Free security scan raises questions

Qualys offers a free scanning service, but could it be used by outsiders to look for vulnerabilities in other people's systems?

2 min read
Security vendor Qualys is offering a free scanning service for the 20 most serious vulnerabilities recognized by SANS, a global nonprofit security training organization.

SANS members from within government and business found more than 600 vulnerabilities within their networks in the first quarter of 2005. The 20 vulnerabilities Qualys will look for were chosen to help companies close the most critical holes in their networks.

However, ZDNet UK has found that the service also lets users carry out vulnerability scans on other people's computers. Though Qualys said it has put a number of preventative measures in place to stop this, it hinted that this was possible.

"There are a number of precautions we have taken to avoid abuse, such as the e-mail registration process, the click-through (you confirm that you have permission to scan the device), and the audit trail," said Gerhard Eschelbeck, vice president of engineering at Qualys. "Nevertheless, the Internet has an open architecture, and there are many free tools on the Internet for download allowing anybody to perform a scan on the Internet completely stealthily without any of these precautions."

Eschelbeck told CNET News.com that hackers who want to use a scanning tool for malicious activity are not likely to use a commercial scan service such as that offered by Qualys, because of the audit trail that's created through the registration process. "They would most likely opt for one of the free scan tools that can be used stealthily," he said.

The vulnerability scan is available here.

Research from SANS found that online criminals have turned their attention to antivirus software and media players, rather than just the operating system or browser, in order to take control of people's computers. But hackers are also continuing to find holes in Microsoft Windows and other operating systems.

"These critical vulnerabilities are widespread, and many of them are being exploited right now," said Alan Paller, director of research for the SANS Institute. "We're publishing this list as a red flag for individuals and IT departments who may be unaware of these vulnerabilities, or mistakenly believe their computers are protected."

Dan Ilett of ZDNet UK reported from London.