Chief Information Security Officer Alex Holden of Hold Security, LLC appears during the Black Hat USA 2014 cyber security conference on Wednesday in Las Vegas. Credit: Associated Press


A Milwaukee-area computer security expert found himself at the center of debate Wednesday after his firm uncovered an enormous cache of stolen Internet credentials in the hands of a Russian cyber gang.

The disclosure catapulted Hold Security LLC founder Alexander Holden, who immigrated to Milwaukee with his parents from the former Soviet Union at age 14, onto the front page of The New York Times.

But it also brought out detractors who criticized Hold Security for capitalizing on the news by rolling out a $120-a-year service notifying companies of data breaches.

And while Holden's LinkedIn page indicates he holds an engineering degree from the University of Wisconsin-Milwaukee, and he also told a Journal Sentinel reporter he graduated from the school in 2001, UWM said its records show he only attended and did not graduate.

At the same time, widely respected cybersecurity blogger Brian Krebs, who broke the news last December of the Target data breach, backed Holden on Wednesday. Writing on his blog, KrebsonSecurity, he called Holden "a talented and tireless researcher" whose work has been central to several of Krebs' revelations.

Among them: The scoop last October that hackers stole source code from Adobe Systems Inc. and removed information, including encrypted credit card numbers, on nearly 3 million customers.

As the Times reported Tuesday, Hold Security's latest eye-catching discovery is the massive pile of 1.2 billion stolen Internet credentials — email address and password combinations — being harbored by a group of a dozen Russian cyber thieves.

The massive size of the trove, which Hold calls the largest collection of stolen data, instantly attracted attention. After months of investigation, Hold became aware of the full scope of the cache about 3 1/2 weeks ago.

Verification work followed, Holden said Wednesday, but it's no coincidence that the news finally emerged during Black Hat, a major computer security conference in Las Vegas. Holden said the timing helped ensure that security professionals would be aware of his firm's findings.

"We are not trying to get business from these people in a way that would be inconsistent or predatory," he said in a telephone interview. "We are just making sure that we are putting ourselves on the map to be heard that this is an issue."

Holden also said it was perfectly appropriate to follow up the announcement with the offer of a paid service to alert clients to data breaches. When Hold previously discovered a batch of 360 million stolen credentials, it informed companies that had been victimized at no charge, Holden said.

"And you know what they did?" he asked rhetorically. "Quite frankly, the vast majority of them said thank you and they went away, they never inquired about our services, they never did anything, and that's their right."

But if Hold can't gather revenue to cover its costly and time-consuming research, "how are we to stay in business?" Holden asked.

Still, some didn't like the combination of the big security scare and the offer to sell services.

"Any report that involves someone stealing 1.2 billion passwords and if you pay me 120 bucks I'll tell you if your stuff has been stolen makes me really suspicious," said David Mortman, a contributing analyst to Securosis, a security research and advisory firm in Phoenix. "The whole thing leaves a bad taste in my mouth."

Holden, 39, said his mother and father were engineers in Kiev — now the capital of Ukraine — before leaving the Soviet Union in 1988 with him; younger brother, Richard; and the boys' grandmother. They settled in Milwaukee because they had friends here.

Richard Holden, 32, said his parents valued education and there was "incessant learning" at home. Their father, Julius, taught the boys problem solving.

"I remember every week, if not more frequently, he would sit us down and say, 'OK, I'm going to tell you how to draw a diagram of a door hinge and we're going to figure out how to take it apart,'" Richard said, describing one of the problem-solving exercises.

Richard Holden, who earned a doctorate in industrial engineering and psychology, said his brother "was a brainiac" in school who liked puzzles and presenting himself with challenges. He also was a straight arrow.

"The stereotype of the hacker gone good doesn't fit him," Richard said. "He was never a hacker. He was never interested in hacking or got into things illegally. He was always one of the good guys."

Richard said a family joke was that Richard "was the academically interested smart one. I got my master's degree before he got his bachelor's degree. Of course, in the meantime he was the vice president of a company, co-founder of another, owner of Hold Security, and he never got the respect. He's kind of the Rodney Dangerfield of our family."

Told that UWM had no record of him earning a degree, Alex Holden said Wednesday, "That is correct. I never finished. I attended but I never finished."

In an interview Tuesday evening, however, Holden had said he graduated from the school in 2001 with a degree in mechanical engineering.

His LinkedIn page, under "Education," says "University of Wisconsin-Milwaukee, BS, Mechanical Engineering, 1993-2001."

Wednesday, Holden said he would change the entry. "I do apologize," he said. "That is incorrect. I don't believe that it was intended, that message. It didn't have an option to say, I believe, at the time when I registered that I don't have a degree but I attended."

Before starting his company, Holden worked in information technology for other firms, including at Milwaukee brokerage Robert W. Baird & Co. from 2000 to 2010. There, according to his LinkedIn page, he was chief information security officer. Baird would not comment.

Holden registered Hold Security as a corporation in February 2013. The firm now employs 20 people, some of them temporary, and is looking to hire up to eight more this year, he said. Its headquarters occupy modestly furnished offices in a Mequon building that also houses a dentist, an insurance agent and a meat broker.

Chris Roberts, founder of Denver-based cybersecurity firm One World Labs, said Holden is known in the field.

"He has done a lot of research on intelligence," Roberts said, adding that he hired Holden in a start-up company several years ago.

"He has gone off and done his own thing. He has his way of doing it — very different than mine." Roberts said Holden can sometimes grow frustrated with corporate clients.

"All of us want them to get better, but we have different ways of approaching it," Roberts said. "Ours is to try to be instructive. His way is very much more of a baseball bat, confrontational."

Writing on his blog, Krebs said he has known Holden for nearly seven years and has been an unpaid adviser at Holden's request.

Krebs described Holden as "forthright and honest," and praised his research skills. He said the discovery of the huge cache of stolen email credentials in Russia was legitimate.

"Alex isn't keen on disclosing his methods," Krebs wrote, "but I have seen his research and data firsthand and can say it's definitely for real. Without spilling his secrets or methods, it is clear that he has a first-hand view on the day-to-day activities of some very active organized cyber crime networks and actors."

Richard Holden said his brother's knowledge of Russian and long-standing interest in Russian and Eastern European music and literature may help him in security.

"He is particularly good at being able to uncover those things related to his home country and his native language," he said.