

What We Can Learn From the St. Louis Cardinals Hacking Fiasco

It's never like the movies, dammit.
Image via Flickr user Adam Thomas

The New York Times account of how the St. Louis Cardinals are being investigated by the FBI and the U.S. Justice Department for logging into the Houston Astros' internal database and stealing information used words such as "hacking", "corporate espionage", and "vengeful front-office employees", although the alleged crimes appear to be much less nefarious than that. This was no Soderbergh blockbuster, for sure.


In the understatement of the week, the Times says the intrusion "did not appear to be sophisticated." What actually happened is the stuff of middle school hijinks:

"Investigators believe Cardinals officials, concerned that [current Astros general manager and former Cardinals executive] Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros' network, law enforcement officials said."

This was "a very formulaic approach to espionage," security expert Ira Winkler, president of Secure Mentem, told me over the phone. He added that this case had a slight twist: "usually a person hacks into their past organization, not the other way around."

If the allegations are true, Winkler says, the Cardinals officials committed "many crimes," including violations of the Computer Fraud and Abuse Act (CFAA), the statute most infamously known as the main charge against Reddit cofounder Aaron Swartz. Still, Winkler says this is a straightforward case. "They logged into a system they didn't have access to with someone else's information."

But according to the Times quote above, Luhnow may have committed a crime as well. "If he created data while employed with the Cardinals," Winkler told me, "he might have violated laws as well because he couldn't have taken it with him." Any algorithms or data Luhnow made while employed by the Cardinals belonged to the Cardinals. This would have been a more traditional—but still illegal—form of industrial espionage.

As far as Winkler is concerned, all parties involved practiced very poor security awareness. The Cardinals should never have had a "master list of passwords" for the system; Luhnow should never have reused the same passwords at his new employer; the Astros should have instructed Luhnow to make sure he used different passwords; and the Astros should have used multifactor authentication, a basic security feature that requires a second proof of identity (such as a one-time code from a phone app or hardware token) in addition to the password, so that a stolen or reused password alone is not enough to log in.
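To make concrete what the second factor changes, here is an added example (not code from the article, from Winkler, or from either club) in Python: a login that first checks a salted PBKDF2 password digest instead of a plaintext list, and, when MFA is on, also requires a time-based one-time code per RFC 6238, the algorithm phone authenticator apps use. The account record, user name, salt and the reused password are constructed for illustration; the TOTP secret is the RFC test-vector key, not a real one. The example goes a little beyond the article by showing the full code-generation algorithm rather than only the policy.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# --- Password storage: salted PBKDF2 digests rather than a readable "master list" ---

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A stored digest cannot be read back as a password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# --- Second factor: HOTP (RFC 4226) and TOTP (RFC 6238), HMAC-SHA1, 6 digits ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a 64-bit counter, using RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current code plus `window` steps either side to tolerate clock drift."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


# --- Constructed account record (hypothetical user, not real data) ---

_SALT = bytes.fromhex("6f6c642d636c75622d73616c742d3031")  # fixed so results are reproducible
ACCOUNT = {
    "user": "jdoe",
    "salt": _SALT,
    "pw_digest": hash_password("reused-from-old-club", _SALT)[1],
    "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector key, illustration only
}


def login(password: str, totp_code: Optional[str], at_time: int, mfa_enabled: bool) -> bool:
    """Password check first; with MFA on, a valid TOTP code is also required."""
    if not check_password(password, ACCOUNT["salt"], ACCOUNT["pw_digest"]):
        return False
    if not mfa_enabled:
        return True  # a password copied from the old employer's list is enough
    if totp_code is None:
        return False  # the attacker has the list but not the phone
    return verify_totp(ACCOUNT["totp_secret"], totp_code, at_time)


if __name__ == "__main__":
    now = 59  # RFC 6238 test time: counter 1
    stolen = "reused-from-old-club"  # password taken from the old employer's master list
    print("no MFA, stolen password   ->", login(stolen, None, now, mfa_enabled=False))  # True
    print("MFA, stolen password only ->", login(stolen, None, now, mfa_enabled=True))   # False
    print("MFA, password + phone code->",
          login(stolen, totp(ACCOUNT["totp_secret"], now), now, mfa_enabled=True))      # True
```

The three calls at the bottom replay the article's scenario: with only a password on file, the copied credential logs in; once MFA is enforced, the same password fails without the code, and succeeds only when the current code from the enrolled device is supplied.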

Because such basic measures are freely available, calling this hack unsophisticated implies that other hacks are something more advanced. But Winkler says this isn't the case. "Lately, all of the significant hacks we've seen have been password-based attacks."

The Sony hack, for example, was a password-based attack that began with phishing—which requires little technical prowess—and was exacerbated because too many Sony employees used the same passwords for work and personal accounts. So while everyone involved in the story may be, as Deadspin quipped, an idiot, there are far more idiots out there than most people think.

"Even attacks called sophisticated are actually unsophisticated," Winkler said. "This is what most attacks are."