GPSolo Technology & Practice Guide - June 2006
Security on the Go
These days, we all seem to be in love with the extreme ease of information access. This access can be from our home computers, our laptops, our PDAs, our smartphones, or the public computer in the hotel lobby. Our confidential information can be stored on our laptop hard drives, our telephones, or those cool (and easily lost) thumb drives. What is available to secure our communications and storage of information? Should we really worry overmuch about protecting our data? How can we continue to maintain mobility and still operate in a secure fashion? In a world where laptops are among the most frequently stolen items and data theft is on the rampage, a little reassurance is in order. So we’ll identify some obvious and some not-so-obvious things that you can do to protect your data and help you sleep well at night.
Thumb drives, flash drives, jump drives—these are all names for small electronic storage devices that appear as another disk drive to a computer. We copy our client files to a thumb drive and take them home for the weekend so that we can continue to work on the case. We may keep our firm’s financial data on a thumb drive as a backup. No matter what we store on these wonderful, small devices, it is subject to theft if we happen to lose the thumb drive. Some vendors provide a lanyard so that you can hang the device around your neck, but how many of us do that? More often than not, we attach it to our keys or just stick it in our pocket (it’s too hard to insert the drive into a computer with all those keys attached, anyway). The bottom line is that the data is stored on these portable devices in an easily accessible fashion. Pull out your wallet and accidentally your thumb drive falls on the ground. Put your thumb drive on your desk and walk to the restroom to find that it has vanished upon your return. Leave it accidentally on your hotel room desk only to find it grew legs while you were out at dinner. Anybody that finds your lost thumb drive can connect it to a computer and read the contents—unless you encrypt.
Annie Attorney Says:
You need to take extra precautions when working outside the office.
Don’t bother to password protect your documents unless you intend on using “strong” passwords (i.e., containing letters, numbers, and symbols). And also bear in mind that many password-cracking tools can blow through any passwords created in a document’s “native” software (e.g., MS Word, WordPerfect, Excel, etc). Turn to a third-party software package to encrypt the thumb drive contents, or use the encryption software that comes with the thumb drive itself. Some vendors provide encryption software that has the ability to define a secure area of the drive for encrypted storage.
Laptops are the number-one item lost or stolen at airports (and high on the list of items stolen from hotels), so protection is imperative. The first defense is to configure a power-on password so no one can even operate your computer without it. This is a simple thing to do and is achieved by changing the setting in the “basic input/output system” (BIOS). But don’t think that you are totally safe just because you have set a power-on password. If someone really wants to gain access to your data and steals your laptop, it’s easy enough to remove the hard disk from the laptop, connect it to a special adapter, and then connect it to another computer in order to read the drive contents. Some models of the Lenovo ThinkPad prevent this type of access by requiring that the hard disk be inserted in the ThinkPad, effectively “marrying” the hard drive to the actual laptop.
If you are in the market for a new laptop, consider buying one with biometric access. In the last issue of the Technology & Practice Guide, Daniel S. Coolidge warned that many add-on biometric devices are easily fooled and can actually compromise your security, rather than enhance it (see GPSolo, vol. 22, no. 8, December 2005, www.abanet.org/genpractice/magazine/dec2005/biometric.html). Built-in biometrics are very different from those add-on USB readers. Built-in biometric devices require you to swipe your finger across the reader, instead of merely laying your finger on a pad (the latter procedure can be fooled by such high-tech devices as a Gummy Bear). In addition, built-in readers are used in combination with a password (again, make sure it’s a strong one) to further enhance security.
Just as you would restrict access to thumb drives, encrypt the contents of your laptop’s hard disk. You can encrypt all or a portion of the drive. PGP Desktop Home 9.0 ($79; www.pgp.com) creates a virtual PGP-encrypted disk. You merely mount the PGP disk, which shows up as another hard drive to your computer. Drag and drop files to the virtual disk and they are stored encrypted. Don’t forget to unmount the virtual disk when you are done. Encrypting the complete drive is a little more risky, especially if you forget your password and can’t access the hard drive. If you encrypt the whole disk, make sure that you create an administrative override ID that can unlock the drive in an emergency.
