Networking Hardware | Security Software | Wireless Settings | Privacy Vendors | Encryption in the Cloud | iPhone and Security | Encryption in Motion | Multi-Factor Authentication | Passwords | Public Networks | Secure Email & Client Portals | MS Secure Score | External Security Monitors | Encryption | Virtual Private Networking | Wiping Hard Drives and Files | The Risks |
"Do not use WEP! Frankly, the Federal Trade Commission and the Canadian Privacy commissioner have both found WEP encryption insufficient to secure credit card information. Some time ago, WPA using the TKIP (temporal key integrity protocol) algorithm was cracked by a group of Japanese scientists in about a minute. So avoid WPA as well. This means that you would be encrypting using WPA2 only. However, WPA2 has recently been the subject of a sever vulnerability known as KRAC (Key Reinstallation Attacks), which means your Wi-Fi device is probably impacted .... WPA3 is a new wireless standard that will soon replace WPA2 ...." image 237 of the 2020 Guide
Other Precautions
Consider using MAC addressing for each devices allowed on the network.
Many cloud syncing services provide encryption, but maintain the encryption key themselves. However, there are services like Boxcryptor, Spideroak and Viivo which make further encryption possible or which let the account user retain sole control over the encryption key. Below is a video from Boxcryptor as used with Dropbox.
Essentially, Boxcryptor sets up two directories, one in your dropbox folder, in which items are encrypted, and another as drive X or Z, which is not.
Amazon Web Services S3 provides multiple methods of encryption, including one where you control the key. See http://tinyurl.com/nxnlbmz.
The 2019 LTG prefers Google Android over iPhone, but iPhone is used by 75% of attorneys. See chapter 9 of the 2019 LTG. It also suggests a number of steps to make the iPhone more secure.
"Most hosted systems require a connection using the secure socket layer (SSL) . . . You will know when you are using SSL bedcause your web browser's address bar adds an "s" after the http:
| Non-SSL | SSL |
| http://www.google.com | https://www.google.com |
Chapter 21, LTG.
How strong is your password?
Password Strength Checker - Check your password strenght here.
See Password Strength, Wikipedia
Password Policy
"Some security experts recommend using a password based on a mnemonic, such as an easily remembered phrase. For example, take the first letter of a each word in a phrase, then add a few special characters or numbers to it. For example, 'lend me your ears' can become 'lmye4%'. 'To be or not to be, that is the question' can become '2Bor!2b?'."
• Instruct users to choose mnemonic-based passwords,
which are as memorable as naively selected passwords
but as hard to guess as randomly chosen passwords.
• Size matters. . . . Users could be advised
to choose passwords with 10 or more characters,
which might further encourage the use of mnemonics.
• Entropy per character also matters. Instruct users to
choose passwords containing numbers and special characters
as well as letters. If you don’t, most users will
choose passwords from a very small subset of the total
password space.
What does "bit strength" measure?
Sixty-four-bit strength would require 264 attempts to process every possible combination of characters making up the password. But given modern computing power, 64-bit strength may not be sufficient.
Some basic benchmarks have been established for brute force searches in the context of attempting to find keys used in encryption. The problem is not the same since these approaches involve astronomical numbers of trials, but the results are suggestive for password choice. In 1999, an Electronic Frontier Foundation project broke 56-bit DES encryption in less than a day using specially designed hardware. In 2002, distributed.net cracked a 64-bit key in 4 years, 9 months, and 23 days. As of October 12, 2011, distributed.net estimates that cracking a 72-bit key using current hardware will take about 45,579 days or 124.8 years. Due to currently understood limitations from fundamental physics, there is no expectation that any digital computer (or combination) will be capable of breaking 256-bit encryption via a brute-force attack. Whether or not quantum computers will be able to do so in practice is still unknown, though theoretical analysis suggests such possibilities.
As a result, there can be no exact answer to the somewhat different problem of the password strength required to resist brute force attack in practice. NIST recommends 80-bits for the most secure passwords, which can nearly be achieved with a 95-character choice (e.g., the original ASCII character set) with a 12-character random password (12 x 6.5 bits = 78). A 2010 Georgia Tech Research Institute study also recommended a 12-character random password, but as a minimum length requirement.
"Particularly important to attorneys is the confidentiality and integrity of e-mails. Respected security professionals have for years compared e-mail to postcards—or to postcards written in pencil. They can be viewed or altered by third parties. While some ethics opinions have been incorrectly interpreted as saying that e-mail encryption is never required, current ethics opinions continue to stress the requirement of reasonable and competent safeguards. For example, California Formal Opinion No. 2010-179 states, 'encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.' Encryption is increasingly required in areas such as banking and health care and by new state data protection laws. As these requirements continue to increase, it will become more and more difficult for attorneys to justify their avoidance of encryption". David G. Ries & John W. Simek, Encryption Made Simple for Lawyers, 29 GP Solo at http://tinyurl.com/bqyzw8t.
Missouri Informal Ethics Opinion 970161 states, "unless e-mail communications, in both directions, are secured through a quality encryption program, Attorney would need to advise clients and potential clients that communication by e-mail is not necessarily secure and confidential." Thus, there is a duty to notify clients about the lack of security in standard, unencrypted email communication.
The problem with encrypting email is it is difficult to arrange for the digital ids or keys which allow secure encryption between senders.
An alternative to digital ids is to email a password protected document (such as an MS Word file) to the client and by different communication inform the client of the password. Multiple files can be encrypted at the same time with a WinZip program. This can also be done with Adobe Acrobat--a portfolio or package of documents (including non pdfs) can be made for a client, which can be opened in Adobe Reader.
