Greg Hoglund

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Greg Hoglund
Spouse(s)Penny C. Leavy[1]

Michael Gregory Hoglund is an American author, researcher, and serial entrepreneur in the cyber security industry. He is the founder of several companies, including Cenzic, HBGary and Outlier Security. Hoglund contributed early research to the field of rootkits, software exploitation, buffer overflows, and online game hacking. His later work focused on computer forensics, physical memory forensics, malware detection, and attribution of hackers. He holds a patent on fault injection methods for software testing, and fuzzy hashing for computer forensics. Due to an email leak in 2011, Hoglund is well known to have worked for the U.S. Government and Intelligence Community in the development of rootkits and exploit material.[2][3] It was also shown that he and his team at HBGary had performed a great deal of research on Chinese Government hackers commonly known as APT (Advanced persistent threat). For a time, his company HBGary was the target of a great deal of media coverage and controversy following the 2011 email leak (see below, Controversy and email leak). HBGary was later acquired by a large defense contractor.[4]


Hoglund has founded several security startup companies which were still in operation today:

  • Cenzic, Inc. (formerly known as ClickToSecure, Inc.[5]) Focused on web application security for the Fortune-500.[6]
  • Bugscan, Inc. Developed an appliance that would scan software for security vulnerabilities without sourcecode. Acquired in 2004 by LogicLibrary, Inc.[7]
  • HBGary, Inc. Provides a comprehensive suite of software products to detect, analyze, and diagnose Advanced Persistent Threats (APT) and targeted malware. Acquired in 2012 by Mantech International (MANT).[8] HBGary had no outside investors and was owned by the founders and early employees.
  • Outlier Security, Inc. Provides cloud-based, agentless endpoint detection and response (EDR) systems for enterprises. Acquired in 2017 by Symantec (SYMC).


  • Granted: Fuzzy Hash Algorithm[9]
  • Granted: Fault injection methods and apparatus[10] along with Penny C. Leavy, Jonathan Walter Gary, and Riley Dennis Eller.
  • Applied: Inoculator and antibody for computer security[11] along with Shawn Michael Bracken.
  • Applied: Digital DNA sequence.[12]
  • Applied: Universal method and apparatus for disparate systems to communicate[13] along with Yobie Benjamin, Abhideep Singh, and Jonathan Gary.

Research and authorship[edit]

As an author, Hoglund wrote Exploiting Software: How to Break Code, Rootkits: Subverting the Windows Kernel and Exploiting Online Games: Cheating Massively Distributed Systems, and was a contributing author on Hack Proofing Your Network: Internet Tradecraft. He was a reviewer for the Handbook of SCADA/Control Systems Security. He has presented regularly at security conferences such as Black Hat Briefings, DEF CON, DFRWS, FS-ISAC, and RSA Conference, among others. Hoglund drew the attention of the media when he exposed the functionality of Blizzard Entertainment's Warden software, used to prevent hacking in the popular game World of Warcraft.


  • Exploiting Online Games: Cheating Massively Distributed Systems, Addison-Wesley, 2007, ISBN 0-13-227191-5.
  • Rootkits: Subverting the Windows Kernel, Addison-Wesley, 2005, ISBN 0-321-29431-9.
  • Exploiting Software: How to Break Code, Addison-Wesley, 2004, ISBN 0-201-78695-8.


  • A *REAL* NT Rootkit, patching the NT Kernel, Phrack magazine, 1999[14]

Controversy and email leak[edit]

HBGary found controversy in 2011 after corporate emails were leaked from the now defunct sister company HBGary Federal. Of particular note, the founder of HBGary Federal, Aaron Barr, had authored a draft Powerpoint presentation on information warfare (IW) that was the subject of much interpretation by online reporters and bloggers. It outlined controversial information warfare strategies and techniques, including background checks to discredit online reporters/bloggers, OSINT monitoring of detractors, and disinformation to discredit Wikileaks. This presentation was never shown to be used, and the supposed customers of this work were never actually customers of HBGary Federal, and further stated they were not aware of the presentation.[15]

After the incident in 2011, several hackers branded the attack on HBGary as the work of Anonymous.[16] Later, this branding was abandoned and replaced with the hacking group LulzSec. At this time, the identities of the hackers behind LulzSec were not known. In an interview after the attack, Hoglund characterized the group as criminal hackers and revealed that he had recently refocused HBGary's attribution team, previously used to hunt down Chinese APT (Advanced persistent threat), to instead discover the identities of the Lulzsec hackers.[17] Less than six months later, the leader of LulzSec, Hector Xavier Monsegur (aka Sabu), had been secretly arrested by the FBI and turned into an informant against the rest of Anonymous. HBGary admitted to working closely with law enforcement, and was later given credit for their assistance to the FBI in the investigation that lead to the arrest of the LulzSec leader Hector Xavier Monsegur (aka Sabu).[18][edit]

