RE: Malicious use of grc.com

["Nicko Demeter" <nicko () siterra com>]

OK, I will attempt (probably poorly) to sum everything up here:

a) Mr. Gibson has made publicly available a scanning tool that can serve
as an anonymous scanning tool against any potential hosts. I am not sure
I remember mentioning of a potential DoS attack from the advisory. There
was only caution that this host allows information to get to a potential
attacker in a completely undetectable manner thus leading to a potential
intrusion.

b) Mr. Gibson has been VERY vocal about his security skills and views on
several subjects including the snafu with M$'s TCP stack. Several people
have observed the irony of someone that seems like a security expert to
post a program on his site that is vulnerable to some kind of exploit.

c) There have been statements from Mr. Gibson that 1) the problem has
been existent for at least two years and 2) he does not find it
significant enough based on other factors (how many checks you can
spawn, only 200 bytes/sec) to deal with it quite yet.

d) People have taken sides on this issue. One sides views this as equal
as "hacking the Gibson" (sorry, I couldn't resist ;)) while the other
finds it quite insignificant and not even worth making an advisory
about.

So while all this is going on there are several simple solutions. Since
the scan is limited to certain ports then a security expert would know
how not to report those ports as wide open. I mean we're all security
engineers here, right? Also since Mr. Gibson is blessed with static ip's
we could easily block traffic from his network thus eliminating
potential scans from his hosts.

Was the finding significant enough for an advisory? Hell yes. While
ironic it also provided us with an issue that's hot enough to generate
discussion amongst ourselves. And that is the reprecautions one should
take before posting the latest "cool" security tool on his/her site
without first investigating all the angles. And as security experts we
are all kinda blown away that once a flaw is found the author does not
take steps to fix this. Top that is the irony of the individual creating
the flawed software and you got a nifty advisory. I seriously see
nothing wrong with that.

And to touch briefly about port scanning: While it's true it's not
illegal, there is nothing that stops you, the network engineers from
taking any action necessary to protect your network from scans. Just
because someone can see in your house that does not give him the right
to take a peak and you have every reason to pull the blinds if you chose
to. Now if a certain someone had created a tool that allowed him to look
in your house from farther away while undetected it would be up to the
commonality/society/community to scrutinize the inventor of the tool and
it's usefulness. It is fortunate that while the tool has been created we
also have the tools from blocking it.

So while we may all have our individual feelings about the person that
created this tool or the people that wrote the advisories in this case
we are fortunate enough to be able to assess the threat individually and
take any action that we see necessary regardless of the parties'
involved actions.

Nicko Demeter
Systems Engineering
Siterra Corp.



-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Wednesday, November 28, 2001 10:54 AM
To: Aussie
Cc: vuln-dev () securityfocus com
Subject: Re: Malicious use of grc.com



> Is it my ignorance, or does Gibson seem to not
> really understand that the 
> port scans in question HAVE a valid IP...his systems
> and therefore are 
> being returned, via his systems, to the attacker who
> has just effectively 
> hidden his (her?) real IP by using Gibson's IP range
> instead. Is this not 
> a form of spoofing?

I think Gibson fully understands this...and he also
understands that in the US, port scanning is not
illegal.  Therefore, no one can come to him and take
an legal action against him if someone else scans his
site.  After all, even if someone does use the
information returned from a port scan to then attack
and compromise a site, once they start to do so, they
no longer can use Gibson's site (at this point,
anyway).  Once they get the port scan data back, they
have to either attack the target site directly, or
launch their attacks through some other proxy or
port-redirection mechanism.

> Is Gibson suggesting that his unauthorised (by me)
> and unwanted (by me) 
> checks of certain ports on MY system should not be
> defined by me as attacks or intrusion attempts? 

They aren't.  Regardless of what you may think or feel
about the subject, the US legal system (and several
European ones that I'm aware of) do not consider port
scanning illegal.

> Further, by what right does Gibson 
> determine that MY firewall/IDS is faulty because it
> deliberately 
> generates reports to indicate that someone port
> scanned me without my 
> authorisation? If someone scans the 10 ports or so
> that Gibson's Shield-
> Up product scans, I like to think that I have every
> right to determine 
> that the person has attacked and possibly attempted
> an intrusion on my 
> private systems. Maybe I'm completely wrong, after
> all, IANAL.

To be completely honest, your above statement doesn't
make any sense to me...but maybe it's just me.  I've
handled "abuse@" emails for a large telecomm/ISP, and
I've seen threats of legal action for single ICMP
packets.

"I like to think that I have every right to determine 
that the person has attacked and possibly attempted
an intrusion on my private systems."

Well, of course you do.  You have every right to NOT
believe what Gibson says.  But I fail to see how a
couple of SYN packets, most of which are most likely
dropped by the firewall or responded to as closed
ports anyway, constitutes an "attack" or "possible
attempted intrusion".


__________________________________________________
Do You Yahoo!?
Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month.
http://geocities.yahoo.com/ps/info1