A proposal for Reasonable Wireless Security for law firms

It’s just past 8.30 am on a busy Tuesday. A five-person legal team
has just arrived to work with your firm on that big case. For the
next four days, these five lawyers will be camped in your conference
room. And their first question is, “How do we get Internet

[Ian Sacklow co-wrote this white paper]

many small and mid-sized firms in the US, the answer is increasingly,
“We’ve got Wi-Fi1.”
A Wi-Fi Access Point (WAP) allows your computer or personal digital
assistant (PDA) to connect to the Internet, or a computer network, at
high speed, without wires (see sidebar).

Wi-Fi lets your clients use the Internet or access their corporate
network. It allows your partners, associates and interns access to
the web and your Local Area Network (LAN) from the library or
lunchroom – or the coffee shop across the street.

the immediate future, lack of a Wi-Fi connection to the Internet will
be as disruptive to a law firm as the lack of an Internet connection,
or a mobile phone.

we adopt new technologies, no matter how revolutionary or wonderful
they may be, we must not be reluctant to address their
vulnerabilities. An improperly or incompletely configured WAP has
vulnerabilities. Fortunately, there
are inexpensive and easy-to-employ safeguards against many of them.

Executive Summary
This article is intended to provide attorneys and support staff with
an overview of Wi-Fi, and the challenges they face as they maintain
the confidentiality of client documents and information in a wireless
network setting. This article proposes a standard comprising the
steps which law firms should take to reasonably prevent intrusion
into their LAN via their WAP, and thereby protect the confidentiality
of their clients’ information.

article is geared towards those in the many law firms which don’t
have full time Information Technology (IT) departments, or formal
computer training. The steps suggested do not provide a guarantee
against unauthorized intrusion. They do provide a reasonable amount
of security at reasonable expense2.

it comes to a lawyer’s duties to maintain confidentiality, I’ve been
told there has been no landmark ruling about what are reasonable
measures to protect client data across a WAP. A poorly configured WAP
can expose your clients’ confidential information. Unless you wish to
be the test case to establish that standard, you should establish and
maintain reasonable levels of security when deploying a WAP.

is submitted that the steps I propose are reasonable, and it is hoped
that they would therefore be adopted as a standard to be followed and
provide a safe harbor for law firms seeking to protect the
confidentiality of client information in a wireless network setting.

The proposed standard includes four steps to protect and encrypt the
traffic on the WAP. Any WAP not so protected shall be considered to
be an “Open WAP.”

proposed standard also includes a written security policy covering:

  • WAPs in the office
  • WAPs at the homes of those with remote-access authorization to the
    firm’s local area network
  • Computers which contain client data and access publicly-accessible
    WAPs (at coffee bars, airports, Bar Association Libraries, airports,

Wi-Fi: An Indispensable Tool

  • Wi-Fi is everywhere, and it’s no fad.

There were more than 10 million WAPs in US homes by the end of 2004, with an expected 14 million by the end of 2005.

At coffee bars, restaurants and offices throughout the world, you’ll see people working on Wi-Fi-enabled devices like notebook computers. Publicly-accessible WAPs, known as Hotspots,
are provided in scores of cities to
encourage Internet use. Many Hotspots provide the Internet access at no cost, to encourage foot traffic.

Other Hotspots, such as those at most Starbucks, Barnes and Noble,
Borders and Kinkos locations, charge access fees for Wi-Fi – about
$1.30 a day for a monthly subscription.

WAP Overview

  • The vast difference between connecting via Wi-Fi to the Internet, and connecting via Wi-Fi to your LAN is an important distinction.

comprising a Wi-Fi network work in much the same way as
walkie-talkies and a base station. When you set up a WAP (sometimes
also referred to as a, “Wireless Router”), you are broadcasting a
radio signal to the area within a radius of up to 3003
feet from the WAP. By default, anyone with a mobile device equipped
with a Wi-Fi transceiver (“Wi-Fi Adapter”) can detect this
signal and request a connection. When the WAP recognizes the request,
by default it assigns to the requesting device a unique identifier
(an “IP Address”) which permits the WAP and mobile device to
communicate. Once this connection has been made, the mobile device is
granted access to the network to which the WAP is connected.

people connect the WAP to a high-speed Internet connection. Once a
mobile device is connected to such a WAP that device can access the

people also connect the WAP to their Local Area Network (LAN). Your
LAN is the network of computers which contain your data and client
information. LAN access must be protected by a firewall, which
prevents unauthorized communications originating outside the LAN from
getting in.

reasons which will be made clear below, I highly recommend that
anyone accessing your LAN from anywhere outside the firewall –
be it through your WAP, their home computer or network (wired or
wireless) or a public Hotspot – do so through a Virtual Private
Network (VPN). A VPN creates a “tunnel” through which your
data is transported, crytographically encrypted, through the firewall
and on to the LAN.

