[Owasp-Mumbai] Fwd: Legality of Port Scans

Dinesh O'Bareja dineshbareja at gmail.com
Fri Oct 24 04:25:00 EDT 2008


Well if we draw the attention of CERT to the PwC report on WiFi security
which was published last week, I am sure they have gone against the law.
They have scanned a few thousand networks across the city to record whether
these are secured or not. Then they say that some of the networks are
partially secure and if my knowledge serves me right there is no way you can
make out if the network is fully secure or partially secure ! Which means
that they did try some tricks here to see if they could get in easy or what
?? Big question for PwC and Mr. VeeEmm and the FICCI guys.

Did they have permissions ?

Did they note the SSIDs of the networks and list them according to the area
where they scanned the network !!

Did they have any permission from any authority to do this and if they did
have permission was the public in the area(s) informed about any such
exercise ??

Consent consent and consent ! Do the authorities or people really care about
privacy etc .... my two cents .... no ! All we have is lip service.

-Dinesh




On Thu, Oct 23, 2008 at 9:03 PM, r4y <secureas at gmail.com> wrote:

> I spent the day with CERT yesterday and posed them this question and their
> response was:
>
> "To carry out this activity, there must be consent and preferably in
> writing"
>
> So basically this will have to be an effort coordinated through various
> industry bodies and their member organisations across India. Not
> impossible.. only would require some serious effort.
>
>
> 2008/10/21 Dipak Parmar <dipak at lawyer.com>
>
>> Dear All
>>
>> It is a very tricky situation...
>>
>> Let's break it into smaller parts and deal with them individually....
>>
>> 1. IT ACT
>>
>> *A. Section 43 "Unauthorised access" & definition of "Access"*:
>>
>> Definitions:
>>
>> Access: *"access" with its grammatical variations and cognate expressions
>> means gaining entry into, instructing *or communicating* with the logical,
>> arithmetical, or memory function resources of a computer, computer system or
>> computer network;*
>>
>>
>>
>> 43: If any person without permission of the owner or any other person who is
>> in charge of a computer, computer system or computer network,
>>
>> (a) accesses or secures access to such computer, computer system or computer
>> network;
>>
>> ... he shall be liable to pay damages by way of compensation *not exceeding
>> (means maximum)* one crore rupees to the person so affected.
>>
>> So, if you are not causing any damage then you are not liable to pay any
>> compensation.
>>
>> Now it is a question of fact... are you causing any damage?
>>
>>
>> "damage" means to destroy, alter, delete, add, modify or rearrange any
>> computer resource by *any means.*
>>
>> I don't think so... it is preparatory work and will not cause any damage...
>>
>> *Word of caution: But these data will help hackers also (although it may
>> be your intention)*
>>
>> *B. Section 66 "hacking"*
>> Whoever with
>>
>> a. the intent to cause or
>>
>> b. knowing *(mind you, knowledge of it being possible to misuse will attract
>> section 66...)*
>>
>> that he is likely to cause wrongful loss or damage to the public or any
>> person
>>
>> i. destroys or deletes or alters any information residing in a computer
>> resource, or
>>
>> ii. diminishes its value or utility, or
>>
>> iii. *affects it injuriously by any means (very vague and can cover
>> indirect damage )*
>>
>>
>> *Please note that section 72 is not applicable to private individuals...*
>>
>> *Privacy Issue:*
>>
>> You may be doing great work for society.... but do you have the necessary
>> authority from individuals or the state to do the same?
>>
>>
>>
>>
>> With regards
>>
>>
>>
>> Dipak Parmar
>>
>> 022 -22093564
>>
>> 09820196971
>>
>> ----- Original Message -----
>> From: r4y
>> To: "vaibhav aher"
>> Subject: Re: [Owasp-Mumbai] Fwd: Legality of Port Scans
>> Date: Tue, 21 Oct 2008 09:10:53 +0530
>>
>>  Good to see the word "intent" peppered everywhere and this is going to
>> be very debatable as well.
>>
>> Btw I object to section 66 and the use of the word "hacking". Soldering a
>> PCB can also be considered hacking. It's a very loose term and should never
>> be used in a legal document or a bill or Act !
>>
>> 2008/10/20 vaibhav aher <vaibhavaher at gmail.com>
