October 23, 2012

Hit the Road, Jack: Secure Mobile Computing

Law Practice Magazine Logo
Differentiate! The Law Firm Marketing Strategies Issue

 Table of Contents | Features | Frontlines | Technology | Business

September/October 2009 Issue | Volume 35 Number 6 | Page 24



Hit the Road, Jack: Secure Mobile Computing

In the past few years, technology advances in remote-access solutions have come at warp speed. Gone are the days when you carried around a 50-foot phone cord wherever you traveled and desperately searched for an analog phone jack to use with the modem in your laptop. Thankfully, wireless is the word these days.

More and more hotels, conference centers, coffee shops, bookstores, cafés and other types of venues are offering wireless access solutions that allow mobile lawyers to quickly and easily connect to the Internet wherever they go. So let’s catch up on some of the central solutions here to ensure that you’re up-to-date on the options.

Put Security First

Before jumping into the details, it’s well worth reviewing some tools that should be on your laptop regardless of what other technology you use for remote connectivity. It goes without saying that you need an antivirus solution installed on your laptop. It should be configured for automatic updates and perform periodic full scans to catch anything that may have “landed” between the signature updates. It would be a total drag to catch a new virus and be the first kid on the block to suffer the effects, wouldn’t it?

Likewise, anti-spyware software is a must. Normally, Internet security suite products will give you both antivirus and anti-spyware capability, as well as other security features like firewalls, spam control and anti-phishing.

In addition, secure mobile computing for lawyers calls for some method of encryption to protect sensitive data. We prefer whole-disk encryption, which means that everything on the hard drive is encrypted. That way, you don’t have to remember to put files into special folders or on an encrypted virtual drive—something that humans all too often will fail to do when they’re in a hurry. Many newer laptops have built-in whole-disk encryption. But, to state the obvious, you must make sure you enable the encryption or your data won’t be protected. Also, encryption may be used in conjunction with biometric access. As an example, our laptops require a fingerprint swipe to power on—a very comforting thought should thieves make off with your laptop.

And now, let’s move on to some details about connection types.

Wireless Hot Spots and Clouds

Wireless is the rage of the road warriors. There are two basic types of wireless access. The first type is generically termed a “wireless hot spot” and is what you’ll find at your local Starbucks, Barnes & Noble, many hotels or the airport. You may or may not have to pay for the connection, although many businesses are offering free wireless as a way to attract customers. But watch out—most of these hot spots are unsecured. This means that it’s possible for your confidential data to be viewed by the person at the next table or the one sitting on the park bench outside the café. Does this mean you shouldn’t use any of these wireless clouds? Actually, the better question is what type of data will you be dealing with and how comfortable are you with the technology? We would say these clouds are best avoided by those who are technology-averse and don’t understand how to operate securely in an unsecured cloud. Read on, and determine whether you can safely be trusted to do what follows. Here are the core precautions you should take.

First, see if there is an option to get a secure connection to the cloud. The indication of that is if you have https:// as part of the URL. Frequently, though, the connections are unsecured and do not provide an encrypted session like the https:// connections do.

Be especially careful if you’re required to pay for the connection and have to input your credit card and billing information while you are at the activation screen. Do not enter any of this sensitive information without an https:// connection.

Once you’ve established a connection to the wireless cloud, be sure to use your VPN (Virtual Private Network) if you have one or another secure (https://) access method to protect your transmissions.

Some hotels may give you a wireless cloud that is already secured. Typically, such implementations use WPA (Wi-Fi Protected Access) to secure the data. This means the cloud will be visible to your computer, but you’ll be required to provide a password before your computer connects. Once connected, your data is encrypted and secure.

AirCard Devices and Plans

Another wireless connection method is commonly called an AirCard. These cards are used to connect to the high-speed wireless networks of the cellular phone providers. The major technologies in use today are EV-DO and 3G. Don’t be swayed by the vendor claims for speed and availability. Make sure that you’ll be able to have service in the areas you travel to the most. Connection reliability is another consideration, as well as whether you already have a cellular plan.

The AirCard itself is a hardware device that you connect to your laptop. They come in USB or PC Card formats. Since they are external devices, they can be used on any laptop. These devices can cost several hundred dollars, but most providers offer significant discounts. In addition, some newer laptops have the electrical circuitry built in so no additional hardware is required. The built-in capability means it is “married” to the laptop and can’t be transferred between machines.

The wireless service itself can be monthly or daily. The monthly plans measure the amount of data you transfer over the connection and charge you for any overage usage. Typically, the data limit usage is 5GB a month and will run about $60 per month. Verizon is currently offering a day pass, where you can get 24 hours of secure high-speed connectivity for $15 a day.

Obviously, you’ll want to purchase a monthly plan if you travel a lot or will use the service for more than four days a month. The AirCard is the preferred wireless connection because the data is secured from the very beginning, since the electronic circuitry itself and the cellular carrier provide a fully encrypted session immediately. Consequently, you don’t have to worry about whether you have an https:// session or not.

Remote Access to Your Office Files

Now that you have the secure connection, what’s next? E-mail access is pretty simple from most laptops, but what about working on client files? Larger firms will usually have an environment where you connect to virtual computers. We have a Microsoft Terminal Server environment, where multiple users connect to virtual machines. With this system, you connect and log in just like you would while you’re in the office. You would then have access to all your data just as if you were sitting in your desk chair. Citrix is another technology solution that provides the same function.

Smaller firms will typically use something like GoToMyPC or Log-MeIn. These products “take control” of a remote machine and pass keystroke, mouse movement and screen updates across the connection. This does require that the remote machine be powered on prior to you connecting, so be sure that you have a screen saver password set on the computer so nobody else can sit at your office keyboard and access your computer. These remote control solutions are very cost-effective and all communications go over a secure encrypted connection.

Public Computer Usage

A word of warning here: Be very careful about using a public computer such as those in the library or the business center of a hotel. Even if you are only accessing your Web-based e-mail account, that data is temporarily written to the local hard disk. There is also the risk that keystroke-logging software is installed on the screencomputer, thereby capturing everything that you do on the machine.

Does that mean public computers are off limits? Not at all. We are big fans of the IronKey hardware encrypted USB flash drive. Besides its drive encryption and secure management of passwords, the IronKey has portable applications that are intended to be used with public computers. As an example, there’s a specially modified version of the Firefox browser that doesn’t write any data to the computer. All data stays on the IronKey flash drive, thereby making it secure and keeping it with you when you leave. Of course, this does mean that the public computer has to accept the insertion of USB devices. Note that some business center machines are locked down and won’t allow USB devices to be inserted because it is a security risk to the business, as USB devices can be used to introduce malware to the machine or network.

Stay on Top and in Charge

The options for secure remote access have certainly changed quickly over the years. And doubtless they’ll keep changing along with the rest of the world. For now, make sure that you are aware of all the issues involved so you can securely transfer your data and that you are not relying on “antique” knowledge. You must assume that there is absolutely no protection of the communication stream between your laptop and your remote device. Seriously— we’ve been on hotel networks that didn’t have a firewall so all traffic was allowed to flow through. We immediately saw probing attacks on our computers, which were only stopped by our own firewalls on the laptops. It’s the Wild, Wild West out there and you’re the only marshal in town.

About the Authors

Sharon D. Nelson and John W. Simek are President and Vice President, respectively, of Sensei Enterprises, Inc., a computer forensics and legal technology firm based in Fairfax, VA. They are coauthors of The Electronic Evidence and Discovery Handbook: Forms, Checklists, and Guidelines ( ABA, 2006).