“Technology & Law” is a semi-regular column posted by Keith M. Survell. It deals with the interaction of technology and security with the modern law office.
Introduction to Security
As Director of Software Development here at Promethean, I am the de facto “top tier” technical support representative. Because of this, I have a lot of interaction with the computers of many different attorneys and their staff. This has given me a unique perspective on some of the challenges facing our users these days.
As you may or may not be aware, identity theft is the fastest growing crime on the Internet; and by far the largest portion of Identity theft is committed using “phishing” (sounds like “fishing”) scams. If you’ve been on the Internet for a while, you’ve probably seen an example of this kind of scam before; perhaps an email that you received that looked like something official – perhaps it seemed to be from your bank, or from eBay, or from PayPal. However, the email was not from who it said it was from. It was from the scammer – and it was deliberately “forged” to look “official.” Taking advantage of people’s trust, it can fool people into giving away credit card numbers, passwords, and many other pieces of information – including the mother of all personally identifiable information, your social security number.
It’s extraordinarily important for people to be aware of these scams, because these particular scams rely on what computer security professionals call “social engineering.” Social engineering is (basically) using people themselves as the “weak point” in the chain of security. Your bank’s server may be impenetrable, and the bank’s physical security may be top-notch, but if a criminal has your name, account number, and password – your money is as good as gone. And if the criminal tricked you into giving him that information, you have no recourse against the bank (or whatever) for your loss – because YOU were at fault.
Additionally, tricks like these can be used to bypass virus protection and firewalls to get viruses or trojan horse type programs into your computer. The latter is especially dangerous to those in the legal profession, as you frequently have sensitive, privileged, private information on your computer. A trojan horse program works just like its namesake – it gets into your program by “pretending” to be something legitimate; maybe a free game, or a useful utility, or even a “fake” security update.
Now, all of these things are bad enough on their own, but what makes all of this 10 times worse is that the browser you are probably using to read this article is making it 10 times easier for those criminal types to get into your computer and steal private information. Yes, I’m talking about “Internet Explorer,” the default browser in every version of Windows. There are more problems with Internet Explorer in regards to security then I have room to talk about, but I’ll go over two of the big ones.
Integration into Windows
You probably remember the big anti-trust lawsuit against Microsoft from a few years ago. Among other things, this suit alleged that Microsoft had made Internet Explorer an inseparable part of the operating system (Windows). And – unfortunately for most users – this is absolutely true. You cannot un-install Internet Explorer from your computer if you are using anything newer than Windows 98 – which means ALL new computers, as well as anything running Windows ME, Windows 2000, or Windows XP.
Because of this integration, any flaw which affects the browser (Internet Explorer) also affects your computer in general. During the past year, there have been dozens of “updates” released by Microsoft for Internet Explorer. If you have Windows Automatic Update turned on, and you actually bother to read the description of the updates you are receiving, you’ll see that the descriptions are largely the same:
Update for Internet Explorer: A flaw has been discovered that could allow an attacker to take control of your computer. Install this update to remain safe. You may have to reboot your computer when the update is installed.
Remember – each of these flaws has to be found by someone (typically not Microsoft themselves), and then Microsoft has to fix it – a process which can (and often does) take months. All the while, your computer is vulnerable. It’s as if the manufacturer of the locks on your house notified you by mail that there is a flaw in your locks (which has been known publicly for several months now), and that any kid with a toothpick can open all your doors – and they will be sending you the tools & instructions to fix your locks in a few more weeks. It goes without saying that this is a less than ideal situation.
