[ISN] HBGary's Hoglund identifies lessons in Anonymous hack

From: InfoSec News <alerts_at_private>
Date: Fri, 18 Mar 2011 01:43:47 -0600 (CST)
http://www.csoonline.com/article/677340/hbgary-s-hoglund-identifies-lessons-in-anonymous-hack

By Robert Lemos
CSO
March 17, 2011

On Superbowl Sunday, HBGary CTO Greg Hoglund found himself locked out of 
his own e-mail account. As has since been widely reported in the media, 
the hacking group Anonymous leaked thousands of e-mail messages from the 
accounts of Hoglund and HBGary Federal's CEO Aaron Barr, chastising the 
company in a public statement. In this excerpt of an interview with CSO 
correspondent Robert Lemos, Hoglund admits that the company made many 
mistakes in defending its data, but refutes some of the details of the 
hack and highlights lessons that other companies should take to heart.


You've said that much of the information in the media about the hack is 
wrong. What happened?

Hoglund: They didn't get anywhere close to our network. As far as I 
could tell, they were not even aware of its existence. They may have 
become aware of it by reading the e-mails later but that was well after 
the fact. They only got access to our e-mail spool, which was hosted at 
Google, and its cloud-based e-mail service. And they got access via a 
stolen password, so they were able to log in. There was really no "hack" 
involved; it was a stolen credential. (Editor's note: They also had some 
access to the hosted Web site of HBGary Federal, a related company, and 
to Barr's Twitter account.)


You were on the phone with Google as Anonymous was stealing your data?

Yes, I was trying to get Google to shut the site down. Google was trying 
to get me to put a file on my Web site (to authenticate my identity). 
You see the chicken-and-egg problem there. (HBGary had pulled its site 
down.)

Anyone with a cloud-based service needs to have an SLA (service level 
agreement) in the contract that says there is a priority, security 
hotline so that when there is a security event you have priority 
support, rather than what happened to me, which is that I got 
round-robinned to what appeared to be a call center in India. And I'm 
waiting on the phone and I can't do the technical magic tricks, jumping 
through the hoops that Google wanted me to jump through, to get them to 
listen to me. It took me forever to get technical staff on the phone on 
Sunday afternoon, so they could make the necessary changes so that 
Google would even start talking to me. And meanwhile, they are 
downloading my e-mail spool.

I would warn any CISO who is considering cloud in their future to make 
sure that never happens to them, and that is a contractual thing in the 
service level agreement.

[...]

