Those in the privacy and data security (or baseball) world should be familiar with the St. Louis Cardinals and Houston Astros hacking incident. Former St. Louis Cardinals’ scouting director, Chris Correa, was recently sentenced to 46 months and ordered to pay restitution after pleading guilty to five counts of unauthorized access of a protected (Astros) computer, bringing an end to the federal criminal investigation. Recapping the hacking highlights, Correa accessed the Astros’ proprietary player information database, Ground Control. Ground Control contained the Astros’ “collective baseball knowledge” drawn from player statistics, impressions and opinions of the team’s scouts, coaches, statisticians and doctors, and other sources. Correa also accessed the email accounts of several members of the Astros front office including “Victim A” (likely former Cardinals executive and present Astros general manager Jeff Luhnow), “Victim B” (likely former Cardinals and present Astros sabermetrician Sig Mejdal), and at least one other person. According to the Astros, Correa accessed Ground Control at least 60 times on 35 different days over a 15-month period; one can only speculate as to breadth and depth of Correa’s access to the Astros’ email system. The intrusions initially appeared to have emanated from a device housed in a condominium in Jupiter, Florida (the Cardinals’ spring training home), but given the lengthy period of time, likely involved other devices in other locations. Correa gained access to the Astros’ systems by having Luhnow’s Cardinals’ passwords which were “similar” to his Astros’ passwords. Correa both reviewed and downloaded Ground Control information.
The Ground Control information was partially published in public sources approximately a year after the first intrusion. This prompted the Houston Chronicle to report on the breach. When the Astros discovered the breach is a bit fuzzy. However, in response to discovering the breach, the Astros sent an internal email noting a change in the Ground Control URL, urging employees of the need to reset passwords and including a temporary new password. Correa, having Astros email access, simply used the temporary password and new URL for Ground Control contained in the email to gain access for another three months.
There are many plays to be had in reviewing this breach incident. Did the Cardinals gain a competitive advantage? What information do the Cardinals still possess (assuming all information was “returned or destroyed”)? How pervasive was the Cardinals’ knowledge of Correa’s actions (to be fair, no one else was charged and the Cardinals have stated Correa acted as a “rogue employee”)? Did the Astros steal the Cardinals’ information (as Correa maintains and the Astros deny)? Most importantly (at least in St. Louis sports radio), what sanctions will Major League Baseball impose on the Cardinals?
All are fine and good topics, but how about this one: What the heck were the Astros thinking? Houston, you had a problem, several in fact. This is not a “blame the victim” piece. Rather it will outline the Astros’ mistakes presenting eight lessons to reduce the possibility of a data breach and one lesson on how to handle a breach should it occur. Most of these are common sense suggestions, yet the mistakes keep happening.
Lesson 1 – do not use the same or derivative passwords of prior passwords and always use strong passwords. Correa gained access to the system by guessing user names and passwords. He had Luhnow’s Cardinals’ passwords (why Correa received Luhnow’s devices and passwords is another interesting topic). From there, Correa guessed Luhnow’s new user name and password. No doubt Luhnow had “complex” passwords for each team. Perhaps for the Cardinals it was “Cardinals2011WSChamps!” and for the Astros it was “Astros2014WSChamps”? Complex in that it has more than eight characters, uses upper and lower cases, numbers and symbols, but we should not confuse “complex” with “strong.” To be strong, a password must be both complex and unique. Many hacks and identity thefts start with the same, similar or derivative passwords of previously used passwords. If you have the old one, the new one is much easier to guess. Obtaining old passwords is notoriously simple. Neither “brute force” (the ability to generate massive numbers of passwords in a short period) nor malware variants were employed in this intrusion. Please, until a more affordable, better system is widely employed, use strong passwords.
Lesson 2 – require frequent password changes. Because the intrusions occurred over a 15-month period, the Astros clearly did not require users to frequently change passwords. Good practice would have required changes at least every three months; critical systems more frequently. Even assuming Lesson 1 was ignored, requiring more frequent password changes would have severely limited the duration and frequency of the breaches.
Lesson 3 – use separate, strong passwords for different systems. It seems apparent that the Astros allowed the same password to be used for multiple, critical systems – email and Ground Control. Had a multiple password system been implemented, even if Lessons 1 and 2 were ignored, intrusion may have been limited to one system.
