Feeds

Port scans are legal

No threat to civilisation, US judge finds

  • alert
  • submit to reddit

Intelligent flash storage arrays

A tiff between two IT contractors that spiralled into federal court ended last month with a US district court ruling in Georgia that port scans of a network do not damage it, in reference to a section of the anti-hacking laws that allows victims of cyber attack to sue an attacker.

Last week both sides agreed not to appeal the decision by judge Thomas Thrash, who found that the value of time spent investigating a port scan can not be considered damage. "The statute clearly states that the damage must be an impairment to the integrity and availability of the network," wrote the judge, who found that a port scan impaired neither.

"It says you can't create your own damages by investigating something that would not otherwise be a crime," says hacker defence attorney Jennifer Granick. "It's a good decision for computer security researchers."

A port scan is a remote probe of the services a computer is running. While it can be a precursor to an intrusion attempt, it does not in itself allow access to a remote system. Port-scanning programs are found in the virtual tool chests of both Internet outlaws and cyber security professionals.

Scott Moulton, president of Network Installation Computer Services (NICS), is still facing criminal charges of attempted computer trespass under Georgia's computer crime laws for port scanning a system owned by a competing contractor.

Protecting 911?
According to court records, the case began last December, while Moulton was under a continuing services contract with Cherokee County, Georgia to maintain the county's emergency 911 system.

Moulton was retained to install a connection between the 911 centre and a local police department, and he became concerned that the system might be vulnerable to attack through the new link, or though other interconnections.

Apparently prompted by that concern, Moulton scanned the network on which the 911 system resided, and in the process touched a Cherokee County Web server which was owned and maintained by VC3, a South Carolina-based IT firm. "My client started investigating who was connected to the 911 centre, where he worked," says Erin Stone, Moulton's civil attorney. "He wound up finding VC3's firewall."

When a VC3 network administrator asked Moulton in an email to explain the scan, "Moulton terminated the port scan immediately and responded that he worked for Cherokee County 911 Centre and was testing security," according to the federal court's finding of fact.

VC3 reported the "suspicious activity" to the police, and Moulton soon lost his contract with Cherokee County. Several weeks later, the Georgia Bureau of Investigation arrested him.

Suit, Counter-suit

While still facing state criminal charges, Moulton counter-attacked in February by suing VC3 in federal court, accusing the company of making false and defamatory criminal allegations against him. In deciding the case last month, Judge Thrash rejected Moulton's claim, finding that VC3's statements to the police were privileged. "We're the victim in a criminal case that got sued for cooperating with police," says VC3 attorney Michael Hogue.

The company filed a counter-claim under an increasingly popular provision of the federal computer fraud and abuse act that allows victims to sue a cyber-attacker if they've suffered damages of at least $5000.

While VC3 acknowledged that Moulton's port scan did no direct harm, the company argued that the time spent investigating the event was a form of damage. "If somebody does some type of attack, and you are a good service provider, you spend all your time verifying that it did not cause a significant problem," says Hogue. "The time that it takes to do all that searching is the damage that we were claiming."

The judge rejected that claim, as well as an argument that the port scan, and a throughput test Moulton allegedly aimed at the VC3 system, threatened public health and safety. "[T]he tests run by Plaintiff Moulton did not grant him access to Defendant's network," wrote the judge. "The public data stored on Defendant's network was never in jeopardy."

The ruling does not affect criminal applications of the federal anti-hacking law, but federal officials are generally in agreement that port scanning is not a crime.

The decision may help define the statute's civil boundaries at a time when more companies are eyeing lawsuits against computer intruders as an alternative to relying on government prosecution.

"This is probably the first of many decisions that will come out pertaining to the civil component of the computer fraud and abuse act," says former computer crime prosecutor David Schindler, now an attorney with the law firm of Latham & Watkins. "If a client came to me and said that someone had pinged on their network and nothing else, I probably would not advise them to take civil action."

© 2000 SecurityFocus.com. All rights reserved.

Internet Security Threat Report 2014

More from The Register

next story
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Lords take revenge on REVENGE PORN publishers
Jilted Johns and Jennies with busy fingers face two years inside
Yes, yes, Steve Jobs. Look what I'VE done for you lately – Tim Cook
New iPhone biz baron points to Apple's (his) greatest successes
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
YARR! Pirates walk the plank: DMCA magnets sink in Google results
Spaffing copyrighted stuff over the web? No search ranking for you
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.