Greg Hoglund, CEO of HBGary, admits that lackluster security at his company played a central role in the breach that led to the release of some 50,000 company emails, but also disputes common understanding and reported details of the hack and the group behind it, going so far as to say there was actually no hack at all.

In an interview with CSO Online’s Robert Lemos, Hoglund explains that Anonymous, the hacker collective of online mischief makers that exposed the trove of HBGary emails, never entered the company’s network, and in fact may not even have been aware of its existence until long after the fact. Instead, Anonymous members used a stolen password to gain access to the company’s email spool.

The email spool was hosted in Google’s cloud service. Hoglund reportedly spent the better part of Super Bowl Sunday trying to shut down the HBGary site but only ended up getting the run-around from a Google service call center in India. As his company was in the process of getting “owned,” so to speak, Google’s call center set up elaborate hoops through which they expected Hoglund to jump in order to validate his identity. By the time he had proved his identity and was able to get technical support on the phone, the damage had already been done.

Hoglund warns CISOs considering cloud storage to establish a contractual emergency service agreement with their provider, and suggests setting up a local email retention policy so that a company’s entire email archive is not stored in a single accessible location out in the cloud. He also recommends two-factor login authentication, a relatively cheap service that Hoglund believes could have prevented the HBGary blunder altogether. Finally, Hoglund advises configuring IP restrictions so that there is a single administrator account, accessible only from one location.
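The two controls Hoglund names, a second factor and a source-IP restriction on the lone admin account, are layered below in an added example (not code from the article or from HBGary) that shows why a stolen password alone would then have been insufficient. The TOTP secret, the allowed admin address (a TEST-NET-3 value) and the login decision function are all constructed for the illustration.

```python
import hmac, hashlib, base64, ipaddress, time

# Constructed demo secret (base32); a real deployment provisions one per user.
ADMIN_TOTP_SECRET = base64.b32encode(b"constructed-demo-secret!").decode()
# The article's advice: one admin account, reachable from one location only (constructed address).
ADMIN_ALLOWED_NETWORK = ipaddress.ip_network("203.0.113.10/32")

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret_b32: str, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step)

def verify_totp(secret_b32: str, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus +/- window steps of clock drift; constant-time comparison."""
    return any(hmac.compare_digest(hotp(secret_b32, at // step + d), code)
               for d in range(-window, window + 1))

def password_only_login(password_ok: bool) -> bool:
    """The control that was actually in place: a correct (stolen) password is sufficient."""
    return password_ok

def authorize_admin(password_ok: bool, totp_code: str, source_ip: str, at: int) -> tuple[bool, str]:
    """Login decision with all three controls layered: password, source IP allowlist, TOTP."""
    if not password_ok:
        return False, "bad password"
    if ipaddress.ip_address(source_ip) not in ADMIN_ALLOWED_NETWORK:
        return False, "source IP not in admin allowlist"
    if not verify_totp(ADMIN_TOTP_SECRET, totp_code, at):
        return False, "second factor rejected"
    return True, "ok"

if __name__ == "__main__":
    now = int(time.time())
    legit = totp(ADMIN_TOTP_SECRET, now)
    print(password_only_login(True))                             # stolen password alone wins
    print(authorize_admin(True, "000000", "198.51.100.7", now))  # stolen password, wrong location
    print(authorize_admin(True, "000000", "203.0.113.10", now))  # right location, no token
    print(authorize_admin(True, legit, "203.0.113.10", now))     # the legitimate administrator
```

The HOTP/TOTP routines reproduce the RFC 4226 and RFC 6238 test vectors, so the same functions can be checked against a real authenticator app.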

As for Anonymous, Hoglund claims that leading up to the attack, they weren’t even on his radar. He admits to not taking them seriously, and viewing the collective as “a bunch of kids who DDoS sites offline,” something most people see as little more than a virtual sit-in. Besides, he says, his company was focused primarily on securing their customers from advanced persistent threats (APTs) from China.

“That has been the bulk of our research for quite a while because most of our customers have suffered attacks from, what appears to be, state sponsored Chinese intelligence,” Hoglund tells CSO Online. “It’s espionage stuff, so we were heads down on that.”

In the wake of the attack, Hoglund has focused his attention more intently on Anonymous, and has concluded that they aren’t really what they claim to be.

“There aren’t very many, first of all,” he says. “There are not thousands, they are not a legion,” as they claim to be. Hoglund contends these are intimidation tactics, the fruits of a pseudo-journalist-fueled, media-manipulating propaganda machine that Anonymous uses to instill fear in its opponents.

He goes on to tell Robert Lemos that through his research he has learned that Anonymous essentially consists of a dozen or so of what he describes as “criminal hackers” engaged in a wide range of activities, including what Hoglund claims is the theft and publication of private company data.

“There have been cases where death threats have been left,” says Hoglund. “It’s just ridiculous, and it’s completely unacceptable. I had no idea about any of this before I was attacked.”

Hoglund says that the most relevant threat right now is malicious insiders with access to a worldwide audience. In that light, Anonymous, with its nascent Anonleaks site, is just one example of a larger trend that includes Wikileaks and Crowdleaks, among others. All these groups are recruiting and monetizing insiders, he says.

He draws a line between Wikileaks, which he describes as an entity that at least functions similarly to journalism by keeping its sources anonymous, and the others, who engage in acts of cyber-thuggery by criminally hacking into computers and stealing data.

“Let’s be clear here,” he says, “Anonymous is not protecting Wikileaks. Anonymous is a group that hacks criminally into systems, and we are talking about probably over five corporations that I know of right now in the United States that are being actively targeted by them. When they get access, they are going to steal the data off those systems, e-mail, files off the file system, they are going to do everything they can, and then they are going to leak it and manipulate it and create stories about it. Basically, that is their platform.”

Hoglund’s recommendations and insights are especially timely in light of the recent high-profile and sophisticated attack that targeted the well-respected security company RSA and resulted in the theft of secrets related to its SecurID two-factor authentication product.


Comments (21)

  1. Anonymous

    Even after directing all his resources to studying Anonymous, Greg still doesn’t have a clue.

    There are thousands and thousands of anons. Only a small percentage of them is needed (and skilled enough) to hack into HBGary and expose their plans to criminally and unethically destroy Wikileaks – a topic conveniently left out of this conversation.

    But that was really just one tiny action of a much larger movement.

    Anyhow, Greg, publish your research. Let us see what your claims are based upon. It will become apparent soon enough that your services aren’t worth paying for.

  2. Anonymous

    Hoglund is straight up lying about the hack not getting into his servers. There was evidence that they used their access to get access to the ticketing software they use for support. That’s the server they escalated privileges on.

    Also, shifting the blame to Google is shameful. Instead of shifting the blame maybe they should own up and admit they weren’t prepared for a sophisticated attack.

  3. Bazz

    This is a great saga — white hats versus black hats, but you don’t know whether it’s a positive or negative image!

    But there’s more — in the super fast world we live in today proof of identity at snail mail pace prevents preventions from taking place.

    I hope WWIII actions will not be put on hold by some call centre sergeant preventing generals from talking, while millions of rockets are fired!

    OH the space between inner and outer in slowed time of comprehension and sensory overload!!

  4. Bazz

    “We” are allowed to kill, break laws, do anything because our cause is just!

    “You” are a criminal, murderer and deserve to die!

  5. Truth in Advertising

    Greg Hoglund has been lying since the beginning of the entire affair, with a view to deflecting criticism from both himself and his wife who together ran HBGary, Inc.

    Their first bald-faced lie was uttered in an attempt to distance HBGary from HBGary Federal, by stating that HBGary only owned a 15% stake in HBGary Federal, and that HBGary Federal was under separate management.

    When Aaron Barr and Ted Vera joined HBGary, HBGary Federal was described by Hoglund in an email to all staff as a wholly-owned subsidiary of HBGary. Also, HBGary Federal’s incorporation documents were signed by Penny Leavy-Hoglund. Furthermore, those same incorporation documents show that Penny Leavy-Hoglund herself accounted for almost one-half (48%) of the initial start-up capital. That, plus HBGary’s 15% stake, gave the Hoglunds an almost two-thirds majority ownership (63%) in the company.

    Greg’s next bald-faced lie was to imply that Anonymous had falsified some of the emails taken. Unfortunately for him, many of Aaron Barr’s emails (including some of the most damning ones) had valid S/MIME digital signatures made with an Individual Class 1 Signing Certificate purchased from VeriSign by Mr. Barr in April 2010. (Some of the other parties involved also used digital certificates as well, also certifying their emails as genuine.)

    Greg now would have us believe that Anonymous didn’t really hack into his systems; instead, he asserts they only used social engineering and relatively simple exploits. If anything, that’s even worse than claiming that they used something new and unforeseeable. He continues to lie in a frantic (not to mention pathetic) attempt to deflect attention and/or blame from his company’s appallingly shoddy security practices.

    Frankly, Mr. Hoglund’s assertions that Anonymous never made it into his network proper don’t pass the smell test. Hoglund has ZERO credibility. Hoglund and his wife lied to the press about the ownership/governance of HBGary Federal; he further lied in insinuating that the emails taken were falsified.

    Only an idiot lies when the documentation exists (and furthermore can be produced) that shows that you are lying. So, having been caught lying to the press — TWICE — why should anyone take anything Hoglund and/or his wife says at face value?

    His company’s reputation (if not continued survival) depends on having people believe that his networks were not penetrated, so he’s going to do everything he can to try to hammer that point home. The problem is, having provably entered-into a pattern of lying, Hoglund’s credibility is in the toilet.

    Finally, whether the attack was sophisticated or not is immaterial — what IS material, is THAT THE ATTACK WORKED.

  6. Anonymous

    If any of what Hoglund says here is true, then why were he and his wife so desperate to keep Anon from releasing more emails?

    Reading over the IRC chat they arranged with Anon suggests that they knew that everything in the emails was accurate and they were extremely worried what kind of damage it would cause to their company. Even then, both Hoglund and his wife were telling lies, lies that could be and were easily proven untrue (in real time by Anon using the emails). It apparently took them weeks of deliberation to come up with this spin on things and it is probably the best they can come up with, but it is totally implausible.

    As far as the charge that the emails were falsified? Most of the emails I saw were of the prosaic type and contained personal information that could have come from no other sources.

  7. C

    This seems like a bad PR stunt for HBGary. Yes, the email portion of everything didn’t involve a hack, yet still look at the untold damage social engineering did on his companies. Hell, they are facing potential federal investigation as a result. I know he is trying to downplay Anonymous, but he also seems to be downplaying social engineering as a threat. Not to mention that was hacked, but he conveniently glosses over that detail.

    And I reject them as being whitehat at this point. HBGary Federal was up to some pretty sleazy shit according to those emails that were leaked, something else Hoglund has been conveniently not addressing.

    Whatever I guess, repeat something enough times and it becomes true in the public eye.

  8. Bazz

    White – Black is difficult to view if the negative is quickly flashed with the positive. And after a while difficult to tell which is positive – negative! Take LSD!

    Troy was lost with the trophy left by the “losers”, the “winners” not realizing what was happening all 3000 years ago! The irony is that Cassandra the future seer was not listened to.###

    It is this ambivalence that I love.

    IT’S WWCD (NOT What would Christ do)

    IT’S What would China do!

    What would Caliphate do!

    ### Troy was impregnable yet lost by infighting, backstabbing, disunity, open fighting and not heeding advice and accepting gifts from the enemy!

    But it was the birth of ROME.

  9. Anonymous

    Anonymous is not “thousands.” It’s not even hundreds any more. During today’s “strike” against Warner Bros., their LOIC “hive” had TWELVE users.
