The recent news about the intrusion into the Houston Astros' network by the St. Louis Cardinals is making waves. For me, cyber security and my love of baseball collide here, but the real problem I have with the whole discussion is that it skips the piece of evidence that matters most. This was not a hack but a simple intrusion: Cardinals staff took a former employee's old password list and used it to log in to the network at his new club. This is not a story about hacking or the dangers of cyber-attacks, but one about cyber hygiene and basic password security.
Here is the money quote from the New York Times article:
“Investigators believe that Cardinals personnel, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials when they worked for the Cardinals. The Cardinals employees are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.”
Steve Weber recently quipped at an Atlantic Council event: "You know my password, it's my cat's name plus 1." That is borderline true for most people, and generally it does not matter. Simple passwords are a part of life; the troubling problem is when simple passwords can be used to get into critical systems. It's not that the Astros' network is all that critical, but it is a symptom of a deeper problem in cyber security: a general unwillingness to require two-step verification or tougher passwords on important networks.
This is the lesson we need to take away from the Astros' mishap. If you want to keep your networks secure, you need to think about password security first and also rethink how remote systems are operated. It might be great to have all your trade secrets reachable from anywhere in the United States so your scouts can talk and executives can plan trade deals, but the downside is that the information is out there in public, protected by nothing more than those passwords.
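The post's two complaints, passwords carried over from a previous employer and "cat's name plus 1" style passwords, can both be caught at the point where a new account is set up. The checker below is an added example, not code from the post or from either club: it reduces each password to a stem (lower-cased, trailing digits and symbols stripped) so that a blocklist built from old passwords also rejects the "plus 2" variant, and it flags the word-plus-number pattern outright. The old-club password list, the hypothetical names and the length threshold are all constructed for the example.

```python
import hashlib
import re

# Constructed sample data (not from the article): passwords a departing
# employee used at the old club. Only stem hashes are kept, never plaintext.
OLD_CLUB_PASSWORD_LIST = ["Whiskers1", "Whiskers2", "Cards2011!", "Scouting99"]

# Trailing digits and common "make it complex" symbols are stripped before hashing,
# so "Whiskers1", "whiskers2" and "Whiskers!" all reduce to the stem "whiskers".
_TRAILING = re.compile(r"[\d!@#$%^&*._-]+$")

# A single dictionary word followed by a short number, optionally one symbol:
# the "cat's name plus 1" shape the post describes.
_WORD_PLUS_NUMBER = re.compile(r"[A-Za-z]+\d{1,4}[^A-Za-z\d]?")

REUSE_REASON = "reuses a previously used password (ignoring case and trailing digits/symbols)"


def normalize(password: str) -> str:
    """Lower-case the password and drop trailing digits/symbols to get its stem."""
    return _TRAILING.sub("", password.lower())


def stem_hash(password: str) -> str:
    """SHA-256 of the stem, so the blocklist never stores old passwords in clear."""
    return hashlib.sha256(normalize(password).encode("utf-8")).hexdigest()


def build_blocklist(passwords):
    """Set of stem hashes for every previously used password."""
    return {stem_hash(p) for p in passwords}


BLOCKLIST = build_blocklist(OLD_CLUB_PASSWORD_LIST)


def check_password(candidate: str, blocklist=BLOCKLIST, min_len: int = 12):
    """Return (accepted, reasons) for a proposed password.

    Rejects passwords that are too short, share a stem with a previously used
    password, consist only of digits/symbols, or follow the word-plus-number pattern.
    """
    reasons = []
    if len(candidate) < min_len:
        reasons.append("too short")
    if not normalize(candidate):
        reasons.append("contains no letters")
    elif stem_hash(candidate) in blocklist:
        reasons.append(REUSE_REASON)
    if _WORD_PLUS_NUMBER.fullmatch(candidate):
        reasons.append("word-plus-number pattern")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["Whiskers3", "whiskers!!", "MoneyballScouting2015", "correct horse battery staple"]:
        ok, why = check_password(pw)
        print(f"{pw!r}: {'accepted' if ok else 'rejected'} {why}")
```

Note that "Whiskers3" is rejected even though it never appeared on the old list, which is the point: incrementing the digit is not a new password. The stem check also cannot stop someone who knows the old list from simply trying it, so it complements rather than replaces the two-step verification the post argues for.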
I am not even sure it is really corporate espionage, because baseball scouts tend not to trust evaluations not done in house. This is clear from Moneyball, so is that information all that valuable? The only reason the FBI was called in was that the Astros assumed it was a malicious intrusion, not baseball-on-baseball crime.
We all get annoyed when we have to change passwords, or when the password system forces us to add a % or an @, but these are the things necessary for critical systems. Our rush to make access simple and easy from anywhere hurts security. This is the real story of the great baseball infiltration, because I refuse to call it a "hack".