Saturday 20 June 2015

Lawyers and ethical hackers weigh in on Astros hack

ST. LOUIS • For federal prosecutors to file the most likely criminal charge to result from the hacking of a Houston Astros website, the attack would have to be both malicious and costly, said defense lawyers who have handled such cases.

The Computer Fraud and Abuse Act, which was enacted in the 1980s to go after hackers breaking into and damaging government computers, would be “a perfect fit” based on media reports, said H. Dean Steward, a California lawyer and former federal public defender, “assuming they can prove some sort of malicious intent.”

“You’ve got to be doing something bad. If you’re checking out the website and shouldn’t have been on there, that’s probably not actionable,” he said, but trying to steal scouting reports and get inside information would qualify.

But whether that standard has been met in the Cardinals hacking case is unclear. Meanwhile, one local expert questions whether the standard applies at all.

The hacking investigation began after a 2014 attack. Internal memos and trade discussions from the Astros’ proprietary baseball operations database, dubbed “Ground Control,” were leaked that June.

Steward initially said that an expert could say that the information was worth “hundreds of thousands of dollars.”

After Astros general manager Jeff Luhnow, Cardinals general manager John Mozeliak and former Cardinals manager Tony La Russa all cast doubt on the value of the hacked information this week, Steward said their opinions could affect his. But, he wrote in an email, it was a “novel question” that could stop the investigation.

In 2008, Steward’s client Lori Drew was found guilty of three misdemeanor computer fraud charges related to her alleged involvement in the creation of a fake MySpace profile blamed for the October 2006 suicide of 13-year-old Megan Meier of Dardenne Prairie. The charges later were overturned by a judge.

Other lawyers disagreed with Steward.

“I don’t know how they would show damages,” said Joel Schwartz, a Clayton lawyer who is defending a man facing a misdemeanor version of the computer fraud charge for allegedly shutting down a St. Louis County police union website last fall.

Schwartz said that it wasn’t as if the Astros hacker or hackers had shut down a commercial website, like Nordstrom’s, blocking sales.

He said that it was sounding like “sport or a prank.” “Maybe they did it just to see if they could,” he said.

But Neil Richards, a Washington University Law School professor who specializes in privacy, First Amendment and information law, cautioned that the statute is outdated, poorly designed and “much criticized.” He said that any unauthorized access to a protected computer could result in a charge. He said that in order for there to be serious penalties, there is a requirement that victims suffer loss or damage of more than $5,000. The Astros could easily have spent more than $5,000 responding to the attack, and lawyers could argue that the team suffered a competitive disadvantage that far exceeded that amount.

William Margulis, who recently represented a man accused of hacking into websites in Israel, cautioned that too much is unknown: “I don’t know if there’s enough facts or information out yet to determine what they did or what they tried to do.”

Richards said prosecutors should be focusing on the data breaches that have affected large corporations and the government.

“Frankly, if I were a federal prosecutor, I would not be looking to push charges here,” said Richards, who pointed out in the interests of impartiality that he was a Red Sox fan.

“This was very naughty by the Cardinals if they did it, but … on the scale of criminal hacking … (this) is really quite low on the list of bad things that are happening,” he said.

HACKERS WEIGH IN

Two so-called “white hat” or ethical hackers contacted by the Post-Dispatch said that the hack was most likely pulled off in one of two ways. Either the hacker or hackers knew enough information to guess at Astros user names and passwords or they applied “brute force.”

In the first approach, someone with knowledge of past user names could guess what current names and passwords would be.

If an old password was “Cardinals79,” a hacker might think, “I’ll try ‘Astros80,’” said Charlie Miller, a security engineer for Twitter.

But a well-designed website would limit those guesses to perhaps five to 10 at a time, he said.

Luhnow has insisted that he was aware of the need for “password hygiene and best practices.”

“If that’s accurate, he’s probably the only person in the world who’s never reused a password,” said Dave Chronister. He added that a properly designed password can be reused to some degree, just not across websites.

Chronister is founder and managing partner of Parameter Security in St. Charles County.

If Ground Control did not limit password attempts, a hacker could try “brute force,” writing a program that would try thousands of passwords per second. Although such programs are available online, someone would need the skill to customize the program for a specific website, he said.
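The two cases Miller and Chronister describe, a site that caps guesses at five to 10 and one that does not, as an added example that is not code from Ground Control or from anyone quoted here. The policy numbers (10 failures per five-minute window, 15-minute lockout) and the guess list are assumptions; the replay shows that a 1,000-guess-per-second program only ever gets its first 10 guesses evaluated once such a cap is in place.

```python
from collections import defaultdict, deque

# Assumed policy values; the article only gives "five to 10" guesses.
MAX_FAILURES = 10        # failed guesses tolerated inside one window
WINDOW_SECONDS = 300     # failures are counted over a five-minute window
LOCKOUT_SECONDS = 900    # further attempts are refused for 15 minutes
# Constructed guess list in the style of the article's "Astros80" example.
GUESSES = [f"Astros{n}" for n in range(60, 1060)]


class LoginThrottle:
    """Per-account failed-login counter with a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires

    def is_locked(self, user, now):
        return now < self._locked_until.get(user, float("-inf"))

    def attempt(self, user, password_ok, now):
        """Record one login attempt; returns 'ok', 'fail' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"                   # refused before any password check
        recent = self._failures[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures outside the window
        if password_ok:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:  # budget spent: lock the account
            self._locked_until[user] = now + self.lockout
            recent.clear()
        return "fail"


def replay_guesses(throttle, user, guesses, real_password, start=0.0, interval=0.001):
    """Feed a guess list at 1,000 guesses/s; return how many the site actually
    evaluated and whether the account was opened, locked, or merely missed."""
    evaluated = 0
    for i, guess in enumerate(guesses):
        result = throttle.attempt(user, guess == real_password, start + i * interval)
        if result != "locked":
            evaluated += 1
        if result == "ok":
            return evaluated, "ok"
    end = start + len(guesses) * interval
    return evaluated, "locked" if throttle.is_locked(user, end) else "fail"
```

With `max_failures` set very high the same replay evaluates all 1,000 guesses, which is the unlimited case Chronister describes.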

Once in, the hacker would not necessarily need special skills to download data, Miller and Chronister said.

Both said that there should be a solid trail for investigators to follow.

Investigators are believed to have traced the 2014 hack to a Jupiter, Fla., condominium during spring training. The FBI took computers from Busch Stadium in February, and the Cardinals have turned over “lots of material,” Cardinals Chairman Bill DeWitt Jr. said Thursday.

Chronister and Miller said the Astros should have a log of who accessed the website that would allow investigators to eventually pinpoint the location of the hacker.

The Cardinals should also have logged employees’ computer and Internet use.

Chronister said that investigators are probably correlating those logs to identify both the hacker and the leaker.

Chronister said that had the leaker not posted the information online to Anonbin, it would have made the FBI’s job much more difficult.

On Friday, the Wall Street Journal, citing a person “briefed on the investigation,” reported that one breach passed through the Tor network, a system created out of volunteer computer servers that is designed to protect privacy and ensure anonymity online.

Miller said that the delay between the hacks and their discovery was “pretty typical,” saying it can often take 12 to 18 months for a company to discover an attack.

Miller said there are a lot of ways for companies to detect a hack. Alarms may be tripped if someone starts downloading lots of information, or logs in from an unfamiliar IP address or while on vacation, he said. The account may also be behaving differently, downloading information instead of uploading, for example.
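Those four heuristics run over a constructed access log, as an added example and not anything from the Astros, the investigators, or Miller. The log format, the per-user baseline of known addresses, the leave calendar and the 100 MiB bulk threshold are all assumptions; the point is that each alarm needs a baseline (known addresses, prior upload-only days) recorded before the incident, which is why the logs Chronister mentions matter.

```python
import re
from collections import defaultdict

# Constructed access-log sample (not real Ground Control records).
LOG = """\
2014-03-10T09:02:11 user=scout1 ip=10.0.0.14 action=login
2014-03-10T09:05:40 user=scout1 ip=10.0.0.14 action=upload bytes=20480
2014-03-11T10:15:02 user=scout1 ip=10.0.0.14 action=login
2014-03-11T10:16:30 user=scout1 ip=10.0.0.14 action=upload bytes=40960
2014-03-12T23:41:07 user=scout1 ip=203.0.113.77 action=login
2014-03-12T23:41:30 user=scout1 ip=203.0.113.77 action=download bytes=52428800
2014-03-12T23:44:05 user=scout1 ip=203.0.113.77 action=download bytes=73400320
"""
KNOWN_IPS = {"scout1": {"10.0.0.14"}}   # assumed per-user address baseline
ON_LEAVE = {"scout1": {"2014-03-12"}}   # assumed leave calendar (days as strings)

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
                     r"action=(?P<action>\S+)(?: bytes=(?P<bytes>\d+))?")


def parse(log):
    """Turn log text into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def detect(events, known_ips, on_leave, bulk_bytes=100 * 1024 * 1024):
    """Apply the four heuristics; returns (timestamp, user, reason) alerts."""
    alerts = []
    daily = defaultdict(lambda: {"upload": 0, "download": 0})  # (user, day) -> bytes
    bulk_flagged = set()
    for e in events:
        user, ip, day = e["user"], e["ip"], e["ts"][:10]
        if e["action"] == "login":
            if ip not in known_ips.get(user, set()):
                alerts.append((e["ts"], user, f"login from unfamiliar address {ip}"))
            if day in on_leave.get(user, set()):
                alerts.append((e["ts"], user, "login while on leave"))
        elif e["action"] in ("upload", "download"):
            daily[(user, day)][e["action"]] += int(e["bytes"])
            if daily[(user, day)]["download"] > bulk_bytes and (user, day) not in bulk_flagged:
                bulk_flagged.add((user, day))          # one alert per user per day
                alerts.append((e["ts"], user, "bulk download exceeded threshold"))
    # Direction change: first downloads from an account whose history was upload-only.
    seen_down, seen_up = defaultdict(int), defaultdict(int)
    for (user, day), c in sorted(daily.items()):
        if c["download"] and not seen_down[user] and seen_up[user]:
            alerts.append((day, user, "first download activity after upload-only history"))
        seen_down[user] += c["download"]
        seen_up[user] += c["upload"]
    return alerts
```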

Chronister said, “I think there’s a lot more that’s going to come out once they get this information and start correlating it.”

They can find out whether it was done on a Cardinals computer, whether it was a malicious employee, and perhaps whether the Cardinals organization was unaware.

View the original content and more from this author here: http://ift.tt/1IUfBqJ



from hacker samurai http://ift.tt/1GYFtST
via IFTTT
