Re: [Full-disclosure] scanning
- To: GroundZero Security <fd@xxxxxxx>
- Subject: Re: [Full-disclosure] scanning
- From: "ad@xxxxxxxxxxxxxxxx" <ad@xxxxxxxxxxxxxxxx>
- Date: Fri, 02 Jun 2006 15:26:49 +0200
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<b><span class="postbody"><span style="font-weight: bold;">Port
Scanning: Is it illegal? </span></span></b><span class="postbody">By
Bill Reilly:<br>
</span><i><br>
One of the most common questions I get from crackers, hackers, network
security specialists and law enforcement agents is whether port
scanning is illegal. As of November 2001, there has only been one
federal court to issue a ruling on this point.
<br>
<br>
In Moulton v. VC3, Scott Moulton, a network security consultant,
was arrested and charged with violating the Computer Fraud and Abuse
Act after he port scanned a network where he had a service contract to
perform computer-related work for a county 911 center. Moulton had
become concerned with the vulnerability of the network link between the
sheriff’s office and the 911 center and performed a series of remote
port scans on the system. The system’s network administrator noticed
the port scanning activity and e-mailed Moulton questioning his reason
for scanning the ports. Moulton quit scanning immediately and informed
the administrator that he had a service contract with the county and he
was concerned about the network’s security. The administrator contacted
the sheriff, who in turn arrested Moulton on state and federal computer
crime charges. Specifically, Moulton was charged with violating 18 USC
Sec. 1030(a)(5)(B), which prohibits the "intentional accessing [of] a
protected computer without authorization, [that] as a result of such
conduct, recklessly causes damage." (He was also charged with a state
computer crime which is beyond the scope of this article.)
<br>
The county denied that they gave him access to conduct port scans
on the system and argued that he “accessed” the computer without
authorization. This subsection essentially has four elements that the
prosecution must prove: 1. The defendant intentionally accessed a
protected computer, 2. the defendant did not have authorization to
access the computer and 3. as a result of the access, the defendant
recklessly caused damage 4. and the damage impaired the integrity or
availability of data, a program, a system, or information that caused a
“loss aggregating at least $ 5000...or threatened public health or
safety." The court didn’t need to address the first three elements
because the county couldn’t meet the “damage” threshold. The
county
claimed that it had to spend time and money to research the scanning
and determine whether there were any penetrations of the system. But
they admitted that Moulton caused no structural damage. <br>
<br>
While port scanning is a useful reconnaissance technique used by
crackers to locate vulnerabilities in systems that are running buggy
services on certain computer ports, it is essentially a passive query
that works within the architecture of TCP/IP. Without the ability to
query remote computer ports to determine the service that is running
and its compatibility with other computers, the Internet would cease to
function. The county argued that port scanning for malicious purposes
brings in the element of criminal intent. For example, many states have
laws that outlaw the criminal use of lockpicking sets. The sets
themselves are not illegal, but the use of the sets to pick locks that
you are not authorized to pick is a crime. Much in the same way, it is
often argued, non-malicious port scanning should be allowed. However,
when the cracker uses this “tool” to commit a crime, then such port
scanning should be illegal. But as with the lock picking laws, the
“criminal intent” of the person is what turns a “good”
tool “bad.” But
since people can’t read minds, “intent” is usually proven by
the
criminal act itself. Since there are legitimate uses for port scanning,
it is impossible to determine the intent of the scanner unless he goes
on to penetrate the system, which is likely a criminal act already. <br>
<br>
In this case, the county argued that the act of port scanning itself
was a crime. And the judge did not buy that argument. The court said
the statute “clearly states that the damage must be an impairment to
the integrity and availability of the network.” But the judge went on
to conclude that the county’s “network security was never actually
compromised and no program or information was ever unavailable as a
result of … Moulton's activities.” If there was no impairment from
the
scanning or the scans weren’t so voluminous that the network’s
availability was interrupted, then there was no “damage.” Without
damage, there is no crime. <br>
<br>
The recently passed USA Patriot Act dramatically changes the Computer
Fraud and Abuse Act. However, it does not change the requirement that
there must be damage and loss. “Damage” still requires impairment to
the integrity or availability of data, a program, a system or
information. Normal port scanning is not likely to cause such
impairments. However, the USA Patriot Act does make it much easier to
meet the definition of “loss,” which must exceed $5,000. Victims can
now add nearly every conceivable expense associated with the incident
to arrive at the $5,000 threshold. <br>
<br>
The court in Moulton arrived at a logical conclusion to anyone even
remotely familiar with network technology. However, the fact that the
county decided to even prosecute under this obvious mistake of fact
should be a word of caution to network security consultants and others
involved in penetration testing. Many clients are unfamiliar with the
details of the technology and can misinterpret passive measures as
criminal acts. It is highly recommended that the initial service or
consulting contract with the client should grant enough leeway to
ensure that they are “authorized” to conduct the tests and the
scope of
the access is essentially open-ended. If the consultant has such
authorization, the only Section 1030(a)(5) computer crime that the
consultant can be liable for is causing intentional damage to the system.
