[Dshield] Netbios over tcpip never good ? (was spamcop listed )

allan.vanleeuwen@orangemail.nl allan.vanleeuwen at orangemail.nl
Wed Dec 17 11:47:58 GMT 2003



>MS themselves in their own training courses tells you that netbios does
>not belong over the Internet.  

I did lots of their courses, all I remember them saying is 'netbios was
designed for small networks'
The fact that you can create a website with NTLM authentication shows that
MS thinks it is also suitable for the internet.


>Why on Earth would you do any of the things you indicated unless you had
>no clue how to do them more securely?

Why on earth doesn't everybody drive in a mercedes ?
I wasn't saying these are things I do ... Nor was I saying they are the best
way of doing things, I was merely trying to point out that there are lots of
things going on on the internet that make use of this functioanlity. Should
we just BAN all volkswagen drivers coz their car is not as safe as a
mercedes ?


>If you want to login to a website that uses NTLM, use ssl, not
>difficult.
>If you want to map to a friend's computer, ask they why they are
>exposing their files to everyone! 

Uhm ... If your mother is still driving a volkswagen and asks you to check
her oil, do you ask her why she is driving such a dangerous vehicle ...?
No, you change the bloody oil like she asked you to. 


>Use VPN endpoints.  The traffic is not
>encrypted unless you do so.
>If your servers have netbios exposed to the Internet......you'd better
>freshen up that resume.  That is what VPN is for.

Oh yeah encryption ... Sure encrypt everything, 5 years from now I can
already hear you crying, why did we ever start encrypting all the traffic ?
I can't see fuck all of what my users are doing, can't even see the
difference between a HTTP and an SSH session ... But since it's all
encrypted ... All I can do is allow it ?


>I apologize if this is a bit mean spirited, but I cannot believe anyone
>who subscribes to this list and reads the postings would have this type
>of an uninformed attitude.

I wouldn't call it an uninformed attitude, I'm actually quite well informed
by more then just security mailing lists. I look 
I'm just stubborn. Why not just disable MS Windows everywhere coz its so
insecure ? (You would need to disable Linux as well .. Since 2 major distros
just got owned)
What exactly is so insecure about netbios ? The thing mentioned before about
'user enumeration' is something that can easily be disabled with a registry
key.
The fact that exploits have been found for port 135, 137 and 139 doesn't
mean we have to close them !!  I know many networks with these ports still
open, but with the right setup around it, it doesn't have to be a security
issue. 

That just my opinion though .... I know there will always be the overly
paranoid types who'd rather block all ports, disable all software and
encrypt whats left.

l8r

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of allan.vanleeuwen at orangemail.nl
Sent: Tuesday, December 16, 2003 9:54 AM
To: list at dshield.org
Subject: [Dshield] Netbios over tcpip never good ? (was spamcop listed)


Hi

Sorry but I have to disagree on a lot of your points.
You are obviously somebody who thinks the internet is just FTP, HTTP and
MAIL.

There are lots of reasons why ports 137,139 and 445 could be used for
legal reasons on the internet.

I might want to send a message using the NET SEND command.
I might need to access a website that uses NTLM authentication instead
of plain text. I might want to map a drive to a friends computer.. I
might need to control my servers at work, from home ... Over netbios of
course.

Netbios is used for a lot of other stuff as well.

I think it's wrong to close ports just because there are known
vulnerabilities on it ... My opninion is, it's better to patch the holes
in the software then just disable the whole thing coz it's an 'evil
port'.

Suppose FORD MOTORS sends out an advisory explaining that the door to
the drivers seat could be dangerous to get into, because it has a little
hook somewhere that some ppl have hurt themselves on ... Would you say
'Ok, from now on I'll just get into the other door, and work my way to
the drivers seat someway inside the car', or would you just remove the
hook that FORD has warned about ?


Sorry about my really bad english, I hope the analogy was somewhat
comprehensible to most of you ... English is obviously not my native
language.

Allan





-----Original Message-----
From: Al Reust [mailto:areust at comcast.net] 
Sent: dinsdag 16 december 2003 7:16
To: General DShield Discussion List
Subject: RE: [Dshield] mail1.giac.net spamcop listed]


Hello All

SCRAPE, as I drag out the Soap Box

I partially agree, there is one thing that I do not agree on. I can see
No 
Reason that NetBIOS over TCP/IP is ever Good! That allows a remote user
to 
do silly thing like enumerate user accounts and password age etc.. That
is 
why we block 135, 137~139, 445 and more at the Firewall.

