Both Kelly Jackson Higgins and Brian Krebs had columns yesterday on a report by Allison Nixon of Deloitte on how to vet a data dump. The report should be required reading for journalists as the reputation harm that can occur by publishing or repeating false claims of a hack can be significant. While many will immediately think of Dropbox’s recent attempt to reassure users they had not been hacked, remember that Dropbox was also in the news earlier this year over a claimed hack that was not a hack at all.
Regular readers know that this blog and DataLossDB.org instituted policies of attempting to verify breach claims with the breached entity before publishing claims of a breach by anonymous hackers or hacktivists. It’s been a useful policy. Although it may delay publication of “news,” it reduces the risk of falsely reporting an entity has been compromised when they haven’t been. Unfortunately, not all entities respond to inquiries or requests, often leaving us with a “Go – No Go” decision to make. The techniques Nixon describes are not foolproof (see the discussion of “combolists”), but it’s a lot better than just repeating claims without investigation.
Brian has kindly uploaded a copy of the report here (pdf).