VPNs are the number one thing people should be doing. A VPN lets trusted4 users be as productive as possible. Even if an unauthorized user gets
on to your WAP, you can keep him locked out of your LAN.

proposed standard therefore requires you place the WAP outside
your firm’s firewall. By creating a “demilitarized zone”
(DMZ) which is inside the WAP but outside the firewall, you grant
wireless Internet access via your WAP, while only Trusted users may
access the LAN, through the VPN.

Unless you intend to offer public Internet access (which you might,
see below), then you must also protect your WAP with encryption and
an authentication scheme, which requires user name and password, to
help keep unauthorized users out. While less important than
protecting your LAN, protecting your WAP from just anyone getting
Internet access can be important as well (see sidebar).

Your Responsibility?

  • Connecting an Open WAP to your firm’s LAN is literally as unsafe
    as placing your client files in an unlocked file cabinet in the
    center of a city street.

Lawyers in New York State mustn’t knowingly “… reveal a confidence or secret of a client”, and “…shall exercise reasonable care to
prevent … employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidences or secrets of a client.”5

Open WAP is a Hotspot – a publicly shared computer network open to
anyone, anywhere within 300 feet. In 2001, the DC Legal
Ethics Committee stated it is “…impermissible for unaffiliated
attorneys to have unrestricted access to each other’s electronic
files (including e-mails and word processing documents) and other
client records. If separate computer systems are not utilized, each
attorney’s confidential client information should be protected in a
way that guards against unauthorized access and preserves client
confidences and secrets.”6

The Delaware Bar opined that client confidentiality is
broken when a lawyer, “should reasonably anticipate the
possibility that his or her communication could be intercepted and
confidences disclosed.”7

irate client whose opponent became aware of embarrassing information
via such an interception might well make the argument that
maintaining an Open WAP doesn’t protect his data in a way that guards
against unauthorized access and preserves client confidences and

the confidentiality of client information on an Open WAP is
impossible. Cheap and simple steps can solve this problem.

Criminal Liability of Accessing a ‘Public’ Hotspot

  • You
    cannot rely on existing laws to prosecute “unauthorized” WAP
    access. It is difficult to determine how a user becomes authorized
    to access a WAP, and there’s no common mechanism by which to post a
    notice that he is not.

early July, 2005, police in St Petersburg, FL, arrested Benjamin Smith III
for accessing a residential WAP and connecting to the Internet –
from his car. Smith was charged with unauthorized access to a
computer network.

might get off. Who’s to say it was unreasonable for Smith to assume
what he did was Kosher? The WAP he used was wide open. With the
proliferation of Hotspots,
who can say whether a person can reasonably infer an Open WAP is
intended for public use?

current New York law, it is illegal to intentionally access someone
else’s computer, computer network or equipment without authorization
to do so where such computer or equipment, “…is equipped or
programmed with any device or coding system, a function of which is
to prevent the unauthorized use of said computer or computer

New York Penal Law also attempts to define “authorization”
by providing that to establish authorization, one must be either

give actual notice in writing or orally to the user;

prominently post written notice adjacent to the computer being
utilized; or

a notice that is displayed on, printed out on or announced by the
computer being utilized by the user9.

the Penal Law also provides for a presumption that notice of such
authorization is given where, “the computer is programmed to
automatically display, print or announce such notice ….”10

Scott R. Almas, who was instrumental in developing the business and
technology model to implement many of the Hotspots throughout
downtown Albany, New York, is a technology attorney at the law
firm of Lemery Greisler LLC. While Almas does not endorse the
unauthorized use of open WAPs, he points out significant problems
with New York’s law when viewed against the practical reality of the
proliferation of Open WAPs.

am particularly troubled,” Almas said, “by how a user is supposed
to know whether or not the owner of the Open WAP is authorizing use
of the access point where the owner broadcasts to the world the
presence of the access point and takes no steps to secure it. By the
very nature of WAPs, there is no reasonable way to post or provide
oral notice, and it can be difficult to interpret from the
broadcasted name of the access point whether authorization is

“In light of the fact that protecting the WAP is free, simple to do, and
strongly recommended by the access point manufacturers during the set
up process,” Almas said, “I believe anyone who sets up a
WAP and does not follow the advice to install even the most basic,
minimal safeguards should be presumed to be providing authorization
to access the Open AP for otherwise lawful Internet use.”