It is no longer an option merely to install anti-virus software to protect you from viruses, worms, and Trojans. Today the threat of spyware is growing by leaps and bounds, and it demands particular attention. You’ll need to install anti-spyware software along with your anti-virus installations. Don’t flinch at the additional time and expense—the confidentiality of your client data is worth it. Lavasoft’s Ad-Aware (www.lavasoft.nu/software/adaware) and Spybot Search & Destroy (www.safer-networking.org) are two of the most popular free anti-spyware packages. The main problem with such free packages is that they lack real-time protection and automated updates. You have to remember to manually update and scan your systems. Would we take that risk? Nope. We’ll fork over the cash gladly to remove the “idiot factor” (us) from the equation.
Two highly rated paid anti-spyware applications are Webroot’s Spy Sweeper ($30; www.webroot.com) and Sunbelt Software’s CounterSpy ($20; www.sunbelt-software.com). You should run at least two anti-spyware applications because no single package will catch everything. Install one of the paid, automatic products and periodically run a manual scan with one of the free products. Because we have very little success convincing our own clients to run two anti-spyware programs, go ahead and start with one. Better something than nothing. Over time, the depth and breadth of this problem may persuade you to add a second line of defense.
Why do you need to worry about spyware? Normal Internet browsing activity exposes your computer to the installation of spyware that may be capturing your keystrokes, search terms, or personal information and transmitting it to a third party without your knowledge. Not only do lawyers have to be concerned with the loss of their own personal data, but they have an ethical responsibility to safeguard their clients’ information. Remember the “prudent man” standard? Have no doubt, the prudent man would attend to the threat of spyware.
Certainly you need to have a firewall for your communications connections to ensure privacy. The simplest and easiest for a home or office network is to install a router that does network address translation (NAT). This means that there is one public IP address on the “outside” of the router that connects to the Internet, and the internal network is translated into a private network. Typically, the internal network will be a 192.168.x.0 network. To further secure your network, change the default network address to something other than the factory setting. As an example, if the default network is 192.168.1.0, change it to something like 192.168.198.0. This makes it a little harder for the potential hacker to discover.
Windows XP with Service Pack 2 contains a software firewall. Make sure that it is enabled. A firewall doesn’t do you any good if it isn’t operational. Also, consider replacing the Windows firewall with a third-party software product such as Symantec Personal Firewall (www.symantec.com) or Zone Alarm (www.zonealarm.com). The Windows firewall does not monitor suspicious activity that originates from your own computer, whereas products such as Zone Alarm monitor for activity that may indicate a compromise of your system. As an example, you may have spyware installed that has turned your computer into a zombie machine, capable of transmitting spam without your knowledge. Third-party firewalls watch for such symptoms and either block or warn you of the activity.
Everyone seems to get excited about the prospect of free wireless (WiFi) Internet access while staying in a hotel or the wide-open wireless cloud at the local deli or coffee shop—or legal conference. Certainly, wireless clouds make it very easy to connect to the Internet and begin work on your e-mail or client files. The problem? It’s also easy for someone else to monitor your traffic because it is sent in clear text. We cannot tell you how easy it is for us to monitor the actions of other wireless cloud users, although we hasten to add that we have only done this for demonstration purposes.
The sheriff in town is the virtual private network (VPN). The VPN encrypts the connection between your computer and the receiving machine. At a minimum, use a VPN connection when connected to public hotspots. As with other security measures, don’t believe that no one can monitor your transmissions if you use a VPN. What if there is a keystroke logger installed on your computer that you don’t know about? Here’s one scary scenario of your laptop being compromised when you thought you were safe:
Prior to taking a business trip with your laptop, you allow your teenage son to use your laptop to surf the Internet from your home network. He installs a P2P (peer-to-peer) file-sharing application to download music files. Unfortunately, the P2P software also installs a keystroke logger and Trojan horse. Your son had no idea that this was happening, but that sure doesn’t change the result. Off you go on your trip to take depositions of the opposing witnesses. While away, you decide to check your e-mail at the local Starbucks. You are very aware of the insecurities at public hotspots. Not to worry . . . you fire up your VPN software and connect to the law firm’s network using an encrypted communication connection. Sorry, but the keystroke-logging software captures your user ID and password for invoking the VPN software and sends it to the bad guys. Once the information is transmitted and they see that they have a juicy target (a lawyer’s computer—wahoo!), they decide to monitor your connection and see all of your e-mail messages (with attachments, too) and read your responses in real time. The scent of malpractice, as well as Sumatra coffee, may be in the air.
