Re: The legal / illegal line?

From: Justin Ross (RossJ@sddpc.org)
Date: Mon Mar 05 2007 - 14:51:14 EST


I have to side with others who recommend not approaching companies out of the blue with scan results, etc. I am not a lawyer, but as far as the legalities go, that would of course be dependent on the applicable laws of the jurisdiction in question; either way you would be in a very grey and potentially dangerous area, personally and professionally.

If we are talking about port scanning, we are talking about accessing services; even though the risk (or damage potential) of access is mitigated to a SYN/SYN-ACK, a query/response (other flags), or perhaps even a connect() port scan, it is still utilizing and accessing resources. Any response the company may take to your port scans, such as configuring ACLs, modifying/tuning IDS/IPS in response, or human resources examining the logs for your host and access attempts (time paid/loss of revenue), among other things, would be recoverable or used to calculate fines/punishment.

In California for example (I cut out irrelevant sections and paragraphs):
 
California Penal Code 502
(a) It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data. The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, and data.

(b) For the purposes of this section, the following terms have the following meanings:

(1) "Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.
...
(4) "Computer services" includes, but is not limited to, computer time, data processing, or storage functions, or other uses of a computer, computer system, or computer network.
...

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:
...
(3) Knowingly and without permission uses or causes to be used computer services.

....

(d)

...

(2) Any person who violates paragraph (3) of subdivision (c) is punishable as follows:

(A) For the first violation which does not result in injury, and where the value of the computer services used does not exceed four hundred dollars ($400), by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.

(B) For any violation which results in a victim expenditure in an amount greater than five thousand dollars ($5,000) or in an injury, or if the value of the computer services used exceeds four hundred dollars ($400), or for any second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.

The likelihood of being prosecuted for port scanning is very low; however, I think saying it is "lawful" is arguable at best, and could be very costly at worst. A better approach might be to contact companies and speak with their CTO/IT Manager and offer a free third-party port scanning service, with their written permission. It could also be a good way to talk about the differences from your competition, and other services you may offer.

Just my 0.02

Justin.Ross
CCNA, CCSE, MCSE, CISSP

>>> "David Swafford" <dswafford@alterhighschool.org> 3/5/2007 6:55:43 AM >>>
Hi Barry,

Here are my suggestions regarding your message.

In terms of approaching an "insecure" organization, I would not suggest
that you do this outright. Most organizations/clients that I have
worked with would immediately take the offensive side if you were to
approach them out of the blue regarding their network. Some feel that
this is an invasion of privacy, etc. In talking with others I have
heard that it is best to let them find you via word of mouth and from
other clients that you have worked with, also publishing research
information in the community helps spread your name as well.

In terms of the legal perspective (I am not an attorney nor is this the
absolute truth) but in my opinion I think you cross the line of doing
ethical hacking and into black hat hacking when you start to probe a
network without the appropriate contract / "get out of jail free"
documentation. If you were to approach a company whom you never worked
for and present evidence of a port scan or even a further probe they may
take the offensive and immediately see you as the bad guy, also keep in
mind that probing a network is all that you need to have the possibility
of a lawsuit against you.

I think that a client who thinks they are secure though they are not is
one of the more challenging ones to work with. I would not try to
convince them that their network is insecure directly but show them
commonly misunderstood insecurities from a sales pitch perspective. For
example contact a company and ask to have a meeting and come in and
demonstrate that you have knowledge that can help them--show them some
common items that are often forgotten in terms of the security view
point and explain to them that you would be willing to help bring
another perspective in to aid them in protecting their network. It also
helps if you have already done similar work with other companies as
then you have some better references to provide to new clients (with the
previous client's permission of course).

Hope this insight helps, I'm interested in what others have to say as
well as I'm still relatively new to the security field though I've done
network specific work for a few years now.

David.
CEH, CCNA, SECURITY+, NETWORK+

>>> Barry Fawthrop <barry@ttienterprises.org> 3/1/2007 8:46 pm >>>
Hi All

Curious to hear other views, where does the legal and illegal line
stand in doing a pen test on a third party company?
Does it start at the IP Address/Port Scanning Stage or after, say, once
access is gained?? Very vague I know

I'm also curious to hear from other external/3rd party pen-test
consultants, how they have managed to solve the problem
Where they approach a client who is convinced they have security, and
yet there is classic signs that they don't?
You know that if you did a simple pen-test you would have the evidence
to prove your point, and all would be moot

But from my current point that would be illegal, even if no access was
gained. (maybe I'm wrong) ??

Perhaps this is just a problem here where I am or perhaps it exists
elsewhere also?

I look forward to your input

Barry

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW

------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:38 EDT