“The presumption should not,” adds Almas “extend to authority to access information on the WAP owner’s LAN, or other illegal or
harmful activities.”

Oops. Was That Your WAP?

    a mobile device automatically seeks and connects to a WAP, then
    accessing an Open WAP needn't even be intentional. </strong>

    new notebook computers ship with the Microsoft Windows XP or
    Macintosh OSX operating systems, and are equipped with internal
    wireless adapters (see sidebar). If the wireless adapter is switched
    on, the notebook will seek, and attempt to connect with, WAPs – even
    before the screen comes to life.

    People set their notebooks to connect to any available network, so
    the onus is on the owner of the WAP. I would think that if your WAP offers credentials to enter – such as an IP address – a user might reasonably think that they’ve been granted access to your WAP.

    And New York Penal Law Section 156.50 provides a defense for persons who
    had reasonable grounds to believe that they had authorization to use
    the computer. Therefore, unfortunately, the issue will likely be left
    for the Courts to decide whether such a presumption exists and is
    applicable in any given case.

    and the public must properly frame these issues and arguments, so
    that the Courts can properly interpret and apply the law.

    Your Needs

      <strong>You can protect your LAN while providing public access to your
      WAP and the Internet - so long as you configure your WAP properly</strong></li>

      Lemery Greisler, Almas’ Albany, New York law firm, provides a Hotspot
      to afford anyone in the area free access to the Internet. By giving
      pedestrians a good reason to mill about, this is a fine goodwill
      gesture towards local businesses at low cost.

      a perfectly reasonable thing to do, so long as you reasonably ensure (as did Lemery Greisler) that it is difficult for strangers to
      access your LAN from the Hotspot. They placed the Hotspot outside
      their firm’s firewall, thereby providing a public service at little
      risk to their own network.

      important that you, too, determine what you want your WAP to do, and
      deploy it properly.

      Don’t Panic … But Set A Policy

        <strong>A clearly communicated and strongly enforced written policy
        governing remote network access is essential. </strong>

        written wireless data security policy is vital in any environment; in
        a law firm, the lack of one could be expensive, embarrassing and
        time-consuming. It could create civil liability – and even criminal
        liability (see sidebar) – for the firm.

        people in the firm must be made aware of the policy, not matter their
        position: it does you no good to take steps to increase security if
        your receptionist or even a junior associate tells a caller
        information about your WAP and network. This happens far more often
        than you’d think. Specifics on what the policy should cover are
        listed below, within the proposed standard.

        Everybody’s Not Doing It

          If you haven't
          locked down your firm's WAP, you're not alone. This problem is
          widespread and international.</strong> 

          In March, 2005, data
          protection company RSA Security reported that a survey it
          commissioned from netSurity found more than one third of wireless
          business networks in four major cities were unsecured – 38% of
          businesses in New York, 35% in San Francisco, 36% in London and 34%
          in Frankfurt.

          Those numbers are about
          right – a safe, if not conservative, figure. It’s analagous to a car, which comes with locks built right in to the doors, but it’s up to you to depress the lock button.

          From Elite Geeks to An Unruly Mob

            One no longer
            needs to be a gifted programmer to be a successful intruder.</strong></li>

            Cracking WEP, the lowest form of Wi-Fi encryption, is increasingly trivial
            (see sidebar), and attorneys must never entrust WEP – no
            matter how large the bit-size – to be the sole means of protecting
            a LAN.

            The popular image of a “Hacker,” as a young, pale-skinned
            male perched behind a complex computer using arcane tools to
            penetrate computer systems is dated.

