Wireless Networking Is Often Too Insecure
Setting up a secure wireless network that authorized users can actually access without difficulty is often frustrating and time-consuming, which is one reason that a lot of wireless network users do not implement whatever security their hardware allows. I know of several law offices that were apparently not even aware that neighbors were accessing the Internet through their unsecured wireless connections. I will not use a wireless network connection where business or other confidential data might be silently compromised. Wireless networking is also very slow compared to the sort of fast hard-wired Ethernet connections that are now standard equipment.
A few years ago, I spoke about computer security at the American Bar Association’s annual technology conference in Chicago, placing a twenty dollar bill on the podium and challenging audience members to see whether they could connect to my notebook computer. It took some of the audience members less than three minutes to do so, even though there were no nearby Internet “hot spots”. Most people don’t realize that the wireless connections of a Windows XP computer can silently make direct ad hoc connections to other unsecured XP computers such that a stranger can read your files and write to them without your knowledge. Indeed, in my own experiments, I’ve seen how a third-party computer can even use XP’s network bridging feature to surreptitiously connect from one notebook computer’s wireless card to another wireless-equipped computer and then use that rogue wireless connection to further connect to a business’s theoretically more secure hard-wired network. Later that day, while waiting at O’Hare Airport for a flight back to Alaska, I startled a group of traveling Airborne soldiers by simply turning on my notebook computer, watching as it detected and connected to powered-up notebook computers being carried down the concourse. These people, of course, had not implemented even the rudimentary wireless network security available a few years ago. Personally, I physically turn off all electrical power to my notebook computer’s wireless connection. That’s probably secure enough. By the way, Bluetooth devices are probably even less secure.
Microsoft announced a few weeks ago that it was automatically pushing a critical security correction to the tens of millions of Windows XP systems. Generally, when Microsoft tries to automatically install a security update on the average user’s computer, no questions are asked. In this case, questions should have been asked. The security patch seems to cripple many existing anti-virus programs, which in turn prevent Microsoft’s own Email and Internet Explorer programs from even connecting to the Internet. That’s too secure. Thousands of users were affected, myself included.
After a number of phone calls to technical support and a fair bit of experimentation, I found that attempting to simply update security software either failed to solve the problem or became totally impractical because the glitch prevented any contact with the vendor’s web site in the first place. The only reliable solution that I found was to totally uninstall the Internet anti-virus and security program (not very secure there!), go directly to the vendor’s web site, download the most recent anti-virus program version, and then completely reinstall and reactivate the anti-virus and Internet security software, a time-consuming and irritating exercise, assuming you can even find your old software license key and activation codes.
Not being able to access the Internet at all is probably the ultimate in network security, but that’s carrying matters rather too far.
Suggested Solutions: If possible, entirely avoid wireless networking for your law office premises. Hard-wired networking is much more secure and much faster, sometimes as much as 20x faster. Recall, for example, that a key Allied advantage during World War II was that the Germans and Japanese often transmitted data by encrypted radio signals susceptible to collection and analysis rather than by secure landline cables. Both countries falsely believed that their signal traffic could not be deciphered, much to their detriment.
If you have little choice except to use wireless networking, then be sure that you prevent unauthorized access both to your overall wireless router/hub and also to individual computers that use any sort of wireless connection. As mentioned above, both the wireless network hub and individual computers are susceptible to unauthorized connections.
The fundamental principle is to ensure that your computers and your network hub will connect only to each other and that they properly authenticate themselves. You are only as secure as your least secure wireless-connected computer. Remember that unsecured Windows XP computers can connect directly with each other and do not need to go through a wireless hub. Once an outsider connects to a weakly protected computer that in turn is connected to other systems, those other systems become vulnerable.
Earlier wireless security schemes were generally called Wireless Encryption Protocol or WEP. Unfortunately, a technically savvy 12 year old can crack WEP. The encryption key is so short and insecure that you can download free programs from the Internet that can crack WEP with a handheld device and then start reading your files from across the street.
A newer security protocol is WPA2, which is generally more secure, and should be used. Unfortunately, wireless security is hardware-based, so ALL of your hardware and all of your computers must support WPA2 or it cannot be used. Older WEP class wireless hardware will not under any circumstances connect to WPA2 wireless security hardware. Hence, older wireless hardware must be replaced or updated if you plan to use WPA2 to protect a wireless network.
If you need to access data from outside your office, then there are several approaches. One is to use an Internet data repository. These can be quite simple, as with Adobe’s Acrobat.com or may be tailored to large, complex matters involving dozens of lawyers throughout the US. In the latter case, you’ll need to work with a company that specializes in serving as a secure data repository. CaseShare, located in Denver, comes to mind.
Metadata is unseen background data contained in a document that describes information about the document itself, such as internal comments, Acrobat bookmarks, prior editing such as deletions or additions, when a document was composed or modified, and by whom. In some contexts, such as electronic discovery and litigation, metadata can be as important as the face document itself because the metadata helps ascertain the credibility of a document. Some bar associations have opined that attorney-generated documents that are shared with opposing parties should not contain the originating attorney’s metadata to avoid breach of work product and attorney-client privileges. You should remove any attorney metadata before sending electronic documents to the other side. This can be done easily using base features of Adobe Acrobat 8 or 9 and of the more current versions of Microsoft Word.
On the other hand, a client’s metadata that is created by a program as a regular part of that program’s day to day operation is important and should be discovered and disclosed under both the 2006 revisions to the federal Rules of Civil Procedure and state analogues. Client metadata thus should probably not be removed from electronic files that are being discovered or disclosed.
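The metadata categories described above (author, last editor, timestamps, comments, tracked insertions and deletions) can be checked before a Word file leaves the office. The following is an added example, not part of the original article: it assumes the file is a Word 2007 or later .docx package, and the sample document it builds is constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used inside Word 2007+ (.docx) packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
CORE_FIELDS = {
    "author": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}


def audit_docx(data: bytes) -> dict:
    """Summarize the metadata a .docx would carry to its recipient."""
    report = {"core": {}, "comments": 0, "insertions": 0, "deletions": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        if "docProps/core.xml" in names:  # who wrote it, who edited it, when
            root = ET.fromstring(pkg.read("docProps/core.xml"))
            for label, tag in CORE_FIELDS.items():
                node = root.find(tag, NS)
                if node is not None and node.text:
                    report["core"][label] = node.text
        if "word/comments.xml" in names:  # reviewer comments
            root = ET.fromstring(pkg.read("word/comments.xml"))
            report["comments"] = len(root.findall("w:comment", NS))
        if "word/document.xml" in names:  # tracked changes still in the body
            root = ET.fromstring(pkg.read("word/document.xml"))
            report["insertions"] = len(root.findall(".//w:ins", NS))
            report["deletions"] = len(root.findall(".//w:del", NS))
    return report


def findings(report: dict) -> list:
    """List the items to clear before the file is sent to the other side."""
    out = [f"{k}: {v}" for k, v in sorted(report["core"].items())]
    for key in ("comments", "insertions", "deletions"):
        if report[key]:
            out.append(f"{key}: {report[key]}")
    return out


def build_sample_docx() -> bytes:
    """Constructed sample: minimal package with an author, a comment, one edit."""
    w = f'xmlns:w="{NS["w"]}"'
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}">'
        "<dc:creator>A. Attorney</dc:creator>"
        "<cp:lastModifiedBy>P. Paralegal</cp:lastModifiedBy>"
        "<dcterms:modified>2009-01-05T17:42:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    )
    document = (
        f"<w:document {w}><w:body><w:p>"
        "<w:r><w:t>Our offer is </w:t></w:r>"
        '<w:del w:id="1" w:author="A. Attorney"><w:r>'
        "<w:delText>$50,000</w:delText></w:r></w:del>"
        '<w:ins w:id="2" w:author="A. Attorney"><w:r>'
        "<w:t>$75,000</w:t></w:r></w:ins>"
        "</w:p></w:body></w:document>"
    )
    comments = (
        f'<w:comments {w}><w:comment w:id="0" w:author="A. Attorney">'
        "<w:p><w:r><w:t>Client will accept less.</w:t></w:r></w:p>"
        "</w:comment></w:comments>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("word/document.xml", document)
        pkg.writestr("word/comments.xml", comments)
    return buf.getvalue()


if __name__ == "__main__":
    for line in findings(audit_docx(build_sample_docx())):
        print(line)
```

An empty findings list after running Word's own metadata removal is the result to look for on attorney-generated files; client files produced in discovery should be left as they are, as noted above.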
Other Aspects of Data Protection
Ethical obligations involving electronic data extend beyond preventing inadvertent disclosure or hacking. You also have an obligation to ensure that your client data is protected from loss and that your practice operates continuously and effectively to further the legitimate interests of your clients.
Protecting your computer data is as basic as locking your house or car and buying basic insurance to protect you in case of loss. Extending this analogy, computer security has two components. An electronic “lock” protects you against those who might invade your privacy and misappropriate or vandalize your data. That’s where network security and, as appropriate, data encryption, come into play.
Physical security on the other hand, including data backup, protects you against physical loss such as fire or theft. These components require different actions by you. I’ll address physical loss first because, in some ways, it is more straightforward.
Casualty losses such as fire or flood damage and thefts of computers and related equipment like printers are fairly common. Your best bet under these circumstances is to ensure that you have adequate physical security for your premises, that highly sensitive data is encrypted, and that you maintain enough insurance that includes replacement coverage for office equipment. In that regard, it’s no different than protecting any other sort of valuables with one exception: you’ve also lost a great deal of crucial information unless you back up your data every day. I have had clients who failed to ensure that their business data was regularly backed up and who went out of business after their premises and business equipment were destroyed by fire. In fact, losing the bulk of your business data is one of the surest paths to business problems.
Electrical damage from sudden power loss or high voltage surges can be obvious, such as smoke rising from your system. More common, though, is subtle damage such as scrambled accounting programs and other databases. These sorts of programs are among the most commonly used by businesses and among the easiest to scramble due to uncontrolled shutdown in the event of a power loss or rogue voltage spikes in the event of a power surge. Most insurance policies will not cover hardware failure or data loss arising from either voltage surges or power failures. You’re on your own in these circumstances. Luckily, it’s pretty easy and inexpensive to cover yourself.
Another threat to your data is hardware failure, whether a hard disk that makes a sudden harsh grinding and then stops working or a gradual failure of a hard disk controller on your main system board that slowly scrambles your data until it becomes unusable. Proactive preventative maintenance, such as replacing network file server hard disks and hard disk controllers every 18-24 months, helps in this regard. Activating S.M.A.R.T. hard disk monitoring, when supported by your hardware, can also alert you to hard disk failure. Even better is the use of a RAID 1 or RAID 5 disk array. RAID disk arrays use multiple hard disks to store your data in a redundant manner such that the failure of any one hard disk does not lead to data loss. However, once a single drive fails, you should replace it immediately because you’ve lost any redundant data protection and the next failure will be fatal.
However, as much as 80% of all data loss happens because of operator error, whether your own or an employee’s, not because of fire, theft or hardware failure. That’s a grim statistic. Although your client confidences might not be compromised, your practice is.
A more recent data loss mechanism involves those tiny, ubiquitous flash drives and memory cards. There’s room on most of these miniature drives to store several large case files’ worth of PDF documents and they’re so tiny that their loss is both frequent and unnoticed. In fact, ALPS recently warned attorneys about the danger of compromising client confidences through lost flash drives and memory cards. Aside from simply being careful, you might consider encrypting any data that’s copied to such media but be aware that encryption can be a real hassle, particularly when you need to share data with many others. It’s probably best to reserve encryption for seriously secret stuff, not day to day Emails and files stored on an office network.
Once we understand why data is lost, it’s fairly easy to reduce the likelihood and consequences of loss. The most obvious step is to physically secure your premises and ensure that you back up your data every day, storing the data backups away from your office so that the same fire, theft or other casualty won’t result in loss of your backup data as well.
Data backup is generally now quite inexpensive and easy. Probably the easiest, most effective, and least expensive solution is to use the Windows backup program that ships as an Accessory to every Windows program installation. Although this program, archaically, still defaults to backing up to a floppy disk drive, the least reliable computer storage media of all, Windows Backup can be re-directed to other more reliable, faster media. I prefer using it with an external hard disk connected to a USB or Firewire port for routine daily data backups. This is the fastest and easiest approach. You should have at least three sets of external backup hard disks, rotating them so that any backup is made on the disk previously containing an older backup set. Use a different hard disk every day and be sure that you keep one hard disk backup set at least two weeks before reusing it, just in case of slow, subtle data corruption from a failing computer system or a human error that is not noticed immediately, both of which really do happen on occasion. Your total hardware cost will be around $500 to $600 for the three backup hard disks with their external cases and connecting cables. Be sure to get the highest capacity backup hard disks that you can easily afford. High capacity hard disks are now very inexpensive and a larger disk drive will give you more flexibility later.
Before starting to make a backup, be sure that you know all of the places where Windows might store data. You’ll likely be surprised. Make a full backup every day. “Incremental” backups tend to be unreliable and rather more complex to use when trying to restore data.
Making DVD or CD disks is a useful approach to sharing data or long term archiving of a small amount of data but they are not a reasonable alternative for daily data backup. Their data capacities are low and disk writing speeds much too slow. Reusable DVD and CD disks are not very reliable and you’ll need to sit around doing nothing but occasionally feeding a new disk into the computer, being sure that you’ve kept each disk in order and correctly labeled. On the other hand, if you use a large external hard drive, you can simply start the data backup process and go home, disconnecting the hard drive the next morning after the backup process is done. By the way, be sure to turn on Windows Backup’s verify after write feature.
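The point of verifying a backup, and of keeping older sets in case of slow, subtle corruption, can be made concrete with an independent check that compares every file on the data drive against its copy on the backup disk. This is an added example, not part of the original article or of Windows Backup: it assumes the backup is a plain file copy on the external disk, and the folder names and file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                # Read in 1 MiB chunks so large files do not exhaust memory.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare a data folder with its backup copy, file by file."""
    src, bak = tree_digests(source), tree_digests(backup)
    return {
        # Present on the data drive but never written to the backup.
        "missing": sorted(set(src) - set(bak)),
        # Present in both places but with different contents.
        "mismatched": sorted(n for n in set(src) & set(bak) if src[n] != bak[n]),
        # On the backup only (for example, deleted from the data drive since).
        "extra": sorted(set(bak) - set(src)),
    }


def demo() -> dict:
    """Constructed demonstration: one file skipped, one silently altered."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp, "D_drive"), Path(tmp, "backup_disk_A")
        files = {
            "clients/smith/complaint.txt": b"draft complaint",
            "clients/jones/will.txt": b"last will",
            "accounting/ledger.dat": b"\x00\x01ledger",
        }
        for root in (source, backup):
            for rel, body in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(body)
        # Simulate a backup that skipped one file and damaged another.
        (backup / "clients/jones/will.txt").unlink()
        (backup / "accounting/ledger.dat").write_bytes(b"\x00\x01ledgeR")
        return verify_backup(source, backup)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Run the comparison right after the backup finishes; a file edited on the data drive after the backup was made will also show up as mismatched.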
The remainder of your physical security methods are pretty straightforward: use a high quality, high Joule surge protector between the electrical wall outlets and all computing equipment, including computers, monitors, printers, incoming phone line, Internet, and other network connections. Be sure that you store your critical business computer data in a single spot that’s easy to identify and back up. I strongly prefer putting all of my Windows and application programs on a fast C drive but adding a second hard disk, a D drive, to my computers and storing all of my data in logically named folders on the D drive. That way, it’s easy to back up all of your data - just back up the D drive. The Windows default of putting several thousand documents and photos into an unsorted “My Documents” or “My Pictures” folder is basically awful and suitable only for computer dilettantes who have little valuable business data.
Connect a reliable uninterruptible power supply backup battery between each computer and network device and its surge protector, but be sure that you don’t connect any laser printers to an uninterruptible power supply. Laser printers draw so much electrical current that they’ll likely overload the UPS and burn it out. About every 18-24 months, have a skilled computer technician replace the D data drive with a new high reliability hard disk.
Finally and most importantly, train yourself and your staff to use your computer systems correctly and carefully, paying particular attention to confirming dialog boxes such as “Do you really want to delete this file” rather than just clicking through them until you realize that it’s too late. Even then, some “deleted” files can still be recovered from the “Recycle Bin” or using dedicated data recovery programs such as Undelete 2009 sold by Diskeeper Corporation at www.diskeeper.com
Basic Facets of Internet Security
The Internet is now a nearly indispensable and highly useful part of nearly everyone’s life. However, Internet communications can be likened to walking in a beautiful but snake-infested jungle: you need to watch where you step. Most importantly, train yourself, your employees and your families to be security conscious. Computer security is as much common sense and a security-conscious mind-set as it is a specific program or piece of hardware. For others to compromise your security, they must first have some sort of “in”, whether physical penetration, operating system security deficits that have not been identified and repaired, or the surreptitious installation of malicious software by infected removable storage media, from other infected computers on your office network, or delivered as an Internet payload.
Avoid the back alleys of computing that are likely to mug your data or privacy. Some types of web sites, especially those that your teens and children might be tempted to frequent, are obvious places to contract computer viruses and other malicious software (often called “malware”). Other Internet traps include Emails that solicit your assistance in supposed foreign money laundering schemes, alleged employment solicitations or other get rich quick schemes such as the ostensible request that you confirm an out of the blue award of a Wal-Mart card or some such to you. Other Internet sites look and sound like the real thing but are then silently redirected to scammers. This practice is termed “phishing” (fishing) but can be readily countered by turning on the “phishing filter” in Microsoft’s Internet Explorer 7 and by using some common sense.
NEVER give out personal and financial data in response to any sort of unsolicited Email. Be especially wary of unsolicited Emails to the effect that your login data or financial and bank account information should be verified or updated. These are often crude but sometimes effective attempts to get enough information to victimize the unwary. If you really must make changes, then do so by telephone to an independently verified telephone number to your bank’s service department or a known-good login site that you independently enter into your browser’s URL window. Be particularly careful about opening the attachments to unsolicited Email. This is a favored delivery mechanism for malicious payloads.
ALWAYS enable some sort of firewall program. Remember that Internet communication is a two way street. Just as “what goes up, comes down”, what comes in can also go out. There’s a huge amount of rogue software roaming the Internet that can be used, and often is used, to silently plumb every corner of your computer and export all sorts of data to persons artfully hidden behind several layers of the Internet. A firewall reduces the chance of someone beaming into your computer and exercising mind control over it. You can find the Windows firewall settings as a separate icon on the Windows Control Panel by clicking on Start, Settings, Control Panel, Windows Firewall. If you use the Internet to communicate between office and your home or a fixed remote location, then be sure that you set up what is termed a “virtual private network”, which uses a dedicated port for secure automatically encrypted two way communication over the Internet. A VPN requires special hardware enabled on each end with the same encryption keys, so it’s usable only when both ends are physically controlled.
One of the most important general security approaches is to ensure that your computer downloads and installs both routine and critical security and operating system updates from Microsoft. Although a few have been problematic, most work well and without fuss. You can turn on automatic updates by clicking on Start, Settings, Control Panel, Security Center.
Periodically make a manual check for other updates to your operating system and the proprietary software that interfaces your Windows installation and the specific hardware installed in your computer, such as video and network adapters. “Service Packs” are large comprehensive upgrades that address many different security and reliability issues at one time. As a general rule, your computer should have the most recent service pack installed but wait a few weeks after a new service pack is introduced before actually downloading and installing it. There are usually a few bugs that need to get fixed in the first days after initial introduction. Many programs will not even work properly if newer service packs are not installed.
To check for updates, click on Start, Windows Update. Internet Explorer will open and check what’s already installed on your computer and any available new updates. I suggest that you use the Windows Update “Express” option several times until Windows advises that there are no more critical items to be installed on your computer. Then, try the “Custom” option to check for any optional updates to Windows components, such as Media Player 11, or newer software “drivers” that interface your computer hardware and operating system. These are not necessarily critical items but probably should be installed in most instances. Some optional items, such as Media Player, may require a shutdown and restart after installation, followed by a further Windows Update, Express check to see whether your newly installed optional software itself requires some security or reliability patches or a service pack installation, which is often the case. One might believe, not unreasonably, that the downloaded optional components already include all necessary security and reliability fixes, but that’s not necessarily Microsoft’s approach.
Viruses and Other Malicious Software
When talking of network security, most people immediately think about intentional security threats arising from external sources - in other words, viruses, “spybots”, Trojan Horses, and other malicious software. In this context, the old maxim that “If you’re not a little paranoid, you’re not being sufficiently careful” is assuredly true.
There are numerous potentially serious security problems that have roamed the Internet so long that their exact genesis can be hard to pinpoint and, of course, new ones are added daily. Computer viruses and other malicious software are easy to write: 12 year olds can download virus writing software even though setting any malicious software loose is a serious federal crime. Viruses typically are designed to simply wreak havoc on your data and, less often, on your hardware. Other malicious software includes “rootkits” that burrow almost undetectably into the very core of your computer operating system and various forms of spyware that quietly send select data, and possibly keystrokes such as passwords and PIN numbers, to a remote, often obscure location.
There’s not a single general method of exchanging data that will always be secure without taking some precautions. At one time, most malicious software was thought to spread through floppy disks. Back then, malicious Email attachments, even “free” picture and screen saver files, were a primary source of external computer infections. More recently, malicious programs have been hitch-hiking within ubiquitous USB flash drives and even digital photo frames. In fact, the US Army just banned the use of flash drives until further notice due to the spread of viruses that threatened the security of military networks; new Chinese digital photo frames were recently found to include hidden security-breaching software that could transfer to your computer by hitch-hiking on your SD photo card. Are you feeling paranoid yet?
Yet, even if cyberdoom may someday occur, day to day computing can be fairly trouble-free if you take reasonable precautions. Avoid sharing data with users and computer systems that you don’t trust. Don’t open dangerous Email attachments such as executable programs and files with embedded macros. Set your Windows system to limit the access of Java and ActiveX scripts.
There are several basic lines of defense. First and foremost is to ensure that you have properly installed all Microsoft security patches. To do so, first, run Windows Update. Then, check whether your operating system’s basic security is current by running Belarc Advisor, available as a free download from www.belarc.com. Belarc is a recognized security provider to federal agencies and their free Advisor program not only does a comprehensive system audit but identifies any missing or improperly installed security patches and includes a link that takes you directly to the Microsoft web page that provides further information and, in most cases, a direct download of the missing security patches.
Another generally accepted, free security program is Spybot 1.6, which seeks out and deactivates spyware, a type of software that, in its least malicious form, silently tracks your web surfing behavior to create a marketing profile of you that is transmitted without your knowledge to third parties and perhaps sold to advertising companies or scammers. Internet “cookies” which track your access to various web sites are among the most common but typically most benign sort of spyware. Much more dangerous spyware exists and you should periodically scan your computer for it using either Spybot or the spyware component of Internet security suites such as AVG 8. One reputable source for Spybot is www.softpedia.org and the URL for Spybot 1.6 is http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/SpyBotSearch-Destroy.shtml.
You’ll need comprehensive security software to block attempts to infiltrate and infect your computer system. Norton Anti-virus used to be a favorite, in part because there was a time back in the old DOS command prompt days when Norton was about the only one around. Several years ago, the Norton-branded software started losing favor because it was a resource hog that slowed down computer systems by as much as 30% in my own tests and because its somewhat dated programming approach seemed to introduce instabilities into Windows computer systems. As a result, other anti-virus programs gained a foothold and ultimately expanded into fully functional security suites that now dominate the market.
At the moment, my favorite Internet security software is AVG Anti-virus, now in version 8, and typically purchased by paid Internet download although a free trial version is available. Grisoft (www.grisoft.com) publishes AVG Anti-Virus in the Czech Republic. AVG version 8 has several nice features: it’s updated several times a day and its subscriptions are both reasonably priced and run for two years. AVG 8 does not cause system instabilities and does not make heavy demands on a modern computer’s resources and hence will not perceptibly slow it unless it’s doing a full hard disk scan. The entire AVG security suite installs by default and is highly configurable to fit whatever blend of security, performance and ease of use most suits you. You can easily configure each AVG module using the “components” submenu from the main AVG menu bar and then clicking on the component that you want to configure. When you configure AVG 8, ensure that the system updates itself and scans your system at least daily even though scanning your computer temporarily slows it. Automatically scan all incoming and outgoing Email and web pages. Also scan all potentially infectable data and program files traveling solely within your system. Enable “heuristic” analysis that spots suspicious software behavior even if that software doesn’t match any currently known virus. Enable the “rootkit”, “resident shield”, “web shield” and spyware modules. Although AVG includes an optional firewall program, I still prefer using Microsoft’s Windows Firewall because it works more transparently. AVG’s firewall is so secure that I am often unable to even access my Internet connection and expose my system to potential virus infections and security breaches. Now, that’s secure!