20 December 2010

NHS hands your data to Facebook

One final thought for 2010 as the festive season swings smoothly into gear, and we start to let our guard down during the celebratory period.

A story has been bubbling under about how the NHS Choices website has apparently included a mechanism that tells Facebook that you’ve been there. According to security company Imperva: “The NHS page has included a script that is hosted on Facebook’s server. When the browser is retrieving the script it delivers all Facebook related cookies from the browser up to Facebook. These are correlated to the Facebook identity of the individual accessing the NHS site.”

In other words, if you’ve got a Facebook account (and a huge percentage of Internet users do) and you then visit the NHS Direct site, your visit is logged by Facebook without your being asked whether this is something you would like to happen. It works by combining those cookies with information from the “Referer” header (which contains information about the actual pages visited), allowing Facebook to track its users’ NHS visits even when they have not clicked the ‘Like’ button and are not logged in.
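To see which outside hosts a page reports your visit to, the Python below (an added example, not code from Imperva, the NHS or Facebook) lists every third-party host from which a page automatically loads a script, image, frame or stylesheet. The page URL, the HTML and the host names are constructed, and treating any subdomain of the page's own host as first-party is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL the browser fetches on page load, without any click.
AUTO_FETCH = {"script": "src", "img": "src", "iframe": "src", "embed": "src"}


class _ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every automatically fetched resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in AUTO_FETCH:
            url = attrs.get(AUTO_FETCH[tag])
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            url = attrs.get("href")
        else:
            url = None  # e.g. <a href>: only requested if the user clicks it
        if url:
            # Resolve relative and protocol-relative (//host/path) URLs.
            self.resources.append((tag, urljoin(self.page_url, url.strip())))


def _site(host):
    # Assumption: "www.example" and "static.example" belong to the same site.
    return host[4:] if host.startswith("www.") else host


def third_party_hosts(html, page_url):
    """Map each third-party host to the tags that pull content from it.

    Every host returned receives a request carrying that host's own cookies
    and a Referer header that points back at the page being read.
    """
    first_party = _site(urlsplit(page_url).hostname)
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    hosts = {}
    for tag, url in collector.resources:
        host = urlsplit(url).hostname
        if host is None:  # data: URIs and similar have no host
            continue
        if host == first_party or host.endswith("." + first_party):
            continue
        hosts.setdefault(host, []).append(tag)
    return hosts


# Constructed sample page: a health site embedding a social network's widget.
SAMPLE_URL = "https://www.health.example/conditions/some-condition"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/css/site.css">
  <script src="https://static.health.example/app.js"></script>
  <script src="//connect.social.example/widgets/like.js"></script>
</head><body>
  <img src="/images/logo.png" alt="logo">
  <iframe src="https://social.example/plugins/like?href=https%3A%2F%2Fwww.health.example%2F"></iframe>
  <a href="https://social.example/share">Share</a>
</body></html>
"""

if __name__ == "__main__":
    for host, tags in third_party_hosts(SAMPLE_HTML, SAMPLE_URL).items():
        print(f"{host}: loaded via {', '.join(tags)}")
```

Current browsers default to a Referrer-Policy of strict-origin-when-cross-origin, which trims the Referer sent to other sites down to the origin, but the request to the third-party host is still made.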

An MP has raised this with the NHS whose response was that it’s up to users to ensure that their security is up to scratch and that, when users sign up to Facebook, they agree that the service can gather information on their web usage.

Facebook’s default mode is that your data is their data, and it’s in their interests to operate in a way that helps to increase its revenues, which it cannot do without sharing data about you and me. However, it’s pretty outrageous that you can visit a page that happens to have a ‘Like’ button on it and find that your visit has been logged by Facebook.

Every time we share location data, such as where we are and where we’ve been, it helps to build up a pattern of our behaviour. Even from a legitimate advertising point of view, you might not want to share that data, which allows companies to contact you at times of their choosing and to share data about you with their affiliates and partners.

But that data is not just useful to advertisers but also to people who might want to do you harm in some way. It’s fairly obvious when an individual who shares their location isn’t at home, which might not be the kind of information you want to make available to the other 6,845,609,959 Internet users.

If there’s been a theme over the blogs I’ve written for Avast this year, it’s not been about how good the Avast anti-virus product set is. It’s been about asking you to be more aware of security rather than placing convenience above all else. A little prevention goes a long way.

Enjoy the festive season and have a fab new year.

13 December 2010

Security error messages need improvement

Today, I had to ask a helpful technical support person how to access the secured wireless network at my local university. Even though I’d successfully logged into the system many times before and have been using it for months, somehow the device I was using had managed to forget the password that enabled the certificate that allowed the wireless network to recognise and authenticate it. As a result, I couldn’t use the network, which is locked down by both encryption and an authentication system.

I was faintly embarrassed to find that I could have fixed it myself had I known I needed to dive into the deepest depths of the security settings of my HTC Desire HD phone — which runs Google’s Android operating system — and then reset the password manually.

The problem was two-fold. It wasn’t clear from the input box that popped up that the password being requested was a local one — in other words, the request came from inside the phone, not from the remote wireless network.

Additionally, it asked for a storage credential password and, you know what? I had no idea which password it was asking for, or that I needed credentials to access storage on any remote or local system. I suppose I must have typed it in once, months ago, and then forgotten it almost immediately. It seemed out of place too, since I was trying to access a network, not storage.

So what’s the lesson here? As I was waiting for the IT systems person to figure out what the problem was, it occurred to me to wonder how much time is wasted around the world by poor error messages and unhelpful, over-zealous security systems and their obscure or misleading error messages.

If you’re in the IT business you might of course take a different view: it keeps you in a job. Even so, this kind of user support is useful but not massively productive work when you consider that the human being who designed the error message could, with a little more thought, have saved the time of thousands of other humans.

Security is an important part of our lives as it stops the right stuff going to the wrong people. As ever, the implementation usually involves a trade-off between security and convenience: more of one usually means less of the other.

While there’s still a long way to go before we get to the point where much security technology manages to both avoid inconvenience and improve security, thus making our lives easier, I’d suggest that some anti-virus packages get pretty close to that ideal…

8 December 2010

How to make your WiFi more secure

You probably haven’t thought much about your wireless (WiFi) connection recently. Maybe it’s time you did.

You may well have heard about how insecure WiFi used to be. When it started to become popular, poor configuration and guidance from manufacturers combined with a degree of understandable ignorance on the part of consumers led to a lot of wireless hackery. If you conceive of your network as a set of cables strung between computers, then imagine an early wireless network as a set of loose cables hanging out of the window with signs on them urging passers-by to ‘plug me in’.

It’s all different now, we hear, what with advanced encryption technologies such as AES now built in. Or is it? I’m still surprised – and my experience is not an isolated one — when I sniff around with my laptop to find that there are still quite a few totally open networks around. Even among those that aren’t open you’ll often find network names (or, more correctly, SSIDs) such as ‘linksys’, a name that the manufacturer assigned to the wireless router in the factory.

An open network is a hacked network. If it’s not hacked already, it will be soon. This means that whoever logs into it can use your broadband connection — this alone might break the terms of your broadband contract, even before the intruder has downloaded whatever — and they can access your Windows network. If your computer is on or you’re using a server of some kind, they’ve probably got access to that too.

So turn on strong encryption — you’ll see it listed as WPA2-AES, WPA2-PSK, WPA2 or WPA. That’s not all. Even after you turn on encryption, you need to take some care. The linksys or netgear names given to wireless broadband routers — there are others but I’m picking on these because they’re very common — tell the potential hacker that you’ve not changed the configuration much, if at all, and that, as a result, the wireless network is likely to be easier to hack into.

There are three more steps to take to protect your wireless network. First, change your wireless network name, or SSID, to something anonymous; it should not identify you, where you live or your business. You should use a strong wireless network key too: it should not be the same as the SSID, and it should not consist of any words that might be found in the dictionary – hackers have tools for breaking passwords like that. Finally, change the default name and password for the administrator account, as hackers know what all the defaults are.

There are more steps you can take to make your system even more secure but these three will defend you against all but the most determined of hackers.

29 November 2010

US secrets leak gives cause for thought

A CD-RW with Lady Gaga written on it became the vehicle for over 250,000 leaked US state department cables sent from, or to, US embassies all around the world. This news story has made headlines the world over and put egg on the faces of the US diplomatic service, which is part of the US state department — the equivalent of the UK’s foreign office.

The results were passed to WikiLeaks, a “not-for-profit media organisation” whose aim “is to bring important news and information to the public” based on principles of “the defence of freedom of speech and media publishing”. They were passed to the Guardian on a USB stick and it, along with three other newspapers — the New York Times in the US, Der Spiegel in Germany, Le Monde in France and El País in Spain, has started to publish the thousands of snippets of information these documents contain.

The culprit is said to be soldier Bradley Manning, an intelligence specialist who smuggled the CD-RW out of the intelligence service, and who has been behind bars for seven months as a result and faces a court martial. After the data heist, he said in a chatlog that he “had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months” and sang along to Lady Gaga “while exfiltrating possibly the largest data spillage in American history”.

The reaction from official forces has been predictably furious, although the editor of the Guardian described the leaks as embarrassing for the US rather than damaging.

But all that aside, what does it say for the security of the US’ diplomatic intelligence service? The fact that it took only a simple mistake of not configuring official computers so that they were unable to burn CDs or copy data onto USB memory sticks is ludicrous. But it highlights one key aspect of security that applies whether you are the US state department or anyone who has a computer at home.

Security is a state of mind. What seems to have happened is that, once the individual who leaked the information had passed muster, probably by typing in a username and password, he was allowed to access everything on the department’s servers. It suggests that the security hierarchy is pretty flat, with little granularity of access. Additionally, it shows that physical access to a device attached to servers is not seen as something to be controlled, at least to the extent that you are able to take data away with you on a physical medium.

So the state of mind of those who set up the machines seems to have been that the possession of a username and password (or maybe some form of biometric identification — there’s no suggestion that Manning falsified his identity) meant he was trustworthy enough to give access to a huge range of secrets.

While your PC might not contain information quite so portentous — though of course it might, I don’t know — it might make you wonder whether your security setup is as secure as you need it to be, especially if you share your machine. And do you trust yourself…?

22 November 2010

Could your Apple iPad give away your data?

I read a blog today. The blog’s author compared the much-lauded (but in my view highly overrated) Apple iPad against laptops in general, and highlighted several features that iPad has that laptops should emulate.

Well yes, maybe. The one that caught my eye was the issue of instant-on. “You can click the iPad’s power button and it is instantly ready to pull up a web page, calendar or email”, the blogger wrote. Yes, of course we all want computers to be instantly available as soon as we press that button. Apple is very good at making devices that appear to be easy to use but which, after a few minutes’ thought — or, often, after a few hours of ownership and intensive use — turn out to be not quite so smart after all.

The only issue with instant-on is that anyone can do it. The person who steals your iPad that you carelessly left on the coffee-shop table as you order another skinny latte, or who lifts it from your bag on a crowded train or bus will have no problem turning it on and gaining instant access to your stuff: your email, your Facebook page, your passwords, personal information…. Your life.

If it never leaves the home then maybe that’s a different story. But wait: burglars can and do steal computers if they’re small enough to walk away with without looking suspicious, and I believe an iPad qualifies. Or your small (or not so small) child — or lodgers or whoever — can come along and press all sorts of buttons with neither let nor hindrance, leading to all sorts of weirdnesses.

Aren’t we lucky the iPad is so convenient?

A combination of username and password is not the most secure way of protecting data but, when balancing convenience against security, it’s good enough and should deter most thieves.

Many years ago, my IBM ThinkPad laptop was among the goodies taken away by a burglar and, about three years later, I received a phone call from someone (who purported to be and might well have been an innocent buyer) who had managed to find out where it came from and wanted the password for it.

Of course I refused, not knowing where the machine was, who had it, or what stuff that I wanted might still be on it. But I was satisfied that the ThinkPad had industrial-strength, password-protected encryption and that the data would be unavailable to whomever: they would have to wipe the disk to make any use of the machine.

So when you read that convenience is the sole criterion of value, think hard: data on portable devices can end up anywhere and instant-on could mean instant bye-bye to your personal data. So if you have one, use the password feature. It might be a little inconvenient most of the time, but it will be very convenient the one time it’s really needed.

Kroxxu botnet’s secrets revealed
Avast’s Jiri Sejtko, head of virus research at the company’s virus lab, has written a fascinating account of how he tracked down Kroxxu, a botnet based on infected websites with the aim of stealing passwords.

Since its inception in October 2009, it’s grown to become a network with over 10,000 redirectors, 2,500 PHP redirectors, and over 700 malware distribution sites. The 15 redirectors used in the longest active connection send visitors through seven countries in three continents to infectious exploits, with many of the zombie machines enduring 90 days or more.

It’s worth checking out.

15 November 2010

Phishing takes a new turn

Phishing’s just taken a new turn: scammers have taken to calling people at home to warn them about their anti-virus software and suggesting that they use a certain link to install some new improved software. Of course, it’s not what it seems.

A report in the news today suggests that up to a quarter of UK Internet users may have received such a call — although that sounds like a hugely expensive exercise. Even if it’s a tenth of that, it’s a lot of calls. It seems that the callers offer to repair your PC’s virus problems — but instead install spyware with the aim of stealing valuable personal information. This includes identity data, such as usernames and password combinations, credit card details, bank account details and the like.

A PC security campaign, Get Safe Online, reckons that up to 400 people are employed in dedicated, eastern European or Asian call centres to make this happen. According to Sharon Lemon, deputy director of the UK’s Serious and Organised Crime Agency, they could be paying up to £92,000 monthly to webmasters, presumably running small websites, to advertise their software in ignorance of its true purpose. The fact that they’re spending this much demonstrates the profit levels they must be making.

Other companies call and offer technical support but in fact do no such thing. While not as malicious, it’s still a big security hole, as they ask you to allow them to take over remote control of your PC. One reporter was brave enough to let one of these people onto his PC, and found that they offer a worthless service. He reported that they footle around on your machine for a bit and that’s it. The assumption is that if you’re gullible enough to let them in, you won’t know that what they’re doing is effectively worthless.

I’ll confess that in fact this is not so new: a national newspaper reported a similar phenomenon a few months ago but this is the latest wave.

But if in doubt, don’t respond to cold calls — you probably shouldn’t anyway — and certainly never provide someone whose credentials aren’t cast-iron with access to your computer.

It’s not just you you’re protecting: like any infection, if your machine is compromised, so are a whole host of others.

Avast news
Avast has released news that its software now protects Queen Elizabeth Hospital in King’s Lynn. In 2006, the hospital realised its computer network was insecure after a series of malware attacks penetrated the incumbent anti-virus software, so managers decided to evaluate alternatives. One manager had heard about avast from a relative who had successfully used it on their home PC so the hospital downloaded a free copy and ran it on a test computer.

It worked, clearing up a mess left by a previous AV package and, as a result, the trust now has Avast running on 118 servers and over 1,500 desktops. Avast claims the trust is very happy with the results over the last four years: better security and good service.

8 November 2010

Watch out for virus on a stick

We’re all used to the ease with which we can move data around using networks — and with USB memory sticks.

While networks came later for most people, the flash memory stick has become the equivalent of the old floppy disk: universal and easy to transport. Except it’s not unusual to find one with 4GB of data while the last mass-market floppy could handle a massive 1.44MB. That’s 0.00014GB. I digress.

The point here is that we know about how networks can be carriers of malware — viruses, spam, and all the other unlovely stuff that some individuals (and groups) create with the express intention of messing up your day. But did you know that the humble USB stick can also be a vector?

That’s because there’s a file on most USB sticks called autorun.inf that tells the PC what program to run when the stick is inserted. If it exists, it runs the application pointed to by the file. The problem is that several malware scripts exploit autorun.inf. When you plug in an infected memory stick, the scripts can change the autorun.inf file so your PC executes the malware which will, at the very least, infect your PC, probably inviting other malware onto it. When you take the stick to another computer, the cycle repeats.
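A defensive check for the mechanism described above, added here as an example and not taken from Avast or Microsoft: the Python below reads a stick's autorun.inf without running anything and lists the entries that would start a program. The keys open, shellexecute and shell\verb\command are the standard autorun.inf launch entries; the sample file content and file names are constructed.

```python
import os

# Keys in the [autorun] section that name a program to start.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Section and key names are case-insensitive. Lines that are not
    "key=value" are skipped rather than treated as an error, so stray
    text in the file cannot hide the entries that matter.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Sorted (key, command) pairs for entries that would start a program."""
    hits = []
    for key, value in entries.items():
        # shell\<verb>\command adds a program to the drive's right-click menu.
        is_shell_verb = key.startswith("shell\\") and key.endswith("\\command")
        if value and (key in LAUNCH_KEYS or is_shell_verb):
            hits.append((key, value))
    return sorted(hits)


def inspect_drive(root):
    """Find autorun.inf (any letter case) in a drive's root and report it."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            # latin-1 never fails to decode, whatever bytes the file holds.
            with open(path, "r", encoding="latin-1") as handle:
                return launch_commands(parse_autorun(handle.read()))
    return []


# Constructed sample file content for illustration.
SAMPLE = """\
; constructed sample
[AutoRun]
this line has no key and is ignored
Open = setup.exe /quiet
icon=folder.ico
Shell\\Explore\\Command=setup.exe
label=Holiday photos
"""

if __name__ == "__main__":
    for key, command in launch_commands(parse_autorun(SAMPLE)):
        print(f"{key} -> {command}")
```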

Avast’s technical team recently reported that some 13.5 percent of all malware detected by its software originated from a USB stick. As Avast’s Jan Širmer reports in his blog: “This malware is a worm that starts an executable file which then invites a wide array of malware into the computer. The incoming malware copies itself into the core of the Windows OS and can replicate itself each time the computer is started.”

It’s not the first time this phenomenon has been spotted and it surely won’t be the last as experience teaches us that, when it comes to a tussle between security and convenience, convenience wins every time. Alas, Windows’ autorun feature may be convenient, but the operating system doesn’t make the potentially adverse consequences of opening the contents of a stick in Windows Explorer quite so evident.

However — and there always is a ‘however’ isn’t there? — there is a simple remedy: disable autorun — it’s only a one-off task — to give Avast (or whatever you use) time to scan any USB memory device you connect to your PC before you open it up. Here’s a link to Microsoft’s website that tells you how to do it.

One last thing: just because a stick comes from a supposedly reputable source, you cannot assume that the contents of the stick are malware-free: mistakes do and have happened to even the best brands.

Just be aware.

1 November 2010

Take control of your computer

When I get calls from friends and relatives about a problem with their PCs, one of the first things that springs to mind is ‘too much software’.

Most people have fairly simple requirements: they want to browse the web, do emails, write letters, maybe run a spreadsheet or two and perhaps play the odd game. This calls for the installation of, at most, around ten applications if you include an instant messenger, Skype and, rummaging around in my system tray, I also find EditPad Lite, a free, fast and much more capable replacement for Windows’ brain-dead Notepad.

But what do I find when I actually get to take a look at the machine that’s behaving oddly? Usually the symptoms are that it’s slowed to a crawl and there are common causes for that.

These days, lack of memory isn’t as much of an issue as it used to be, as most PCs come with at least 2GB which is fine for light to medium usage — although adding memory remains one of the cheapest and most effective performance upgrades you can buy.

Disk defragmentation, I hear you thinking — but without exception, my most recent call-outs have all insisted that the disk is defragged — Microsoft seems at last to have done a good job on this problem.

No, the problem is usually bloatware. A quick rootle through the task manager’s list of processes shows two or three anti-virus packages, maybe a third party firewall running as well as Windows’ own package, and a whole host of programs that seem designed to add minimal value and maximum CPU utilisation.

Many of these get installed by PC manufacturers because they get paid by software vendors to do so. It helps to keep the prices down but you don’t get something for nothing. Many also get installed by default when you install something entirely unrelated.

My next step is to remove almost all this cruft, explaining what I’m doing along the way just in case the user is really attached to or actually requires the application. At the end of the process, the disk and memory are considerably emptier, the CPU is issuing palpable sighs of relief at not having to churn away at full chat all the time, and the user experience is enhanced.

What prompted this thought was being caught the other day by this secret software installation when Firefox insisted it needed a new version of Adobe’s Flash player. I dutifully downloaded and installed — but didn’t pay enough attention to the install dialog boxes and found myself with an unwanted McAfee AV package. Others have found they get a browser toolbar as well.

It’s so easy to do. So the message this week is to pay attention to your installation dialog boxes and refuse to install stuff that insists, without an option, on installing software you don’t want or whose purpose is unclear.

Not only is this good practice — it’s like keeping those fluff balls from piling up in the corners of your wardrobe — it helps to keep your PC secure as the fewer applications you run, the fewer security holes there are likely to be.

25 October 2010

Privacy or security is your choice

Should your ISP be monitoring your connection? According to this story, that’s what’s starting to happen in Australia, where the government has mandated that computers spewing spam or malware must be shut off from the Internet. And the only way to do that is for your ISP to invest in some pretty heavy-duty gear to peer into every packet their customers send and receive, in order to ensure that there’s nothing nasty lurking inside.

The pluses are that it helps make for a safer Internet. The downside is that your ISP is spending more money that it’ll have to recoup somehow — guess how — and that it’s looking at your data. Right now, it’s only interested in malware – but what happens if government policy changes?

You can hear the conversation now: “Well Mr ISP, you already have the mechanism to look at everyone’s data, how much harder can it be to check for dissidents, or those with a criminal record?” The answer will be: not very. And that’s the top of a very slippery slope.

So it’s a choice: be secure or be private – you can’t have both. The best protection we can all have is the protection we ourselves provide, so that the government does not feel the need to step in with legislation. It’s illegal for them to look into your mail or listen into your phone calls, so why should your email not be subject to the same privacy?

Keep AV free!
Free anti-virus is here to stay – and it works. As someone who’s been using free AV tools for over 10 years and never had a problem, I can testify to that. And about one in four UK PC users uses Avast to protect themselves, with about 42 percent using free AV software worldwide, according to security experts at OPSWAT.

So how does it work? Companies such as Avast give away free AV software in the hope that you and I will find it so compelling that we need to upgrade to a paid-for version. Many do. Those who don’t get exactly the same level of protection but don’t get added features, such as a firewall, anti-spyware and other security measures. If you’re covered already, that’s fine.

And long may it continue.

18 October 2010

Security: time to spread the word

There’s no shortage of information online about how to keep your computer safe. The problem is that I suspect most of those who need it are not the kinds of people who would go out and look for it; I’ll get back to this point.

As an example of the kinds of helpful instruction that’s now available, Google has just put up a page that shows you, step by step, how to make your computer as safe as possible. The first three steps consist of making sure the machine is free of viruses and malware (using Avast, naturally – end of plug); making sure your operating system is up to date; and making sure to perform regular software updates. It then provides steps for your browser and email client.

A key suggestion from Google’s list is that you change your password twice a year. Passwords provide notoriously weak protection. People use passwords that are easy to remember, such as their name and birth year. That’s information you could find on someone’s Facebook page. You wouldn’t have to look too far to find answers to other questions such as someone’s mother’s maiden name, or their favourite food.

So you need to make your passwords hard to guess. That’s tough because it makes them hard to remember too – but there are programs that can help. The simplest way is to write them down somewhere but in a safe way. That’s not on a sticky note on your desktop but in a safe, encrypted manner. It could be in your browser or, since not everything goes via the browser, using a package such as the well-regarded KeePass, for example. This means you need only remember one master password, and the others can be pulled out of the safe as required.

Less fashionable but a method I’ve been using for years is a password generator. While some software may have limitations, such as an inability to generate passwords to meet specific criteria demanded by some websites, such as password length, a fixed number of non-alphabetic characters and so on, it’s a method that’s worked well for me for years. As before, I need only remember a master password, while the service passwords are generated using a combination of the service name I’m trying to access and other data that I’m not going to reveal.
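One way a generator of this kind can work, shown as an added example and not the author's own method or any named product: the Python below derives a repeatable per-service password from a master password and the service name, and meets a required length and number of non-alphabetic characters. The use of PBKDF2-HMAC-SHA512, the character sets and the counter parameter (for issuing a fresh password when a site forces a change) are choices made for this example.

```python
import hashlib
import string

LETTERS = string.ascii_letters
NON_ALPHA = string.digits + "!#$%&*+-=?@_"  # example set; adjust per site rules


def derive_password(master, service, length=16, non_alpha=3,
                    counter=1, iterations=200_000):
    """Derive the same password every time for (master, service, counter).

    Nothing is stored: anyone who learns the master password and this
    scheme can regenerate every service password, so the master password
    must be strong and used nowhere else.
    """
    if not 1 <= length <= 32:
        raise ValueError("length must be between 1 and 32")
    if not 0 <= non_alpha <= length:
        raise ValueError("non_alpha must be between 0 and length")

    # The service name acts as the salt, so each service gets an unrelated
    # password; the slow key-derivation function hampers guessing the master.
    salt = f"{service.strip().lower()}:{counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha512", master.encode("utf-8"),
                              salt, iterations, dklen=64)
    pool = int.from_bytes(raw, "big")  # 512 bits; at most ~300 are consumed

    def take(n):
        """Draw a number in range(n) from the derived bits."""
        nonlocal pool
        pool, remainder = divmod(pool, n)
        return remainder

    chars = [LETTERS[take(len(LETTERS))] for _ in range(length - non_alpha)]
    chars += [NON_ALPHA[take(len(NON_ALPHA))] for _ in range(non_alpha)]

    # Deterministic Fisher-Yates shuffle, so the required non-alphabetic
    # characters do not always sit at the end of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = take(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    print(derive_password("a long master passphrase", "mail.example"))
    print(derive_password("a long master passphrase", "shop.example",
                          length=12, non_alpha=2))
```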

But back to my original point: if you’re reading this you’re already in a category of people who are interested enough to have searched out a security-focused blog. This is both good for you and good for all of us — the more people who compute safely, the safer we all are because of the phenomenon of herd immunity.

What we need to do is to reach those who don’t make it this far. So perhaps we should all make it our mission to get at least one other person interested enough to do likewise, and they can then go on and infect someone else with the security bug.

How about it?
