Slide 1: Info Security Writing and Rootkits
By: Date: 09/03/2003
Slide 2: Admin
- Papers
- Topic: Main: Phil; Backup: John
- One from me: http://www.geek.com/news/geeknews/2005Nov/gee20051122033430.htm
- Class times and finals schedule
Slide 3: Papers
- Section headings: a longer paper should use section headings. Look at the assignment; several sections are required.
- Related work section: start a new paragraph for each complete experiment that you describe.
- When describing work, use names, not "a journalist", "a person" or "a magazine". Instead
Slide 4: Mass vs Count again
- "Most" modifies plural nouns or mass nouns: the most chickens, the most money.
- "Largest" modifies singular nouns: largest chicken, largest amount, largest portion.
Slide 5: Reminders
A few repeat reminders:
- Avoid the passive!! Sometimes it can't be helped, but a half dozen times in a paper this short should raise alarm bells.
- Subject-verb agreement.
- Make sure the antecedents of all pronouns are clear.
- ';' separates two closely related sentences.
- Be careful of simile and metaphor ("A outscored B").
- No feelings: rarely does it matter what you feel, but what you believe.
Slide 6: Next Draft
Have a section for each of the sections listed in the assignment (first person ok):
- Intro: talk about spam, where it comes from, its problems, etc.
- Related work: describe at least two other experiments (with two citations).
- Experiment: describe the experiment setup (not the results). Use past tense next time (you did this already).
- Results: talk about the spam you received, and where and when.
Slide 7: Next Draft II
- Discuss results: analyze what it means. What does it mean that email address 3 got more spam?
- Conclusion: summarize why spam is bad, the results, and the implications of the experiment. Any future work that seems immediately indicated.
I've made copies, so improve your work.
Slide 8: Rootkits
Definition: Trojan horse backdoor tools that modify existing operating system software so that an attacker can hide on a machine and keep access to it. (Skoudis)
Note the difference from everything we've looked at thus far:
- Other software inserts itself in addition to existing software.
- Rootkits replace parts.
Slide 9: Rootkits
- Disguised to look like normal parts of the system: replace the dir command from DOS, for example.
- Generally the new versions do not write to log files. Most administrative actions are logged; network connections are logged too.
- Two types:
  - User mode (replaces programs that users use)
  - Kernel mode (modifies the heart of the operating system)
- Don't give admin access.
Slide 10: MS Windows RootKit Example
FakeGINA
- User mode rootkit
- Replaces the component used to log on to Windows
- Intercepts username, domain and password from Windows NT/2000 machines
- http://ntsecurity.nu/toolbox/fakegina/
Slide 11: Windows File Protection
- Replaces any modified versions of a system program
- Does so transparently
- What are the implications?
- Why is FakeGINA not affected?
Slide 12: More Next Monday
Have a good Thanksgiving.