That is why the definition of “damage” is so important. If there is
no
impairment to the integrity and availability of the network, then there
is no crime. <br>
<br>
Bill Reilly is a California-based network security attorney and a
GIAC-certified Advanced Incident Handler. Bill Reilly can be contacted
at <a href="mailto:reilly@xxxxxxxxxx">reilly@xxxxxxxxxx</a> or (415)
771-3463. <br>
<br>
Copyright(c) 2001 Bill Reilly. All rights reserved. This article does
not in any way offer legal advice of any kind. Rather, the article is
meant as an analysis of a case and may not be taken for specific legal
advice.
<br>
</i>
<br>
<span class="postbody"><span style="font-weight: bold;">Port Scanning
and its Legal Implications</span> By Abhinav Bhatt:<br>
<br>
</span><i>In the mind of a reader who has knowledge of the technology
that I am
about to throw light upon, the above statement, would surely cause some
amount of apprehension if not criticism at my trying to knot together
two diverse issues. I mean every one knows that the age-old adage means
that 'before acting against another one must be ready to guard one's
own actions.' I admit that at the onset, this meaning does not seem
even distantly in the same context as the act of port scanning. However
it will be my effort through this paper to bring one within the scope
and the context of the other. This is because I feel that most
lawmakers have failed to appreciate the fact, that hacking or indeed
getting access to another system, whether with authority or without,
does not necessarily remain confined to itself but includes and
involves many other smaller acts, that by themselves create legal
ramifications. In this paper, I would like to explore some of the
rights of the 'scanned' as against the liabilities of the 'scanner'. <br>
What is Scanning?
<br>
<br>
The term 'scan' has emerged from the Latin word 'scandere - which means
to climb or to scale'. The other meanings(1) attributed to this word
include:
<br>
<br>
<br>
look at all parts successively of (face, horizon etc.), intently or
quickly
<br>
<br>
examine all parts to detect radio activity
<br>
<br>
cause (particular region) to be traversed by controlled (radar etc.)
beam
<br>
<br>
What we are most interested in is the use of this term in modern
day computer terminology. So, for the sake of understanding how far the
English literary definitions hold well under the new use of this word,
let us examine how the same word has been explained under the Indian
Ministry of Information Technology Site Glossary(2).
<br>
Port: An electronic connection that allows data to travel between a
client PC and a server on the network.
<br>
<br>
Port Scan: Data sent by the cracker over the Internet to locate a PC
or network and determine whether it has open ports that will accept a
connection.