Link to How to Encrypt Files for Sending by Email
Persistence in this practice can lead to a real headache in managing passwords among clients and voluminous documents.
Client Portals
This leaves open the possibility of trying to create a client portal for documents through providing access to folders in Dropbox, Box or some other online service to your clients. One kind of access is to send a unique URL. A better kind of access usually involves an email invite to the client who must then register his or her own Dropbox or Box account to gain access to the folder and the documents.
Click image to enlarge.
This method also has some risk since Dropbox and Box maintain master encryption keys to the files on their systems. New products like Boxcryptor may provide ways to share encrypted files with clients. The video below shows how files shared in Dropbox can also be shared in Boxcryptor.
Sending a Word Doc File Safely
Sending attachments securely.
The LTG Guide recommends services like:
See p. 157
See p. 168 of the 2019 text or https://tinyurl.com/ms-securescore.
"Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. Following the Security Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft 365 security center, organizations can monitor and work on the security of their Microsoft 365 identities, data, apps, devices, and infrastructure."
The Problem
"The attributes that make laptops and portable devices useful also make them very dangerous from a security perspective: They’re compact and portable. Add to that the fact that their costs have been decreasing over the years, their capacities have been dramatically increasing, and they have become more and more compact. Laptops are available with 1 TB (terabyte) and larger hard drives. USB thumb drives with capacities of 256 GB or more are now available. Portable hard drives of 1 TB or more, the same as desktop computers, are now available. A massive amount of data, in compact media, can be easily lost or stolen. With these devices, attorneys and employees can lose or steal the equivalent of a truckload of paper pages or more."
David G. Ries & John W. Simek, Encryption Made Simple for Lawyers, 29 GP Solo at http://tinyurl.com/bqyzw8t (excellent article on encryption)
Microsoft Bitlocker
Bitlocker Drive Encryption, Wikipedia
"BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Microsoft's Windows Vista, Windows 7, and with Pro and Enterprise editions of Windows 8 desktop operating systems, as well as the server platforms, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012." It use 128-bit AES encyrption. Microsoft claims to have maintained no "backdoor" into the system. As good as it is, the system has been critizcized because it can be bypassed with a "cold boot attack," which can be avoided by powering down devices between uses (it takes a few minutes for DRAM to clear holding the passwords).
From Windows Help and Support:
Help protect your files using BitLocker Drive Encryption
You can use BitLocker Drive Encryption to help protect all files stored on the drive Windows is installed on (operating system drive) and on fixed data drives (such as internal hard drives). Your can use BitLocker To Go to help protect all files stored on removable data drives (such as external hard drives or USB flash drives).
Unlike Encrypting File System (EFS), which enables you to encrypt individual files, BitLocker encrypts the entire drive. You can log on and work with your files normally, but BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by removing it from your computer and installing it in a different computer.
When you add new files to a drive that is encrypted with BitLocker, BitLocker encrypts them automatically. Files remain encrypted only while they are stored in the encrypted drive. Files copied to another drive or computer are decrypted. If you share files with other users, such as through a network, these files are encrypted while stored on the encrypted drive, but they can be accessed normally by authorized users.
If you encrypt the operating system drive, BitLocker checks the computer during startup for any conditions that could represent a security risk (for example, a change to the BIOS or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and require a special BitLocker recovery key to unlock it. Make sure that you create this recovery key when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files. If your computer has the Trusted Platform Module (TPM) chip, BitLocker uses it to seal the keys that are used to unlock the encrypted operating system drive. When you start your computer, BitLocker asks the TPM for the keys to the drive and unlocks it.
If you encrypt data drives (fixed or removable), you can unlock an encrypted drive with a password or a smart card, or set the drive to automatically unlock when you log on to the computer.
You can turn off BitLocker at any time, either temporarily by suspending it, or permanently by decrypting the drive.
Note that Bitlocker can take several hours to encrypt a large drive; so encrypt when you have plenty of time to let your computer stand idle. Also, besides selecting a security password, you should arrange for a security key (a text file with an extra long key) to be held somewhere safe--on a flash drive or another hard drive. This will protect you if you forget your password.
Click on image to enlarge.
Vincenovelli, Personal Data Encryption and its Legal Implications, Columbia Science and Technology Law Review (Oct. 7,2014), at http://tinyurl.com/ol58mtd.
Free Alternatives to Bitlocker
Chapter 18 of the 2018 LTG
Darik's Boot And Nuke - Darik's Boot and Nuke ("DBAN") is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction.
Shred 2 Selectively wipes files and folders.
Prey Anti-theft Tracking--tracks and wipes laptop, phone or tablet. "Pro" plan for tracking fleets of devices also available.
Aarti, Shahani, Ransomware: When Hackers Lock Your Files, To Pay Or Not To Pay?, NPR (Dec. 8, 2014). Per the 2019 version of the Guide, ransomware attacks are down, but cyrpto mining hacking is up. See p. 171.
Matthew Goldstein, Law Firms are Pressed on Security for Data, New York Times (March 26, 2014)
Debra Cassens Weiss, Office manager's alleged theft of client funds and office computer leads to suspension for lawyer, ABA Journal (Dec. 11, 2014)
ABA Formal Opinion 482, Ethical Obligations Related to Disasters. Commenting on the Opinion, from p. 177 of the 2019 Guide:
If a disaster causes the loss of client file, lawyers must also consider their ethical obligations under Rule 1.15, which requires lawyers to safeguard client property. For current clients, lawyers can attempt first to reconstruct files by obtaining documents from other sources. If they cannot, lawyers must notify the clients of the loss of files or property. To prevent such losses, "lawyers should maintain an electronic copy of important documents in an an off-site location that is updated regularly." Yup, we're back to the cloud again.
)