The research presents techniques for distinguishing legit data leaks from false claims.
The research presents techniques for distinguishing legit data leaks from false claims.

Deloitte, a major player in financial consulting and enterprise risk services, has released research that can help companies determine if they've been the victim of a data leak – or the casualty of an online hoax.

Allison Nixon, a threat researcher at Deloitte & Touche who authored the report called, "Vetting Leaks," (PDF) told SCMagazine.com in a Wednesday interview that her paper helps the public answer a lingering question once a leak is announced: “How concerned should we be?”

Given the frequency with which some hacktivists, or others with a large social media presence, announce data dumps, the report, released Wednesday, gives firms (and media reporting such claims) a guidepost for verifying whether the occurrences present a data security threat.

“The focus of my paper is to empower people to fact check the information that they have in front of them,” Nixon said, adding that the guidance also “raises the bar” for those desiring quick notoriety from dubious leaks.

The report advises organizations to, first, do a quick search online to see if “unique-looking artifacts such as passwords, different names, [or] text snippets from the [attackers'] rant,” are recycled from previous leaks or campaigns.

In the paper, Nixon also directs individuals to check for “email uniqueness,” (including making sure email addresses are traceable to the company's site) and confirming potentially leaked passwords adhere to the targeted service's password policy, if one is place. “It would be suspicious if the policy is generally enforced, but a large number of leaked credentials are not in adherence to the site's password policy,” such as prohibiting the use of simple “123456” passwords, the report said.

Deloitte's paper also divulged more technical methods for verifying leaks, which could require the expertise of a third-party, and explained that the effort (and resources) needed to verify a data dump would obviously vary depending on the nature of the leaked information.

“It is difficult to crack an MD5 hash longer than 13 characters without advanced wordlists and dictionary word combinations. Therefore, highly complex passwords coming from a supposedly cracked hashlist are suspect,” the report pointed out.