Info Security

1
Info Security

• Writing and Rootkits.

2
Admin

• Papers
• Topic
• Main Phil
• Backup John
• One from me
• http//www.geek.com/news/geeknews/2005Nov/gee20051
  122033430.htm
• Class times and finals schedule.

3
Papers

• Section headings
• Longer paper, use section headings.
• Look at the assignment, several sections
  required.
• For related work section
• Start new paragraph for each complete experiment
  that you describe.
• When describing work
• Use names, not a journalist or a person, a
  magazine
• Instead
• Sam Smith showed... Chavez at security.com did
  an...

4
Mass vs Count again

• Most modifies
• Plural nouns or mass nouns
• The most chickens
• The most money
• Largest
• Singular nouns
• Largest chicken
• Largest amount.
• Largest portion.

5
Reminders

• A few repeat reminders
• Avoid the passive!!
• Sometimes it can't be helped, but a half dozen
  times in a paper this short should raise alarm
  bells.
• Subject verb agreement
• Make sure antecedents of all pronouns are clear
• '' separates two closely related sentences
• Be careful of simile and metaphor
• A outscored B
• No feelings
• Rarely does it matter what you feel, but what you
  believe

6
Next Draft

• Have a section for each of the sections listed in
  the assignment. (first person ok)
• Intro
• Talk about spam, where it comes from its problems
  etc.
• Related work
• Describe at least two other experiments (with two
  citations)
• Experiment
• Describe the experiment setup. (not the results)
• Use past tense next time (you did this already)
• Results
• Talk about the spam you received and where and
  when

7
Next Draft II

• Discuss results
• Analyze what it means
• What does it mean that email address 3 got more
  spam?
• Conclusion
• Summarize, why is spam bad, results and
  implications for experiment
• Any future work that seems immediately indicated.
• I've made copies so improve your work.

8
Rootkits

• Definition
• Trojan horse backdoor tools that modify existing
  operating system software so that an attacker can
  hide on a machine and keep access to it.
  (skoudis)
• Note difference from everything that we've looked
  at thus far
• Other software inserts itself in addition to
  existing software
• Rootkits replace parts.

9
Rootkits

• Disguised to look like normal parts of the system
• Replace dir command from dos for example.
• Generally new version do not write to log files
• Most administrative actions logged
• Network connections logged too.
• Two types
• Usermode (replace programs that users use)
• Kernal mode (modifies the heart of the operating
  system)
• Don't give admin access
• hide the fact that attacker has it

10
MSWindows RootKit

• Example
• FakeGINA
• User mode rootkit
• Used to logon to windows
• Intercepts username, domain, password from
  winNT/200 machines
• http//ntsecurity.nu/toolbox/fakegina/

11
Windows File protection

• Replaces any modified versions of a system
  program
• Does so transparently
• What are the implications?
• Why is fakeGina not affected?

12
More Next Monday

• Have a good Thanksgiving.