A Scanning Tool Or A Tool Scanning?
A while back someone tweeted about amihackerproof.com’s new “tool” for scanning “your” website and checking if you are vulnerable. This “scan” was allegedly being carried out using Rapid 7 from what I was hearing and if so, this was not likely within the bounds of the legal agreements put out by Rapid 7 when they sell their product. There was talk about how this was potentially illegal (copyright abuse) and the flap seemed to just kind of go away. I had heard though, that someone had in fact scanned their own IP and watched the traffic to see just what the “scan” was doing for the money that amihackerproof wanted to charge.
The results of the scan I was told at the time, came out to be pretty much useless so someone else went on to actually set up a “Damn Vulnerable Linux” install for the tool to scan. This is of course no reflection on Rapid 7 but instead the implementation that likely was allowed by only using a “free trial” version of their product by amihackerproof. The further scan of the damned vulnerable linux install was even less accurate and missed just about all of the vulns on the system. This of course, should be no surprise given the past experiences with the scans previous. What is more worrying though, is that the scanner online at amihackerproof.com really has no restrictions on it as to who it may scan so you can just put in an IP or domain name and click can to hit some unsuspecting sod’s systems using this site.
Which bings me to the next problematic thing about this site and its service.. Anyone can scan anything and it seems many have. If you go to the site and click on the “results” link you will be presented with a searchable database of IP addresses and domain names that were scanned by this system and you can purchase them. That’s right Mark Zuckerberg! You now can see if facebook.com is easily pwn-able thanks to amihackerproof.com! Now, the questions become these..
1) Is the site actually scanning for vulnerabilities when it is given an address as it claims it is?
2) If so, the intent is that you are the owner of said site, but, as you can see, I doubt Mr. Zuckerberg decided to try amihackerproof that many times to see if he is pwn’d
3) If one is not the owner giving tacit approval for a scan, does this then make what is happening with this site (people scanning other domains not their own) illegal?
4) If one cannot prove, or there is no way to really prove, that you are the owner of the site you are buying the report of, is this not in fact selling illegal vulnerability scans of unknowing sites?
All questions that one might ask themselves before signing up for a scan of their domain, or, alternatively, buying someone else’s scan for instance. All of this should make us all take a step back and look at the industry today. If the industry harbors this kind of behavior from the likes of this small site, what must others be selling out there under the radar as well? I also have to wonder at the rules of engagement here as well. If any one of us were to set up such a scanner and just allow the internet at it, would we be charged at some point for illegal activities? Is there a law against this? Or is this just a case of poor ethics and bad technical skills on the part of one company?
An old adage of mine I got from an old Unix gnome from IBM is the following “A fool with a tool.. Is still a fool” it would seem that truly this is the case with a good percentage of the security “industry” as many of us lament about. There are so many “tools” and zillions of “fools” running them to make a quick buck today that we all kinda have to hang our heads. Sure we rail against it, and lament, but, just what mechanisms has the security community come up with to really deal with such hucksterism? I see no real laws, no means of shaming or driving those who are doing ill to actually clean up their acts.
Nope, we just moan and whine…
Guess then this site and it’s ersatz scanner is just the cost of doing business in this “industry” huh?
HEY ZUCKY! YOUR SHIT IS PWNABLE!!