<br>
<br>
'Port Scanning' refers to the act of using various open ended
technologies, tools and commands to be able to communicate with another
remote computer system or network, in a stealth mode, without being
apparent, and be able to obtain certain sensitive information about the
system functions and the properties of the hardware and the software
being used by the remote systems. <br>
<br>
Ports are basically entry exit points that any computer has, to be able
to communicate with external machines. Each computer is enabled with 3
or more external ports. These are the ports used by the computer to
communicate with the other computers, printer, modem, mouse, video
game, scanner and other peripherals. The important characteristic about
these 'external ports' is that they are indeed external and visible to
the naked eye. One just has to look at the back of the CPU Tower, to be
able to see the different sockets that are meant to be connected to
various external devices. However these are not the only ports that any
computer has. Every computer is also blessed with virtual ports that
number in a few thousand ... Sixty five thousand five hundred and
thirty six to be precise.
<br>
<br>
Your computer uses these numerous ports to virtually communicate
with other systems when using specific protocols2. As you might know
computers use a certain collection of protocols called TCP/IP suite to
communicate and exchange information. <br>
<br>
Protocols(3) like: <br>
<br>
<br>
File Transfer Protocol (for uploading and downloading of information)
<br>
<br>
Simple Mail Transfer Protocol (used for sending / receiving emails)
<br>
<br>
Telnet Protocol (used to connect directly to a remote host)
<br>
<br>
Internet Control Message Protocol (used for checking network errors
e.g. Ping(4))
<br>
<br>
and many others are collectively known as the TCP/IP suite of protocols
and are used to communicate with other computers for specific message
formats. Most of these protocols are tied to specific port numbers that
are used to transfer particular message formats as data. For example
port number 21 is the FTP port. Port number 23 is the telnet port and
all web pages are viewed using the Hyper Text Transfer Protocol (HTTP),
which is tied to the port number 80.
<br>
But not all 65,000 and more port numbers are dedicated ports. Only
ports 1 to 1024 are dedicated ports, the others are used as stand-bys
and can be used by a network administrator for running any applications
or establishing communication channels with other computer systems.
Under normal circumstances all these ports are open and their status is
said to be "listening for connections" which means that they are ready
to establish communication with other machines on a network. In such a
case any external machine wishing to send data shall, unless
restricted, be allowed to communicate directly with your machine.
<br>
<br>
This is definitely a very dangerous proposition that your machine
is in such a promiscuous mode that it can be accessed and even controlled
by more than just yourself, in fact by many remote hosts. It leads us
to the imminent risk that your computer might at anytime shut you out
of its control, and may even start acting against you by sending your
important files over to your enemies. Thus all netads and sysops as a
rule will shut all ports that are not in use, and secure access to all
the ports that are open so that no person may remotely use a port to
send data to an unauthorized port in a clandestine fashion.
<br>
<br>
Whatever the case may be, the importance of port scanning cannot be
understated. All port-scanning tools give the user (adversary /
assessor) the chance to assess the remote system for weaknesses or
vulnerabilities, without letting the computer administrator know about
such an audit. This enables the adversary to plan out an attack against
the remote system, based on his previous reconnoiter, with the victim
being none the wiser. Generally when any information is exchanged
between two computer systems, some logs and records are created on both
ends, as well as the users of the computers are required to participate
in the exchange of information, however, in this case, the computer of
one communicates with the network of another in a stealth mode that
requires no dual participation or log recording.
<br>
<br>
Now let us examine the legality of port scanning.
<br>
<br>
Under the Indian Information Technology Act, 2000, the act of port
scanning does not amount to hacking, (5)
<br>
<br>
which is defined as: <br>
<br>
"Whoever with the intent to cause or knowing that he is likely to
cause wrongful loss or damage to the public or any person destroys or
deletes or alters any information residing in a computer resource or
diminishes its value or utility or affects it injuriously by any means,
commits hacking." <br>
<br>
The essential elements of hacking are <br>
<br>
<br>
Intention or Knowledge
<br>
<br>
Wrongful Loss to Public or Person <br>
<br>
Deletion / Alteration / Destruction or
<br>
<br>
Diminishes Value or Utility
<br>
of information residing in a computer resource
<br>
<br>
Port Scanning will satisfy the first requirement of Knowledge or
Intention.
