RE: FW: Legal? Road Runner proactive scanning.[Scanned]

From: Mitchell Rowton (mrowton_at_bdo.com)
Date: 03/15/04

  • Next message: Michael Weber: "is this real?" 
    Date: Mon, 15 Mar 2004 12:20:27 -0500
To: <charles.otstot@ncmail.net>, <feltman@pacbell.net>, <security-basics@securityfocus.com>, <james@wetgoat.net>

    There will always be arguments about whether or not an ISP is
    ethical/legal in doing port scans on equipment they do not own or
    control, especially if the sole purpose of this is to detect and record
    security vulnerabilities.

    What I would point out is that "testing for a relay" or "testing for an
    open proxy" is completely different than scanning ports. I think that
    analogies are terrible in conversations like this because people tend to
    drift away from the facts... but here is my very bad attempt...

    A building manager goes around pushing on windows and recording who
    leaves theirs unlocked. Legal? Probably.

    A building manager goes around pushing on windows to find unlocked
    ones, he then tests this by climbing through the window. Legal?
    Probably not.

    I would also say that "intent" can't be left out of this
    conversation. If you send me an e-mail, does that mean you have done a
    port scan on TCP 25? When I come to work in the morning and see
    thousands of port 137 scans hitting our firewall then I safely assume
    that the "intent" is of a different matter. So we can't get caught up
    in definitions based only on tcp connections (or only on some other
    technical standard).

    In this case road runner doesn't intend on exploiting anything. But
    the building manager doesn't intend on breaking in. Its a fine line and
    I'm not sure my comments help one way or another. But I find any strong
    or emotional argument, either for or against this topic to be
    suspicious.

    >>> "Jef Feltman" <feltman@pacbell.net> 03/12/04 10:22PM >>>
    So if someone comes and knocks on your door at home you shoot them? Do
    you
    consider them a criminal? No, you lock the door and windows.

    If your host is on the internet I consider it public and knocking on
    the
    door to see if the shop is open, is not a problem. If you do not want
    people
    coming in the door lock it and give a key to those who need it.

    Based on your statement no website should not be accessed by anyone
    other
    than an employee. Sending E-Mail would be a violation also, as the port
    must
    be checked to verify it can be opened to receive.

    Port scanning is not an attack it is probe. I have scanned many
    machines
    that have tried to attack my machine trying to verify if it is an
    attack or
    the host has been compromised. Unless the attack is currently in
    progress,
    the host is almost always taken over by a hacker or virus. Scanning the
    host
    allows me to find ports open that prove the host has been attacked and
    taken
    over. Then I am able to inform the ISP or user of the problem. And not
    go
    after some innocent user.

    If a company runs a service on the internet they must place a lock on
    the
    door to keep out the unwanted. Otherwise it is open to the public.
    Remember
    there are private and public ip addresses. Public means anyone can
    access
    them without freely unless they harm or steal from the host, just like
    the
    store on the corner.

    A port scan has never hurt any machine and never will. Only a poorly
    configured host will be hacked. Just as a poorly locked house will be
    broken
    into.

    jef

    I would certainly consider port scanning to be an attack, based on the

    intention(s) implied by such activity.
    Although I am far from a security expert from a technical perspective,

    it seems to me that the answer to this question lies not in technical
    arguments, but rather on determining whether one has the right to
    access
    someone else's network without permission. I, for one, believe that
    noone (and no organization) has the right to access my network or any
    systems on that network without permission. Permission to access a
    given
    resource does not necessarily have to be explicit (i.e accessing a
    publicly hosted web page would generally be permissible), however,
    ordinary
    concepts of reasonableness (what a reasonable person
    would consider ok) certainly apply (e.g. intentionally accessing an
    accidentally accessible resource that is clearly intended to not be
    accessible would be considered improper).
    I would view port scanning, regardless of the source, as improper
    access
    to the network. It seems to me that a reasonable person would not
    consider it permissible for an outside entity (e.g a business
    competitor) to surrepticiously attempt (the breadth and depth of the
    access and the resources accessed without explicit permission would
    help
    one determine whether the attempt.is indeed surrepticious) to access
    resources on the network.
    A port scan against one or more hosts by an outside agent implies an
    attempt to find services with potential holes active on the network.
    That in, and of itself, implies that the scanner will utilize any
    information found to launch (further) attacks against specific hosts in

    an attempt to gain further access to the network. As the "scanee", I
    can
    only consider such access an unwanted, unauthorized intrusion with
    (likely) malicious intent.
    As such, I would necessarily view port scans to be an attack (even if
    only limited) against the network.

    Charlie

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
    off
    any course! All of our class sizes are guaranteed to be 10 students or
    less
    to facilitate one-on-one interaction with one of our expert
    instructors.
    Attend a course taught by an expert instructor with years of
    in-the-field
    pen testing experience in our state of the art hacking lab. Master the
    skills
    of an Ethical Hacker to better assess the security of your
    organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------

    NOTICE:
    The contents of this email and any attachments to it may contain privileged and confidential information from BDO Seidman, LLP. This information is only for the viewing or use of the intended recipient. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of, or the taking of any action in reliance upon, the information contained in this e-mail, or any of the attachments to this e-mail, is strictly prohibited and that this e-mail and all of the attachments to this e-mail, if any, must be immediately returned to BDO Seidman, LLP or destroyed and, in either case, this e-mail and all attachments to this e-mail must be immediately deleted from your computer without making any copies thereof. If you have received this e-mail in error, please notify BDO Seidman, LLP by e-mail immediately.

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------

  • Next message: Michael Weber: "is this real?"