Dailydave mailing list archives

Re: Shady headlines - Disagree

From: Charisse Castagnoli <charisse () charissec com>
Date: Fri, 4 Apr 2014 18:36:46 -0500

Brian Krebs is a personal friend of mine and he is an amazing journalist who fact checks like crazy, carefully cites,
obtains primary data often directly from underground sites. He has been instrumental in discovering and exposing many
illegal activities in the illegal digital underground.

I think his reporting is fair and accurate. Experian was the legal owner of the contract at the time of notification
by the Secret Service, therefore Experian was part of an ongoing data breach.

As to the potential 200 million records, that was a quote of a fact in a court record. I think that counts as a
primary source.

Quoting dave "Likewise, it seems like it was not Experian's data at all" Exactly what Brian reported "According to
U.S. government investigators, the data was not[emphasis mine] obtained directly from Experian, but rather via
Columbus, Ohio-based US Info Search"

I don't think this reflects poorly on your good friend, but rather shows the limitations of breach detection and due
diligence. Heck he may not have even been involved in the acquisition.

The problem for the public is, Experian is a financial services firm and is thus held to a higher standard of care
(both legally and morally). We expect our financial institutions to go the extra mile with access to our PII.

Heck at Chase you can't even deposit tiny bits of cash into your own account without showing an ID and signing a form,
and you can not deposit cash into any account except your own.

The fact that Experian acquired a company whose identity proofing standards were not up to Experian's is a not only
unfortunate it's a problem, further it was Experian's responsibility to identify in the due diligence phase. (I do
think that is an intractable standard) However, Experian, as a financial services institution is not morally or legally
entitled to hide behind their purchase of "Some random company" but should and probably has accepted responsibility.
(they are certainly entitled to clarify as they did in their post) But just like Bank of America can not escape
liability for the shady home loans they acquired with the Countrywide purchase, Experian has to take responsibility
for their purchase of Court Ventures who created the contract vehicle for the data breach.

As with every data breach there are always nuances that trigger sensitivities on both sides, however your
characterization of Brian's headline as "Shady" is unfair.
The fact that this happened to a company like Experian with an excellent CISO is just a proof point of what the
challenges are in due diligence.

Now if you want some truly erroneous headlines try these
http://www.toptenz.net/top-10-erroneous-newspaper-headlines.php

Charisse Castagnoli
charisse () charissec com

On Apr 4, 2014, at 4:06 PM, Dave Aitel <dave () immunityinc com> wrote:

http://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/

So I read the Krebs report today with interest because the CISO of Experian (Stephen Scharf) is an old friend of mine,
and probably one of the better CISO's in the business, imho. So there are a few things I think are funny in the Krebs
report. For example, "Court records just released last week show that Ngo tricked an Experian subsidiary into giving
him direct access to personal and financial data on more than 200 million Americans. " Right now, using Google, I have
direct access to billions of records on both Americans and non-Americans But that doesn't mean I downloaded it and used
it. How much data did this guy even get? Something more on the order of 3 million various things. Likewise, it seems
like it was not Experian's data at all, but the result of some legal agreements that happened before Experian ever got
involved. Also I love the part in the court documentation where the defendant has been hearing voices and is basically
crazy.

I guess the point is, "Some random company Experian bought had an agreement with another company that had an customer
who was shady and then arrested" is not as catchy a title, even if it is more accurate than "U.S. States Investigating
Breach at Experian" which is what Krebs decided to run with this time.

Official Experian response to the whole mess (worth a quick read) is here:
http://www.experian.com/blogs/news/2014/03/30/court-ventures/

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

Current thread:

Shady headlines Dave Aitel (Apr 04)
- Re: Shady headlines - Disagree Charisse Castagnoli (Apr 04)
- Re: Shady headlines security curmudgeon (Apr 04)
- <Possible follow-ups>
- Re: Shady headlines brian krebs (Apr 07)