MD5s, IPs and Ultra

by adam on March 25, 2013

So I was listening to the Shmoocon presentation on information sharing, and there was a great deal of discussion of how sharing too much information could reveal to an attacker that they’d been detected. I’ve discussed this problem a bit in “The High Price of the Silence of Cyberwar,” but wanted to talk more about it. What struck me is that the audience seemed to be thinking that an MD5 of a bit of malware was equivalent to revealing the Ultra intelligence taken from Enigma decrypts.

Now perhaps that’s because I’m re-reading Neal Stephenson’s Cryptonomicon, where one of the subplots follows the exploits of Unit 2702, dedicated to ensuring that use of Ultra is explainable in other ways.

But really, it was pretty shocking to hear people nominally dedicated to the protection of systems actively working to deny themselves information that might help them detect an intrusion faster and more effectively.

For an example of how that might work, read “Protecting People on Facebook.” First, let me give kudos to Facebook for revealing an attack they didn’t have to reveal. Second, Facebook says “we flagged a suspicious domain in our corporate DNS logs.” What is a suspicious domain? It may or may not be one not seen before. More likely, it’s one that some other organization has flagged as malicious. When organizations reveal the IP or domain names of command and control servers, it gives everyone a chance to learn if they’re compromised. It can have other positive effects. Third, it reveals a detection method which actually caught a bad guy, and that you might or might not be using. Now you can consider if you want to invest in dns logging.

Now, there’s a time to be quiet during incident response. But there’s very real a tradeoff to be made between concealing your knowledge of a breach and aiding and abetting other breaches.

Maybe it’s time for us to get angry when a breach disclosure doesn’t include at least one IP and one MD5? Because when the disclosure doesn’t include those facts, our ability to defend ourselves is dramatically reduced.

One comment

Dear all,

I would like to invite you to the coming event. I would appreciate your consideration to attend the event happening on May 6, from 9 AM – 3 PM at San Jose Marriott hotel (301 S Market St San Jose, CA 95113) where Libyan government and private sector buyers will be identifying partners and technology for IT and CyberSecurity projects.

Below is the agenda for the event.

Look forward to hearing from you.

Sincerely yours,
Milena Ristovska

Contact: Kathy Hopsmith @

April 29 – May 8, 2013
Organized by the National U.S-Arab Chamber of Commerce


8:00 AM – 9:00 AM Registration & Coffee

9:00 AM – 9:10 AM Welcome Remarks

• Carl B. Kress, Regional Director for the Middle East, North Africa, Europe and Eurasia, USTDA
• David Hamod, President & CEO, National U.S.-Arab Chamber of Commerce

9:10 AM – 9:40 AM Overview of Libya’s ICT Sector

• H.E. Mohamed Ali Abdou Allah, Deputy Minister, Ministry of Communications & Informatics

9:40 AM – 10:20 AM Libyan Delegation Presentations: Part 1

• Ministry of Communications & Informatics
Esam Abulkhirat, Acting Director, Information Security Department
• National Information Security and Safety Authority
Dr. Ezidin Barka, General Director
• Central Bank of Libya
Emad Sherif, Information Security Team Leader and
Mourad El Mabrouk, Application Analyst and Internet Banking Team Leader
• General Information Authority
Dr. Abdurraouf Ali El Bibas, Chairman of the Management Committee

10:20 AM – 10:30 AM Question & Answer Period

10:30 AM – 10:50 AM Networking & Coffee Break

10:50 AM – 11:30 AM Libyan Delegation Presentations: Part 2

• Libyan Post Telecommunication and Information Technology
Khaled Gamo, Technology Division Manager
• Almotkaml Company
Khaled Mohamed Fellah, General Manager
• Awal IT Company Specialized & Interactive Systems
Khaled El Osta, General Manager/Manager
• Tripoli For Information Technology
Ahmed Swayeh, Business Development Manager

11:30 AM – 11:40 AM Question & Answer Period

11:40 AM – 12:20 PM National Export Initiative Panel

Carl B. Kress, Regional Director for the Middle East, North Africa, Europe and Eurasia
• San Jose (Silicon Valley) Export Assistance Center
Aileen Nandi, Commercial Officer
• U.S. Embassy in Libya
Mohamed Shwehdi, Commercial Specialist

12:20 PM – 1:20 PM Lunch

1:20 PM – 5:00 PM B2B Matchmaking Session

by Milena Ristovska on May 2, 2013 at 4:21 pm. Reply #

Leave your comment

Not published.

If you have one.