Hacking the Wins

It’s the dawn of cyber-attacks, even the biggest corporations are prone to disaster (just ask Skynet) and MLB teams are no different.

A Tale of Major League Espionage

By Patrick R. Malone

When it comes to winning baseball, building from within is a more long-term and sustainable solution. Smaller market teams not named the New York Yankees or Boston Red Sox, who have a history of throwing money at players to win, have approached this method with great success.

To get there though, teams must go through the Major League Baseball draft. It’s one of baseball’s key contributors for stocking a team’s farm system and building ‘homegrown’ success. It is also known for being one of the biggest crapshoots as far as professional sports drafts go. For that reason alone, it’s no surprise that teams will do whatever it takes to get a leg up on their competition with trickery and spy tactics (Google Spygate).

So when the public heard that one MLB team ‘hacked’ another for information on the draft, it almost came as no surprise. Almost. But that doesn’t mean teams aren’t worried about their own networks.

“While we do have a number of security measures in place to safeguard access to our system, the (Houston) Astros’ recent exposure only further emphasizes our need to be more vigilant in securing our system,” said Thad Levine, assistant general manager of the Texas Rangers.

The incident Levine is referring to is the St. Louis Cardinals/Astros hacking case that took place last summer. Reports surfaced that then-St. Louis Scouting Director Christopher Correa ‘hacked’ the Astros’ system during the MLB Draft using an old password used by ex-Cardinals’ exec turned Astros General Manager Jeff Luhnow. The FBI-led investigation showed that Correa also reused the same method to access the Astros MLB trade deadline notes.

Now, just eight months later, Correa’s superior scouting skills will be punished. Correa was indicted in January on five of the 12 charges brought against him. He faces up to five years in prison, restitution and a $250,000 fine for each charge.

“I accept responsibility in this case,” the former scouting director told U.S. District Judge Lynn Hughes at the hearing. “I trespassed repeatedly.”

Correa, who told the judge “it was stupid,” will receive his sentencing April 11, ironically, the date of the Cardinals’ home opener.

Meanwhile, the Astros certainly won’t be the last victim. In this cyber era that incorporates all things Internet, hacking is the norm. Since the start of 2014, Sony, Ashley Madison, Target, JPMorgan Chase, Home Depot, eBay, Staples, Premera, CareFirst, the IRS, oh, and the U.S. government (just to name a few) were all hacked, according to Hackmageddon.com, a database for information security timelines and statistics. And that’s only a handful of examples. The list goes on.

So how does the MLB prevent this plague from infiltrating (if it hasn’t already) and affecting other teams?

ESPN’s Jim Bowden recently published his ideas on the matter and on how MLB Commissioner Rob Manfred should not only handle the Cardinals’ punishment, but also prevent future attacks on other organizations.

His take on the whole situation includes fining the Cardinals at least $1.7 million, which was the “estimated value of the unauthorized information.” He goes on to discuss taking away draft picks and repaying legal fees, but where it gets interesting is where he talks about “new computer requirements.”

“Manfred should put together a task force that would make sure all 30 teams have sufficient security for their baseball operations systems so that hacking is nearly impossible,” Bowden said. “These systems can either be checked on a regular basis or be monitored from a central location (i.e. the commissioner’s office).”

Now, Correa’s actions of keeping some ex-employee’s password for safekeeping for a later date hardly constitute actual hacking. If teams really wanted to hack another team for information, having a roadmap of sorts already laid out of what to do and what not to do would certainly allow them to tiptoe around and avoid certain exploits. Not to mention that all a team would have to do is hire a third-party hacker and said team’s hands would be completely clean.

All that said, security measures, as well as doling out punishments, should be put into place to possibly avoid future headlines and headaches. And if Manfred continues down the fantastic path he’s already on, he will indeed carry out some possible solutions. Here are a couple of areas MLB and its teams might address.

First things first: when changing organizations completely, one must simply not keep the same password and add a 1, 2 or 3 to the end of it. Changing your password every 90 days to a completely new password is a good way to prevent any future idiocy, albeit accidental idiocy. Call it a self-governing firewall if you will, or better yet, a fireball (get it?).

To further the point, imagine a homeowner who buys a security system to protect themselves and their belongings, but leaves the front door unlocked.
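One way a team’s own login system could enforce the “completely new password” rule at rotation time, as an added example that is not part of the original article: it rejects a new password that is just an earlier one with different digits or punctuation tacked on the end. The function names, the work factor and the sample passwords are assumptions made up for this illustration, and the check can only see passwords previously set on the same system, not ones an employee used at a former club.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # assumed work factor for this example


def base_form(password: str) -> str:
    """Reduce a password to the stem users tend to recycle."""
    folded = password.casefold()
    stem = re.sub(r"[\d\W_]+$", "", folded)  # drop trailing digits/punctuation
    # Edge case: an all-digit or very short stem would make unrelated
    # passwords collide, so fall back to the whole (case-folded) password.
    return stem if len(stem) >= 4 else folded


def _kdf(text: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), salt, ITERATIONS)


def history_entry(password: str) -> tuple[bytes, bytes]:
    """Stored when a password is set: (salt, KDF of the stem), never plaintext."""
    salt = os.urandom(16)
    return salt, _kdf(base_form(password), salt)


def is_recycled(new_password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the new password shares a stem with any earlier password."""
    stem = base_form(new_password)
    return any(
        hmac.compare_digest(_kdf(stem, salt), digest) for salt, digest in history
    )


def change_password(new_password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Accept the change only if the password is not a recycled variant."""
    if is_recycled(new_password, history):
        return False
    history.append(history_entry(new_password))
    return True


if __name__ == "__main__":
    history = [history_entry("Bullpen-Ace")]  # constructed sample password
    for attempt in ("Bullpen-Ace1", "bullpen-ace2016!", "granite-Orbit-42"):
        print(attempt, "accepted" if change_password(attempt, history) else "rejected")
```

Keeping a salted hash of the stem is a design choice of this example; it gives an attacker who steals the history a lower-entropy target than the full password, so the history needs the same protection as the password store itself.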

In other words, corporate compliance could go a long way for MLB teams. For those who don’t know, corporate compliance is “a system which is designed to detect and prevent violations of law by the agents, employees, officers and directors of a business,” according to corporatecompliance.com.

It shouldn’t stop there though for teams and their employees. They should also invest in their own cyber security. Don’t rely on just the league to take care of everyone’s business, not that it isn’t capable. Teams are businesses, and like any big business they more than likely run networks of team computers and such.

Sophos, a security software and hardware company that develops products for communication endpoint, encryption, network security, email security and mobile security as well as unified threat management, identifies three possible solutions to safeguard a network from cyber-attacks.

The first is “network-based mitigation.” Yikes. There really isn’t a simpler way to address this other than it’s basically the action of reducing the severity or seriousness, and in most cases prevention, of a cyber-attack through the use of firewalls and “filtering network traffic addressed to the attacked network through high-capacity networks with ‘traffic scrubbing’ filters.”

The second is “host-based mitigation.” Sophos explains that network administrators should ensure HTTP and Transmission Control Protocol (TCP) sessions time out after a reasonable period.

The third is “proactive measures,” which apparently are for those with the “know-how” to fight back…as if any of the other measures can be taken easily by the average Joe. But anyways, these are different action items MLB and teams could be doing. Who knows, they could already be implementing these strategies into their networks as we speak.

Correa’s actions are just the beginning of the headlines. It’s the dawn of cyber-attacks, even the biggest corporations are prone to disaster (just ask Skynet) and MLB teams are no different. It’s already known that teams will do anything to beat their rivals. This could be the beginning of a major-league-sized problem for Manfred and all 30 teams. Just remember, it all starts with this: one man’s password is another man’s draft information.