Volume 18, Number 8
Lock Out The Bad Guys
Protect your firm's online activities
By Stephen J. Lief
You just bought new computers, set up your network, finally got the high-speed Internet access installed, and everyone's computers have been hooked up. The new programs are running, your people have been trained, and you've learned how to send instant messages to your colleagues so you don't have to pick up the phone or yell down the hall. Your law office has entered the information age.
Now all that's left to do is sit back and watch the productivity skyrocket, right?
Oh, how wrong you are. Unfortunately, the Internet contains hidden dangers that are only now being widely understood. IT and security specialists know that the very connections that allow you to cruise the Internet and send e-mail and instant messages can be turned against you. The average computer user has very little awareness of security issues. For lawyers, this problem is serious. Although having the e-mail you wrote to your college buddy read by someone else may cause some embarrassment, having a confidential brief or a discussion of strategy for an upcoming case intercepted could prove devastating.
Each type of communication, such as e-mail, instant messaging, or surfing the Web, uses a different protocol or series of rules for processing information. Your computer uses specific ports for each type of protocol. The protocols prevent unrestricted access to these communications. Without those protections, you are at risk. Hackers know ways to monitor where you go on the Internet. They can lock you out of your computer. People can "spoof" you (pretend they are you in e-mail) and say things or demand things from others in your name. Files can be copied, removed, or changed. And all of these things can happen without your ever knowing about it, until you try to access the information in question or find that your competitors mysteriously know your plans. When you connect to the Internet, if you do not have security software, all of the things described above could happen.
Getting In and Out
Many programs and systems can be used to make your computer and intranet (the group of interconnected computers in your office) secure. Starting with firewalls and proxy servers, which offer the first line of defense against attacks and unauthorized access from outside computers, and continuing with antiviral software, encryption technologies, and password protection, there are solutions for every aspect of computer security.
Firewalls. Firewalls are pretty much what they sound like: walls (though not of fire) between your computer and the Internet. Firewalls are programs that control and monitor access to and from the Internet. You can program your firewall to allow certain types of communications (e.g., e-mail, instant messaging, Web pages) or not allow them. Most firewalls also give you the option of blocking individual web or e-mail addresses. Some companies use this ability to block pornographic sites, news sites, or other Internet sites that are not work-related.
There are also firewalls that use stateless packet inspection. Such firewalls are more "intelligent" in that they will allow communication between your computer and a site on the Internet only when you initiate the contact. After a certain amount of inactivity, they shut the connection down and do not accept communication to or from the site until you request it. This helps when there is a possibility that the site or e-mail address you are contacting has lax security, or unreliable people who may attempt unauthorized access to your system.
If you allow a site or Internet address with lax security to have unlimited access to your computer, then your security becomes only as good as its security. If you are unsure as to the level of security other sites have, it is better to completely block them or make sure your firewall supports stateless packet inspection. Firewalls have components that scan the ports, like watchmen, checking to see if anyone is trying to get into your computer.
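The connection-tracking behaviour described above (replies admitted only on connections you opened, entries dropped after an idle period, chosen addresses blocked outright), as an added example that is not from the original article; firewall products generally call this stateful inspection. The class name, the 300-second timeout and the sample addresses are assumptions.

```python
IDLE_TIMEOUT = 300  # seconds; assumed value, real firewalls make this configurable

class ConnectionTracker:
    """Hypothetical minimal firewall state table (illustration only)."""

    def __init__(self, blocked_hosts=(), idle_timeout=IDLE_TIMEOUT):
        self.blocked = set(blocked_hosts)
        self.idle_timeout = idle_timeout
        self.flows = {}  # (local endpoint, remote endpoint) -> time last seen

    def outbound(self, now, local, remote):
        # Traffic you initiate creates (or refreshes) an entry, unless the
        # destination address is on the block list.
        if remote[0] in self.blocked:
            return "DROP blocked"
        self.flows[(local, remote)] = now
        return "ALLOW"

    def inbound(self, now, remote, local):
        # Incoming traffic is accepted only as a reply on a live entry.
        last_seen = self.flows.get((local, remote))
        if last_seen is None:
            return "DROP unsolicited"
        if now - last_seen > self.idle_timeout:
            del self.flows[(local, remote)]
            return "DROP expired"
        self.flows[(local, remote)] = now
        return "ALLOW"

PC = ("10.0.0.5", 50000)
SITE = ("198.51.100.7", 443)
# Constructed packet trace: (time in seconds, direction, source, destination)
TRACE = [
    (0, "out", PC, SITE),                  # you contact the site
    (1, "in", SITE, PC),                   # its reply
    (2, "in", ("203.0.113.9", 443), PC),   # a stranger you never contacted
    (3, "in", SITE, ("10.0.0.5", 3389)),   # known site, port you never opened
    (400, "in", SITE, PC),                 # reply after the idle timeout
    (401, "out", PC, ("192.0.2.66", 80)),  # destination on the block list
]

def replay(trace, firewall):
    verdicts = []
    for now, direction, src, dst in trace:
        check = firewall.outbound if direction == "out" else firewall.inbound
        verdicts.append(check(now, src, dst))
    return verdicts

if __name__ == "__main__":
    for packet, verdict in zip(TRACE, replay(TRACE, ConnectionTracker({"192.0.2.66"}))):
        print(packet, "->", verdict)
```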
Proxy servers. Proxy servers serve a similar function. Originally, proxy servers were intended to lighten the load of the primary servers by storing the most requested web pages, so the primary server would have more free space to perform other functions. Eventually it was realized that proxy servers could also function as a barrier to entry by intruders on the Internet. Proxy servers, much like firewalls, filter the connections to the Internet based on rules you give them: whether to block certain addresses or types of traffic, or not. A proxy server is like a manned checkpoint before you get to the front door. Your intranet is behind the proxy server, which itself is connected to the Internet.
The main difference between firewalls and proxy servers is that firewalls can be set up for an entire intranet, for a single computer, or even for a single computer on an intranet that is already behind a firewall. Proxy servers, however, are almost exclusively used to protect an entire intranet.
Now that you know how to control who and what gets in and out of your computers, there are a few other precautions that are necessary. Two simple procedures that you can employ are encryption technologies and password protection. These procedures add another layer of protection, just in case someone figures out a way to get into your computer.
Encryption is fairly simple, depending on the software package. The idea of encryption is to take something perfectly intelligible and make it gobbledygook, using a secret code. To encrypt a file, follow the instructions of the software you are using for encryption; decryption almost always requires a password. Passwords are secret words or phrases that only you know. When a password is entered into the dialogue box that asks for it, it allows access to files or programs. Only after giving the right word will you be allowed to enter. Encryption is available in different strengths. The strongest is usually just as easy and inexpensive to use as a weaker encryption and works in much the same way, so there is really no need to worry about getting encryption that is too strong.
Most experts suggest that you choose passwords containing numbers and letters, and avoid everyday words. Passwords can be very effective, but the greatest problem with them is the people who choose them. People are afraid that they will lose or forget their passwords, so they try to use something simple or common, or something that they know, such as a birthday or street address. These make the worst passwords. Hackers have dictionaries of passwords and programs that can run all the combinations of dates. The more "abnormal" your password is, the safer it will be.
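A password check a firm could run when passwords are chosen, rejecting the two weak kinds named above (dictionary words and dates); this is an added example, not from the original article. The word list, the date formats and the eight-character minimum are constructed assumptions.

```python
from datetime import datetime

# Common ways of writing a birthday or anniversary (assumed list).
DATE_FORMATS = ["%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y",
                "%m/%d/%Y", "%m-%d-%Y"]
# Constructed sample; a real deployment would load a large deny list.
COMMON_WORDS = {"password", "welcome", "letmein", "lawyer", "justice"}
MIN_LENGTH = 8

def looks_like_date(password):
    """True if the whole password parses as a calendar date."""
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(password, fmt)
            return True
        except ValueError:
            continue
    return False

def audit(password):
    """Return 'ok' or the reason the password should be rejected."""
    if looks_like_date(password):
        return "date"
    # "Justice1" or "2024Welcome!" is still a dictionary word once the
    # digits and punctuation around it are removed.
    core = password.lower().strip("0123456789!@#$%^&*.-_")
    if core in COMMON_WORDS:
        return "dictionary word"
    if len(password) < MIN_LENGTH:
        return "too short"
    return "ok"

def date_guess_space(years=100):
    """Upper bound on distinct date passwords across `years` years."""
    return years * 366 * len(DATE_FORMATS)

def random_guess_space(length=MIN_LENGTH, alphabet=62):
    """Passwords of `length` random letters (upper/lower) and digits."""
    return alphabet ** length

if __name__ == "__main__":
    for candidate in ["07041976", "Justice1", "2024Welcome!", "k7Qp2vXw9rTz"]:
        print(candidate, "->", audit(candidate))
    print("date guesses:", date_guess_space())
    print("random 8-character guesses:", random_guess_space())
```

A century of dates in every listed format is a few hundred thousand guesses, against hundreds of trillions for eight random letters and digits.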
Now that you have secured your computer and its contents, the only thing left is to secure all that information you send and receive from outside of your network. E-mails, instant messaging, and file transfers can contain dangers and can be intercepted. Viruses are well known, thanks to attacks by the Love Bug virus, the Anna Kournikova virus, the Melissa virus, and others. They wipe out files and waste time, eventually resulting in millions of dollars in damage and lost revenue. Close relatives of viruses (such as worms, Trojan horses, and other intrusive, unwanted programs) can be hidden in e-mail. Some of these programs are benign, with little or no damage caused. Others can create security breaches, steal information and passwords, or delete your entire hard drive.
Antiviral software is available at any computer store and is straightforward and easy to use, but you should be diligent and update the software as recommended. Computer viruses, like their biological counterparts, mutate, and new ones appear all the time. Updates are designed to counter these new viruses.
To avoid having your e-mail and instant messages read by third parties, the best solution is to encrypt all of your communications. Several programs encrypt e-mail, and a few offer ways to encrypt instant messages, but no program encrypts all communication. The e-mail encryption technologies are fairly advanced, yet most of the programs are confusing or difficult (though not impossible) for the layperson to use.
Encryption works by using key pairs, which consist of a private key and a public key. The private key is just that, a key that only you have. The public key is distributed to anyone who wants to send you an encrypted message. E-mail and other communications are encrypted using your public key, which can then be decrypted by your private key, and by your private key only. Because keys are random mathematical numbers that cannot be duplicated or decoded, they offer very high security. Anyone who intercepts an encrypted e-mail will get either a blank message or a screen full of still-encrypted junk. The public key will encrypt to the user's private key, but no information about the private key is contained in the public key. Thus, you can and would want to send your public key to everyone in the world without fear of them discovering your private key. Although it may be confusing to keep track of which key is encrypting to which key and when, the only thing you need to know is that the keys act as authenticators. Encrypting communication is the only way to maintain privacy over the Internet short of buying your own dedicated line or building your own Internet. Even then, if there is a connection to the public Internet, there are still security issues.
One of the by-products of e-mail encryption technology is the digital signature. You may have heard of this because Congress has passed laws that give digital signatures a legally binding status, and some other countries have followed suit. Digital signatures use the same idea as encryption, but in reverse. The sender encrypts a small message using his or her private key, which can then be decrypted by the public key. Because only the public key of the sender can decrypt a message encrypted by the private key of the sender, one can verify that the message, e-mail, or file was indeed sent by that particular sender.
The benefits of digital signatures are just being realized. Digital signatures not only confirm the sender but also can be used for various legal transactions, verification of files, and to indicate whether an e-mail has been intercepted. If you want to confirm receipt of an e-mail, digital signature techniques can provide the feedback.
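The key-pair relationship from the encryption and digital-signature paragraphs above, worked through with textbook RSA as an added example that is not from the original article. The key pairs are toy values built from well-known Mersenne primes and are not secure; the names SENDER and IMPOSTOR and the sample message are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by both toy key pairs

def make_keypair(p, q):
    """Build (public key, private key) from two primes. Toy keys only:
    real keys use large random primes and a padding scheme."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest(message, n):
    # The "small message" that gets signed: a hash of the full text,
    # reduced into the key's range.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

def encrypt(number, public_key):
    n, e = public_key
    return pow(number, e, n)

def decrypt(ciphertext, private_key):
    n, d = private_key
    return pow(ciphertext, d, n)

SENDER_PUB, SENDER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
BRIEF = b"Draft brief, privileged and confidential"  # constructed sample

def demo():
    signature = sign(BRIEF, SENDER_PRIV)
    return {
        # Signed by the sender, checked with the sender's public key.
        "genuine": verify(BRIEF, signature, SENDER_PUB),
        # Same signature, but the text was changed in transit.
        "altered": verify(BRIEF + b" (edited)", signature, SENDER_PUB),
        # Signed with someone else's private key.
        "forged": verify(BRIEF, sign(BRIEF, IMPOSTOR_PRIV), SENDER_PUB),
        # Encrypted with the public key, readable only with the private key.
        "roundtrip": decrypt(encrypt(20240, SENDER_PUB), SENDER_PRIV),
        "wrong_key": decrypt(encrypt(20240, SENDER_PUB), IMPOSTOR_PRIV),
    }

if __name__ == "__main__":
    print(demo())
```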
Beware of Human Nature
Once you have all of these bases covered, you can almost sit back and relax. The only thing you have to worry about now is human nature and human error. But, then again, if it weren't for human error, you might be out of a job. Human nature leads people to send out destructive e-mails containing viruses with provocative or enticing headers. This is called social engineering, taking advantage of people's inclination to look at an interesting or illicit e-mail, or even to believe something just because it is written down.
A recent example was an e-mail that contained no virus or hidden programs, but only recommended that a certain program be removed from the computer because, the author claimed, it contained a virus. People who believed the e-mail deleted a benign and helpful file from their computers. Some hackers have the audacity to call people up at work and, posing as IT professionals, ask for their passwords, and people will give them out without thinking. The only solution to these problems is to educate your employees and fellow workers about the potential dangers and the tricks hackers use.
Hackers and Crackers
Your computer connects to the Internet through protocol suites, a list of rules and common languages that control the flow of data to and from the Internet. The protocols were written for maximum efficiency but with no eye toward security, because the initial Internet users were scientists and other academics who wanted to share information freely. As commercial and personal use of the Internet grew, so did the abuse of these security flaws. "Hackers" started to explore this new cyberworld, finding holes and figuring out ways to exploit them. Most hackers do this for the thrill, for bragging rights, and to perpetrate pranks.
But there are some, referred to by other hackers as crackers, who use the information they gather for illicit purposes. Crackers use a variety of attacks. Depending on the attack, the results can range from crashing a computer to changing website content to stealing and holding for ransom information such as credit card numbers.
White-hat hackers (a reference to the white hat the good guys wore in Westerns) use the information they gather while hacking to publicize security problems. They post their findings about various programs and systems on websites or are hired as security consultants for companies. They, along with programmers, create software and systems designed to secure computers, communications, and files.
Stephen J. Lief advises his fellow attorneys on the latest in practical and profitable technology applications, including automated litigation support, document imaging, and voice recognition systems.