Internet Security and its Impacting the Business of Law and the Practice of Law

A Grande Latte please and keep them coming… it’s a bumpy ride.

This past Sunday I sat down and talked with Dr. Michael Franz (http://www.ics.uci.edu/~franz/), a professor of Computer Science at UC Irvine, to talk about Internet security and its impacting the business of law and the practice of law. Professor Franz is an expert in Cyber Security and his current research on CyberDefense is funded by the U.S. Department of Homeland Security. It was a compelling conversation which flowed with insight and helpful tips.


JC: Dr. Franz, almost every day we hear of some new problem with the Internet. Is the Internet becoming less secure?

MF: Well, the Internet was never very secure to begin with, but what has changed in the past 2 years or so is that organized crime has got in on the act. While before it was just a few isolated little crooks (something that the intelligence community refers to as “ankle biters”) now all of a sudden we see the emergence of actual criminal networks. I was at a meeting in Arlington Virginia organized by the Department of Homeland Security just recently where someone estimated that about 30,000 people are “full time employees” of Internet fraud schemes today, and the number is growing.


JC: What kind of fraud are we talking about?

MF: Well, you probably have heard of the term “Phishing”, which means trying to obtain somebody else’s financial information that can then be exploited for raiding their bank accounts or going shopping on their credit card. You probably also by now have got these emails where some bank is telling you that your account has been suspended and that you need to update your information by clicking on the link. And of course, that link doesn’t really take you to your bank, but to a fake web site that just looks like that of your bank – and that is how they get your credit card details. It is amazing how many people fall for this and divulge all of their personal information, including social security and driver license numbers.


JC: Are the criminals moving to more sophisticated information theft?

MF: Unfortunately yes. As I said, the “big guys” are now getting in on the act. For example, most people (and even I have been guilty of this at times) use the same username/password combination at all the sites that they visit on the Internet. So what the criminals do is that they try to crack small, relatively unprotected sites – your local sports club, your high school reunion site – and then they use the username/password combinations they find there and test if they also work on Amazon.com or eBay or various banks. And more often than not, they do, because we as users are so lazy.

JC: So for those of us practicing law or in the business of law, how do you suggest we safeguard our business information and advise our clients?

MF: Well, first of all, unfortunately it means more work for all of us. We cannot be as casual about these things as we used to be. For example, for every internet site that you entrust with critical information, you should use a different password. Also, you probably should not even use the same web browser for your “important” sites as you use for casual web browsing – because information could leak from one site to another if you are viewing them in the same browser.


JC: What do you mean by “leak” information?

MF: The attack most talked about in the security community today is “cross site scripting” (http://www.cgisecurity.com/articles/xss-faq.shtml), by which a bad guy puts up a web page that lets him access information you are browsing or typing in a completely different window for a completely different web site. This is quite sophisticated and we are only at the beginning of this stuff happening. The only way you can really prevent this “leaking” is by keeping your work environment completely controlled and completely separate from your “play” environment.


JC: So what is your recommendation?

MF: Well in the government, people actually have different computers – one for the secret stuff, and one for the unclassified stuff. It is too expensive for most people to buy two separate computers, but you can enforce a separation of sorts by using different web browsers. So for example, I use the FireFox browser whenever I deal with my bank, with Amazon, and with other trusted providers. I never ever casually browse the Internet with that browser. I use the other web browser on my system to do all the casual browsing, and I never use that other browser for banking or similarly important activities. So by building this “mental firewall” between activities, I greatly diminish the probability that a “bad site” can steal my “good data” – because these are now being accessed in two completely different programs.


JC: Given that most of us haven’t been so diligent, how do we put the genie back in the bottle?

MF: Well, there is some work involved. The first thing to do obviously is to install a second browser that is “clean”. Then you should systematically go and change all the passwords of the important sites you use – and you need to do this from inside the “safe” browser, because the enemy might already be listening in on your old browser. And I really recommend that you use a different password for every site you use.


JC: But then how do you remember all these passwords?

MF: Well, the easiest is to use a password system. For example, I use the street map of a town I have lived in as my mental guide. So for “Amazon.com”, I use a street name that starts with an “a” on that grid, and for “eBay” I use a street that starts with an “e” on that street grid. And of course, you want a combination of letters and digits, so I insert the street number of a person I know on that street somewhere in the middle of the street name. So you wind up with a whole family of passwords that you can memorize easily yourself because you are familiar with whatever the passwords are based on, but no hacker has a chance of guessing one password based on another that they may have obtained in some manner. So you limit your damage if one of your passwords does get exposed.


