Shostack + Friends Blog Archive
MD5s, IPs and Ultra

So I was listening to the Shmoocon presentation on information sharing, and there was a great deal of discussion of how sharing too much information could reveal to an attacker that they’d been detected. I’ve discussed this problem a bit in “The High Price of the Silence of Cyberwar,” but wanted to talk more about it. What struck me is that the audience seemed to be thinking that an MD5 of a bit of malware was equivalent to revealing the Ultra intelligence taken from Enigma decrypts.

Now perhaps that’s because I’m re-reading Neal Stephenson’s Cryptonomicon, where one of the subplots follows the exploits of Unit 2702, dedicated to ensuring that use of Ultra is explainable in other ways.

But really, it was pretty shocking to hear people nominally dedicated to the protection of systems actively working to deny themselves information that might help them detect an intrusion faster and more effectively.

For an example of how that might work, read “Protecting People on Facebook.” First, let me give kudos to Facebook for revealing an attack they didn’t have to reveal. Second, Facebook says “we flagged a suspicious domain in our corporate DNS logs.” What is a suspicious domain? It may or may not be one that had never been seen before. More likely, it’s one that some other organization has flagged as malicious. When organizations reveal the IP or domain names of command and control servers, it gives everyone a chance to learn if they’re compromised. It can have other positive effects. Third, it reveals a detection method which actually caught a bad guy, and that you might or might not be using. Now you can consider whether you want to invest in DNS logging.
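As an added example (not code from the original post or from Facebook), here is what acting on a shared indicator looks like on the defender's side: a check of corporate DNS logs against a published C2 domain and IP, plus an MD5 comparison for a file. The log format, indicator values and file content are all constructed assumptions.

```python
import hashlib

# Constructed shared indicators, standing in for the "one IP and one MD5"
# a disclosure could publish (all values are made up, in documentation ranges).
SHARED_DOMAINS = {"bad-c2.example"}
SHARED_IPS = {"203.0.113.45"}
SHARED_MD5S = {hashlib.md5(b"constructed malware sample").hexdigest()}

# Constructed corporate DNS log in an assumed "timestamp client query answer" format.
DNS_LOG = """\
2013-02-16T10:01:02Z 10.0.0.12 www.example.org 198.51.100.7
2013-02-16T10:01:05Z 10.0.0.34 update.bad-c2.example 203.0.113.45
2013-02-16T10:01:09Z 10.0.0.12 mail.example.org 198.51.100.8
2013-02-16T10:02:11Z 10.0.0.51 cdn.example.net 203.0.113.45
"""


def domain_matches(qname, indicators):
    """True if qname equals a shared domain or is a subdomain of one."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))


def scan_dns_log(log_text, domains, ips):
    """Return (client, query, reason) for each lookup that touches a shared indicator.

    The shared C2 IP is checked against the answer, so a hit is still reported
    when the attacker moves to a domain nobody has published yet."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated lines
        _ts, client, qname, answer = parts
        if domain_matches(qname, domains):
            hits.append((client, qname, "domain"))
        elif answer in ips:
            hits.append((client, qname, "ip"))
    return hits


def md5_matches(data, hashes):
    """True if the file content hashes to a shared MD5 (exact match only)."""
    return hashlib.md5(data).hexdigest() in hashes


if __name__ == "__main__":
    for client, qname, reason in scan_dns_log(DNS_LOG, SHARED_DOMAINS, SHARED_IPS):
        print(f"{client} looked up {qname} (matched shared {reason})")
```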

Now, there’s a time to be quiet during incident response. But there’s a very real tradeoff to be made between concealing your knowledge of a breach and aiding and abetting other breaches.

Maybe it’s time for us to get angry when a breach disclosure doesn’t include at least one IP and one MD5? Because when the disclosure doesn’t include those facts, our ability to defend ourselves is dramatically reduced.

One comment on "MD5s, IPs and Ultra"

  • Milena Ristovska says:

    Dear all,

    I would like to invite you to the coming event. I would appreciate your consideration to attend the event happening on May 6, from 9 AM – 3 PM at San Jose Marriott hotel (301 S Market St San Jose, CA 95113) where Libyan government and private sector buyers will be identifying partners and technology for IT and CyberSecurity projects.

    Below is the agenda for the event.

    Look forward to hearing from you.

    Sincerely yours,
    Milena Ristovska

    Contact: Kathy Hopsmith @ Kathy@activemedia.com

    CYBER SECURITY REVERSE TRADE MISSION
    April 29 – May 8, 2013
    Organized by the National U.S.-Arab Chamber of Commerce

    BUSINESS BRIEFING AGENDA

    8:00 AM – 9:00 AM Registration & Coffee

    9:00 AM – 9:10 AM Welcome Remarks

    • Carl B. Kress, Regional Director for the Middle East, North Africa, Europe and Eurasia, USTDA
    • David Hamod, President & CEO, National U.S.-Arab Chamber of Commerce

    9:10 AM – 9:40 AM Overview of Libya’s ICT Sector

    • H.E. Mohamed Ali Abdou Allah, Deputy Minister, Ministry of Communications & Informatics

    9:40 AM – 10:20 AM Libyan Delegation Presentations: Part 1

    • Ministry of Communications & Informatics
    Esam Abulkhirat, Acting Director, Information Security Department
    • National Information Security and Safety Authority
    Dr. Ezidin Barka, General Director
    • Central Bank of Libya
    Emad Sherif, Information Security Team Leader and
    Mourad El Mabrouk, Application Analyst and Internet Banking Team Leader
    • General Information Authority
    Dr. Abdurraouf Ali El Bibas, Chairman of the Management Committee

    10:20 AM – 10:30 AM Question & Answer Period

    10:30 AM – 10:50 AM Networking & Coffee Break

    10:50 AM – 11:30 AM Libyan Delegation Presentations: Part 2

    • Libyan Post Telecommunication and Information Technology
    Khaled Gamo, Technology Division Manager
    • Almotkaml Company
    Khaled Mohamed Fellah, General Manager
    • Awal IT Company Specialized & Interactive Systems
    Khaled El Osta, General Manager/Manager
    • Tripoli For Information Technology
    Ahmed Swayeh, Business Development Manager

    11:30 AM – 11:40 AM Question & Answer Period

    11:40 AM – 12:20 PM National Export Initiative Panel

    • USTDA
    Carl B. Kress, Regional Director for the Middle East, North Africa, Europe and Eurasia
    • San Jose (Silicon Valley) Export Assistance Center
    Aileen Nandi, Commercial Officer
    • U.S. Embassy in Libya
    Mohamed Shwehdi, Commercial Specialist

    12:20 PM – 1:20 PM Lunch

    1:20 PM – 5:00 PM B2B Matchmaking Session