Hoglund also founded and operated,[19] a popular site devoted to the subject of rootkits. Several well known rootkits and anti-rootkits were hosted from, including Jamie Butler's FU rootkit, Hacker Defender by HF, Bluepill by Joanna Rutkowska and Alexander Tereshkin, ShadowWalker by Sherri Sparks, FUTo by Peter Silberman, BootKit by Derek Soeder (eEye), and AFX Rootkit by Aphex. A complete list can be found on the wayback engine for Last snapshot of on Wayback.[20]'s original site administrators were Greg Hoglund, Fuzen_Op (Jamie Butler), Barns (Barnaby Jack), Caezar of GhettoHackers (Riley Eller), Talis (JD Glaser of NTObjectives), and Vacuum of Technotronic. At its peak, had 81,000 users. was compromised in 2011 via Social engineering (security) as part of the LulzSec attack by Hector Xavier Monsegur (aka Sabu) and the user database was leaked.[21] The leaked user database was then used for research against the Chinese Government-sponsored hacking group commonly known as 'APT1'.[22] The site since remains offline.

Physical memory forensics[edit]

Hoglund was an early pioneer in the research and development of physical memory forensics, now considered standard practice in computer forensics in law enforcement. He saw the physical memory as a complex snapshot of interrelated structures and data arrays, instead of just a flatfile full of strings. The original application was not forensics, but rootkit detection and process hiding – showing how physical memory forensics grew partly from rootkit development.[23] With the release of HBGary's product Responder in 2008, Hoglund was one of the first to deliver OS reconstruction to the market, pivotal in the use of physical memory to reconstruct software and user behavior. Responder PRO continues to be a staple tool for law enforcement and incident response today.


  1. ^ Nate Anderson (February 10, 2011). "How one man tracked down Anonymous—and paid a heavy price". Ars Technica.
  2. ^ Nate Anderson (19 February 2011). "Black ops: how HBGary wrote backdoors for the government". Ars Technica.
  3. ^ Tim Greene (19 February 2011). "Stolen HBGary e-mails indicate it was planning a "new breed of rootkit"". Network World. Archived from the original on 15 October 2012.
  4. ^ staff (2 April 2012). "HBGary acquisition by ManTech complete". Sacramento Business Journal.
  5. ^ "About Us : Reverse Engineering Rootkits by Greg Hoglund, HBGary & Rich Cummings, HBGary". Black Hat. Retrieved 2011-06-20.
  6. ^ "Web Application Security". Archived from the original on 2014-08-30. Retrieved 2011-06-20.
  7. ^ Krill, Paul (2004-09-14). "LogicLibrary buys BugScan | Developer World". InfoWorld. Archived from the original on 2008-05-15. Retrieved 2011-06-20.
  8. ^ MandaSoft (2 April 2012). "ManTech International Corporation will acquire HBGary Inc". BusinessWire.
  9. ^ US grant 8484152, Michael Gregory Hoglund, "Fuzzy Hash Algorithm", published 2009-6-26 
  10. ^ US grant 7620851, Michael Gregory Hoglund, "Fault injection methods and apparatus", published 2007-1-31 
  11. ^ US applied 20120110673, Michael Gregory Hoglund, "Inoculator and antibody for computer security", published 2011-9-23 
  12. ^ US applied 20110067108, Michael Gregory Hoglund, "Digital DNA sequence", published 2011-9-23 
  13. ^ US applied 20010013052, Greg Hoglund, "Universal method and apparatus for disparate systems to communicate", published 2001-8-09 
  14. ^ "Phrack Magazine". Retrieved 2011-06-20.
  15. ^ Eric Lipton (11 February 2011). "Hackers Reveal Offers to Spy on Corporate Rivals". New York Times.
  16. ^ Brian Krebs (7 February 2011). "HBGary Federal Hacked by Anonymous". Krebs on Security.
  17. ^ Rob Lemos (22 March 2011). "HBGary's Hoglund sheds light on Anonymous". Computerworld.
  18. ^ U.S. Attorney's Office (6 March 2012). "Hacker of Sacramento Company HBGary Pleads Guilty". Federal Bureau of Investigation.
  19. ^ "Archived copy". Archived from the original on 2007-04-06. Retrieved 2013-10-19.{{cite web}}: CS1 maint: archived copy as title (link)
  20. ^ "rootkit - dot com". Archived from the original on 5 February 2011.
  21. ^ Lucian Constantin (14 February 2011). " Compromise Poses Risks to Other Sites". softpedia.
  22. ^ Gerry Smith (19 February 2013). "Anonymous Helps Researchers Link Hackers To Chinese Army". Huffington Post.
  23. ^ Greg Hoglund (25 May 2011). "A Brief History of Physical Memory Forensics". Fast Horizon.

External links[edit]