Security alert: what you need to know about passwords and encryption

  • 16 avril 2008
  • David J. Bilinsky

Toutes nos excuses. Cet article n'est disponible qu'en anglais.

 

One of the more dreadful things for a lawyer to discover is that their electronic device — desktop computer, laptop, Blackberry, PDA, portable hard drive or USB flash drive —has gone missing, taking confidential client information with it.

A family lawyer’s laptop could contain reams of financial disclosure documents containing bank accounts and deposits, SINs, investments and other highly personal information. A corporate lawyer’s Blackberry could carry details of a proposed merger or corporate purchase: a disastrous leak. Indeed, there are few areas of the law where lawyers have not been entrusted with the safekeeping of their clients’ secrets as a function of providing legal advice.

We advise lawyers who have suffered a theft of an electronic device containing client information to inform those clients as soon as possible that their confidential information may have been compromised. There is a real possibility that the disclosure of client personal information could result in “identity theft” for the client — resulting in false credit cards issued in their name, the unauthorized access to their bank or financial accounts and other sources of funds and the like. Clients are entitled to take such action as they deem necessary to protect their private affairs as a result of the possible disclosure resulting from the theft or “disappearance.”

On the other hand, if the lawyer could tell those clients that all the information on that stolen computer had been encrypted using a “whole disk encryption” application — imagine the reassurance felt by everyone concerned! I emphasize “all,” because there are certainly ways to encrypt single files and discrete folders on computers. However, in the words of Bruce Schneier, founder and CTO of BT Counterpane Security:

The reason you encrypt your entire disk, and not just key files, is so you don’t have to worry about swap files, temp files, hibernation files, erased files, browser cookies or whatever. You don’t need to enforce a complex policy about which files are important enough to be encrypted. And you have an easy answer to your boss or to the press if the computer is stolen: no problem; the laptop is encrypted.

Whole disk encryption applications typically extend to all removable and portable media such as USB flash drives, portable hard drives and other removable media. (Note that this is not a solution for files that have been emailed to other computers, PDAs or Blackberries, which are typically sent “clean” or unencrypted. ) These whole-file encryption applications work in the background and to the user, they are transparent.

They work on both Mac and Windows machines. Typically, they also incorporate secure file deletion algorithms, meaning that once a file is deleted, it is well and truly gone. They can be established as an enterprise solution, ensuring that if any computer is stolen — within or outside the office — the information contained therein is secure and protected. They can establish multiple levels of security.

It is gratifying to see that PCWorld, in an article posted April 6, 2008 titled “Are Extra Laptop Features Worth It?” stated:

Our verdict: For any industry in which security is paramount or even legally obligated (the medical, legal, and governmental fields, for starters), the additional cost of hardware encryption is minuscule when weighed against the technology’s ease of use and its role in avoidance of liability.

In my opinion, all lawyers should be looking at whole-disk encryption for their portable devices (laptops, flash drives, etc.) and should be considering it for their office networks as well. There have been instances when desktop computers have been stolen, even in broad daylight, from lawyers’ offices.

Why we haven’t seen more secure laptops out in the market? I think the answer is that they are just starting to appear.

Passwords
Regarding passwords, there are many rules to follow.

First, since password-cracking programs use dictionary words, birthdates and common names, never use these as passwords. Needless to say, don’t use the word “password,” and change all default passwords immediately. Don’t post the password on a sticky note on the monitor!

If you need to write them down, do so — but in a way that is a bit cryptographic ... reverse the numbers or transpose the 7th and 8th character and the like. Something that only you would know, and which is not obvious to anyone reading it — for example, you can write down a character in your note that would not appear in your actual password.

Or, have a character/number sequence memorized that you append to the written password that only you would know. Use symbols, uppercase letters, lowercase letters and numbers. Make sure it isn’t something that has been used before (e.g., R2D2). And make it fairly long, at least six characters.

Needless to say, don’t tell anyone your passwords! Change your passwords regularly. Don’t use the same password for everything! And if you suspect that a password has or may have been compromised, change it — now!

Don’t save your passwords in a Word or WordPerfect or Excel file; these can be found easily. Instead, acquire one of the automatic password managers such as:

These applications will record your passwords and will also record your common form info (name, address etc) and populate web forms for you on the fly. Some of them even allow you to store your passwords on a USB flash drive, so you can carry them with you.

Another way to protect yourself is to acquire a USB security key. It plugs into the USB port and the computer is disabled without it. If you enable the encrypted file system in Windows together with the USB key, then the data on your computer is unreadable to anyone without the USB key. (Perhaps needless to say, don’t travel with the USB key in the same luggage as the computer.)

At the office, we have RSA key fob tokens that have a six-digit number display that changes every minute. To log onto the computer, you need a four-digit code in addition to the six-digit number on the RSA token. Only you know that four-digit code, so even if someone manages to steal both the laptop and the RSA token, they would have to know or guess the extra four-digit code and how it is used, together with the token to gain access to your computer — which only increases the security.

David J. Bilinsky, Esq. is an independent consultant as well as the Practice Management Advisor for the Law Society of British Columbia. He is a Fellow of the College of Law Practice Management and the Editor-in-Chief of ABA’s Law Practice Magazine. His consulting services focus on enhancing law firm profitability, strategic business planning and the thoughtful application of technology to the practice of law. His blog Thoughtful Law was the recipient of two CLawBie Awards in 2007.