SecurityFocus 2000-12-18
Federal court finds that scanning a network doesn't cause damage, or threaten public health and safety.
Lame
2000-12-19
Anonymous (1 replies)
Lame (a reply by VC3)
2000-12-20
david.dunn (at) vc3 (dot) com [email concealed] (2 replies)
Your headline is misleading
2000-12-19
EJ (4 replies)
re: Your headline is misleading
2000-12-19
ThwartedEfforts (2 replies)
Your headline is misleading
2000-12-19
merk_man (1 replies)
So if some one knocks on my door...
2000-12-19
garak (at) fastvcd (dot) com [email concealed] (1 replies)

__________________________________________________
1. Quote[
"Moulton was tasked to install a connection between the 911 center and a local police department, and he became concerned that the system might be vulnerable to attack through the new link, or through other interconnections.
Apparently prompted by that concern, Moulton scanned the network on which the 911 system resided, and in the process touched a Cherokee County web server that was owned and maintained by VC3, a South Carolina-based IT firm. "My client started investigating who was connected to the 911 center, where he worked," says Erin Stone, Moulton's civil attorney. "He wound up finding VC3's firewall." "
]End Quote
This indicates Moulton was performing a port scan on the 911 network itself, which he should have had every right to do. And though not specifically stated, it sounds like Moulton was looking to find out what all was on the network and most likely didn't know yet (ergo could not notify VC3 since he didn't know they were there).
For anyone in network admin type work who's ever changed jobs, there's an orientation period where you're trying to figure out how things work. If the folks there before you didn't leave behind a good network diagram (or did but it's potentially out of date, which is often the case), the quick way to find out what's on your network is to do a scan. More on this below.
__________________________________________________
2. A "port scan" is technically the scanning of ports at a single IP address; e.g., seeing if anything comes back on port 21 (FTP), 23 (TELNET), 25 (SMTP), 80 (HTTP), etc. From the description in the article, it sounds more like Moulton performed an "auto discovery", which normally consists of two stages: a) a "ping sweep" of a given subnet to find available hosts at given IP addresses (this tells you what IP addresses are in use at that moment); and b) the actual "port scan" of each of those available IP addresses to find out what's running on them. This second stage is performed to determine whether a box is running a webserver, an FTP server, and often to determine what kind of box it is. This information is critical from a network administration point of view, as it lets you know "what's out there", and as long as you do it on your own network, how can this be illegal?
Granted, word semantics aside, let's make sure we have the definition of "port scanning" clear. Did Moulton ONLY port scan the IP address of VC3's firewall, or did he do an entire ping sweep of the subnet and then go back and see what each found device was?
__________________________________________________
3. "Auto discovery" tools are found in every single network management software (NMS) solution that's worth its salt. Why? Because it's usually the first thing you want to do when you set up NMS. Take your pick: Castle Rock Computing's SNMPc, Cabletron/Aprisma's Spectrum, CA's NetworkIT Pro, HP's OpenView, Tivoli's NetView, etc. They all offer "auto discovery" tools for doing what it appears Moulton did.
And when you perform an "auto discovery" of your network, you're bound to "touch" on its perimeters with your ISP(s) and whatever else is connected at the fringes of your network. This isn't illegal. It's doing your job and protecting your ass.
Granted, doing such an "auto discovery" will likely trigger firewall alarms (as occurred once to me while setting up an SNMPc box), but in and of itself is not an illegal activity (nor does it definitively show "intent" to commit a crime).
__________________________________________________
4. Now, if what has been written above is true and Moulton performed this "port scan"/"auto discovery" from his OWN IP address (from this I assume it means he was NOT sitting on the Cherokee County 911's network at the time), then I can see how it might have looked to VC3. They would've seen the port scan occurring on their firewall and figured the worst. Yes, port scans are often preludes to attacks. But there are legitimate reasons for doing them as well.
And it may have been possible for Moulton to send out notification to the Cherokee Cty 911 folks that he was going to perform this "auto discovery" ahead of time, though I'm really suspecting it was just that...an "auto discovery" to find out what was "out there", which inherently implies he did not know in advance WHO to contact (other than his client the 911 group).
And ideally, Moulton should have performed this "auto discovery" FROM the Cherokee County 911 network itself.
However, talking things through as technical people afterwards should've resolved any confusion between VC3 and Moulton.
__________________________________________________
5. Quote from comment thread[
"Interesting. I would like to know an instance when port scanning someone that you do not do security business with has beneficial results."
]End Quote
a) You're a DOT COM/E-BUSINESS/blah blah blah who wants to map the Internet, not unlike Quova as reported here at
http://www.securityfocus.com/news/56
only instead of doing a geographical type mapping you want to show the preponderance of webservers in given areas (e.g., Red Hat looking to find out where they should target their marketing of Red Hat/Apache, etc.). Ok, it's a stretch, but it's possible.
Do I like the idea much? No. But it would be an example of port scanning that didn't involve the intent to hack/crack/attack/defraud/commit a crime.
b) You're an ISP and you're noticing a lot of bandwidth saturation on various clients' pipes. Maybe you're pro-active and want to make sure the client has sufficient bandwidth as their business grows. Or maybe a particular client is a cranky bastard who says all they do is basic e-mail and claims their pipe should be wide open, so you cover your ass by verifying that the client isn't running more than they think. Again, the INTENT is not to hack. It's to gather information.
__________________________________________________
6. Finally, following on the heels of the last remark, and this is just my personal opinion, the gathering of information itself should not be restricted, lest we open Pandora's box and all that goes with it...from censorship (already being debated with U.S. Congress' pending legislation on content filtering of federally funded schools and libraries) to Nazi-esque tactics trying to prevent the dissemination of information.
* If you're worried about someone probing your network, then throw up a firewall. That's what they're designed for. VC3 had one, and it worked like a champ, blocking potential "barbarians at the gate." No harm done.
* In the U.S., you are innocent until proven guilty (at least in theory). We do not prosecute based on what you MIGHT do in the future. We can only prosecute you for what you have DONE (be it action or planning to act...as in "conspiracy to commit...", not just thinking to yourself). Talk to lawyers. They'll explain this to you. Port scanning in and of itself is harmless (unless the port scan is constant and repetitive to the point of creating a DoS type attack).
* Keep in mind that if today we pass a law that forbids port scans, what will tomorrow bring? Does that mean I can sue my ISP when, in order to verify and update their network topology, their NMS scans my link to the Net (provided thru them)? I say this tongue-in-cheek, but realize that what we joke about often comes to pass. Just think of all the frivolous patents that have been passed in the last few years, and how some companies have tried enforcing them.
It's a complex world out there. Let's try to simplify things a bit, shall we?
Link to this comment: http://www.securityfocus.com/comments/articles/126/4128#4128
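
Added example, not part of the comment above or of the SecurityFocus article: a firewall operator's view of the distinction drawn in point 2, telling a two-stage "auto discovery" (ping sweep, then port scan of the hosts that answered) apart from a port scan of a single address. The log format, the addresses (documentation ranges) and the thresholds `min_hosts` and `min_ports` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample firewall log (not from the case): time src dst proto dport
SAMPLE_LOG = """\
10:00:01 192.0.2.10 198.51.100.1 icmp -
10:00:01 192.0.2.10 198.51.100.2 icmp -
10:00:02 192.0.2.10 198.51.100.3 icmp -
10:00:05 192.0.2.10 198.51.100.2 tcp 21
10:00:05 192.0.2.10 198.51.100.2 tcp 23
10:00:05 192.0.2.10 198.51.100.2 tcp 25
10:00:06 192.0.2.10 198.51.100.2 tcp 80
10:01:00 203.0.113.7 198.51.100.9 tcp 21
10:01:00 203.0.113.7 198.51.100.9 tcp 23
10:01:01 203.0.113.7 198.51.100.9 tcp 25
10:01:01 203.0.113.7 198.51.100.9 tcp 80
10:02:00 203.0.113.50 198.51.100.3 tcp 80
"""

def classify_sources(log_text, min_hosts=3, min_ports=4):
    """Label each source: 'auto discovery', 'ping sweep', 'port scan' or 'normal'."""
    pinged = defaultdict(set)                      # src -> hosts sent ICMP
    ports = defaultdict(lambda: defaultdict(set))  # src -> dst -> ports probed
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                               # skip malformed lines
        _, src, dst, proto, dport = fields
        if proto == "icmp":
            pinged[src].add(dst)
        elif dport.isdigit():
            ports[src][dst].add(int(dport))
    verdicts = {}
    for src in set(pinged) | set(ports):
        swept = len(pinged[src]) >= min_hosts      # stage a: many hosts pinged
        scanned = [d for d, p in ports[src].items() if len(p) >= min_ports]
        # Stage b counts as discovery only if the host was pinged in stage a.
        followed_up = [d for d in scanned if d in pinged[src]]
        if swept and followed_up:
            verdicts[src] = "auto discovery"
        elif swept:
            verdicts[src] = "ping sweep"
        elif scanned:
            verdicts[src] = "port scan"
        else:
            verdicts[src] = "normal"
    return verdicts

print(classify_sources(SAMPLE_LOG))
```

The labels describe traffic shape only; as the comment argues, the same pattern comes from an NMS mapping its own network and from someone preparing an attack, so a verdict here is a prompt to contact the source, not evidence of intent.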