Friday, January 8, 2016

Friday Late-night Links: Cardinals breach of Astros

I'll have some thoughts on the Cardinals breach of the Astros systems below. Here are some links to get you started.

David Barron is killing it (as usual): Chris Correa has pleaded guilty to five of 12 counts of unauthorized access to a computer owned by the Astros. Sentencing is April 11. Which as Barron notes is the home opener for both the Cardinals and Astros.

MLBTradeRumors is also killing it (as usual), with a well rounded update of the days actions.

Here's the actual indictment of United States of America v. Christopher Correa. It's only a five page read (anyone in information security will get a kick out of it).

Walkthrough and thoughts

Perusing the web, most people seem interested in what the Cardinals punishment will be and/or what the Astros will get out of this. I don't have any insight into what could happen here. This is uncharted territory for MLB. The Astros most likely can't sue the Cardinals and the case will have to be handled in house.

What I can speak to is how this went down and lessons learned.

Per the indictment, Chris Correa got access to the Astros database because of password reuse. Plain and simple. When Victim A turned in his equipment to Correa, he was asked for his password. Victim A gave Correa his password. Why would he do this? I'm not entirely sure, but my inclination would be that Victim A had important information on that laptop that Correa needed. Either way a password change of Victim A's Cardinal account or admin account would have accomplished the same thing.

Then Victim A reused or used something similar when setting up his Astros database and email account. This gave Correa the password or something similar to the password. A few character changes and he gets in. That's it.

Correa is now longing into the Astros system, with a legitimate account, accessing information that give the Cardinals a leg up in trade and draft scenarios. This is something that would be very hard to detect, especially with personnel traveling all over the world.

The Astros then have Ground Control featured in the Houston Chronicle, and whoops the non-public URL for logging into the database is in a photo prominently displayed on the Houston Chronicles website. They decide to reset all passwords. Good move. Except that it gave Correa even more access than he already had.

Passwords for the database were reset for everyone (but not email). An email was sent out with a new default password for everyone. Correa, still having access to email, got that password and was now able to login to any account that didn't change the default password. Which how Correa got into Victim B's account. Which had quite the trove of information.

Correa is the criminal here. He accessed the Astros database unauthorized. Whether or not he was looking for proprietary data is irrelevant. His timing coincided with both the trade deadline and the draft. This wasn't about what the Astros took, it's what the Cardinals took and gained an advantage from. Whether or not Correa shared the information with GM is irrelevant. He was in a position to gain from the position he accessed.

On the other side, this was preventable. Password reuse is a big one. Giving a password to another person is even worse. Even with that two-factor authentication prevents this entirely. The password reset is a good idea for keeping people on the outside from getting in. When someone's already in it's much tougher to defend again.

I'm not sure how the database was setup, but sending the same default password to everyone is a bad idea. So is sending a password in an email in general a bad idea. Forcing a password reset the next time someone logs in is probably the best way. Correa could have changed the password for his account access, but that would have sent up a red flag when that person tried to login and his password didn't work.

My question is who and why was internal data dumped on pastebin. Correa had an inside on the Astros database that he could have maintained for a really long time. The pastebin dump was the big red flag that someone was in the Astros database and likely prompted the organization to call in the FBI to investigate. Correa was using TOR but wasn't likely doing enough to clean up his tracks on the inside the database and outside to keep from getting caught.

There's still plenty to follow in this story, but it looks like it's finally winding down. Sentencing, MLB's investigation results, and punishment (or lack-thereof).

This has been fun. Remember kids, never give your password to strangers or anyone for that matter.


Scott Whitt said...

Luhnow has always stated that it was not password reuse. He knows not to use old passwords. Plus, mm when fake Correa said he found St Louis property the judge didn't press him. He effectively let fake Correa take the spotlight off him and cast doubt on Houston. Plus didn't seem to be any questioning about fake Correa acting alone or under directions. He did this at a house used by multiple Crdinals officials.

County Mountie said...

Password reuse is in the indictment, item 8.

The indictment does not specify whether it was Luhnow or another employee. So what Luhnow said is likely true and that it was someone else.

The reason why the judge didn't press Correa, was because his excuse requires a different investigation. This investigation deals with Correa unauthorized access of Astros systems. Why he was in there is irrelevant

JoeinAlaska said...

My bet is that Correa will get a large fine and suspended sentence. The MLB will not punish the Cardinals in any way. They'll just say whatever punishment the court hands out is enough. Manfred does not want the bad PR to continue, so he'll sweep it under the rug as quick as possible.