6/17/2014
05:10 PM
Security Pro File: Spam-Inspired Journey From Physics To Security

SANS Internet Storm Center director Johannes Ullrich talks threat tracking, spam, physics -- and his pick for the World Cup.

Johannes Ullrich was a physicist in the late 1990s when he set up a new cable modem connection for his home Linux machine. Like most Linux servers back then, the machine could be used as an open email relay, forwarding mail for everyone, so it didn't take long before spammers started abusing Ullrich's machine and slowing his connection to a crawl.

"My super-fast -- at the time -- cable modem all of a sudden was pretty much as slow as my old dialup modem, which caused me to look at the network traffic in more detail… ultimately discovering the spam," says Ullrich, who is the director of the SANS Internet Storm Center (ISC) and a senior instructor for SANS.

It was Ullrich's first real brush with cybersecurity, after a career specializing in x-ray optics and doing application development. "It led me to getting interested in how to secure stuff," he says. "I got into security the way most people typically get in: You get breached at some point, and then you get interested in what happened" to you.

Ullrich, 45, built an experimental firewall configuration for his home network. "I realized with my experiment at home with firewalls... that everyone is sort of after you. If you look at firewall logs, you see China, Russia, [and others] scanning you. I was wondering, is it just me, or is everyone seeing this?"

That led him to build the first iteration of what is now the widely used open-source DShield tool, which collects firewall logs from contributors to correlate and get a handle on threats and trends in attacks. Ullrich, who studied physics at university in his native Germany and then earned his PhD in physics at the University of Albany in New York, made the switch to security.

DShield now runs the backend of the operation at SANS ISC, which is Ullrich's day job. "DShield was a hobby of mine. This is what got SANS interested in me. Today, a lot of firewall vendors have systems that collect logs from users. DShield was the first one."

SANS ISC serves as a sort of pulse of the security of the Internet, tracking new threats, attacks, and events. Ullrich heads a virtual team of 30 volunteer "handlers" who take turns manning the operation around the clock. "The fun part is there's no real location" for ISC, he says. "There are no big rooms with big screens or anything like that. I manage DShield from my home office in Jacksonville, Florida."

That's where a couple of servers, five database servers, and two application servers running the DShield system reside. "It's a fairly slim infrastructure." He spends about 60% of his time working and researching for the ISC and the rest of his time as a SANS instructor.

"What sets us [the ISC] apart is the community aspect. Our goal is to listen to people, observing and realizing and quickly turning around" threat and other information about Internet security, he says.

Ullrich says the Linksys home router worm infection this year was a big one for the ISC. Word got to ISC that some small ISPs were seeing strange behavior with certain models of Linksys routers. From there, the ISC coordinated a community response to the attack.

It's not always so simple getting the Internet community to share firewall logs via the ISC's DShield, Ullrich admits, even in times of potentially major events like the Linksys worm. "People tend to trust people, not organizations," so it often takes a personal connection to gather logs. "One problem we had was getting people's trust to send us these logs and how to deal with the privacy aspect of it all. That's one of the big lessons of information sharing."

Then came the Heartbleed flaw in April, and the timing was just lousy for the ISC. "Heartbleed... happened right during one of our largest SANS conferences. This gave me little time, other than during breaks, to work on Heartbleed. One of the great things is that there are always members of the larger community willing to work on issues like this, which makes it a lot easier, and in many cases even possible, to obtain and convey an accurate picture of a threat like Heartbleed."

Of course, Ullrich and his ISC team are targets, as well. A few years ago, one bot's malware had Ullrich's phone number embedded in it. Attempted hacks go with the territory. "I call it a daily vulnerability scan running on us."

Johannes Ullrich, director, SANS Internet Storm Center

PERSONALITY BYTES

World Cup pick: Germany. I am hoping for a Germany-Brazil final repeat with the unlikely upset of Germany winning. US may have a chance to make it to the top eight this time.

Worst day ever at work: In the early days of the DShield database, I had it co-located with a small neighborhood ISP using a little server I built myself for a couple hundred dollars. The machine worked OK, and the site had just been discovered by others, so I saw real submissions, and the data came in at a brisk pace. That is when I got the call from the ISP that smoke came out of the server. No backups, no failover. Luckily, it was just smoke, and the server kept running despite some burned off insulation for a couple more weeks, giving me time to replace it.

Security must-haves: A good dose of "That's probably nothing to worry about." I tend to be very non-paranoid, which is a bit unusual in the industry. But it makes life and work more fun.

Pets: One "forever" dog and one foster dog, as well as a couple of cats (not sure how many of them consider themselves part of the family). The forever dog started out as a foster but turned into a foster failure. Even though she is the best dog -- with over 4,000 Facebook friends -- people who adopted her kept returning her.

Favorite team: Bavaria Munich soccer team. I'm sort of a fair-weather fan, but since they keep winning…

Business hours: There are non-business hours?

For fun: Walking the dogs and historic preservation. I am lucky to live in a very walkable neighborhood [with] plenty of awesome houses where there is always something new to discover.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
6/18/2014 | 1:02:05 PM
Re: Security must have-have
I loved Johannes' comment that what turned him to security was what has turned so many others: getting "hacked" and wanting to get to the bottom of it. 
sans_isc,
User Rank: Apprentice
6/18/2014 | 12:53:07 PM
Re: Security must have-have
I should have added: It helps to have a good packet sniffer to be sure that there is nothing to worry about :)
Robert McDougal,
User Rank: Ninja
6/18/2014 | 12:08:46 PM
Re: Security must have-have
I wish I could reach that level of security zen.  I usually run myself in circles because I "just have to be sure".
Marilyn Cohodas,
User Rank: Strategist
6/18/2014 | 10:18:05 AM
Security must have-have
I love your attitude -- "That's probably nothing to worry about."  You must be the voice of calm for your team in this nerve-wracking business! 
Christian Bryant,
User Rank: Ninja
6/17/2014 | 9:43:04 PM
Re: Handler Team Structure
@sans_isc

Thanks for the link!  It seems like a solid group of volunteers; I'd encourage more folks to do it.  There's nothing like dedicating time to something without expectation of monetary return, contributing to a long-term good and adding value to the digital experience for the average person.  Kudos. 
sans_isc,
User Rank: Apprentice
6/17/2014 | 7:48:23 PM
Re: Handler Team Structure
You can see a list of our handlers here:

https://isc.sans.edu/handler_list.html 

Also, to become a handler, check our roadmap:

https://isc.sans.edu/handlerroadmap.html
Christian Bryant,
User Rank: Ninja
6/17/2014 | 6:31:25 PM
Handler Team Structure
I'd be curious to know the make-up of the handlers on the team.  Sounds like a dream job, then you see it's volunteer work, similar to those who work in Free and Open Source Software (FOSS).  Perhaps it's just me, but 30 seems like a small number. 

If anyone happens to know what the backgrounds are of some of the volunteers, what they do and how they do it, I'd love to know.  I imagine a variety of folks, from teen hackers to college dropouts, and a smattering of MS and PhD holders who do hardcore research.  I imagine there is data mining and AI tossed onto the traffic looking for patterns and predicting new intrusions based upon that data.

Nice overview; and nice to see yet another person propelled into software and security by GNU/Linux!