Archive for December, 2010

20 December 2010

NHS hands your data to Facebook

One final thought for 2010 as the festive season swings smoothly into gear, and we start to let our guard down during the celebratory period.

A story has been bubbling under about how the NHS Choices website has apparently included a mechanism that tells Facebook that you’ve been there. According to security company Imperva: “The NHS page has included a script that is hosted on Facebook’s server. When the browser is retrieving the script it delivers all Facebook related cookies from the browser up to Facebook. These are correlated to the Facebook identity of the individual accessing the NHS site.”

In other words, if you’ve got a Facebook account (and a huge percentage of Internet users do) and you then visit the NHS Direct site, your visit is logged by Facebook without your being asked whether this is something you would like to happen. It works by combining the cookies sent along with the script request with the “Referer” header (which identifies the actual page visited), allowing Facebook to track NHS visits by its users without their clicking the ‘Like’ button or being logged in.
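To make the mechanism above concrete, here is an added example (not code from the original post or from Imperva) that parses a constructed HTML page standing in for the NHS one and reports, for each third-party resource, the Referer the browser would send and which stored cookies would travel with the request under the browser defaults of the time; the facebook.com and facebook.net URLs, the cookie names and the page markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose src/href the browser fetches while rendering the page.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

# Constructed cookie jar: domain -> cookie names (not real Facebook cookie names).
SAMPLE_JAR = {".facebook.com": ["session_id", "user_id"], "www.nhs.uk": ["lang"]}

# Constructed page standing in for the NHS Choices page (not its real markup).
SAMPLE_PAGE = """<html><body><h1>Flu advice</h1>
<img src="/images/logo.png">
<script src="https://connect.facebook.net/en_GB/all.js"></script>
<iframe src="https://www.facebook.com/plugins/like.php"></iframe>
</body></html>"""

def cookies_for(jar, host):
    """Cookies a browser attaches to a request for host (domain-suffix match)."""
    sent = []
    for domain, names in jar.items():
        bare = domain.lstrip(".")
        if host == bare or host.endswith("." + bare):
            sent.extend(names)
    return sorted(sent)

class ThirdPartyAuditor(HTMLParser):
    """Collect every resource URL whose host differs from the page's host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        src = dict(attrs).get(attr) if attr else None
        if not src:
            return
        absolute = urljoin(self.page_url, src)
        host = urlparse(absolute).hostname
        if host and host != self.page_host:
            self.found.append(absolute)

def audit(page_url, html, jar):
    """Map each third-party resource URL to the Referer and cookies it receives."""
    auditor = ThirdPartyAuditor(page_url)
    auditor.feed(html)
    # With no referrer policy (the 2010 default) the full page URL goes out as Referer.
    return {url: {"referer": page_url, "cookies": cookies_for(jar, urlparse(url).hostname)}
            for url in auditor.found}
```

Note that the script host on facebook.net receives the Referer but not the facebook.com cookies, while the iframe on facebook.com receives both; the first-party image is not reported at all.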

An MP has raised this with the NHS whose response was that it’s up to users to ensure that their security is up to scratch and that, when users sign up to Facebook, they agree that the service can gather information on their web usage.

Facebook’s default mode is that your data is their data, and it’s in their interests to operate in a way that helps to increase its revenues, which it cannot do without sharing data about you and me. However, it’s pretty outrageous that you can visit a page that happens to have a ‘Like’ button on it and find that your visit has been logged by Facebook.

Every time we share location data, such as where we are and where we’ve been, it helps to build up a pattern of our behaviour. Even from a purely legitimate, advertising point of view, you might not want to share that data: it allows companies to contact you at times of their choosing and to share data about you with their affiliates and partners.

That data is useful not just to advertisers but also to people who might want to do you harm in some way. It’s fairly obvious when an individual who shares their location isn’t at home, which might not be the kind of information you want to make available to the other 6,845,609,959 Internet users.

If there’s been a theme over the blogs I’ve written for Avast this year, it’s not been about how good the Avast anti-virus product set is. It’s been about asking you to be more aware of security rather than placing convenience above all else. A little prevention goes a long way.

Enjoy the festive season and have a fab new year.

13 December 2010

Security error messages need improvement

Today, I had to ask a helpful technical support person how to access the secured wireless network at my local university. Even though I’d successfully logged into the system many times before and have been using it for months, somehow the device I was using had managed to forget the password that enabled the certificate that allowed the wireless network to recognise and authenticate it. As a result, I couldn’t use the network, which is locked down by both encryption and an authentication system.

Faintly embarrassingly, it turns out I could have fixed it myself had I known I needed to dive into the deepest depths of the security settings of my HTC Desire HD phone — which runs Google’s Android operating system — and then reset the password manually.

The problem was two-fold. It wasn’t clear from the input box that popped up that the password being requested was a local one — in other words, the request came from inside the phone, not from the remote wireless network.

Additionally, it asked for a storage credential password and, you know what? I had no idea which password it was asking for, or that I needed credentials to access storage on any remote or local system. I suppose I must have typed it in once, months ago, and then forgotten it almost immediately. It seemed out of place too, since I was trying to access a network, not storage.

So what’s the lesson here? As I was waiting for the IT systems person to figure out what the problem was, it occurred to me to wonder how much time is wasted around the world by poor error messages and unhelpful, over-zealous security systems and their obscure or misleading error messages.

If you’re in the IT business you might of course take a different view: it keeps you in a job. Even so, this kind of user support is useful but not massively productive work when you consider that the human being who designed the error message could, with a little more thought, have saved the time of thousands of other humans.

Security is an important part of our lives as it stops the right stuff going to the wrong people. As ever, the implementation usually involves a trade-off between security and convenience: more of one usually means less of the other.

While there’s still a long way to go before we get to the point where much security technology manages to both avoid inconvenience and improve security, thus making our lives easier, I’d suggest that some anti-virus packages get pretty close to that ideal…

8 December 2010

How to make your WiFi more secure

You probably haven’t thought much about your wireless (WiFi) connection recently. Maybe it’s time you did.

You may well have heard about how insecure WiFi used to be. When it started to become popular, poor configuration and guidance from manufacturers combined with a degree of understandable ignorance on the part of consumers led to a lot of wireless hackery. If you conceive of your network as a set of cables strung between computers, then imagine an early wireless network as a set of loose cables hanging out of the window with signs on them urging passers-by to ‘plug me in’.

It’s all different now, we hear, what with advanced encryption technologies such as AES now built in. Or is it? I’m still surprised – and my experience is not an isolated one – when I sniff around with my laptop to find that there are still quite a few totally open networks around. Even among those that aren’t open you’ll often find network names (or, more correctly, SSIDs) such as ‘linksys’, a name that the manufacturer assigned to the wireless router in the factory.

An open network is a hacked network. If it’s not hacked already, it will be soon. This means that whoever logs into it can use your broadband connection — this alone might break the terms of your broadband contract, even before the intruder has downloaded whatever — and they can access your Windows network. If your computer is on or you’re using a server of some kind, they’ve probably got access to that too.

So turn on strong encryption — you’ll see it listed as WPA2-AES, WPA2-PSK, WPA2 or WPA. That’s not all. Even after you turn on encryption, you need to take some care. The linksys or netgear names given to wireless broadband routers — there are others but I’m picking on these because they’re very common — tell the potential hacker that you’ve not changed the configuration much, if at all, and that, as a result, the wireless network is likely to be easier to hack into.

There are three more steps to take to protect your wireless network. First, change the name of your wireless network (its SSID) to something anonymous; it should not identify you, where you live or your business. You should use a strong wireless network key too: it should not be the same as the SSID, and it should not consist of any words that might be found in the dictionary – hackers have tools for breaking passwords like that. Finally, change the default name and password for the administrator account, as hackers know what all the defaults are.
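As an added example that is not part of the original post: a small checker that tests a router’s wireless settings against the steps above, with a constructed out-of-the-box configuration beside a hardened one. The default-SSID, factory-login and wordlist sets are tiny constructed samples standing in for the real vendor lists and a full dictionary.

```python
# Constructed sample sets; a real audit would use the router vendor's actual
# factory defaults and a full wordlist.
DEFAULT_SSIDS = {"linksys", "netgear", "default"}
DEFAULT_ADMIN_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
WORDLIST = {"password", "letmein", "sunshine", "welcome"}
# Modes the post lists as strong; anything else (open, WEP) is flagged.
STRONG_MODES = {"WPA2-AES", "WPA2-PSK", "WPA2", "WPA"}

def audit_wifi(cfg):
    """Return a list of (setting, problem) pairs; empty means every step is done."""
    findings = []
    ssid = cfg.get("ssid", "")
    key = cfg.get("key", "")
    if cfg.get("encryption", "open") not in STRONG_MODES:
        findings.append(("encryption", "network is open or uses WEP; turn on WPA2-AES"))
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append(("ssid", "factory SSID signals an unconfigured router"))
    if not key:
        findings.append(("key", "no network key set"))
    elif key.lower() == ssid.lower():
        findings.append(("key", "network key is the same as the SSID"))
    elif any(word in key.lower() for word in WORDLIST):
        findings.append(("key", "network key contains a dictionary word"))
    login = (cfg.get("admin_user", ""), cfg.get("admin_password", ""))
    if login in DEFAULT_ADMIN_LOGINS:
        findings.append(("admin", "administrator login is still the factory default"))
    return findings

# Constructed 'before' and 'after' configurations (not any real router's values).
OUT_OF_THE_BOX = {"ssid": "linksys", "encryption": "WEP", "key": "password1",
                  "admin_user": "admin", "admin_password": "admin"}
HARDENED = {"ssid": "Gx7-home-net", "encryption": "WPA2-AES", "key": "Qv9#tr4Lm2!zWe8p",
            "admin_user": "owner", "admin_password": "J8%dk2Lq!r0Xv"}
```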

There are more steps you can take to make your system even more secure, but these three will defend you against all but the most determined of hackers.
