To scan or not to scan?

WHERE CAN STUDENTS PRACTICE SECURITY? 

To continue talking about various certifications in the security world…

For example, let’s assume that someone – a student – gets Certified Ethical Hacker certification. To recap, CEH  requires  knowing:

·         ethics and legal issues

·         footprinting

·         scanning

·         enumeration

·         system hacking

·         Trojan programs and backdoors

·         sniffers

·         denial of service

·         social engineering

·         session hijacking

·         hacking web servers

·         web application vulnerabilities

·         web-based password cracking techniques

·         SQL injection

·         hacking wireless networks

·         viruses and worms

·         hacking novell

·         hacking Linux

·         intrusion detection systems, firewalls, honeypots

·         buffer overflows

·         cryptography

Students LOVE the idea of hacking AND they are eager to practice …. but they forget that it has many consequences. School computers cannot be used for hacking purposes. Being caught can expel you from school…. Also, there are state and federal laws. Federal laws exist for hacking into government and financial institutions. Hacking into government sites can carry serious monetary and jail penalties.

Many state laws are designed to address hacking into private individuals’ computers.

There are very fine lines as to what is allowed and what is not allowed, and sometimes it all looks very innocent but is not allowed, or the hacking activity does seem intrusive but the rules for being caught and persecuted are not clear.

For example, let us start from simple hacking tools, such as ping. Ping is always allowed and nobody can say anything about anyone pinging. However, if you start excessively (or even not excessively) pinging a “sensitive” computer, you might get reprimanded. How? The site admin will see your IP address, will do a reverse DNS lookup, and talk to your ISP. 

Then there are other activities such as port scanning. Is port scanning legal? It is a lot more “close and personal” than ping, because it provides a lot more information. You will know which OS the computer is running, what kind of services are running, what kind of software. This knowledge is clearly suitable for attack purposes. There are tools that can port scan for you very quickly, in great quantity. nmap is a classic tool, and is free and easily available. So, should you use nmap to practice port scanning on … your school, your ISP, or any random IP? 

Port scanning seems like a rather innocent thing to do, it is like rattling a door knob to see if anyone is home. There is no theft conducted. Therefore, police should not be able to persecute you. However, at their discretion, police can choose to take action. 

In short, your legal safety when port scanning depends on the location where you are hacking. Some states have laws that consider port scanning an illegal activity. Also, the organization where you are using the computer and your ISP can have rules. The wording can be tricky, for example, doing one port scan is ok but “repeatedly testing for vulnerabilities” is not. This hacker got a rude awakening when FBI charged him for felony for hacking and cyberstalking: https://www.wired.com/2015/02/hacker-claims-feds-hit-44-felonies-refused-fbi-spy/  because he repeatedly scanned a website for vulnerabilities. 

Specifically, University of Hawaii does NOT allow port scanning. https://manoa.hawaii.edu/housing/guide/resnetpolicy Port scanning is treated as a “malicious activity” together with spamming and DOS attacks, and results in expulsion.

In summary: if you are going to practice hacking, find a class with a designated lab, or even some friendly friends that you can play pranks on, and stay away from hacking into “official” resources.

.