Oklahoma Bar Association


Search

Who is Reading your Hard Drive Tonight?
Security with High Speed Internet Access and a Few Words about Passwords

Last month we discussed e-mail attachments and protecting your law firm against computer viruses. If you missed that article, you should go back and read it in the June 10, 2000 Oklahoma Bar Journal or read it on our web page, www.okbar.org. This is very important stuff. After that article went to press, a new kind of virus, Stages, made the rounds, but it was fairly benign.

It seems appropriate to continue discussing computer security issues since we covered so many of them last month. Warning: There is "teckie talk" ahead. Usually I try very hard to write in "plain English." That does not work as well with these topics. We cannot avoid some technical explanations on this discussion. But we believe you can handle it, and we will conclude with a discussion of passwords where I will amaze many of you by accurately guessing the passwords of your computers, laptops and online account.

Once you have a high speed Internet connection and use it for very long, you can never go back. Only a severe financial problem or a relocation where there is no high speed access will have you dialing up to get online with your modem again. It's fast. It's always on. You can be working on a document, realize there is something you need to check online about the document, check it in a few seconds and continue your work. A high speed Internet connection can be shared by several computers in your office depending on the service agreement you sign with your provider.

DSL, cable modems and, for some, ISDN or satellite dishes, are the broadband fast connections to the Internet. You may not have these in your area now, but you will. When you get it , you will understand why everyone else talks so much about it. Prices vary from under $40 to several hundred a month depending on what you have available in your area.

But broadband brings up some security problems. Some of these have been covered in the state media. There is a lot of discussion about them online.

When you have a connection to the Internet, you are assigned an IP address. When you dial up your local Internet Service Provider (ISP) on the phone and make a connection, you get an IP assigned more or less at random. An IP address is just a set of numbers like 123.45.234.90. Every computer on the Internet and every web page has one. The next time you call into your ISP, you will probably get a different IP address assigned to you.

With the broadband access, there are two differences than with your ISP. First, you have a permanent IP address assigned to your computer that does not change and, secondly, you are always online to the Internet. Those who use the Internet to intrude on other systems, "hackers" for lack of a more precise term, therefore have a much easier job. They know where your "front door" is online and they have many hours of open access to try the knob (or pick the lock.) It fact, the use of scanners to check out access is fairly routine. People who put up guards against such things report "attempted intrusions" several times a week, if not several times a day. In truth, the majority of these may be fairly harmless incidents.

But, if you simply have File Sharing enabled on your computer, then those files may be shared with complete strangers across the Internet without you even knowing about it.

Did that get your attention or should I repeat it? Just remember, you're not paranoid if they really are out to get you.

First of all, ask the company representatives when they are installing the cable modem or DSL how secure it is and what protections are in place. More than likely they will give you some meaningless response, which means there are not any.

One of the truly great Internet resources on computer security was mentioned to me by Tulsa attorney Ken Bodenhamer. Steve Gibson of Gibson Research Corp. has an outstanding web site at grc.com (no WWW's on this one.) The company created the popular SpinRight utility software. There is information on that product, Gibson's downloadable free utilities and lots of information on computer Internet security issues.

Gibson's "Shields Up" link is an eye-opener for many. While you wait, his system will probe your computer's shields and ports.1 Don't be surprised if your name, e-mail address and other information is located on your computer and displayed back to you. In addition you may get warning messages about open ports and other security flaws. His "Explain this to me" link should be required reading for anyone with a cable modem or DSL line. (The direct link to that area is http://grc.com/su-explain.htm .) It is fairly technical reading, taking those of us with some background a bit of time to digest.

Let's go through some of the various scenarios that Gibson and some others2 suggest to protect your system from Internet intruders.

This one is actually pretty easy and works like a dream where you have just one computer that is not networked, hooked up to the Internet. Since you are not networked to share files with other computers, you can just turn file sharing off. Go to Control Panel, then click Network, and make sure that file and printer sharing is turned off. However, there may be one "port" open (port 139) unless you also uninstall "family logon" through Control Panel, Network as well. You can then test your IP addressing and ports at the Gibson web site. You are now very secure (until you decide to network another machine to this one.) Note: Turning this off may be much easier than turning it back on again for the beginner.