ActiveX – Browser Plugins that Bite Back
Perhaps the biggest security problem with Internet Explorer isn’t actually a “flaw” at all – it’s a feature, designed way back when Internet Explorer was still fighting with Netscape for dominance on the Internet. This “feature” is called “ActiveX,” and it allowed small little programs (called “ActiveX objects”) to run “inside” of your browser window. These programs could literally do anything; and since they were running on your computer, they were a prime choice for getting access to your system. On many computers, these ActiveX programs are simply downloaded & installed without notifying the user – which means that you could be visiting a web site that is (unbeknownst to you) installing an ActiveX program that scans your computer for credit card numbers, social security numbers, passwords, or any number of things, and then sends them back to some server somewhere – where they are most likely used to impersonate you and obtain access to your money. Even on computers where the user is prompted about the installation of ActiveX programs, most people simply click “Allow” when prompted – mostly due to the fact that Microsoft themselves uses ActiveX for things like Windows Update, and their web site instructs you to click “Allow” (although to their credit, they do ask you to review the text on the window and make sure the program actually does come from Microsoft).
Alternatives
This wouldn’t be much of a “tech” column if I didn’t offer some helpful (or at least useful) advise on this subject. Towards that end, here are some of my recommendations. These can (and should!) be implemented by everyone – regardless of whether you’re a solo practitioner, or part of a large law firm with a dedicated IT staff.
Switch Your Browser
Perhaps the easiest thing you can do is switch to a different browser. This won’t remove Internet Explorer from your computer – nothing will – but it will give you a safer, more secure browser. And since nearly 90% of the time people spend “on the Internet” is actually browsing, this can be a significant step forward in terms of safety.
The browser I recommend is called “Firefox,” and it is completely free – for both personal and commercial use. This browser does not support ActiveX; so if your company uses ActiveX for something internal, or if you need ActiveX for on-line banking (there are a few rare banks that require ActiveX for on-line banking), you may still need to open Internet Explorer sometimes. However, most (99%) pages will open faster in Firefox, and there’s far less security problems. There are also features in Firefox which make it ideal for research – in particular the “tabbed browsing” feature. But don’t just take my word for it – over 25 million people have downloaded Firefox world wide. And it’s not just for Windows, either – if you’re a Mac user, or if you use UNIX or Linux, Firefox is available for those operating systems as well.
For more information on Firefox, visit www.mozilla.org, the home page of the public organization which created it.
Get a Firewall
Many people don’t know what a firewall is, or how it can help improve security. Basically, a firewall is a piece of hardware or software that “blocks” certain types of data from passing between computers (or entire networks). You can think of it as a little computerized “bouncer,” only letting in the people (data) you’ve approved. Random people trying to gain access to your computer (perhaps via a security flaw) will be turned away, thus keeping your computer safe. (A firewall is actually much more complex than that – but for simplicity’s sake, that’s all I’ll say on it. For the full definition of a firewall, click here.)
If you have Windows XP, and you’ve installed Service Pack 2 (or if you’ve just been doing your Windows Updates regularly), you already have a very good firewall installed on your computer. If you have XP, but haven’t downloaded Service Pack 2 yet, I highly suggest you do. You’ll have to visit www.microsoft.com and go to the Windows Update site (or you can use the link that’s probably on your Start menu).
If you don’t have Windows XP, then you probably should install a firewall. Fortunately, there are free firewalls available as well. The one I would recommend comes from Zone Labs, and is called ZoneAlarm. You can download it by clicking here. You may also be able to get firewall software bundled with your anti-virus software (you DO have anti-virus, don’t you?), so be sure to check on that. Just remember that firewalls also block programs on your computer from connecting to the Internet, so when you see a window pop up asking you if you want to allow a program to access the Internet, take a moment to read it and decide if it is legitimate. (Users of TurboLaw may run into this problem when checking for updates, for example.)
As an alternative to software firewalls, most Internet “routers” have built in firewalls. If you have a small home or office network, and you have a router (probably from either Linksys or Netgear), then you already have a layer of protection against attacks from the “Internet-at-large”.
I hope that I have managed to at least provide a background for the casual user regarding these very important topics. As I said previously, I highly recommend that you follow the advise I give, but if you are in doubt, always check with your local IT professional. All of the software I recommend in this column is totally free – and my recommendations are based solely on my own extensive experience with computers. I do believe that if you keep your wits about you, and if you understand just a little bit about the way the Internet and computers work, you can keep your computer (and your data) safe from most of the threats that exist these days.
Good luck!