Many network administrators have security toolkits that include security scanners and other vulnerability test tools, but not everyone understands how to use those tools ethically. Using software packages on your network to test for vulnerabilities is one thing, but testing somebody else's network for vulnerabilities is an entirely different matter.
It seems obvious that you need permission to scan someone else's network or system. The reason is simple: Someone else's network is neither your property nor your responsibility. Furthermore, mounting an attack on someone's system isn't a wise way to gain notoriety, especially for new security consulting firms. However, not everybody understands that, and I read about a case in point over the weekend.
ForensicTec Solutions, a 4-month-old security startup, apparently decided it would impress people with its ability to detect vulnerabilities. However, some rookie ForensicTec consultants chose to perform that detection on someone else's network. To compound that poor judgment, the "someone else" turned out to be the US government. According to a report from "The Washington Post," ForensicTec consultants decided to investigate the security of various Department of Defense (DoD) networks and computer systems.
The report said that 2 months ago, while working with a client, the ForensicTec consultants detected other networks and IP addresses. They investigated those IP addresses and learned that they belonged to computers running on DoD networks located in Fort Hood, Texas. Out of curiosity, they proceeded to gain access to those military networks, then used that access to gain further access to other government networks, such as those that the National Aeronautics and Space Administration (NASA) operates.
According to the report, the consultants discovered that they could access systems that contained detailed sensitive information, sometimes by using common passwords such as "administrator" and "password." They found information about "radio encryption techniques, the use of laser targeting systems and other field procedures. Another [system they accessed] maintained hundreds of personnel records containing Social Security numbers, security clearance levels and credit card numbers. A NASA computer contained vendor records, including company bank account and financial routing numbers." Still other systems contained "e-mail messages, confidential disciplinary letters and, in one case, a memo naming couriers to carry secret documents and their destinations."
After locating such sensitive information, the company apparently waited 2 months before reporting its findings. When it reported its findings to the military 2 weeks ago, it also contacted "The Washington Post" to report the exploits. The newspaper contacted the government to determine whether ForensicTec's information was accurate.
As a result of its actions, ForensicTec found itself the subject of a Federal Bureau of Investigation (FBI) forensic investigation. According to another report from "The Washington Post," the FBI raided the company's offices over the weekend.
As you might expect, ForensicTec said it acted as it did to gain some exposure for itself and to help the government realize its networks were exposed to intruders. A spokesperson for the Army Criminal Investigation Command in Virginia said, "Regardless of the stated intent, unauthorized entry into Army computer systems is a federal offense."
The moral of this story is at least threefold: Never leave default or easy-to-guess passwords such as "administrator" or "password" on any account, least of all an administrative one; never turn rookie security consultants loose on others' networks; and never investigate anyone's network without first obtaining explicit permission, preferably in writing, that spells out which systems and address ranges you may test and what you may do to them. If you stumble onto systems outside that scope during an engagement, as the ForensicTec consultants did, the correct response is to stop and report what you found, not to log in and look around.