By Bill Reilly
One of the most common questions I get from crackers,
hackers, network security specialists and law enforcement
agents is whether port scanning is illegal. As of November
2001, there has only been one federal court to issue a ruling
on this point.
In Moulton v. VC3, Scott Moulton, a network security
consultant, was arrested and charged with violating the
Computer Fraud and Abuse Act after he port scanned a network
where he had a service contract to perform computer-related
work for a county 911 center. Moulton had become
concerned with the vulnerability of the network link between
the sheriff's office and the 911 center and performed a
series of remote port scans on the system. The system's
network administrator noticed the port scanning activity and
e-mailed Moulton questioning his reason for scanning the
ports. Moulton quit scanning immediately and informed the
administrator that he had a service contract with the county
and he was concerned about the network's security.
The administrator contacted the sheriff, who in turn
arrested Moulton on state and federal computer crime
charges.
Specifically, Moulton was charged with violating 18 USC
Sec. 1030(a)(5)(B), which prohibits the "intentional
accessing [of] a protected computer without authorization,
[that] as a result of such conduct, recklessly causes
damage." (He was also charged with a state computer crime
which is beyond the scope of this article.)
The county denied that they gave him access to conduct port
scans on the system and argued that he "accessed" the
computer without authorization. This subsection essentially
has four elements that the prosecution must prove: (1) the
defendant intentionally accessed a protected computer; (2)
the defendant did not have authorization to access the
computer; (3) as a result of the access, the defendant
recklessly caused damage; and (4) the damage impaired the
integrity or availability of data, a program, a system, or
information that caused a "loss aggregating at least
$5000...or threatened public health or safety." The court
didn't need to address the first three elements because the
county couldn't meet the "damage" threshold. The county
claimed that it had to spend time and money to research the
scanning and determine whether there were any penetrations
of the system. But they admitted that Moulton caused no
structural damage.
While port scanning is a useful reconnaissance technique
used by crackers to locate vulnerabilities in systems that
are running buggy services on certain computer ports, it is
essentially a passive query that works within the
architecture of TCP/IP. Without the ability to query remote
computer ports to determine the service that is running and
its compatibility with other computers, the Internet would
cease to function. The county argued that port scanning for
malicious purposes brings in the element of criminal intent.
For example, many states have laws that outlaw the criminal
use of lockpicking sets. The sets themselves are not
illegal, but the use of the sets to pick locks that you are
not authorized to pick is a crime. Much in the same way, it
is often argued, non-malicious port scanning should be
allowed. However, when the cracker uses this "tool" to
commit a crime, then such port scanning should be illegal.
But as with the lock picking laws, the "criminal intent" of
the person is what turns a "good" tool "bad." But since
people can't read minds, "intent" is usually proven by the
criminal act itself. Since there are legitimate uses for
port scanning, it is impossible to determine the intent of
the scanner unless he goes on to penetrate the system, which
is likely a criminal act already.
In this case, the county argued that the act of port
scanning itself was a crime. And the judge did not buy that
argument. The court said the statute "clearly states that
the damage must be an impairment to the integrity and
availability of the network." But the judge went on to
conclude that the county's "network security was never
actually compromised and no program or information was ever
unavailable as a result of … Moulton's activities." If there
was no impairment from the scanning or the scans weren't so
voluminous that the network's availability was interrupted,
then there was no "damage." Without damage, there is no
crime.
The recently passed USA Patriot Act dramatically changes
the Computer Fraud and Abuse Act. However, it does not
change the requirement that there must be damage and loss.
"Damage" still requires impairment to the integrity or
availability of data, a program, a system or information.
Normal port scanning is not likely to cause such
impairments. However, the USA Patriot Act does make it much
easier to meet the definition of "loss," which must exceed
$5,000. Victims can now add nearly every conceivable expense
associated with the incident to arrive at the $5,000
threshold.
The court in Moulton arrived at a conclusion that is logical
to anyone even remotely familiar with network technology.
However, the fact that the county decided to even prosecute
under this obvious mistake of fact should be a word of
caution to network security consultants and others involved
in penetration testing. Many clients are unfamiliar with the
details of the technology and can misinterpret passive
measures as criminal acts. It is highly recommended that the
initial service or consulting contract with the client
grant enough leeway to ensure that the consultant is
"authorized" to conduct the tests and that the scope of the
access is essentially open-ended. If the consultant has such
authorization, the only Section 1030(a)(5) computer crime
that the consultant can be liable for is causing intentional
damage to the system. That is why the definition of "damage"
is so important. If there is no impairment to the integrity
and availability of the network, then there is no crime.
Credits:
Bill Reilly is a California-based network security attorney
and a GIAC-certified Advanced Incident Handler. Bill Reilly
can be contacted at reilly@ebutik.com or (415) 771-3463.
Copyright(c) 2001 Bill Reilly. All rights reserved.
This article does not in any way offer legal advice of any
kind. Rather, the article is meant as an analysis of a case
and may not be taken for specific legal advice.