This also works well on a small home network.3 Typically, file sharing is little used on home networks, with the only real purpose of the home network being to share the high speed Internet access. If you only need it rarely, you may just learn to turn it off and on as needed, leaving if off when not in use.

This solution only works if you have Windows 98 SECOND EDITION or Windows 2000. If you do not, you must upgrade to one of these first. (The more simple route is WIN 98 SE.)

Windows 98 Second Edition and Windows 2000 have security built in. It is called "Network Address Translation." It hides the IP addresses of your local machines and creates good security all by itself. This is not extra expense for owners of Win98SE and Win2000. This is set up by going to Control Panel, Add new programs, Windows setup, Internet tools and finally Internet connection sharing. I have not seen this in operation yet, but I am told that it works this way. Internet service runs through DSL adapter or cable modem to a network interface card (NIC) in the computer, a second NIC in my computer runs to the hub for the network. It sets up with a software wizard on the first computer. The setup program creates a floppy disk that is used to configure each of the other machines on the network.

You do need two network cards to make this work. There are alternative instructions for using a modem in lieu of the second network card. I would judge that you would need some computer experience to do this. So, you might want to bribe your teenager or college student in the family for assistance.

This one sounds daunting, but actually is not. Firewalls are at least aptly named, so that we understand in a general sense what they should do. A firewall is either an electronic boundary that prevents unauthorized users from accessing certain files on a network or a computer, or other device, used to maintain such a boundary.4 They are supposed to keep "the fire" away from us and our files.

But the good news is that due to the new users of cable modems and DSL connections, there are now many home consumer-oriented firewall products. This means they must be simple enough for the average consumer to install and use them. They are typically not that expensive.

One of the most popular of these is free. This is a firewall program named ZoneAlarm from www.zonelabs.com. The site has a link to click to download the program. Others have told me installation is easy. The site also has a positive review of the ZoneAlarm program. The Gibson website absolutely raves over Zone Alarm 2.0, saying that it may "be the perfect and ultimate personal firewall for the typical Internet user."5

There are other products available. Some have great names like BlackICE Defender 2.1 (http://www.netice.com). Just remember unless you have in-house computer expertise you probably want to look at the consumer/home products and not those that require much expertise to install.

Our resident computer guru, Chad Williamson, has an extra computer at home. When he got his cable modem, he took an old computer, reformatted the hard drive, installed the Linux operating system and then configured the computer as a firewall with Linux-based software. So the Internet connection goes through the firewall into the main computer. The cost is zero. Obviously, such a set up is beyond most Oklahoma lawyers' ability. We are negotiating with Chad for a step-by-step instruction sheet of how this is done.

But there are a couple of interesting products out there that do much the same thing.

Several Oklahoma lawyers swear by the Lynksys 4-Port Cable/DSL router. This is a hub, a router and a firewall combined into one. A simple hub that you buy at the electronics store will cost $30 -$40. Why not get a quality piece of equipment for $170-$180 that incorporates a firewall and some other nice features? It has four ports6 to easily hook up four computers for sharing but can maintain up to 253 users. Reports are that you plug it in, install the software and go! More information is available at www.linksys.com and information on this specific product is at www.linksys.com/products/product.asp?prid'20&grid'5. You might try Egghead online for a good price.

(For those of you who have been reading along forlornly, hoping for a "bottom line" kind of answer, you may have just read it.)

There are other router firewall combinations, but they are typically in a higher price range.

If reading this article has made your head ache and your eyes swim, then maybe net security outsourcing is the best option for you. You just write annual or semi-annual checks and someone else handles the entire security job for you.

Although I do not know personally of anyone using this method, it has an obvious attraction. They send you a box and walk you through plugging it in by phone. They remotely handle software updates and other issues. You just pay them like you would the burglar alarm company for a similar service.

Let's pretend that I have been hired as a computer cracker to break into your office computer system and steal valuable client information. I decide I want to leave no trail on the Internet. I do it the old fashioned way. Just before dawn Sunday morning, we break into a back window and gain entry to your office, quickly disabling the burglar alarm before the 10-second delay. My team and I remove our black ski masks. One person goes to work replacing the broken glass with the new pane we brought with us. The others start turning on the computers.

Question No. 1 - Certainly this is a hypothetical crime, but have we already won? Will all of your office computers now yield up all of their data to be copied to the portable CD Writers we carry or are they password protected to protect your client's information?

