Greg Hoglund, CEO of HBGary, admits that lackluster security at his company played a central role in the breach that led to the release of some 50,000 company emails, but also disputes common understanding and reported details of the hack and the group behind it, going so far as to say there was actually no hack at all.

In an interview with CSO Online’s Robert Lemos, Hoglund explains that Anonymous, the hacker collective of online mischief makers that exposed the trove of HBGary emails, never entered the company’s network, and in fact may not have even been aware of its existence until long after the fact. Instead, Anonymous members used a stolen password to gain access to the company’s email spool.

The email spool was hosted in Google’s cloud service. Hoglund reportedly spent the better part of Super Bowl Sunday trying to shut down the HBGary site but only ended up getting the run-around from a Google service call center in India. As his company was in the process of getting “owned,” so to speak, Google’s call center set up elaborate hoops through which they expected Hoglund to jump in order to validate his identity. By the time he proved himself and was able to get technical support on the phone, the damage had already been done.

Hoglund warns CISOs considering cloud storage to make sure that they establish a contractual emergency service agreement with their provider, and suggests setting up a local email retention policy so that a company’s entire email archive is not stored in one accessible location out in the cloud. He also recommends the use of two-factor login authentication, a relatively cheap service that Hoglund believes could have prevented the HBGary blunder altogether. Finally, Hoglund advises configuring IP restrictions, so that there is only one administrator account, and it can be accessed from only one location.
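The last two recommendations can be modelled as a login policy for the single administrator account. The following is an added example, not code from the article or from HBGary or Google; the policy class, the account name and the IP ranges (documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are constructed assumptions. It replays the article’s scenario, a valid password in the wrong hands, against a password-only policy and against one with a second factor and an IP restriction.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class LoginAttempt:
    account: str
    password_ok: bool   # the provider has already verified the password itself
    source_ip: str
    mfa_passed: bool    # whether the second factor (if any) succeeded


@dataclass(frozen=True)
class AdminAccessPolicy:
    """Hypothetical access policy for the one designated administrator account."""
    admin_account: str
    allowed_networks: Tuple[str, ...]   # CIDRs of the single location admins log in from
    require_mfa: bool = True

    def evaluate(self, attempt: LoginAttempt) -> Tuple[bool, str]:
        # Each rule closes one way a stolen password alone could succeed.
        if attempt.account != self.admin_account:
            raise ValueError("this policy only governs the administrator account")
        if not attempt.password_ok:
            return False, "bad password"
        if self.require_mfa and not attempt.mfa_passed:
            return False, "second factor missing"
        ip = ipaddress.ip_address(attempt.source_ip)
        if not any(ip in ipaddress.ip_network(net) for net in self.allowed_networks):
            return False, f"source {attempt.source_ip} is outside the allowed networks"
        return True, "granted"


# Password-only policy reachable from anywhere: a stolen password is enough.
WEAK_POLICY = AdminAccessPolicy("admin", ("0.0.0.0/0",), require_mfa=False)

# Policy following the article's advice: one admin, one network, second factor.
HARDENED_POLICY = AdminAccessPolicy("admin", ("198.51.100.0/24",), require_mfa=True)

# Constructed attempts: the attacker holds the password but not the token,
# and connects from outside the administrator's network.
STOLEN_PASSWORD_ATTEMPT = LoginAttempt("admin", True, "203.0.113.5", mfa_passed=False)
LEGITIMATE_ADMIN_ATTEMPT = LoginAttempt("admin", True, "198.51.100.10", mfa_passed=True)


def replay(policy: AdminAccessPolicy) -> Tuple[bool, str]:
    """Decision the policy gives to someone holding only the stolen password."""
    return policy.evaluate(STOLEN_PASSWORD_ATTEMPT)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "stolen password ->", replay(policy))
        print(name, "legitimate admin ->", policy.evaluate(LEGITIMATE_ADMIN_ATTEMPT))
```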

As for Anonymous, Hoglund claims that leading up to the attack, they weren’t even on his radar. He admits to not taking them seriously, and viewing the collective as “a bunch of kids who DDoS sites offline,” something most people see as little more than a virtual sit-in. Besides, he says, his company was focused primarily on securing their customers from advanced persistent threats (APTs) from China.

“That has been the bulk of our research for quite a while because most of our customers have suffered attacks from, what appears to be, state sponsored Chinese intelligence,” Hoglund tells CSO Online. “It’s espionage stuff, so we were heads down on that.”

In the wake of the attack, Hoglund has focused his attention more intently on Anonymous, and learned that they aren’t really what they claim to be.

“There aren’t very many, first of all,” he says. “There are not thousands, they are not a legion,” as they claim to be. Hoglund contends these are intimidation tactics, the fruits of a pseudo-journalist-fueled, media-manipulating propaganda machine that Anonymous uses to instill fear in their opponents.

He goes on to tell Robert Lemos that through his research he has learned that Anonymous essentially consists of a dozen or so of what he describes as “criminal hackers” engaged in a wide range of activities, including what Hoglund claims is the theft and publication of private company data.

“There have been cases where death threats have been left,” says Hoglund. “It’s just ridiculous, and it’s completely unacceptable. I had no idea about any of this before I was attacked.”

Hoglund says that the most relevant threat right now is malicious insiders with access to a worldwide audience. In that light, Anonymous and its nascent Anonleaks site are just one example of a larger trend that includes Wikileaks and Crowdleaks, among others. All these groups are recruiting and monetizing insiders, he says.

He draws a line between Wikileaks, which he describes as an entity that at least functions similarly to journalism, keeping their sources anonymous, and the others, who engage in acts of cyber-thuggery by criminally hacking into computers and stealing data.

“Let’s be clear here,” he says, “Anonymous is not protecting Wikileaks. Anonymous is a group that hacks criminally into systems, and we are talking about probably over five corporations that I know of right now in the United States that are being actively targeted by them. When they get access, they are going to steal the data off those systems, e-mail, files off the file system, they are going to do everything they can, and then they are going to leak it and manipulate it and create stories about it. Basically, that is their platform.”

Hoglund’s recommendations and insights are especially timely in light of the recent high-profile and sophisticated attack which targeted well-respected security company RSA and resulted in the theft of secrets related to its SecurID two-factor authentication product.

Categories: Data Breaches, SMB Security, Social Engineering, Vulnerabilities

Comments (21)

  1. Anonymous

    Even after directing all his resources to studying Anonymous, Greg still doesn’t have a clue.

    There are thousands and thousands of anons. Only a small percentage
    of them is needed (and skilled enough) to hack into HBGary and expose
    their plans to criminally and unethically destroy Wikileaks – a topic
    conveniently left out of this conversation.

    But that was really just one tiny action of a much larger movement.

    Anyhow, Greg, publish your research. Let us see what your claims are
    based upon. It will become apparent soon enough that your services
    aren’t worth paying for.

  2. Anonymous

    Hoglund is straight up lying about the hack not getting into his servers. There was evidence that they used their access through rootkit.org to get access to the ticketing software they use for support. That's the server they escalated privileges on.

    Also, shifting the blame to Google is shameful. Instead of shifting the blame maybe they should own up and admit they weren’t prepared for a sophisticated attack

  3. Bazz

    This is a great saga — White hats versus black hats but you don’t know whether it’s a positive or negative image!

    But there’s more — in the super fast world we live in today proof of identity at snail mail pace prevents preventions from taking place.

    I hope WWIII actions will not be put on hold by some call centre sergeant preventing Generals from talking. While millions of rockets are fired!

    OH the space between inner and outer in slowed time of comprehension and sensory overload!!

  4. Bazz

    “We” are allowed to kill, break laws, do anything because our cause is just!

    “You” are a criminal, murderer and deserve to die!

  5. Truth in Advertising

    Greg Hoglund has been lying since the beginning of the entire affair, with a view to deflecting criticism from both himself and his wife who together ran HBGary, Inc.

    Their first bald-faced lie was uttered in an attempt to distance HBGary from HBGary Federal, by stating that HBGary only owned a 15% stake in HBGary Federal, and that HBGary Federal was under separate management.

    When Aaron Barr and Ted Vera joined HBGary, HBGary Federal was described by Hoglund in an email to all staff as a wholly-owned subsidiary of HBGary. Also, HBGary Federal’s incorporation documents were signed by Penny Leavy-Hoglund. Furthermore, those same incorporation documents show that Penny Leavy-Hoglund herself accounted for almost one-half (48%) of the initial start-up capital. That, plus HBGary’s 15% stake, gave the Hoglunds an almost two-thirds majority ownership (63%) in the company.

    Greg’s next bald-faced lie was to imply that Anonymous had falsified some of the emails taken. Unfortunately for him, many of Aaron Barr’s emails (including some of the most damning ones) had valid S/MIME digital signatures made with an Individual Class 1 Signing Certificate purchased from VeriSign by Mr. Barr in April 2010. (Some of the other parties involved also used digital certificates as well, also certifying their emails as genuine.)

    Greg now would have us believe that Anonymous didn’t really hack into his systems; instead, he asserts they only used social engineering and relatively simple exploits. If anything, that’s even worse than claiming that they used something new and unforeseeable. He continues to lie in a frantic (not to mention pathetic) attempt to deflect attention and/or blame from his company’s appallingly shoddy security practices.

    Frankly, Mr. Hoglund’s assertions that Anonymous never made it into his network proper don’t pass the smell test. Hoglund has ZERO credibility. Hoglund and his wife lied to the press about the ownership/governance of HBGary Federal; he further lied in insinuating that the emails taken were falsified.

    Only an idiot lies when the documentation exists (and furthermore can be produced) that shows that you are lying. So, having been caught lying to the press — TWICE — why should anyone take anything Hoglund and/or his wife says at face value?

    His company’s reputation (if not continued survival) depends on having people believe that his networks were not penetrated, so he’s going to do everything he can to try to hammer that point home. The problem is, having provably entered into a pattern of lying, Hoglund’s credibility is in the toilet.

    Finally, whether the attack was sophisticated or not is immaterial — what IS material, is THAT THE ATTACK WORKED.

  6. Anonymous

    If any of what Hoglund says here is true, then why were he and his wife so desperate to keep Anon from releasing more emails?

    Reading over the IRC chat they arranged with Anon suggests that they knew that everything in the emails was accurate and they were extremely worried what kind of damage it would cause to their company. Even then, both Hoglund and his wife were telling lies, lies that could be and were easily proven untrue (in real time by Anon using the emails). It apparently took them weeks of deliberation to come up with this spin on things and it is probably the best they can come up with but it is totally implausible.

    As far as the charge that the emails were falsified? Most of the emails I saw were of the prosaic type and contained personal information that could have come from no other sources. 

  7. C

    This seems like a bad PR stunt for HBGary. Yes, the email portion of everything didn’t involve a hack, yet still look at the untold damage social engineering did on his companies. Hell, they are facing potential federal investigation as a result. I know he is trying to downplay Anonymous, but he also seems to be downplaying social engineering as a threat. Not to mention that rootkit.org was hacked, but he conveniently glosses over that detail.

    And I reject them as being whitehat at this point. HBGary Federal was up to some pretty sleazy shit according to those emails that were leaked, something else Hoglund has been conveniently not addressing.

    Whatever I guess, repeat something enough times and it becomes true in the public eye.

  8. Bazz

    White – Black is difficult to view if the negative is quickly flashed with the positive. And after a while difficult to tell which is positive – negative! Take LSD!

    Troy was lost with the trophy left by the “losers”, the “winners” not realizing what was happening all 3000 years ago! The irony is that Cassandra the future seer was not listened to.###

    It is this ambivalence that I love.

    IT’S WWCD (NOT What would Christ do)

    IT’S What would China do!

    What would Caliphate do!

     

    ###  Troy were impregnable yet lost by infighting
    backstabbing disunity open fighting and not heeding advice and accepting gifts from the enemy!

    But it was the birth of ROME.

  9. Anonymous

    Anonymous is not “thousands.” It’s not even hundreds any more. During today’s “strike” against Warner Bros., their LOIC “hive” had TWELVE users.

    Twelve.
    LOL

  10. Anonymous

    He now would have us believe that Anonymous didn’t really hack into his systems; instead, he asserts they only used social engineering and relatively simple exploits. If anything, that’s even worse than claiming that they used something new and unforeseeable. He continues to lie in a frantic (not to mention pathetic) attempt to deflect attention and/or blame from his company’s appallingly shoddy security practices.

  11. Anonymous

    What are you smoking?  This was *NOT* a “sophisticated attack”.  This was one of the easiest and most obvious attacks that even Greg himself carried out back before he sold out.

    But wait, before you flame me — this actually makes this whole thing EVEN WORSE! If it was a sophisticated attack then Greg could simply play it off as “oh wow, cool they got us with something really good…” instead he is faced with explaining why the most elementary type of attack was easily successful.

    There is no one to blame here but Greg and of course Aaron. Oh, and don’t believe the lie that HBGary Fed is different than HBGary. Yes, they are different corporations, but this is only due to various hoops one must jump through to become a government contractor — most companies that do fed work end up going this route. On paper, different companies. In reality, the same. The ownership and the strategy are common across both entities and obviously they worked very closely together on everything.

    If Greg actually has done his research and does in fact know who the handful of anonymous people are — then Greg needs to go old school and drop dox like he did back in the day. Let us not forget where Mr. HBGary came from... there was a time that he too would have been anonymous.

    Oh, and to ThreatPost — has anyone gotten a comment out of the “B” in HBGary?  I bet Jamie Butler has a few things to say about this whole thing…….

  12. Anonymous

    Well said. As I read through this I just kept thinking, “He still does not get it. At all.”

  13. niggaornotdotcom

    Bazz, I wouldn’t call HBGary “white hat.” More like “Grey Hat with phederal phriends.”

  14. Anonymous

    Troy may not have even existed, and the Aeneid is a work of fiction. Thus, Troy has nothing to do with Rome. Rome was born from nomadic Indo-European peoples via Greece and the Minoan Civilization. Read a book.

  15. Bazz

    Tell that to the Turks who want Gold from Troy (one of the 10 city levels) returned from Germany!

    The myth which is Roman is that the remnants of Troy ended up in Rome — But I prefer the other Twin myth of ROMULUS & REMUS because it teaches you something! Ah BUT WHAT?

    The bible is a work of fiction that billions believe!

    “Rome was born from nomadic Indo-European peoples via Greece and the Minoan Civilization” ...WELL where am I wrong.

    ‘HBGary’ is what people believe – see my other posts.

  16. Anonymous

    I checked and actually most of the emails didn’t have those SMIME headers you were talking about, FYI.

  17. Disappointed Old Schooler

    ROFLMFAO – obviously this struck a chord given the anon-troll turnout. You accuse Hoglund of lying? Almost everything Anonymous has spoon-fed to the press about HBGARY has been __crafted__ to match their agenda. Meanwhile, I think this is the first time I’ve seen HBGary actually say anything about their side of the story? A good hack can be respected - you anonymous guys wouldn’t be so bad if you weren’t so full of shit. You are so new school. Oh, wait, let’s take some select quotes from Anon:

    Feb 13 08:37:23 <case> now we are in possession of a dangerous virus that could attack nuclear facilities
    Feb 13 08:37:26 <case> it’s so easy to spin
    Feb 13 08:37:42 <Buzzard> spin is the keyword

    Feb 11 22:42:32 <BarrettBrown> will be here until I’m satisfied at the destruction we have caused today

    Yes, it seems it IS all about spin, isn’t it? Anonymous rewards those journalists who espouse their message. Parmy Olson is one of their favorites:

    19:56 <@Topiary> [00:52:39] Topiary: Well, I understand, we do sometimes do very harsh things.
    19:56 <@Topiary> [00:52:47] Topiary: Or just mindless things.
    19:56 <@Topiary> [00:53:38] Parmy Olson: For lulz.
    19:56 <@Topiary> Shit, I think I’ve converted this Forbes writer to Anon

    20:53 <@Topiary> I’ve already converted the fuck out of Russia Today’s producer Jenny Churchill – she LOLs hard at Anon lulz
    20:53 <@Topiary> Parmy Olson next
    20:53 <@Laurelai> yes…turn them all to the dark side

    17:13 <@kayla> yeh :D Parmy Olson said she wanted to speak to me so i might aswell lol xD
    17:14 <@molly> heh .. yeah why not.
    17:14 <@molly> i mean… it’s all out anyway
    17:15 <@kayla> yeh she seems nice :D
    17:17 <@molly> wrote good stuff about us so far.. she talked with Topiary i think
    17:17 <@molly> he has her seduced i guess
    17:17 <@Topiary> I’ve spoken with her about 100 times
    17:17 <@Topiary> since December
    17:18 <@Topiary> almost as seduced as Alyona
    17:18 <@Topiary> http://www.youtube.com/watch?v=4bU6fT9pulg
    17:19 <@Topiary> was curious about that
    17:19 <@Topiary> “can’t help but think that Alyona is boning one of the leaders of Anonymous..and if she isn’t…does she want to? ;)
    17:19  * Topiary zips up
    17:20 <@kayla> lol :D
    17:20 <@kayla> naughty!!!
    17:20 <@kayla> :D

    But let’s not stop with Parmy and Alyona, how about Steve Ragan over at Tech Herald?  Maybe not as seduced as Parmy, but obviously their ‘man’ (Steve3D is Steve Ragan):

    23:12 <&Sabu> I actually loved this hack. it was mad exciting
    23:12 <&Sabu> especially the social engineering
    23:13 <&Sabu> the thing is
    23:13 <&Sabu> you guys were here with me

    23:13 <&marduk> we gave the press all the gory details before
    23:13 <&marduk> and it was lulzy

    23:14 <&Sabu> I think I saw that on techdirt
    23:14 <&marduk> tech herald was first
    23:14 <&marduk> he got it wrong tho the first time
    23:14 <&marduk> wrong target
    23:14 <&marduk> but corrected
    23:14 <&marduk> Steve3D is our man :)

    Good game, Sabu sciddied his way onto an obscure machine and the planets aligned. You dumped Hoglund’s email which was a good read for a night, but frankly no surprises there – YAWNZ! You got the biggest ‘hack’ you will ever get, you were sciddies when you started, and you are sciddies now. Your attempts at manipulating the press are far more scary than your pangolin scriptz.

  18. Anonymous

    Sophisticated? There was nothing sophisticated about the attack, which is what makes its success all that more embarrassing against a so-called security company. The BIG lesson here, as everybody knows, is practice what you preach. Greg was surrounded by idiots and that’s what did him in. He’s made it very clear that his production network was not penetrated, but still, those emails were bad enough. I agree he can’t blame Google for his own decision to use Google for email. Lessons were learned all around, that’s about the only common conclusion here.

  19. Bazz

    “Greg was surrounded by idiots and that’s what did him in”

    We’re seeing idiots suddenly everywhere: Japan, nuclear industries, Libya — preparation or “war games” failures everywhere.

    Human responses, as Google’s call center indicates, are billions of times slower than the acts we’re trying to prevent!

    The mere fact that simple unforeseen faults occur is the indictment of our intelligence. AND an indication of our somnambulism, without consciousness of the dangers we made!

    Greg took counsel and accepted idiots’ advice!

    Greg is responsible and where the buck stops!

    Anything else and we can free all prisoners.
