Shadowserver Archive

Of Privacy, Security, and the Art of Scanning

Introduction

With all the recent news and attention on world events the concept and concern around privacy has increased over the last several years.  This is an excellent progression of personal protection and should be pursued vigorously.  However there seems to be a lot of confusion around the concepts of privacy and security.  It has been developing that many people and organization attempting to promote privacy are considering them synonymous.  In reality, they are two separate issues that can work together or may be mutually exclusive.  It is entirely possible to have privacy without security and security without privacy.  To consider one the same as the other creates a condition where one believes that one confers the other.  This will lead to bad decisions as well as conditions for failure of both.

Privacy

pri·va·cy
ˈprīvəsē/
noun
noun: privacy
  1. the state or condition of being free from being observed or disturbed by other people.
    “she returned to the privacy of her own home”
    synonyms: seclusion, solitude, isolation,freedom from disturbance,freedom from interference

    “protecting one’s privacy”
    • the state of being free from public attention.
      “a law to restrict newspapers’ freedom to invade people’s privacy”

Personal and organizational privacy is something everyone should consider important and look to improve wherever possible.  Trying to act with greater constraint and concern is difficult in these days of social media where the slightest flaw of control is easily exposed for many to see.  Keeping your personal privacy is difficult and a constant struggle against the ease of use of the many things we use daily on the Internet.

Security

se·cu·ri·ty
səˈkyo͝orədē/
noun
noun: security; plural noun: securities
  1. 1.
    the state of being free from danger or threat.
    “the system is designed to provide maximum security against toxic spills”
    • the safety of a state or organization against criminal activity such as terrorism, theft, or espionage.
      “a matter of national security”
      synonyms: safety, freedom from danger, protection,invulnerability

      “the security of the nation’s citizens”
      antonyms: vulnerability, danger
    • procedures followed or measures taken to ensure the safety of a state or organization.
      “amid tight security the presidents met in the Colombian resort”
      synonyms: safety measures, safeguards, surveillance, defense, protection

      “security at the court was tight”
    • the state of feeling safe, stable, and free from fear or anxiety.
      “this man could give the emotional security she needed”
      synonyms: peace of mind, feeling of safety, stability, certainty, happiness, confidence

      “he could give her the security she needed”
      antonyms: disquiet
  2. 2.
    a private police force that guards a building, campus, park, etc.

The other part is to conduct your Internet presence with greater care and safety.  Take precautions on not only how to interact with the Internet but also on how to properly connect your computers and systems to the Internet.  A strong defensive posture with sufficient due diligence should be required.  You cannot expect your computer out of the box to be able to be protected any more than you can expect your young child to understand the perils of surfing and sharing on the Internet.

Scanning the Internet

Not all scanning is malicious, nor is all of it benign.  The Shadowserver Foundation and many other organizations do scan the Internet on a variety of protocols.  Some of these organizations like Shadowserver do this for the purpose of alerting and reporting the issues to the network owners so that the misconfigurations or vulnerabilities can be corrected.  Some of the organizations scan for the purpose of selling the data and some for malicious activity.  Shadowserver has never hidden our purposes, nor the systems that we scan from.  In fact every single system can be found by looking at the DNS records for every system that does scanning.  They are all labeled with something like “scan-xxx.shadowserver.org” making it clear what their purpose is.

We take this data and make it available for free to any network owner in the world.  You can see this link on how to get reports, and this blog to see what we are doing as well as being able to look over the statistics of any protocol we scan.

A very disturbing trend we have begun to see with some privacy organizations is the giving of some very, very poor advice.  Most of the better known organizations that scan have public interfaces and clearly identified systems. It is easy to create lists of these scanning systems.  The extremely poor advice is to block all the scans from only these organizations.  Much better would be to advise on how to secure your firewall, or how to block all of the ports being scanned, or almost anything else that does not bury the issue.  Yes, bury or hide the issue is what is this advice advocates.  The more malicious scanning is not so easily identified.  This means that bad actors are still finding these misconfigured or vulnerable devices.  All that such system administrators manage to accomplish is to continue to leave machines freely available to malicious acts while hiding from some of the organizations that attempt to assist.

Having the Internet scanned is a fact of life.  It is not illegal, nor will it ever stop.  You may hate it, you might revile organizations that conduct it, but it is something that has been occurring from the beginning and will continue to the end.  That does not make it right or wrong, but by hiding your systems from the mostly non-malicious scanners does not make you any more secure, nor does it supply any additional privacy protection, and in fact will only continue your vulnerability to the issues that are now concealed.

Conclusion

Do not equate privacy for security or vice-versa.  Do not accept that hiding from some public scanners is sufficient.  Actually look at what real security and privacy measures you can put into place that are actually effective.  Just because you read something on the Internet that says it will improve your life, privacy, or security, does not mean it will.