Network Administrator Etiquette? Opinion?


quell

IS-IT--Management
Nov 8, 2002
363
US
Guess this is the best place to post this. I'm just wanting to get some opinions here. It is obvious that if a network administrator wanted to find a vulnerable PC, they could simply look through the IIS logs. I guess my question would be: what should an admin do if they discover that an IP (that is not theirs) is vulnerable to an attack or is being used for a bounce?

The reason I ask is because, after going through my logs, I find certain IPs that ask for strings such as:

x.x.x.x - - [20/Apr/2003:05:25:57 -0600] "GET /robots.txt HTTP/1.1" 401 4617 (IRC hack)
x.x.x.x - - [20/Apr/2003:14:39:10 -0600] "GET /<Rejected-By-UrlScan>?~/default.ida HTTP/1.0" 401 4598 (nimda virus)
x.x.x.x - - [20/Apr/2003:02:11:48 -0600] "GET /<Rejected-By-UrlScan>?~/scripts/..%255c%255c../winnt/system32/cmd.exe HTTP/1.0" 401 4804

After looking up on arin.net to see who the IP belongs to, I did a port scan and found multiple ports open (21, 25, 53, 139, just to name a few). I also tried the net use command, telnet, FTP, XP Remote Desktop Connection and others, for the heck of it. Am I wrong for doing this despite the results? Should I let the owner of this IP know that they are vulnerable to certain attacks? After all, we are all in this together; we should help each other out as much as possible. If it was me I would greatly appreciate someone letting me know that my servers were vulnerable, but that's just me. Let me know what you think about this.
Thanks
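The three log lines quoted above are the fingerprint of automated worm traffic rather than a person at a keyboard, and the question of what to do about them starts with reading your own logs carefully. As an added example (not from the original post or any Tek-Tips member), here is a small Python script that parses NCSA-style access-log lines like the ones quoted, strips the UrlScan rewrite prefix to recover what the client actually sent, URL-decodes the path repeatedly (so `%255c` unfolds to `%5c` and then to `\`, the double-decode trick these probes relied on), tags each request with a signature name and tallies hits per source address so you can see when a single source has crossed a reporting threshold. The sample log lines, the RFC 5737 documentation addresses in them and the signature labels are constructed for this example; `/default.ida` is the Code Red .ida request and the `cmd.exe` traversal is the Nimda / IIS Unicode-decode probe.

```python
"""Tally automated IIS probes (Code Red, Nimda-style traversal, double-encoded
paths) per source IP from NCSA-style access-log lines.

Added example, not part of the original forum post. SAMPLE_LOG is constructed
and uses RFC 5737 documentation addresses; signature names are this example's
own labels.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# One NCSA-style access-log line. UrlScan rewrites a rejected request to
# "/<Rejected-By-UrlScan>?~<original-url>" before IIS logs it, as in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
URLSCAN_PREFIX = "/<Rejected-By-UrlScan>?~"

# Each test gets (raw_url, decoded_url). Encoding tricks are looked for in the
# raw form; the payload itself is looked for after decoding.
SIGNATURES = [
    ("code-red-ida", lambda raw, dec: "/default.ida" in dec.lower()),
    ("iis-cmd-exe", lambda raw, dec: re.search(r'(cmd|root)\.exe', dec, re.I) is not None),
    ("dir-traversal", lambda raw, dec: re.search(r'\.\.[\\/]', dec) is not None),
    ("double-url-encoding", lambda raw, dec: re.search(r'%25[0-9a-f]{2}', raw, re.I) is not None),
    ("overlong-utf8", lambda raw, dec: re.search(r'%c0%af|%c1%9c|%c1%1c', raw, re.I) is not None),
]


def decode_url(url, max_rounds=3):
    """URL-decode until the string stops changing (bounded, so a pathological
    input cannot loop). %255c -> %5c -> '\\' is the sequence the IIS double-decode
    bug exposed: the path was checked once-decoded, then decoded again."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def parse_line(line):
    """Return the parsed fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = rec["url"]
    if url.startswith(URLSCAN_PREFIX):
        url = url[len(URLSCAN_PREFIX):]  # recover what the client actually requested
    rec["raw_url"] = url
    rec["decoded_url"] = decode_url(url)
    rec["status"] = int(rec["status"])
    return rec


def classify(line):
    """Return (ip, [signature names]); an empty list means nothing suspicious."""
    rec = parse_line(line)
    if rec is None:
        return None, []
    hits = [name for name, test in SIGNATURES if test(rec["raw_url"], rec["decoded_url"])]
    return rec["ip"], hits


def summarize(lines):
    """Per-source tally of suspicious requests: {ip: {"hits": n, "signatures": set}}."""
    report = defaultdict(lambda: {"hits": 0, "signatures": set()})
    for line in lines:
        ip, hits = classify(line)
        if ip and hits:
            report[ip]["hits"] += 1
            report[ip]["signatures"].update(hits)
    return dict(report)


def sources_to_report(report, min_hits=10):
    """Source addresses whose probe count has reached the reporting threshold."""
    return sorted(ip for ip, info in report.items() if info["hits"] >= min_hits)


# Constructed sample; addresses are from the RFC 5737 documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Apr/2003:05:25:57 -0600] "GET /robots.txt HTTP/1.1" 401 4617',
    '192.0.2.20 - - [20/Apr/2003:14:39:10 -0600] "GET /<Rejected-By-UrlScan>?~/default.ida HTTP/1.0" 401 4598',
    '192.0.2.20 - - [20/Apr/2003:02:11:48 -0600] "GET /<Rejected-By-UrlScan>?~/scripts/..%255c%255c../winnt/system32/cmd.exe HTTP/1.0" 401 4804',
    '192.0.2.30 - - [20/Apr/2003:02:12:01 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324',
    '192.0.2.40 - - [20/Apr/2003:09:00:00 -0600] "GET /index.html HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    tally = summarize(SAMPLE_LOG)
    for ip, info in sorted(tally.items()):
        print(ip, info["hits"], sorted(info["signatures"]))
    print("report:", sources_to_report(tally, min_hits=2))
```

Run against a real log by reading lines from the file instead of `SAMPLE_LOG`. Note that the robots.txt fetch tagged "IRC hack" in the post carries no signature at all here: on its own it is an ordinary request, and it is the per-source pattern over time, not one line, that tells you anything. Everything this script does is review of your own server's log; scanning or connecting back to the source address is the separate step that most of the replies below warn against.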

 
Sleipnir: I do see your perspective - I guess you're basically saying any unauthorised intrusion is unethical.

My own personal attitude is "look but don't touch" - in other words, if I can access it, fine... if I'd have to break something to access it, I wouldn't bother.

As for password crackers, that's just a little too brute force for my taste :)

All that said, I'm not really here to debate the ethics of hacking - I spent many a midnight hour arguing the cause in my younger years (when I should have been doing that vital IT coursework - oops).

As for the "$5000" worth of damage, I quote:
"He's accused of accessing the system March 8 in an alleged intrusion that cost the county a reported $5,000 to clean up." and "the alleged intrusion eventually resulted in the county closing its wireless LAN only a month after it was activated"

I wonder if it was $5000 spent on fixing the security flaw that Puffer exposed!
The truth is out there...

<marc> i wonder what will happen if i press this... please give feedback on what works / what doesn't; need some help? how to get a better answer: faq581-3339
 
Good job all you look but don't touch aren't in the UK.....

Under the Computer Misuse Act, any unauthorised access can be prosecuted with fines of up to £5000 and 6 months imprisonment. And that's just looking. Access with intent to commit further offences is up to 2 years and deliberate damage is up to 5 years. Looks like manarth would be in all sorts of trouble!! ;)

Craig
 
just to clarify - i see nothing ethically wrong - alas, it is illegal, so I do restrict my "attacks" to my own systems. well, my flatmate's system as well, to be honest, but I'm sure he doesn't mind :) just kidding al.

The whole point (as far as I'm concerned) is the learning experience; the process of getting in, and the process of prevent access.

I found The Guardian's recent article interesting:


 
Thank you Craig201, that answers part of my question.
The other part that I asked is could a civil suit follow, would be interested to know?
The reason for my curiosity is, for example: if a tech working for a company committed the offence, who is liable to prosecution, the tech or the company that employs him/her?
Does quell or his company have any right of redress because they could suffer potential damage due to the other company not having their system secure?
A bit off topic I know, but I would be interested in your opinions, guys.


Ted


 
Just an FYI Link:


<disclaimer>
I am not a lawyer, nor do I play one on TV.
</disclaimer>




"When once you have tasted flight, you will forever walk the Earth with your eyes turned skyward, for here you have been, and there you will always long to return."

--Leonardo da Vinci
 
manarth:
If you entered your house and found someone sitting at your kitchen table, and that person said, "The door was unlocked. I didn't break anything. I was just looking.", would you accept that as reasonable?


And I completely agree with the goals of the hacking class -- by learning how it's done, you can better assess and fix your own security problems. But the class members have permission to hack the systems in the class, so there is no ethical problem there. It's if you take the info from the class out into the world and start hacking random sites that you cross the line.


Unfortunately, the Republic article xutopia posted about breaking into the courthouse network got its information from what appears to be a badly-written Houston Chronicle article that is no longer available on their website. There are two questions the reporter did not ask: &quot;What did the $5000 cleanup entail?&quot; (your question), and &quot;Who was the county officer and what authority does he have over the network?&quot;.


greyted:
Your question, though not an ethics question, is a good one.

In the U.S., there are the two concepts of liability and negligence. And the canonical illustration is the broken front steps problem.

If the front steps of my house are broken, and you hurt yourself on them, I am liable -- in a civil court case, I would likely be held responsible for compensatory damages. But if you knew about the broken steps and told me and I did nothing about it, and you then get hurt on them, I am negligent -- the court would likely hold me responsible for compensatory damages and add punitive damages on top of that. If at one time or another nearly everyone in the neighborhood has gotten hurt on my steps and I've done nothing about them, that's where class-action lawsuits are born.

I would argue that if my system is infected with a worm that then infects your system, I can be held liable for the infection of your machine. The extent of that liability depends on a lot of factors: the steps I have taken to maintain my system, my own skill and resources to keep my system patched, etc.

If the worm from my machine that infects yours is a new one that no published patches could have prevented, my liability is likely very small. If patches existed for my system but I did not know that my machine needed them, then my liability is larger, but we're only talking compensatory damages in a lawsuit. If I know my machine requires published patches and I do nothing, then I am negligent if my machine infects yours -- then I am open to punitive damages.

flapeyre:
From what I can make of the legalese on that site, the law described is dealing specifically with digital espionage. It seems to me that you would have to knowingly access classified information and then willfully hand it off to another to run afoul of this one.

Want the best answers? Ask the best questions: TANSTAAFL!
 
sleipnir214:

That's how I read it as well. The key phrase is "without authorization". If someone does any "ethical" hacking to expose security flaws, without the knowledge and consent of the owner, and retrieves the data in any way, the "catch-all" section 18 USC 1030 (c) (2) appears to pretty much make that action illegal on any private computer engaged in interstate commerce (which is most of them):

Sec. 1030. - Fraud and related activity in connection with computers

Whoever. . .

(c)intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains. . .

(2)information from any protected computer if the conduct involved an interstate or foreign communication

. . .shall be punished as provided in subsection (c) of this section.



 
Why are we asking one another what is ethical and what is not? Let's pose this to the IT management that sees IT staff as a cost and not a benefit. Let's pose it to the managers that go to an outsourcer and, without notice or provocation, let go of their IT staff. What is ethical and what is not... Is it ethical for a person that needs to support a family to be let go for the reasons above?

Business ethics are a touchy subject and one that should encompass a lot more than hacking and cracking.
 
Some interesting questions spikestik. I suggest that you start a new thread to investigate some of those issues.

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
spikestik

... remembering that this is the Information Technology Ethics Forum and not the business ethics forum


________________________________________________________________
If you want to get the best response to a question, please check out FAQ222-2244 first

'People who live in windowed environments shouldn't cast pointers.'
 
quell:

What it seems to amount to is that this other party leaves his computer or computers wide open to exploitation ("attractive nuisance"). The result of this negligence is that some person or persons are using his computer(s) to attempt entry into yours.

When you find a pattern of log entries like those you described, the way network security laws have been running suggests that you not probe or scan the offending IP address. It might soon be illegal to reverse-DNS-lookup the IP address(es) or request full DNS info on a domain name.

You're really left with the choice of quietly making sure your networks are secure and putting up with it, or turning this neighbor in as an offender.

The only good analogies I can think of include...

Impersonation: the neighbor leaving his car, his clothes, his ID, a firearm registered to HIM, etc. lying around unguarded so that bad guys can come and rattle YOUR doorknobs or drive across your flower beds or worse. If you try to turn in the culprit, you or law enforcement might blame the dumb neighbor.

Dogs running loose: a neighbor who fails to obey leash laws and contain his animals might offer the opportunity to spread a disease through the neighborhood via this vector (the neighbor's dogs). The loose dogs could be intentionally exposed, and because they are allowed to roam freely could spread the problem around.

Take your pick.

In any case it looks like this "neighbor" has a huge legal exposure here. Don't mess around, turn him in. I think this is just plain SAD but this is where we are as a culture legally. Try to do the "right" thing and you're the offender. Turn in your neighbor and you're a Hero of the People I guess.

Think of all the AOL grannies who'd go to jail for connecting unsafe computers to the Internet if we turned these people in. I get at least 60 hits a day from CodeRed variants and other stuff. My firewall logs are a joke.

It isn't all MS software either, when Slammer hit I backtracked a few IPs myself with a script, simply HTTPing to them to bring back server info. One in 20 was Apache on Linux, trying to hit TCP port 1434!


So in conclusion...

My advice: keep watching those logs. Keep your network and your computers as secure as you can. If it reaches denial of service levels only THEN start reporting it. Anything else is a waste of your time or liable to put you on the wrong side of some law. If you choose to report it, report it to your service provider. Good luck.
 
I've been out of the office for a week but thought that even though it looks like this has been pretty well hashed out I'd add my $.02.

Xutopia's comment "I feel the analogy is more like walking in to a house that left their door opened to tell them that someone can break in." is very good. If you noticed your neighbor's door open, knocking on the door and calling out to the neighbor (hopefully inside) is the proper thing to do, and depending on where you live, even entering said neighbor's home to check on their welfare would be appreciated by that neighbor. But most areas these days are quite different. While knocking to notify the neighbor is the appropriate (and very legal) thing to do, entering could get you shot since that act is illegal (trespassing).

IMO, an approach like that of the "neighborhood watch" programs established by local police departments would be the best practice. I see nothing illegal about port scanning (because you're not entering, and you're certainly not modifying, creating or taking any data) to see how open the machine in question is; however, leaving a "note" on that machine is illegal -- at least in California (see Penal Code section 502). The best practice, as suggested by others, would be to contact the owner by e-mail, snail mail or phone to let them know their "door is open." At least you can rest knowing that, as a good neighbor, you tried to warn them of the problem. If they choose to ignore the warning, then they must deal with the consequences of their stupidity.


 
Although it's 00:16 at the moment and I am nearly falling asleep (not through the posts, I should add! :)) I couldn't help noticing that Quell said that there were many ports open, but they were all password protected.

1. I have clients that use Small Business Server. This means you have Win2k Server, SQL, ISA, Exchange, Faxing, IIS and RRAS on one box. To be honest just because ports are open its no invite to hacking or slacking on the admins behalf. If (a BIG if) its a SBS then the majority of those ports would need to be open for remote access. (80 for IIS, Telnet/TS/RRAS for remote admin, smtp/pop3 for exchange email.)
2. Just as the ports are open its not an open invite saying &quot;HACK ME&quot;.

Be very careful!

Steve.
 
Steve - if the ports are open, it's ambiguous. I would have no hesitation in connecting.
If it then asks for a password, it's obviously a private system.
I will then leave well alone.

Of course, if by accident, you've left an un-password-protected server running, how am I supposed to know?
If the port is open, and there is no password, and there is no index file saying "Access prohibited", I'm afraid I will probably continue accessing until I do find something marked "private and confidential" - which is probably a fairly good giveaway that access to that level is unauthorised.

On the other hand, such a statement - whilst ethically sound for an ethical guy like me .) - is often a red rag to a hacker's bullish nature.

 
And you know the ports are open before connecting how?
 
Hi all - anyone remember this thread?!

"On March 18, Puffer demonstrated to a county official and a Chronicle reporter how easy it was to gain access to the court's system using only a laptop computer and a wireless LAN card.
{...}
"Puffer, who was employed briefly by the county's technology department in 1999, could get five years in jail and faces a $250,000 fine[...]"


I have a followup:

"For his efforts, Puffer was investigated by FBI agents, who kicked in his door at 6AM, seized his computers and all electronic media and effectively put him out of business. Then he was indicted by a federal grand jury for violating the federal Computer Fraud and Abuse Act -- with the "damages," bizarrely, assessed as the money the county spent to close the hole. Efforts to convince the United States Attorney's Office in Texas to dismiss the charges were unsuccessful, and Puffer eventually had to stand trial -- at a cost of tens of thousands of his own and taxpayer dollars. The jury acquitted him in 15 minutes."


 
lol, an interesting read. Even just writing about computer security can get you in trouble. That reminded me of GURPS Cyberpunk from way back... so I have had a look and came up with this interesting (IMO) story;


All the best.
 
good read ;)

I especially like the logs that the agents based their bust on!

 
I'm late getting into this discussion, but after reading this entire thread, I have a quick question: why, when we talk about the ethics of handling an automated attack via a third-party host, do we bring up the old &quot;front door open in someone's house&quot; analogy? The analogy is only valid if there is someone upstairs with a rifle taking potshots at cars. We're trying to protect other systems (and, more to the point, our own) from the continuing automated attacks - notifying the administrator of the compromised system is a means to the end, not the end in itself.

I think Dilettante has the right idea. Certainly, attempt (non-intrusively) to notify the offending system administrator of their negligence first. If there's no response, notify law enforcement and let them take care of it (this assumes that their system is not currently DOSing yours). If law enforcement doesn't care... Ummm, start another Tek-tips thread to discuss it. :)
-Steve
 