BreachExchange mailing list archives

Looking at laws that might apply if Cards hacked Astros


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 16 Jun 2015 19:20:22 -0600

http://kcur.org/post/feds-investigate-whether-cardinals-hacked-astros-ny-times-reports

The FBI and Justice Department are investigating whether front office
personnel for the St. Louis Cardinals hacked into Houston Astros' computer
networks that contained player statistics, information about trades and
other sensitive data, The New York Times reports.

"Law enforcement officials believe the hacking was executed by vengeful
front-office employees for the Cardinals hoping to wreak havoc on the work
of Jeff Luhnow, the Astros’ general manager who had been a successful and
polarizing executive with the Cardinals until 2011," the Times report says.

The Cardinals issued this statement Tuesday morning: “The St. Louis
Cardinals are aware of the investigation into the security breach of the
Houston Astros’ database. The team has fully cooperated with the
investigation and will continue to do so. Given that this is an ongoing
federal investigation, it is not appropriate for us to comment further.”

The actual intrusion

According to the New York Times, the alleged intrusion was not very
sophisticated. Jeff Luhnow was an executive with the St. Louis Cardinals
before he became the Astros general manager in December 2011. The Cardinals
officials had allegedly kept a list of passwords used by former executives,
including Luhnow, and used that information to gain access to the Houston
network.

“As a Cardinals fan, I’m disappointed. As a cybersecurity practitioner, I’m
not surprised to find that a password hadn’t been changed,” said Paul
Frazier, a cybersecurity expert and adjunct professor at Webster
University. “That’s the first thing we teach in cybersecurity is change
your password, so the developers can’t find their way back in.”

It’s not that hard for the FBI to figure out that someone’s been somewhere
in cyberspace they shouldn’t be, Frazier said.

“Everybody leaves a trace as to where they’re talking from,” he said. “So
through the use of their machine access codes and internet protocols, [the
FBI] will be able to go back and figure out right down to the machine and
time of day the hack occurred, and whether or not the machine was owned by
a person in the St. Louis Cardinals organization. They’ll even be able to
tell who was logged in at the time.”

Cybersecurity law

The vast majority of so-called “hacking” cases are prosecuted under 18 USC
§ 1030, the Computer Fraud and Abuse Act, though various state and local
laws also apply. The federal law has been around in its current form since
1986.

“It’s a broad and very powerful tool for the federal government,” said Paul
Ohm, a former prosecutor for the U.S Department of Justice’s Computer Crime
and Intellectual Property Section who is now an associate professor at the
University of Colorado Law School. “It’s often analogized to physical
trespass.”

At its most basic level, the law punishes those who obtain information
after accessing a computer without permission. The “hack” must also result
in a person obtaining information, but that’s a pretty low threshold to
meet, Ohm said.

“Courts have said, ‘look Congress didn’t say you have to download and save
a copy of information,’” Ohm said. “If it crosses the network and appears
on your screen, that’s good enough for a crime. Casual poking around still
satisfies the criminal provision.”

Ohm said the alleged intrusion is like dozens of others prosecuted by the
federal government day in and day out.

“What seems most novel about this to me is the actors involved,” he said.
“If this was just two titans of industry fighting it out and one of them
allegedly crossed the line and FBI got involved, I doubt most of the world
would have taken this much notice. I certainly wouldn’t have.”

What’s at stake

The Computer Fraud and Abuse Act authorizes prison sentences of up to 20
years, though Ohm said it’s unlikely that first-time offenders would
receive penalties that stiff. He said the Astros could also pursue civil
claims against the Cardinals for theft of trade secrets.

Chip Pitts, a former chief legal officer for Nokia and lecturer at Stanford
Law School, said he did not believe such inter-team hacking was widespread
in baseball.

“Baseball learned its lesson from the earlier corruption scandals in the
20th century that it is a prized institution, and the best results for the
teams and their stakeholders come from fair competition on the field.”

And he said any allegations of impropriety could hit the Cardinals
especially hard.

“When they’re accused of cheating, it’s really unfortunate,” Pitts said.
“It’s somewhat reminiscent of Lance Armstrong. When a perceived winner
cheats, it’s even worse.”

Both the Cardinals and Major League Baseball said they were aware of the
federal investigation into the security breach, and were cooperating fully.
The league went on to say, “Once the investigative process has been
completed by federal law enforcement officials, we will evaluate the next
steps and make decisions promptly.”

A spokeswoman for the FBI office in St. Louis referred all questions to the
Houston bureau. A spokeswoman there would not confirm or deny the existence
of that investigation, but released the following statement:

"The FBI aggressively investigates all potential threats to public and
private sector systems. Once our investigations are complete, we pursue
all appropriate avenues to hold accountable those who pose a threat in
cyberspace."
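The two practitioner points raised in the article above, that a departed employee's credentials should have been rotated and that authentication logs tie a login back to a source address and a time, can be made concrete in a short script. What follows is an added example and is not part of the original article, nor anything the teams or the investigators used; the log format, account names, departure dates and address ranges are all constructed for illustration.

```python
"""Added example: flag logins that should not have succeeded and list the
accounts whose password was never rotated after the owner left.

Everything here (log layout, account names, dates, IP ranges) is invented
for illustration and is not data from the case described in the article.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed log lines in a simple syslog-like layout (not a real product format).
SAMPLE_LOG = """\
2015-03-01T02:14:07Z auth sshd: Accepted password for analyst1 from 10.20.30.41
2015-03-01T02:15:22Z auth web: Accepted password for former_exec from 203.0.113.77
2015-03-01T02:15:40Z auth web: Failed password for former_exec from 203.0.113.77
2015-03-01T09:01:03Z auth web: Accepted password for scout7 from 10.20.31.9
2015-03-02T23:58:51Z auth web: Accepted password for former_exec from 198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<service>\w+): (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed directory/HR data: when each person left, and when the password
# on their account was last rotated. A hypothetical former executive's account
# is used as the stale-credential case.
DEPARTURES = {"former_exec": datetime(2011, 12, 1, tzinfo=timezone.utc)}
PASSWORD_LAST_CHANGED = {
    "former_exec": datetime(2011, 6, 1, tzinfo=timezone.utc),
    "analyst1": datetime(2015, 1, 15, tzinfo=timezone.utc),
    "scout7": datetime(2014, 11, 3, tzinfo=timezone.utc),
}
# Address space the organisation actually uses; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    service: str
    user: str
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    success: bool


def parse_auth_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real parser would record unparsed lines rather than drop them
        events.append(AuthEvent(
            when=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            service=m["service"],
            user=m["user"],
            ip=ipaddress.ip_address(m["ip"]),
            success=(m["result"] == "Accepted"),
        ))
    return events


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def stale_credentials(departures=DEPARTURES, last_changed=PASSWORD_LAST_CHANGED) -> list[str]:
    """Accounts whose password was not rotated after the owner's departure."""
    return sorted(u for u, left in departures.items()
                  if u in last_changed and last_changed[u] <= left)


def suspicious_logins(events, departed=frozenset(DEPARTURES)) -> list[dict]:
    """Successful logins by a departed account or from outside internal ranges,
    with the user, source IP and time an investigator would need to attribute them."""
    findings = []
    for e in events:
        if not e.success:
            continue
        reasons = []
        if e.user in departed:
            reasons.append("departed-account")
        if not is_internal(e.ip):
            reasons.append("external-source")
        if reasons:
            findings.append({"when": e.when.isoformat(), "user": e.user,
                             "ip": str(e.ip), "service": e.service, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("stale credentials:", stale_credentials())
    for f in suspicious_logins(parse_auth_log(SAMPLE_LOG)):
        print(f)
```

The two checks are deliberately independent: `stale_credentials` is the preventive control (run it against the directory at offboarding time and the problem the article describes never arises), while `suspicious_logins` is the detective control that works from the same kind of records, account, source address and timestamp, that investigators use to attribute an intrusion after the fact. Failed attempts are skipped here on purpose; in practice a burst of failures from an external address for a departed account is worth its own alert.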
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 