Security Incidents mailing list archives
Scanning. Is it a consumer right?
From: prestone () BULLDOG GEORGETOWN EDU (ethan preston)
Date: Tue, 2 May 2000 22:12:11 -0400
Security is a two-way street and I think the issue of scanning brings that to the forefront. Our own security (which should be something like a natural right in computer science) is threatened by the insecurity of others. If no other machines were ever compromised, crackers would be less able to disguise their origin in a meaningful way. Therefore we would be able to focus on tracking crackers down and deterring them, rather than playing catch-up on plugging the hole in our system that we haven't found yet. So you have an interest in keeping others' servers secure. IANAL, but I'm about a year out from graduation. (This isn't legal advice, you have not formed a client-attorney relationship, blah, blah, blah.) The idea that third-party servers that are negligent in securing their system should be liable (in order to provide incentive to make people take reasonable steps to secure their system) has been much discussed in legal circles. It seems to me that, if the legal system has given us an interest in third-party security, consumers should have a corresponding right to ensure that they are not ensuring their credit card number to a server that has a three-year-old vulnerability (that's been patched for almost as long) in their implementation of Front Page and has 3y3oWnj00 as a user in their NetBIOS register. The consumer can find this out from a scan by Nessus, but I think a lot of us would think that a full Nessus scan crosses the line between mere OS fingerprinting and into invasive scanning. We all depend, to some degree, on third party security. Consumers may place their privacy and their credit card numbers in the hands of servers that can be negligent. If we decide consumers SHOULDN'T have a right to scan, then their only recourse is legal. (Which is great for me and every other lawyer, but would be an overall loss to society, I think.)
Allowing consumers to scan reduces the transaction costs of poor security; if you have poor security, consumers know it and stay away from you, rather than trusting you and having to buy lawyers when you are r00ted seven months later. Obviously, one way around this is to let consumers request permission to scan, but somehow I don't think this is going to be a real solution. If faced with such a request, I wonder how many of you would agree to be scanned? It's a matter of trust, because who's to say that the consumer isn't a cracker (or won't become one)?

----- Original Message -----
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Monday, May 1, 2000 2:35 pm
Subject: Re: Scanning. Is it dangerous?
On Sat, 29 Apr 2000 17:12:54 +0200 Sarunas Krivickas <KrivickasS () PASTAS KAM LT> wrote:

> Let's go to discuss a little bit about subject! My question is how the recognized simple scanning is described in your IT security policy and why scanning is so dangerous for you?

Our security policy includes scanning under the heading of "security experiments" and our users are forbidden to perform such experiments, with the exception of Systems and Network Administrators testing their own security. If they want to do this from off campus they need my (Security Officer's) permission, otherwise they will likely lose their ISP account ;-)

We report all inbound scans (providing we can find someone to report them to without too much trouble). Inbound scans are not dangerous in themselves; however, the information obtained from scanning may well be -- why else do crackers do it?

There are two main reasons we report scans:

1/ Most come from machines that have already been compromised. I believe it behoves us as good net citizens to warn the owners of systems that have been compromised that they have problems. It may be me next time.

2/ Scans originating from dial-up servers at ISPs are likely to be naive script kiddies. A warning from an ISP to the kid's parents may well save him/her from getting into more serious trouble later.

We also see quite a few scans from local ISPs; these I pursue fairly vigorously. My guess is that most of these scans are initiated by our own students from home (they do tend to focus on the machines that supply student services and control their access to the net ;-) I want to get the message to our students that if they muck with our systems then they will get caught and will be dealt with.

My personal belief is that ISPs should have a 3-tier warning system:

1/ First complaint gets an email notice.
2/ Second gets a phone call to the person in whose name the account is held, warning them that any more complaints will result in cancellation of the account.
3/ Third, the account is cancelled.

Unfortunately ISPs have to be very careful in this process because it is very easy to lay false complaints and very difficult for an ISP to detect that they are in fact false.

Cheers, Russell.