
Scanning Your Network For Copyrighted Material

Note: This blog was first posted on November 27, 2006. Since then, plugin ID #11777, which enumerates files that potentially represent copyright violations, has been rewritten.  It is now dependent on plugin ID #23973 which enumerates files hosted on SMB shares and checks for a much broader range of file extensions. 

Nessus includes three plugins that look for systems serving movie and music files through web servers, FTP servers and SMB shares. This blog entry will discuss why this is something you might want to look for, how these plugins work and how you can use the Security Center to analyze these results.

Background

Plugins #11777, #11778 and #11779 look for files with the following extensions:

.mp3
.mpg
.mpeg
.ogg
.avi
.wma
.vob

These files are normally associated with movies, music and DVDs that have been obtained from the Internet through P2P file sharing such as BitTorrent, BearShare, eMule, Kazaa and WinMX.

Having a movie or music file on a computer is not a crime; however, having data that is copyrighted can be a crime. If users on your network are sharing this sort of data illegally, they may be exposing your organization to potential investigations from the Recording Industry Association of America (RIAA) or the Motion Picture Association of America (MPAA).

Tenable's university customers (and even our corporate customers) regularly tell us that if a user starts to blatantly use the network for sharing files with music or movie content, they can expect to get a letter from the RIAA or MPAA. Responding to such a letter can take time for the IT staff.

Internally, any organization that hosts a file server containing copyrighted material may be open to lawsuits or even embarrassment if news of this leaves the organization.

There are also a great many security threats from shared illegal content such as this. The SANS Q4 Top 20 list identifies both media players (C5) and P2P applications (C3) as being targeted by malicious users. An attacker who wishes to compromise a large number of systems could create a music or movie file with very appealing content, such as a popular song or movie, and also include an exploit which attacks iTunes, Media Player or QuickTime.

The NASL Scripts

Tenable has produced three different plugins to search for files with these extensions in SMB shares, on FTP servers and on Web servers.

#11777  SMB share hosting copyrighted material

This plugin uses the current scan credentials to find file archives of movies and music on SMB shares. For performance reasons, the script recurses only three levels deep.

#11778 Web Server hosting copyrighted material

This plugin is dependent on the webmirror.nasl script. The webmirror.nasl script creates a virtual archive of all content on the scanned web server. Plugin #11778 then searches this archive in the Nessus knowledge base for any file extensions which match those of movies and music.

Typically, users will find web archives on port 80 servers, but if a user is more savvy, they may try to hide their web server on a high port. If Nessus is performing a full port scan, it will find this port, identify it as a web server and log in. If performing a full port scan is not an option for all systems, using the Passive Vulnerability Scanner (PVS) to monitor network traffic to find web servers on non-standard ports is suggested.

#11779 FTP server hosting copyrighted material

This plugin logs into detected FTP servers and traverses the directories of hosted files for archives of movies and music. For performance reasons, the script recurses only three levels deep.

As with off-port web servers, if Nessus finds an FTP server not running on port 21, it will still attempt to perform this analysis. The PVS will also find off-port FTP servers.
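The depth-limited traversal described for the SMB and FTP plugins can be sketched as follows. This is an added example, not Tenable's NASL code: it walks a local directory (for instance a mounted share) instead of speaking SMB or FTP, and it assumes that "three levels" means directories up to three levels below the starting point are inspected. The sample tree and the function names are constructed for the illustration.

```python
import os
import tempfile

# Extensions listed in the post for plugins #11777, #11778 and #11779.
MEDIA_EXTENSIONS = {".mp3", ".mpg", ".mpeg", ".ogg", ".avi", ".wma", ".vob"}
MAX_DEPTH = 3  # assumption: directories up to three levels below the root are inspected


def find_media_files(root, max_depth=MAX_DEPTH):
    """Return sorted '/'-separated relative paths of media files within max_depth levels."""
    root = os.path.abspath(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []  # prune in place so os.walk does not descend further
        for name in filenames:
            # Match case-insensitively so CARS.AVI and cars.avi are both reported.
            if os.path.splitext(name)[1].lower() in MEDIA_EXTENSIONS:
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(base):
    """Create a constructed directory tree under base (empty placeholder files only)."""
    sample = [
        "readme.txt",
        "Music/track01.MP3",
        "Users/alice/Videos/cars.avi",
        "Users/alice/Videos/old/deep/too_deep.mpg",  # five levels down: not reported
        "Apps/player/sounds/startup.ogg",  # bundled application content, still reported
    ]
    for rel in sample:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_media_files(tmp):
            print(hit)
```

The file five levels down is missed, which is the coverage cost of the performance limit, and the bundled `startup.ogg` is reported even though it ships with an application.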

Interpreting The Results

Finding a movie or a music file does not imply that the host is indeed violating someone else's copyright. Many of the following situations occur on modern enterprise networks:

  • legally obtained content is being shared unintentionally
  • content intended for downloads (such as podcasts, movie trailers, etc.) is found
  • content included with applications and operating systems is found

When analyzing systems with this data on them, consider the following concepts:

  • Is this data something required for normal usage?
  • Is this data consuming network bandwidth or storage?
  • Does this data contain offensive material or subjects?

Analyzing Results with the Security Center

Below is an image of a server at 192.168.20.23 that was hosting copyrighted material over an SMB share:

[Image: Security Center screenshot (Copysc3)]

This system had a few movies (Cars and Monster House) as well as some MP3s. If we had many hundreds (or even thousands) of servers with this condition, how could we use the Security Center to narrow these down into different groups? There are several things we could do:

  • The Security Center has a "Search Vuln Text" field. If we wanted to find just movies, just music, etc., we could refine our search there. For example, we could type "cars.avi" and we'd find just systems that had that movie.
  • We could extend this concept to look for "dirty" words which were associated with pornographic material. This would find systems potentially hosting adult entertainment content.
  • We could also extend this concept to look for music of popular bands and titles such as "ColdPlay", "U2" and "Madonna".
  • These filters could also be used to create a Security Center dynamic asset list. These rules could either simply match plugins #11777, #11778 and #11779 or have a more refined algorithm by also performing a text search to look for specific content. 
  • Lastly, once these dynamic asset rules were in place, the Log Correlation Engine could be used to analyze network traffic (via direct sniffing or netflow) going to and from these devices to look for who has been accessing this data and how long they've been accessing it. 
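The filtering steps above can also be reproduced over exported results. The following is an added example, not Security Center functionality or Tenable code: the findings are constructed, their text field is illustrative rather than real plugin output, and the split of the extension list into "movies" and "music" is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Plugin IDs from the post and the service each one covers.
MEDIA_PLUGINS = {11777: "SMB", 11778: "Web", 11779: "FTP"}
# Assumption: how the post's extension list divides into two kinds of content.
KINDS = {"movies": {".mpg", ".mpeg", ".avi", ".vob"}, "music": {".mp3", ".ogg", ".wma"}}
EXT_RE = re.compile(r"\.(mp3|mpeg|mpg|ogg|avi|wma|vob)\b", re.IGNORECASE)

# Constructed findings; 99999 is a made-up ID standing in for an unrelated plugin.
FINDINGS = [
    {"host": "192.168.20.23", "plugin": 11777,
     "text": "Movies\\cars.avi\nMovies\\monster_house.avi\nMusic\\song.mp3"},
    {"host": "192.168.20.40", "plugin": 11778, "text": "/podcasts/episode12.mp3"},
    {"host": "192.168.20.41", "plugin": 11779, "text": "/pub/Cars.AVI"},
    {"host": "192.168.20.50", "plugin": 99999, "text": "unrelated finding mentioning cars.avi"},
]


def media_findings(findings):
    """Keep only results produced by the three media plugins."""
    return [f for f in findings if f["plugin"] in MEDIA_PLUGINS]


def search_vuln_text(findings, term):
    """Hosts whose media finding text contains term, case-insensitively."""
    term = term.lower()
    return sorted({f["host"] for f in media_findings(findings) if term in f["text"].lower()})


def asset_lists(findings):
    """Group hosts into one list per kind of content named in their findings."""
    groups = defaultdict(set)
    for f in media_findings(findings):
        for match in EXT_RE.finditer(f["text"]):
            ext = "." + match.group(1).lower()
            for kind, extensions in KINDS.items():
                if ext in extensions:
                    groups[kind].add(f["host"])
    return {kind: sorted(hosts) for kind, hosts in groups.items()}


if __name__ == "__main__":
    print(search_vuln_text(FINDINGS, "cars.avi"))
    print(asset_lists(FINDINGS))
```

Restricting the text search to the three plugin IDs first keeps the unrelated finding on 192.168.20.50 out of the result even though its text contains the search term.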

For More Information

If this type of monitoring is interesting, Tenable customers should request a copy of our "Realtime Compliance Monitoring" paper. It has a section for strategies on dealing with RIAA and MPAA inquiries. All requests for the paper should be sent to [email protected].

Also, both the PVS and Nessus have extensive families for detecting P2P applications in use. The Nessus plugin family for identifying P2P apps is available for analysis online. The PVS is a commercial product. If there is interest in that, please contact [email protected].

Lastly, we've previously blogged about using the PVS for corporate monitoring.