<br>
<br>
But the second essential is not met, as port scanning does not
necessarily cause any wrongful loss. E.g. if a network administrator,
scans his own network for security reasons, then he will not intend to
create any wrongful loss.
<br>
<br>
Also, all the other elements of hacking are also not invoked as
port scanning merely scans the crust of the network without affecting
any information resource residing within it. <br>
<br>
Thus Port Scanning definitely does not attract the offence of
'hacking', unless it is used by a cracker, with the intention to crack
the system, and in conjunction with any other tool that actually
changes any information that resides in the computer. <br>
<br>
Under the US Computer Fraud and Abuse Act, as well as under cyber laws
of other countries, the element of "unauthorized access" is generally
found to sufficiently cover the act of port scanning. Specifically 18
USC Sec. 1030(a)(5)(B) of the American Act has been applied to the act
of port scanning in a previous case.
<br>
<br>
This subsection essentially has six elements that the prosecution must
prove.
<br>
<br>
<br>
The defendant intentionally accessed a protected computer, <br>
<br>
The defendant did not have authorization to access the computer <br>
<br>
As a result of the access, the defendant recklessly caused damage <br>
<br>
The damage impaired the integrity or availability of data, a program, a
system, or information <br>
<br>
That caused a loss aggregating at least $5000 or <br>
<br>
Threatened public health or safety
<br>
When we compare this section with the Section 66 of the Information
Technology Act, 2000 we find a few similarities as far as 'causing
intentional damage to data or information' however the similarity ends
here as this section, under US law, also extends to unauthorized access
of a protected computer, and covers unintentional or reckless damage,
of the value of 5000 $ or above. In the Indian scenario, intention and
knowledge have to be present in the act of doing the damage also.
Lastly, this section of the American Act, also takes in any act that
threatens public health and safety which S. 66 of the IT Act, does not.
<br>
<br>
In November 2001 a federal US court has dealt with a case of port
scanning in the Moulton v. VC3 case under 18 USC Sec. 1030(a)(5)(B), of
the Computer Fraud and Abuse Act of America. The facts of the case were
as follows.
<br>
<br>
Scott Moulton was a network security consultant, who had a service
and maintenance contract with the county 911 Center to perform computer
network related work. He was arrested and charged with violating the
Computer Fraud and Abuse Act after he port scanned the 911 center's
computer network. The defendant stated that he was concerned with the
security of the network and had been authorized by the county in the
service contract to maintain the networks. The defendant scanned the
vulnerability of the LAN network between the sheriff's office and the
911 Center and performed a series of remote port scans on the system.
The system's network administrator was using a network analyzer and a
firewall system and he was able to immediately notice the port scanning
activity. The Sysop then e-mailed the defendant questioning him the
reason and the motive for scanning the ports. On being challenged, the
defendant behaved in a suspicious manner, by quitting the scanning
activity and immediately emailed back, informing the administrator that
he had a service contract with the county and he was authorized to
check the security of the network. <br>
<br>
Concerned about the network's security and the act of the defendant,
the network administrator then contacted the sheriff, who in turn
arrested the defendant on state and federal computer crime charges. <br>
<br>
Charge:
<br>
Specifically, Moulton was charged with violating 18 USC Sec.
1030(a)(5)(B), which prohibits the "intentional accessing [of] a
protected computer without authorization, [that] as a result of such
conduct, recklessly causes damage." <br>
<br>
Argument:
<br>
The county denied that they gave him authority or 'access' to conduct
port scans on the system and argued that he accessed the computer
unlawfully and with intention. Additionally the County alleged that it
had to spend time and money to research the scanning and determine
whether there were any penetrations of the system. But they admitted
that Moulton caused no structural damage. In this case, the county
argued that the act of port scanning itself was a crime. But the judge
did not accept that argument. <br>
<br>
Held:
<br>
The court said the statute clearly states that the damage must be
impairment to the integrity and availability of the network. Since the
county's network security was never actually compromised and no program
or information was ever unavailable as a result of the defendant's
activities. If there was no impairment from the scanning or the scans
weren't so excessive or load bearing that the network's availability
was interrupted, then there was no damage. Without damage, there is no
crime, which is what the Courts held in the case. The court didn't need
to address the damage element since the County failed to prove it
conclusively.
