Results 1 to 9 of 9

Thread: Legality of Remote Vulnerability Scans?

  1. #1
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002

    Legality of Remote Vulnerability Scans?

    Over the weekend, my IDS equipment picked up approximately 8,000 vulnerability attacks generated by a network consulting company. No actual compromise occurred. Upon further investigation, I discovered that the attacks were conducted at the request of one of my clients. I do not mind the vulnerabitity assessments, however per the client contract any vulnerability scan must be approved by myself prior to the the scan being conducted. This notification is needed so that security personnel do not enact standard procedures of blocking the originating address block and sending logs to the applicable ISP to have the IP address in question blocked from the Internet.

    Now, I realize port scans are legal in the US. But, I am looking for is some legal precedent at the Federal level, that addresses remotely initiated vulnerability/penetration scans without giving the scannee prior notification. So, does anyone have any links to pertinent Federal laws or case law? Ideally I would like generate an article in our newsletter, referencing Federal law, and hopefully preventing the frequency of these type of incidents.
    The mentally handicaped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  2. #2
    Join Date
    Jun 2003
    To be honest I am not sure that you will find much on this, the Federal Gvt. is trying to stay as nuetral on this as possible, pretty much to say that they don't want to say that this is legal and this isn't. Which is one of the reasons that the Supreme Court had to make the decision on Port Scanning which is sweet. Cause I can now scan the FBI, and laugh when they call my ISP. mwuahhaha

    If you do find anything though let me know, I would be interested in seeing it.

    (As a side note check state law for whichever state your in, states tend to deal with security issues more. Atleast in my reading they have.

  3. #3
    Senior Member
    Join Date
    Apr 2004
    I think that even on USA you can go against them if scan causes damage on your network, such as Server Instability or WAN overload...
    But for lazzy scans.... i dont think you can do anything
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    You will not find Federal case law unless a tangable loss is associated with the act. It then becomes a crime of a different nature...

    You will have to address the issue with your current security policy. Put teeth in there that gives your organization the power to terminate contracts if a contractor violates the policy. Be sure that you have your legal dept review the policy and be sure that it provides the appropriate verbage and bindings to make it enforceable.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Good Ideas fellas.

    I can't restrict to one state because I have clients throughout the U.S. And no damage was done to the systems, just a major annoyance. If any information was stolen I believe that can be construed as theft and since the data would cross state lines then the issue falls into the realm of interstate traffic/theft. (bank stuff) I want to put some fear into their brains before it becomes a serious issue.

    Oh well, if I find anything I'll let you guys know.
    The mentally handicaped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  6. #6
    Senior Member
    Join Date
    Oct 2001
    If you have a contract with the person who initiated the scan that states that they have to let you know first then they have breached that contract. Your contract should state what will happen if they violate any of the terms agreed to in the contract. Best advice is to contact a lawyer, or fire the customer.

  7. #7
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Here is a Security Focus article on a 2000 ruling:


    You may still be able to get them on the breach of contract.

  8. #8
    Junior Member
    Join Date
    Jan 2003
    I don't think there's much you can do against the person scanning unless like other people said their was data loss or some sort of destruction.

    And I agree with the other guy, put some teeth in the contract.

  9. #9
    Senior Member
    Join Date
    Jan 2002
    One of your terms & conditions should be that a client of yours notifies you if their equipment is likely to be involved in any penetration testing (either way), preferably in writing and with a certain amount of notice, so that you can take this into account in your IDS log monitoring (possibly including disabling IDS for certain addresses over the time period)

    They should also make sure that any pen testing going is is happening with the knowledge and consent of all systems admins, and that they all have contact no.s for the others (i.e. sysadmins, network admins and pen testers) so that should any unintentional DoS occur, it can be rectified as quickly as possible.

    Pen testers might run exploits but it is never their intention to cause DoS, accidental or deliberate.

    I realise this is not a legal thing and you can't from a business perspective enforce it rigidly, but it should be at least a strong recommendation to your clients. It makes sense, after all.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts