Features - Who is Reading Your Hard Drive Tonight? Security with High Speed Internet Access and a Few Words about Passwords
By Jim Calloway, Published on September 15, 2000
Jim Calloway is a lawyer from Oklahoma, currently employed as a practice management advisor for the Oklahoma Bar Association, as Director, OBA Management Assistance Program.
More and more people are signing up for high speed, broadband Internet access.
Once you have a high speed, broadband Internet connection and use it for very long, you will never want to go back to dialing with a modem. Only a severe financial problem or a relocation to an area where there is no high speed access will force you to return to a 56K modem again. It's fast. It's always on. You can be working on a document, realize there is something you need to check online about the document, check it in a few seconds and continue your work. A high speed Internet connection can be shared by several computers in your office or home depending on the service agreement you sign with your provider.
We cannot avoid some technical explanations with this discussion. We will try to minimize the "teckie talk." But we believe you can handle it, and we will conclude with a discussion of passwords where I will amaze many of you by accurately guessing the passwords of some of your computers, laptops and online accounts.
DSL, cable modems and, for some, ISDN or satellite dishes, are the broadband fast connections to the Internet. Many, if not most, lawyers now enjoy fast Internet access at work. You may not have affordable home access in your area now, but you will. When you get it, you will understand why everyone else talks so much about it. Prices vary from under $40 to several hundred dollars a month depending on what services are available.
But broadband brings up some security issues and many Internet service providers do not adequately warn their customers of Internet security risks. The cable TV installer setting up your cable modem may not have any information or knowledge about security or devices like firewalls.
What’s Different about Broadband Access?
When you are connected to the Internet, your computer is assigned an IP address. When you dial up your local Internet Service Provider (ISP) with your modem and make a connection, you are handed an address from the ISP's pool, more or less at random. An IP address is just a set of four numbers like 220.127.116.11. Every computer reachable on the Internet has one, including the server that holds each web page you visit. The next time you call into your ISP, you will probably get a different IP address for that session.
With broadband access there are two differences from your dial-up ISP. First, your computer keeps the same IP address for a long time, often permanently, and second, you are always online. Those who use the Internet to intrude on other systems, "hackers" for lack of a more precise term, therefore have a much easier job. They know where your "front door" is online, and they have many hours of open access to try the knob (or pick the lock). In fact, the use of programs called port scanners, which knock on every "port" of an address to see which services answer, is routine. People who put up guards against such things report "attempted intrusions" several times a week, if not several times a day. In truth, the majority of these are probably harmless: automated sweeps that move on when nothing answers. The trouble starts when something does.
But if you simply have File Sharing enabled on your computer, then those files may be shared with complete strangers across the Internet without your ever knowing about it.
Did that get your attention or should I repeat it? Just remember that you're not paranoid if they really are out to get you.
What Can a Non-Teckie Lawyer Do?
First of all, ask the company representatives when they are installing the cable modem or DSL how secure it is and what protections are in place. More than likely they will give you some meaningless response, which means there are not any.
Steve Gibson of Gibson Research Corp. produces one of the truly great Internet resources on computer security. His outstanding web site is located at grc.com (no WWW's on this one.) GRC is the company that created the popular SpinRite utility software. There is information on that product, Gibson's downloadable free utilities and lots of information on computer Internet security issues.
Gibson's "Shields Up" link is an eye-opener for many. While you wait, his system will probe your computer's shields and ports.1 Do not be surprised if your name, e-mail address and other information are read from your computer and displayed back to you. In addition you may get warning messages about open ports and other security flaws. His "Explain this to me" link should be required reading for anyone with a cable modem or DSL line. (The direct link to that area is http://grc.com/su-explain.htm.) It is fairly technical reading and may take a bit of time to digest.
Let's go through some of the various scenarios that Gibson and some others suggest to protect your system from Internet intruders.
Turn Off File Sharing
This one is actually pretty easy and works like a dream when you have just one computer, not networked to any other, hooked up to the Internet. Since you are not sharing files with other computers, you can simply turn file sharing off. Go to Control Panel, then click Network, and make sure that File and Printer Sharing is turned off. However, one "port" (port 139, the port Windows networking listens on for other machines) may still be open unless you also uninstall "family logon" through Control Panel, Network as well. You can then test your IP address and ports at the Gibson web site. You are now very secure (until you decide to network another machine to this one). Note: turning this off may be much easier than turning it back on again for the beginner.
This also works well on a small home network.2 Typically, file sharing is little used on home networks, where the only real purpose of the network is to share the high speed Internet access. If you need it only rarely, you may just learn to turn it on and off as needed, leaving it off when not in use.
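For readers who want to do a quick version of the Gibson test themselves, here is an added example (not from the article or from GRC) in Python: it tries a TCP connection to the ports Windows file sharing answers on and reports which ones something is listening on. Port 139 is the one the article mentions; 135 and 445 are assumptions added here (445 is the port Windows 2000 and later use for the same job). Checking 127.0.0.1 shows what is listening on the machine itself; to see what the Internet sees, run it from a second machine against your public address, which is what the Shields Up page does for you.

```python
import socket
from typing import Dict, Iterable, Tuple

# TCP ports Windows networking answers on. 139 (NetBIOS session) is the port
# the article names; 135 (RPC) and 445 (direct SMB, Windows 2000 and later)
# are additions here. UDP ports 137 and 138 are not checked, since a TCP
# connect attempt tells us nothing about them.
SHARING_PORTS = (135, 139, 445)


def check_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, bool]:
    """Return {port: True if something accepted a TCP connection, else False}."""
    results: Dict[int, bool] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
                results[port] = True      # a listener answered: the port is open
            except OSError:               # refused, filtered, or timed out
                results[port] = False
    return results


def report(host: str, results: Dict[int, bool]) -> str:
    """Plain-text summary, one line per port."""
    lines = [f"{host}:"]
    for port in sorted(results):
        state = "OPEN - something is listening" if results[port] else "closed"
        lines.append(f"  port {port:<5} {state}")
    return "\n".join(lines)


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Open a TCP listener on a spare port; stands in for an exposed service."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


def pick_closed_port(host: str = "127.0.0.1") -> int:
    """Find a port nothing is listening on by binding one and releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    # Checks this machine from the inside. From another machine, replace
    # 127.0.0.1 with your public IP address to see what an outsider sees.
    print(report("127.0.0.1", check_ports("127.0.0.1", SHARING_PORTS)))
```

A "closed" result from the inside is reassuring; an "OPEN" on 139 after you believe you turned sharing off means a binding is still in place and the Gibson test from outside is worth running.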
Use Windows 98SE or Windows 2000 Security Features
This solution only works if you have Windows 98 SECOND EDITION or Windows 2000. If you do not, you must upgrade to one of these operating systems first. (I have not checked for this feature on Windows ME.)
Windows 98 Second Edition and Windows 2000 have a security benefit built in through a feature called Internet Connection Sharing. It uses "Network Address Translation" (NAT): the sharing computer is the only machine the Internet sees, and the IP addresses of your other machines are hidden behind it, so an outsider cannot open a connection to them. That hiding is good protection for the machines behind it all by itself, at no extra expense for owners of Win98SE and Win2000. Note that the sharing computer itself is still directly on the Internet, so it still needs file sharing turned off or a firewall of its own. This is set up by going to Control Panel, Add/Remove Programs, Windows Setup, Internet Tools and finally Internet Connection Sharing. I have not seen this in operation yet, but I am told that it works this way. Internet service runs through the DSL adapter or cable modem to a network interface card (NIC) in the sharing computer; a second NIC in that computer runs to the hub for the network. It sets up with a software wizard on the first computer. The setup program creates a floppy disk that is used to configure each of the other machines on the network.
You do need two network cards to make this work. There are alternative instructions for using a modem in lieu of the second network card. I would judge that you would need some computer experience to do this. So, you might want to bribe your teenager or college student in the family for assistance.
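Why does hiding addresses behind one machine protect the others? The following added example (not from the article, not Microsoft's code) is a small Python model of what a NAT box does: an outbound connection from an inside machine creates a mapping on the box, replies that match the mapping are passed back in, and anything arriving from the outside that matches no mapping is simply dropped. The addresses are made up (192.168.0.x is a private range, 203.0.113.1 and 198.51.100.5 are documentation addresses), and the rule that a reply must come from the very host and port that was contacted is a strict variant; real devices differ in that detail, but the dropped-by-default behaviour is the point.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Minimal model of an Internet Connection Sharing box.

    One public address (external_ip) fronts many private machines. Outbound
    connections create a mapping; inbound packets are delivered only if they
    match one. Everything else from the outside is dropped.
    """

    FIRST_PORT = 40000  # first public port handed out; sequential for clarity

    def __init__(self, external_ip: str) -> None:
        self.external_ip = external_ip
        self._next_port = self.FIRST_PORT
        # (inside ip, inside port, remote ip, remote port) -> public port
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        # public port -> (inside ip, inside port, remote ip, remote port)
        self._in: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside machine's packet so it appears to come from the box."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self._out.get(key)
        if ext_port is None:
            ext_port = self._next_port
            self._next_port += 1
            self._out[key] = ext_port
            self._in[ext_port] = key
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a packet from the Internet inside, or return None to drop it."""
        if pkt.dst_ip != self.external_ip:
            return None
        key = self._in.get(pkt.dst_port)
        if key is None:
            return None  # nobody inside asked for this: dropped, which is the protection
        inside_ip, inside_port, remote_ip, remote_port = key
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # a mapping exists, but not for this sender
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)

    def mappings(self) -> int:
        return len(self._in)


if __name__ == "__main__":
    box = Nat("203.0.113.1")
    # An inside PC fetches a web page; the server only ever sees 203.0.113.1.
    out = box.outbound(Packet("192.168.0.10", 1025, "198.51.100.5", 80))
    print("outbound as seen by the web server:", out)
    print("reply delivered to:", box.inbound(Packet("198.51.100.5", 80, "203.0.113.1", out.src_port)))
    # A scanner on the Internet tries the file-sharing port on the public address.
    print("unsolicited probe of port 139:", box.inbound(Packet("203.0.113.99", 4444, "203.0.113.1", 139)))
```

Two things the model makes visible: a port scan of the public address finds nothing to connect to unless you add a mapping yourself (a "port forward"), and the box does nothing about connections that start from the inside, which is why a personal firewall that watches outbound traffic still has a job even behind NAT.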
Install a Firewall Using Specialized Software
This one sounds daunting, but actually is not. Firewalls are at least aptly named, so that we understand in a general sense what they should do. A firewall is either an electronic boundary that prevents unauthorized users from accessing certain files on a network or a computer, or other device, used to maintain such a boundary.3 They are supposed to keep "the fire" away from our data files.
But the good news is that, because of the flood of new cable modem and DSL users, there are now many consumer-oriented firewall products. This means they must be simple enough for the average consumer to install and use. They are typically not that expensive.
One of the most popular of these is free: a firewall program named ZoneAlarm from www.zonelabs.com. The site has a link to click to download the program. Others have told me installation is easy. The site also has a positive review of the ZoneAlarm program. The Gibson website absolutely raves over ZoneAlarm 2.0, saying that it may "be the perfect and ultimate personal firewall for the typical Internet user."4
There are other products available. Some have great names like BlackICE Defender 2.1 (http://www.netice.com). Just remember that unless you have in-house computer expertise you probably want to look at the consumer/home products and not those that require much technical expertise to install and maintain.
Installing a Firewall with Hardware and Software
A local computer guru had an extra computer at home. When he got his cable modem, he took the old computer, reformatted the hard drive, installed the Linux operating system and then configured the computer as a firewall with Linux-based software. So the Internet connection goes through the firewall into the main computer. The cost was essentially zero. Obviously, such a setup is beyond most lawyers' ability.
But there are a couple of interesting products out there that do much the same thing. They function as a gatekeeper between the Internet and your computer.
Several lawyers swear by the Linksys 4-Port Cable/DSL router. This is a hub, a router and a firewall combined into one. A simple hub that you buy at the electronics store will cost $30-$40. Why not get a quality piece of equipment for $170-$180 that incorporates a firewall and some other nice features? It has four ports5 to easily hook up four computers for sharing but can handle up to 253 users. Reports are that you plug it in, install the software and go! Much of its protection comes from the same principle as Internet Connection Sharing above: your computers sit behind the router's single public address, and an outsider cannot reach one of them unless you deliberately set the router to forward a port to it. More information is available at www.linksys.com and information on this specific product is at www.linksys.com/products/product.asp?prid=20&grid=5. You might try shopping online both for availability and a good price.
(For those of you who have been reading along forlornly, hoping for a "bottom line" kind of answer, you may have just read it.)
There are other router firewall combinations, but they are typically in a higher price range.
Let Someone Else Handle this Headache
If reading this article has made your head ache and your eyes swim, then maybe net security outsourcing is the best option for you. You just write annual or semi-annual checks and someone else handles the entire security job for you.
Although I do not know personally of anyone using this method, it has an obvious attraction. They send you a box and walk you through plugging it in by phone. They remotely handle software updates and other issues. You just pay them like you would the burglar alarm company for a similar service.
For an example of this kind of service, see www.watchguard.com.
O.K. That was Exhausting. How about a Topic that is More Simple?
Can I Crack your Password Protection in 10 Minutes or Less?
Let's pretend that I have been hired as a computer cracker to break into your office computer system and steal valuable client information. I decide I want to leave no trail on the Internet. I do it the old fashioned way. Just before dawn Sunday morning, we break into a back window and gain entry to your office, quickly disabling the burglar alarm before the 10-second delay. My team and I remove our black ski masks. One person goes to work replacing the broken glass with the new pane we brought with us. The others start turning on the computers.
Question No. 1 - Certainly this is a hypothetical crime, but have we already won? Will all of your office computers now yield up all of their data to be copied to the portable CD writers we carry, or are they password protected to protect your clients' information?
I know many of our readers have already failed this test. Some of the rest of you have a Windows password securely in place. A word of warning is in order. Unless your password is set up through CMOS (the computer's own start-up password) as opposed to Windows only, it is a fairly easy matter to circumvent the password and get to the contents of the hard drive. Even a CMOS password only stops someone from starting that machine; a burglar with time to replace a window pane also has time to remove the hard drive and read it in another computer, so the password protects the machine rather than the files themselves. If you don't know how to set this up, it is time to bribe the teenager again. But moving on .......
The computer demands a password. I quickly scan your desktop and your monitor and pull out the wooden signing board in your desk. Did I find it? Too many lawyers and secretaries have their password taped someplace very near their keyboard "just in case they forget it." I look through the Post-It Notes™ attached to your computer screen and inside the drawers for a password.
Our team is still confident. I sit down at the keyboard and start entering possible passwords. I know who works at each station and so I try the following passwords:
1) Your first name
2) Your last name
3) Your bar association number
4) The word "Password" (Bet you thought that was original, didn't you?)
5) The user name displayed on the first line
6) The word "Secret"
7) Your spouse's name
8) Each of your children's first names
9) Your pet's name
10) Your birth date & anniversary date
11) Your nickname
Well, that took about two minutes. I may not have reached your password yet, but I promise you that far too many readers were caught somewhere on that list. And don't forget that with most network setups, I only have to break into one of the computers on the network. I believe that you would be stunned and amazed at how many secretaries have their husband's, children's or boyfriend's name as a password.
Still not concerned? You've got a pretty good password that you don't believe I can guess. You might be right. Since it is such a great password, you use it for several things. Of course, if I call your Internet Service Provider tech support guy in the middle of the night pretending to be you, I might just talk him out of it. ("Hey, I just got this new laptop, but I don't remember my password anymore, it just shows that row of stars.") In fact, maybe it is such a good password you used it for your online banking as well. Then I might even be able to pay myself a little bonus on this job.
The point is that you may already have several passwords that you need to remember. If you do not now, within the near future with more online banking and shopping you will soon have even more passwords. A password on the office computer protects the secrecy of client files.
Strange as it may seem, there are programs, Windows-based ones included, that will try password after password, working through a dictionary of words and names or every combination of characters, until one gets in. A password that is a plain word or a name is the first to fall to them; a longer one with numbers and symbols mixed in takes them vastly longer.
But it is hard to remember all of these passwords. Hopefully, the example above makes it clear that you cannot use the same password for everything. So, how can you have a reasonable degree of security without having to remember 27 different passwords?
Here are my suggestions:
1) Have one general password for things you don't care all that much about and that carry no economic danger. Examples of these might be online services to which you have not given your credit card information, like the New York Times online, or the games on ESPN online. Perhaps you have a web-based e-mail account that only your family uses to communicate with you when you are on the road. Whatever it is, this is your "don't care who might find out" password. It is not as if you will tell it to others, but if a password-stealing virus ever invades your computer, it will probably get this one because it will be saved for several websites. This still should not be a real word, but a combination of real words you will remember like theturnip, ted'sword or thisIknow. This is your "throwaway" password. Use it for all meaningless, non-credit card related
2) Use unique passwords for your most important information such as access to your bank accounts. Don't use the same one twice. Remembering them will be a challenge. But you do not want a hacker to be able to roam from bank account to credit card to online store if your password becomes compromised.
3) Keep a list of your passwords hidden on your computer. Do not use the word "password" anywhere in this document so no one can search for and find it. Fill the first page or two with a pleading of some sort and then include the list of passwords. Name this document something innocuous like "old construction contract.wpd." No one will ever look at it. If you want to be extra cute, just in case someone does look at it, you can use a trick like ending every password with a number like 4 and not putting the number on the list. Bear in mind what this does and does not do: anyone who can read your drive, or a password-stealing program that searches your documents, can read the list, so the disguise only buys time, and the missing digit only helps until the trick is spotted.
Your list would look like:
    Service        User name      PW (remember I said not to type "password" in this document)
    CompuServe     742354,121     dog+pound
    BankAmerica    Smith          surebucks
    OBA-NET        john.smith     whitetaildeer
But your passwords would really be dog+pound4, surebucks4 and whitetaildeer4.
(I can already see some of you glazing over out there at this, but remember with e-commerce, we are not just talking about sensitive client information, but also banking and credit card information. Stick with me through paragraph 4.)
4) If a list of passwords strikes you as insecure, then come up with a formula to allow you to figure out your password to every account. (Remember to have one throw-away general password for online newspapers and such.) The key to a password formula is that you should be able to figure out all of your passwords, but no one else who sees it can.
A good password needs to be at least eight characters long and should contain some numbers or symbols.
For example, your formula could be your first name, then the first two letters of the name of the service you are using, a semicolon and the number 23. So if the person at CompuServe learns your password is jimco;23, it is unlikely he will make the leap to figure out that Bank of Oklahoma's is jimba;23 and Sears online is jimse;23. Do not count on that too heavily, though: anyone who sees one of these passwords next to the name of the service it opens can spot the pattern, and the pattern is all the formula has. Make the service-derived part less obvious than its first two letters (the last two, or the number of letters in the name, for instance), and keep the fixed part from being your own name, which was the first thing the intruder at your keyboard tried.
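To turn the guess list earlier in this section and the eight-character rule into something you can actually run against the passwords in your office, here is an added example in Python; it is not from the article. The sample user and the candidate passwords are made up, and the set of variations tried for each name (capitalization, a trailing 1 or 123, the name spelled backwards) is an assumption about the tweaks people commonly make, not something the article lists.

```python
import re
from typing import Dict, List, Set

# The two "try these first" words from the guess list.
COMMON_WORDS = ("password", "secret")


def _word_variants(word: str) -> Set[str]:
    """Spellings of one word an intruder at the keyboard would try in turn."""
    word = word.strip()
    if not word:
        return set()
    bases = {word.lower(), word.capitalize(), word.upper()}
    variants = set(bases)
    for base in bases:
        variants.add(base + "1")      # assumed common tweaks, not from the article
        variants.add(base + "123")
        variants.add(base[::-1])      # the word spelled backwards
    return variants


def _date_variants(date: str) -> Set[str]:
    """'07/04/1960' -> '07041960', '070460', '1960' (month/day/year assumed)."""
    digits = re.sub(r"\D", "", date)
    if not digits:
        return set()
    variants = {digits}
    if len(digits) == 8:
        variants.add(digits[:4] + digits[6:])   # MMDDYY
        variants.add(digits[4:])                # YYYY
    return variants


def personal_guesses(info: Dict[str, object]) -> List[str]:
    """Build the article's guess list from what is known about the user."""
    words: List[str] = list(COMMON_WORDS)
    for key in ("first", "last", "username", "bar_number", "spouse", "pet", "nickname"):
        value = info.get(key)
        if value:
            words.append(str(value))
    words.extend(str(child) for child in info.get("children", []))
    guesses: Set[str] = set()
    for word in words:
        guesses |= _word_variants(word)
    for key in ("birth_date", "anniversary"):
        if info.get(key):
            guesses |= _date_variants(str(info[key]))
    return sorted(guesses)


def is_guessable(password: str, info: Dict[str, object]) -> bool:
    """True if the password is on the list an intruder would try first."""
    return password in set(personal_guesses(info))


def meets_minimum(password: str) -> bool:
    """At least eight characters and at least one digit or symbol."""
    return len(password) >= 8 and any(c.isdigit() or not c.isalnum() for c in password)


def audit(password: str, info: Dict[str, object]) -> List[str]:
    """Return the reasons a password fails; empty if it passes both tests."""
    problems: List[str] = []
    if is_guessable(password, info):
        problems.append("guessable from personal information")
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("no number or symbol")
    return problems


if __name__ == "__main__":
    # Constructed sample user; none of these details are real.
    sample = {"first": "John", "last": "Smith", "username": "jsmith", "bar_number": "12345",
              "spouse": "Mary", "children": ["Emma", "Liam"], "pet": "Rex",
              "birth_date": "07/04/1960", "anniversary": "06/15/1985", "nickname": "Johnny"}
    for candidate in ("mary", "Emma1", "07041960", "surebucks", "whitetaildeer4", "dog+pound4"):
        verdict = audit(candidate, sample) or ["passes both tests"]
        print(f"{candidate:16} {'; '.join(verdict)}")
```

Note that "surebucks" from the list above fails the second test until the trailing 4 is added, and that the personal-information check is only as good as the details you feed it; an intruder who has read your biography on the firm's web site has the same details.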
In conclusion, let me stress that you do not need to lie awake at night worrying about these security issues. The odds are in your favor. Someone trying to crack into your computer over the Internet is looking for a tiny needle in an unbelievably huge haystack, although the automated scanners comb that haystack continuously, which is why an open file share is eventually found. Just take the few precautions outlined here and you will know that you have done more than most to ensure that your clients' data, as well as your own, is protected.
Endnotes
1. Defining ports is not that easy. The High Tech Dictionary at http://www.computeruser.com/resources/dictionary/dictionary.html defines it this way: Port (1) A socket at the back of a computer used to plug in external devices such as a modem, mouse, scanner, or printer. (2) In a communications network, a logical channel identified by its unique port number. (3) (Omitted)
2. What, you don't have your home computers networked yet? Get with it! In truth, depending on the size of your family, home networks are in most of our futures. You can share an Internet connection at no extra charge. If you have teenagers, they have their own computer for attaching all the joysticks and steering wheels. And as you upgrade your office computer system, you will find yourself with working, but virtually worthless, out-of-date computers. Taking them home for an extra Internet connection, if you have space (and high bandwidth Internet access), is a useful project.
3. http://www.computeruser.com/resources/dictionary/dictionary.html
4. http://grc.com/zonealarm.htm
5. Here "ports" refers to a physical plug-in as opposed to "ports" as used in Endnote 1. Are you confused yet?