<br>
<br>
Looking at the above case we do realize that in certain cases even
though port scanning does not inherently cause any damage, yet the very
act should create legal liability. This is because 'port scanning' is
an inherently dangerous activity which although it does not cause
direct damage to any computer system, it enables a cracker to launch a
successful attack against your system, and if an offence is a crime
then the preparation should also be punishable, which sadly is not the
case.
<br>
<br>
For example, the Criminal Procedure Code has made the carrying /
possession of house breaking implements an offence for which the Police
Officer may arrest without a warrant, and the burden of proving the
reason for carrying the implements shall lie upon the possessor of
those implements. The implements themselves are not illegal, but the
possession of the implements shall authorize a Police Officer to arrest
you on the mere suspicion that you might be involved in or preparing
for a crime of house breaking. In such a case the person found with the
implement would have to give the Police, the reason and the intention
with which such person was in possession of the implements. In absence
of a reasonable explanation, the Police Officer would have sufficient
cause to arrest the person.
<br>
<br>
Though the Information Technology Act, 2000 does not cover acts
like port scanning under the offence of 'hacking' yet in certain cases,
where the security of certain systems is utmost priority like in case
of defense and strategic installations, port scanning can be covered.
Section 70 of the IT Act talks about unauthorized access of a protected
system.
<br>
<br>
The sub section (3) states
<br>
<br>
"Any person who secures access or attempts to secure access to a
protected system(6) in contravention of the provisions of this section
shall be punished with imprisonment of either description for a term
which may extend to ten years and shall also be liable to fine." Thus
although this section only covers systems that are notified as
protected systems it is able to afford protection to the important and
strategic installations and systems of the country from acts of port
scanning by making access as well as attempt to secure access
punishable up to 7 years, thus acting as a sufficient deterrent to
crackers that might intend to launch attacks against the vital security
of our nation. <br>
<br>
Conclusion:
<br>
While port scanning is a useful reconnaissance technique used by
crackers to locate vulnerabilities in systems that are running services
on certain computer ports, it is essentially a passive query that works
within the architecture of TCP/IP. Without the ability to query remote
computer ports to determine the service that is running and its
compatibility with other computers, the Internet would cease to
function. Many argue that port scanning and other tools like network
analyzers, packet sniffers etc. normally used for analyzing networks
and their vulnerabilities are used for malicious purposes having the
element of criminal intent. Thus, the use of these should be made
illegal, even if the use was innocent and did not cause any real
damage. <br>
<br>
However, only when a cracker uses this tool to commit a crime, then
such port scanning should be illegal. But as with the "House Breaking"
law, the criminal intent of the person is what turns a good tool bad.
But since people can't read minds, intent is usually proven by the
criminal act itself. Since there are legitimate uses for port scanning,
it is impossible to determine the intent of the scanner unless he goes
on to penetrate the system, which is a criminal act already u/s 66 of
the Information Technology Act. <br>
<br>
The recently passed USA Patriot Act dramatically changes the Computer
Fraud and Abuse Act. However, it does not change the requirement that
there must be damage and loss. Damage still requires impairment to the
integrity or availability of data, a program, a system or information.
Normal port scanning is not likely to cause such impairments. However,
the USA Patriot Act does make it much easier to meet the definition of
loss, which must exceed $5,000. Victims can now add nearly every
conceivable expense associated with the incident to arrive at the
$5,000 threshold. <br>
<br>
The court in Moulton arrived at a logical conclusion to anyone even
remotely familiar with network technology. However, the fact that the
county decided to even prosecute under this obvious mistake of fact
should be a word of caution to network security consultants and others
involved in penetration testing. Many clients are unfamiliar with the
details of the technology and can misinterpret harmless measures as
criminal acts. It is highly recommended that the initial service or
consulting contract with the client should grant enough leeway to
ensure that they are authorized to conduct the tests and the scope of
the access is essentially open-ended. If the consultant has such
authorization, the only computer crime that the consultant can be
liable for is causing intentional damage to the system under S. 66 in
case of hacking but not unauthorized access. Thus, you see, those who
live in glass houses ... shouldn't peep into others' lives.
