[ISN] Let the Web Server Beware

From: mea culpa (jerichoat_private)
Date: Fri Dec 25 1998 - 09:26:08 PST

  • Next message: mea culpa: "[ISN] U.S. Allows Export Of Crypto Product"

    Forwarded From: 7Pillars Partners <partnersat_private>
    Let the Web Server Beware
    by Christopher Jones 
    2:00 p.m. 23.Dec.98.PST
    In a decision that sets a precedent in the realm of hacking, the Norwegian
    supreme court ruled Tuesday that probing computer networks linked to the
    Internet is not illegal.
    The University of Oslo charged a private security-software company, Norman
    Data Defense Systems, with attempted break-ins and disruptions on machines
    linked to its computer network. Norman Data conducted the network probes
    in 1995 on behalf of a Norwegian public news network, which was filming a
    program about the Internet and wanted to demonstrate the inner workings of
    open systems and the pitfalls therein.
    "The essence of [the ruling] is that if you want to join the Internet, you
    have to assure that you're protected," said Gunnel Wullstein, president
    and CEO of Norman Data Security. "If you don't want to be visited, close
    your ports."
    The case also illustrates the fine line between hackers and crackers. The
    former describes those who merely want to explore computer systems, while
    the latter refers to intruders with malicious intent. They exploit
    networks using specialized tools and tricks of the trade, including
    unauthorized access operations. 
    During the experiment, the company's engineers used finger commands to
    find out which users were logged on to the university's machines and
    information related to their session. They used telnet - a remote login
    command - to verify email addresses on the university's mail port. They
    also ran scans to see if any ports were open.
    The University of Oslo could not be contacted in time for this story.
    One of the engineers involved in the experiment, who asked not to be
    identified, stressed that all of these operations are based on open
    protocols and were not designed to break into systems. Rather, the test
    was done to show what information is freely available from machines hooked
    to the Internet.  During the experiment, he said, no user IDs or other
    such information was retrieved.
    We wanted to help [the news service] tell the world that when you surf you
    leave your IP address all over the place, especially if you use the same
    machine,"  said the engineer. "This information can be used to find out
    quite a bit about you."
    Hackers and crackers will often use commercial port-scanning tools, or war
    dialers, as a way to identify easy entries into computer networks. Norman
    Data said it only limited port scans and found no open ports during the
    "I would say that it's not hacking [to show] if you go on the Internet,
    you expose yourself," said Wullstein. "It is up to you to decide which
    part you want to be exposed and which you do not." 
    When an Oslo court first ruled in the case, it found the company guilty of
    an attempted break-in on a computer network and misuse of other people's
    machine resources, causing inconvenience. Both charges carried a steep
    fine, and the company was also ordered to pay for repairs to the
    university's network. After Norman appealed the decision, a district court
    overturned the more serious break-in charge, but upheld the misuse charge.
    In Tuesday's supreme court decision, however, the engineer and the company
    were cleared on both charges.
    "This is very principal, the first time the [supreme] court has taken a
    standpoint in a case like this," said Frode Pedersen, news editor at
    Aftenposten, a daily newspaper in Oslo. "The high court said that if you
    have a service on the Internet not directly protected, you have to stand
    for people searching for security holes." 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:14:35 PDT