WD TV Live WITHOUT SMB/Netbios over TCP

Yes this is a first post, but yes I have used the search function.

Specifically, I’m searching for a way to run the wd tv live box without the notoriously insecure and unreliable SMB and NetBIOS over TCP protocols.

I cannot get the WDTV box to find my Windows XP server machine. This machine is configured with SMB and NetBIOS over TCP turned off because these are two of the most notoriously insecure protocols to ever gain mass adoption. http://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP#Security_vulnerabilities Security experts have called these “the most dangerous ports on the internet”. Microsoft and most IT professionals suggest configuring machines without them and blocking their ports at the firewall, so that’s what I’ve done in my home setup. All of my other devices, phones, streaming media devices, …, seem to do fine either by using the newer protocols such as CIFS or by directly typing share names into the client side if the client side does not support the newer more secure protocols, for example \\10.0.0.2\media00 I cannot seem to find a way to do this on the wd tv device, although there must be some backdoor way to do it since it is just Linux with a GUI, I think.

I don’t see a way of either forcing the wd tv to use modern protocols or manually configuring it with the antique ones. From what I can see the only mode of operation is through the SMB/NetBIOS over TCP. Is that correct, or did I miss something?

Any help to set this up within modern security guidelines would be appreciated.

Heheh.  Good one!  

You do realize that CIFS and SMB are the same thing, right?

But anyway, the WD requires NetBIOS for resolution.  No way around it.

Thanks for the definitive answer. So I need ports 137, 138, 139 and all of their associated servers fully running to take advantage of the network share streaming.

Thanks for the CIFS vs SMB clarification.

I always get mixed up on CIFS vs SMB because the last time I configured Samba on my NAS they seemed to mean different things. If I recall correctly configuring for CIFS gets you only the port 445 direct CIFS/SMB while configuring for SMB gets you all of the various protocols. This too may have been fixed or moved out from under me at some point. It’s hard to keep up when you’re not a professional IT guy. Looks like I drew the wrong conclusion.

In theory, you’d only need those ports open/running on the server that’s offering the media.  Should be no need to change anything on other boxes…

I know that this is a long shot, but I’m guessing that this is a Linux based device and that someone has figured out how to root it.

Given that, is there a way to just manually configure the Samba client?    

It seems like a perfectly reasonable device other than this NetBIOS flaw.

http://en.wikipedia.org/wiki/Samba_%28software%29

Still don’t know why these protocols should be any concern when used over a LAN.

The theory is that some OTHER attack vector is used to compromise one machine  (Such as a web server or FTP server), and then once that machine is compromised, use of the NetBIOS / SMB suite makes it easier to compromise other machines on the network. 

So basically, the idea is that NetBIOS over TCP is dangerous because some other protocol is dangerous.

Samba.org and Microsoft both have done a lot of things to strengthen these protocols.  NTLMv2 is a major fix.  

Though the WDTVs are running a fairly modern version of Samba, I’m not sure (since I haven’t looked) if they’re using the stronger security protocols or still using LANMAN.

The basic idea is:   Do you lock your alarm protected car in your locked alarm protected garage?

Before you answer, I have a friend whose unlocked car with the alarm turned off was stolen from his unlocked garage in which the alarm was off.

Mistakes happen, new vulnerabilities arise, …    Setting things up so that each level is secure is good basic practice against the normal course of human error  (I tend to make more than most.)

I too would be interested in knowing what versions they are using and whether there is a way of getting around this by rooting the box and directly configuring Samba.   The rest of the box seems perfectly reasonable.  

Just did a wireshark capture…   It can do NTLMv2 with 128-bit encryption if that’s how the server is configured…

Thanks.    I don’t have the equipment or expertise to do that.    I appreciate it.

beyondChairs wrote:

The basic idea is:   Do you lock your alarm protected car in your locked alarm protected garage? 

Not the most fitting analogy, IMO. My LIVE is behind a router, so with port forwarding disabled it’s practically invisible to any outside attackers. If someone manages to breach the router’s security it probably won’t make much of a difference what protocol he uses to go any further inside my LAN.

Point well taken.     I’m an acknowledged amateur at any real network admin stuff.

My philosophy with each device/protocol has been to enable the most secure version that doesn’t stop me from getting things done.   So far, blocking 137, 138, 139 and relying on 445 only  hasn’t stopped me from getting things done except on the WD TV device.    ( The combination of this issue and the fact that it won’t stream from Amazon will probably result in my returning it.) 

Other than “physical access”, which is the weak point of any computer security system, I think I have two vulnerabilities that could get something onto my home network. The WPA TKIP on the wifi seems to have been cracked. A greater weak point is the fact that I use my laptop on public wifi networks like cafes, AT&T, … The most likely path to difficulty would be to pick up some worm on a public network with the laptop and then bring it into the home network. In theory, a “personal firewall” prevents that, but I have no idea whether or not those work.

My home machines, including the laptop, have never had a problem, but my work laptop (administered by professionals) has been compromised by malware twice in the last decade.     Of course, the sample size is far too small to draw any conclusions.

We’re way off topic here, but it is interesting and educational (for me at least)    ;-)      Thanks again for the definitive informative answers.

beyondChairs wrote:
The WPA TKIP on the wifi seems to have been cracked.

??? My password has 63 chars (the maximum possible) which makes it quite unlikely to be cracked. As for public networks, this is something entirely different. People can sniff your traffic so you better use VPN.
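
The Samba-side settings this thread touches on (whether the server listens on port 139 as well as 445, whether NetBIOS is enabled, and whether LANMAN or NTLMv1 authentication is accepted) can be checked in a server's smb.conf. The following is an added example, not part of the original thread: the sample configuration is constructed, and the parameter names are standard smb.conf options.

```python
# Constructed sample configuration; not taken from any real device.
SAMPLE_CONF = """\
[global]
   workgroup = HOME
   smb ports = 445 139
   disable netbios = no
   lanman auth = yes
   ntlm auth = ntlmv1-permitted

[media00]
   path = /srv/media
"""

TRUE_VALUES = ("yes", "true", "1")

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            params["".join(name.lower().split())] = value.strip().lower()
    return params

def audit(text):
    """List the NetBIOS and legacy-authentication settings that need review."""
    p = parse_global(text)
    findings = []
    if "smbports" not in p:
        findings.append("smb ports not set explicitly (Samba's default list applies)")
    elif "139" in p["smbports"].split():
        findings.append("smb ports includes 139 (NetBIOS session service)")
    if p.get("disablenetbios") not in TRUE_VALUES:
        findings.append("disable netbios is not set to yes")
    if p.get("lanmanauth") in TRUE_VALUES:
        findings.append("lanman auth is enabled")
    if p.get("ntlmauth") in TRUE_VALUES + ("ntlmv1-permitted",):
        findings.append("ntlm auth permits NTLMv1")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```
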