            Hacking, password- and encryption-breaking tools have become
            ubiquitous, sophisticated, simple to use and are totally free to
            download from the Internet.


            determined intruder with the right tools will get in no matter what
            you do – nothing offers 100% security or guarantees, but you
            should employ the best security you can install and maintain without
            unreasonably disrupting productivity. Take all reasonable steps to
            secure client information on your LAN with a well-configured

            you merely wish to allow Trusted users wireless Internet access,
            securing your WAP can likely be done by Dan – that geeky intern who
            likes Star Trek. It can take as little as 15 minutes, and can
            cost nothing: if you’ve got a WAP, you’ve almost certainly got the
            hardware needed (and if you don’t, you can spend as little as $40 to
            get it).

            you wish to allow the WAP to also grant LAN access, and you don’t
            have an IT person in-house, you might buy a combination VPN/WAP for
            as little as $149 (see sidebar). Otherwise, you may need to hire an
            outside consultant or installation specialist for a few hours’
            consultation or work to set up the VPN.

            Four Main Steps

            Linksys is the most popular WAP maker, examples below refer to
            Linksys products; your WAP’s instruction manual contains specific
            How-Tos and instructions to do all the following. All brands provide
            similar steps and menus, and all use the same terminology.


            The simplest solution for a range of common problems raised by WAPs is to
            change the default information on the WAP itself. This is
            accomplished by opening a web browser and surfing to the IP address
            of the WAP device.

            First go to the Setup Page:

              Change the Router Name<a class="sdfootnoteanc" name="sdfootnote11anc" href="#sdfootnote11sym"><SUP>11</SUP></a>.
              Change the last two fields in the WAP's Local IP address to
              something other than what's there. Reasonable entries include

              go to the Wireless Basic Settings Page. The Service Set Identifier
              (SSID) is the name of the wireless network your users will connect
              to. By default it is set to “Linksys.”

                Change the SSID to something non-descriptive - not your firm's
                name. While the concept of security through obscurity is not to be solely relied upon, choose for your SSID something obscure, like B3QXR25. 
                Then, disable the SSID broadcast, so it won't be readily visible to
                users who don't know that the WAP is there (though &quot;war-drivers&quot;
                - people who drive around looking for Open WAPs - might see it.
                Yes, there's a war-driving subculture). 


                A hacker, using the default username of (nothing) and the default
                password of “admin” can take over your WAP and lock you out. In the Administration page:

                  Set a new, hard-to-guess administration password, using at least an
                  eight character string which is not a word found in a dictionary,
                  and which comprises upper and lower case letters and numbers.</li>

                  THREE: ENCRYPT THE SIGNAL

                  the best encryption method you possibly can, preferably WPA2 (see
                  sidebar). If WPA2 is not available, then deploy, in descending order
                  of preferability, either WPA or WEP. If you absolutely must use
                  WEP, use 128-bit encryption – which takes a bit longer to crack
                  than weaker versions of WEP.

                  STEP FOUR: VPN INTO THE LAN

                  You absolutely, positively may not allow access to your LAN through the
                  WAP except with the use of a VPN.

                  the VPN’s authentication is vastly more secure than Wi-Fi’s and
                  encrypts all data between the client (that’s your notebook computer
                  or PDA) and the LAN, it helps ensure that anyone gaining access to
                  the LAN is authorized.

                  Written Policy

                  Anyone who has been granted remote access to your LAN must abide by
                  the written remote access policy. This policy must cover the remote
                  users’ notebook computers, PDAs and other mobile data devices; their
                  home LAN and any home computers, and any other machines which they
                  may use to access the company LAN.

                  The policy must be clearly posted in the firm, and discussed with all
                  remote users and staff. It must explicitly set forth rules governing
                  what employees may tell outsiders about your computers, your network,
                  your WAP and your security policies. It must be regularly reviewed.

                  For a sample written policy, see http://www.nickselby.com/wifi

                  Protect Home WAPs

                  Anyone granted permission to access the LAN via VPN must apply all
                  four steps above to their home or other remote WAP. This not only
                  protects your LAN, it protects personal data they store on their home

                  Current OS Patches, Anti-Virus, Firewall & Spyware Blockers

                  Anyone accessing the LAN must ensure that their device is updated
                  with the most recent security patches for their Operating System.

