Snoop fears sparked by security scans

Security vendor Qualys is offering a free scanning service for the 20 most serious vulnerabilities recognised by SANS, a global non-profit security training organisation.

SANS members from within government and business found more than 600 vulnerabilities within their networks in the first quarter of 2005. The 20 that Qualys will look for were chosen to help companies close the most critical holes in their networks.

However, ZDNet UK has found that the service also lets users carry out vulnerability scans on other people's computers. Although Qualys said it has put a number of preventative measures in place to stop this, it hinted that this was possible.

Gerhard Eschelbeck, vice-president of engineering at Qualys, said: "There are a number of precautions we have taken to avoid abuse, such as the email registration process, the click-through (you confirm that you have permission to scan the device), and the audit trail. Nevertheless, the internet has an open architecture, and there are many free tools for download allowing anybody to perform a scan on the internet completely stealthily without any of these precautions."

Eschelbeck added that hackers who want to use a scanning tool for malicious activity are not likely to use a commercial scan service, such as that offered by Qualys, because of the audit trail that's created through the registration process. "They would most likely opt for one of the free scan tools that can be used stealthily," he said.

The vulnerability scan is available here.

Research from SANS found that online criminals have turned their attention to antivirus software and media players, rather than just the operating system or browser, in order to take control of people's computers. But hackers are also continuing to find holes in Microsoft Windows and other operating systems.

Alan Paller, director of research for the SANS Institute, said: "These critical vulnerabilities are widespread, and many of them are being exploited right now.

"We're publishing this list as a red flag for individuals and IT departments who may be unaware of these vulnerabilities, or mistakenly believe their computers are protected," he added.

Dan Ilett writes for ZDNet UK