An “Unsophisticated” Breach is Still Bad News for the Cardinals

(Editor’s note: After this article was published, Jeff Luhnow told Sports Illustrated that he does not believe this issue happened due to the re-use of passwords. As no official report has been presented, we will leave this article up until further evidence is provided.)

Baseball met espionage without the help of Moe Berg on Monday, as news broke that the FBI was investigating the St. Louis Cardinals under allegations that they unlawfully accessed the internal database of the Houston Astros, known as Ground Control. Nathanial Grow did an excellent job going over the legal implications over at the mothersite, so make sure to check that out to get a sense of how badly this could end up breaking for St. Louis. But since we’re cover the tech stuff, I want to talk about how something like this could have happened.

In the New York Times article, specific mention is made that the “intrusion did not appear to be sophisticated” and that law enforcement believes that it was perpetrated by Cardinals front-office employees. This seemed to soften the initial blow a bit, making it clear that St. Louis wasn’t employing black hat hackers to crack Houston’s system. Instead, those responsible seemed to have gained access to passwords used by Jeff Luhnow and those he took with him when he left for St. Louis for the Houston GM job. And while this isn’t a malicious as someone trying to forcefully access Ground Control, it still casts the Cardinals in bad light. Low-level or not, the Houston data breach represents some serious security holes found in the IT practices of the Cardinals.

Let’s get one thing out of the way. Using someone’s old password isn’t really “hacking.” For one:

And secondly (language warning):

No, nothing really got hacked. It just got accessed. If Cardinals officials had passwords, all they needed was the user name of Luhnow or the person in his stable (it’s not clear whose actual account was used). But that doesn’t mean this should have occurred. Actions of some kind were still taken. So, how was it done? Well, there are a few possibilities.

Some Dummy Wrote Their Password Down

The Silicon Valley clip above is jokey, but it’s based on a lot of truth. I’ve worked in IT for over a decade. I’ve seem passwords written on Post-Its — sometimes hidden under keyboards, sometimes attached right to computer monitors. Most companies install policies that users need to change their password every three months or so. This … confuses people. They have trouble remembering. They write passwords down. Those tend to get left around. It’s dumb and a little sad, but it’s very possible that this whole scandal comes down to something like this.

Some Dummmy Shared Their Password

This is also all too common. Passwords get sent to assistants all the time. I’ve talked to executives who didn’t know their passwords at all. Their assistants updated their phones and laptops when the time came to change passwords. People in the same departments share login credentials all the time. “Crap, I can’t login. Jerry, give me your password. I need this spreadsheet.” They’re not looking to cause data breaches, they are just unaware of their actions. If some IT people wanted to get access to Ground Control, it would be very easy to search email logs and dig up some passwords.

The Cardinals Stored User Passwords as Plain Text

During Luhnow’s tenure in the front office, the Cardinals apparently used a system similar to Ground Control called Redbird. This most likely utilized some kind of content management system, which is built on top of a database. These databases have user tables that include things like names, contact info, usernames, and passwords. Ideally, the passwords would be hashed. Simply put, hashing passwords means changing plain passwords like “mypassword” into a bunch of numbers and letters — “mypassword” becomes “ajd923if902rnasdf09992on”. This gibberish is actually what’s stored on the database, and the server never sees the actual password. It keeps the hash translations elsewhere and just uses the hash to authenticate when a user logs in.

But that’s in a perfect world. It doesn’t always happen. This happened to the Sony Playstation Network a while back. It happens lots of places. It’s very feasible that Cardinals officials — whoever they were — simply pulled up a user that left and was able to see their password clear as day.

Whatever happened, I would bet it lies somewhere within these three options. Anything above that — attacks on properly-encrypted passwords through dictionary or rainbow table attacks– not only would infer serious maliciousness, it would mean the passwords were obtained by someone with a great deal of computer savvy.

Remember, the FBI was able to associate the Cardinals with this because the unauthorized access was traced to a home where known Cardinals people lived or hung out or whatever. Anyone with the smarts to properly reverse engineer and encrypted password probably would know that pretty much any time anyone accesses a server (Google, Facebook, Amazon, Twitter), their public IP address is logged. A password hacker would know to go to a library or use Tor or some other IP-masking tool. But this does not absolve the Cardinals in the least, and it probably makes it worse.

If a former Cardinal employee cracked the Redbird database to obtain passwords to use on Ground Control, the Cardinals could easily say that they are sorry and have taken measures to upgrade the security in their corporate offices. But if this all happened due to some low-level password-finding mission, it means that whoever is in charge of IT over there is lazy at best, or just plain unqualified. Or perhaps Redbird fell out of the realm of regular IT functions. Either way, it’s not good.

If a couple of interns could get access to user passwords this easily, imagine what could happen if someone who knew what they were doing gave it a go. Emails, text messages, photo backups, contracts, salary information, social security numbers — all of it could be at risk. You think we got some tasty stuff when the Ground Control documents were leaked? Imagine the field day Deadspin would have if someone managed to get a hold of John Mozeliak’s emails. People would be poised for ridicule, embarrassment, even identity theft, all because a company that operates in a field ripe for corporate espionage wouldn’t take steps to properly protect people’s passwords.

It’s a sign of the times. Database teams within baseball clubs are a fairly new thing. There are still bugs to be worked out — no pun intended. However, if this whole boondoggle doesn’t open the eyes of the other 28 MLB teams (and probably some NFL, NBA, and NHL teams as well), then I don’t know what will. I imagine some memos have been sent out this morning outlining new security policies. Or at least they should. Because while cracking passwords has become harder, simply copying them down never will.

(Header image via Pablo BD)