As I'm sure you've heard by now, the Astros had a breach about a month ago and some of the information involved in the breach made its way to Anonbin, a site that allows individuals to discreetly make files publicly available. This is the first time I can remember hearing of a professional sports team being breached like this.
As some of you know, by day I make my living as an information security professional and I've had the unfortunate opportunity of having to deal with situations like these at my place of employment. I live in a constant state of paranoia, because security is not an absolute. New vulnerabilities and techniques are discovered daily. One little misstep and you'll be pwned.
So where to start? How about when the breach occurred.
In his comments to the media, Jeff Luhnow said:
"It didn’t start today, we knew this — we were informed about this about a month ago."
About a month ago puts this right before the June Amateur Draft. I know what you're thinking:
"they were trying to figure out the number one pick!"
The thing is, that was when they were informed that a breach had occurred or was occurring.
The file that was uploaded to Anonbin that had information about this past offseason stops at March 18, 2014. It's possible the actual breach itself occurred between the end of March and late May to early June, but there's nothing to say that the attackers weren't in there much longer than just a few months. According to Verizon's 2013 breach report, it took 66% of organizations months or years to identify that they had been breached.
How did they discover the breach?
"We found — it came to our attention that it was out there. And we found it and tried to adjust it at that time and for a while it was not there and then it came back."
This quote from Jeff Luhnow is interesting. It almost sounds like the Astros found some data from their database somewhere on the internet and were able to get it taken down. Clarification from the Astros on what this means would be great. It could mean that they saw their data outside the agency first and realized they had a problem, but again, that's just speculation.
What's more likely is that an alarm was triggered within the organization and an investigation by the security team began. Logs were sifted through and the authorities, in this case the FBI, were called.
Who stole the data?
"Yes. It was definitely an outside entity that decided to come in illegally and try and take information."
This is a bit tricky, because as I'm sure many of you know, there are these things called proxies which allow you to reroute your connection to the internet through other systems. Possibly a system, somewhere outside of the Houston Astros broadcast rights area. A smart attacker that plans to break into somewhere he's not supposed to be is going to route his connection to the internet through several different proxies around the globe, which makes it very hard to track.
What we can ascertain is that the individual(s) who broke in are considered criminals and are being pursued as criminals.
"When you’re attacked criminally by an unknown source, an unknown entity, it’s frustrating. You don’t know. We have law enforcement and they will do whatever they need to do."
Which makes me wonder what all they took.
We know they took records of communications between the Astros and several other clubs. Is that a criminal offense? Actually, yes. They took property from the Astros, not meant for public consumption. What worries me, though, is the Astros have not come out and said no financial or personal information was taken from their organization.
During the major league season Minute Maid Park handles transactions for services and goods. If they got into Ground Control what other systems did they get into? Credit card information is very valuable on the black market, especially if a breach hasn't been disclosed to the public.
Taking into account Luhnow's opening comments:
"It’s a very unfortunate circumstance. When somebody illegally from the outside breaks into (a) proprietary database that we have"
I don't think financial or personal information was accessed, but I can't entirely take it off the table and I would love for the Astros to come out and say whether or not that kind of data was taken. In the meantime, if you've been to Minute Maid Park recently, I would keep a keen eye on your credit card statements. It's actually not a bad habit to get into.
What was the motivation?
Usually, when breaches like this occur, organizations are quick to point out that credit card or personal information had or had not been compromised. The Astros have indicated neither. Criminals in the digital world are for the most part motivated by one thing: money. Communications between the Astros and other teams aren't valuable to a lot of people, but credit card information for the million(s) of people that attend Minute Maid Park each year is.
Yes, this next motivation should be thrown in the tin-foil-hat bin, but espionage does happen in the corporate world and I think it could happen in the professional sports world, where millions of dollars are at stake for organizations. It's unlikely, but it is possible that another team was trying to get an edge on the Astros and if they could get into Ground Control, they would have a significant advantage over the Astros.
There's also the always fun situation of the "disgruntled employee". With the Astros' overhaul of its front office and internal staff, there are plenty of those around.
Then there are people who just like to watch the world burn. They hack stuff because they can. Enjoy the thrill of breaking into places they shouldn't be and getting away with it.
Any one of these motivations could be a viable option for getting into the Astros network.
How did they get in?
There are any number of ways to get into a network.
- In regards to a disgruntled employee, an active account that was supposed to be deactivated.
- A vulnerability in some software or public facing website used by the organization.
- An employee gave up login information via spear phishing (yes, people still do fall for those), malware or social engineering.
- Open ports on the database or server.
- Code injection.
- Not changing network information that had been posted on the internet.
Evan Drellich had this tweet earlier today:
The day that the Chronicle published the Ground Control feature, the URL of the website was visible in a photo. URL was quickly changed.
— Evan Drellich (@EvanDrellich) June 30, 2014
I also had a story on my personal site earlier this year about how one of the journalists tweeted out a picture with the Astros Pressbox WiFi Info on it. The WiFi picture, like the photo from the Chronicle, was taken down, but all that was needed for that information to be compromised was for it to be up on the internet for exactly one second. Just long enough to take a screenshot.
The press WiFi, I'm guessing, is likely segmented from the rest of the Astros network and is probably run by MLB's IT department since the SSID and passwords seem to be used across multiple ballparks. Hopefully, the Astros or MLB took the precaution to change that information. Likewise, the URL that appeared in the Houston Chronicle article should have been changed and could be changed relatively easily.
Another potential attack vector not mentioned above is people who travel a lot, and the Astros are an organization that has people traveling year round. A connection to the wrong WiFi network could compromise that system. The Astros network boundary isn't just around Minute Maid Park; it's around every Astros front office member that travels with a laptop and remotes back into the network. Any one of those machines gets owned or lost and it's a potential avenue back into the Astros network.
In our TCB email thread, I was asked what the easiest way to get in would have been and I think it would be via a spear phishing email. A spear phishing email is not the Nigerian prince phishing email. It's a more sophisticated targeted attack against an individual. A spear phishing email will be crafted in a way that it appears to be from someone or an organization you deal with on a regular basis. Get someone with access to Ground Control and boom, you're in.
I have no inside knowledge of the Astros network, so I can't really speculate on how the attackers got in and got the data that they did (nor would I really share if I did). There are just too many potential attack vectors, some of which they may not have known about.
Fallout
The Astros have conducted a review of their security measures and policies and have adjusted accordingly. There's a good chance they already know how the breach occurred and closed that security hole.
They'll have the public relations mess with other teams and players to deal with, but that will eventually be forgotten and it will be business as usual. The embarrassment will also eventually be forgotten. Well, as long as it was just some communications and some statistical data taken from Ground Control.
I was asked what would happen to the person that did this if they get caught. I am not a lawyer, and maybe some of our lawyer readers can clarify what could happen, but a lot of cases like this are being prosecuted under the Computer Fraud and Abuse Act (CFAA). The CFAA is a very antiquated law that allows organizations to put people away for a very long time.
Could the breach have been avoided?
Without knowing the exact details and what systems and procedures the Astros use, it's hard to tell. Being a multi-million dollar company, I would expect they have the best systems and the best people in place to manage those systems that protect their information.
Going forward, I expect we'll see more of these breaches involving professional sports teams. More and more organizations are being breached every year, which is a point that was made in the Verizon breach report I noted above.
There is no absolute when it comes to security. New vulnerabilities, bugs and techniques are being discovered daily. All an organization can do is minimize its risk. The question in today's digital age is not about if a breach is going to occur, it's when and whether or not you're prepared for it.