Skip to Main Content UMKC University Libraries

Law Practice Technology

A guide created for a law class incorporating the book, The 2018 Solo and Small Firm Legal Technology Guide (ABA)

Networking Hardware

Firewalls/Intrusion Detection System

Routers with Firewall and Intrusion Detection

Cisco ASA 5500 X-Series

See 2020 LTG, images 107-108.

Wireless Encryption Settings

"Do not use WEP! Frankly, the Federal Trade Commission and the Canadian Privacy commissioner have both found WEP encryption insufficient to secure credit card information. Some time ago, WPA using the TKIP (temporal key integrity protocol) algorithm was cracked by a group of Japanese scientists in about a minute.  So avoid WPA as well.  This means that you would be encrypting using WPA2 only.  However, WPA2 has recently been the subject of a sever vulnerability known as KRAC (Key Reinstallation Attacks), which means your Wi-Fi device is probably impacted .... WPA3 is a new wireless standard that will soon replace WPA2 ...."  image 237 of the 2020 Guide

Other Precautions

  • make sure to change the user name and password of the wireless administrative login
  • enable MAC filtering on your wireless
  • don't identify your firm name in the SSID (service set identifier)
  • consider disabling the broadcasting of the SSID name

 

elect not to broadcast ssid

 

 

 

 

 

 

 

 

Consider using MAC addressing for each devices allowed on the network.

MAC Addressing

 

Security Software

  • The 2020 Guide sees Norton and MaAfee has being to "heavy a load" on the system.  It recommends Webroot Secure Anywhere.  Current cost is $44.99 per year for upt to three devices.  See images 108-109.
  • Guide recommends CryptoPrevent to assist blocking ransomware ($15 annually).  See impage at 158 of LPTG.
  • I use ESET Security  Price varies per subscription ($59 for premium version)

Privacy Vendors

Encryption in the Cloud

Many cloud syncing services provide encryption, but maintain the encryption key themselves. However, there are services like Boxcryptor, Spideroak and Viivo which make further encryption possible or which let the account user retain sole control over the encryption key.  Below is a video from Boxcryptor as used with Dropbox

Essentially, Boxcryptor sets up two directories, one in your dropbox folder, in which items are encrypted, and another as drive X or Z, which is not.

Amazon Web Services S3 provides multiple methods of encryption, including one where you control the key.  See http://tinyurl.com/nxnlbmz.

iPhone and Security

The 2019 LTG prefers Google Android over iPhone, but iPhone is used by 75% of attorneys.  See chapter 9 of the 2019 LTG.  It also suggests a number of steps to make the iPhone more secure.

  • don't use anything lower than an iPhone 8.
  • upgrade to the latest version of the iOS system (currently at 12)
  • enable a passphrase by disabling the "Simple Passcode," a six-digit pin
  • enable system wiping after 10 attempts with the wrong password
  • do not enable touch fingerprint reader
  • unsure what to recommend about facial recognition

 

Encryption in Motion

"Most hosted systems require a connection using the secure socket layer (SSL) . . . You will know when you are using SSL bedcause your web browser's address bar adds an "s" after the http:

Illustrating Encryption in Motion
Non-SSL SSL
 http://www.google.com   https://www.google.com 

Multi-Factor Authentication (MFA)

  • Microsoft claim's using MFA will block 99.9 percent of automated account takeovers (ATO)
  • “Our research shows that simply adding a recovery phone number to your Google Account can block up to 100 percent
    of automated bots, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks that occurred during our
    investigation."

Chapter 21, LTG.

Passwords

How strong is your password?

Password Strength Checker - Check your password strenght here.

See Password Strength, Wikipedia 


Password Policy

"Some security experts recommend using a password based on a mnemonic, such as an easily remembered phrase. For example, take the first letter of a each word in a phrase, then add a few special characters or numbers to it. For example, 'lend me your ears' can become 'lmye4%'. 'To be or not to be, that is the question' can become '2Bor!2b?'."

  • Yan, J.; Blackwell, A.; Anderson, R.; Grant, A.; , "Password memorability and security: empirical results," Security & Privacy, IEEE , vol.2, no.5, pp.25-31, Sept.-Oct. 2004, at http://tinyurl.com/m6hp4o4.  Some conclusions:

• Instruct users to choose mnemonic-based passwords,
which are as memorable as naively selected passwords
but as hard to guess as randomly chosen passwords.
• Size matters. . . . Users could be advised
to choose passwords with 10 or more characters,
which might further encourage the use of mnemonics.
• Entropy per character also matters. Instruct users to
choose passwords containing numbers and special characters
as well as letters. If you don’t, most users will
choose passwords from a very small subset of the total
password space.

  • The problem is that few passwords are randomly generated because they are hard to remember and often have to be written down.  One solution is to use the Diceware method to produce a string of randomly selected words, which is easier to remember.  For instance, a five-word string password generated by the Diceware method would have 64 bit encryption strength, the same as a password of seven randomly generated case-sensitive alpha-numeric characters.  See Password Strength, Wikipedia.

 


What does "bit strength" measure?

