Security Pro File: Spam-Inspired Journey From Physics To Security

Published: 22/11/2024   Category: security




SANS Internet Storm Center director Johannes Ullrich talks threat tracking, spam, physics -- and his pick for the World Cup.



Johannes Ullrich was a physicist in the late 1990s when he set up a new cable modem connection for his home Linux machine. Like many Linux servers of that era, its mail server was configured as an open relay, accepting and forwarding mail from anyone on the Internet, so it didn't take long before spammers started abusing Ullrich's machine and slowing his connection to a crawl.
My super-fast -- at the time -- cable modem all of a sudden was pretty much as slow as my old dialup modem, which caused me to look at the network traffic in more detail… ultimately discovering the spam, says Ullrich, who is the director of the SANS Internet Storm Center (ISC) and a senior instructor for SANS.
It was Ullrich's first real brush with cybersecurity, after a career specializing in x-ray optics and doing application development. It led me to getting interested in how to secure stuff, he says. I got into security the way most people typically get in: You get breached at some point, and then you get interested in what happened to you.
Ullrich, 45, built an experimental firewall configuration for his home network. I realized with my experiment at home with firewalls... that everyone is sort of after you. If you look at firewall logs, you see China, Russia, [and others] scanning you. I was wondering, is it just me, or is everyone seeing this?
That led him to build the first iteration of what is now the widely used open-source DShield tool, which collects firewall logs from contributors to correlate and get a handle on threats and trends in attacks. Ullrich, who studied physics at university in his native Germany and then earned his PhD in physics at the University of Albany in New York, made the switch to security.
DShield now runs the backend of the operation at SANS ISC, which is Ullrich's day job. DShield was a hobby of mine. This is what got SANS interested in me. Today, a lot of firewall vendors have systems that collect logs from users. DShield was the first one.
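The question DShield was built to answer, "is it just me, or is everyone seeing this?", is a correlation over many contributors' firewall logs rather than a count of hits on one firewall. The following Python script is an added illustration of that idea; it is not DShield's code and does not use the DShield submission format. It parses iptables-style LOG lines from three made-up contributors (constructed sample data using RFC 5737 documentation addresses), indexes which contributors reported each source address and each destination port, and lists only what was seen independently by at least two sensors. The contributor names, log lines and function names are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: iptables LOG lines (prefix "DROP") as three
# hypothetical contributors might submit them. These are not real DShield
# submissions; contributor names and addresses are made up
# (RFC 5737 documentation ranges).
SUBMISSIONS = {
    "contributor-a": [
        "Jun 12 03:14:07 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22",
        "Jun 12 03:14:09 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23",
        "Jun 12 03:15:01 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=445",
    ],
    "contributor-b": [
        "Jun 12 03:20:44 fw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.44 PROTO=TCP SPT=51240 DPT=22",
        "Jun 12 03:20:45 fw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.44 PROTO=TCP SPT=51241 DPT=22",
        "Jun 12 03:21:10 fw kernel: DROP IN=ppp0 OUT= SRC=198.51.100.9 DST=192.0.2.44 PROTO=UDP SPT=53 DPT=53",
    ],
    "contributor-c": [
        "Jun 12 03:30:02 edge kernel: DROP IN=eth1 OUT= SRC=203.0.113.5 DST=192.0.2.200 PROTO=TCP SPT=51300 DPT=22",
        "Jun 12 03:31:15 edge kernel: DROP IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.200 PROTO=TCP SPT=4444 DPT=445",
        "Jun 12 03:32:00 edge kernel: DROP IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.200 PROTO=ICMP TYPE=8 CODE=0",
        "Jun 12 03:33:00 edge kernel: martian source 10.0.0.1 from 10.0.0.2, on dev eth1",
    ],
}

# Fields needed from an iptables LOG line. ICMP lines carry no DPT and are
# treated as unparseable here; a fuller parser would key them on TYPE/CODE.
LINE_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?PROTO=(?P<proto>[A-Z]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, proto, dport) for a firewall log line, or None if it lacks them."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("proto"), int(m.group("dpt"))


def aggregate(submissions):
    """Index who reported what.

    Returns two dicts: source IP -> set of contributor ids, and
    (proto, dport) -> set of contributor ids. Sets rather than counters:
    one noisy sensor logging the same scanner a thousand times is still a
    single reporter, which is what "is it just me?" asks.
    """
    by_source = defaultdict(set)
    by_port = defaultdict(set)
    for contributor, lines in submissions.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed is None:
                continue  # unrelated kernel message or a protocol without ports
            src, proto, dport = parsed
            by_source[src].add(contributor)
            by_port[(proto, dport)].add(contributor)
    return by_source, by_port


def widely_seen(index, min_reporters=2):
    """Keys reported independently by at least min_reporters contributors,
    most-reported first, ties broken by key."""
    hits = [(k, len(v)) for k, v in index.items() if len(v) >= min_reporters]
    return [k for k, _ in sorted(hits, key=lambda kv: (-kv[1], str(kv[0])))]


def report(submissions, min_reporters=2):
    """Summarise sources and ports that more than one contributor saw."""
    by_source, by_port = aggregate(submissions)
    return {
        "sources": widely_seen(by_source, min_reporters),
        "ports": widely_seen(by_port, min_reporters),
        "contributors": len(submissions),
    }


if __name__ == "__main__":
    print(report(SUBMISSIONS))
```

With the constructed input, the report names 203.0.113.5 (seen by all three contributors) and 198.51.100.7 (seen by two), and TCP/22 and TCP/445 as the ports being probed across sensors; the telnet probe and the DNS packet that only one contributor logged are left out, which is the point of requiring more than one independent reporter before calling something a trend.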
SANS ISC serves as a sort of pulse of the security of the Internet, tracking new threats, attacks, and events. Ullrich heads a virtual team of 30 volunteer handlers who take turns manning the operation around the clock. The fun part is there's no real location for ISC, he says. There are no big rooms with big screens or anything like that. I manage DShield from my home office in Jacksonville, Florida.
That's where a couple of servers, five database servers, and two application servers running the DShield system reside. It's a fairly slim infrastructure. He spends about 60% of his time working and researching for the ISC and the rest of his time as a SANS instructor.
What sets us [the ISC] apart is the community aspect. Our goal is to listen to people, observing and realizing and quickly turning around threat and other information about Internet security, he says.
Ullrich says the Linksys home router worm infection this year was a big one for the ISC. Word got to ISC that some small ISPs were seeing strange behavior with certain models of Linksys routers. From there, the ISC coordinated a community response to the attack.
It's not always so simple getting the Internet community to share firewall logs via the ISC's DShield, Ullrich admits, even in times of potentially major events like the Linksys worm. People tend to trust people, not organizations, so it often takes a personal connection to gather logs. One problem we had was getting people's trust to send us these logs and how to deal with the privacy aspect of it all. That's one of the big lessons of information sharing.
Then came the Heartbleed flaw in April, and the timing was just lousy for the ISC. Heartbleed... happened right during one of our largest SANS conferences. This gave me little time, other than during breaks, to work on Heartbleed. One of the great things is that there are always members of the larger community willing to work on issues like this, which makes it a lot easier, and in many cases even possible, to obtain and convey an accurate picture of a threat like Heartbleed.
Of course, Ullrich and his ISC team are targets, as well. One time a few years ago, one bot had Ullrich's phone number embedded in the malware. Attempted hacks go with the territory. I call it a daily vulnerability scan running on us.
PERSONALITY BYTES
World Cup pick:
Germany. I am hoping for a Germany-Brazil final repeat with the unlikely upset of Germany winning. US may have a chance to make it to the top eight this time.
Worst day ever at work:
In the early days of the DShield database, I had it co-located with a small neighborhood ISP using a little server I built myself for a couple hundred dollars. The machine worked OK, and the site had just been discovered by others, so I saw real submissions, and the data came in at a brisk pace. That is when I got the call from the ISP that smoke came out of the server. No backups, no failover. Luckily, it was just smoke, and the server kept running despite some burned off insulation for a couple more weeks, giving me time to replace it.
Security must-haves:
A good dose of That's probably nothing to worry about. I tend to be very non-paranoid, which is a bit unusual in the industry. But it makes life and work more fun.
Pets:
One forever dog and one foster dog, as well as a couple of cats (not sure how many of them consider themselves part of the family). The forever dog started out as a foster but turned into a foster failure. Even though she is the best dog -- with over 4,000 Facebook friends -- people who adopted her kept returning her.
Favorite team:
Bavaria Munich soccer team. I'm sort of a fair-weather fan, but since they keep winning…
Business hours:
There are non-business hours?
For fun:
Walking the dogs and historic preservation. I am lucky to live in a very walkable neighborhood [with] plenty of awesome houses where there is always something new to discover.
