Newsgroup: alt.internet.wireless (Wireless and Wifi Forums archive)

#1  07-19-2007, 11:57 PM  Eric
Strange SSID in the air...

Hi,

I've been noticing that one of my neighbors occasionally spits out the SSID
"hpsetup", unencrypted on channel 1 (2.412 GHz), in ad-hoc mode.

I'm not going to mess with it, but was curious as to what it may be? A
printer? A previous adhoc connection on one of their computers (laptop)
that is trying to "re-connect" (that WinXP bug)?

The owners appear to be security-minded since their main network has a unique
SSID and is WPA-PSK'd... Makes me wonder if they even know they are
radiating this unencrypted "hpsetup"....

Out of respect, I moved one of my SSIDs off of channel 1 and onto channel
2. I'd move it further, but I'm already clobbering the air here on
channels 2, 6, 11, 52, and 152. (52 and 152 are 802.11a)

#2  07-20-2007, 12:07 AM  Kurt Ullman

In article <469fec60$0$3153$4c368faf@roadrunner.com>,
"Eric" <nobody@nowhere.none.nnn> wrote:

> hpsetup



Hewlett-Packard networked printers are usually configured to have an ad-hoc
WiFi network with the SSID named "hpsetup". This allows one to print to the
printer by joining the ad-hoc network. Of course, this assumes that the SW
drivers have been installed onto the host computer.

The WiFi radio can be disabled via a configuration item in the printer's
embedded web server. It is also disabled whenever the Ethernet cable is
attached.

At least according to some fora I got to after googling the above.

#3  07-20-2007, 12:25 AM  Eric

"Kurt Ullman" <kurtullman@yahoo.com> wrote in message
news:kurtullman-A8F270.19065819072007@customer-201-125-217-207.uninet.net.mx...
> In article <469fec60$0$3153$4c368faf@roadrunner.com>,
> "Eric" <nobody@nowhere.none.nnn> wrote:
>
>> hpsetup

>
>
> Hewlett-Packard networked printers are usually configured to have an ad-hoc
> WiFi network with the SSID named "hpsetup". This allows one to print to the
> printer by joining the ad-hoc network. Of course, this assumes that the SW
> drivers have been installed onto the host computer.
>
> The WiFi radio can be disabled via a configuration item in the printer's
> embedded web server. It is also disabled whenever the Ethernet cable is
> attached.
>
> At least according to some fora I got to after googling the above.


That makes sense. Reading a little about it on HP's website...

Seems kind of a drag though. If you want to talk to one of these printers,
then unless you have two wireless NICs or a bridge connected to it, you
have to come off your network to talk to the printer... HP site also says
that software needs to be installed from CD. That seems to defeat the whole
purpose if this thing is trying to be a "network printer"? The built-in
wireless seems to give more obstacles than anything else. (?) Call me
crazy, but I'd rather use Bluetooth than that. Or, just attach a wireless
bridge to a real network printer... (?)

Cheers,
Eric

#4  07-20-2007, 04:42 AM  Jeff Liebermann

On Thu, 19 Jul 2007 18:57:27 -0400, "Eric" <nobody@nowhere.none.nnn>
wrote:

>I've been noticing that one of my neighbors occasionally spits out the SSID
>"hpsetup", unencrypted on channel 1 (2.412 GHz), in ad-hoc mode.


Yep. He probably has a flashy new HP all-in-one printer with wireless
connectivity in addition to ethernet and USB. What happens is that
the printer gets left on (in fax mode) when he turns off the computer.
That disconnects the ethernet connection, so the printer switches to
wireless and goes hunting for something to connect to. (It will only
do either ethernet or wireless, not both). Since he's not using the
wireless, I guess he's found no reason to configure the wireless
settings in the printer.

>I'm not going to mess with it, but was curious as to what it may be? A
>printer? A previous adhoc connection on one of their computers (laptop)
>that is trying to "re-connect" (that WinXP bug)?


Y'er no fun. Of course you want to mess with it. Let it
automatically connect to your computer by setting up an ad-hoc
connection to the printer. It will be much easier if you determine
the exact printer model and download the HP software. When he turns
off the computah for the evening, set up the connection, and leave him
a few printed pages with "Configure thy your wireless" inscribed in 72
point type. That might get his attention.

>The owners appear to be security minded since their main SSID has a unique
>SSID and is WPA-PSK'd... Makes me wonder if they even know they are
>radiating this unencrypted "hpsetup"....


He probably doesn't. Wanna guess how I found out how all this works?
I dragged into my palatial office a new HP printer for a customer, set
it up and left. The college brat across the road from my office
decided to have fun and printed me a few messages.

>Out of respect, I moved one of my SSIDs off of channel 1 and onto channel
>2. I'd move it further, but I'm already clobbering the air here on
>channels 2, 6, 11, 52, and 152. (52 and 152 are 802.11a)



--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

#5  07-20-2007, 06:56 PM  dold@03.usenet.us.com

Eric <nobody@nowhere.none.nnn> wrote:
> I've been noticing that one of my neighbors occasionally spits out the
> SSID "hpsetup", unencrypted on channel 1 (2.412 GHz), in ad-hoc mode.


There's an open commercial hotspot in town. Within range of that hotspot
are at least two SSIDs, locked, that are "You Think This Is A Hotspot", or
some contrivance like that. I wonder if they were running unlocked and
unmolested until the shop owner started advertising his free WiFi.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5

#6  07-20-2007, 08:14 PM  Jeff Liebermann

dold@03.usenet.us.com hath wroth:

>There's an open commercial hotspot in town. Within range of that hotspot
>are at least two SSIDs, locked, that are "You Think This Is A Hotspot", or
>some contrivance like that. I wonder if they were running unlocked and
>unmolested until the shop owner started advertising his free WiFi.


Cute. Most of the SSIDs in the off campus residential area for the
local university are obscene or provocative. Another residential
system has some hacked software that belches about 100 different
SSIDs. (Security by absurdity). Good luck finding the real SSID in
that mess. The dual SSID Sonicwall system at a local coffee shop is
"hotspot" and "notspot". "Notspot" is of course heavily secured.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#7  07-20-2007, 08:32 PM  Bert Hyman

jeffl@cruzio.com (Jeff Liebermann) wrote in
news:q522a3t8qmq395gkq6ub8vsqkq2vlut53q@4ax.com:

> Cute. Most of the SSIDs in the off campus residential area for
> the local university are obscene or provocative.


One of my neighbors has an open network with an SSID of "wanna get a
virus?".

--
Bert Hyman | St. Paul, MN | bert@iphouse.com

#8  07-21-2007, 03:41 AM  Jeff Liebermann

On 20 Jul 2007 19:32:38 GMT, Bert Hyman <bert@iphouse.com> wrote:

>jeffl@cruzio.com (Jeff Liebermann) wrote in
>news:q522a3t8qmq395gkq6ub8vsqkq2vlut53q@4ax.com :
>
>> Cute. Most of the SSIDs in the off campus residential area for
>> the local university are obscene or provocative.


>One of my neighbors has an open network with an SSID of "wanna get a
>virus?".


One of my customers found one of those sniffing from a hotel. My
customer decided that an open access point was more convenient than
paying the hotel for wireless service. So, when he returned to town,
I got to spend half a day cleaning the viruses off his laptop.

I found a good one today. A new customer was having problems
configuring their wireless. I found that they had used an online
WEP/WPA key generator to create a suitably cryptic WPA-PSK key.
However, they misunderstood the instructions and also used it to
create an SSID consisting of what looked equally cryptic. That would
have been just an inconvenience but I also found that although the
SSID can be 32 characters long, the DI-624 Rev C was only taking 31
characters. A firmware update solved that problem.

Incidentally, they didn't use cut-n-paste to load the characters, but
typed them in by hand. What are the odds of getting it right? Sigh.



--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS
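The SSID-and-passphrase mix-up above is a good place to show what each value actually does in WPA-PSK. This Python block is an added example, not code from the thread: it validates the SSID (at most 32 octets) and the passphrase, derives the PSK as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), and shows why a device that keeps only 31 of 32 SSID characters can never complete the handshake.

```python
"""Check a WPA-PSK configuration and derive the 256-bit pre-shared key.

Added example, not code from the thread. It validates the two values the
post above says were mixed up, the SSID (0-32 octets) and the WPA-PSK
passphrase (8-63 printable ASCII characters, or exactly 64 hex digits for a
raw key), and derives the PSK the way IEEE 802.11i specifies: PBKDF2 with
HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output.
"""
import hashlib
import re

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def check_ssid(ssid: str) -> list:
    """Return the problems found with an SSID; an empty list means it is usable."""
    problems = []
    octets = ssid.encode("utf-8")
    if not octets:
        problems.append("SSID is empty")
    if len(octets) > 32:
        problems.append(f"SSID is {len(octets)} octets, 802.11 allows at most 32")
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in ssid):
        problems.append("SSID has non-ASCII or control characters, some firmware mangles these")
    return problems


def check_passphrase(passphrase: str) -> list:
    """Return the problems found with a WPA-PSK passphrase or raw hex key."""
    if _HEX64.match(passphrase):
        return []  # a raw 256-bit key supplied as 64 hex digits needs no derivation
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append(f"passphrase is {len(passphrase)} characters, must be 8-63 (or 64 hex digits)")
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in passphrase):
        problems.append("passphrase must be printable ASCII (0x20-0x7E)")
    return problems


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PSK (the pairwise master key) for this passphrase and SSID.

    Run check_passphrase() first: a non-ASCII passphrase raises here on purpose.
    """
    if _HEX64.match(passphrase):
        return bytes.fromhex(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def psk_hex(passphrase: str, ssid: str) -> str:
    return derive_psk(passphrase, ssid).hex()


def truncated_ssid_still_matches(passphrase: str, ssid: str, keep: int = 31) -> bool:
    """True only if a device that stores just the first `keep` characters of the
    SSID would derive the same PSK as a device that stores all of it.
    The SSID is the PBKDF2 salt, so one lost character changes every bit of
    the key and the 4-way handshake fails although both sides 'have the
    password'."""
    return psk_hex(passphrase, ssid) == psk_hex(passphrase, ssid[:keep])


if __name__ == "__main__":
    # IEEE 802.11i published test vector: passphrase "password", SSID "IEEE"
    print(psk_hex("password", "IEEE"))
    long_ssid = "A" * 32  # a 32-character SSID, constructed for the demo
    print(check_ssid(long_ssid), truncated_ssid_still_matches("correct horse", long_ssid))
```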

#9  07-21-2007, 01:15 PM  Aloke Prasad

Jeff Liebermann wrote:
> On 20 Jul 2007 19:32:38 GMT, Bert Hyman <bert@iphouse.com> wrote:
>
>> jeffl@cruzio.com (Jeff Liebermann) wrote in
>> news:q522a3t8qmq395gkq6ub8vsqkq2vlut53q@4ax.com:
>>
>>> Cute. Most of the SSIDs in the off campus residential area for
>>> the local university are obscene or provocative.

>
>> One of my neighbors has an open network with an SSID of "wanna get a
>> virus?".

>
> One of my customers found one of those sniffing from a hotel. My
> customer decided that an open access point was more convenient than
> paying the hotel for wireless service. So, when he returned to town,
> I got to spend half a day cleaning the viruses off his laptop.


How would one get a boatful of viruses simply by using an unsecured
network? I am assuming that one is not indulging in unsafe hex, like
visiting seamy sites or downloading questionable applications etc.

If I disable file and printer sharing, enable Windows firewall, and use
an updated antivirus, will I be safe when using public Wi-Fi networks?

My question is basically: If I simply connect to such a network, will my
laptop automatically get filled with virus/spyware etc? or do I have to
do something stupid while using the network to allow this to occur?

Aloke
--
remove the numbers and invalid to email

#10  07-21-2007, 04:57 PM  Jeff Liebermann

Aloke Prasad <aprasad123@columbus.rr.invalid.com> hath wroth:

>How would one get a boatful of viruses simply by using an unsecured
>network?


Sigh. If I tell you how it can be done, everyone and his brother, the
script kiddie, is going to be doing the same thing. I really don't
want to be responsible for all the damage that can be done and this is
not the proper place to be discussing exploits in detail.

However, I'll give you a general clue. Think about URL redirection
(splash page) in the router pointing to a rogue web site or server.
Also, open shares. Remember that since *YOUR* router is now owned by
the evil hacker, there's much more that can be done than on some
random web site on the internet. In effect, the evil router is the
"man in the middle".

>I am assuming that one is not indulging in unsafe hex, like
>visiting seamy sites or downloading questionable applications etc.


No, it's much easier than that. Incidentally, most of the pioneering
work on what can be done with web pages was done by porno web site
designers.

>If I disable file and printer sharing, enable Windows firewall, and use
>an updated antivirus, will I be safe when using public Wi-Fi networks?


That covers about 80% of the possible attacks. It will not protect
you against phishing (counterfeit web sites), password sniffing (in
the router), simple trickery, DNS redirection, or a few other things I
don't wanna get into. Again, remember that the evil hacker owns
*YOUR* router (or rather the router that you're using). That opens up
many possibilities.

>My question is basically: If I simply connect to such a network, will my
>laptop automatically get filled with virus/spyware etc? or do I have to
>do something stupid while using the network to allow this to occur?


You are probably safe with the security measures mentioned against
everything except password sniffing and faked web sites. In the case
of password sniffing, you don't have to do anything. In the case of
fake web sites, you have to click on something. I don't really want
to describe what my customer did to get a bunch of viruses (actually a
downloader) installed. I'm afraid many of us would have done the same
thing.

>Aloke


Here's a cute example. When you sign up for Comcast service, the CMTS
delivers a rather interesting DNS server. It doesn't matter what you
try to look up, it always points to the Comcast service signup site.
Now pretend that instead of always pointing to the legitimate site, I
setup a static DNS table that points various ecommerce or banking
sites to my handy phishing web server. To you, it looks like
everything is working just fine as most other sites work normally.
However, when you try to do some banking, you get redirected to the
fake site. Whether you can detect the fake site is largely dependent
on your attention to detail and alarms. Most people will not notice
and simply inscribe their login and password.

In short, this potential for abuse and similar potential problems is
why I don't use many private open wireless access points very much.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#11  07-21-2007, 05:07 PM  Kurt Ullman

In article <uo94a3thkb00jl942cq2vs6t8ko2uoshfq@4ax.com>,
Jeff Liebermann <jeffl@cruzio.com> wrote:

> In short, this potential for abuse and similar potential problems is
> why I don't use many private open wireless access points very much.


The places that I go to that require passwords (specifically to sign
on to Yahoo and the webmail for my REAL e-mail address) are all secure
sockets (the lock is locked). Does this have any impact on trying to
sniff passwords?

#12  07-21-2007, 05:36 PM  Travis McGee

I've followed this thread with interest, as I'm learning about wireless
networking from scratch. I also know about the cracking being done and all
the programs that allow some password cracking, sniffing, etc.

However, I'm wondering if we are all not just a bit paranoid about all
this.....

Take Win for example. If MS wasn't such a big target, then all these
updates, patches, etc wouldn't be needed and our lives would be much
simpler. It also seems to me that AV software benefits from virii, since they
become a needed commodity.

Which brings me to my point. With all the "security consultants" out there
looking for work, wouldn't it be a good thing (for them) to hype the holes
in wifi?
Say I've got a wifi router, set to AES security, shared pass phrase, and
limited range. How "actually" vulnerable am I really?

So, OK, the public spots may be more problematic. So, can you not use common
sense and be done with it?

I'm not trying to start a flame war, just a little discussion..........

#13  07-21-2007, 06:12 PM  Jeff Liebermann

Kurt Ullman <kurtullman@yahoo.com> hath wroth:

>In article <uo94a3thkb00jl942cq2vs6t8ko2uoshfq@4ax.com>,
> Jeff Liebermann <jeffl@cruzio.com> wrote:
>
>> In short, this potential for abuse and similar potential problems is
>> why I don't use many private open wireless access points very much.


> The places that I go to that require passwords (specifically to sign
>on to Yahoo and the webmail for my REAL e-mail address) are all secure
>sockets (the lock is locked). Does this have any impact on trying to
>sniff passwords?


I don't know any easy way to circumvent SSL/TLS security. It is
possible to do a man in the middle attack on SSL.
<http://www.sans.org/reading_room/whitepapers/threats/480.php>
I'm not sure exactly how to implement this, but I suspect that having
the hacker own the user's connecting router certainly makes things
easier.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#14  07-21-2007, 06:18 PM  Kurt Ullman

In article <3ef4a3t64h9a4f641tei8f09nfn9m5slbv@4ax.com>,
Jeff Liebermann <jeffl@cruzio.com> wrote:

> Kurt Ullman <kurtullman@yahoo.com> hath wroth:
>
> >In article <uo94a3thkb00jl942cq2vs6t8ko2uoshfq@4ax.com>,
> > Jeff Liebermann <jeffl@cruzio.com> wrote:
> >
> >> In short, this potential for abuse and similar potential problems is
> >> why I don't use many private open wireless access points very much.

>
> > The places that I go to that require passwords (specifically to sign
> >on to Yahoo and the webmail for my REAL e-mail address) are all secure
> >sockets (the lock is locked). Does this have any impact on trying to
> >sniff passwords?

>
> I don't know any easy way to circumvent SSL/TLS security. It is
> possible to do a man in the middle attack on SSL.
> <http://www.sans.org/reading_room/whitepapers/threats/480.php>
> I'm not sure exactly how to implement this, but I suspect that having
> the hacker own the user's connecting router certainly makes things
> easier.


So, would you call this a minor, major or no concern to people using
the WIFI at Paneras or your local Holiday Inn or Starbucks?
I rented a house last Jan and Feb in FL and plugged directly into
the modem for real high value stuff like my bank. Any reason this is
overkill, or is this more prudent surfing?

#15  07-21-2007, 06:37 PM  Jeff Liebermann

"Travis McGee" <rukidding@aol.com> hath wroth:

>However, I'm wondering if we are all not just a bit paranoid about all
>this.....


Yes. Only the paranoid survive (which was the title of a book by
Andrew Grove of Intel).

>Take Win for example. If MS wasn't such a big target, then all these
>updates, patches, etc wouldn't be needed and our lives would be much
>simpler. It also seems to me that AV software benefits from virii, since they
>become a needed commodity.


Sure. Enforcement and compliance are big business. Where would crime
fighters be without crimes? If you eliminate one crime, just create a
new one to fill in the shortfall. Same with security. If it weren't
for hackers, bugs, exploits, etc, there wouldn't be any need for
prophylactic software.

>Which brings me to my point. With all the "security consultants" out there
>looking for work, wouldn't it be a good thing (for them) to hype the holes
>in wifi?


They are doing exactly that. Almost all the major security holes have
been discovered and announced by various "security researchers".
However, it's not just to promote their consulting business. It's
because the various culprits (Microsoft et al) aren't really thrilled
about admitting they have problems. Someone has to do the research
and announcements. Who else would you prefer to do it? The
governmint?

>Say I've got a wifi router, set to AES security, shared pass phrase, and
>limited range. How "actually" vulnerable am I really?


I have no idea. Security is a systems problem. Just because one
component is secure doesn't mean the system also is secure. For
example, one of my corporate customers bought a very expensive
wireless bridge with more than adequate security and encryption. They
asked me to verify that it couldn't be sniffed or hacked. Instead, I
picked the lock on the wiring closet in the hallway, and plugged into
their unencrypted ethernet network, thus bypassing all their
security. I've done the same thing to other companies with
unprotected ethernet ports. If I really wanted to break into your
system, I couldn't do it via wireless. Instead, I would find where
your ethernet connects, and simply install a wireless bridge radio. I
can make it look like a wall wart so you would probably not even
notice.

Also, you mentioned "shared pass phrase". I think that's marginal
security. If I can get physical access to your computah, I can usually
extract the shared WPA key from your Windoze registry. For example:
<http://www.wirelessdefence.org/Contents/Aircrack-ng_WinWzcook.htm>

I was at a party about a week ago and did exactly that to the owner's
wireless network. I was playing on my laptop using his wireless
network. The owner is an IT manager at a large organization and
almost immediately asked how the (deleted expletive) I had managed to
hack into his wireless network. It took me exactly 12 seconds (I
timed it) to recover the key with a scripted USB memory dongle, and
about 2 minutes of fumbling to configure WPA-PSK on my laptop.

In other words, the wireless was quite secure from external attack,
but not from internal attack. He's looking into getting a RADIUS
server to prevent a repetition.

>So, OK, the public spots may be more problematic. So, can you not use common
>sense and be done with it?


Sure you can. It doesn't take much to stop the well known attacks and
script kiddies. However, anyone with a good understanding of how the
system works can easily cause problems. Just make a list of the
possible exploits and assign a number to the probability you'll be
attacked using each exploit. Sort. Then, you can easily determine
what to worry about. (Note: I haven't done this as it's too much
work).

Drivel: One of my coffee shop hot spots has quite a bit of wireless
traffic. They're showing 19 users on a Saturday morning. Business
must be good. I've been logging how often and how long the various
VPN tunnels are being used (IPSec, PPTP, and L2TP) for about 2 weeks.
I see IPSec 3 times, and PPTP 8 times (2 of which are me). So much
for VPN hot spot security.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#16  07-21-2007, 07:37 PM  Jeff Liebermann

Kurt Ullman <kurtullman@yahoo.com> hath wroth:

>> I don't know any easy way to circumvent SSL/TLS security. It is
>> possible to do a man in the middle attack on SSL.
>> <http://www.sans.org/reading_room/whitepapers/threats/480.php>
>> I'm not sure exactly how to implement this, but I suspect that having
>> the hacker own the user's connecting router certainly makes things
>> easier.


> So, would you call this a minor, major or no concern to people using
>the WIFI at Paneras or your local Holiday Inn or Starbucks?


I don't know. I'm not a security expert. My guess(tm) is that it's
minor because it appears to be very difficult. However, the history
of computer security seems to be punctuated by minor concerns
becoming major headaches overnight immediately after someone writes a
scripted exploit. Assuming nobody has wiretapped the house network,
you're probably fairly safe from a man in the middle SSL attack.

> I rented a house last Jan and Feb in FL and plugged directly into
>the modem for real high value stuff like my bank. Any reason this is
>overkill or is this more prudent surfing>?


The banks all use some form of SSL security. As long as you use
something like BofA's SiteKey:
<http://www.bankofamerica.com/privacy/sitekey/>
to prevent phishing, I think you're safe for now. BofA is also a PITA
for missing passwords. One typo and they ask you to re-enter all your
personal info. I guess it's more secure, but it's sure an irritation.
Anyway, SSL/TLS is end to end security, so sniffing or man in the
middle is difficult.

Incidentally, one very real danger to online banking is a keylogger
capturing your login and password. If you're in the habit of making
big online bank transactions, I strongly suggest you ask about "one
time key" dongles for generating passwords:
<http://www.networkworld.com/news/2007/050207-verisign-to-use-one-time-passwords.html>
<http://en.wikipedia.org/wiki/Security_token>
It's fairly new and none of the major banks are doing this for small
accounts. However, I expect to see it quite commonly used immediately
after the next security disaster. There are also rumors that PayPal
might offer the service. Dunno.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
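The one-time-password dongles mentioned above are, in the common case, HOTP tokens (RFC 4226). This Python block is an added example, not code from the thread or from any bank; it implements HOTP with the RFC's published test secret and a small server-side verifier that accepts each code once, which is what makes a keylogged code worthless.

```python
"""HOTP, the counter-based one-time password of RFC 4226, as used by the
hardware tokens the post above suggests for online banking.

Added example, not code from the thread. It shows why a keylogger capturing
one code gets nothing reusable: the server accepts each counter value once
and moves on. The secret and expected codes are the RFC 4226 test vector,
not a real token's seed.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the HOTP value for one counter (RFC 4226 section 5.3)."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server-side state for one token: the next counter it expects to see."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.counter = 0  # next unused counter
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, code: str) -> bool:
        """Accept `code` if it matches one of the next `look_ahead` counters
        (the token may have been pressed without logging in), then advance
        past it so the same code can never be accepted again."""
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1
                return True
        return False


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890")
RFC4226_SECRET = b"12345678901234567890"


def replay_demo() -> tuple:
    """Return (first_use_ok, replay_ok, later_ok) for a captured code."""
    server = HotpVerifier(RFC4226_SECRET)
    captured = hotp(RFC4226_SECRET, 0)  # what a keylogger would record
    first = server.verify(captured)  # legitimate login: accepted
    replay = server.verify(captured)  # the same code replayed: rejected
    later = server.verify(hotp(RFC4226_SECRET, 3))  # user skipped two codes, still inside the window
    return first, replay, later


if __name__ == "__main__":
    print([hotp(RFC4226_SECRET, c) for c in range(4)])
    print(replay_demo())
```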

#17  07-21-2007, 07:54 PM  Kurt Ullman

In article <dgj4a3pdilef7q3qtek47g1a2pjsb66nj1@4ax.com>,
Jeff Liebermann <jeffl@cruzio.com> wrote:

> The banks all use some form of SSL security. As long as you use
> something like BofA's SiteKey:
> <http://www.bankofamerica.com/privacy/sitekey/>
> to prevent phishing, I think you're safe for now. BofA is also a PITA
> for missing passwords.

Anytime I get e-mail from my bank or utility or other, I just call
the appropriate 800 number from the statement. That precludes any phishing
problems at all. And sometimes I let the bank know of a new phishing
attempt.



> Incidentally, one very real danger to online banking is a keylogger
> capturing your login and password. If you're in the habit of making
> big online bank transactions, I strongly suggest you ask about "one
> time key" dongles for generating passwords:
> <http://www.networkworld.com/news/200...e-time-passwor
> ds.html>
> <http://en.wikipedia.org/wiki/Security_token>

I'll check into this with my peeps at the bank. It is a combined
checking/broker account. I check on it pretty much daily because of
that.

#18  07-21-2007, 09:33 PM  Eric

"Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message
news:78b0a3d3kv8i70uvq88agfdqnli0scoi59@4ax.com...

> Y'er no fun. Of course you want to mess with it. Let it
> automatically connect to your computer by setting up an ad-hoc
> connection to the printer. It will be much easier if you determine
> the exact printer model and download the HP software. When he turns
> off the computah for the evening, set up the connection, and leave him
> a few printed pages with "Configure thy your wireless" inscribed in 72
> point type. That might get his attention.
>


LOL. That may be an idea for a rainy day...

#19  07-21-2007, 09:52 PM  Eric

"Aloke Prasad" <aprasad123@columbus.rr.invalid.com> wrote in message
news:46a1f8ec$0$8047$4c368faf@roadrunner.com...
> How would one get a boatful of viruses simply by using an unsecured
> network? I am assuming that one is not indulging in unsafe hex, like
> visiting seamy sites or downloading questionable applications etc.


Two words: Captive Portal. Jeff answered everything else.

> If I disable file and printer sharing, enable Windows firewall, and use an
> updated antivirus, will I be safe when using public Wi-Fi networks?


Don't forget about social engineering. Like already said in the thread, the
MitM can make anything you "connect to" look legit. At minimum, all the
MitM needs to do is to simply run a web server and change his hosts file.

> My question is basically: If I simply connect to such a network, will my
> laptop automatically get filled with virus/spyware etc? or do I have to
> do something stupid while using the network to allow this occur?


Not necessarily, but do you want to be automatically strobed and probed for
vulnerabilities? If you are doing all the above, plus using Firefox, you
will "likely" be okay. No guarantees though. The MitM is counting on
connectees with little security, who are using Internet Explorer. They
won't last seconds...

Security is a two way street. So much attention has been put on securing
your own wireless networks, while relatively little has been given towards
security from the client connectee perspective. This seems to be changing
though. That open, unencrypted, default SSID that looks tempting to use in
public could very well be a honeypot. The first line of security should be
common sense...

#20  07-22-2007, 08:14 PM  Aloke Prasad

Jeff Liebermann wrote:
> Aloke Prasad <aprasad123@columbus.rr.invalid.com> hath wroth:
>
>> How would one get a boatful of viruses simply by using an unsecured
>> network?

>
> Sigh. If I tell you how it can be done, everyone and his brother, the
> script kiddie, is going to be doing the same thing. I really don't
> want to be responsible for all the damage that can be done and this is
> not the proper place to be discussing exploits in detail.
>
> However, I'll give you a general clue. Think about URL redirection
> (splash page) in the router pointing to a rogue web site or server.
> Also, open shares. Remember that since *YOUR* router is now owned by
> the evil hacker, there's much more that can be done than on some
> random web site on the internet. In effect, the evil router is the
> "man in the middle".


URL redirection: will some of the anti-phishing features in Firefox or
IE7 help in this case? This is a serious problem if people are unable
to detect this on public network.

How can I verify if any of this is happening on my home network (with
the cable modem assigning Gateway+DNS to the Linksys router etc.)?

....
>> If I disable file and printer sharing, enable Windows firewall, and use
>> an updated antivirus, will I be safe when using public Wi-Fi networks?

>
> That covers about 80% of the possible attacks. It will not protect
> you against phishing (counterfeit web sites), password sniffing (in
> the router), simple trickery, DNS redirection, or a few other things I
> don't wanna get into. Again, remember that the evil hacker owns
> *YOUR* router (or rather the router that you're using). That opens up
> many possibilities.


Is the "Evil hacker owning the router" scenario applicable for public
routers at airports, Starbucks etc.? While those are administered by
professionals (I hope), I suppose it is safest to assume that they could
be compromised.

How do I detect password sniffing in the (public) router? I'm assuming
that this will not happen on my home router (WRT54GS). What about my
ISP's router? How do I detect password sniffing in general?

>> My question is basically: If I simply connect to such a network, will my
>> laptop automatically get filled with virus/spyware etc? or do I have to
>> do something stupid while using the network to allow this occur?

>
> You are probably safe with the security measures mentioned against
> everything except password sniffing and faked web sites. In the case
> of password sniffing, you don't have to do anything. In the case of
> fake web sites, you have to click on something. I don't really want
> to describe what my customer did to get a bunch of viruses (actually a
> downloader) installed. I'm afraid many of us would have done the same
> thing.


What if I save a bunch of bookmarks (like the bank's login page) with IP
addresses instead of domain names. I bet the IP addresses of commercial
pages don't change that often.

Password sniffing has me worried, though. How to detect/deal with that?

Aloke
--
remove the numbers and invalid to e-mail me

Reply With Quote
  #21 (permalink)  
Old 07-23-2007, 01:38 AM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: Strange SSID in the air...

Aloke Prasad <aprasad123@columbus.rr.invalid.com> hath wroth:

>URL redirection: will some of the anti-phishing features in Firefox or
>IE7 help in this case? This is a serious problem if people are unable
>to detect this on public network.


Good question. No. It won't be detected at all:
<http://www.mozilla.com/en-US/firefox/phishing-protection/>
Try the test site at:
<http://www.mozilla.com/firefox/its-a-trap.html>
The problem is that Firefox, IE, Norton, etc require a list of "known
phishing sites" to be effective. Chances that a coffee shop web site
was reported and verified to be a phishing site is zero.

>How can I verify if any of this is happening on my home network (with
>the cable modem assigning Gateway+DNS to the Linksys router etc.)?


Sigh. Another good question. Probably not detectable. The problem
with a hacker controlled router at the user end is that there's no way
to verify that DNS lookups actually point to the real web site.

You can test the problem easily on your own machine.
First, clear the DNS cache with:
start -> run -> cmd <enter>
ipconfig /flushdns
Under XP or W2K go to the hosts file at:
C:\WINNT\system32\drivers\etc\hosts
Add a line at the bottom of the hosts file with:
74.125.19.147 www.wellsfargo.com
The IP address is one of Google's many servers. Now, fire up your
favorite browser and go to:
http://www.wellsfargo.com
Guess what? You went to Google instead. No warning, no indication
that it's been redirected, and everything looks just fine. Note that
some anti-virus and anti-spyware programs will detect changes to the
hosts file, but that's not the point. This is just a simulation of
what can be done by manipulating DNS. If this were the real thing,
the changes would be made in the router, where the anti-whatever
program would not be able to see or detect anything. When you're done
tinkering and testing, run:
ipconfig /flushdns
to clear the bogus entries from your machine.

>Is the "Evil hacker owning the router" scenario applicable for public
>routers at airports, Starbucks etc? While those are administered by
>professionals (I hope), I suppose it is safest to assume that they could
>be compromised.


Assumption, the mother of all screwups. In this case, we have to
assume that they are professionally administered by a competent
service company with an active concern for the security of their
customers' data. It would not do to have the lack of adequate
protection precipitate an identity theft, and have the customer turn
around and sue the provider. I think that's a fair assumption for
most large hotspots.

However, it is NOT a good assumption for the do it thyself variety
found in hotels, coffee shops, and in particular home users. If you
must use one of these, kindly invest in a VPN/SSL/TLS tunneling
service:
<http://wireless.wikia.com/wiki/Wi-Fi#SSL.2FTLS>
Or arrange something with your ISP.

>How do I detect password sniffing in the (public) router?


You can't. Passive sniffing does not require the sniffer to send any
data. If the data moving on the wireless or wired part of the network
are unencrypted, sniffing is trivial. Even if the wireless part were
encrypted, it would still be possible to sniff the traffic in the
backhaul or at the wired connection.

>I'm assuming
>that this will not happen on my home router (WRT54GS). What about my
>ISP's router? How do I detect password sniffing in general?


Again, you can't. The government requires ISPs to provide sniffing
services to fight crime or some such rubbish.
<http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act>
<http://en.wikipedia.org/wiki/Carnivore_(FBI)>

>What If I save a bunch of bookmarks (like the bank's login page) with IP
>addresses instead of domain names. I bet the IP addresses of commercial
>pages don't change that often.


You'll lose your bet. Most large web sites have a number of gateway
servers, all over the world. They're controlled by a load balancer
which usually delivers the IP address of a server with minimal
utilization for new connection requests. The idea is to prevent users
from overloading one server, while another remains under-utilized.
This is most often done with DNS redirection, which prevents you from
using a static IP address. You can go to a site by IP address, but
then there's no guarantee that you won't hit a very busy server, or
one that is temporarily down for maintenance or backups. It also gets
really complicated if your ISP is running anycast DNS servers, where
the IP address of the DNS server can also change.

C:\>nslookup
Default Server: DD-WRT
Address: 192.168.1.1
> set type=A
> www.google.com

Server: DD-WRT
Address: 192.168.1.1

Non-authoritative answer:
Name: www.l.google.com
Addresses: 74.125.19.147, 74.125.19.104, 74.125.19.99,
74.125.19.103
Aliases: www.google.com

4 different IP addresses for Google. If I try it later tonite, it
will probably be a different collection.

>Password sniffing has me worried, though. How to detect/deal with that?
>Aloke


You can't detect sniffing. Make sure you never send your password in
the clear. That means you have to go through a long list of really
dumb applications that are not very smart about encrypting passwords.
In particular, telnet, ftp, POP3, authenticated SMTP, and various web
forms. Take each application INDIVIDUALLY and determine exactly how
it deals with passwords. Also realize that your "saved passwords" is
a perfect target for hackers. I have 400 passwords, so it's
impossible to use unique passwords for all of these accounts. So,
divide up the list by priority. Anything that involves a movement of
money or might cause problems with identity theft if leaked gets:
1. A unique non-dictionary pronounceable password.
2. Does NOT get saved on my various machines.
3. Is stored on my removable USB dongle. Both the file and the
entire dongle are encrypted.
4. Backed up to an identical USB dongle and buried in my safe deposit
box.
5. The really important (banking, finance, medical) passwords get
changed regularly.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Reply With Quote
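The hosts-file trick described above is exactly the kind of change an anti-virus program watches for. As an added example (not code from Jeff's post), here is a small Python audit of a Windows-style hosts file that flags any fully qualified hostname pinned to an address other than loopback; the sample file content is constructed, and the set of expected names is an assumption. As the post says, a redirect made in the router's DNS would not show up here at all.

```python
import ipaddress

# Constructed sample of a Windows hosts file, with the redirect line from
# the post (74.125.19.147 www.wellsfargo.com) appended at the bottom.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.1     dd-wrt          # single-label LAN shortcut, not flagged
74.125.19.147 www.wellsfargo.com
"""

# Names a hosts file is expected to define (assumed list). Anything else
# that looks like a public DNS name and is not mapped to loopback is
# reported: a hosts entry overrides DNS, so it should be intentional.
EXPECTED_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (ip_address, [hostnames]) from hosts-file text.

    Blank lines, comment lines and inline '#' comments are ignored, and
    lines whose first field is not a valid IPv4/IPv6 address are skipped.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments, inline too
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed line, skip it
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address
        entries.append((ip, [name.lower() for name in fields[1:]]))
    return entries


def find_redirects(entries):
    """Return (hostname, ip) pairs for dotted names pinned away from loopback."""
    hits = []
    for ip, names in entries:
        for name in names:
            if "." in name and name not in EXPECTED_NAMES and not ip.is_loopback:
                hits.append((name, str(ip)))
    return hits


if __name__ == "__main__":
    for name, ip in find_redirects(parse_hosts(SAMPLE_HOSTS)):
        print(f"hosts file pins {name} to {ip}: verify this is intentional")
```

Run against the sample it reports the www.wellsfargo.com line and nothing else; a private LAN address pinned to a public-looking name is reported too, since a captive portal or a test web server on the LAN can just as easily sit behind such an entry.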
  #22 (permalink)  
Old 07-23-2007, 03:44 AM
Aloke Prasad
Guest
 
Posts: n/a
Default Re: Strange SSID in the air...

Gee.. You have taken all the fun out of using WiFi on the road :-)

Seriously, thanks for all your replies. It has been a learning experience.

Aloke
--
Remove invalid and the numbers to send me e-mail

Jeff Liebermann wrote:
> Aloke Prasad <aprasad123@columbus.rr.invalid.com> hath wroth:
>
>> URL redirection: will some of the anti-phishing features in Firefox or
>> IE7 help in this case? This is a serious problem if people are unable
>> to detect this on public network.

>
> Good question. No. It won't be detected at all:
> <http://www.mozilla.com/en-US/firefox/phishing-protection/>
> Try the test site at:
> <http://www.mozilla.com/firefox/its-a-trap.html>
> The problem is that Firefox, IE, Norton, etc require a list of "known
> phishing sites" to be effective. Chances that a coffee shop web site
> was reported and verified to be a phishing site is zero.
>
>> How can I verify if any of this is happening on my home network (with
>> the cable modem assigning Gateway+DNS to the Linksys router etc.)?

>
> Sigh. Another good question. Probably not detectable. The problem
> with a hacker controlled router at the user end is that there's no way
> to verify that DNS lookups actually point to the real web site.
>
> You can test the problem easily on your own machine.
> First, clear the DNS cache with:
> start -> run -> cmd <enter>
> ipconfig /flushdns
> Under XP or W2K go to the hosts file at:
> C:\WINNT\system32\drivers\etc\hosts
> Add a line at the bottom of the hosts file with:
> 74.125.19.147 www.wellsfargo.com
> The IP address is one of Google's many servers. Now, fire up your
> favorite browser and go to:
> http://www.wellsfargo.com
> Guess what? You went to Google instead. No warning, no indication
> that it's been redirected, and everything looks just fine. Note that
> some anti-virus and anti-spyware programs will detect changes to the
> hosts file, but that's not the point. This is just a simulation of
> what can be done by manipulating DNS. If this were the real thing,
> the changes would be made in the router, where the anti-whatever
> program would not be able to see or detect anything. When you're done
> tinkering and testing, run:
> ipconfig /flushdns
> to clear the bogus entries from your machine.
>
>> Is the "Evil hacker owning the router" scenario applicable for public
>> routers at airports, Starbucks etc? While those are administered by
>> professionals (I hope), I suppose it is safest to assume that they could
>> be compromised.

>
> Assumption, the mother of all screwups. In this case, we have to
> assume that they are professionally administered by a competent
> service company with an active concern for the security of their
> customers' data. It would not do to have the lack of adequate
> protection precipitate an identity theft, and have the customer turn
> around and sue the provider. I think that's a fair assumption for
> most large hotspots.
>
> However, it is NOT a good assumption for the do it thyself variety
> found in hotels, coffee shops, and in particular home users. If you
> must use one of these, kindly invest in a VPN/SSL/TLS tunneling
> service:
> <http://wireless.wikia.com/wiki/Wi-Fi#SSL.2FTLS>
> Or arrange something with your ISP.
>
>> How do I detect password sniffing in the (public) router?

>
> You can't. Passive sniffing does not require the sniffer to send any
> data. If the data moving on the wireless or wired part of the network
> are unencrypted, sniffing is trivial. Even if the wireless part were
> encrypted, it would still be possible to sniff the traffic in the
> backhaul or at the wired connection.
>
>> I'm assuming
>> that this will not happen on my home router (WRT54GS). What about my
>> ISP's router? How do I detect password sniffing in general?

>
> Again, you can't. The government requires ISPs to provide sniffing
> services to fight crime or some such rubbish.
> <http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act>
> <http://en.wikipedia.org/wiki/Carnivore_(FBI)>
>
>> What If I save a bunch of bookmarks (like the bank's login page) with IP
>> addresses instead of domain names. I bet the IP addresses of commercial
>> pages don't change that often.

>
> You'll lose your bet. Most large web sites have a number of gateway
> servers, all over the world. They're controlled by a load balancer
> which usually delivers the IP address of a server with minimal
> utilization for new connection requests. The idea is to prevent users
> from overloading one server, while another remains under-utilized.
> This is most often done with DNS redirection, which prevents you from
> using a static IP address. You can go to a site by IP address, but
> then there's no guarantee that you won't hit a very busy server, or
> one that is temporarily down for maintenance or backups. It also gets
> really complicated if your ISP is running anycast DNS servers, where
> the IP address of the DNS server can also change.
>
> C:\>nslookup
> Default Server: DD-WRT
> Address: 192.168.1.1
> > set type=A
> > www.google.com

> Server: DD-WRT
> Address: 192.168.1.1
>
> Non-authoritative answer:
> Name: www.l.google.com
> Addresses: 74.125.19.147, 74.125.19.104, 74.125.19.99,
> 74.125.19.103
> Aliases: www.google.com
>
> 4 different IP addresses for Google. If I try it later tonite, it
> will probably be a different collection.
>
>> Password sniffing has me worried, though. How to detect/deal with that?
>> Aloke

>
> You can't detect sniffing. Make sure you never send your password in
> the clear. That means you have to go through a long list of really
> dumb applications that are not very smart about encrypting passwords.
> In particular, telnet, ftp, POP3, authenticated SMTP, and various web
> forms. Take each application INDIVIDUALLY and determine exactly how
> it deals with passwords. Also realize that your "saved passwords" is
> a perfect target for hackers. I have 400 passwords, so it's
> impossible to use unique passwords for all of these accounts. So,
> divide up the list by priority. Anything that involves a movement of
> money or might cause problems with identity theft if leaked gets:
> 1. A unique non-dictionary pronounceable password.
> 2. Does NOT get saved on my various machines.
> 3. Is stored on my removable USB dongle. Both the file and the
> entire dongle are encrypted.
> 4. Backed up to an identical USB dongle and buried in my safe deposit
> box.
> 5. The really important (banking, finance, medical) passwords get
> changed regularly.
>


Reply With Quote
  #23 (permalink)  
Old 07-23-2007, 04:10 AM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: Strange SSID in the air...

Aloke Prasad <aprasad123@columbus.rr.invalid.com> hath wroth:

>Gee.. You have taken all the fun out of using WiFi on the road :-)


Well, I use wireless on the road. However, I cheat. I have a VPN or
PPTP termination on my office router, home router, and various ISP's.
Here's an example of one ISP's setup:
<http://sonic.net/features/vpn/>
<http://sonic.net/support/ss/windows/vpn/>
Everything outside the tunnel is encrypted and un-sniffable. Doing
this to my home or office router is a problem due to limited outgoing
bandwidth. It's really slow. However, for just checking if some
email I was expecting, it's fine.

>Seriously, thanks for all your replies. It has been a learning experience.


Thanks. If you understand how such things work, you can easily avoid
problems. If you just trust in the odds, in luck, or in marginal
security suggestions, without an understanding of how it works, you're
going to have a problem. The problem is that the various layers,
acronyms, protocols, add-ons, shims, supplicants, AAA, and buzzwords
are becoming very difficult to absorb. I've been doing this for a
long time, so I get to absorb new things in small bites. Someone just
getting started gets instantly overwhelmed. Learning is a good thing,
but don't blame yourself if it goes together like a bad jigsaw puzzle.


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Reply With Quote