>>
>>> Hello friends,
>>> I just tried to justify the question.
>>> The amended IT Act 2000 describes:
>>> Section 43(1)(b) describes that port scanning is illegal as it does the first
>>> stage of information gathering; also sections 65, 66 and 72 can throw some
>>> light on it.
>>>
>>> *43. Penalty and Compensation for damage to computer, computer system etc.*
>>>
>>> (1) If any person, without permission of the owner or *of* any other
>>> person who is in charge of a *computer resource* computer, computer or
>>> computer network,-
>>>
>>> (a) accesses or secures access to such  *computer resource*; computer,
>>> computer system or computer network;
>>>
>>> (b) downloads, copies or extracts any data computer data base or *information
>>> from such computer* *resource*, computer system or computer network including
>>> information or data held or stored in any removable storage medium;
>>>
>>> (c) introduces or causes to be introduced any computer contaminant or
>>> computer virus into any computer *resource*, computer system or computer
>>> network;
>>>
>>> (d) damages or causes to be damaged any computer *resource*, computer
>>> system or computer network, data, computer data base or other programmes
>>> residing in such computer *resource*, computer system or computer
>>> network;
>>>
>>> (e) disrupts or causes disruption or impairment of any computer resource;
>>> computer system or computer network;
>>>
>>> (f) denies or causes the denial of access to any person authorised to
>>> access any computer *resource*, computer system or computer network by
>>> any means ;
>>>
>>> (g) provides any assistance to any person to facilitate access to a
>>> computer *resource*, computer system or computer network in
>>> contravention of the provisions of this Act, rules or regulations made
>>> thereunder ;
>>>
>>> (h) charges the services availed of by a person to the account of another
>>> person by tampering with or manipulating any computer *resource*, computer
>>> system, or computer network,
>>>
>>>
>>> he shall be liable to pay damages by way of compensation not exceeding
>>> one crore rupees to the person so affected.
>>>
>>> *65. Tampering with computer source documents.*
>>>
>>> Whoever knowingly or intentionally conceals, destroys or alters or
>>> intentionally or knowingly causes another to conceal, destroy or alter any
>>> computer source code used for a computer, computer programme, computer
>>> system or computer network, when the computer source code is required to be
>>> kept or maintained by law for the time being in force, shall be punishable
>>> with imprisonment up to three years, or with fine which may extend up to two
>>> lakh rupees, or with both.
>>>
>>> *Explanation.—* For the purposes of this section, "computer source code"
>>> means the listing of programmes, computer commands, design and layout and
>>> programme analysis of computer resource in any form.
>>>
>>> *66. Hacking with computer system.*
>>>
>>> (1) Whoever with the intent to cause or knowing that he is likely to
>>> cause wrongful loss or damage to the public or any person destroys or
>>> deletes or alters any information residing in a computer resource or
>>> diminishes its value or utility or affects it injuriously by any means,
>>> commits hacking.
>>>
>>> (2) Whoever commits hacking shall be punished with imprisonment up to
>>> three years, or with fine which may extend up to two lakh rupees, or with
>>> both.
>>>
>>> *72. Penalty for breach of confidentiality and privacy.*
>>>
>>> Save as otherwise provided in this Act or any other law for the time
>>> being in force, any person who, in pursuance of any of the powers conferred
>>> under this Act, rules or regulations made thereunder, has secured access to
>>> any electronic record, book, register, correspondence, information, document
>>> or other material without the consent of the person concerned discloses such
>>> electronic record, book, register, correspondence, information, document or
>>> other material to any other person shall be punished with imprisonment for a
>>> term which may extend to two years, or with fine which may extend to one
>>> lakh rupees, or with both.
>>>
>>> Regards
>>>
>>> --
>>> Vaibhav Aher
>>> ISO27001,C|EH
>>> Security Consultant
>>> +91 09225325661
>>>
>>>
>>>
>>>
>>>
>>> On Sun, Oct 19, 2008 at 6:22 PM, Dipak Parmar <dipak at lawyer.com> wrote:
