Strange SSID in the air...

 
 
Eric

 
      07-19-2007, 10:57 PM
Hi,

I've been noticing that one of my neighbors occasionally spits out the SSID
"hpsetup", unencrypted on channel 1 (2.412 GHz), in adhoc mode.

I'm not going to mess with it, but was curious as to what it may be? A
printer? A previous adhoc connection on one of their computers (laptop)
that is trying to "re-connect" (that WinXP bug)?

The owners appear to be security minded since their main SSID has a unique
SSID and is WPA-PSK'd... Makes me wonder if they even know they are
radiating this unencrypted "hpsetup"....

Out of respect, I moved one of my SSID's off of channel 1 and onto channel
2. I'd move it further, but I'm already clobbering the air here on
channels 2, 6, 11, 52, and 152. (52 and 152 are 802.11a)





 
Kurt Ullman

 
      07-19-2007, 11:07 PM
In article <469fec60$0$3153$(E-Mail Removed)>,
"Eric" <(E-Mail Removed)> wrote:

> hpsetup



Hewlett-Packard networked printers are usually configured to have an ad-hoc
WiFi network with the SSID named "hpsetup". This allows one to print to the
printer by joining the ad-hoc network. Of course, this assumes that the SW
drivers have been installed onto the host computer.

The WiFi radio can be disabled via a configuration item in the printer's
embedded web server. It is also disabled whenever the Ethernet cable is
attached.

At least according to some fora I got to after googling the above.
 
Eric

 
      07-19-2007, 11:25 PM

"Kurt Ullman" <(E-Mail Removed)> wrote in message
news:kurtullman-(E-Mail Removed)...
> In article <469fec60$0$3153$(E-Mail Removed)>,
> "Eric" <(E-Mail Removed)> wrote:
>
>> hpsetup

>
>
> Hewlett-Packard networked printers are usually configured to have an ad-hoc
> WiFi network with the SSID named "hpsetup". This allows one to print to the
> printer by joining the ad-hoc network. Of course, this assumes that the SW
> drivers have been installed onto the host computer.
>
> The WiFi radio can be disabled via a configuration item in the printer's
> embedded web server. It is also disabled whenever the Ethernet cable is
> attached.
>
> At least according to some fora I got to after googling the above.


That makes sense. Reading a little about it on HP's website...

Seems kind of a drag though. If you want to talk to one of these printers,
then unless you have two wireless NIC's or a bridge connected to it, you
have to come off your network to talk to the printer... HP site also says
that software needs to be installed from CD. That seems to defeat the whole
purpose if this thing is trying to be a "network printer"? The built-in
wireless seems to give more obstacles than anything else. (?) Call me
crazy, but I'd rather use Bluetooth than that. Or, just attach a wireless
bridge to a real network printer... (?)

Cheers,
Eric



 
Jeff Liebermann

 
      07-20-2007, 03:42 AM
On Thu, 19 Jul 2007 18:57:27 -0400, "Eric" <(E-Mail Removed)>
wrote:

>I've been noticing that one of my neighbors occasionally spits out the SSID
>"hpsetup", unencrypted on channel 1 (2.412 GHz), in adhoc mode.


Yep. He probably has a flashy new HP all-in-one printer with wireless
connectivity in addition to ethernet and USB. What happens is that
the printer gets left on (in fax mode) when he turns off the computer.
That disconnects the ethernet connection, so the printer switches to
wireless and goes hunting for something to connect to. (It will only
do either ethernet or wireless, not both). Since he's not using the
wireless, I guess he's found no reason to configure the wireless
settings in the printer.

>I'm not going to mess with it, but was curious as to what it may be? A
>printer? A previous adhoc connection on one of their computers (laptop)
>that is trying to "re-connect" (that WinXP bug)?


Y'er no fun. Of course you want to mess with it. Let it
automatically connect to your computer by setting up an ad-hoc
connection to the printer. It will be much easier if you determine
the exact printer model and download the HP software. When he turns
off the computah for the evening, set up the connection, and leave him
a few printed pages with "Configure thy wireless" inscribed in 72
point type. That might get his attention.

>The owners appear to be security minded since their main SSID has a unique
>SSID and is WPA-PSK'd... Makes me wonder if they even know they are
>radiating this unencrypted "hpsetup"....


He probably doesn't. Wanna guess how I found out how all this works?
I dragged into my palatial office a new HP printer for a customer, set
it up and left. The college brat across the road from my office
decided to have fun and printed me a few messages.

>Out of respect, I moved one of my SSID's off of channel 1 and onto channel
>2. I'd move it further, but I'm already clobbering the air here on
>channels 2, 6, 11, 52, and 152. (52 and 152 are 802.11a)



--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS
 
dold@03.usenet.us.com

 
      07-20-2007, 05:56 PM
Eric <(E-Mail Removed)> wrote:
> I've been noticing that one of my neighbors occasionally spits out the
> SSID "hpsetup", unencrypted on channel 1 (2.412 GHz), in adhoc mode.


There's an open commercial hotspot in town. Within range of that hotspot
are at least two SSIDs, locked, that are "You Think This Is A Hotspot", or
some contrivance like that. I wonder if they were running unlocked and
unmolested until the shop owner started advertising his free WiFi.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
 
Jeff Liebermann

 
      07-20-2007, 07:14 PM
(E-Mail Removed) hath wroth:

>There's an open commercial hotspot in town. Within range of that hotspot
>are at least two SSIDs, locked, that are "You Think This Is A Hotspot", or
>some contrivance like that. I wonder if they were running unlocked and
>unmolested until the shop owner started advertising his free WiFi.


Cute. Most of the SSID's in the off campus residential area for the
local university are obscene or provocative. Another residential
system has some hacked software that belches about 100 different
SSID's. (Security by absurdity). Good luck finding the real SSID in
that mess. The dual SSID Sonicwall system at a local coffee shop is
"hotspot" and "notspot". "Notspot" is of course heavily secured.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
Bert Hyman

 
      07-20-2007, 07:32 PM
(E-Mail Removed) (Jeff Liebermann) wrote in
news:(E-Mail Removed):

> Cute. Most of the SSID's in the off campus residential area for
> the local university are obscene or provocative.


One of my neighbors has an open network with an SSID of "wanna get a
virus?".

--
Bert Hyman | St. Paul, MN | (E-Mail Removed)
 
Jeff Liebermann

 
      07-21-2007, 02:41 AM
On 20 Jul 2007 19:32:38 GMT, Bert Hyman <(E-Mail Removed)> wrote:

>(E-Mail Removed) (Jeff Liebermann) wrote in
>news:(E-Mail Removed) :
>
>> Cute. Most of the SSID's in the off campus residential area for
>> the local university are obscene or provocative.


>One of my neighbors has an open network with an SSID of "wanna get a
>virus?".


One of my customers found one of those sniffing from a hotel. My
customer decided that an open access point was more convenient than
paying the hotel for wireless service. So, when he returned to town,
I got to spend half a day cleaning the viruses off his laptop.

I found a good one today. A new customer was having problems
configuring their wireless. I found that they had used an online
WEP/WPA key generator to create a suitably cryptic WPA-PSK key.
However, they misunderstood the instructions and also used it to
create an SSID consisting of what looked equally cryptic. That would
have been just an inconvenience but I also found that although the
SSID can be 32 characters long, the DI-624 Rev C was only taking 31
characters. A firmware update solved that problem.

Incidentally, they didn't use cut-n-paste to load the characters, but
typed them in by hand. What are the odds of getting it right? Sigh.



--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS
 
Aloke Prasad

 
      07-21-2007, 12:15 PM


Jeff Liebermann wrote:
> On 20 Jul 2007 19:32:38 GMT, Bert Hyman <(E-Mail Removed)> wrote:
>
>> (E-Mail Removed) (Jeff Liebermann) wrote in
>> news:(E-Mail Removed):
>>
>>> Cute. Most of the SSID's in the off campus residential area for
>>> the local university are obscene or provocative.

>
>> One of my neighbors has an open network with an SSID of "wanna get a
>> virus?".

>
> One of my customers found one of those sniffing from a hotel. My
> customer decided that an open access point was more convenient than
> paying the hotel for wireless service. So, when he returned to town,
> I got to spend half a day cleaning the viruses off his laptop.


How would one get a boatful of viruses simply by using an unsecured
network? I am assuming that one is not indulging in unsafe hex, like
visiting seamy sites or downloading questionable applications etc.

If I disable file and printer sharing, enable Windows firewall, and use
an updated antivirus, will I be safe when using public Wi-Fi networks?

My question is basically: If I simply connect to such a network, will my
laptop automatically get filled with virus/spyware etc? or do I have to
do something stupid while using the network to allow this to occur?

Aloke
--
remove the numbers and invalid to email
 
Jeff Liebermann

 
      07-21-2007, 03:57 PM
Aloke Prasad <(E-Mail Removed)> hath wroth:

>How would one get a boatful of viruses simply by using an unsecured
>network?


Sigh. If I tell you how it can be done, everyone and his brother, the
script kiddie, is going to be doing the same thing. I really don't
want to be responsible for all the damage that can be done and this is
not the proper place to be discussing exploits in detail.

However, I'll give you a general clue. Think about URL redirection
(splash page) in the router pointing to a rogue web site or server.
Also, open shares. Remember, that since *YOUR* router is now owned by
the evil hacker, there's much more that can be done than on some
random web site on the internet. In effect, the evil router is the
"man in the middle".

>I am assuming that one is not indulging in unsafe hex, like
>visiting seamy sites or downloading questionable applications etc.


No, it's much easier than that. Incidentally, most of the pioneering
work on what can be done with web pages was done by porno web site
designers.

>If I disable file and printer sharing, enable Windows firewall, and use
>an updated antivirus, will I be safe when using public Wi-Fi networks?


That covers about 80% of the possible attacks. It will not protect
you against phishing (counterfeit web sites), password sniffing (in
the router), simple trickery, DNS redirection, or a few other things I
don't wanna get into. Again, remember that the evil hacker owns
*YOUR* router (or rather the router that you're using). That opens up
many possibilities.

>My question is basically: If I simply connect to such a network, will my
>laptop automatically get filled with virus/spyware etc? or do I have to
>do something stupid while using the network to allow this to occur?


You are probably safe with the security measures mentioned against
everything except password sniffing and faked web sites. In the case
of password sniffing, you don't have to do anything. In the case of
fake web sites, you have to click on something. I don't really want
to describe what my customer did to get a bunch of viruses (actually a
downloader) installed. I'm afraid many of us would have done the same
thing.

>Aloke


Here's a cute example. When you sign up for Comcast service, the CMTS
delivers a rather interesting DNS server. It doesn't matter what you
try to lookup, it always points to the Comcast service signup site.
Now pretend that instead of always pointing to the legitimate site, I
set up a static DNS table that points various ecommerce or banking
sites to my handy phishing web server. To you, it looks like
everything is working just fine as most other sites work normally.
However, when you try to do some banking, you get redirected to the
fake site. Whether you can detect the fake site is largely dependent
on your attention to detail and alarms. Most people will not notice
and simply inscribe their login and password.

In short, this potential for abuse and similar potential problems is
why I don't use many private open wireless access points very much.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
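
The DNS redirection described in the post above can be looked for from the client side. The following is an added example, not part of the original thread: it audits a set of resolver answers gathered on an untrusted network for catch-all answers, local addresses and mismatches against addresses recorded earlier on a trusted network. The hostnames, addresses and the `audit_resolver` helper are assumptions made up for illustration.

```python
import ipaddress

# RFC 1918 and loopback ranges; a public site should never resolve into these.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def audit_resolver(answers, pinned, canaries):
    """Return (kind, hostname, ip) findings for one set of resolver answers.

    answers  -- {hostname: IPv4 string from the local resolver, or None for NXDOMAIN}
    pinned   -- {hostname: set of addresses recorded earlier on a trusted network}
    canaries -- random hostnames that do not exist, so they should not resolve
    """
    findings = []
    # 1. Wildcard answers: the "every lookup goes to the signup page" behaviour.
    for name in canaries:
        if answers.get(name) is not None:
            findings.append(("wildcard", name, answers[name]))
    # 2. Real sites answered with a local address (e.g. a server behind the AP).
    for name, ip in answers.items():
        if ip is None or name in canaries:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LOCAL_NETS):
            findings.append(("non-public", name, ip))
    # 3. Selective redirection: only a comparison with known-good data shows it.
    for name, good in pinned.items():
        ip = answers.get(name)
        if ip is not None and ip not in good:
            findings.append(("pin-mismatch", name, ip))
    return findings

# Constructed sample data; hostnames and addresses are made up for illustration.
PINNED = {"bank.example": {"198.51.100.10"},
          "shop.example": {"203.0.113.20", "203.0.113.21"}}
CANARIES = ["zq7f3k1x9.example", "p0v8w2m4c.example"]
CLEAN = {"bank.example": "198.51.100.10", "shop.example": "203.0.113.21",
         "zq7f3k1x9.example": None, "p0v8w2m4c.example": None}
# Static table that redirects one site and leaves everything else alone.
SELECTIVE = {**CLEAN, "bank.example": "198.51.100.99"}
# Resolver that answers every name with the same local address.
CATCH_ALL = {name: "192.168.1.1" for name in CLEAN}

if __name__ == "__main__":
    for label, ans in (("clean", CLEAN), ("selective", SELECTIVE),
                       ("catch-all", CATCH_ALL)):
        print(label, audit_resolver(ans, PINNED, CANARIES))
```

A pin mismatch on a site served from rotating addresses is not proof of tampering; treat it as a reason to check the TLS certificate before entering credentials.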
 