JC: How does the hacker find me?

MF: Well, there are actually two different things going on here. First, there are many attacks that you bring into your computer yourself. You go to some less reputable web site, or your kids or your employees do, and that site contains some bad stuff, or as we say “malware” that triggers a bug on your system. And then there are attacks where the bad guys are constantly scanning the whole internet to find vulnerable hosts. And if you are vulnerable and you are infected, then your computer is in turn used as a “zombie” to find even further vulnerable hosts. Your best defense against that is to keep your system up to date.

JC: Up to date?

MF: You see, these hackers are exploiting errors in the operating system. These errors really shouldn’t be there, but unfortunately they are because the software gets shipped on a tight schedule. The quality of desktop software is not as high as for example for nuclear reactor control systems. Commercial software in the long-year average has between 20 and 30 bugs per 1000 lines of code. For Windows, which has about 5.7 million lines of code, this translates into between 115,000 and 171,000 bugs - a staggering number if you think about it. And many of these bugs are safety critical. Now you know how many people work at Microsoft – they couldn’t possibly fix all the bugs in something this big even if they did nothing else for a year. And of course, the emphasis is on building new software, not fixing the old stuff that you have already paid for…


JC: Does what we are talking about apply also to mobile devices? They are becoming more popular with lawyers.

MF: Well the good thing about small things is that by the same rule of thumb, there are fewer bugs. Plus, a PDA or a cell phone is a much less friendly environment for viruses and computer worms to multiply in – for example, they don’t have enough memory and aren’t fast enough. So while we have seen proof of concept demonstrations of such viruses for mobile devices, I don’t think it is a problem yet. It will become a problem when those devices become more powerful. The biggest problem right now probably is that people save their passwords on their PDA, and the PDAs themselves then get stolen.


JC: What is the government doing about security on the internet?

MF: The government is funding a lot of really innovative research at universities and commercial businesses, and they are committed to improving the infrastructure. The problem is that now we are up against organized crime – just think of the earlier number, 30 thousand criminals joining forces against you. The problem is far bigger than we thought, and there simply isn’t enough brainpower or money for a quick fix. It will get far worse before it gets any better.


JC: If you were setting up an information critical business like a law firm today, what would be some of the “must do’s and don’t” on the hardware and software side to make sure you are as safe as you can be?

MF: Well, this may sound a bit brash, but the easiest solution today would simply be not to use Windows. I go into these meetings of security researchers, and I am always amazed that hardly anyone in this community uses Windows. I myself use a Macintosh, and for full disclosure, I also own Apple stock because I believe the whole security thing plays into their strengths. So for the small guy, the best bet is probably to outsource critical functions to an Application Service Provider who knows how to do the security correctly, and then to mitigate local risks as much as possible. But I see people all the time who run their own servers and don’t even have a comprehensive backup regime in place, and who don’t update the OS on a regular basis – these guys are just waiting for a disaster to happen.


JC: Application Service Providers (ASP) are a tough sell in the legal market because attorneys don’t want their clients’ information housed on third party servers. But what you are saying is in fact that their clients’ information would be safer in the hands of an ASP?

MF: In almost all cases, most definitely yes. Any large ASP will use best practices that are up to the minute current. They also know that the liability arising from any breach would most probably doom them. You could argue that security is half of the total mission of what an ASP actually does, and they will probably do this much more diligently than any small office possibly could. Doing security right is even more difficult than doing networking right. If you want to do this in-house, you will be spending orders of magnitude more on the people doing it for you than you are going to spend on the hardware and software.


JC: What would you say to a law firm who agrees with you about the security and economics of an ASP model but is concerned about the security of information in transit to the ASP over the Internet?

MF: I don’t think the data transmission is the problem – we have strong encryption. You have to realize that in Cyber crime, the transmission has never been found to be a weak link at all. If I want access to your information, it is much easier to attack one of the end points of that transmission – either your computer or the ASP’s. Now on the ASP’s side, that is a liability issue and they are going to do best practices for their own survival. The weakest link is your computer in your attorney’s office – and by moving the data out of that office onto a professionally managed server, you actually are reducing the importance of that weakest link.

JC: I know our time is up. Thanks you for sharing your time and insight. I hope you will allow me to follow up with you as comment and questions flow?

MF: I will gladly answer your reader’s questions. And if any of your readers want to sponsor my research at the University of California, gifts to the university are of course fully tax deductible…