The FBI is investigating one of the best baseball teams in the US after it allegedly broke into a database belonging to one of the worst.
Investigators told the New York Times that the FBI and Department of Justice (DOJ) prosecutors are accusing front-office staff of the St. Louis Cardinals of “hacking” into an internal network of the Houston Astros to steal closely guarded information about players, including internal discussions about trades, proprietary statistics and scouting reports.
Calling it “hacking” is quite a stretch, given what we know about the deed, which allegedly involved:
- Using the old passwords Astros General Manager Jeff Luhnow used when he worked overseeing drafts for the Cardinals, which Luhnow never bothered to change when he got the job as general manager for the Astros.
- The not-so-l337 H4x0rs also allegedly accessed the Astros’ database from their own home, making it simple as pie for the FBI to track them down.
Why the Astros, a team known as a perennial loser?
It sounds like a matter of bad blood between the rival teams.
As the New York Times subsequently reported, Luhnow was a numbers guy who’d been influenced by the film “Moneyball” and focused that type of statistics expertise on acquiring players.
It worked for the Cardinals: the team made it to three World Series and won two of them under Luhnow’s management of its draft.
He took his know-how over to the Astros in 2011, along with Sig Mejdal, a former NASA engineer whose title is director for decision sciences.
Mejdal in turn used his work on astronauts’ decision making to improve the team’s drafting.
Luhnow, with his data analytics approach to baseball, has apparently worked the same kind of magic at the once pathetic Astros that he pulled off in St. Louis: an achievement that Bloomberg Business called “a project unlike anything baseball has seen before”, akin to what Mitt Romney used to do to steel companies while at Bain Capital: “stripped them down with ruthless efficiency to build them back up again, stronger and better than before.”
The Astros are now, in fact, in first place in the American League West division.
This success can’t feel good to the Cardinals, the team that Luhnow left behind.
Theories about the motivation for Cardinals’ front-office staff to allegedly trespass into the Astros’ internal workings include resentment over Luhnow’s departure; bad feelings from when he was with St. Louis, given that he was what the NYT calls a “polarizing figure”; or a suspicion that Luhnow took proprietary information with him to Houston.
Luhnow reportedly built a computer network, called Redbird, while he was with the Cardinals.
It housed all the intel on baseball operations, including scouting reports and player information.
When he joined the Astros – taking some front-office personnel with him – he created a similar program and called it Ground Control.
Investigators told the NYT that they believe that Cardinals’ personnel, concerned that Luhnow had taken such proprietary baseball information to the Astros, examined a master list of passwords Luhnow and the other officials used while working for the Cardinals.
Evidence is pointing to the Cardinals employees having used those same, evidently unchanged passwords to gain access to the Astros’ network, investigators said.
It wasn’t hard to guess the password: after all, the Cardinals had a master list of passwords, which was proprietary information.
That lack of password hygiene is likely what led to 10 months’ worth of Astros’ internal discussions about trades having been posted online at Anonbin, a site where users can anonymously share hacked or leaked information, a year ago.
Major League Baseball notified the FBI, under the impression that the Astros had been hit by a rogue crook – certainly not by another major league baseball team.
That’s when the investigation started. It soon led to a computer at a home that some Cardinals employees had lived in.
As Deadspin’s Tom Ley tells it, every move in this “hacking” game reflects security fouls:
- reusing passwords (a major security sin);
- leaving a clear path to your home IP address because you don’t have the brains to use an internet cafe to do your snooping;
- building a proprietary database and then just tucking it under your arm when you walk out the door;
- leaving two-factor authentication (2FA) out of the design of this precious repository of baseball knowledge (indeed, 2FA could have made this so-called “hack” impossible to pull off);
- showing off your ill-gotten goods on a public paste site for all to see (not what you’d call subtle!).
Who’s on first?
Nobody I’d hire for their security expertise!