Sixty-four-bit strength would require 264 attempts to process every possible combination of characters making up the password.  But given modern computing power, 64-bit strength may not be sufficient. 

From Password Strength, Wikipedia

Some basic benchmarks have been established for brute force searches in the context of attempting to find keys used in encryption. The problem is not the same since these approaches involve astronomical numbers of trials, but the results are suggestive for password choice. In 1999, an Electronic Frontier Foundation project broke 56-bit DES encryption in less than a day using specially designed hardware. In 2002, distributed.net cracked a 64-bit key in 4 years, 9 months, and 23 days. As of October 12, 2011, distributed.net estimates that cracking a 72-bit key using current hardware will take about 45,579 days or 124.8 years.  Due to currently understood limitations from fundamental physics, there is no expectation that any digital computer (or combination) will be capable of breaking 256-bit encryption via a brute-force attack. Whether or not quantum computers will be able to do so in practice is still unknown, though theoretical analysis suggests such possibilities.

As a result, there can be no exact answer to the somewhat different problem of the password strength required to resist brute force attack in practice. NIST recommends 80-bits for the most secure passwords, which can nearly be achieved with a 95-character choice (e.g., the original ASCII character set) with a 12-character random password (12 x 6.5 bits = 78). A 2010 Georgia Tech Research Institute study also recommended a 12-character random password, but as a minimum length requirement.

 

Public Networks

Public networks, such as in an airport, are by their very nature unsafe.  Never check email or your online banking while on such a network.

Secure Emails & Client Portals

"Particularly important to attorneys is the confidentiality and integrity of e-mails. Respected security professionals have for years compared e-mail to postcards—or to postcards written in pencil. They can be viewed or altered by third parties. While some ethics opinions have been incorrectly interpreted as saying that e-mail encryption is never required, current ethics opinions continue to stress the requirement of reasonable and competent safeguards. For example, California Formal Opinion No. 2010-179 states, 'encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.' Encryption is increasingly required in areas such as banking and health care and by new state data protection laws. As these requirements continue to increase, it will become more and more difficult for attorneys to justify their avoidance of encryption".  David G. Ries & John W. Simek, Encryption Made Simple for Lawyers, 29 GP Solo at http://tinyurl.com/bqyzw8t.

Missouri Informal Ethics Opinion 970161 states, "unless e-mail communications, in both directions, are secured through a quality encryption program, Attorney would need to advise clients and potential clients that communication by e-mail is not necessarily secure and confidential."  Thus, there is a duty to notify clients about the lack of security in standard, unencrypted email communication.

The problem with encrypting email is it is difficult to arrange for the digital ids or keys which allow secure encryption between senders. 

An alternative to digital ids is to email a password protected document (such as an MS Word file) to the client and by different communication inform the client of the password.  Multiple files can be encrypted at the same time with a WinZip program.  This can also be done with Adobe Acrobat--a portfolio or package of documents (including non pdfs) can be made for a client, which can be opened in Adobe Reader.

Link to How to Encrypt Files for Sending by Email

Persistence in this practice can lead to a real headache in managing passwords among clients and voluminous documents.


Client Portals

This leaves open the possibility of trying to create a client portal for documents through providing access to folders in Dropbox, Box or some other online service to your clients.  One kind of access is to send a unique URL.  A better kind of access usually involves an email invite to the client who must then register his or her own Dropbox or Box account to gain access to the folder and the documents.

Box invite feature

Click image to enlarge.

This method also has some risk since Dropbox and Box maintain master encryption keys to the files on their systems.  New products like Boxcryptor may provide ways to share encrypted files with clients.  The video below shows how files shared in Dropbox can also be shared in Boxcryptor.


Sending a Word Doc File Safely

Click here for full screen

Sending attachments securely.

The LTG Guide recommends services like:

See p. 157

Microsoft Office 365 Secure Score

See p. 168 of the 2019 text or https://tinyurl.com/ms-securescore.  

"Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. Following the Security Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft 365 security center, organizations can monitor and work on the security of their Microsoft 365 identities, data, apps, devices, and infrastructure."

External Security Monitors

Encryption

The Problem

"The attributes that make laptops and portable devices useful also make them very dangerous from a security perspective: They’re compact and portable. Add to that the fact that their costs have been decreasing over the years, their capacities have been dramatically increasing, and they have become more and more compact. Laptops are available with 1 TB (terabyte) and larger hard drives. USB thumb drives with capacities of 256 GB or more are now available. Portable hard drives of 1 TB or more, the same as desktop computers, are now available. A massive amount of data, in compact media, can be easily lost or stolen. With these devices, attorneys and employees can lose or steal the equivalent of a truckload of paper pages or more."

David G. Ries & John W. Simek, Encryption Made Simple for Lawyers, 29 GP Solo at http://tinyurl.com/bqyzw8t (excellent article on encryption)


Microsoft Bitlocker

Bitlocker Drive Encryption, Wikipedia

"BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Microsoft's Windows Vista, Windows 7, and with Pro and Enterprise editions of Windows 8 desktop operating systems, as well as the server platforms, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012."  It use 128-bit AES encyrption.  Microsoft claims to have maintained no "backdoor" into the system.  As good as it is, the system has been critizcized because it can be bypassed with a "cold boot attack," which can be avoided by powering down devices between uses (it takes a few minutes for DRAM to clear holding the passwords).