<br>
<br>
(1) As per the Concise Oxford Dictionary of Current English, 7th
Edition.
<br>
<br>
(2)<a class="moz-txt-link-freetext"
href="http://www.itsecurity.gov.in">http://www.itsecurity.gov.in</a>
<br>
<br>
(3) Protocols are like languages that computers use to communicate
with each other for transmitting data across. Formal description of
message formats as well as the rules that computers must follow to
exchange those messages.
<br>
<br>
(4) Packet Internet Gopher -made famous by the "Ping of Death
Attack" uses a small 32 bytes data packet to check if remote host is
alive on the network.
<br>
<br>
(5) Section 66 (1) of the Information Technology Act, 2000 <br>
<br>
(6) The appropriate Government may, by notification in the Official
Gazette, declare that any computer, computer system or computer network
to be a protected system. S. 70 (1)<br>
</i>
<br>
<span class="postbody"><span style="font-weight: bold;">Port scans
legal, judge says</span> by Kevin Poulsen:<br>
<br>
</span><i>Federal court finds that scanning a network doesn't cause
damage, or threaten public health and safety. <br>
<br>
A tiff between two IT contractors that spiraled into federal court
ended last month with a U.S. district court ruling in Georgia that port
scanning a network does not damage it, under a section of the
anti-hacking laws that allows victims of cyber attack to sue an
attacker.
<br>
<br>
Last week both sides agreed not to appeal the decision by judge
Thomas Thrash, who found that the value of time spent investigating a
port scan can not be considered damage. "The statute clearly states
that the damage must be an impairment to the integrity and availability
of the network," wrote the judge, who found that a port scan impaired
neither.
<br>
<br>
"It says you can't create your own damages by investigating
something that would not otherwise be a crime," says hacker defense
attorney Jennifer Granick. "It's a good decision for computer security
researchers."
<br>
<br>
A port scan is a remote probe of the services a computer is
running. While it can be a precursor to an intrusion attempt, it does
not in itself allow access to a remote system. Port-scanning programs
are found in the virtual tool chests of both Internet outlaws and cyber
security professionals.
<br>
<br>
Scott Moulton, president of Network Installation Computer Services
(NICS), is still facing criminal charges of attempted computer trespass
under Georgia's computer crime laws for port scanning a system owned by
a competing contractor.
<br>
<br>
Protecting 911?<br>
According to court records, the case began last
December, while Moulton was under a continuing services contract with
Cherokee County, Georgia to maintain the county's emergency 911 system.
<br>
<br>
Moulton was tasked to install a connection between the 911 center and a
local police department, and he became concerned that the system might
be vulnerable to attack through the new link, or through other
interconnections.
<br>
<br>
Apparently prompted by that concern, Moulton scanned the network on
which the 911 system resided, and in the process touched a Cherokee
County web server that was owned and maintained by VC3, a South
Carolina-based IT firm. "My client started investigating who was
connected to the 911 center, where he worked," says Erin Stone,
Moulton's civil attorney. "He wound up finding VC3's firewall." <br>
<br>
When a VC3 network administrator asked Moulton in an email to explain
the scan, "Moulton terminated the port scan immediately and responded
that he worked for Cherokee County 911 Center and was testing
security," according to the federal court's finding of fact. <br>
<br>
VC3 went on to report the "suspicious activity" to the police, and
Moulton soon lost his contract with Cherokee County. Several weeks
later, the Georgia Bureau of Investigation arrested him.
