Security is Details – “Devil is in the Details”

In the security field we seem to be going over the same ground over and over.

The reason for this is that everyone wants security to be easy, an afterthought, but when it is treated that way problems come up sooner or later…

I did not lead with the Cardinals versus Astros story, but the story reminded me of “the devil is in the details”.

The NY Times broke the story: http://www.nytimes.com/2015/06/17/sports/baseball/st-louis-cardinals-hack-astros-fbi.html

[Image: st-louis-cardinals-houston-astros]

The image is from a recent game between the two teams; the image rights belong to Major League Baseball and the respective teams.

The official press releases from both teams state that they are abiding by the FBI investigation and will let us know when it finishes.

What exactly happened? That is the big question. Apparently there have been some personnel changes from the front office of the St. Louis Cardinals to the Houston Astros.

Jeff Luhnow, the current Astros general manager, was with the Cardinals until 2011.

Apparently Mr. Luhnow had passwords for access to computer databases and general connections (user IDs?). The current guesstimate is that the password used in 2011 was also being used in Houston 4 years later.

So some mischievous and energetic St. Louis Cardinals front-office person was apparently given the password by Mr. Luhnow. 1st mistake.

That knowledge was then used to access the Houston Astros network/database. (Why is the Houston Astros database or network structure the same as the St. Louis Cardinals’?) 2nd mistake.

In that access attempt, the same username and password that Mr. Luhnow had used in St. Louis were supposedly also used to access the Houston system. 3rd mistake.

Let’s recap:

1. Never give your password to another person. If you have to, the password must be changed, NO EXCEPTIONS. 1st mistake averted.

2. When one person moves from one organization to another it is good to change passwords. Do not reuse passwords for years; change passwords every 90-120 days. This may be a difficult task, but make it part of your life. 2nd mistake averted.

3. Have somebody make sure that the usernames and passwords are not easily guessed by running password crackers against the database periodically. (This is a highly sensitive task, but very useful.) 3rd mistake averted.

4. The username construct should not be simple to guess (i.e. firstname.lastname or a similar construction). (If Mr. Luhnow had changed his username construct and changed his passwords over those 4 years, the 1st through 3rd mistakes would have been averted.)
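As an added example (not code from the post or from either team), a small Python credential-hygiene audit that encodes the four recap items above and runs them over constructed sample accounts. The account names, dates, passwords and the weak-password list are assumptions built to mirror the story; the 120-day limit is the upper bound the post gives.

```python
import hashlib
import re
from datetime import date

MAX_PASSWORD_AGE_DAYS = 120                              # post: rotate every 90-120 days
WEAK_PASSWORDS = {"password", "baseball", "astros2015"}  # constructed stand-in for a cracker's wordlist
GUESSABLE_USERNAME = re.compile(r"^[a-z]+\.[a-z]+$")     # firstname.lastname construct

# Constructed sample data mirroring the post's scenario: one person keeps the
# same password across two organizations for four years; a colleague is clean.
SAMPLE_ACCOUNTS = [
    {"org": "cardinals", "username": "jeff.luhnow", "password": "Redbirds2011!",
     "last_changed": date(2011, 6, 1)},
    {"org": "astros", "username": "jeff.luhnow", "password": "Redbirds2011!",
     "last_changed": date(2011, 12, 1)},
    {"org": "astros", "username": "jsmith42", "password": "qT7#wLp!2vXz",
     "last_changed": date(2015, 4, 1)},
]

def fingerprint(password):
    # Demo-only digest so passwords can be compared without printing them;
    # a real audit would work on stored verifiers, never on plaintext.
    return hashlib.sha256(password.encode()).hexdigest()[:16]

def audit(accounts, today):
    """Return {"user@org": [findings]} for every account breaking the recap."""
    findings, seen = {}, {}          # seen: fingerprint -> first (org, username) using it
    for acct in accounts:
        issues = []
        key = (acct["org"], acct["username"])
        prev = seen.setdefault(fingerprint(acct["password"]), key)
        if prev != key:              # mistakes 1 and 3: password shared or reused
            kind = "reused from" if prev[1] == key[1] else "shared with"
            issues.append(f"password {kind} {prev[1]}@{prev[0]}")
        age = (today - acct["last_changed"]).days
        if age > MAX_PASSWORD_AGE_DAYS:                  # mistake 2: never rotated
            issues.append(f"password is {age} days old")
        if acct["password"].lower() in WEAK_PASSWORDS:   # recap item 3
            issues.append("password is in the weak-password list")
        if GUESSABLE_USERNAME.match(acct["username"]):   # recap item 4
            issues.append("username is a firstname.lastname construct")
        if issues:
            findings[f"{key[1]}@{key[0]}"] = issues
    return findings

def audit_sample():
    return audit(SAMPLE_ACCOUNTS, date(2015, 6, 17))   # the date the story broke

if __name__ == "__main__":
    for account, issues in audit_sample().items():
        print(account, "->", "; ".join(issues))
```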

Other “detail oriented news”:

LastPass was hacked (from their blog): https://blog.lastpass.com/2015/06/lastpass-security-notice.html/

Their network was compromised:

{ We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised. }

If you look at the important points: ‘suspicious activity on our network’, LastPass account email addresses, password reminders, server per-user salts, and authentication hashes.

The last piece of information is why the LastPass organization decided to issue a notice asking users to change their password.

The hackers accessed the account email addresses (the usernames) and the password reminders, which means they can change the passwords if they are crafty enough.

Details matter; that is why it is good to sometimes have somebody check your work, someone who is not on your payroll and will not be influenced by the thinking of the current employees. Create policies that do not allow these basic mistakes.

Update to this story (6/19/2015):

http://www.crawfishboxes.com/2015/6/18/8803541/luhnow-responds-to-the-ground-control-hacking-story

Astros GM Luhnow responds to hacking story:

{His passwords were not the problem and plenty secure, thank you very much. He said,

I absolutely know about password hygiene and best practices. I’m certainly aware of how important passwords are, as well as of the importance of keeping them updated. A lot of my job in baseball, as it was in high tech, is to make sure that intellectual property is protected. I take that seriously and hold myself and those who work for me to a very high standard. }

But he also said:

{Further, Luhnow added, the idea that one team’s outdated intellectual property would have remained helpful to a rival even in the short term is illogical. “If you were to take a snapshot of the database of one team, within a month it would not be useful anymore, because things change so quickly,” he said. “Not to mention that the types of analysis you would do back in 2011, versus 2012 or ’13, is evolving so quickly because of new tools like PitchFX and StatCast. I wouldn’t trust another team’s analysis even if I had it.”}

It is interesting to note that on the one hand he says he knows password management practices (of course he does not go into details), and on the other hand he says that even if they got access to our “old” information it is of no use.

So, “go ahead and hack us” (to be clear, I am inferring that).

Personally, I think this is just a CYA press release from Mr. Luhnow.
