The Seduction of Wireless Networking: Resist the Temptation
by Jeff Flax
November 2003

Ah, the ease and convenience of it all. Connecting to the Internet from your local coffee shop, an airport you are wandering through, or right in your own backyard. Wireless in Wonderland offers the ability to connect a laptop or PC to the Internet at low to no cost in most cities and airports across North America. It sounds so seductive.

But bear with me for just a few minutes, my wireless friends. Remember the old joke, “You know it’s a bad day when…” My favorite ending is: “when the 60 Minutes crew is waiting for you in the morning by your office door.” (Fortunately that only happened to me once!) But the modern day version goes: “you know it’s a bad day when your privileged client communications or files show up on the Internet.” Can’t happen, right? It can if you go wireless.

After all, the vendors tell us that wireless is secure. Indeed, one lawyer recently told me he wasn’t worried because “the networking companies would never manufacture and sell a product which is not secure!” (Apparently, he hasn’t heard of a small, security-unconscious software start-up company in Redmond.) And lots of others tell me how their computers store nothing of interest to the neighborhood teenage hackers, or to wardrivers in your fair town. (Wardriving contests have been held in many cities. The goal is to see how many wireless systems one can get into in a day.)

Maybe my colleagues from Law Practice Today like wireless, but I won’t touch the stuff. I set a policy for my group prohibiting the use of wireless from any computer connected to our systems. Am I paranoid? Maybe, but just because you’re paranoid doesn’t mean they’re not out to get you! Trouble is, in this case, they are. Wireless is not secure and the hackers all know it. You can take all the steps you like to lock down your network and PC but in the end they may get you. Wireless is not secure.

Wireless Can be Bad to Your Ethical Health

Let’s first consider why this issue should even arise for lawyers and legal professionals. The American Bar Association Model Rules of Professional Conduct provide a good ethics-based starting point concerning maintenance of client confidences:

RULE 1.6 CONFIDENTIALITY OF INFORMATION

(a) A lawyer shall not reveal information relating to representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).
(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably...

http://www.abanet.org/cpr/mrpc/new_rule1_6.pdf

Recently I tested my staff on which of the following statements were good and which bad. Try it yourself:

  • Inadvertent disclosure is bad!
  • Maintaining client confidences is good!
  • Hackers gaining access to our case-related or confidential materials are bad!
  • Not opening up your entire network or laptop/PC to the world is good!

Not surprisingly, confidentiality is high on my agenda and that of the 1000 or so lawyers we support. But out of the box, wireless devices are completely devoid of security. Plug the access point into your router or switch, attach a wireless network card to your computer, and presto, you’re surfin’ away. It’s cool. Sans security, that is.

Locked Down or Wide Open?

To be sure, wireless vendors and experts suggest a number of steps to lock down wireless communications. No one will tell you it is 100% secure, or even close to it. But they will probably say it is good enough, whatever that means.

The current implementation of wireless relies on 802.11x standards. Most use Wired Equivalent Privacy (WEP) encryption, unique service set identifier (SSID) numbers and Media Access Control (MAC) addresses, along with attempts to control the wireless signal range. Ever try to control where a radio signal goes? Good luck. All of these steps certainly are better than no security, but not by much. There are hundreds of reports of these measures being easily compromised by just the people you don’t want gaining access to your computer or your network.

Let’s take WEP. The protocol is sold as the method for encrypting wireless packets. But there is a small problem: it is easily decrypted by eavesdroppers. Worse yet, the SSID and MAC addresses used as part of the encryption scheme are sent in plain text (not encrypted). For that reason, wireless proponents advise using a non-default SSID and a MAC filter to secure wireless connections. What they don’t mention is that these too can be easily captured with packet-capturing software freely available on the Internet.
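To see why a renamed SSID or a MAC filter adds no confidentiality, the added example below (not part of the original article) parses two constructed 802.11 frames and returns only what a receiver can read without the WEP key. The frame bytes, MAC addresses, SSID and function names are made up for illustration; the field offsets follow the standard 802.11 header layout.

```python
import struct

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def cleartext_fields(frame: bytes) -> dict:
    """Fields of an 802.11 frame that any receiver can read without the WEP key."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    out = {"protected": bool(fc & 0x4000),          # "payload is encrypted" flag
           "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]),
           "addr3": mac(frame[16:22])}              # MAC header is never encrypted
    body = frame[24:]
    if ftype == 0 and subtype == 8:                 # management frame: beacon
        caps = struct.unpack_from("<H", body, 10)[0]
        out["privacy"] = bool(caps & 0x0010)        # AP advertises WEP
        pos = 12                                    # tagged parameters follow fixed fields
        while pos + 2 <= len(body):
            tag, length = body[pos], body[pos + 1]
            if tag == 0:                            # tag 0 carries the SSID
                out["ssid"] = body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
    elif ftype == 2 and out["protected"]:           # WEP-encrypted data frame
        out["iv"] = body[:3].hex()                  # per-packet IV, sent in the clear
        out["encrypted_bytes"] = len(body) - 4      # only this part needs the key
    return out

# Constructed sample frames (not captured traffic); all MACs and the SSID are made up.
BEACON = bytes.fromhex(
    "80000000" "ffffffffffff" "020000aabb01" "020000aabb01" "1000"
    "0000000000000000" "6400" "1100"      # timestamp, interval, caps = ESS + Privacy
    "0007" "4c61774669726d"               # SSID element: "LawFirm"
    "0301" "06")                          # DS parameter set: channel 6
WEP_DATA = bytes.fromhex(
    "08412c00" "020000aabb01" "020000cc0042" "020000dd0001" "2000"
    "a1b2c3" "00"                         # WEP IV + key-id byte
    "9f3c5e1d7a2b4c6d8e0f")               # stand-in for ciphertext + ICV

if __name__ == "__main__":
    for name, frame in (("beacon", BEACON), ("data", WEP_DATA)):
        print(name, cleartext_fields(frame))
```

Even on the frame marked as protected, the station addresses and the IV come back in the clear; only the ten payload bytes at the end depend on the key.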

There are a number of expensive proprietary wireless solutions that are much more secure. I am most familiar with Cisco’s Aironet series. Cisco adds an additional, proprietary (i.e., non-standard) level of encryption to ensure that the signal is fully secure. Other vendors use similar schemes.

Trouble is, the cards they provide for users are typically backwards compatible so the users can get on other wireless networks. That means all of your best efforts to secure your network may be for nothing because your user is connecting in at the local coffee shop over an unsecure line.

This issue is not unique to proprietary wireless. In order to be flexible, all commercial implementations of wireless are set to fall back to lower forms of security, such as WEP.

The new kid on the block is WiFi Protected Access (WPA), which will tie into the emerging 802.11i standard. WPA has been said to be much more secure than WEP, using a more complex encryption scheme. Not surprisingly, there are already reports of security holes in WPA. See TechNewsWorld, November 10, 2003. The hackers just view it as another challenge.

Wireless Security Weaknesses

From my perspective, there are at least two major security weaknesses. The first arises when you install and use a wireless network in your firm. Suddenly your wireless connection is the weakest link. Like most organizations of our size, we have spent tens of thousands of dollars on the purchase and support of our firewalls. We also use an array of software to ensure the firewalls are working properly, such as internal detection systems to monitor malicious data traffic (from hacking, viruses, worms, etc.). Placing a wireless access point (antenna) on a firm’s system reduces the security of the network to the “hackability” of the wireless system. This is like putting a wall around the White House, but then leaving open the backdoor of the place, guarded only by a rent-a-cop. I would bet your next paycheck (maybe even part of mine) that you simply cannot make the wireless network access point even a fraction as secure as the rest of your network. Talk about wireless bypass surgery.

The second weakness comes from putting a wireless PC card on a legal professional’s home or laptop computer. We have already talked about WEP (not secure) and WPA (trying to be, but not there). When your users run around with wireless cards, they are bringing the world to your door (without an invitation). But these aren’t nice houseguests.

I always love hearing people say there is nothing on their PC or network anyone would care about. Think about that for a minute. How would your clients respond if they realized their draft contracts, briefs, and/or proprietary data were suddenly available to anyone with a wireless card in the area? Is your e-mail so insignificant that no one on the Internet, other than the recipient, would be interested in its contents and attachments?

Keep in mind, securing any Windows-based machine requires a major effort (ask me for the details if you have several hours to spare!). It is tough enough trying to keep up with all of the little, or not so little, new Windows security holes being identified every week.

Every day you read about people stealing Internet bandwidth by connecting with their neighbors’ wireless systems. The neighbors probably have more than they can use anyway, right? Add a network sniffer and watch everything going across their network, in and out. Bank passwords, social security or insurance numbers, and the like. Throw in a keystroke logger on a machine in the firm across the street and capture everything that is typed into the PC, or for the more visual, capture a screen shot of the monitor every 10 seconds. No problem.

One of the latest accounts of theft of information concerns setting up a wireless access point in a car just outside of a local coffee shop. The eavesdroppers used a signal so strong that anyone trying to log into the coffee shop’s wireless was instead connected to a rogue wireless server. They mirrored the look of the coffee shop’s wireless provider’s login page. From there it was a cinch to steal login passwords and credit card numbers.
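For a network whose access points you installed yourself, the impostor pattern in that account (same network name, unfamiliar radio, weaker security, stronger signal) can be checked against a site survey. The sketch below is an added example, not from the original article; the inventory, SSIDs, BSSIDs and scan results are all constructed, and the function and field names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class SeenAP:
    ssid: str
    bssid: str
    security: str      # "open", "wep" or "wpa", as advertised in the beacon
    signal_dbm: int    # closer to 0 means stronger

STRENGTH = {"open": 0, "wep": 1, "wpa": 2}

# Hypothetical inventory: the access points the firm actually installed.
INVENTORY = {"LawFirm": {"bssids": {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"},
                         "security": "wpa"}}

def flag_suspect_aps(scan, inventory=INVENTORY):
    """Return (bssid, reasons) for every AP using one of our SSIDs that looks wrong."""
    findings = []
    for ap in scan:
        policy = inventory.get(ap.ssid)
        if policy is None:
            continue                       # not our network name, out of scope
        reasons = []
        if ap.bssid not in policy["bssids"]:
            reasons.append("unknown BSSID")
        if STRENGTH[ap.security] < STRENGTH[policy["security"]]:
            reasons.append("weaker security than deployed")
        known = [a.signal_dbm for a in scan
                 if a.ssid == ap.ssid and a.bssid in policy["bssids"]]
        if "unknown BSSID" in reasons and known and ap.signal_dbm > max(known):
            reasons.append("louder than every known AP")
        if reasons:
            findings.append((ap.bssid, reasons))
    return findings

# Constructed scan results, as a site survey tool might report them.
SCAN = [
    SeenAP("LawFirm", "02:00:00:aa:bb:01", "wpa", -62),
    SeenAP("LawFirm", "02:00:00:ee:00:99", "open", -38),   # impostor profile
    SeenAP("CoffeeShop", "02:00:00:12:34:56", "open", -50),
    SeenAP("LawFirm", "02:00:00:aa:bb:02", "wep", -70),    # downgraded known AP
]

if __name__ == "__main__":
    for bssid, reasons in flag_suspect_aps(SCAN):
        print(bssid, "->", ", ".join(reasons))
```

A BSSID that matches the inventory is not proof of legitimacy, since the address is just another cleartext field, so treat a clean result as the absence of the obvious signs only.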

The bottom line is this: why would anyone use wireless given the continuing and substantial security risks? Do the benefits of wireless outweigh the significant risks? Sure, it’s convenient, even fun. But it is not secure; hence, in my judgment, it cannot be appropriately justified on any computer or network on which confidential and/or privileged materials are stored or communicated. What would your local state bar or ethics board say to a careless release of confidential client information over a wireless connection? Maybe someday they will figure out how to make it secure. But until then you won’t see it on my networks or computers.

Jeff Flax is the National Technology and Litigation Support Administrator for the federal defender program. He is based in Colorado and worries a lot about information security.