[Owasp-Mumbai] Fwd: Legality of Port Scans

vaibhav aher vaibhavaher at gmail.com
Mon Oct 20 00:53:42 EDT 2008


Hello friends,
I just tried to justify the question.
The amended IT Act 2000 describes this:
Section 43(1)(b) describes that port scanning is illegal, as it does the first
stage of information gathering; sections 65, 66 and 72 can also shed light
on it.

*43. **Penalty**  **Compensation** for damage to computer, computer system etc.*

(1) If any person, without permission of the owner or *of* any other person
who is incharge of a *computer resource* computer, computer or computer
network,-

(a) accesses or secures access to such  *computer resource*; computer,
computer system or computer network;

(b) downloads, copies or extracts any data computer data base or *information
from such computer* *resource*, computer system or computer network including
information or data held or stored in any removable storage medium;

(c) introduces or causes to be introduced any computer contaminant or
computer virus into any computer *resource*, computer system or computer
network;

(d) damages or causes to be damaged any computer *resource*, computer system
or computer network, data, computer data base or other programmes residing
in such computer *resource*, computer system or computer network;

(e) disrupts or causes disruption or impairment of any computer resource;
computer system or computer network;

(f) denies or causes the denial of access to any person authorised to access
any computer *resource*, computer system or computer network by any means ;

(g) provides any assistance to any person to facilitate access to a computer
*resource*, computer system or computer network in contravention of the
provisions of this Act, rules or regulations made thereunder ;

(h) charges the services availed of by a person to the account of another
person by tampering with or manipulating any computer *resource*, computer
system, or computer network,


he shall be liable to pay damages by way of compensation not exceeding one
crore rupees to the person so affected.

*65. Tampering with computer source documents.*

Whoever knowingly or intentionally conceals, destroys or alters or
intentionally or knowingly causes another to conceal, destroy or alter any
computer source code used for a computer, computer programme, computer
system or computer network, when the computer source code is required to be
kept or maintained by law for the time being in force, shall be punishable
with imprisonment up to three years, or with fine which may extend up to two
lakh rupees, or with both.

*Explanation.—*For the purposes of this section, "computer source code"
means the listing of programmes, computer commands, design and layout and
programme analysis of computer resource in any form.

*66. Hacking with computer system.*

(1) Whoever with the intent to cause or knowing that he is likely to cause
wrongful loss or damage to the public or any person destroys or deletes or
alters any information residing in a computer resource or diminishes its
value or utility or affects it injuriously by any means, commits hack:

(2) Whoever commits hacking shall be punished with imprisonment up to three
years, or with fine which may extend upto two lakh rupees, or with both.

*72. Penalty for breach of confidentiality and privacy.*

Save as otherwise provided in this Act or any other law for the time being
in force, any person who, in pursuance of any of the powers conferred under
this Act, rules or regulations made thereunder, has secured access to any
electronic record, book, register, correspondence, information, document or
other material without the consent of the person concerned discloses such
electronic record, book, register, correspondence, information, document or
other material to any other person shall be punished with imprisonment for a
term which may extend to two years, or with fine which may extend to one
lakh rupees, or with both.

Regards

-- 
Vaibhav Aher
ISO27001,C|EH
Security Consultant
+91 09225325661

------------------------------




On Sun, Oct 19, 2008 at 6:22 PM, Dipak Parmar <dipak at lawyer.com> wrote:

> Dear Yogesh/Yash
>
> As to usage of Port scanning…
>
> Section 43 of the IT Act, 2000 starts with "If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network…"
>
> So, if you are using it as security personnel (certainly with appropriate authority - either as part of your employment or service contract) then it is legal, not otherwise…
>
> What you are scanning is a question of fact… is your client the owner of that network or just another user?
>
> I trust I have answered your query…
>
> With regards
>
> Dipak Parmar
>
> 022 -22093564
>
> 09820196971
>
>
>
> ---------- Forwarded message ----------
> From: Dinesh O'Bareja <dineshbareja at gmail.com>
> Date: Sun, Oct 19, 2008 at 11:11 AM
> Subject: Re: [Owasp-Mumbai] Legality of Port Scans
> To: Yogesh Badwe <yogeshmb at gmail.com>
> Cc: Yash Kadakia <teccoder at gmail.com>, "owasp-mumbai at lists.owasp.org" <
> owasp-mumbai at lists.owasp.org>
>
>
> Yash - simply put, this is a sticky area. Any scan must be done ONLY after
> obtaining a clearly defined scope from the client. Having said that, the
> investigator must also ensure that he / she is not being asked to scan any
> networks which do not belong to the client.
>
> It will be good for the health :) to keep any such urges under strict
> control which entice you to "go where no man has been before" !!
>
> This is regular common sense advice, and I shall try to get some legal
> stuff out to the group in time.
>
> regards
> Dinesh.
>
>
> On Fri, Oct 17, 2008 at 9:45 AM, Yogesh Badwe <yogeshmb at gmail.com> wrote:
>
>> Yash,
>>
>> *IT Act 2000*
>>
>> *Definitions:*
>>
>> *Access:* "access" with its grammatical variations and cognate expressions
>> means gaining entry into, instructing *or communicating* with the
>> logical, arithmetical, or memory function resources of a computer, computer
>> system or computer network;
>>
>> *Sections:*
>>
>> *Chapter IX - Penalties and Adjudication*
>>
>> *43: penalty for damage to computer*: Sets the penalty for damage to a
>> computer or network at INR 10 million for any damage or *unauthorized
>> access* to a computer system.
>>
>> Correlating the Definition and the Section --> implies "illegal"
>>
>> I am not a lawyer ...but hope it helps !!
>>
>> -Yogesh Badwe
>>
>>
>> On Thu, Oct 16, 2008 at 8:48 AM, Yash Kadakia <teccoder at gmail.com> wrote:
>>
>>>   Hey,
>>>
>>> I was having a discussion with someone the other day and we started
>>> talking about whether Port Scanning is illegal in India or not. We couldn't
>>> really come to any definite answer and even after going through the relevant
>>> Cyber Laws (http://cybercellmumbai.com/cyber-laws/) several times there
>>> is no clear answer for the same.
>>>
>>> In my opinion, I do not think it is illegal since
>>> http://www.cybercellmumbai.com/cyber-laws/chapter-9 really only talks
>>> about post-data theft, network compromise, virus infection etc.
>>>
>>> I just wanted to throw this out there and see if any of you have any
>>> ideas about the same.
>>>
>>> Yash Kadakia
>>>
>>> Co-Founder/ Chief Technology Officer
>>> Security Brigade
>>> Information Security Solutions
>>>
>>> Mobile: +91-09833375290
>>> Fax: +91-651-2444545
>>> E-mail: yash at securitybrigade.com
>>> Web: http://www.securitybrigade.com/
>>> Blog: http://www.yashkadakia.com/
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OWASP-Mumbai mailing list
>>> OWASP-Mumbai at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>
>>>
>>
>>
>> Yogesh . M . Badwe
>
>
>
> With kind regards,
>
> DIPAK G. PARMAR
> 13/A, Nalawala Building,
> Ground Floor,
> Bhaijivanji Lane,
> Thakurdwar Road,
> Mumbai - 400 002
> India
> (9122) 22093564
>
>