Deloitte, a major player in financial consulting and enterprise risk services, has released research that can help companies determine if they've been the victim of a data leak – or the casualty of an online hoax.
Allison Nixon, a threat researcher at Deloitte & Touche who authored the report, "Vetting Leaks" (PDF), told SCMagazine.com in a Wednesday interview that her paper helps the public answer a lingering question once a leak is announced: “How concerned should we be?”
Given how often hacktivists, and others with a large social media following, announce data dumps, the report, released Wednesday, gives firms (and media reporting such claims) a guidepost for judging whether a claimed dump presents a real data security threat.
“The focus of my paper is to empower people to fact check the information that they have in front of them,” Nixon said, adding that the guidance also “raises the bar” for those desiring quick notoriety from dubious leaks.
The report advises organizations to first run a quick online search to see whether “unique-looking artifacts such as passwords, different names, [or] text snippets from the [attackers'] rant,” are recycled from previous leaks or campaigns.
In the paper, Nixon also directs readers to check for “email uniqueness” (including making sure email addresses are traceable to the company's site) and to confirm that potentially leaked passwords adhere to the targeted service's password policy, if one is in place. “It would be suspicious if the policy is generally enforced, but a large number of leaked credentials are not in adherence to the site's password policy,” such as a policy prohibiting simple “123456” passwords, the report said.
Deloitte's paper also describes more technical methods for verifying leaks, some of which could require the expertise of a third party, and notes that the effort (and resources) needed to verify a data dump will vary with the nature of the leaked information.
“It is difficult to crack an MD5 hash longer than 13 characters without advanced wordlists and dictionary word combinations. Therefore, highly complex passwords coming from a supposedly cracked hashlist are suspect,” the report pointed out.
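The artifact-recycling, email-uniqueness and password-policy checks described above, together with the report's 13-character rule, can all be run offline over the dump itself. The Python below is an added example, not code from the report or from Deloitte. Its dump layout (`email:md5hex:plaintext`), the password policy, the suspicion thresholds and the set of "previously leaked" pairs are assumptions made for illustration, and the digest-mismatch check (does each plaintext actually hash to the digest it is paired with) is an additional test the article does not mention. The 13-character threshold is applied to the recovered plaintext, since an MD5 digest itself is always 32 hex characters.

```python
"""Offline checks on a claimed credential dump, in the spirit of the report's
artifact-recycling, email and password-policy tests (added example)."""
import hashlib
import re
from collections import Counter

# Hypothetical password policy for the claimed victim site (assumption, not from the report).
POLICY_MIN_LENGTH = 8
POLICY_BANNED = {"123456", "password", "qwerty", "12345678"}
# The report's threshold: a plaintext longer than this, recovered from an MD5
# hash without advanced wordlists, is suspect.
CRACK_LENGTH_THRESHOLD = 13
# Violation rate above which an enforced policy makes the dump look fake (assumed).
VIOLATION_RATE_SUSPICIOUS = 0.25
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def char_classes(password):
    """Number of character classes (lower, upper, digit, symbol) present."""
    return sum(1 for pat in CLASS_PATTERNS if re.search(pat, password))


def violates_policy(password):
    return len(password) < POLICY_MIN_LENGTH or password.lower() in POLICY_BANNED


def implausibly_cracked(password):
    """Long, multi-class plaintext is unlikely to come from a plain MD5 crack."""
    return len(password) > CRACK_LENGTH_THRESHOLD and char_classes(password) >= 3


def parse_dump(text):
    """Lines are 'email:md5hex:plaintext'; the plaintext may itself contain ':'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        email, md5_hex, plaintext = line.split(":", 2)
        records.append((email.strip().lower(), md5_hex.strip().lower(), plaintext))
    return records


def vet_dump(text, company_domain, prior_pairs=frozenset()):
    """Return counts and readable findings for a claimed dump."""
    records = parse_dump(text)
    total = len(records)
    emails = [e for e, _, _ in records]
    duplicate_emails = sum(c - 1 for c in Counter(emails).values())
    on_domain = sum(1 for e in emails if e.endswith("@" + company_domain.lower()))
    hash_mismatches = sum(1 for _, h, p in records
                          if hashlib.md5(p.encode()).hexdigest() != h)
    policy_violations = sum(1 for _, _, p in records if violates_policy(p))
    implausible = sum(1 for _, _, p in records if implausibly_cracked(p))
    recycled = sum(1 for e, _, p in records if (e, p) in prior_pairs)
    findings = []
    if hash_mismatches:
        findings.append(f"{hash_mismatches} plaintext(s) do not hash to the claimed MD5")
    if implausible:
        findings.append(f"{implausible} password(s) too complex for a plain MD5 crack")
    if total and policy_violations / total > VIOLATION_RATE_SUSPICIOUS:
        findings.append(f"{policy_violations}/{total} passwords violate the site policy")
    if recycled:
        findings.append(f"{recycled} credential(s) recycled from an earlier leak")
    if duplicate_emails:
        findings.append(f"{duplicate_emails} duplicate address(es)")
    return {"total": total, "duplicate_emails": duplicate_emails, "on_domain": on_domain,
            "hash_mismatches": hash_mismatches, "policy_violations": policy_violations,
            "implausible": implausible, "recycled": recycled, "findings": findings}


def _line(email, plaintext, md5_hex=None):
    """Build one constructed dump line, hashing the plaintext unless a digest is forced."""
    digest = md5_hex or hashlib.md5(plaintext.encode()).hexdigest()
    return f"{email}:{digest}:{plaintext}"


# Constructed sample (not real data): a supposed "cracked hashlist" for example.com.
SAMPLE_DUMP = "\n".join([
    _line("alice@example.com", "password"),
    _line("bob@example.com", "123456"),
    _line("carol@example.com", "Summer2013!"),
    _line("dave@gmail.com", "letmein1"),
    _line("alice@example.com", "password"),  # duplicate address
    _line("erin@example.com", "Xk9#vLm2$pQw7!zR", md5_hex="0" * 32),  # forged digest, 16-char 4-class
])
# Constructed (email, password) pairs "seen" in an earlier, unrelated dump.
PRIOR_PAIRS = frozenset({("bob@example.com", "123456")})

if __name__ == "__main__":
    for finding in vet_dump(SAMPLE_DUMP, "example.com", PRIOR_PAIRS)["findings"]:
        print("-", finding)
```

None of these counts proves a dump is real: a poster can satisfy every one of them with invented data that is internally consistent. A digest mismatch or a batch of 16-character, four-class passwords "cracked" from unsalted MD5 is the kind of inconsistency that does show the presentation is fabricated, which is the direction the report says these tests work in.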
Deloitte also published tips for identifying legitimate credit card data dumps, which entail checking formatting rules for card information.
Lastly, the firm said that a smell test – “determining whether or not the action taken is rational and typical of how the action may likely be carried out” – can be applied to verify leaks on a “case by case basis.”
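The article does not say which card formatting rules the report lists. The Python below is an added example, not the report's or Deloitte's own code; it applies the publicly known conventions: issuer prefix and PAN length by brand, the Luhn check digit, a well-formed MM/YY expiry, and a CVV length that matches the brand. The `pan|MM/YY|cvv` layout, the brand table and the sample records (public test card numbers, not real cards) are assumptions made for the example.

```python
"""Formatting checks for a claimed payment-card dump (added example)."""
import re

# Public issuer conventions (assumed for this example, not the report's own list):
# name, prefix pattern, allowed PAN lengths, CVV length.
BRAND_RULES = (
    ("visa", re.compile(r"^4"), {13, 16, 19}, 3),
    ("mastercard",
     re.compile(r"^(5[1-5]|2(22[1-9]|2[3-9][0-9]|[3-6][0-9]{2}|7[01][0-9]|720))"), {16}, 3),
    ("amex", re.compile(r"^3[47]"), {15}, 4),
    ("discover", re.compile(r"^(6011|65)"), {16}, 3),
)
EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])/[0-9]{2}$")


def luhn_ok(pan):
    """Luhn mod-10 checksum over a string of digits."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def identify_brand(pan):
    for name, prefix, lengths, cvv_len in BRAND_RULES:
        if prefix.match(pan):
            return name, lengths, cvv_len
    return None, set(), None


def check_card(pan, expiry, cvv):
    """Return the list of formatting problems for one record (empty if it looks well-formed)."""
    pan = re.sub(r"[\s-]", "", pan)
    if not pan.isdigit():
        return ["pan_not_numeric"]
    problems = []
    brand, lengths, cvv_len = identify_brand(pan)
    if brand is None:
        problems.append("brand_unknown")
    elif len(pan) not in lengths:
        problems.append("length_mismatch")
    if not luhn_ok(pan):
        problems.append("luhn_failure")
    if not EXPIRY_RE.match(expiry):
        problems.append("expiry_invalid")
    if cvv_len is not None and not (cvv.isdigit() and len(cvv) == cvv_len):
        problems.append("cvv_mismatch")
    return problems


def vet_card_dump(text):
    """Tally problems across a 'pan|MM/YY|cvv' dump."""
    counts = {"total": 0, "clean": 0, "luhn_failure": 0, "brand_unknown": 0,
              "length_mismatch": 0, "expiry_invalid": 0, "cvv_mismatch": 0,
              "pan_not_numeric": 0}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pan, expiry, cvv = (field.strip() for field in line.split("|", 2))
        problems = check_card(pan, expiry, cvv)
        counts["total"] += 1
        if not problems:
            counts["clean"] += 1
        for p in problems:
            counts[p] += 1
    # A random digit string passes Luhn about one time in ten, so invented numbers
    # fail at roughly 90%; genuine card data should fail at close to 0%.
    counts["luhn_failure_rate"] = (counts["luhn_failure"] / counts["total"]
                                   if counts["total"] else 0.0)
    return counts


# Constructed sample built from public test PANs, not real cards.
SAMPLE_CARD_DUMP = """
4111111111111111|12/25|123
5555555555554444|01/26|456
378282246310005|06/24|1234
6011111111111117|09/27|789
4111111111111112|11/25|321
4111111111111111|13/25|12
1234567812345670|05/26|111
"""

if __name__ == "__main__":
    print(vet_card_dump(SAMPLE_CARD_DUMP))
```

A dump whose Luhn failure rate sits near 90% was typed, not stolen; one that sits near 0% has passed only a formatting test. Passing Luhn says nothing about whether the account exists or is open, which is why, as the report puts it, only the victim (here the issuer or processor) can give a full analysis.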
In her interview, Nixon said that the techniques in the paper may “vary depending on how the data is presented,” but the research “fundamentally relies on what a real data dump looks like.”
“Some of the [techniques] will tell you 100 percent if this [incident] is fake, but most will tell you that this data dump is more suspicious,” because of the information presented, she explained. Nixon noted in the paper that the verification steps can help “demonstrate a leak is fake, not that compromise has or hasn't occurred," at an organization.
“Additionally, fake leaks can be released after genuine online breaches occur,” she wrote in the report, later adding that “only the victim company can provide a full and accurate analysis” of whether a breach has taken place.