With the recent worries over the BlackBerry network, more and more people are moving to alternative devices and also replacing their cell phones with convergent or Smartphones. Smartphones are cell phones that also have the ability to send and retrieve e-mail, run applications, process e-mail attachments, and manage calendaring and contacts. Besides the BlackBerry (www.blackberry.com), popular models from Palm (such as the Treo, www.palm.com) and Samsung (www.samsung.com) are being purchased by many lawyers wanting a full range of functions from a single device.
How do you secure the information on a Smartphone? At a minimum, configure a password in case your phone gets lost or stolen. In addition, set the phone to lock after a period of inactivity, thereby requiring a password. Many lawyers view this “lockout” or screen saver function as too inconvenient and will not enable it. If you think entering a password to unlock your phone is inconvenient, try explaining to your largest client that you just lost your phone containing your latest deposition schedule, expert witness contact info, strategy meeting reminders, and case notes.
Consider getting some encryption software for your phone. Smartphones may have alternative network communications ability, too. The phone could be equipped with WiFi, Bluetooth (short-range wireless), and/or infrared abilities, all of which can be scanned and monitored. Disable the communications methods you don’t need and only turn them on when you need to use them.
You can even remotely wipe data from a phone if you have Microsoft Exchange 2003 with SP2 and a Windows Mobile 5 device with the Messaging and Security Feature Pack. The administrator can remotely issue a wipe command to a lost phone, or it can be programmed to wipe automatically after a certain number of invalid login attempts. This is a particularly nice advance in defeating the bad guys of the world. As cartoon villain Snidely Whiplash would say, “Curses! Foiled again!”
We’ve already touched on some of the issues with wireless connections and VPNs, but let’s go into a little more depth. At a minimum, you should change all of the default settings on your wireless networks. This includes the administrator access (ID and password), the network addressing, and the network name. Don’t broadcast the name (SSID) of the network, either. Consider configuring a media access control (MAC) filter. This means that you enter the hardware MAC addresses for only those devices you want to connect to the wireless cloud. It is easier to spoof the hardware address (i.e., use software to present a false MAC address that is different from the true physical address of the device) for a wireless device than a wired one, but it’s better than nothing. Practically speaking, hackers will go to another cloud if they encounter even the slightest difficulty connecting to yours. A lot of low-hanging fruit is out there. The effect is like having a big “Protected by Acme Security” sign in your front yard—even when the system belonged to a previous owner and you have no security at all.
It still amazes us that more of our colleagues don’t lose their equipment on the road. In your office or home, you can physically secure your equipment fairly easily. You know where the equipment is, and people have limited access to it. When you are mobile, however, do you always know where or how secure your equipment is? Your laptop and telephone are the two major pieces of mobile equipment to protect. Normally, the phone is always physically attached to your hip or ear. But the laptop is another story. A large number of people just leave it in their room when they go out to breakfast, dinner, or the workout room. This leaves the laptop totally unsecured and a tempting target for the cleaning crew. It is inexpensive (less than $50) to buy a security cable lock. Lock the laptop up when you leave and make sure you attach it to something secure in the room. We often use the mattress frame, for instance. Good hotels are not immune to thieves. Do you really want to take any chances?
The Bad New World
In years gone by, it was common to go outside on cold mornings and start the car so it could warm up. A recent report from Maryland states that those are now the cars most commonly stolen. We’ve always had credit card fraud and identity theft, but only recently has it gotten so bad that you can’t turn on the TV without hearing another horror story. In sum, perils beset us on all sides. The smarter we get, the smarter the bad guys get. But in the end, we must do the very best we can to ensure that our clients’ data remain secure. It is possible for you to try your very best and fail, but as attorneys, we dare not fail to try.
John W. Simek and Sharon D. Nelson are, respectively, vice president and president of Sensei Enterprises, Inc., a legal technology and computer forensics firm based in Fairfax, Virginia. They can be reached at firstname.lastname@example.org or via their website, www.senseient.com.