September 19, 2018 Feature

Technology—Property

Technology—Property provides information on current technology and microcomputer software of interest in the real property area. The editors of Probate & Property welcome information and suggestions from readers.

Data Security on the Internet

Computer data security should be a concern of all lawyers. The marketplace now offers many products promoted as tools to help firms keep their data secure. I have not had the opportunity nor the time to try out all the available products or attempt to test their effectiveness, and I don’t want to rely on the marketing claims of the products.

To give me a better understanding of the benefits and risks associated with software products, I performed a variety of searches listed in the sidebar on the next page. In this column, I am reporting my findings as the result of performing these internet searches. Each search yielded many items that could be looked at in greater detail. After reading the summaries given in the search results, I studied the products in detail. I then used my judgment to determine what to include in my report.

Lawyers have a responsibility to keep client information confidential. Lawyers frequently use computers in the office, at home, while traveling, and at a local coffee shop or restaurant with free public Wi-Fi for customers. The key question is whether the lawyer is undertaking any significant risk of exposing confidential material to others while doing so. If so, what can be done about it?

If a firm’s internal network is properly implemented with strong security for access to the system from the office, the firm’s documents on the computers and servers physically in the office should be protected, unless those documents are transmitted or stored on the internet. Without additional security, any information that is transmitted over the internet is available to be captured by others who may use that information for improper purposes. My understanding is that this is fairly easy to do. When data is transmitted over the internet, in addition to the actual data being sent, the transmission identifies the party who is sending the information.

To protect the data that is sent over the internet, firms can use one of the Virtual Private Network (VPN) systems that are available in the marketplace, some for free and others for a fee. VPN products are not all the same, and it is important to know the available features. One advantage of VPN is the ability not to let your Internet Service Provider (ISP) and others know the websites you are communicating with and what you download. Your ISP can see your IP address and consequently knows who you are. The VPN connection will hide your IP address so that the only IP others can see is the VPN server IP. When you use a VPN, data cannot be seen as it is transmitted between you and the VPN server.

In the process of sending data to one or more specific recipients, the data first goes from your firm’s server to the VPN server. The data is then sent over the open internet to reach your recipients. In this stage, the data can be seen by others, but nothing can be traced back to you. If you want to further protect the data after it leaves the VPN server, you can use transport layer security that provides for encryption of data in transit over the internet, including the data as it moves from the VPN server to the servers of the ultimate recipients.

In connection with hiding the identity of the party sending the data, it is important to note that VPN providers keep logs of the identity of the transmitters. Some VPN providers claim not to keep logs on the transmission of data that would provide IP numbers of the senders of data. From the material read for this column, there is clearly skepticism about the truth of the “no logs” approach. Other VPN providers claim to delete any such logs on a regular basis. One writer pointed out that the logs are reachable by subpoena by law enforcement agencies.

VPNs are not only used by companies, but they are now available for use by individuals for personal data protection. The level of encryption from one VPN system to another varies. The larger the bit number, the more difficult it is to defeat the encryption. A larger bit number slows down the rate of data transmission. 256-bit encryption can be very slow, and 128-bit encryption is considered by some as a good balance between speed and security.

In addition to encryption, two other VPN components frequently discussed are tunneling and authenticated connections. To understand tunneling, note that all data transmitted over the internet is split into small pieces called “packets.” On a VPN’s tunneled connection, every data packet is placed inside another data packet before it is sent over the internet. The process is called encapsulation. Third parties cannot access the packets within the packets. Authentication is a protocol that establishes a secure connection between the user and the server through the exchange of opaque messages known as “security tokens.”

A good number of security protocols have been developed as VPNs, each offering differing levels of security and features. It is obviously important for a VPN subscriber to understand the pluses and minuses of the security protocols available in the VPN systems to protect data while it is transmitted from the user’s office to a third party over the internet. VPNs allow individuals to spoof their physical location, so the user can make it appear that the message originates at a distant location or any desired location. One additional note of interest is that anti-virus software discloses the user’s identity on a VPN by transmitting a unique identifier that can be linked to the user.

A user’s data has greater vulnerability when being transmitted over a public network of the type available at airports, coffee shops, restaurants, and other places that make Wi-Fi available to their customers as a convenience and a way to attract more customers. Transmitting one’s data over the internet from such places provides a good deal of exposure of a user’s data to third parties looking to capture data on the internet. Many of the networks available at such places make it easy for their customers to access their network, and the passwords to enter such systems are often readily available.

Interestingly, at coffee shops and other facilities providing Wi-Fi, a user’s data is at risk even if the dishonest third party seeking to capture the user’s data does not access the facility’s network. These networks are usually wireless networks. Data is being transmitted wirelessly through the router for the network, and unprotected data packets are moving wirelessly back and forth through the network. Third parties can easily capture these data packets while the data is moving wirelessly. There are no protections from such capture unless the data packets are encrypted by using a VPN or another system installed on the laptop, phone, tablet, or other devices being used by a customer. In essence, the customers are freely broadcasting their data to anyone who knows how to capture it.

In discussing whether free VPN systems are as safe as fee-based VPN systems, it has been suggested that one way for dishonest third parties to capture a large amount of private data is to provide VPN service for free to build up a large subscriber base and provide secret access to the private data while it is on the VPN’s server. Such a dishonest VPN provider may grow its subscriber base quickly by providing excellent service and features at no charge. It was also suggested that dishonest VPN providers may make some of their VPN systems not quite as good as others, because some potential subscribers may be suspicious of the VPN systems that appear too good.

While dishonest third parties can capture data out of the wireless transmission in places where people are communicating over Wi-Fi, as mentioned above, some of these dishonest third parties have additional tricks up their sleeve. Some set up their own free network at a coffee shop, hotel, airport, or other facility. They assign a reasonable-sounding name to the network to entice users to use their network, perhaps even using the name of the facility as all or part of the network name. With this setup, all those customers at the facility who have unwittingly elected to use the dishonest third-party network have made their data available to be captured by said dishonest third party unless the user is utilizing a VPN.

Another tactic of a dishonest third party is to capture the keystrokes the user enters for the user ID and password, so they can wreak havoc with your account. There are also network sniffing software tools available to the dishonest third party to sniff out usernames, passwords, and authentication cookies on any computer connected to the same network. The user ID and password information may be available in plain text when the user signs in under the HTTP protocol, rather than the more secure HTTPS protocol. HTTPS is often used by websites for sign-in purposes to encrypt the ID and password. Websites also are increasingly using HTTPS to encrypt information in addition to ID and password.
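A firm can check its own sign-in pages for the plain-text exposure described above. The following is an added example, not part of the original column: it reads a page's HTML and reports where each form containing a password field sends its data. The host name portal.example and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LoginFormAudit(HTMLParser):
    """Record where each form containing a password field sends its data."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form = None      # form currently being parsed, if any
        self.findings = []    # one entry per password-bearing form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self.form = {"target": target, "password": False}
        elif tag == "input" and self.form is not None:
            if (a.get("type") or "").lower() == "password":
                self.form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.form is not None:
            if self.form["password"]:
                self.findings.append(self.classify(self.form["target"]))
            self.form = None

    def classify(self, target):
        if urlparse(target).scheme != "https":
            risk = "credentials sent in plain text"
        elif urlparse(self.page_url).scheme != "https":
            risk = "form delivered over http and can be altered in transit"
        else:
            risk = "ok"
        return {"target": target, "risk": risk}

def audit_login_page(page_url, html):
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a sign-in page served over https that posts to http.
SAMPLE_URL = "https://portal.example/login"
SAMPLE_HTML = """<form action="http://portal.example/session" method="post">
<input name="user"><input type="password" name="pw"></form>"""
if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE_URL, SAMPLE_HTML):
        print(finding["target"], "->", finding["risk"])
```

A finding other than "ok" means the ID and password, or the form that collects them, crosses the network unencrypted unless the user is on a VPN.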

This column does not address all the risks of exposing your data to dishonest third parties. Everyone must be alert to risks. For example, I regularly receive calls from someone claiming to be a Microsoft technician who advises me that Microsoft technicians discovered my computer is not working efficiently, and they need me to grant them access to my computer remotely to fix the problem. I am not suggesting you should never give remote access to legitimate Microsoft technicians. I have done so in the past when I contacted Microsoft due to a problem I was experiencing, and they have always solved my problems. The major difference in that situation is that I made the call (instead of receiving the call) to Microsoft to discuss a problem that I noticed, and I was certain that I was using a legitimate Microsoft contact phone number.

Clearly, users must take affirmative steps to secure confidential and other data from being captured by dishonest third parties. The recommended protective steps include:

• Use a VPN.

• Disable sharing in your settings.

• Turn off network discovery so that your computer or device won’t be identified to others on the network.

• Make sure your software is up to date, particularly your operating system, because updates often become available to protect the security of your system.

• Use passwords of at least 12 characters. The more characters in a password, the more difficult it is to decrypt.

The searches I made to obtain the information discussed in this report are the following:

Is the Cloud safe from hackers?

Is it safe to use Wi-Fi in Starbucks?

How does VPN keep the data you are transmitting from being available to others?

How to access data from other phones in Starbucks?

Can hackers get around VPN?

Is Cloud storage of documents safe from hackers?

How to capture keystrokes entered for ID and Password?
