HBGary's Hoglund identifies lessons in Anonymous hack

On Superbowl Sunday, HBGary CTO Greg Hoglund found himself locked out of his own e-mail account. As has since been widely reported in the media, the hacking group Anonymous leaked thousands of e-mail messages from the accounts of Hoglund and HBGary Federal's CEO Aaron Barr, chastising the company in a public statement. In this excerpt of an interview with CSO correspondent Robert Lemos, Hoglund admits that the company made many mistakes in defending its data, but refutes some of the details of the hack and highlights lessons that other companies should take to heart.


You've said that much of the information in the media about the hack is wrong. What happened?

Hoglund: They didn't get anywhere close to our network. As far as I could tell, they were not even aware of its existence. They may have become aware of it by reading the e-mails later, but that was well after the fact. They only got access to our e-mail spool, which was hosted at Google and its cloud-based e-mail service. And they got access via a stolen password, so they were able to log in. There was really no "hack" involved; it was a stolen credential. (Editor's note: They also had some access to the company's hosted Web site and Barr's Twitter account.)

You were on the phone with Google as Anonymous was stealing your data?

Yes, I was trying to get Google to shut the site down. Google was trying to get me to put a file on my Web site (to authenticate my identity). You see the chicken-and-egg problem there. (HBGary had pulled its site down.)

Anyone with a cloud-based service needs to have an SLA (software license agreement) in the contract that says there is a priority, security hotline so that when there is a security event you have priority support, rather than what happened to me, which is that I got round-robinned to what appeared to be a call center in India. And I'm waiting on the phone and I can't do the technical magic tricks, jumping through the hoops that Google wanted me to jump through, to get them to listen to me. It took me forever to get technical staff on the phone on Sunday afternoon, so they could make the necessary changes so that Google would even start talking to me. And meanwhile, they are downloading my e-mail spool.

I would warn any CISO who is considering cloud in their future to make sure that never happens to them, and that is a contractual thing in the service level agreement.

What other suggestions do you have for companies?

Set an e-mail retention policy and don't store your entire e-mail archive in the cloud. You can store it locally somewhere in the corporate environment, so you can still access it for doing your daily work, looking up data as well as for e-discovery purposes, but it shouldn't be stored in an accessible location out in the cloud.

Second, enable two-factor authentication. Anything that requires a log-in should be enabled for two-factor authentication. If I had enabled two-factor authentication for Google apps that I had HBGary subscribed to, then these hackers from Anonymous would not have been able to log in.

It was a newly available option, but we hadn't enabled it. The cost of two-factor authentication is significantly lower today than it has been in the past. It doesn't cost much, so anybody using the cloud should enable two-factor, if it's an option. If they have any services on the road, such as sales people or technical people, they should have two-factor authentication.

Another thing they should do is configure IP restriction on any administration of the site. So, you should only have one administrator account and it should be IP restricted to a single location. And then if you have a compromise, you don't have to worry about someone getting access to the administrative parts of the cloud services.
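The two controls Hoglund recommends (two-factor on every login, a single administrator account restricted to one source network) can be audited from an authentication log. The following is an added example, not code from HBGary or Google: it parses a constructed key=value login log and flags successful logins without a second factor, administrator logins from outside a hypothetical allow-listed network, and the presence of more than one administrator account.

```python
import ipaddress

# Constructed sample authentication log (not from the article); one event per line.
SAMPLE_LOG = """\
2011-02-06T14:02:11Z account=admin@example.com role=admin src=203.0.113.10 mfa=yes result=success
2011-02-06T14:05:40Z account=ceo@example.com role=user src=198.51.100.7 mfa=no result=success
2011-02-06T14:07:03Z account=admin@example.com role=admin src=198.51.100.7 mfa=no result=success
2011-02-06T14:09:55Z account=admin2@example.com role=admin src=203.0.113.22 mfa=yes result=failure
"""

# Hypothetical allow-list: the one location from which administration is permitted.
ADMIN_ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Split 'timestamp key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = ts
    return event


def audit(log_text):
    """Return policy findings: missing 2FA, admin login off the allow-list,
    and more than one administrator account in use."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    admins = sorted({e["account"] for e in events if e["role"] == "admin"})
    if len(admins) > 1:
        findings.append(f"more than one administrator account: {', '.join(admins)}")
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are not policy violations here
        if e["mfa"] != "yes":
            findings.append(f"{e['ts']} {e['account']}: successful login without two-factor")
        if e["role"] == "admin":
            ip = ipaddress.ip_address(e["src"])
            if not any(ip in net for net in ADMIN_ALLOWED_NETS):
                findings.append(f"{e['ts']} {e['account']}: admin login from {e['src']} outside allow-list")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```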