Lesson 4 – employ lockouts. Ok, maybe Correa guessed Luhnow’s password in a few tries. However, I’m guessing it took more than five attempts, which seems like a good default number before someone is “locked out” of the system and has to contact IT (or at least wait some time before retrying login). Further, if frequent password changes go unheeded, users should be locked out by the passage of time. Perhaps, having been locked out at the beginning (as Correa probed the system), “Victim A” might have called IT and said “I can’t get in…help.” IT might have replied “you are locked out because you have unsuccessfully tried to login five times in the last 30 minutes. We’ll need to reset you. Give me your password.” To which Victim A retorted, “Uh, my password is “Astros2014WSChamps?” but I have not tried to login since yesterday.” At which point an attempted intrusion would have been apparent and IT should have recognized the password was not sufficiently strong. Finally, repeated lockouts of the same user or device should set off the “intruder alert” alarm.
Lesson 5 – know your devices. Everyone should have an inventory of approved devices and a mechanism for tracking unapproved devices. Sure, users might login from a hotel business suite or mom’s house, but these infrequent logins from unknown devices and places should at least raise curiosity and perhaps a small barrier to entry. Correa used at least one device located in a condominium in Jupiter, Florida. This “new” device should have been detected by the Astros and someone should have contacted the authorized user, if for no other reason than to verify the device and add it to the “approved list.” Contact should have been made by phone or in person – see Lesson 7.
Lesson 6 – know what is happening to your data. Correa did not add content to Ground Control. He only viewed or downloaded materials. Ground Control was clearly an interactive system. We would expect Ground Control’s users to act in a reasonably similar way on any device. Bells should have sounded when actions varied dramatically between devices. Be aware when “users” and devices act in unexpected ways.
Lesson 7 – use “low tech” when appropriate. Notifying people to change passwords is fine, even a best practice. Notifying your employees that they need to change passwords after you have had a breach and providing a temporary password by the same email that was hacked, err…not so much. Here’s a thought – send the temporary email in a decidedly low tech way, avoiding the compromised systems you are trying to fix. Temporary password delivery by interoffice mail, hand delivery or by phone works. Perhaps this low-tech delivery method is a bit inconvenient, but better than allowing another intrusion for three months by using a compromised system to work around the same compromised system. In the aftermath of the breach revelation, Luhnow, in his words, used “a pencil and paper.”
Lesson 8 – follow through. The Astros discovered the breach in March 2014. Yet Correa apparently used the temporary password sent at this time to access Ground Control for another three months. “Temporary” is for a short duration, perhaps hours or a few days at most. “Temporary” should not be interpreted to mean “when I get around to it.” Someone needed to follow through to insure the temporary password was replaced by a new, strong password in short order. In such situations combine a temporary password, delivered other than by email, with a time lockout for implementation of a new, strong password – golden!
Lesson 9 – know your story and pick your storyteller wisely. In the aftermath of the initial breach, the Astros put out a rather perfunctory statement indicating the Astros were aware of the breach, working with MLB security and the FBI to determine the parties responsible, intending to prosecute those responsible, and noting some of the released information was fabricated (apparently as a sop to anyone mentioned – “Billy, we don’t know where that one came from. You’re the foundation of this franchise!”). The statement is fine as far as it goes, but the Astros should have made a fuller statement including addressing those not affected by the breach. Something as simple as adding: “Because this is an on-going criminal investigation, we can provide few additional details. However, we want to assure our fans that none of their personal information was compromised, including any of their financial or credit card information.” Compounding the inadequate statement, the Astros contemporaneously held a press conference to address the breach by sending out…you guessed it…Jeff Luhnow. Notwithstanding Luhnow being the General Manager, he was absolutely the last person that should have been handling this press conference as the breach involved him, his email account and the system he created. While it is fortunate Astros beat writers interviewed him and not Brian Krebs, his answers were rambling and poorly informed. This situation calls for a well-rehearsed, perhaps scripted, presentation by a spokesperson removed from the actual breach; in short, anyone other than Jeff Luhnow. The Astros did not appear to have a good plan in place for handling a data breach before it occurred.
These Lessons will not prevent all attacks, but, properly implemented, they can eliminate or minimize many avoidable data security incidents and inform on properly conveying your message should one occur.