Greg Hoglund, CTO of HBGary, admits that lackluster security played a central role in the breach that led to the release of some 50,000 company emails, but also disputes common understanding and reported details of the hack, going so far as to say there was actually no hack at all.
In an interview with CSO Online’s Robert Lemos, Hoglund explains that Anonymous, the hacker collective of online mischief makers that exposed the trove of HBGary emails, never entered the company’s network, and in fact may not have even been aware of its existence until long after the fact. Instead, Anonymous members, who according to recent reports included a shadowy 17-year-old girl calling herself Kayla, used a stolen password to gain access to the company’s email spool.
The email spool was hosted in Google’s cloud service. Hoglund reportedly spent the better part of Super Bowl Sunday trying to shut down the HBGary site but only ended up getting the run-around from a Google service call center in India. As his company was in the process of getting “owned,” Google’s call center set up elaborate hoops through which they expected Hoglund to jump in order to validate his identity. By the time he had proved himself and was able to get technical support on the phone, the damage had already been done.
Hoglund warns CISOs considering cloud storage to make sure that they establish a contractual emergency service agreement with their provider, and suggests setting up a local email retention policy so that a company’s entire email archive is not stored in one accessible location out in the cloud. He also recommends two-factor authentication for log-ins, a relatively cheap service that Hoglund believes could have prevented the HBGary blunder altogether. Finally, Hoglund advises configuring IP restrictions, so that there is only one administrator account and it can only be accessed from one location.
Hoglund’s recommendations are especially timely in light of yesterday’s admission by the high-profile and well-respected security company RSA that it was the victim of a sophisticated attack that resulted in the theft of secrets related to its SecurID two-factor authentication product.