From Windows Help and Support:

Help protect your files using BitLocker Drive Encryption

You can use BitLocker Drive Encryption to help protect all files stored on the drive Windows is installed on (operating system drive) and on fixed data drives (such as internal hard drives). Your can use BitLocker To Go to help protect all files stored on removable data drives (such as external hard drives or USB flash drives).

Unlike Encrypting File System (EFS), which enables you to encrypt individual files, BitLocker encrypts the entire drive. You can log on and work with your files normally, but BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by removing it from your computer and installing it in a different computer.

When you add new files to a drive that is encrypted with BitLocker, BitLocker encrypts them automatically. Files remain encrypted only while they are stored in the encrypted drive. Files copied to another drive or computer are decrypted. If you share files with other users, such as through a network, these files are encrypted while stored on the encrypted drive, but they can be accessed normally by authorized users.

If you encrypt the operating system drive, BitLocker checks the computer during startup for any conditions that could represent a security risk (for example, a change to the BIOS or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and require a special BitLocker recovery key to unlock it. Make sure that you create this recovery key when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files. If your computer has the Trusted Platform Module (TPM) chip, BitLocker uses it to seal the keys that are used to unlock the encrypted operating system drive. When you start your computer, BitLocker asks the TPM for the keys to the drive and unlocks it.

If you encrypt data drives (fixed or removable), you can unlock an encrypted drive with a password or a smart card, or set the drive to automatically unlock when you log on to the computer.

You can turn off BitLocker at any time, either temporarily by suspending it, or permanently by decrypting the drive.

Note that Bitlocker can take several hours to encrypt a large drive; so encrypt when you have plenty of time to let your computer stand idle.  Also, besides selecting a security password, you should arrange for a security key (a text file with an extra long key) to be held somewhere safe--on a flash drive or another hard drive.   This will protect you if you forget your password.

 

Click on image to enlarge.

Vincenovelli, Personal Data Encryption and its Legal Implications, Columbia Science and Technology Law Review (Oct. 7,2014), at http://tinyurl.com/ol58mtd.


For Mac Users Use FileVault

Free Alternatives to Bitlocker

Virtual Private Networking

Chapter 18 of the  2018 LTG

Virtual Private Networking

  • "VPN connection allows a user to connect to the office when working remotely.  The communications tunnel encrypts the data traffic between the remote user and the office network, maintaining security of of the information as it is passed back and forth.  This is extremely important for law firms who lawyers work on client files while traveling or away from the office and have to download a local copy of a client file to work on.  Best of all, the VPN service software is included with Microsoft's server operating systems, and the VPN client software is included with Microsoft operating systems, at no additional cost to the user."  2022 LPTG, image 222.
  • Facilitates remote desktop
  • May require IT consultant
  • Comes with Microsoft server, but a private subscription service is available through vpnunlimited.   If you want to configure it with a "remote desktop service" (which comes with windows). It may take some effort to configure and you will need to know the name of your computer on your network..
  • Comparison of VPNs at https://thatoneprivacysite.net.

GoToMyPC

  • Does not require a server
  • Data is encvrypted
  • Works even with dynamic IP addresses and without modifing firewalls
  • Works with apps

LogMeIn

  • Securley encrypted
  • Works with Apps
  • Costs less than GoToMyPC

TeamViewer

  • "Business Edistion is a remote access solution on steroids."
  • Works with Mac
  • Communication tools
  • File box for common file sharing
  • MS Outlook calendar integration
  • Mobile devices add-ons

 

 

 

Wiping Hard Drives and Files

Darik's Boot And Nuke -  Darik's Boot and Nuke ("DBAN") is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction.  

Shred 2 Selectively wipes files and folders.  

Prey Anti-theft Tracking--tracks and wipes laptop, phone or tablet.  "Pro" plan for tracking fleets of devices also available.

The Risks

Aarti, Shahani, Ransomware: When Hackers Lock Your Files, To Pay Or Not To Pay?, NPR (Dec. 8, 2014).  Per the 2019 version of the Guide, ransomware attacks are down, but cyrpto mining hacking is up. See p. 171.

Matthew Goldstein, Law Firms are Pressed on Security for Data, New York Times (March 26, 2014)

Debra Cassens Weiss, Office manager's alleged theft of client funds and office computer leads to suspension for lawyer, ABA Journal (Dec. 11, 2014)

ABA Formal Opinion 482, Ethical Obligations Related to Disasters.  Commenting on the Opinion, from p. 177 of the 2019 Guide:

If a disaster causes the loss of client file, lawyers must also consider their ethical obligations under Rule 1.15, which requires lawyers to safeguard client property.  For current clients, lawyers can attempt first to reconstruct files by obtaining documents from other sources.  If they cannot, lawyers must notify the clients of the loss of files or property.  To prevent such losses, "lawyers should maintain an electronic copy of important documents in an an off-site location that is updated regularly."  Yup, we're back to the cloud again.

Example of Spear-phishing Attack

Spear phishing email