I know many of our readers have already failed this test. Some of the rest of you have a Windows password securely in place. A word of warning is in order. Unless your password is set up through CMOS as opposed to Windows only, it is a fairly easy matter to circumvent the password and get to the contents of the hard drive. If you don't know how to do this, it is time to bribe the teenager again. But moving on .......

The computer demands a password. I quickly scan your desktop, your monitor and pull out the wooden signing board in your desk. Did I find it? Too many lawyers and secretaries have their password taped someplace very near their keyboard "just in case they forget it." I look through the Post-It Notes™ - attached to your computer screen and inside the drawers for a password.

Our team is still confident. I sit down at the keyboard and start entering possible passwords. I know who works at each station and so I try the following passwords:

Well, that took about a couple of minutes. I may not have made it to your password yet, but I promise you that hundreds, if not thousands, of readers were caught somewhere with that list. And don't forget that with most network set-ups, I only have to get in to one of the computers on the network. I promise you that you would be stunned and amazed at how many secretaries have their husband's, children's or boyfriend's name as a password.

Still not concerned? You've got a pretty good password that you don't believe I can guess. You might be right. Since it is such a great password, you use it for several things. Of course, if I call your Internet Service Provider tech support guy in the middle of the night pretending to be you, I might just talk him out of it. ("Hey, I just got this new laptop, but I don't remember my password anymore, it just shows that row of stars.") In fact, maybe it is such a good password you used it for your online banking as well. Then I might even be able to pay myself a little bonus on this job.

The point is that you may already have several passwords that you need to remember. If you do not now, within the near future with more online banking and shopping you will soon have even more passwords. A password on the office computer protects the secrecy of client files.

Strange as it may seem there are Windows-based random password generators that can be set up to try possible password after password.

But it is hard to remember all of these passwords. Hopefully, the example above makes it clear that you cannot use the same password for everything. So, how can you have a reasonable degree of security without having to remember 27 different passwords?

Service	User name	PW (remember I said not to type password in this document)
CompuServe	742354,121	dog+pound
BankAmerica	Smith	surebucks
OBA-NET	john.smith	whitetaildeer

(I can already see some of you glazing over out there at this, but remember with e-commerce, we are not just talking about sensitive client information, but also banking and credit card information. Stick with me through paragraph 4.)

A good password will need to be at least eight characters long and contain some number or symbols.

For example, your formula could be your first name, then the first two letters of the name of the service you are using, a semicolon and the number 23. So if the person at CompuServe learns your password is jimco;23, it is very unlikely to make the leap to figure out that Bank of Oklahoma's is jimba;23 and Sears online is jimse;23.

In conclusion, let me stress that you do not need to lie awake at nights worrying about these security issues. The odds are in your favor. Someone trying to crack into your computer over the Internet is looking for a tiny needle in an unbelievably huge haystack. Just take a few precautions as we have outlined here and you will know that your client's data, as well as your own, is protected.

1. Defining ports is not that easy. The High Tech Dictionary at http://www.computeruser.com/resources/dictionary/dictionary.html defines it this way: Port 1. A socket at the back of a computer used to plug in external devices such as a modem, mouse, scanner, or printer. (2) In a communications network, a logical channel identified by its unique port number. (3) (Omitted)
2. Having mentioned the OBA-NET in my last three articles, I was determined to avoid a mention here. But I cannot. It would be intellectually dishonest to fail to note that the issues discussed in this article have been discussed, dissected, and deliberated at length over the last several months on OBA-NET. The individuals who contributed their thoughts and research there have greatly informed my thinking on these issues, especially John Brewer, who took researching these issues as a personal cause.
3. What you don't have you home computers Networked yet? Get with it! In truth, depending on the size of your family, home networks are in most of our future. You can share an Internet connection at no extra chare. If you have teenagers, they have their own computer for attaching all joysticks and steering wheels. And, as you upgrade your office computer system you will find yourself with working, but virtually worthless, out of date computers. Taking them home for an extra Internet connection if you have space (and high bandwidth Internet access) is as useful a project as any.
4. www.computeruser.com/resources/dictionary/dictionary.html
5. http://grc.com/zonealarm.htm
6. Here "ports" refers to a physical plug-in as opposed to "ports" as used in Endnote 1. Are you confused yet?