redbird and the attacker was in fact from the Cardinals organization, then they had a good understanding of the system's layout and knew where the important information was stored. Where the Cardinals employee goofed up was in not hiding his home IP address through a proxy, or logging in from the house of a Cubs employee.

How could this have been avoided

With the information we have available: two-factor authentication.

With two-factor authentication turned on, the attacker likely doesn't get in, even with the passwords in hand.
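As an added illustration (not code from the original post, and not how either team's system actually works), the following constructed Python shows why a second factor defeats a reused password from a leaked list, and adds the login-source check that would surface an attacker's home IP address; every account name, secret and address in it is made up.

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed sample data (not from the article): the attacker holds a
# "master list" of passwords reused from a previous employer; the target
# side stores a password hash plus a per-device TOTP secret.
LEAKED_MASTER_LIST = {"jluhnow": "Redbird2011!"}            # constructed
ACCOUNTS = {
    "jluhnow": {
        # illustrative only; a real deployment uses a slow KDF such as bcrypt
        "pw_hash": hashlib.sha256(b"Redbird2011!").hexdigest(),
        "totp_secret": b"constructed-enrolled-device-secret",  # never in a spreadsheet
    }
}
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]     # constructed office range

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def login(user, password, code, now, require_2fa=True):
    """Password check, then (if enabled) a TOTP check tolerating one step of clock skew."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given, acct["pw_hash"]):
        return False
    if not require_2fa:
        return True  # a reused password alone is enough: the scenario in the post
    if code is None:
        return False
    return any(hmac.compare_digest(code, totp(acct["totp_secret"], now + skew))
               for skew in (-30, 0, 30))

def attacker_with_list_only(user, now, require_2fa):
    """Replays the reused password from the leaked list; has no enrolled device."""
    return login(user, LEAKED_MASTER_LIST[user], None, now, require_2fa)

def offsite_logins(events):
    """Successful logins whose source IP lies outside every known network."""
    return [e for e in events if e["ok"]
            and not any(ipaddress.ip_address(e["src"]) in n for n in KNOWN_NETS)]
```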

Punishment and compensation

Several have asked what the punishment for the Cardinals and/or the compensation to the Astros will be, and to be honest I don't know. The law is where my expertise ends. I don't know if the government will pursue legal action against the people involved or if MLB will be allowed to handle this on its own. With the recent high-profile breaches, the government has taken a strong stance on holding attackers accountable for their actions. This breach falls under corporate espionage, so I'm not sure if they will take as hard a line on it or even really care. MLB, on the other hand, will probably want to take a strong stance. This was embarrassing for the Astros last year, and it's even more embarrassing now that another MLB team is involved.

It will certainly be interesting to see the outcome of this episode.

Chris Cupp said...

Tim, you leave crawfish boxes, only to start contributing to Astros County?

I shouldn't be complaining. At least I get to read something from you ;)

And I loved your use of OPSEC. Right on.

Timothy De Block said...

James asked me to put something together. =)

Anonymous said...

The good news is that Bud Selig and Uncle Drayton aren't around anymore to deal with this. Bud woulda let the Cards slide and figured out a way to actually blame the Astros. He probably woulda said " the Astros are at fault for simply existing and as a result, will sacrifice beloved 1st round draft picks to the Cards, Cubs, and Brewers for the next 10 years."

All joking aside, this is a really nasty situation. I seriously doubt the Astros are the only team that the Cards went snooping on. Looks like the so-called "model organization" is a collection of snake-in-the-grass cheaters.

JoeinAlaska said...

I doubt the Feds will prosecute because it's corporate crime. They leave it up to the MLB to handle. I have no idea what Commish Manfred will do as this will be his first big issue to deal with since taking over. Chances are he'll want to use this to make a statement and will come down hard on the Cards. I suspect he'll fine them, no loss of draft picks.

Anonymous said...

Two things:

Very, very unlikely there was such a thing as a "master password list" lying around in the Cardinals offices... that kind of information could only be obtained by a person with system administrator authority to the system. Pretty sure these folks will be examined closely.

Also, once they have the list and begin trying passwords and variations, they might need only one hit and they're in... not fair to assume that everyone from Luhnow on down was not observing good password practices, although it's true that most people do not even when warned repeatedly.

Think the whole thing was probably a prank by some twisted little mooks in the Cardinal offices... but for some reason they weren't smart enough to cover their tracks.