6/17/2014
05:10 PM
Security Pro File: Spam-Inspired Journey From Physics To Security

SANS Internet Storm Center director Johannes Ullrich talks threat tracking, spam, physics -- and his pick for the World Cup.

Johannes Ullrich was a physicist in the late 1990s when he set up a new cable modem connection for his home Linux machine. Like most Linux servers back then, the machine could be used as an open email relay, forwarding mail for everyone, so it didn't take long before spammers started abusing Ullrich's machine and slowing his connection to a crawl.

"My super-fast -- at the time -- cable modem all of a sudden was pretty much as slow as my old dialup modem, which caused me to look at the network traffic in more detail… ultimately discovering the spam," says Ullrich, who is the director of the SANS Internet Storm Center (ISC) and a senior instructor for SANS.

It was Ullrich's first real brush with cybersecurity, after a career specializing in x-ray optics and doing application development. "It led me to getting interested in how to secure stuff," he says. "I got into security the way most people typically get in: You get breached at some point, and then you get interested in what happened" to you.

Ullrich, 45, built an experimental firewall configuration for his home network. "I realized with my experiment at home with firewalls... that everyone is sort of after you. If you look at firewall logs, you see China, Russia, [and others] scanning you. I was wondering, is it just me, or is everyone seeing this?"

That led him to build the first iteration of what is now the widely used open-source DShield tool, which collects firewall logs from contributors to correlate and get a handle on threats and trends in attacks. Ullrich, who studied physics at university in his native Germany and then earned his PhD in physics at the University of Albany in New York, made the switch to security.

DShield now runs the backend of the operation at SANS ISC, which is Ullrich's day job. "DShield was a hobby of mine. This is what got SANS interested in me. Today, a lot of firewall vendors have systems that collect logs from users. DShield was the first one."

SANS ISC serves as a sort of pulse of the security of the Internet, tracking new threats, attacks, and events. Ullrich heads a virtual team of 30 volunteer "handlers" who take turns manning the operation around the clock. "The fun part is there's no real location" for ISC, he says. "There are no big rooms with big screens or anything like that. I manage DShield from my home office in Jacksonville, Florida."

That's where a couple of servers, five database servers, and two application servers running the DShield system reside. "It's a fairly slim infrastructure." He spends about 60% of his time working and researching for the ISC and the rest of his time as a SANS instructor.

"What sets us [the ISC] apart is the community aspect. Our goal is to listen to people, observing and realizing and quickly turning around" threat and other information about Internet security, he says.

Ullrich says the Linksys home router worm infection this year was a big one for the ISC. Word got to ISC that some small ISPs were seeing strange behavior with certain models of Linksys routers. From there, the ISC coordinated a community response to the attack.

It's not always so simple getting the Internet community to share firewall logs via the ISC's DShield, Ullrich admits, even in times of potentially major events like the Linksys worm. "People tend to trust people, not organizations," so it often takes a personal connection to gather logs. "One problem we had was getting people's trust to send us these logs and how to deal with the privacy aspect of it all. That's one of the big lessons of information sharing."

Then came the Heartbleed flaw in April, and the timing was just lousy for the ISC. "Heartbleed... happened right during one of our largest SANS conferences. This gave me little time, other than during breaks, to work on Heartbleed. One of the great things is that there are always members of the larger community willing to work on issues like this, which makes it a lot easier, and in many cases even possible, to obtain and convey an accurate picture of a threat like Heartbleed."

Of course, Ullrich and his ISC team are targets as well. A few years ago, one bot's malware turned up with Ullrich's phone number embedded in it. Attempted hacks go with the territory. "I call it a daily vulnerability scan running on us."

Johannes Ullrich, director, SANS Internet Storm Center

PERSONALITY BYTES

World Cup pick: Germany. I am hoping for a Germany-Brazil final repeat with the unlikely upset of Germany winning. US may have a chance to make it to the top eight this time.

Worst day ever at work: In the early days of the DShield database, I had it co-located with a small neighborhood ISP using a little server I built myself for a couple hundred dollars. The machine worked OK, and the site had just been discovered by others, so I saw real submissions, and the data came in at a brisk pace. That is when I got the call from the ISP that smoke came out of the server. No backups, no failover. Luckily, it was just smoke, and the server kept running despite some burned off insulation for a couple more weeks, giving me time to replace it.

Security must-haves: A good dose of "That's probably nothing to worry about." I tend to be very non-paranoid, which is a bit unusual in the industry. But it makes life and work more fun.

Pets: One "forever" dog and one foster dog, as well as a couple of cats (not sure how many of them consider themselves part of the family). The forever dog started out as a foster but turned into a foster failure. Even though she is the best dog -- with over 4,000 Facebook friends -- people who adopted her kept returning her.

Favorite team: Bavaria Munich soccer team. I'm sort of a fair-weather fan, but since they keep winning…

Business hours: There are non-business hours?

For fun: Walking the dogs and historic preservation. I am lucky to live in a very walkable neighborhood [with] plenty of awesome houses where there is always something new to discover.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins
User Rank: Strategist
6/18/2014 | 1:02:05 PM
Re: Security must have-have
I loved Johannes' comment that what turned him to security was what has turned so many others: getting "hacked" and wanting to get to the bottom of it.
sans_isc
User Rank: Apprentice
6/18/2014 | 12:53:07 PM
Re: Security must have-have
I should have added: It helps to have a good packet sniffer to be sure that there is nothing to worry about :)
Robert McDougal
User Rank: Ninja
6/18/2014 | 12:08:46 PM
Re: Security must have-have
I wish I could reach that level of security zen. I usually run myself in circles because I "just have to be sure".
Marilyn Cohodas
User Rank: Strategist
6/18/2014 | 10:18:05 AM
Security must have-have
I love your attitude -- "That's probably nothing to worry about." You must be the voice of calm for your team in this nerve-wracking business!
Christian Bryant
User Rank: Ninja
6/17/2014 | 9:43:04 PM
Re: Handler Team Structure
@sans_isc

Thanks for the link! It seems like a solid group of volunteers; I'd encourage more folks to do it. There's nothing like dedicating time to something without expectation of monetary return, contributing to a long-term good and adding value to the digital experience for the average person. Kudos.
sans_isc
User Rank: Apprentice
6/17/2014 | 7:48:23 PM
Re: Handler Team Structure
You can see a list of our handlers here:

https://isc.sans.edu/handler_list.html

Also, to become a handler, check our roadmap:

https://isc.sans.edu/handlerroadmap.html
Christian Bryant
User Rank: Ninja
6/17/2014 | 6:31:25 PM
Handler Team Structure
I'd be curious to know the make-up of the handlers on the team. Sounds like a dream job, then you see it's volunteer work, similar to those who work in Free and Open Source Software (FOSS). Perhaps it's just me, but 30 seems like a small number.

If anyone happens to know what the backgrounds are of some of the volunteers, what they do and how they do it, I'd love to know. I imagine a variety of folks, from teen hackers to college dropouts, and a smattering of MS and PhD holders who do hardcore research. I imagine there is data mining and AI tossed onto the traffic looking for patterns and predicting new intrusions based upon that data.

Nice overview; and nice to see yet another person propelled into software and security by GNU/Linux!