A statement of what "services" are blocked and various ports associated
for 
a User or a Small Business that are purchasing connectivity should be in

terms of the service agreement. The User expects to be "automatically 
protected," they are upset when they are not. They thought they were 
automatically. One of the recent "complaints" are ISP's are not
proactive 
and allow bad things through. Which side are we on?

* If All ISP's blocked just NetBIOS over TCP/IP the script kiddies would

have to get more knowledgeable and creative. No More browsing the
Network 
Neighborhood no matter which ISP.
* If All ISP's blocked most other ports to Dialup that could get a user
in 
trouble a large number of "Us" or Virus Companies etc.. would not be
needed.
* If All ISP's tailored require ports to what the Small Business needed
we 
would not see various things happening are happening today.
* If all ISP's only accepted port 25 connections to the local mail
server 
from a directly connected IP host, or other allowances via IP only then 
SPAM would not happen.
* If all ISP's did all of the Above we would not have seen 
Blaster/derivatives and MS would not have had to patch the OS or several

other things that are allowed, because of the current state of the
World/OS's.

The World could have gone on in that "ignorant state of bliss," as it
was 
before people found out you really could do things with/across Just
TCP/IP 
connections.

So an appropriate Statement would be, this is done in "Your Protection"
and 
if You have requirements that require other network services we will be 
happy to discuss and accommodate. Our goal is to provide the Safest,
most 
complete services that we can. Then discuss what comes to "our" level of

expertise. "We" then mitigate what needs to happen. Everyone knows after

that discussion.

So we are now stuck, with building Routers that can block large portions
of 
the world and still let script kiddies attempt to break the local 
"administrator" password (NetBIOS derived) on someone else's computer 
across networks.. Then they plant things that make all our lives
miserable. 
While "We" are still putting Pressure on ISP's to protect us.. Why?

Lets get "our" stories straight. If we offer a recommendation to block 
these ports and why then  accommodate the "risks" for small business, it

all can be accommodated/mitigated. But the information has to be 
intelligently presented.

Otherwise we all need to get an AOL 9.0 Account (they are violating 
everything).. If you believe their advertisements it is now the Safest, 
most Sanitized Internet.. and You do not know what they doing... See 
precious threads.. LOL..

Scrape as the soap box goes back into the closet..

R/

Al

If You have a tirade then you are welcome to send me offline.  It any of

this strikes sense in what we have discusses in the over last few
months. 
Then discuss it.
===========================================================
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is
alleen bestemd voor de geadresseerde. Indien u dit bericht onterecht
ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender
direct te informeren door het bericht te retourneren. Hoewel Orange
maatregelen heeft genomen om virussen in deze email of attachments te
voorkomen, dient u ook zelf na te gaan of virussen aanwezig zijn
aangezien Orange niet aansprakelijk is voor computervirussen die
veroorzaakt zijn door deze email..

The information contained in this message may be confidential and is
intended to be only for the addressee. Should you receive this message
unintentionally, please do not use the contents herein and notify the
sender immediately by return e-mail. Although Orange has taken steps to
ensure that this email and attachments are free from any virus, you do
need to verify the possibility of their existence as Orange can take no
responsibility for any computer virus which might be transferred by way
of this email.
===========================================================


_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
===========================================================
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is alleen
bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt,
wordt u verzocht de inhoud niet te gebruiken en de afzender direct te
informeren door het bericht te retourneren. Hoewel Orange maatregelen heeft
genomen om virussen in deze email of attachments te voorkomen, dient u ook
zelf na te gaan of virussen aanwezig zijn aangezien Orange niet
aansprakelijk is voor computervirussen die veroorzaakt zijn door deze
email..

The information contained in this message may be confidential and is
intended to be only for the addressee. Should you receive this message
unintentionally, please do not use the contents herein and notify the sender
immediately by return e-mail. Although Orange has taken steps to ensure that
this email and attachments are free from any virus, you do need to verify
the possibility of their existence as Orange can take no responsibility for
any computer virus which might be transferred by way of this email.
===========================================================





More information about the list mailing list