                  All machines on the LAN must run current versions of anti-virus
                  software with regularly updated virus definitions. Note that new
                  viruses are introduced every hour; “regularly updated virus
                  definitions” means at a minimum of once each week. It could be
                  argued it is reasonable to update every 24 hours.

                  device accessing from outside the LAN must be running a
                  properly-configured firewall program such as Zone Alarm or Computer
                  Associates eTrust. The Basic Signal Set (BSS) is shared by all users of an AP; should the hotspot not block inner BSS connections, and you should assume it is not blocked, then if you connect to that AP and you are not running a firewall, a malicious user can gain access to your machine and install software or remove files from your hard drive. If you’re not encrypting your e-mail, it (and your password and username) can be very, very easily captured and viewed in plain text by others on the Hotspot –
                  unless you’re encrypting your email through a VPN, or an encryption
                  program such as PGP.

                  assume that others can see you on a Hotspot. Make sure you have a firewall running, and anything
                  you care about – such as email or confidential files – is encrypted
                  across a tunnel.

                  For Discussion

                  As when you access a Hotspot, you’re always looking for the balance
                  between ease of access and loss of security. The best we can do
                  is educate people about the upside and downsides of using WAPs, and discuss ways to protect yourself so that your information remains reasonably secure.

                  As I mentioned earlier, this is all very new. The proposed standard
                  is a first step towards reducing the likelihood that your LAN will be
                  compromised, or your Internet connection abused. In order to further
                  this recommendation and develop a final specification, I welcome your

                  Ian Sacklow, the founder of the Capital District Linux Users Group and
                  Information Systems Manager for Dodge Chamberlain Luzine Weber
                  Associates, an architectural firm with offices in East Greenbush,
                  Plattsburgh and Jericho, New York, co-authoried this white paper.

                  of the Capital District Linux Users Group contributed technical
                  information and fact checking for this article.

                  <p><a class="sdfootnotesym" name="sdfootnote1sym" href="#sdfootnote1anc">1</a>
                  Wi-Fi is short for &quot;Wireless Fidelity,&quot; the nickname for a
                  wireless area network (WAN) complying with IEEE 802.11
                  specifications. Wi-Fi&reg;
                  is a Registered Trademark of the Wi-Fi Alliance. 

                  <p><a class="sdfootnotesym" name="sdfootnote2sym" href="#sdfootnote2anc">2</a>Of
                  course as the state of the art changes, so must any standard be

                  <p><a class="sdfootnotesym" name="sdfootnote3sym" href="#sdfootnote3anc">3</a>One
                  can extend this range in a variety of ways, all fairly technical.
                  300 feet is the default, stock range without modification, and
                  therefore the range I discuss here.</p>

                  <p><a class="sdfootnotesym" name="sdfootnote4sym" href="#sdfootnote4anc">4</a>On
                  a network, a &quot;Trusted&quot; user is given access to sensitive
                  files. An &quot;Untrusted&quot; user may be granted access to
                  certain parts of the network, but not to areas containing sensitive

                  <p><a class="sdfootnotesym" name="sdfootnote5sym" href="#sdfootnote5anc">5</a>
                  New York Lawyer's Code of
                  Professional Responsibility , DR
                  4-101 [1200.19] 

                  <p><a class="sdfootnotesym" name="sdfootnote6sym" href="#sdfootnote6anc">6</a>
                   District of Columbia
                  Ethics Opinion 303, February 2, 2001</p>

                  <p><a class="sdfootnotesym" name="sdfootnote7sym" href="#sdfootnote7anc">7</a>
                   Delaware State Bar Association Opinion 2001-02

                  <p><a class="sdfootnotesym" name="sdfootnote8sym" href="#sdfootnote8anc">8</a>
                   New York Penal Law Section 156.05</p>

                  <p><a class="sdfootnotesym" name="sdfootnote9sym" href="#sdfootnote9anc">9</a>
                   New York Penal Law Section 156.00</p>

                  <p><a class="sdfootnotesym" name="sdfootnote10sym" href="#sdfootnote10anc">10</a> id.</p>

                  <p><a class="sdfootnotesym" name="sdfootnote11sym" href="#sdfootnote11anc">11</a>You
                  change the Router Name to slow down would-be intruders. Router Names
                  provide enough information to attackers to obtain all default
                  information for that WAP. <a href='http://coffer.com/mac_find/' target='_blank'>http://coffer.com/mac_find/</a> is one
                  Website which provides lookups which match Router Names with
                  manufacturer and model number, linking to the manufacturer website
                  which lists that machine's default settings and password.</p>

                  Also in this series…
                  A proposal for Reasonable Wireless Security for law firms

                  A sample network access policy

                  Wifi encryption standards

                  “There’s nothing on my desk worth stealing”

                  …and free hotspots for all