Greg Hoglund, CEO of HBGary, admits that lackluster security at his company played a central role in the breach that led to the release of some 50,000 company emails, but also disputes common understanding and reported details of the hack and the group behind it, going so far as to say there was actually no hack at all.
In an interview with CSO Online’s Robert Lemos, Hoglund explains that Anonymous, the hacker collective of online mischief makers that exposed the trove of HBGary emails, never entered the company’s network, and in fact may not have even been aware of its existence until long after the fact. Instead, Anonymous members used a stolen password to gain access to the company’s email spool.
The email spool was hosted in Google’s cloud service. Hoglund reportedly spent the better part of Super Bowl Sunday trying to shut down the HBGary site but only ended up getting the run-around from a Google service call center in India. As his company was in the process of getting “owned,” so to speak, Google’s call center set up elaborate hoops through which they expected Hoglund to jump in order to validate his identity. By the time he proved himself and was able to get technical support on the phone, the damage had already been done.
Hoglund warns CISOs considering cloud storage to make sure that they establish a contractual emergency service agreement with their provider, and suggests setting up a local email retention policy so that a company’s entire email archive is not stored in one accessible location out in the cloud. He also recommends two-factor login authentication, a relatively cheap service that Hoglund believes could have prevented the HBGary blunder altogether. And finally, Hoglund advises configuring IP restrictions, so that there is only one administrator account and it can only be accessed from one location.
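The last two recommendations above, a second factor on every login and an IP allowlist on the single administrator account, can be expressed as a small login policy check. The following is an added example written for this page, not code from HBGary, Google or CSO Online; the account names, the 203.0.113.0/24 allowed network (an RFC 5737 documentation range) and the sample login events are all constructed. The second factor is an RFC 6238 TOTP verifier built from the standard library, seeded with the RFC’s reference key so the codes can be checked against its published test vectors.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed policy, not any real organisation's configuration: one named
# administrator account that may only authenticate from one allowed network.
ADMIN_ACCOUNT = "admin@example.com"
ADMIN_ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 range
TOTP_STEP = 30      # RFC 6238 default time step in seconds
TOTP_WINDOW = 1     # accept one step of clock drift either side


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = TOTP_WINDOW) -> bool:
    """Constant-time comparison against the current step and +/- `window` steps."""
    counter = at_time // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def evaluate_login(event: dict, secrets: dict) -> tuple:
    """Decide one login attempt: second factor for everyone, IP allowlist for the admin."""
    user = event["user"]
    secret = secrets.get(user)
    if secret is None:
        return False, "unknown user"
    if not verify_totp(secret, event.get("totp", ""), event["time"]):
        return False, "second factor missing or wrong"
    if user == ADMIN_ACCOUNT:
        src = ipaddress.ip_address(event["source_ip"])
        if not any(src in net for net in ADMIN_ALLOWED_NETWORKS):
            return False, f"admin login from {src} outside allowed network"
    return True, "ok"


def evaluate_all(events, secrets):
    """Apply the policy to a batch of login events, returning (allowed, reason) pairs."""
    return [evaluate_login(e, secrets) for e in events]


# Constructed sample data. The secret is the RFC 6238 reference key, so codes
# match the RFC test vectors (Unix time 59 -> "287082").
SECRETS = {
    ADMIN_ACCOUNT: b"12345678901234567890",
    "alice@example.com": b"12345678901234567890",
}
SAMPLE_EVENTS = [
    {"user": ADMIN_ACCOUNT, "source_ip": "203.0.113.10", "totp": "287082", "time": 59},
    {"user": ADMIN_ACCOUNT, "source_ip": "198.51.100.7", "totp": "287082", "time": 59},
    {"user": "alice@example.com", "source_ip": "198.51.100.7", "totp": "000000", "time": 59},
    {"user": "alice@example.com", "source_ip": "198.51.100.7", "totp": "287082", "time": 59},
    {"user": "mallory@example.com", "source_ip": "203.0.113.10", "totp": "287082", "time": 59},
]

if __name__ == "__main__":
    for event, (allowed, reason) in zip(SAMPLE_EVENTS, evaluate_all(SAMPLE_EVENTS, SECRETS)):
        verdict = "ALLOW" if allowed else "DENY "
        print(f'{event["user"]:<22} {event["source_ip"]:<14} {verdict} {reason}')
```

Note the order of checks: the second factor is verified before the address is consulted, so a stolen password alone (the failure Hoglund describes) never gets as far as the allowlist decision, and the admin account is additionally refused from any address outside the one permitted network even when the second factor is correct. A real deployment would also rate-limit attempts and log the denial reasons shown here.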
As for Anonymous, Hoglund claims that leading up to the attack, they weren’t even on his radar. He admits to not taking them seriously, and viewing the collective as “a bunch of kids who DDoS sites offline,” something most people see as little more than a virtual sit-in. Besides, he says, his company was focused primarily on securing their customers from advanced persistent threats (APTs) from China.
“That has been the bulk of our research for quite a while because most of our customers have suffered attacks from, what appears to be, state sponsored Chinese intelligence,” Hoglund tells CSO Online. “It’s espionage stuff, so we were heads down on that.”
In the wake of the attack, Hoglund has focused his attention more intently on Anonymous, and learned that they aren’t really what they claim to be.
“There aren’t very many, first of all,” he says. “There are not thousands, they are not a legion,” as they claim to be. Hoglund contends these are intimidation tactics, the fruits of a pseudo-journalist-fueled, media-manipulating propaganda machine that Anonymous uses to instill fear in their opponents.
He goes on to tell Robert Lemos that through his research he has learned that Anonymous essentially consists of a dozen or so of what he describes as “criminal hackers” engaged in a wide range of activities, including what Hoglund claims is the theft and publication of private company data.
“There have been cases where death threats have been left,” says Hoglund. “It’s just ridiculous, and it’s completely unacceptable. I had no idea about any of this before I was attacked.”
Hoglund says that the most relevant threat right now is malicious insiders with access to a worldwide audience. In that light, Anonymous and its nascent Anonleaks site is just one example of a larger trend that includes Wikileaks, and Crowdleaks, among others. All these groups are recruiting and monetizing insiders, he says.
He draws a line between Wikileaks, which he describes as an entity that at least functions similarly to journalism, keeping their sources anonymous, and the others, who engage in acts of cyber-thuggery by criminally hacking into computers and stealing data.
“Let’s be clear here,” he says, “Anonymous is not protecting Wikileaks. Anonymous is a group that hacks criminally into systems, and we are talking about probably over five corporations that I know of right now in the United States that are being actively targeted by them. When they get access, they are going to steal the data off those systems, e-mail, files off the file system, they are going to do everything they can, and then they are going to leak it and manipulate it and create stories about it. Basically, that is their platform.”
Hoglund’s recommendations and insights are especially timely in light of the recent high-profile and sophisticated attack that targeted the well-respected security company RSA and resulted in the theft of secrets related to its SecurID two-factor authentication product.