>>>
>>>> Dear Yogesh/Yash
>>>>
>>>> As to usage of port scanning…
>>>>
>>>> Section 43 of the IT Act, 2000 starts with "If any person without permission
>>>> of the owner or any other person who is in charge of a computer, computer
>>>> system or computer network…"
>>>>
>>>> So, if you are using it as security personnel (certainly with appropriate
>>>> authority - either as part of your employment or service contract) then it is
>>>> legal, not otherwise…
>>>>
>>>> What you are scanning is a question of fact… is your client the owner of that
>>>> network or just another user?
>>>>
>>>> I trust I have answered your query…
>>>>
>>>>
>>>>
>>>> With regards
>>>>
>>>>
>>>>
>>>> Dipak Parmar
>>>>
>>>> 022 -22093564
>>>>
>>>> 09820196971
>>>>
>>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Dinesh O'Bareja <dineshbareja at gmail.com>
>>>> Date: Sun, Oct 19, 2008 at 11:11 AM
>>>> Subject: Re: [Owasp-Mumbai] Legality of Port Scans
>>>> To: Yogesh Badwe <yogeshmb at gmail.com>
>>>> Cc: Yash Kadakia <teccoder at gmail.com>, "owasp-mumbai at lists.owasp.org" <
>>>> owasp-mumbai at lists.owasp.org>
>>>>
>>>>
>>>> Yash - simply put, this is a sticky area. Any scan must be done ONLY
>>>> after obtaining a clearly defined scope from the client. Having said that,
>>>> the investigator must also ensure that he / she is not being asked to scan
>>>> any networks which do not belong to the client.
>>>>
>>>> It will be good for the health :) to keep any such urges under strict
>>>> control which entice you to "go where no man has been before" !!
>>>>
>>>> This is regular common sense advice, and I shall try to get some legal
>>>> stuff out to the group in time.
>>>>
>>>> regards
>>>> Dinesh.
>>>>
>>>>
>>>> On Fri, Oct 17, 2008 at 9:45 AM, Yogesh Badwe <yogeshmb at gmail.com> wrote:
>>>>
>>>>> Yash,
>>>>>
>>>>> *IT Act 2000*
>>>>>
>>>>> *Definitions:*
>>>>>
>>>>> Access: *"access" with its grammatical variations and cognate
>>>>> expressions means gaining entry into, instructing *or communicating* with
>>>>> the logical, arithmetical, or memory function resources of a computer,
>>>>> computer system or computer network;*
>>>>>
>>>>> *Sections:*
>>>>>
>>>>> *Chapter IX - Penalties and Adjudication*
>>>>>
>>>>> *43: penalty for damage to computer*: Sets the penalty for damage to
>>>>> a computer or network at INR 10 million for any damage or *unauthorized
>>>>> access* to a computer system.
>>>>>
>>>>> Correlating the Definition and the Section --> implies "illegal"
>>>>>
>>>>> I am not a lawyer ...but hope it helps !!
>>>>>
>>>>> -Yogesh Badwe
>>>>>
>>>>>
>>>>> On Thu, Oct 16, 2008 at 8:48 AM, Yash Kadakia <teccoder at gmail.com> wrote:
>>>>>
>>>>>>   Hey,
>>>>>>
>>>>>> I was having a discussion with someone the other day and we started
>>>>>> talking about whether port scanning is illegal in India or not. We couldn't
>>>>>> really come to any definite answer and even after going through the relevant
>>>>>> Cyber Laws (http://cybercellmumbai.com/cyber-laws/) several times
>>>>>> there is no clear answer for the same.
>>>>>>
>>>>>> In my opinion, I do not think it is illegal since
>>>>>> http://www.cybercellmumbai.com/cyber-laws/chapter-9 really only talks
>>>>>> about post-data theft, network compromise, virus infection etc.
>>>>>>
>>>>>> I just wanted to throw this out there and see if any of you have any
>>>>>> ideas about the same.
>>>>>>
>>>>>> Yash Kadakia
>>>>>>
>>>>>> Co-Founder/ Chief Technology Officer
>>>>>> Security Brigade
>>>>>> Information Security Solutions
>>>>>>
>>>>>> Mobile: +91-09833375290
>>>>>> Fax: +91-651-2444545
>>>>>> E-mail: yash at securitybrigade.com
>>>>>> Web: http://www.securitybrigade.com/
>>>>>> Blog: http://www.yashkadakia.com/
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Mumbai mailing list
>>>>>> OWASP-Mumbai at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Yogesh . M . Badwe
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> With kind regards,
>>>>
>>>> DIPAK G. PARMAR
>>>> 13/A, Nalawala Building,
>>>> Ground Floor,
>>>> Bhaijivanji Lane,
>>>> Thakurdwar Road,
>>>> Mumbai - 400 002
>>>> India
>>>> (9122) 22093564
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>> With kind regards,
>>
>> DIPAK G. PARMAR
>> 13/A, Nalawala Building,
>> Ground Floor,
>> Bhaijivanji Lane,
>> Thakurdwar Road,
>> Mumbai - 400 002
>> India
>> (9122) 22093564
>>
>>
>>
>
>
>
>

