November 01, 2018

Hot Buttons

On the Road Again: Secure Mobile Computing

Sharon D. Nelson & John W. Simek

Lawyers are more mobile than they have ever been, but secure mobile computing remains an elusive goal. Wow, have things really changed. Technology has changed with remarkable speed, as have security threats and the “bad actors” who want your confidential data. We connect to our law firm networks from all sorts of wireless networks, at hotels, conference centers, coffee shops, the homes of our friends—even from airplanes now. Many of these connections are free, and many are fraught with peril.

It’s not just about traveling domestically either. It’s a brave new world, and crossing the border subjects us to searches of our electronic devices. Lawyers need to be aware of the new rules and how they can continue to keep client confidential information out of the hands of unauthorized people.

A great starting point is the National Cybersecurity and Communications Integration Center tips for secure mobile computing while traveling. There are tips for Holiday Traveling with Personal Internet-Enabled Devices, Cybersecurity for Electronic Devices and International Mobile Safety.

Software

Before we jump into the boring details, let’s cover some solutions that should be on your laptop no matter what other technology you use for remote connectivity. It goes without saying that you should have some sort of security software solution installed on your laptop. It should be configured for automatic updates. Security software is no longer just about antivirus protection and downloading virus definition files. Modern internet suite products contain security features such as antivirus protection, malware protection, firewalls, spam control and anti-phishing. Some products even use artificial intelligence to help protect your computer system. If suspicious activity is detected (e.g., something acting in a similar fashion to malware), the software will stop the action. No definition file needed.

Encryption

Secure mobile computing must contain some method of encryption to protect valuable personal and client data. We prefer whole disk encryption. This means that everything on the hard drive is encrypted. We don’t have to remember to put files into special folders or on the encrypted virtual drive. All too often humans are in a big hurry and may not save the data in the special protected encrypted areas. Many of the newer laptops have built-in whole disk encryption. To state the obvious, make sure you enable the encryption, or your data won’t be protected. Also, encryption may be used in conjunction with biometric access. As an example, our laptops require a fingerprint swipe at power on to properly boot. Failure at that point leaves the computer hard drive fully encrypted. A very comforting thought if laptop thieves, who constitute a large club these days, make off with your laptop.

There are even free built-in alternatives. Even if your laptop doesn’t have biometric access or hardware encryption, you’re probably using an operating system that includes encryption. If you are an Apple user, FileVault 2 encryption is included with the macOS. However, it isn’t enabled by default. If you are a Windows 10 Professional user, encryption is also included for free. Microsoft includes BitLocker encryption with Windows 10 Professional but not Windows 10 Home. Just like FileVault, BitLocker is not enabled by default. BitLocker is only available in the Ultimate and Enterprise editions of Windows 7. You really should be running Windows 10 Professional. You’ll need some sort of encryption software if you are running a version of Windows 7 that does not include BitLocker.
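Because neither FileVault nor BitLocker is enabled by default, it is worth confirming the state of each laptop rather than assuming it. The script below is an added example, not something supplied by the authors. It reads the output of the operating system's own status tool (`manage-bde -status` on Windows, `fdesetup status` on macOS) and reports a drive as protected only when encryption is both complete and active. It assumes English-language tool output and that the system drive is `C:`; the sample text is constructed.

```python
import platform
import re
import subprocess

# Constructed sample of `manage-bde -status C:` output (English locale):
# the drive is fully encrypted, but protection has been suspended.
SAMPLE_BITLOCKER = """\
Volume C: [OSDisk]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
"""

def bitlocker_protected(text):
    """True only if the volume is encrypted AND protection is switched on."""
    fields = dict(re.findall(r"^[ \t]*([A-Za-z ]+?):[ \t]+(.+?)[ \t]*$", text, re.M))
    conversion = fields.get("Conversion Status", "")
    # "Fully Decrypted" and "Encryption in Progress" both fail this test.
    return (conversion.endswith("Encrypted")
            and fields.get("Protection Status") == "Protection On")

def filevault_protected(text):
    """True only if FileVault is on and no conversion is still running."""
    return "FileVault is On." in text and "in progress" not in text

def check_this_machine():
    """Run the platform's status tool; None means the platform is not covered."""
    system = platform.system()
    if system == "Windows":  # manage-bde needs an elevated prompt
        out = subprocess.run(["manage-bde", "-status", "C:"],
                             capture_output=True, text=True).stdout
        return bitlocker_protected(out)
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"],
                             capture_output=True, text=True).stdout
        return filevault_protected(out)
    return None

if __name__ == "__main__":
    print("sample volume protected:", bitlocker_protected(SAMPLE_BITLOCKER))
    print("this machine protected:", check_this_machine())
```

The sample shows the case that is easy to miss: a drive that reads "Fully Encrypted" while protection is off, which leaves the data readable by anyone who has the laptop.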

Wireless

Wireless is the rage of all the road warriors. There are two basic types of wireless access you’ll encounter. The first is generically termed a “wireless hot spot” and is what you find at your local Starbucks, fast food location, library, hotel or the airport. You may or may not have to pay for these wireless connection services. Many businesses are offering free wireless as a way to attract customers. Most of these hot spots are unsecured. This means that it is possible for your confidential data to be viewed by the customer at the next table or the one sitting on the park bench outside the café.

Does this mean you shouldn’t use any of these wireless clouds? If you have a choice, we would say these clouds are best avoided by those who are technology-averse and don’t understand how to operate securely in an unsecured cloud. Read on, and determine whether you can safely be trusted to do what follows. Here are the precautions you should take. See if there is an option to have a secure connection to the cloud. This would be indicated if you use “https://” as part of the URL. Typically, the connections are unsecured and do not provide an encrypted session like the “https://” connections do.

Be especially careful if you have to pay for the wireless connection. Be wary when you are at the screens that have you input your credit card and billing information. Do not enter any of this sensitive information without an “https://” connection. Once you’ve established a connection to the wireless cloud, be sure to use your virtual private network (VPN) or other secure (“https://”) access to protect your transmissions.

Some hotels may give you a wireless cloud that is already secured. Typically these wireless implementations use Wi-Fi Protected Access 2 (WPA2) to secure the data. The cloud will be visible to your computer, but you will be required to provide a password before your computer connects. Once connected, your data is encrypted and secure from those not connected to the same Wi-Fi network. However, you should still use a VPN when sharing access to a public Wi-Fi network. The reason is that even if you need a password to connect to the WPA2 Wi-Fi network, it is probably using a pre-shared key. That means that all devices connected to the same Wi-Fi network are using the same encryption key. Some other device connected to the Wi-Fi could potentially “sniff” the data transmission contents. Using a VPN encrypts the transmission outside of the WPA2 encryption, making the data transmission secure.

While you’re at it, turn off Bluetooth whenever you are not using it. You may even want to consider not using Bluetooth at all, especially when traveling to some foreign countries.

Personal Hot Spot

An even better alternative to public Wi-Fi is to use your personal hot spot. Most users will accomplish this by enabling the hot spot feature on their cellphones. When you configure your smartphone, make sure you select WPA2 as the encryption type for the Wi-Fi network. The data connection (e.g., 4G, LTE, etc.) from your phone to the cellular carrier is encrypted. Selecting WPA2 will encrypt the Wi-Fi network, thereby providing a completely encrypted communication channel from your computer through the cellular provider.

Remote Access

We’ve dealt with some of the more common methods to provide secure communications. Now that you have a secure connection, what’s next? Email access is pretty simple from most laptops, but what about working on client files? Larger firms will have an environment where you connect to virtual computers. We have a Remote Desktop Services environment, where multiple users connect to virtual machines. You connect and log in just as you would while you’re in the office. You would then have access to all your data just as if you were sitting in your desk chair. Citrix is another technology solution that provides the same function.

Smaller firms typically use something like GoToMyPC or LogMeIn. These products take control of a remote machine and pass keystrokes, mouse movements and screen updates across the connection. This does require that the remote machine be powered on prior to your connecting. Be sure that you have a screen saver password set on the computer so nobody can sit at the keyboard at the office and access your computer. Cleaning crews are known to do this! These remote control solutions are very cost-effective, and all communications are over a secure encrypted connection.

If you use Outlook as your email client connected to an Exchange server, take the extra step and encrypt the communications. You are looking for the configuration item “Encrypt data between Microsoft Outlook and Microsoft Exchange.” Don’t worry if you are an Office 365 user. The traffic between Outlook and Exchange Online in Office 365 is encrypted regardless of the “Encrypt data between Microsoft Outlook and Microsoft Exchange” setting.

Public Computer Usage

A word of warning here. Be very careful about using a public computer, such as those in a public library or business center of the hotel. Even if you are only accessing your web-based email account, the data is temporarily written to the local hard disk. There is also the risk that some keystroke logging software is installed on the computer, thereby capturing everything that you do on the machine.

Does that mean all public computers are off-limits? Not at all. It’s fine to check the sport scores from the day before, but don’t do any sort of business on the machines. Because of the possible existence of keystroke loggers, even using a VPN won’t protect the data. The keystroke logger will just capture everything you type, including any passwords. We know it’s tempting to use the hotel business center computer to print your boarding pass, but resist the temptation. Once you log in to your frequent flyer account, the bad guys will have captured your authentication credentials. They then transfer all of your airline miles to an account they control. Remember ... those miles can be worth a lot of money.

Cloud Computing

Lawyers may want to consider moving their practices to the cloud. We have seen a huge movement to the cloud, especially by solo and small-firm attorneys. Office 365 has been a huge influencer for cloud adoption. Why move to the cloud? Primarily because cloud providers tend to have better security practices than most solo or small-firm lawyers. Also, having client confidential data in the cloud will protect it from being accessed by U.S. Customs and Border Protection personnel when crossing the border. In fact, Customs and Border Protection has clarified that it will not access any data in the cloud as part of a border search. Just remember not to synchronize any cloud data to your local electronic device until you are safely back in the United States.

Ethical Duties

Lawyers have an ethical obligation to protect client confidential information. The New York City Bar has reissued an ethics opinion dealing with “An Attorney’s Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients’ Confidential Information.” The digest of the opinion reads:

Under the New York Rules of Professional Conduct (the “Rules”), a New York lawyer has certain ethical obligations when crossing the U.S. border with confidential client information. Before crossing the border, the Rules require a lawyer to take reasonable steps to avoid disclosing confidential information in the event a border agent seeks to search the attorney’s electronic device. The “reasonableness” standard does not imply that particular protective measures must invariably be adopted in all circumstances to safeguard clients’ confidential information; however, this opinion identifies measures that may satisfy the obligation to safeguard clients’ confidences in this situation. Additionally, under Rule 1.6(b)(6), the lawyer may not disclose a client’s confidential information in response to a claim of lawful authority unless doing so is “reasonably necessary” to comply with a border agent’s claim of lawful authority. This includes first making reasonable efforts to assert the attorney-client privilege and to otherwise avert or limit the disclosure of confidential information. Finally, if the attorney discloses clients’ confidential information to a third party during a border search, the attorney must inform affected clients about such disclosures pursuant to Rule 1.4.

As we’ve previously mentioned, the Customs and Border Protection agents can’t search what you don’t have. That’s why we recommend using cloud services, especially when crossing the border. Also make sure you carry business cards and your bar card to further establish the fact that you are a lawyer and searching of your electronic devices requires special handling.

Final Words

The options for secure remote access have certainly changed quickly over the years. Every time we give a presentation on secure mobile computing, the presentation changes. So stay current in your knowledge and take a refresher CLE every now and again. It may be scary to hear of all the new threats and attack surfaces, but you can’t protect your confidential data if you don’t regularly refresh your knowledge. You remember all the references to WPA2 encryption above? Well, it has a vulnerability that has recently been discovered, known as KRACK attacks. The new WPA3 standard has been adopted, and we expect to see devices supporting WPA3 beginning in late 2018 and going mainstream in 2019. If you feel like cybersecurity moves at warp speed, well, it does.

Sharon D. Nelson

Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises Inc. She is a past president of the Virginia State Bar and the co-author of 16 books published by the ABA.

John W. Simek

John W. Simek is vice president of Sensei Enterprises Inc. He is a Certified Information Systems Security Professional and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, information security and digital forensics from their Fairfax, Virginia, firm.
