THEfirst time most people heard the
name HBGary was in February 2011,
when amorphous ‘hacktivist’ group
Anonymous stole internal emails from
the security software vendor and
published them online.
The cyber attack was in retaliation
for a threat made by the CEO of the
company’s federal division, Aaron
Barr, to name some of the group’s
“senior members”.
HBGary’s overall CEO, Greg Hoglund,
remembers watching company emails
being stolen in real time. Hackers had
discovered Aaron Barr’s personal email
login details, which also gave them
access to his company email and the
HBGary Federal server, because he used
the same password for all three.
“They compromised Aaron Barr’s
server in Colorado, which I had no
control over,” he explains. “Then they
logged into Google Apps. Everyone’s
email was in there, and they
downloaded mine, [other executives’]
and Aaron’s before we shut it off.”
After the emails were stolen, Hoglund
pleaded – unsuccessfully – with the
hackers not to publish them online,
asking them to think of the damage
they would cause his company. One
replied: “greg [this] will be end of you 🙂
and your company”.
But according to Hoglund, the
opposite has been true. HBGary’s third-
quarter revenue this year grew by 85%
over the same quarter in 2010, and
Hoglund says he has seen a big uptick in
the number of commercial clients who
are interested in its services.
No government or business wants to
be hacked. But rather than seeing
HBGary as a security company that
could not even protect itself, customers
seem to see it as kindred spirit, Hoglund
claims. “When it first happened, I was
terrified, to be honest,” he says. “But
what I realised is that our customers
don’t really like Anonymous, and they
view themselves as possible targets.”
Indeed, the episode cast HBGary
as a character in the central narrative
that is currently unfolding in the
security industry today – the move
from perimeter-based protection
against scattershot threats towards
more sophisticated defences against
targeted attacks.
“Companies have started to realise
that their endpoint security solutions
are not sufficient to stop attackers,”
Hoglund says. “They have lost their
confidence in antivirus.”
US-based HBGary is now expanding
abroad, and in the UK it counts an
unnamed UK government department
and a large financial institution among
its customers. “Our presence in the UK
is new, very new, and although we don’t
have staff doing overseas sales yet, it’s
something we’re hoping to do.”
As Hoglund watched his company
emails leak out into the world, he was
on the phone to Google trying to shut
down HBGary’s Google Apps account.
It took close to an hour for the web
giant to confirm his identity, he says,
and the experience has led him to call
for a kill switch to be built into
enterprise cloud services.
Above all, he says that the whole
episode taught him that enterprises
have to understand password reuse.
“If an employee of a big organisation
has an account on a poker site, and
they’re using the same password on that
site as they are on a single-factor
authentication portal in the enterprise,
then if some hackers attack [the poker
site], dump the user details of the
employee and crack his password, they
can just log into your systems. At that
point, firewalls, intrusion detection,
whatever, it doesn’t matter, because
security is switched off.”
Hoglund says he’s now a “religious
believer” in two-factor authentication,
and that HBGary was just about to
implement it at the time of the hack.
“I was a week away from installing
it when this happened,” he recalls.
“It was unbelievable.”
