Archive for ‘privacy’

20 December 2010

NHS hands your data to Facebook

One final thought for 2010 as the festive season swings smoothly into gear, and we start to let our guard down during the celebratory period.

A story has been bubbling under about how the NHS Choices website has apparently included a mechanism that tells Facebook that you’ve been there. According to security company Imperva: “The NHS page has included a script that is hosted on Facebook’s server. When the browser is retrieving the script it delivers all Facebook related cookies from the browser up to Facebook. These are correlated to the Facebook identity of the individual accessing the NHS site.”

In other words, if you’ve got a Facebook account (and a huge percentage of Internet users do) and you then visit the NHS Direct site, your visit is logged by Facebook without your being asked whether this is something you would like to happen. It works by combining those cookies with information from the “Referer” header (which contains information about the actual pages visited), allowing Facebook to track its users’ NHS visits without their clicking the ‘Like’ button or being logged in.
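To see what a page discloses this way, the sketch below (an added example, not code from Imperva, the NHS or Facebook) parses a page's HTML and lists, for each resource fetched from another host, the Referer and cookies a browser would send with that request. The hosts, cookie and HTML are constructed, and it assumes the browser sends the full page URL as Referer and allows third-party cookies.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a health page that embeds a script from a social network.
SAMPLE_PAGE_URL = "http://health.example/conditions/depression"
SAMPLE_HTML = """
<script src="/static/site.js"></script>
<script src="http://connect.social.example/all.js"></script>
<img src="//stats.example/pixel.gif">
"""
# Cookies already in the visitor's browser, keyed by cookie domain (constructed).
SAMPLE_COOKIES = {"social.example": {"uid": "1234"}}

# Tags whose src attribute makes the browser fetch a resource on page load.
FETCH_TAGS = {"script", "iframe", "img"}


class EmbedCollector(HTMLParser):
    """Collects (tag, absolute URL) for every resource the page pulls in."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in FETCH_TAGS and src:
            self.embeds.append((tag, urljoin(self.page_url, src)))


def domain_matches(host, cookie_domain):
    """A cookie is sent to its own domain and to any subdomain of it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def third_party_leaks(page_url, html, cookie_jar):
    """Return what each other host learns when a browser loads the page."""
    page_host = urlsplit(page_url).hostname
    collector = EmbedCollector(page_url)
    collector.feed(html)
    leaks = []
    for tag, url in collector.embeds:
        host = urlsplit(url).hostname
        if host is None or host == page_host:
            continue  # same host as the page: nothing new is disclosed
        cookies = {name: value for domain, jar in cookie_jar.items()
                   if domain_matches(host, domain) for name, value in jar.items()}
        leaks.append({"tag": tag, "host": host, "referer": page_url, "cookies": cookies})
    return leaks


if __name__ == "__main__":
    for leak in third_party_leaks(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_COOKIES):
        print(leak)
```

A site owner can run the same function over their own pages to list every external host that receives the visited URL, and decide which embeds are worth that disclosure.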

An MP has raised this with the NHS whose response was that it’s up to users to ensure that their security is up to scratch and that, when users sign up to Facebook, they agree that the service can gather information on their web usage.

Facebook’s default mode is that your data is their data, and it’s in their interests to operate in a way that helps to increase its revenues, which it cannot do without sharing data about you and me. However, it’s pretty outrageous that you can visit a page that happens to have a ‘Like’ button on it and find that your visit has been logged by Facebook.

Every time we share location data, such as where we are and where we’ve been, it helps to build up a pattern about your behaviour. Even from a legitimate, advertising point of view, you might not want to share that data, which allows companies to contact you at times of their choosing and to share data about you with their affiliates and partners.

But that data is not just useful to advertisers but also to people who might want to do you harm in some way. It’s fairly obvious when an individual who shares their location isn’t at home, which might not be the kind of information you want to make available to the other 6,845,609,959 Internet users.

If there’s been a theme over the blogs I’ve written for Avast this year, it’s not been about how good the Avast anti-virus product set is. It’s been about asking you to be more aware of security rather than placing convenience above all else. A little prevention goes a long way.

Enjoy the festive season and have a fab new year.

8 December 2010

How to make your WiFi more secure

You probably haven’t thought much about your wireless (WiFi) connection recently. Maybe it’s time you did.

You may well have heard about how insecure WiFi used to be. When it started to become popular, poor configuration and guidance from manufacturers combined with a degree of understandable ignorance on the part of consumers led to a lot of wireless hackery. If you conceive of your network as a set of cables strung between computers, then imagine an early wireless network as a set of loose cables hanging out of the window with signs on them urging passers-by to ‘plug me in’.

It’s all different now, we hear, what with advanced encryption technologies such as AES now built in. Or is it? I’m still surprised – and my experience is not an isolated one — when I sniff around with my laptop to find that there are still quite a few totally open networks around. Even among those that aren’t open you’ll often find network names (or, more correctly, SSIDs) such as ‘linksys’, a name that the manufacturer assigned to the wireless router in the factory.

An open network is a hacked network. If it’s not hacked already, it will be soon. This means that whoever logs into it can use your broadband connection — this alone might break the terms of your broadband contract, even before the intruder has downloaded whatever — and they can access your Windows network. If your computer is on or you’re using a server of some kind, they’ve probably got access to that too.

So turn on strong encryption — you’ll see it listed as WPA2-AES, WPA2-PSK, WPA2 or WPA. That’s not all. Even after you turn on encryption, you need to take some care. The linksys or netgear names given to wireless broadband routers — there are others but I’m picking on these because they’re very common — tell the potential hacker that you’ve not changed the configuration much, if at all and that, as a result, the wireless network is likely to be easier to hack into.

There are three more steps to take to protect your wireless network. First, change your wireless network name or SSID to something anonymous; it should not identify you, where you live or your business. You should use a strong wireless network key too: it should not be the same as the SSID, and it should not consist of any words that might be found in the dictionary – hackers have tools for breaking passwords like that. Finally, change the default name and password for the administrator account, as hackers know what all the defaults are.

There are more steps you can take to make your system even more secure but these three will defend you against all but the most determined of hackers.

29 November 2010

US secrets leak gives cause for thought

A CD-RW with Lady Gaga written on it became the vehicle for over 250,000 leaked US state department cables sent from, or to, US embassies all around the world. This news story has made headlines the world over and put egg on the faces of the US diplomatic service, which is part of the US state department — the equivalent of the UK’s foreign office.

The results were passed to WikiLeaks, a “not-for-profit media organisation” whose aim “is to bring important news and information to the public” based on principles of “the defence of freedom of speech and media publishing”. They were passed to the Guardian on a USB stick and it, along with three other newspapers — the New York Times in the US, Der Spiegel in Germany, Le Monde in France and El País in Spain, has started to publish the thousands of snippets of information these documents contain.

The culprit is said to be soldier Bradley Manning, an intelligence specialist who smuggled the CD-RW out of the intelligence service, and who has been behind bars for seven months as a result and faces a court martial. After the data heist, he said in a chatlog that he “had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months” and sang along to Lady Gaga “while exfiltrating possibly the largest data spillage in American history”.

The reaction from official forces has been predictably furious, although the editor of the Guardian described the leaks as embarrassing for the US rather than damaging.

But all that aside, what does it say for the security of the US’ diplomatic intelligence service? The fact that it took only a simple mistake of not configuring official computers so that they were unable to burn CDs or copy data onto USB memory sticks is ludicrous. But it highlights one key aspect of security that applies whether you are the US state department or anyone who has a computer at home.

Security is a state of mind. What seems to have happened is that, once the individual who leaked the information had passed muster, probably by typing in a username and password, he was allowed to access everything on the department’s servers. It suggests that the security hierarchy is pretty flat, with little granularity of access. Additionally, it shows that physical access to a device attached to servers is not seen as something to be controlled, at least to the extent that you are able to take data away with you on a physical medium.

So the state of mind of those who set up the machines seems to have been that the possession of a username and password (or maybe some form of biometric identification — there’s no suggestion that Manning falsified his identity) meant he was trustworthy enough to give access to a huge range of secrets.

While your PC might not contain information quite so portentous — though of course it might, I don’t know — it might make you wonder whether your security setup is as secure as you need it to be, especially if you share your machine. And do you trust yourself…?

22 November 2010

Could your Apple iPad give away your data?

I read a blog today. The blog’s author compared the much-lauded (but in my view highly overrated) Apple iPad against laptops in general, and highlighted several features that iPad has that laptops should emulate.

Well yes, maybe. The one that caught my eye was the issue of instant-on. “You can click the iPad’s power button and it is instantly ready to pull up a web page, calendar or email”, the blogger wrote. Yes of course we all want computers to be instantly available as soon as we press that button. Apple is very good at making devices that appear to be easy to use but which, after a few minutes’ thought — or, often, after a few hours of ownership and intensive use — turn out to be not quite so smart after all.

The only issue with instant-on is that anyone can do it. The person who steals your iPad that you carelessly left on the coffee-shop table as you order another skinny latte, or who lifts it from your bag on a crowded train or bus will have no problem turning it on and gaining instant access to your stuff: your email, your Facebook page, your passwords, personal information…. Your life.

If it never leaves the home then maybe that’s a different story. But wait: burglars can and do steal computers if they’re small enough to walk away with without looking suspicious, and I believe an iPad qualifies. Or your small (or not so small) child — or lodgers or whoever — can come along and press all sorts of buttons with neither let nor hindrance, leading to all sorts of weirdnesses.

Aren’t we lucky the iPad is so convenient?

A combination of username and password is not the most secure way of protecting data but, when balancing convenience against security, it’s good enough and should deter most thieves.

Many years ago, my IBM ThinkPad laptop was among the goodies taken away by a burglar and, about three years later, I received a phone call from someone (who purported to be and might well have been an innocent buyer) who had managed to find out where it came from and wanted the password for it.

Of course I refused, not knowing where the machine was, who had it, or what stuff that I wanted might still be on it. But I was satisfied that the ThinkPad has industrial-strength, password-protected encryption and that the data would be unavailable to whomever: they would have to wipe the disk to make any use of the machine.

So when you read that convenience is the sole criterion of value, think hard: data on portable devices can end up anywhere and instant-on could mean instant bye-bye to your personal data. So if you have one, use the password feature. It might be a little inconvenient most of the time, but it will be very convenient the one time it’s really needed.

Kroxxu botnet’s secrets revealed

Avast’s Jiri Sejtko, head of virus research at the company’s virus lab, has written a fascinating account of how he tracked down Kroxxu, a botnet based on infected websites with the aim of stealing passwords.

Since its inception in October 2009, it’s grown to become a network with over 10,000 redirectors, 2,500 PHP redirectors, and over 700 malware distribution sites. The 15 redirectors used in the longest active connection send visitors through seven countries in three continents to infectious exploits, with many of the zombie machines enduring 90 days or more.

It’s worth checking out.

25 October 2010

Privacy or security is your choice

Should your ISP be monitoring your connection? According to this story, that’s what’s starting to happen in Australia, where the government has mandated that computers spewing spam or malware must be shut off from the Internet. And the only way to do that is for your ISP to invest in some pretty heavy-duty gear to peer into every packet their customers send and receive, in order to ensure that there’s nothing nasty lurking inside.

The pluses are that it helps make for a safer Internet. The downside is that your ISP is spending more money that it’ll have to recoup somehow — guess how — and that it’s looking at your data. Right now, it’s only interested in malware – but what happens if government policy changes?

You can hear the conversation now: “Well Mr ISP, you already have the mechanism to look at everyone’s data, how much harder can it be to check for dissidents, or those with a criminal record?” The answer will be: not very. And that’s the top of a very slippery slope.

So it’s a choice: be secure or be private – you can’t have both. The best protection we can all have is the protection we ourselves provide, so that the government does not feel the need to step in with legislation. It’s illegal for them to look into your mail or listen into your phone calls, so why should your email not be subject to the same privacy?

Keep AV free!

Free anti-virus is here to stay – and it works. As someone who’s been using free AV tools for over 10 years and never had a problem, I can testify to that. And about one in four UK PC users uses Avast to protect themselves, with about 42 percent using free AV software worldwide, according to security experts at OPSWAT.

So how does it work? Companies such as Avast give away free AV software in the hope that you and I will find it so compelling that we need to upgrade to a paid-for version. Many do. Those who don’t get exactly the same level of protection but don’t get added features, such as a firewall, anti-spyware and other security measures. If you’re covered already, that’s fine.

And long may it continue.
