Friday, January 8, 2016

There's no hacking in baseball - or is there?

The former scouting director of the Cardinals Major League Baseball (MLB) team, Chris Correa, pleaded guilty to hacking charges.  I'm reminded of the famous line in "A League of Their Own" where Tom Hanks says "There's no crying in baseball."  I can just about hear Tom Hanks saying the same for hacking: "There's no hacking in baseball."  Alas, this plea deal proves otherwise.

The charges for the guilty plea
There's so much fun here, I really don't know where to start.

When one of the Cardinals employees (Jeff Luhnow) decided to leave for employment with the Astros, he was told to turn his Cardinals-owned laptop over to management.  He was also told to provide the login password for his laptop.  So far, this is pretty normal (with the possible exception of having to provide his password for access to files).

Come on man... Password reuse again?!
Things get interesting when Luhnow commits the mortal sin of password reuse as he moves to the Astros, a competing team.  The Astros maintained an online system for storing proprietary (and valuable) scouting information that they called Ground Control.  At some point the URL for Ground Control became publicly known.  Correa used this URL along with a derivative of Luhnow's Cardinals laptop password to access the Ground Control system under Luhnow's identity.

After Correa accessed the Ground Control system he may have leaked this data to the press.  In any case, Astros' proprietary data was leaked to the media and this spawned an investigation by the FBI.  According to the plea deal, Correa also illegally accessed another Astros employee's email.

Sentencing
Correa faces up to 5 years jail time and $250,000 for each of the five counts he pleaded guilty to.  Since he was charged with 12 counts, pleading guilty to only 5 may seem like a walk in the park if the other 7 are dropped.  It is unclear whether there were special sentencing recommendations negotiated as part of the plea deal, but part of the plea agreement stipulates that Correa cannot appeal the sentencing decision.  Sentencing is scheduled for April 11, 2016.

We have nothing anyone would hack us for.
How often do we hear this at Rendition Infosec?  Unfortunately, far too often.  And I'm sure we're not alone.  The Astros are not an IT company.  They are a major league sports team.  You can imagine that their proprietary systems weren't getting much love from IT and infosec.  The charges indicate that a derivative of Luhnow's Cardinals password (known to Correa) was used for the Astros' Ground Control system.  It seems unlikely that auditing was enabled on the system; had it been, the failed logins generated while Correa tried different derivatives of Luhnow's password should have been discovered.
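The point above is that a run of failed logins followed by a success on the same account is exactly the trace that trying several password "derivatives" leaves behind, and it is only visible if login auditing is turned on and someone looks at it.  The following is an added example, not code from the original post or from the Astros' system: a small Python detector that reads a constructed, hypothetical authentication log (the line format, account names and addresses are all made up for this example) and flags any account where at least a threshold number of failures precede a successful login from the same source inside a short window.

```python
"""Flag password-guessing bursts in an authentication log.

Added example for this post; the log format below is a constructed,
hypothetical one (timestamp, event, user=, src=), not a real product's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not real data).
SAMPLE_LOG = """\
2016-01-04 09:00:01 LOGIN_FAIL user=analyst1 src=203.0.113.7
2016-01-04 09:00:09 LOGIN_FAIL user=analyst1 src=203.0.113.7
2016-01-04 09:00:17 LOGIN_FAIL user=analyst1 src=203.0.113.7
2016-01-04 09:00:24 LOGIN_FAIL user=analyst1 src=203.0.113.7
2016-01-04 09:00:31 LOGIN_OK user=analyst1 src=203.0.113.7
2016-01-04 09:05:00 LOGIN_OK user=scout2 src=198.51.100.4
2016-01-04 09:06:00 LOGIN_FAIL user=scout2 src=198.51.100.4
2016-01-04 09:06:30 LOGIN_OK user=scout2 src=198.51.100.4
"""


def parse_line(line):
    """Split one log line into (timestamp, event, user, source)."""
    date, time, event, user_kv, src_kv = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, event, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def find_guessing_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (user, src, failure_count, success_time) for every success
    that was preceded by at least `threshold` failures from the same
    user/source pair within `window`."""
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse_line(line)
        fails = recent_failures[(user, src)]
        # Drop failures that have aged out of the window.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if event == "LOGIN_FAIL":
            fails.append(ts)
        elif event == "LOGIN_OK":
            if len(fails) >= threshold:
                alerts.append((user, src, len(fails), ts))
            fails.clear()  # a success resets the burst for this pair
    return alerts


if __name__ == "__main__":
    for user, src, count, when in find_guessing_bursts(SAMPLE_LOG):
        print(f"ALERT {when:%Y-%m-%d %H:%M:%S}: {user} from {src} "
              f"succeeded after {count} failures")
```

With the sample above, only `analyst1` is flagged (four failures, then a success within thirty seconds); `scout2`'s single mistyped password does not reach the threshold.  The threshold and window are the knobs a team would tune against its own baseline of ordinary typos, and the detector is only as good as the audit trail feeding it, which is the post's real point.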

We also need to discuss with employees that they absolutely cannot use passwords (or derivatives) that they used at a previous employer.  This is especially important if the former employer is a competitor.  This is particularly difficult to audit for since we can't expect employees to turn over their passwords used at former employers.  But it needs to be part of our user awareness education nonetheless.

Finally, the sentencing in this case is something we'll definitely be keeping a close eye on.  This is a cut-and-dried hacking case where the guilty party sought and obtained financial gain by hacking a competitor.  While the Astros' losses are hard to quantify, the loss of their proprietary information was definitely costly.  It will be interesting to see how this case is sentenced and what sort of precedent that sets.
