[Dshield] Port 135

Micheal Patterson micheal at cancercare.net
Sat Oct 19 15:28:49 GMT 2002


----- Original Message -----
From: "J. Foobar" <jfoobar1 at yahoo.com>
To: <list at dshield.org>
Sent: Friday, October 18, 2002 5:16 PM
Subject: RE: [Dshield] Port 135


> Playing the devil's advocate (attorney for the
> defendent) here...
>
> --- John Hardin <johnh at aproposretail.com> wrote:
> > Putting up a web server or mail server and knowingly
> > allowing the
> > traffic through your firewall is implicit
> > authorization for the public
> > to access that server.
>
> So my client is required to have specific knowledge of
> your *intent* in allowing a port through your
> firewall?
> Do I need to establish your intent in leaving port 80
> open before I connect to your web server?
>
> The lack of presence of software on your end, e.g., a
> web server or a mail server, does not illegitimize a
> port that you leave open.
>
> > Having an unusual service running by default, that
> > you may not even be
> > aware of, and by accident or oversight - but *not*
> > knowingly - allowing
> > traffic through your firewall to that service, is
> > not something I would
> > call authorization for public access.
>
> "Unusual service?"
>
> *cue "expert" witness to speak on this subject*
>
> > Ignorance perhaps, clumsiness perhaps, but not
> > authorization. Thus the
> > access is unauthorized.
>
> You have no explicit intent to do harm, no definable
> monetary loss, and a prosecution that relies on
> showing that the "attacker" must have known that port
> 135 was off limits because anyone that would leave
> such an "unusual service" open to the Internet would
> have to be "ignorant" or "clumsy."
>
> Your honor, we find for the defendent.


A decent prosecuting attorney would more than likely point out that a web
server is exactly that.

Devils Advocate:

---------------------


Ladies and Gentlemen, a Web Server is a program that listens for connections
on an established port with the intent on serving web pages to any
connecting remote client. A client is determined to be authorized to use it
based on the access limitations held within it's configuration file(s).
This is a server that requires specific configuration to determine who does
and does not have access to the file(s) it serves.

Now, the RPC service in Windows NT/2K/XP/.NET is similar in regards that it
listens for remote connections, however, it is NOT common knowledge that it
activates a listening port that has no access controls on it whatsoever
after OS install. This has been admitted to by the OS vendor.  This would be
negligent of the OS vendor for not informing it's clients that there is a
potential security hole here. However, this is not why we're here as that
would be something for another court to decide.

The defendant, knowing that this port was available and knowing what it's
functionality is for, and knowingly accessed this port shows a willingness
to access a remote network without proper authorization. If your client has
the knowledge to do this, then I'm sure that he has the knowledge to speak
to those in control over the remote network to seek permission to use this
service.  The right thing to do here, would to have at least made the effort
to contact the remote network to seek permission. However, the defendant did
nothing of the sort. The defendant, INSTEAD, took it upon him /herself to
assume authorization was given without even bothering to consult with the
administrative body of the remote network. That is nothing short of
negligence and surreptitious behavior.  As it is evident that the defendant
is aware of this port and it's use, aware that it is active and listening,
then it is quite obvious that he /she has background knowledge in how a
network works. It is also quite apparent that he / she is irresponsible in
the fact that he / she failed to obtain permission to access it. The
defendant willingly used this port to spread unsolicited messages to well
over XX number of connected workstations resulting in mass confusion in the
work place. Causing a great panic in the administrative body and resulted in
the loss of XX number of operation critical documents. Ladies and gentleman,
just think, what would have happened if this had been the IRS during tax
time? What if this had been a security system of the US government? What
would have happened, if this had taken place on a 911 computer network in a
large metropolitan city?

Ladies and Gentlemen, what I have described to you is nothing short of a
common computer Hacker. These individuals do nothing but to seek out
insecure networks and exploit them. They get a thrill our of causing havoc
and causing pain and suffering.  They cause hundreds and sometimes millions
of dollars in damages throughout the world. They threaten national security.
They do not seek to assist individuals or the networks they run, they seek
to destroy them. They seek to undermine our entire way of life.

Ladies and Gentlemen, do you ever walk out into your back yard and leave
your doors unlocked in the front? Is it not against the law for someone to
enter into your home without your consent? Isn't it against the law to take
your personal property and vacate your premises in this fashion? The
individual knows he / she does not live there yet they entered, stole your
items and left. This is illegal in any state.

Has the defendant ever walked into a home / residence that doesn't belong to
him simply because the door was unlocked? More than likely not since it has
previously been common knowledge that it is trespassing and illegal to do
so.

I propose that the defendant did exactly the same thing here. They willingly
entered a remote networks system(s), broadcast their message to all
connected parties and left without any regard to whatever damage may have
been done. They got their message across, that's what's important.  Knowing
full well that they were not part of that organization and knowing that it
was wrong. Your client clearly knows that it is illegal to enter a home /
residence without the permission of the resident. Why would they not think
otherwise when entering a remote system that they don't have any business
being into either?

Ladies and Gentlemen of the court, I propose to prove that this individual
is nothing more than what is known as a cyber terrorist.

----------------

If you get two attorneys in this type of environment, anything is possible.
This is the same legal issues that were occurring 10 years ago when the
world was still interested in computer BBS's and who was and was not
authorized to access them. It's the same issues. Simply on a larger scale.


--

Micheal Patterson
Network Administration
Cancer Care Network




More information about the list mailing list