 From:  Francisco Artes <falcor at netassassin dot com>
 To:  Quark Group - Hilton Travis <Hilton at quarkgroup dot com dot au>
 Cc:  Richard Parvass <richard dot parvass at aaland dot co dot uk>, "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Howto workaround new NetBIOS vuln.
 Date:  Tue, 29 Dec 2009 12:39:58 -0800
Barring parallels to STDs, as interesting an analogy as that is, the common person really doesn't
have the wherewithal to understand this world with the same safety they might say... your drunk
girl analogy.  A bit off-topic for just m0n0wall, but really you can't protect the masses from
themselves.  Nor should any of us be expected to do so in a public network where we are not given
unlimited funds for IPS, monitoring, etc.  The smart user will relax in their hotel, use the wifi
unencrypted long enough to establish a VPN to a trusted network and then conduct their business. 
For my mother and others traveling who start checking their webmail, surfing the web, doing online
banking, etc. on a public network with no idea who or what is monitoring or doing other nefarious
acts... well, sadly this type of situational awareness has to inculcate itself into society over
time and until it does the sheep will be easy pickings for the wolves.  While those of us with
security and networking backgrounds can test the security of a network we are using, e.g. test for
client isolation in this relevant case, the common person has no way to do this.  Or for that matter
any inkling that something like this would be preferable to say an open repeated wifi
infrastructure.  Some vendors, like Cisco, have client isolation set by default... others have it
buried deep in the settings, if at all.  

If you are a good guy and happen to control the system, I say hats-off to you if you take the
reasonable measures to help secure the masses from themselves.  Always good to help people, and it
will probably pay off in the end with fewer calls for identity theft, hacked computers, etc. as
someone, somewhere, will want logs or data.  

On Dec 29, 2009, at 11:55 AM, Quark Group - Hilton Travis wrote:

> G'day Richard,
> Totally - configuring *your* DHCP Server to disable NetBIOS won't do diddly squat to protect a
laptop in a public area or hotel and the Microsoft article referred to doesn't take that into
consideration at all.  Also, hoping the AP in the Hotel you're staying in - unless it is one in
which you maintain the Wi-Fi setup - has client isolation enabled is like hoping the drunk girl you
slept with at that party the other night that you can almost remember some of didn't have an STI -
it isn't a good nor reliable way of staying safe.  :)
> Disabling "Automatically detect settings" on any laptops you support will ensure this NetBIOS
attack won't work on them, however it then relies on the Hotel knowing what the settings are for any
proxies - which REALLY should be transparent proxies if the truth be told!  :)
> --
> http://hiltont.blogspot.com/
> Regards,
> Hilton Travis                       Phone: +61 (0)7 3105 9101
> (Brisbane, Australia)               Phone: +61 (0)419 792 394
> Manager, Quark IT                   http://www.quarkit.com.au
>         Quark Group                http://www.quarkgroup.com.au
> War doesn't determine who is right.  War determines who is left.
> -----Original Message-----
> From: Richard Parvass [mailto:richard dot parvass at aaland dot co dot uk]
> Sent: Tuesday, 29 December 2009 11:48 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Cc: Lee Sharp
> Subject: RE: [m0n0wall] Howto workaround new NetBIOS vuln.
> Lee,
> You cannot necessarily rely on disabling NetBIOS via DHCP, as a client
> machine may have the option set to always enable NetBIOS on its WINS
> settings tab, thus defeating the DHCP option and leaving it vulnerable.
> Assuming a wireless infrastructure in the hotel as is the norm,
> configure the APs for client isolation so that no client can communicate
> with another. This will mitigate the problem.
> Richard
> Quark Group Pty Ltd :: ABN 23 114 975 772
> Trading As Quark AudioVisual, Quark Automation, Quark IT
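Added example, not from anyone in the thread: a quick check for the "client isolation" that Richard and Francisco mention, runnable from a laptop on the hotel network. It ping-sweeps the local /24 so that any reachable peer lands in the ARP/neighbour table, then reports which hosts answered besides the gateway. The environment variable names, the /24 assumption, and the reliance on ping plus either "ip neigh" or "arp -an" (Linux or macOS) are my choices for the example, not anything from the list or from m0n0wall.

```shell
#!/bin/sh
# Client-isolation check (added example, not part of the m0n0wall thread).
# Usage: the sweep only runs when both variables are set, so the file can be
# sourced for its functions without side effects:
#   ISOLATION_SUBNET=10.20.30 ISOLATION_GW=10.20.30.1 sh check_isolation.sh
# ISOLATION_SUBNET is the first three octets of the /24 you were assigned
# (assumption: the guest network is a /24; adjust the loop for larger ones).

# ping_sweep SUBNET: one short ping to every host in SUBNET.0/24. Replies are
# discarded; the point is the side effect of populating the neighbour table.
ping_sweep() {
    subnet="$1"
    i=1
    while [ "$i" -le 254 ]; do
        ping -c 1 -W 1 "$subnet.$i" >/dev/null 2>&1 &
        i=$((i + 1))
    done
    wait
}

# neighbour_table: dump the IPv4 neighbour table in whichever format the
# system offers ("ip -4 neigh" on Linux, "arp -an" on macOS/BSD).
neighbour_table() {
    if command -v ip >/dev/null 2>&1; then
        ip -4 neigh show
    else
        arp -an
    fi
}

# parse_neighbours: read neighbour-table text on stdin (either format above)
# and print only the IPv4 addresses that have a resolved MAC address.
# Unresolved entries ("FAILED", "<incomplete>", "(incomplete)") are dropped.
parse_neighbours() {
    awk '
        # ip neigh:  10.0.0.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
        /lladdr/ { print $1; next }
        # arp -an:   ? (10.0.0.7) at aa:bb:cc:dd:ee:ff [ether] on wlan0
        $3 == "at" && $4 ~ /^[0-9A-Fa-f]+(:[0-9A-Fa-f]+)+$/ {
            gsub(/[()]/, "", $2); print $2
        }
    '
}

# classify_peers GATEWAY NEIGHBOURS: NEIGHBOURS is the newline-separated
# output of parse_neighbours. Prints "ISOLATED" and returns 0 when only the
# gateway answered; otherwise prints "NOT ISOLATED: <n> peer(s)", lists the
# peers, and returns 1. A host you can reach is a host that can reach you.
classify_peers() {
    gw="$1"
    peers=$(printf '%s\n' "$2" | awk -v gw="$gw" 'NF && $1 != gw')
    if [ -z "$peers" ]; then
        echo "ISOLATED"
        return 0
    fi
    n=$(printf '%s\n' "$peers" | wc -l | tr -d ' ')
    echo "NOT ISOLATED: $n peer(s)"
    printf '%s\n' "$peers"
    return 1
}

# Run the sweep only when explicitly asked for.
if [ -n "${ISOLATION_SUBNET:-}" ] && [ -n "${ISOLATION_GW:-}" ]; then
    ping_sweep "$ISOLATION_SUBNET"
    classify_peers "$ISOLATION_GW" "$(neighbour_table | parse_neighbours)"
fi
```

A clean "ISOLATED" result is evidence, not proof: peers with a host firewall will not answer ICMP, and isolation enforced on one AP says nothing about what a second AP or the wired side of the same VLAN will forward. A "NOT ISOLATED" result, on the other hand, is conclusive, and is exactly the situation in which the DHCP-side NetBIOS workaround discussed above buys you nothing.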