<br>
<br>
Suit, Counter-suit<br>
While still facing state criminal charges,
Moulton counter-attacked in February by suing VC3 in federal court,
accusing the company of making false and defamatory criminal
allegations against him. In deciding the case last month, Judge Thrash
rejected Moulton's claim, finding that VC3's statements to the police
were privileged. "We're the victim in a criminal case that got sued for
cooperating with police," says VC3 attorney Michael Hogue. The company
filed a counter-claim under an increasingly popular provision of the
federal computer fraud and abuse act that allows victims to sue a
cyber-attacker if they've suffered damages of at least $5000. <br>
<br>
While VC3 acknowledged that Moulton's port scan did no direct harm, the
company argued that the time spent investigating the event was a form
of damage. "If somebody does some type of attack, and you are a good
service provider, you spend all your time verifying that it did not
cause a significant problem," says Hogue. "The time that it takes to do
all that searching is the damage that we were claiming."
<br>
<br>
The judge rejected that claim, as well as an argument that the port
scan, and a throughput test Moulton allegedly aimed at the VC3 system,
threatened public health and safety. "[T]he tests run by Plaintiff
Moulton did not grant him access to Defendant's network," wrote the
judge. "The public data stored on Defendant's network was never in
jeopardy."
<br>
<br>
The ruling does not affect criminal applications of the
anti-hacking law, but federal law enforcement officials are generally
in agreement that port scanning is not a crime. <br>
<br>
The decision may help define the statute's civil boundaries at a time
when more companies are eyeing lawsuits against computer intruders as
an alternative to relying on government prosecution. <br>
<br>
"This is probably the first of many decisions that will come out
pertaining to the civil component of the computer fraud and abuse act,"
says former computer crime prosecutor David Schindler, now an attorney
with the law firm of Latham & Watkins. "If a client came to me and
said that someone had pinged on their network and nothing else, I
probably would not advise them to take civil action."
</i>
<br>
<br>
<span class="postbody"><span style="font-weight: bold;">Can I take
legal actions against port scanning?</span> by SANS:<br>
<br>
</span><i>Port scanning is like ringing the doorbell to see whether
someone's at
home. The police usually can't do anything about it. They have to wait
until a crime is committed. For example, in Germany and Singapore, port
scanning cannot be prosecuted. However, consult your local lawyer to
see if this is true in your country. Sometimes, if a computer system is
affected too much by a port scan, one can argue that the port scan was,
in fact, a denial-of-service (DoS) attack, which is usually an offense.</i><br>
<br>
<br>
GroundZero Security wrote:
<blockquote cite="mid035b01c6863e$44d67ec0$0100a8c0@nuclearwinter"
type="cite">
<blockquote type="cite">
<pre wrap="">Blacklist all .br/.kr/.jp/.cn IPs on your firewall already is
what I say.
</pre>
</blockquote>
<pre wrap=""><!---->That would work for your home computer, but on a business
server
not a very bright idea.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Is it illegal if I perform a vulnerability scan on a site
without
permission from the owner? How about a simple port scan? thanks..
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->
As far as i know (and i'm very sure about that), vulnerability scans are
illegal in most countries, at least in those that have computer laws.
Especially if you use something like CoreImpact or Canvas, since
they actively exploit a vulnerability, resulting in illegal access to the
System.
A simple port scan however, is most likely not illegal, since all it does is
see what
public services a server may offer. I never heard of a single case where
someone got sued for a simple port scan.
-sk
<a class="moz-txt-link-freetext"
href="http://www.groundzero-security.com">http://www.groundzero-security.com</a>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: <a class="moz-txt-link-freetext"
href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a>
Hosted and sponsored by Secunia - <a class="moz-txt-link-freetext"
href="http://secunia.com/">http://secunia.com/</a>
</pre>
</blockquote>
<br>
</body>
</html>
begin:vcard
fn:Arnaud Dovi / Ind. Security Researcher
n:Dovi;Arnaud
email;internet:ad@xxxxxxxxxxxxxxxx
tel;work:Independent Security Researcher
version:2.1
end:vcard