Friday, 30 May 2014

Antivirus: The balance between privacy and security

I read an article the other day which showed antivirus software in a whole new light. MakeUseOf had picked up on a report by AV-Comparatives that analysed what data was being transmitted by a host of antivirus products.

I have been using a wide variety of security products over the years, and this year I was so impressed with the latest free version of Avast that I very nearly purchased the paid-for version. I am now having second thoughts, though, as the report linked above found, worryingly, that a number of popular products send the following information and files to the vendor (whether encrypted or unencrypted is not clear):

  • The computer name
  • The Windows username
  • The local IP address
  • Information about third party applications
  • Information about running processes
  • Operating System event logs
  • A list of all visited URLs
  • The name and path of files
  • Documents that may be classified as suspicious

I don't understand why, if the product sends a unique identifier for the user and machine on which it is installed, things like Windows username and computer name are required.

I have highlighted documents in the list as this is potentially the most troublesome. It is entirely possible your sensitive documents could end up stored somewhere in the EU/Russia/Korea/USA just because your antivirus product classified them a certain way.

There is a longer list of what information is sent, but some of this information, such as version numbers and operating systems, is obviously essential for updates and so forth.

I urge you to check out the report, and also the MakeUseOf article, which both have good summaries of the findings. I mentioned Avast, which is by no means the worst, and another of my favourite free tools, Avira, seems to come out of it fairly well. I have just checked out the Avira privacy policy and it states "Avira sends suspicious programs only (executable files) to our secure German data centers. Avira does not send any personal data. Files such as pdf, doc, xls as well other personal data, like pictures and videos are not being automatically sent.".

AhnLab and Emsisoft are two paid-for products that won't send URLs or documents over the internet.

Choosing which product to use or buy should not have to involve deciding how much privacy you are willing to give up, but rather how good it is at keeping you secure. At the moment, though, it seems to be both.

Tuesday, 27 May 2014

Coffee shop or WiFi shop?

I nipped into the Student Union coffee shop on my way back from a job and was a little shocked by the number of laptops I could see. I did a quick head count while I was waiting and found most people were using the area to work or study, rather than to buy food or drink. A few people were doing both, but the majority seemed to be there just to use the WiFi, and it probably helps that it is a nicer space (comfy sofas, light and airy, music) than a number of other study areas.

*63 clients seen on the controllers (probably including a number of phones in pockets and passers by).

While most were using laptops there were a few others just making notes on paper. There were only two or three tables in the whole space where people weren't working in some visible capacity.

This sort of information is good to know, as it impacts on how you design the space from a networking point of view. We may need to treat this area more like a teaching space, where we want to ensure a high density of clients can get connected and achieve a usable speed.

Friday, 23 May 2014

WLC 7.6 and MFP anomalies

Since we have set up a wireless controller with WLC 7.6 we are seeing large numbers of alarms starting with: "MFP Anomaly Detected - x 'CCMP Not Encrypted' violation(s) have originated from the client with MAC..."

MFP, as I understand it, is Management Frame Protection and is used to help prevent denial of service and man-in-the-middle attacks. While I am fairly sure nobody is trying to attack our test environment, I am pretty concerned that this has coincided with a group of Apple device users reporting that they have trouble connecting, or lose connection and have to reauthenticate.

We have set MFP from optional to disabled on the controller that is reporting all the problems, but the alarms still persist, as do the problems with Macs and iPhones. The client MAC addresses on the alarms all show Apple or unknown as the vendor. I can't see any other obvious problems and all other devices seem to be working well.

I'd love to stop people using Apple kit, but I don't think that is going to work somehow.

If/when I find a solution I will update below. It may have to involve a call to Cisco before too long.

Update 27/05/14

I am still seeing the errors after the MFP changes, but I am also seeing Apple OSX Mavericks clients being unable to connect without displaying an error.

Update 30/05/14

A few days off and still scratching my head. Not just Apple devices now, but reports from a variety of devices and OSes. Three people complained in one room and, when investigated, had an SNR of 40 dB and a signal strength in the -50 dBm range; they had an AP in their room, which typically works fine when we are standing in the room.

Of course, we were told by management that packet capturing tools were too advanced and we didn't need that level of expertise. Now, though, at this stage what are we supposed to do without them?

Update 09/07/14

This morning we upgraded our controllers to The MFP anomaly alarms are still appearing on Prime, but leaving MFP and QoS disabled and reapplying the config to our backup controller seems to have halted the client connectivity issues that have been reported. So far the affected users say the wireless has been much better.

Going to keep the support call open with our supplier as Prime is currently showing 225 critical alarms.

Devices in numbers [Our network]

65% of the devices on our network are now tablets or phones

Cisco 3700 access point power levels

If you have used Cisco wireless controllers over the years you will know that when setting the transmit power level of the access points you get an option of 1-7, rather than anything meaningful like dBm or mW.

We have just installed WLC 7.6 and some 3702 access points in our building to test for a wider deployment, and despite the data sheet (pictured below) listing these as the power levels available on 2.4GHz, the options you get are only 1-5:

I was not sure where on this scale 1, 2, 3, 4 and 5 sat, whether 5 was as low as 7 was on the older access points, or whether we can now only turn the radios down to 8 dBm. I connected a console cable to one of the APs and ran a 'sh run int dot11radio0' command after changing to each power level (1-5) on the controller.

Under 'power local', the following numbers were displayed:

Power level 1 = There was no entry for power local
Power level 2 = Power local 13
Power level 3 = Power local 10
Power level 4 = Power local 7
Power level 5 = Power local 4

To my mind it made sense for these to be in dBm, as the numbers go up and down by 3 dB with each power level (which would double or halve the power). However these don't tally with the table above, unless one is rounding up and the other is rounding down, and you can only go as high as 40 mW.
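The arithmetic behind that reasoning, as an added example written for this page (it is not Cisco output or Cisco tooling): it parses the 'power local' value from running-config text, converts dBm to mW and checks the 3 dB-per-step relationship. The running-config snippets are constructed to look like 'sh run int dot11radio0' output, and the 16 dBm assumed for power level 1 (which printed no 'power local' line) is an assumption chosen because it is one 3 dB step above 13 dBm and gives the 40 mW ceiling mentioned above.

```python
"""Added example: map Cisco AP 'power local' values to dBm and mW and check
the 3 dB-per-level steps described in the post. Not Cisco code or output."""
import math
import re
from typing import Dict, List, Optional

# Constructed running-config snippets mimicking 'sh run int dot11radio0' at each
# controller power level. Level 1 had no 'power local' line on the page; the
# values 13/10/7/4 for levels 2-5 are the ones the post reports. The other
# lines are an assumption added so the snippets look like real config.
RUNNING_CONFIG_BY_LEVEL: Dict[int, str] = {
    1: "interface Dot11Radio0\n no ip address\n channel 1\n station-role root\n",
    2: "interface Dot11Radio0\n no ip address\n power local 13\n channel 1\n station-role root\n",
    3: "interface Dot11Radio0\n no ip address\n power local 10\n channel 1\n station-role root\n",
    4: "interface Dot11Radio0\n no ip address\n power local 7\n channel 1\n station-role root\n",
    5: "interface Dot11Radio0\n no ip address\n power local 4\n channel 1\n station-role root\n",
}

# Assumption: a missing 'power local' line means the radio is at its maximum.
# 16 dBm is one more 3 dB step above 13 dBm and matches the '40 mW' ceiling in
# the post; the page itself does not confirm the figure.
ASSUMED_MAX_DBM = 16

# Matches ' power local 13' and the older per-modulation form 'power local cck 13'.
POWER_LOCAL_RE = re.compile(r"^\s*power local(?:\s+(?:cck|ofdm))?\s+(\d+)\s*$", re.MULTILINE)


def parse_power_local(running_config: str) -> Optional[int]:
    """Return the dBm value from a 'power local' line, or None if the line is absent."""
    match = POWER_LOCAL_RE.search(running_config)
    return int(match.group(1)) if match else None


def dbm_to_mw(dbm: float) -> float:
    """dBm = 10*log10(mW), so mW = 10^(dBm/10); every 3 dB roughly doubles mW."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw: float) -> float:
    """Inverse of dbm_to_mw, for reading data-sheet mW figures back into dBm."""
    return 10 * math.log10(mw)


def build_power_table(configs: Dict[int, str], max_dbm: int = ASSUMED_MAX_DBM) -> List[dict]:
    """One row per controller power level: index, dBm, exact mW and a rounded mW
    figure of the kind a data sheet prints (the source of the rounding mismatch)."""
    rows = []
    for level in sorted(configs):
        dbm = parse_power_local(configs[level])
        inferred = dbm is None
        if inferred:
            dbm = max_dbm
        mw = dbm_to_mw(dbm)
        rows.append({
            "level": level,
            "dbm": dbm,
            "mw": mw,
            "mw_rounded": round(mw, 1) if mw < 10 else round(mw),
            "dbm_inferred": inferred,
        })
    return rows


def steps_are_3db(rows: List[dict]) -> bool:
    """True if each successive level drops exactly 3 dB, i.e. halves the power."""
    return all(prev["dbm"] - cur["dbm"] == 3 for prev, cur in zip(rows, rows[1:]))


if __name__ == "__main__":
    table = build_power_table(RUNNING_CONFIG_BY_LEVEL)
    for row in table:
        note = " (no 'power local' line; assumed max)" if row["dbm_inferred"] else ""
        print(f"level {row['level']}: {row['dbm']} dBm = {row['mw']:.2f} mW"
              f" (~{row['mw_rounded']} mW){note}")
    print("3 dB per step:", steps_are_3db(table))
```

Running it shows why the two tables look like they disagree: 13 dBm is 19.95 mW (printed as 20 mW), 7 dBm is 5.01 mW and 4 dBm is 2.51 mW, so a data sheet quoting whole or half milliwatts and a CLI quoting whole dBm are describing the same steps.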

On the older APs, in this case a 3502, the power local output appeared to match exactly what we believed the levels to be:

So I was left scratching my head and decided to have a look what I could find from the controller side.

I telnetted into the controller on software version 7.6 and found there are two options that are a lot simpler than the method I used above to find the power levels.

First there is the 'show advanced 802.11b txpower' command, which outputs as below:

This shows you all the channel and power settings currently used by your access points, with all the available options in brackets at the end. Replace the 'b' with 'a' to view the 5GHz radios.

The other command I tried was 'show ap config 802.11b [ap name]'. This will probably be of more use when you have many more APs and varying models on a controller than I did during our test. You can then see all the power levels supported by that access point, as in this screenshot:

...and the 5GHz (UNII-1; again, replacing 802.11b with 802.11a):

While I understand Cisco kit is shipped and used all over the world, meaning a 1-5 or 1-7 scale is easier to display than all the allowed levels in each domain, the documentation needs to be clearer and more complete. It also needs to be clear for people on the helpdesk and the people carrying out installations, who may not have access to the controllers. To a lot of people the Cisco APs all look the same (a square white box) and those not so au fait with wireless assume they all act the same and behave in the same way. It would be great if Cisco could provide a chart for each regulatory domain for each access point/radio. Surely that wouldn't be too difficult?

Since my investigations detailed above, I have found that Will Jones started making a chart similar to what we need on his blog at It's a good idea.

What this seems to suggest is that the 3702 will have less transmit power on the 2.4GHz interface than our other APs, so when replacements, upgrades and swap-outs are required, people need to know what they are installing and whether it will do the same job with regard to coverage.

Wednesday, 7 May 2014

A Rogue By Any Other Name

Currently my Cisco Prime is reporting 1674 rogue access points and, having just run a report on rogue APs in the last day, the total comes to exactly 2500.

While our campus is spread over a large area of the city and many of these will belong to neighbours, an increasing number are coming from inside our walls and mainly due to Apple machines.

What is worse, when I go out to have a look at them, they are often on some ridiculous channel, meaning they interfere with not one but two normally perfectly usable 2.4GHz channels.

Our top current offender has been reported with an RSSI of -31dBm! Tom...s iMac, whoever you may be. At least it is on channel 1. Our third, sixth, thirteenth and fourteenth strongest rogues by RSSI (as well as many more further down the list) are all on channel 4. You can see in the image below how channel 4 overlaps with the channel 1 and channel 6 frequencies:
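The same overlap can be worked out from the 2.4 GHz channel plan rather than read off a chart. The following is an added example written for this page, not output from Cisco Prime or any Cisco tool: it computes centre frequencies for channels 1-14, lists which channels share spectrum with a given channel assuming a 22 MHz (802.11b DSSS) occupied bandwidth, and ranks a small constructed rogue list by RSSI. The SSIDs and most values in that list are made up; only "channel 1 at -31 dBm" and "strong rogues on channel 4" come from the post.

```python
"""Added example: which 2.4 GHz channels a rogue AP on a given channel steps
on, using centre frequencies and an assumed 22 MHz channel width. Not Cisco
code or Prime output."""
from typing import Dict, List, Tuple

NON_OVERLAPPING = (1, 6, 11)   # the usual 2.4 GHz plan; assumption for this example
CHANNEL_WIDTH_MHZ = 22         # 802.11b DSSS occupied bandwidth; 20 MHz for OFDM-only


def centre_frequency_mhz(channel: int) -> int:
    """2.4 GHz channels sit 5 MHz apart from 2412 MHz; channel 14 is the exception."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlapping(channel: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> List[int]:
    """All channels whose band shares spectrum with `channel`'s band.
    Two bands of width W overlap when their centres are closer than W."""
    centre = centre_frequency_mhz(channel)
    return [c for c in range(1, 15)
            if abs(centre_frequency_mhz(c) - centre) < width_mhz]


def plan_channels_hit(channel: int) -> List[int]:
    """Which of channels 1/6/11 a rogue on `channel` interferes with."""
    return [c for c in channels_overlapping(channel) if c in NON_OVERLAPPING]


# Constructed rogue entries (SSID, channel, RSSI in dBm) standing in for a Prime
# rogue report. Only the channel 1 / -31 dBm entry and the idea of strong rogues
# on channel 4 are taken from the post; everything else is made up.
ROGUES: List[Tuple[str, int, int]] = [
    ("iMac", 1, -31),
    ("Flat-Router", 4, -38),
    ("Another-Hub", 6, -44),
    ("WhoKnows", 4, -47),
    ("Neighbour", 11, -72),
]


def worst_offenders(rogues: List[Tuple[str, int, int]], rssi_floor: int = -50) -> List[dict]:
    """Rogues at or above `rssi_floor`, strongest first, each annotated with the
    plan channels it interferes with."""
    strong = [r for r in rogues if r[2] >= rssi_floor]
    strong.sort(key=lambda r: r[2], reverse=True)
    return [{"ssid": ssid, "channel": ch, "rssi": rssi, "hits": plan_channels_hit(ch)}
            for ssid, ch, rssi in strong]


def interference_summary(rogues: List[Tuple[str, int, int]]) -> Dict[str, int]:
    """Count rogues sitting on a plan channel versus those straddling two of them
    (the 'ridiculous channel selection' case from the post)."""
    summary = {"on_plan_channel": 0, "straddling_two": 0}
    for _, ch, _ in rogues:
        if ch in NON_OVERLAPPING:
            summary["on_plan_channel"] += 1
        elif len(plan_channels_hit(ch)) >= 2:
            summary["straddling_two"] += 1
    return summary


if __name__ == "__main__":
    for ch in (1, 4, 6, 11, 13):
        print(f"channel {ch} ({centre_frequency_mhz(ch)} MHz) overlaps plan channels "
              f"{plan_channels_hit(ch)}")
    for entry in worst_offenders(ROGUES):
        print(entry)
    print(interference_summary(ROGUES))
```

With a 22 MHz width, a rogue on channel 4 (2427 MHz) lands inside both channel 1 (2401-2423 MHz) and channel 6 (2426-2448 MHz), which is exactly the double hit described above; channels 2-5 and 7-10 all behave the same way, while 12 and 13 only clip channel 11.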

Looking through the report we have:
  • 6 networks detected at -40 dBm or stronger
  • 47 networks detected at -50 dBm or stronger
  • 400 networks detected at -70 dBm or stronger
  • 1190 networks detected at -83 dBm or stronger, where the 802.11 preamble can still be decoded
  • 644 rogue networks on channel 1
  • 124 on channels 2-5
  • 682 on channel 6
  • 122 on channels 7-10
  • 579 on channel 11
  • 3 on channel 12
  • 18 on channel 13
  • 303 on 5GHz channels with most on 36, but spread fairly evenly across the UNII-1 and UNII-2 range from 36 to 100.
To sum this up, it is obvious we need more 5GHz clients.

P.S. The best rogue SSID names in no particular order:
  • TheCakeIsALie
  • (.)(.) BOOBIES
  • 3 Guys 1 Router
  • F**kYouFlat19
  • Surveillance #11
  • Obi-WLAN Kenobi
  • I HAVE A HTC ONE    (They are obviously very proud)
  • Pretty Fly For A WiFi
  • Wu Tang WLAN

Thursday, 1 May 2014

Lazy journalism

I suppose it was inevitable that it would happen, but if I'm honest I expected the source to be The Daily Mail or The Mirror, not The Daily Telegraph.

On the front page of the paper yesterday I noticed an article about the tragic killing of Ann Maguire which tried to draw a link between the incident and the fact the suspect played a video game called Dark Souls 2.

Well, as of a month ago, Dark Souls 2 had sold over 400,000 copies in America and its predecessor racked up over 2 million. So if the game is to blame, why haven't there been 400,000 incidents like this? Maybe because there is NO LINK BETWEEN VIDEO GAMES AND MURDER. I play 'violent' games if you count GTA, which is what most tabloid newspapers go to when blaming games for the breakdown of society, and I have never hurt anyone, and never plan to. GTA5 alone has sold over 32 million copies and I have every confidence that the majority of those 32 million are decent people.

Games seem to be the 'whipping boy' of the media, the way film used to be, but in my opinion this is lazy journalism. I'm sure there were much more salient reasons for the tragic events, and the fact that people get paid for printing the same old rubbish is ridiculous.