Greg Hoglund

Michael Gregory Hoglund is an American author, researcher, and serial entrepreneur in the cyber security industry. He is the founder of several companies, including Cenzic, HBGary and Outlier Security. Hoglund contributed early research to the field of rootkits, software exploitation, buffer overflows, and online game hacking. His later work focused on computer forensics, physical memory forensics, malware detection, and attribution of hackers. He holds a patent on fault injection methods for software testing, and fuzzy hashing for computer forensics. Due to an email leak in 2011, Hoglund is well known to have worked for the U.S. Government and Intelligence Community in the development of rootkits and exploit material. It was also shown that he and his team at HBGary had performed a great deal of research on Chinese Government hackers commonly known as APT (Advanced persistent threat). For a time, his company HBGary was the target of a great deal of media coverage and controversy following the 2011 email leak (see below, Controversy and email leak). HBGary was later acquired by a large defense contractor.

Entrepreneurship
Hoglund has founded several security startup companies which were still in operation today:
 * Cenzic, Inc. (formerly known as ClickToSecure, Inc. ) Focused on web application security for the Fortune-500.
 * Bugscan, Inc. Developed an appliance that would scan software for security vulnerabilities without sourcecode.  Acquired in 2004 by LogicLibrary, Inc.
 * HBGary, Inc. Provides a comprehensive suite of software products to detect, analyze, and diagnose Advanced Persistent Threats (APT) and targeted malware. Acquired in 2012 by Mantech International (MANT). HBGary had no outside investors and was owned by the founders and early employees.
 * Outlier Security, Inc. Provides cloud-based, agentless endpoint detection and response (EDR) systems for enterprises. Acquired in 2017 by Symantec (SYMC).

Patents

 * Granted: Fuzzy Hash Algorithm
 * Granted: Fault injection methods and apparatus along with Penny C. Leavy, Jonathan Walter Gary, and Riley Dennis Eller.
 * Applied: Inoculator and antibody for computer security along with Shawn Michael Bracken.
 * Applied: Digital DNA sequence.
 * Applied: Universal method and apparatus for disparate systems to communicate along with Yobie Benjamin, Abhideep Singh, and Jonathan Gary.

Research and authorship
As an author, Hoglund wrote Exploiting Software: How to Break Code, Rootkits: Subverting the Windows Kernel and Exploiting Online Games: Cheating Massively Distributed Systems, and was a contributing author on Hack Proofing Your Network: Internet Tradecraft. He was a reviewer for the Handbook of SCADA/Control Systems Security. He has presented regularly at security conferences such as Black Hat Briefings, DEF CON, DFRWS, FS-ISAC, and RSA Conference, among others. Hoglund drew the attention of the media when he exposed the functionality of Blizzard Entertainment's Warden software, used to prevent hacking in the popular game World of Warcraft.

Books

 * Exploiting Online Games: Cheating Massively Distributed Systems, Addison-Wesley, 2007, ISBN 0-13-227191-5.
 * Rootkits: Subverting the Windows Kernel, Addison-Wesley, 2005, ISBN 0-321-29431-9.
 * Exploiting Software: How to Break Code, Addison-Wesley, 2004, ISBN 0-201-78695-8.

Articles

 * A *REAL* NT Rootkit, patching the NT Kernel, Phrack magazine, 1999

Controversy and email leak
HBGary found controversy in 2011 after corporate emails were leaked from the now defunct sister company HBGary Federal. Of particular note, the founder of HBGary Federal, Aaron Barr, had authored a draft Powerpoint presentation on information warfare (IW) that was the subject of much interpretation by online reporters and bloggers. It outlined controversial information warfare strategies and techniques, including background checks to discredit online reporters/bloggers, OSINT monitoring of detractors, and disinformation to discredit Wikileaks. This presentation was never shown to be used, and the supposed customers of this work were never actually customers of HBGary Federal, and further stated they were not aware of the presentation.

After the incident in 2011, several hackers branded the attack on HBGary as the work of Anonymous. Later, this branding was abandoned and replaced with the hacking group LulzSec. At this time, the identities of the hackers behind LulzSec were not known. In an interview after the attack, Hoglund characterized the group as criminal hackers and revealed that he had recently refocused HBGary's attribution team, previously used to hunt down Chinese APT (Advanced persistent threat), to instead discover the identities of the Lulzsec hackers. Less than six months later, the leader of LulzSec, Hector Xavier Monsegur (aka Sabu), had been secretly arrested by the FBI and turned into an informant against the rest of Anonymous. HBGary admitted to working closely with law enforcement, and was later given credit for their assistance to the FBI in the investigation that lead to the arrest of the LulzSec leader Hector Xavier Monsegur (aka Sabu).

rootkit.com
Hoglund also founded and operated rootkit.com, a popular site devoted to the subject of rootkits. Several well known rootkits and anti-rootkits were hosted from rootkit.com, including Jamie Butler's FU rootkit, Hacker Defender by HF, Bluepill by Joanna Rutkowska and Alexander Tereshkin, ShadowWalker by Sherri Sparks, FUTo by Peter Silberman, BootKit by Derek Soeder (eEye), and AFX Rootkit by Aphex. A complete list can be found on the wayback engine for rootkit.com Last snapshot of rootkit.com on Wayback. Rootkit.com's original site administrators were Greg Hoglund, Charles Weidner (Handle Redacted), Fuzen_Op (Jamie Butler), Barns (Barnaby Jack), Caezar of GhettoHackers (Riley Eller), Talis (JD Glaser of NTObjectives), and Vacuum of Technotronic. At its peak, rootkit.com had 81,000 users.

Rootkit.com was compromised in 2011 via Social engineering (security) as part of the LulzSec attack by Hector Xavier Monsegur (aka Sabu) and the user database was leaked. The leaked user database was then used for research against the Chinese Government-sponsored hacking group commonly known as 'APT1'. The rootkit.com site since remains offline.

Physical memory forensics
Hoglund was an early pioneer in the research and development of physical memory forensics, now considered standard practice in computer forensics in law enforcement. He saw the physical memory as a complex snapshot of interrelated structures and data arrays, instead of just a flatfile full of strings. The original application was not forensics, but rootkit detection and process hiding – showing how physical memory forensics grew partly from rootkit development. With the release of HBGary's product Responder in 2008, Hoglund was one of the first to deliver OS reconstruction to the market, pivotal in the use of physical memory to reconstruct software and user behavior. Responder PRO continues to be a staple tool for law enforcement and incident response today.