Baseball Rivalry Takes the Low Road In Potential Data Hack

William Kellermann
June 16, 2015

Step aside Video-gate and Deflate-gate. Baseball inter-team rivalry has taken a new turn to the dark side. In the first known case of corporate espionage involving sports teams, the St. Louis Cardinals are under investigation for hacking the corporate network of the Houston Astros. The F.B.I. and Justice Department prosecutors are investigating whether one of the most successful teams in baseball over the past two decades hacked into internal networks of a rival team to steal closely guarded information about player personnel. Investigators have uncovered evidence that Cardinals officials broke into a network of the Houston Astros that housed special databases the team had built.

Of all teams to hack, why the Astros? The motive appears to be revenge executed by front-office employees against a former colleague. Astros general manager Jeff Luhnow was a highly successful executive with the Cardinals until 2011. At St. Louis, Luhnow built a computer network called Redbird housing databases of all the Cardinal’s baseball operations information, including scouting reports and player personnel information. Luhnow used the databases to create the best minor league system in baseball and engineer a “Moneyball” style re-tooling leading to the Cardinal’s 2011 World Series championship. After leaving to join the Astros, Luhnow created a similar program in Houston known as Ground Control. Under Luhnow, the Astros have accomplished a striking turn-around, now leading the American League West.

How did the Cardinals employees allegedly accomplish the hack? Investigators believe the employees used a master password list created by Luhnow and other executives who left St. Louis with him for the Astros. Beginning in 2013, the executives accessed Houston’s Ground Control network purportedly using the passwords that previously gave access to their own Redbird system. Last year, some of the information was posted anonymously including details of trade discussions between Houston and other teams. When asked about the leaks, Luhnow stated, “Today I used a pencil and paper in all my conversations.”

In the seminal 2015 Trustwave Global Security Report, cyber-security firm Trustwave indicates that of the 574 Data Compromise incidents it investigated last year, 28% resulted from weak passwords. Weak passwords were the most-used mechanism to institute a security breach. The most common database security weakness are default or weak passwords, often for highly privileged, shared accounts. Trustwave found that “Password1” is still the most common password in use on corporate networks and databases, followed by “Welcome1”, “P@ssword”, Summer1!” and “password” to round out the top five. Further eight character passwords are in use 39% of the time.

Such passwords can be cracked in less than a day. Conversely, it would take almost two years to crack a 10-character password. The most likely explanations for finding these common passwords in use are network administrators setting easy passwords for new employees or as part of a password change request. These passwords are never changed. Typically businesses do not force a user to change a temporary password on first-access or are not enforcing password expiration dates.

A separate, but related issue exposed by the Cardinals-Astros hack is the propensity of employees, especially executives, to reuse the same password for multiple, unrelated systems.

Unfortunately, as with many cyber-security incidents, the fix is obvious but chronically difficult to implement.

Passwords are intended to prevent unauthorized access to information. As such a strong password policy and related IT procedures should be implemented and enforced. At a minimum the policy should address the following best practices:

  • Passwords cannot contain the user name or parts of a user’s full name, such as a first name.
  • Users must keep passwords confidential and not share with anyone, ever. (But consider the utility of password aggregators like LastPass.)
  • Set a minimum password length. Passwords should now be at least 10 characters in length – 14 characters is better.
  • Enforce password history policies. Previous passwords cannot be reused. Set minimum and maximum password aging.
  • Force an immediate password change when first accessing a system after a password re-set by an administrator.
  • Store passwords using encryption
  • Never write down a password and keep it near an end-point
    Never send both login and temporary password information in the same email. Send the login and then call the user with the temporary password.
  • Passwords must meet complexity requirements – a password policy should require the following characters be used:
    • Uppercase Letter
    • Lowercase Letters
    • Special Characters
    • Numbers

Information security is not just an IT problem. All employees must take security seriously and one place to start is personal accountability for passwords. Password policy, along with other issues of social engineering are a persistent threat that can be best addressed both systemically, with common sense and with ongoing information security training as part of a broader, proactive Information Security plan.