
Snoop fears sparked by security scans

Could Qualys offer have a sting in the tail?

Tags: qualys, vulnerabilities, sans

By Dan Ilett

Published: 4 May 2005 10:30 GMT

Security vendor Qualys is offering a free scanning service that checks for the 20 most serious vulnerabilities identified by SANS, a global non-profit security training organisation.

SANS members from within government and business found more than 600 vulnerabilities in their networks in the first quarter of 2005. The 20 that the Qualys service checks for were chosen to help companies close the most critical holes in their networks.

However, ZDNet UK has found that the service can also be used to run vulnerability scans against other people's computers. Although Qualys said it has put a number of preventative measures in place, it acknowledged that scanning systems one does not own remains possible.

Gerhard Eschelbeck, vice-president of engineering at Qualys, said: "There are a number of precautions we have taken to avoid abuse, such as the email registration process, the click-through (you confirm that you have permission to scan the device), and the audit trail. Nevertheless, the internet has an open architecture, and there are many free tools for download allowing anybody to perform a scan on the internet completely stealthily without any of these precautions."

Eschelbeck added that hackers who want to use a scanning tool for malicious activity are not likely to use a commercial scan service, such as that offered by Qualys, because of the audit trail that's created through the registration process. "They would most likely opt for one of the free scan tools that can be used stealthily," he said.
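The three precautions Eschelbeck lists (a registered e-mail address, a click-through attestation of permission, and an audit trail) are all controls on the requester, not on the target: nothing in that list proves the requester actually controls the host being scanned. The following model of such a scan-request gate is an added example written for this page, not Qualys code, and the e-mail address, target address and `Gate` class are constructed for illustration. It reproduces the three precautions and then adds a hypothetical proof-of-control step (a token the requester has to publish on the target before a scan is allowed); the article does not say the Qualys service did this, so that part is a suggested hardening, not a description of the service.

```python
"""Scan-request authorisation gate (added example; not the Qualys service's code).

Models the precautions described in the article: registered e-mail, a
click-through attestation of permission, and an audit trail. With only those
controls a registered user can point the scanner at any routable address,
because the attestation is self-asserted. The proof-of-control step is a
hypothetical hardening added here for illustration.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import ipaddress
import secrets


@dataclass
class ScanRequest:
    requester_email: str
    target: str                 # IP address the requester wants scanned
    attested_permission: bool   # the click-through "I have permission" box


@dataclass
class Gate:
    registered: set                          # e-mail addresses that completed registration
    require_proof: bool = False              # hypothetical hardening switch
    audit_log: list = field(default_factory=list)
    proven: set = field(default_factory=set)  # targets whose control has been demonstrated
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def challenge_for(self, target: str) -> str:
        """Per-target token the requester must publish on the host (e.g. in a
        DNS TXT record or at a well-known URL) to prove they control it."""
        return hmac.new(self.secret, target.encode(), hashlib.sha256).hexdigest()[:32]

    def record_proof(self, target: str, presented_token: str) -> bool:
        """Called once the token has been fetched back from the target itself."""
        if hmac.compare_digest(presented_token, self.challenge_for(target)):
            self.proven.add(target)
            return True
        return False

    def authorize(self, req: ScanRequest) -> str:
        decision = self._decide(req)
        # Audit trail: every request, allowed or not, is tied to the registrant.
        self.audit_log.append((req.requester_email, req.target, decision))
        return decision

    def _decide(self, req: ScanRequest) -> str:
        if req.requester_email not in self.registered:
            return "denied: unregistered"
        try:
            ip = ipaddress.ip_address(req.target)
        except ValueError:
            return "denied: target is not an IP address"
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            return "denied: target not scannable"
        if not req.attested_permission:
            return "denied: no permission attestation"
        if self.require_proof and req.target not in self.proven:
            return "denied: control of target not proven"
        return "allowed"


def demo():
    """Walks one request through the gate with and without proof of control."""
    gate = Gate(registered={"analyst@example.com"})          # constructed registrant
    req = ScanRequest("analyst@example.com", "192.0.2.10", attested_permission=True)
    baseline = gate.authorize(req)      # click-through alone: allowed, target unverified
    gate.require_proof = True
    unproven = gate.authorize(req)      # same request now refused
    token = gate.challenge_for(req.target)
    gate.record_proof(req.target, token)  # requester publishes token on the host
    proven = gate.authorize(req)
    return baseline, unproven, proven, len(gate.audit_log)


if __name__ == "__main__":
    print(demo())
```

The first decision in `demo()` is the behaviour the article describes: with registration, attestation and logging in place, the scan still runs against a host the requester merely claims to have permission for. The audit trail only helps after the fact, which is why Eschelbeck's point is about deterrence rather than prevention.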


Research from SANS found that online criminals are now targeting antivirus software and media players, rather than just the operating system or browser, to take control of people's computers. Attackers also continue to find holes in Microsoft Windows and other operating systems.

Alan Paller, director of research for the SANS Institute, said: "These critical vulnerabilities are widespread, and many of them are being exploited right now.

"We're publishing this list as a red flag for individuals and IT departments who may be unaware of these vulnerabilities, or mistakenly believe their computers are protected," he added.

Dan Ilett writes for ZDNet UK
