Security Basics mailing list archives
Re: Nmap Online
From: Sean Swayze <sean.swayze () gmail com>
Date: Fri, 8 Dec 2006 20:19:40 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Shain,Thanks for your input and rebuttal. I'm not convinced with your comparison
however. Webmail and nmap are decidedly different and although thepotential for abuse of webmail is apparent it is not as potentially harmful as an open nmap scan facility. While it's true that both have the potential for DoS the real truth is that Webmail is an acceptable risk and those issues
with respect to spam can be mitigated with proper configuration.I agree that this is a security-basics list, and it's a good thing that David had the foresight to publish the existence of his nmap service so that admins and security personnel would get a heads up so as to block spurious scans from his domain. I still maintain that even in the beginning stages of a security administrator's career path that they would have already completed the ground
work that would allow them to install and configure nmap for themselves.It's true we don't all have the time to RTFM but that's what separates a true
security admin from a wannabe.I do agree that like gasoline, there are many benign uses for network scanning tools, and the existence of these tools is in and of itself 'risky' but it's a risk that is necessary for exactly the benign uses. I would submit that making this scanner available to all and sundry would undo the fact that it takes some effort, knowledge, and persistence to get nmap compiled and installed. The average script kiddie might not have the wherewithal to complete such a task, but now has a fully functional vulnerability scanner at their disposal without the exposure and trouble that it would normally entail. Furthermore, given that it's a publicly available service, it could be quite difficult to trace back to the user that requested
the scan, yet it would be quite clear where the scan was coming from. I stick by my original assessment. Best. Sean Swayze On 8-Dec-06, at 5:33 PM, Shain Singh wrote:
Sean Swayze wrote:I concur with Craig. Making nmap available through a publicly available service can only allow for two or three things: 1. Increase the exposure of innocent networks to vulnerability scanning.<snip>Any security personnel or pen-testers that are out there that can't configure nmap, or won't aren't worth the effort of providing this free service for.Valid points, but this list is not only for 'those in the know' but also for people who may be still in their infancy stage with tools such as nmap. Also, does this mean that anyone wishing to offer a free webmail service should abstain because of their well meaning intentions having potential forbeing abused for generating spam?I don't necessarily advocate a bunch of sites sprouting with online scanning tools, but having them around is not necessarily a bad thing. Stopping abuse of a tools is not mitigated by "making it easier" to use I believe - if you don't do it, someone else will anyways. If anything the fact that a site like that has been posted to this list it gives administrators the option oftaking extra measures for the said domain/netblock. -- Shaineel Singh MakePeace Media LTD http://mpm.org.au/shsingh pgp id: 0xA9D8D351 fp: 38 0D A8 C8 74 A2 33 5E CE 0E 5A FA D5 A0 04 7C This message was written entirely with recycled electrons.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFFeg8t5CKNk9e5yFQRAlH/AJ0YydiL8lta1pQwNritj/+9j3P1MgCfeFkS 2ZVxOWEDyTqhGL/jWwjj1iM= =9/ST -----END PGP SIGNATURE----- --------------------------------------------------------------------------- This list is sponsored by: ByteCrusher Detect Malicious Web Content and Exploits in Real-Time. Anti-Virus engines can't detect unknown or new threats. LinkScanner can. Web surfing just became a whole lot safer. http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect ---------------------------------------------------------------------------
Current thread:
- Re: Nmap Online ascii (Dec 01)
- <Possible follow-ups>
- Re: Nmap Online Cor Rosielle (Dec 01)
- Re: Nmap Online Zapotek (Dec 01)
- RE: Nmap Online Tony Mihaljevic (Dec 04)
- Re: Nmap Online Tasos Laskos (Dec 04)
- RE: Nmap Online Tony Mihaljevic (Dec 04)
- RE: Nmap Online Shain Singh (Dec 06)
- Re: Nmap Online Craig Van Tassle (Dec 06)
- Re: Nmap Online Sean Swayze (Dec 07)
- RE: Nmap Online Shain Singh (Dec 12)
- Re: Nmap Online Sean Swayze (Dec 12)
- RE: Nmap Online Shain Singh (Dec 12)
- Re: Nmap Online Sean Swayze (Dec 07)
- Re: Nmap Online etropos (Dec 07)
