
SANS ISC: A scan is a scan is a scan - SANS Internet Storm Center SANS ISC InfoSec Forums


A scan is a scan is a scan



One of our readers sent the ISC an update this morning on an ongoing educational/research scan of the Internet that will be expanding to include further ports and protocols.  While I appreciate the effort and reasoning behind the educational/research scans, using the Internet at large may not necessarily be the way to go about this, so I'm asking for input and comment.


The value in data taken from scans of the Internet is very real, no doubt, and I applaud the organizations for their efforts to inform the Internet community of what they are doing.  The hidden cost of this scanning and classification effort falls on the organizations being scanned, however, and I am afraid the research institute may be overlooking this fact.


In almost every organization with an IDS or IPS you will have a person responsible for the review and analysis of the activity.  However, not all security analysts out there read the ISC or other sources of security information on a daily basis.  So when the security analyst notices unidentified addresses or services, the effort to classify the activity begins.  This may sometimes take an hour, and from my experience time is always the resource we never have enough of.  This is where the cost is incurred by the end user being scanned: the time spent to identify the activity and update their internal databases.


One last thought: the vulnerability data collected by these scans would be a gem in the wrong hands, much like the database compromised earlier this year which contained a catalog of existing vulnerabilities in US hydroelectric dams.


So, your thoughts: is this the best way to do this?  Is it the only way?

 

tony d0t carothers @t gmail

Tony

150 Posts
ISC Handler
Personally I would say that a scan with or without direct consent is fine as long as there is some type of "notice of information" by way of the scanner telling the scannee of their intentions (they know it's happening and can identify it even if they agree or disagree). A "notice of information" could also give a contact to the scannee if they see something that may be a copy-cat (criminal activity under the guise of research) or behavior they strongly disagree with (legal action).

To say that "vulnerability data collected by these scans would be a gem in the wrong hands" as a reason that it shouldn't happen is ridiculous. The vulnerability exists no matter what; shining a light on vulnerabilities is what InfoSec (yes, I said InfoSec. That term everyone seems to have forgotten and replaced with the absolutely idiotic and blatant 'PEBKAC trying to understand what they choose to not': Cyber-Security) does. It's not the light that is a problem, it's the fact that the one with the vulnerability either waited for someone to find it for them (criminal or not) or naively thought that there was no vulnerability.
Krunch

9 Posts
Most scanners use reverse DNS, whois data and, when applicable, application-level headers and clues to inform the attack destination about the benign intentions. It has been done for a very long time in various ways and analysts are fully aware of it, as are semi-automatic analysis systems. Think about Web search engines, the most known example of this behaviour.
Of course it can be wrongly implemented on both sides, and this makes it possible to use it as a system to circumvent analysis.
tillo

7 Posts
Perhaps an opt-out would be nice. The scanner could have a hostname as follows:

optoutat.securityscans.edu

Go to the site, where a form could allow you to enter IP ranges/subnets. Personally, the scans don't bother me, but some scans do affect printers and other network devices.
@Miss_Sudo

12 Posts
I strongly agree with the position that it is the vulnerability, not the disclosure, that constitutes 100% of the problem. I also think that the announcement could actually be counter-productive. If I were looking to conduct a widespread scan for malicious purposes, I would certainly evaluate the possibilities for using this project as camouflage.
@Miss_Sudo
10 Posts
Regardless of the research intention, I consider all vulnerability scans or port scans without prior written consent malicious in nature, as they are attempts to discover and catalog personal data that is private to the operators of the hosts. Furthermore, 'research' would be a great disguise for any bad actor -- who can say with whom the researchers' individualized results will be shared?

While they as researchers will always claim their intentions are good, the fact of the matter is that a lot of security threats are created by research, because they cover part of the costs in discovery of vulnerabilities, and often the bad guys get greater utility out of results than security defenders.

Especially when we are talking about research into what code and ports are running; vulnerability research, (rather than research into patterns in security breaches): it is difficult to imagine the malicious applications won't be more prevalent and more lucrative than the legitimate ones.


This is the equivalent of a local security research company, hiring people to visit all the houses in a city, and take notes about how many vehicles are parked out, if anyone appears to be home, and then "trying all the doors" on everyone's house, to see if (1) they are locked, (2) what make and model all the locks are, and (3) gathering the details that can be used to determine which locks might be defective.

And doubtlessly then.... (4) Selling the data to alarm companies, to facilitate product marketing, or to inform white-hat burglars unions as to which kinds of locks, they should concentrate on developing defeats for.


While everyone's house is visible from the street, it is still a privacy violation, to start making database entries for the purpose of studying how the strength of their security could be compromised.


"However not all Security Analysts out there read the ISC or other sources of security information on a daily basis."

Granted, security analysts don't have to read ISC in particular.
But it's not reasonable for a security analyst to not be reading sources of security information on a daily basis, and claim to be doing their job -- since potential threats change so frequently.

Mysid

146 Posts
"I consider all vulnerability scans or port scans without prior written consent, malicious in nature, as they are attempts to discover and catalog personal data..."
So if I gave you the analogy that a scan is similar to a Girl Scout troop knocking on doors to sell cookies, and in so doing the troop was able to find homes that were empty and unlocked, you under this rationale would say "arrest the Girl Scouts!"? What you're saying, to stick with the analogy, is that it is not my fault (the person who left the door unlocked) but instead the person's (Girl Scouts) who brought to light that this was unlocked. That is absolutely momentously ridiculous. (Word to the wise: it's called personal responsibility. Don't leave your door unlocked.)

"While they as researchers will always claim their intentions are good. The fact of the matter, is a lot of security threats are created by research..."
So under this rationale there's no point to learning because someone might use that knowledge for bad; that's a just cause for not teaching.

"...and often the bad guys get greater utility out of results, than security defenders."
Because the majority of idiots are on the "defenders" side complaining about how they have so much work and the attacker has so little. Grow up and realize what industry you're in; if you got into InfoSec because of movie and TV portrayals thinking it would be bubble gum and rainbows, I would advise you to find a new occupation.

"While everyone's house is visible from the street, it is still a privacy violation..."
This is wrong again. A Global-Unicast address is not a house and you don't own it. /0 is IANA, not you; you are a renter, and to say a scan is a "privacy violation", no matter the intentions, is (this is as nice as I can make it) dumb.

Under Mysid's opinion the world would be flat (why bring to light that the Pope was wrong) and you would be reading a book, because Alan Turing would have had no need to build an A-Machine because it might be used to scan a box with a GLOBAL-unicast address.

Thinking about the ways someone can misuse something is not a reason to not do it. The ways to misuse don't go away because you put them in a box. If you need an example, look at nuclear states and see if the United States is the only one... hint: it's not.

NOTE. Support your local Girl Scouts
Krunch

9 Posts
Scan from:

Name: researchscan032.eecs.umich.edu
Address: 141.212.121.32

Details:

Jun/12/2013 01:51:05 Drop TCP src:141.212.121.32:55711 dst:myIP:443

Accessing http://researchscan032.eecs.umich.edu

gives:


Why am I receiving connection attempts from this machine?
This machine is part of an Internet-wide network survey being conducted by computer scientists at the University of Michigan. The survey involves making TCP connection attempts to large subsets of the public IP address space and analyzing the responses. We select addresses to contact in a random order, and each address receives only a very small number of connection attempts. We do not attempt to guess passwords or access data that is not publicly visible at the address. The goal of this research is to better understand the global use of Internet protocols, including HTTPS and SSH.



To have your host or network excluded from future scans, please contact scan-admin@umich.edu.
_____________________


Well, at least they have an "opt-out" mechanism.



Anonymous
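As an added example (not code from the diary or from any poster), the triage Anonymous walks through above, and the classification cost Tony describes in the diary, turned into a small classifier: parse the firewall drop line in the format quoted in the thread, resolve the source address, and compare the reverse name against the research scanners the site has already identified. The rDNS suffix list is this site's own, the resolver tables are constructed so it runs offline, and the forward-confirmation step is an assumption about how a defender should treat a PTR record that the camouflage concern raised by tillo and Miss_Sudo applies to.

```python
import re
import socket
from collections import namedtuple

# Firewall drop line in the format quoted in the thread: date time action proto src dst
LOG_RE = re.compile(r"^\S+ \S+ \w+ \w+ src:(?P<src_ip>[\d.]+):\d+ dst:[^:\s]+:(?P<dst_port>\d+)$")

# rDNS suffixes this site has already classified as announced research scanners;
# the umich.edu suffix is the one identified in the thread.
KNOWN_RESEARCH_SUFFIXES = (".eecs.umich.edu",)
Verdict = namedtuple("Verdict", "src_ip dst_port rdns label")

def live_rdns(ip):            # PTR name, or None if the address has none
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_forward(name):       # A records for a name, [] if it does not resolve
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify(line, rdns=live_rdns, forward=live_forward):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ip, port = m["src_ip"], int(m["dst_port"])
    name = rdns(ip)
    if name is None:
        return Verdict(ip, port, None, "review: no rDNS")
    # A PTR is only the netblock holder's claim; require it to resolve back to the same IP.
    if ip not in forward(name):
        return Verdict(ip, port, name, "review: rDNS not forward-confirmed")
    if name.lower().endswith(KNOWN_RESEARCH_SUFFIXES):
        return Verdict(ip, port, name, "announced research scan")
    return Verdict(ip, port, name, "review: unclassified source")

# Constructed resolver tables so the triage runs offline: the first PTR mirrors the
# thread, the 203.0.113.9 one is a made-up PTR that does not forward-confirm.
SAMPLE_PTR = {"141.212.121.32": "researchscan032.eecs.umich.edu",
              "203.0.113.9": "researchscan099.eecs.umich.edu"}
SAMPLE_A = {"researchscan032.eecs.umich.edu": ["141.212.121.32"],
            "researchscan099.eecs.umich.edu": ["198.51.100.7"]}
SAMPLE_LOG = ["Jun/12/2013 01:51:05 Drop TCP src:141.212.121.32:55711 dst:myIP:443",
              "Jun/12/2013 02:03:41 Drop TCP src:203.0.113.9:40112 dst:myIP:22",
              "Jun/12/2013 02:09:17 Drop TCP src:198.51.100.200:51002 dst:myIP:3389"]

def triage(lines=SAMPLE_LOG):
    return [classify(l, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, [])) for l in lines]
```

Only the first verdict is auto-classified; the other two are left for the analyst, which is the point of the forward check when a PTR can be set by whoever holds the netblock.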
@Krunch
"girl scout troop knocking on doors to sell cookies and in so doing the troop was able to find homes that were empty; you under this rationale would say "arrest the girl scouts!"?"

Yeah, if they're testing all my locks. Girl scouts can do this, as long as they live in the neighborhood, and they are not a stranger: there is kind of an implicit invitation, even though the activity might be illegal.

"under this rationale theres no point to learning because someone might use that knowledge for bad, thats a just cause of not teaching"

No, but they don't get an exception from the rules, for the purpose of learning.



@Krunch
"A Global-Unicast address is not a house and you dont own it."

Neither is an e-mail address domain name, but that doesn't give spammers a right to probe my domain for accepted users.

Neither is a phone number something you own, but that doesn't give telemarketers a right to wardial all my phone numbers.

Mysid

146 Posts
@Mysid

Telemarketers, spamming, and phishing are direct, with an intent to compromise (I'm grouping telemarketers as a compromise solely based on their financial interests). A scan is passive. To use the same analogy, there is a difference between twisting the **** of a door and smashing in a window; both correlate to an attempt to enter (with or without consent), but at the same time both have two different motives. The twisting of a door **** can be shown as malicious intent or curiosity (which can be used to commit criminal activity but in itself is not criminal activity) depending upon your own bias, but I believe everyone would agree that smashing in a window is definitive malicious intent or at least suspicion.

Who determines the rules? No one. There is only common curiosity in the ability to be cognitive of a research project, by way of being informed by the scanner, and if you prefer to not partake then opt out. But to charge all scans as "malicious in nature" because vulnerabilities may be discovered is too far from reality. I said it once, I will say it again:

To say that "vulnerability data collected by these scans would be a gem in the wrong hands" as a reason that it shouldn't happen is ridiculous. The vulnerability exists no matter what; shining a light on vulnerabilities is what InfoSec does. It's not the light that is a problem, it's the fact that the one with the vulnerability either waited for someone to find it for them (criminal or not) or naively thought that there was no vulnerability.
Krunch

9 Posts
how is ' k n o b ' censored?
Krunch

9 Posts
common courtesy not curiosity
Krunch

9 Posts
> how is ' k n o b ' censored?

Back in the early 1960's, there was a pop song with the line "baby, baby, can't you hear my heart beat". At that time, in the locker room at the summer hockey school (summer hockey? yes, a truly Canadian tradition), one 13-year-old wit changed that line to "baby, baby, can't you FEEL my KN()B THR()B". Many chortles resulted. :-)
Anonymous
