Archive | Technology

Investigating Internet Crimes

Written by experts on the frontlines, Investigating Internet Crimes provides seasoned and new investigators with the background and tools they need to investigate crime occurring in the online world. This invaluable guide provides step-by-step instructions for investigating Internet crimes, including locating, interpreting, understanding, collecting, and documenting online electronic evidence to benefit investigations.

This year I served as technical editor for this excellent book by Todd Shipley and Art Bowker. Cybercrime is the fastest growing area of crime as more criminals seek to exploit the speed, convenience and anonymity that the Internet provides to commit a diverse range of criminal activities. Today’s online crime includes attacks against computer data and systems, identity theft, distribution of child pornography, penetration of online financial services, using social networks to commit crimes, and the deployment of viruses, botnets, and email scams such as phishing. Symantec’s 2012 Norton Cybercrime Report stated that the world spent an estimated $110 billion to combat cybercrime, an average of nearly $200 per victim.

Law enforcement agencies and corporate security officers around the world with the responsibility for enforcing, investigating and prosecuting cybercrime are overwhelmed, not only by the sheer number of crimes being committed but by a lack of adequate training material. This book provides that fundamental knowledge, including how to properly collect and document online evidence, trace IP addresses, and work undercover.

  • Provides step-by-step instructions on how to investigate crimes online
  • Covers how new software tools can assist in online investigations
  • Discusses how to track down, interpret, and understand online electronic evidence to benefit investigations
  • Details guidelines for collecting and documenting online evidence that can be presented in court

Blackhatonomics: An Inside Look at the Economics of Cybercrime

Blackhatonomics: An Inside Look at the Economics of Cybercrime explains the basic economic truths of the underworld of hacking, and why people around the world devote tremendous resources to developing and implementing malware.

The book provides an economic view of the evolving business of cybercrime, showing the methods and motivations behind organized cybercrime attacks, and the changing tendencies towards cyber-warfare.

Written by an exceptional author team of Will Gragido, Daniel J Molina, John Pirc and Nick Selby, Blackhatonomics takes practical academic principles and backs them up with use cases and extensive interviews, placing you right into the mindset of the cyber criminal.

The Russian Software Pirates

Every day here and in dozens of other Russian cities, pirate dealers sell copies of the world’s most popular software titles at $5 per CD-ROM.

Despite fears about the economy, small and medium-sized businesses are flourishing in this elegant northwestern Russian city – and pirated software is installed on almost all of their computers.

Nearly all high-end computer games, Encyclopaedia Britannicas and other educational and reference CDs are distributed through illegal sources.

Bootlegged software use is certainly not limited to Russia. Industry analysts say that 27 percent of the software running on American computers is pirated.

And the Business Software Alliance, which monitors business software piracy, says 43 percent of PC business applications installed in Western Europe are illegal copies.

In Russia, however, the piracy rates are a stunning 91 percent for business applications and 93 percent for entertainment software, according to Eric Schwartz, counsel to the International Intellectual Property Association, a Washington, D.C.-based organization that lobbies internationally on behalf of the copyright industry.

Schwartz said that piracy in Russia costs American entertainment software manufacturers $223 million a year and business software makers almost $300 million. The Business Software Alliance estimates worldwide revenue losses to the software industry from piracy at $11.4 billion.

Under the 1992 agreement with the United States that guaranteed Most Favored Nation trading status, Russia is required to effectively enforce anti-piracy laws, but actual enforcement is virtually nonexistent.

Meeting the Dealers
The dealers, who operate in stalls and kiosks around major transportation hubs or in full-scale markets usually 15 minutes from the city center, offer an enormous range of titles, usually bundled in a form their manufacturers would never dream of.

“That’s Windows 98, Front Page 98, Outlook 98, MS Office 97 SR1 and, uh, yeah, Adobe 5.0,” said Pyotr R., a student at St. Petersburg Technical University, of a single CD-ROM. “On the disk there are files, like ‘crack’ or ‘serial’ or something, and that’s where you’ll find the CD keys,” he said, referring to the codes that unlock CD-ROMs and allow users to install the programs.

Pyotr (who spoke, as did all others interviewed for this article, on condition of anonymity) sold that disk, plus a second one containing Lotus Organizer 97, several anti-virus programs and some DOS utilities, for 60 rubles or about $10.

Another dealer was offering Windows NT 4.0 for $5, and Back Office for $10. According to Microsoft, the recommended retail prices for these products are $1,609 and $5,599.

Many Russians, who during the days of the Soviet Union bought most necessities through black market sources, think nothing of buying their software this way. They even defend the markets as providing a commodity that had been long-denied them.

After the collapse of the Soviet Union, inexpensive computers began to flood into the country from Taiwan, Germany and the United States, increasing the importance of these illegal software markets. Spending at least $800 on a computer was an enormous investment for Russians, even relatively well-paid St Petersburgians who earn an average salary of around $350 a month. Those who did buy one were in no position to consider purchasing software legitimately, even if it were readily available, which it often wasn’t.

These days, though, legitimate outlets for hardware and software are popping up everywhere in Russia; computer magazines offer licensed versions of everything available in the United States and Western Europe, and software makers advertise in the city’s well-established English-language media.

The markets continue to thrive with an alarming degree of perceived legitimacy. Outside the Sennaya Square metro station in St. Petersburg, a police officer approached a pirate dealer (who offered, among other things, Adobe Font Folio and QuarkXPress) and angrily chastised him for not prominently displaying his license to operate the stall. When the dealer complied, the policeman moved on.

Customers feel secure that the pirated copies will work and that belief appears well-founded. Bootlegged titles come with a written guarantee – good for 15 days from the date of purchase – that they’re virus-free and fully functional.

And files on the CDs themselves boast of high-quality, code-cracking techniques: “When so many groups bring you non-working fakes, X-FORCE always gets you the Best of the Best. ACCEPT NO IMITATION!” boasts one.

“There’s a lot of viruses around in Russia,” said Dima V., a system administrator who runs several small company networks in St. Petersburg using bootlegged copies of Windows NT 4.0, “but most of the disks you buy in the markets are clean. The guys are there every day and if they give you a virus you’ll come back – it’s just easier to sell you the real thing.”

Foreigners get in on the action
Russians are not by any means the only people installing the pirated programs. While employees of multinational companies or representatives of American companies would never dream of risking their jobs by violating copyright laws, self-employed Westerners, or ones who have established small Russian companies, have no qualms about doing so.

They also pose a question software manufacturers find difficult to answer: Who would buy a network operating system package for $5,000 when it’s available for $5?

“Nobody,” said Todd M., an American business owner in St. Petersburg, whose 24-PC network runs a host of Microsoft applications that were all bootlegged.

“There’s just no financial incentive for me to pay the kind of prices that legitimate software costs,” he said. “I mean, it would be nice to get customer service right from the source, but we have really excellent computer technicians and programmers in Russia and they can fix all the little problems that we have.”

Customer support and upgrades are just what the manufacturers point to as advantages of licensed software, even in markets like Russia.

“There are enormous incentives,” said Microsoft’s Mark Thomas, “to buying legitimate software, and they start with excellent customer support and service and upgrades. We spend $3 billion a year on research and development and the money that we make goes right back into making products better and better products. The pirates don’t make any investment in the industry.”

And local industry, Thomas pointed out, suffers disproportionately in the face of piracy.

“A huge amount of our resources are put into making sure local industry builds on our platform,” he said. “When a local company creates packages for, say, accounting firms, and somebody can come along and buy it for $5, these local companies can lose their shirts.”

Piracy getting worse
Despite heavy lobbying by industry representatives and government agencies, piracy has worsened. As CD copying technology becomes cheaper, large factories in Russia and other countries, including Bulgaria, churn out copies of software copied by increasingly sophisticated groups in countries around the world, especially in Asia.

Encyclopaedia Britannica wrote off Malaysia as a market effectively destroyed by pirates, who sold 98 out of every 100 copies of its flagship Encyclopaedia three-CD set for a fraction of its recommended retail price of $125. The same disks, which have not officially even been offered for sale in Russia, are readily available in the St. Petersburg markets for $10.

“For Encyclopaedia Britannica, the cost of piracy is millions a year,” said James Strachan, EB’s international product manager. “One hundred percent of the value of our product is an investment in the authority and depth of our content,” he said. “Piracy causes us extreme concern and we do everything we can to root it out and prosecute.”

Todd M., the businessman with the 24-PC network, offers little hope that the situation will soon change in favor of manufacturers.

“With all the problems I have running my business here in Russia, from armed tax police to Byzantine procedures and customs duties, software piracy just doesn’t register with me,” he said.

“It’s the one thing about doing business here that’s somebody else’s problem.”

A sample network access policy

In order to protect our network, computers and the confidential data of our clients, [Firm Name] (the “Firm”) has instituted this Network And Computer Access Policy. We’re protecting against not just the damages and liability created when unauthorized access occurs, but also against viruses and physical damage to our systems.

Introduction
This document sets forth standards which must be adhered to by all employees, contractors and any user granted access to any machine on the Local Area Network (LAN) at any time, whether physically present at the Firm or via remote access.

Failure to comply with the policies set forth in this document will result in disciplinary action, and may result in termination of employment.

Definitions
For the purposes of this document, an “Employee” is any employee, contractor, agent, temporary worker, vendor and any other person in a position to know or obtain information about computers or devices on the LAN.

The firewall is a hardware or software device which protects the ports of computers on the LAN. For the purposes of this document, “Remote Access” shall mean access to the Local Area Network from any location outside the firewall by any method, including but not limited to Virtual Private Network (VPN), dial-in modem, frame-relay, SSH, cable-modem and any other method of accessing the LAN from outside the firewall.

Policy Scope
The Policy applies to any person granted authorization to access any computer or device on the Firm’s LAN (an “Authorized User”). This includes but is not limited to contractors, temporary workers, vendors, sub-contractors, employees, attorneys and partners authorized to access any of the Firm’s computers, locally or via Remote Access, for any reason, including email and Internet or intranet web browsing.

Physical Security
All computers and devices on the LAN must be physically secured when leaving them unattended. All servers must be additionally secured with locking devices such as keyboard locks.

Any notebook or laptop computer, Personal Digital Assistant (PDA), Internet-capable cellular device, Wi-Fi-enabled device or other device capable of connecting via Remote Access to the LAN (a “Mobile Device”) must be secured with a BIOS password and user authentication. Any Mobile Device must run up-to-date anti-virus protection and a properly configured software firewall (see __ below).

Any Authorized User must take reasonable steps to ensure that any Remote Access to the LAN is treated with the same security approach as a connection made within the Firm.

Information Security
It is essential that each Employee be instructed never to tell even the most seemingly innocuous detail about the Firm’s Information Technology (“Sensitive Information”) to a third party. While it may seem inconvenient or rude, all Employees – from temporary receptionist to senior Partner – must treat as suspicious any request from any third party not personally known to that Employee. Private detectives and others who specialize in information retrieval may call several people in a firm, asking each for a seemingly innocuous detail; combined, these details can result in a breach of the Firm’s security. Employees must jealously protect any information about the Firm’s Information Technology, including but not limited to:

  • Never telling a caller any details including but not limited to server names, Internet Service Providers, telephone provider, email server information (including email server name), printer type, computer brand, router type or brand;
  • Never telling a caller the name of your Information Technology specialist, whether that Information Technology person is in-house or contracted;
  • Never telling a caller the name of any Wireless Access Point (WAP) SSID; never confirming the presence of a Wi-Fi WAP;

Any caller not personally known to the Employee who requests Sensitive Information must be referred to the appropriate department head or Partner, without giving such person the name of such appropriate department head or Partner. If such referral is not possible or practical, then the Employee must request from the caller a callback number, to be given to the appropriate department head or Partner, without giving such person the name of such appropriate department head or Partner.

Password Security
All Authorized Users must use strong passwords. Unacceptable passwords include but are by no means limited to:

  • first or last names, or combinations thereof;
  • names of an Authorized User’s children or pets;
  • words found in a dictionary, combinations of dictionary words with a sound-alike digit (second2, etc);
  • use of the words or variants on the word password, admin, update, access, login, computer, terminal, workstation, work, home, etc.

Strong Passwords are a string of at least eight characters of upper and lower case letters and numbers.

Authorized Users should change their password regularly.

No Employee may leave a password written down in proximity to the computer or device which the password accesses.

No Employee may ever provide their login or email password to anyone, including family members.
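
The password rules in this section, expressed as a checker. This is an added example, not part of the original policy: the sample dictionary, the look-alike and sound-alike tables and the names passed in are constructed assumptions, and “variants” is interpreted here as look-alike character substitution.

```python
import itertools
import re
import string

# Words the policy names explicitly as unacceptable (or variants of them).
POLICY_WORDS = ("password", "admin", "update", "access", "login",
                "computer", "terminal", "workstation", "work", "home")

# Constructed stand-in for a real word list; load a full dictionary in practice.
SAMPLE_DICTIONARY = frozenset(
    {"second", "before", "forever", "tonight", "dragon", "summer"})

# Assumption: a "variant" swaps letters for look-alike digits or symbols.
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Assumption: digits that can stand in for a spoken syllable ("2night").
SOUND_ALIKE = {"2": ("to", "too", "two"), "4": ("for", "four"),
               "8": ("ate", "eight")}

TRIM = string.digits + string.punctuation
MAX_EXPAND = 6  # cap on expanded digits so long inputs stay cheap to check


def _spoken_forms(text):
    """Yield text with every 2/4/8 replaced by each word it can sound like."""
    options = [SOUND_ALIKE.get(ch, (ch,)) for ch in text]
    return ("".join(combo) for combo in itertools.product(*options))


def _dictionary_based(password, dictionary):
    """True for a dictionary word, alone or combined with digits (second2)."""
    low = password.lower()
    # Try the password as typed and with leading/trailing digits and
    # punctuation removed, so "second2" and "4ever2024" are both caught.
    candidates = {low, low.strip(TRIM), low.lstrip(TRIM), low.rstrip(TRIM)}
    for cand in candidates:
        if sum(ch in SOUND_ALIKE for ch in cand) > MAX_EXPAND:
            continue  # too many combinations; cannot be a short word anyway
        if any(form in dictionary for form in _spoken_forms(cand)):
            return True
    return False


def check_password(password, personal_names=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy violations; an empty list means acceptable.

    personal_names: the user's first and last names and the names of
    children or pets, supplied by the caller (hypothetical parameter).
    """
    violations = []
    # "at least eight characters of upper and lower case letters and numbers"
    if len(password) < 8:
        violations.append("too_short")
    if not re.search(r"[A-Z]", password):
        violations.append("missing_uppercase")
    if not re.search(r"[a-z]", password):
        violations.append("missing_lowercase")
    if not re.search(r"[0-9]", password):
        violations.append("missing_digit")

    # Undo look-alike substitutions, then keep letters only, so that
    # "P@ssw0rd1" is compared as "passwordi".
    flat = re.sub(r"[^a-z]", "", password.lower().translate(LOOKALIKES))

    if any(len(n) >= 3 and n.lower() in flat for n in personal_names):
        violations.append("personal_name")
    if any(word in flat for word in POLICY_WORDS):
        violations.append("policy_word")
    if _dictionary_based(password, dictionary):
        violations.append("dictionary_word")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [("second2", ()), ("P@ssw0rd1", ()),
               ("DanaOkafor88", ("Dana", "Okafor")),
               ("4Ever2024", ()), ("Kv7pLq2xWn", ())]
    for pw, names in samples:
        print(f"{pw!r:16} -> {check_password(pw, names) or 'acceptable'}")
```

Matching the short words “work” and “home” as substrings is deliberately strict and will reject some otherwise strong passwords.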

Acceptable Use
Authorized Users may access the Internet for Firm business or personal information provided that they:

  • do not jeopardize the security of any Firm or confidential client information which may be present on the computer being used to access the Internet;
  • do not violate any of the Firm’s policies;
  • do not engage in illegal or prurient activities;
  • do not engage in outside business interests;

Wi-Fi Security
Any Wi-Fi Access Point (WAP) must be configured to comply with the four-step Proposed Standard of Reasonable Wireless Network Security in Law Firms available at http://www.delmaropensource.com/standard.htm. This proposed standard provides four steps to securing a WAP:

  • Changing the WAP defaults (administration password, router name, router IP address, SSID name, etc);
  • Encrypting the signal using the best available encryption method, in order from most to least desirable, WPA2, WPA, 128-bit WEP;
  • Requiring VPN access into the LAN from anywhere outside the Firewall;
  • Implementing a written access policy, such as this one

Wireless (Wi-Fi) Access
Any access to any computer or device on the LAN behind the firewall must be via VPN. Any Authorized User accessing the LAN via VPN from their home or other WAP (a “Remote WAP”) must apply all four steps above to the Remote WAP.

Remote Devices
Any Employee using any Remote Device must ensure that such device is updated with the most recent security patches for their Operating System.

All machines on the LAN and any Remote Device must run current versions of anti-virus software with regularly updated virus definitions. Note that new viruses are introduced every hour; “regularly updated virus definitions” means, at a minimum, once each week. It could be argued it is reasonable to update every 24 hours.

Any Remote Device must be running a properly-configured firewall program such as Zone Alarm or Computer Associates eTrust. Users at a public hotspot must be aware that, if such Remote Device is not running a firewall, a malicious user can gain access to the Remote Device and install software or remove files from the Remote Device’s hard drive.

Any Authorized User using a Remote Device outside the firewall must use the VPN to send and receive Firm email. No Firm email may be sent using third-party email services (including but not limited to gmail, hotmail, etc).

Any Authorized User accessing any computer or device on the LAN for remote management or administration must use SSH or VPN. For remote file transfer, SCP, SFTP or VPN must be used. Under no circumstances shall Telnet, FTP or other un-encrypted access method be used.

No Employee using any Remote Device shall access the LAN while connected to any other network, except a personal network over which such Employee has complete control.




There’s Money In Them Thar Parts

When you find your 14 year-old son in the middle of the living room with a guilty look on his face, a screwdriver in his hand and your nifty new UMTS cell phone in a million pieces on the floor, hold off on blowing up for a second – the pieces you see represent the achievements of some of today’s greatest European start-ups. And there’s opportunity in them thar parts.

“We make the software that runs OC layers one through three of the handset,” said Clifford Dong, CTO at Zesium, a Munich start-up that last year received a seed investment of €2 million from 3i. He’s referring to the “seven layer” stack concept which includes level 1, the ‘physical layer’ which actually sucks and blows bits into the airwaves; layer 2, responsible for guaranteeing the safe delivery and receipt of data, and layer 3, which deals with what data will be transferred along with mobility management, radio resources and call control.

3i says that because Zesium’s business is personnel, not finance, intensive, they don’t expect to have to sink any further money into Zesium any time soon – even though the company is making extraordinary headway and faces little competition to date. “They have very specialized know-how,” said Peter Boehringer, investment manager at 3i, “and there are several large manufacturers who would rather buy the software than build it, and Zesium is very good at building this software.”

Some larger handset manufacturers, Boehringer said, are committed to building it themselves, but Boehringer thinks that those companies might not have the manpower they would like, and therefore even they might end up at Zesium’s door. “We’ll just build it and see what happens,” Boehringer said.

VCs say that this kind of guts-building is exactly where small start-ups can benefit best from the spending frenzy as European telcos prepare to invest what Commerzbank estimates will be €87.5 billion over the next four years and a total of €175 billion over ten years.

“We see a trend,” said Max Oppersdorff, Vice President of EM Warburg Pincus in Munich, “that hardware vendors are acting more like general contractors. The major part of what they supply they make in house, but they’re trying to buy from third parties that are out on the edges of advanced technology where perhaps the vendors are not as advanced – and sometimes the customers themselves are even demanding this.”

Much of the spending flurry will be focused on issues of infrastructure, and while much of the backbone and base station action is likely to be taken up by the Nokias, Lucents and Ericssons of the world, there are literally dozens of niche areas in which small, independent and fast moving technology companies can move in and own the space.

Take, for example, base station amplifiers. The frequency and bandwidth used by the next generation of mobile phones pushes the envelope of the specs of existing base station transmitter equipment, and there is an enormous and immediate need for more efficient linear amplifiers. Amps, in the boxes at the bottom of base stations, currently require fans and other cooling technology, and must be constantly monitored. The infrastructure cost associated with all this coddling can add up.

“Telecoms spend tens of millions of pounds in any year on electricity,” said Dave Cheesman at Advent Venture Partners, “and a lot of that goes to wasted power in amplifiers.”

Advent is backing, along with Deutsche Bank and 3i, a company called Wireless Systems, which makes a range of patented, next generation, wide-band linear, high efficiency amplifiers. Wireless just closed its third funding round for $23 million.

Opportunities Everywhere
New hardware and software technologies – or even new applications of existing technologies – are also absolutely essential. Squeeze any portion of the mobile world and an opportunity just might pop out: the next generation of mobile phones, and their increased bandwidth, means that handset range given the available power will decrease. To combat this, handsets require far more efficient antennas in order to provide services without sucking dry batteries in the dialing process.

Consider, too, the humble handset. The amount of technology crammed into those tiny little buggers is astounding: aside from the chips, switches and other hardware, today’s typical handset already contains around 2MB of code. That is expected to quadruple in size as mobile devices become more complex.

Or ponder the very deployment of base stations. New generation mobile cells will be smaller, and therefore more will be required. Companies that make a new generation of network planning software will be of intense interest to telecoms looking to maximize the efficiency of physical placement of base stations, and even the angle at which to point the antennas to squeeze every gram of coverage possible out of the new systems.

Even backlighting technology is being reconsidered: Advent’s Cheesman says that current systems, which use light emitting diodes (LEDs) and molded acrylic light guides to sorta shove the light where it’s needed, are less than perfect. “They use lots of power and don’t supply even lighting,” said A. Kianin, Technical Director for Elumin in Wales. Elumin uses electro-luminescent material for a range of applications, from private jet refurbishments to escape lighting on aircraft, to night vision devices and, of course, mobile telephone handsets.

EL’s nothing new in the world, but it is relatively new to handsets. It uses a light-emitting phosphor sandwiched between layers of insulation and conducting electrodes which are then laminated together. The result is a light that can produce various brightness with negligible heat. Advent has recently invested more than €2.5 million into Elumin, which, Kianin says, expects to begin production for “a big company” of their backlighting products as early as November.

Germans Flip Over Tax Reform (In A Good Way)

German business leaders are euphoric over a tax overhaul that lets them redirect investment once tied up in other German companies, and funnel it into high-growth sectors like high-tech. But there is growing concern among German retail investors that the package, introduced by the German government after years of debate, may pose more questions than it answers.

The tax scheme, expected to reduce German tax receipts by almost DM60 billion by 2005, includes a provision that removes corporate long-term capital gains taxes. This ends the post-war German tax regime which effectively required German companies to hold stock in one another.

Business leaders hail the long-debated reform, and are almost counting their earnings already from investments in euro-dot.coms and high-tech ventures. But according to an n-tv poll published in the Abendzeitung, 51% of Germans surveyed said they felt that the tax package would hurt, not help them, despite a personal income tax cut for both low and high income earners.

Some labor leaders worry that a mass shift of funds by banks and insurers away from more esoteric or even merely poorly performing holdings and into industry consolidation and mergers and acquisitions could threaten German jobs, and the decades-long peace between German industry and labor unions.

But business leaders insist that freeing up their investment capital will allow them to invest in high growth sectors. “This decision increases strategic development for German corporations,” said Stefan Radloff, Senior Vice President Accounting & Financial Controlling, for Infineon Technologies, “However, we do see further discussion necessary regarding individual points of the decision, particularly within the area of corporate income tax law and tax write-off regulations.”

The funding from capital gains “will allow companies to focus on their core competencies,” said Peter Klostermeyer, senior analyst at VMR, “German old economy companies, for example, in steel and mining, already have in place an IT business or Internet division, so they’ll probably take money out of cross-investments and use it to build up and possibly spin-off these divisions.” The value-adding investments would garner the attention of investors and increase stock prices.

Cross-Holding
Cross-holding was introduced after WWII as a means to promote consensus among German corporate management, which had to maintain holdings in diverse industries – such as insurance companies investing in tire manufacturers, construction firms and banks. The velvet hammer of compliance with this system, widely credited with smoothing the course of the German Wirtschaftswunder – economic wonder – was that corporations would be hit with earth-shattering capital gains taxes should they sell their cross-holdings.

All that changed when the compromise, a mainstay of parliamentary debate in Germany since before the Kohl era, was passed.

German Business Ready To Rock
Though the Financial Times has reported that Deutsche Bank Chairman Rolf Breuer plans aggressive divestment of Deutsche Bank’s estimated €23 billion in industrial holdings (including DaimlerChrysler and until last month, insurance group Allianz), Breuer has made clear the bank “…will try to avoid overcrowding the market with potential sellers. We will have to do it smartly.”

Banking analysts also believe that the odds of a fast-paced sell-off are slim. “As far as I can see, this will encourage some divestiture, but on balance I think this issue may be overblown,” said an analyst at Commerzbank. “Banks have really enjoyed the earnings smoothing capacity of these cross holdings, which has allowed them to realize profits that can offset costs such as restructuring – without this, the volatility in the German banking climate over the last few years would have been very significant. And dumping the shares would dilute the price, and banks aren’t dumb.”

Analysts also say that in addition to pure financial motives that would encourage a steady and slow sell off as opposed to a rapid money move, there is also a very real sense of tradition.

“These are legacy positions,” said the Commerzbank source, “and there are some very strongly-held views that these are the family shield, so you won’t see a wholesale sell off within a short space of time, but rather a slow, gradual process.”

But the overhang – the market’s sense of “waiting for the other shoe to drop” on releases of chunks of stock – may in itself provide downward pressure on German stock prices over the long term.

Changing Insurance Landscape
For the insurance industry, at least for insurers with large portfolios, the newly found freedom from cross-holding would seem to be an equal shake. While German companies in other industries will surely divest themselves of some of their insurance holdings, German insurers will be free to consolidate further within Germany as well as to expand across European borders.

“This won’t mean any immediate change in ratings,” said Karin Clemens, Associate Director at Standard & Poors, “but this will speed up the consolidation process within the German insurance market. And it would mean opportunities to broaden. For example, Allianz can’t further expand in Germany, so we would expect them to try to build their positions outside Germany – but we also expect further that it will allow foreign insurers the chance to get in to the German market.”

Labor Unions
Some have expressed concern that shifting capital out of certain sectors could threaten German jobs, and the peaceful relations between industry and labor unions that have been a hallmark of the German post-war success.

“We support the tax reform package in general, and think it is good for Germany and for Europe,” said Claus Eilrich, a spokesman for IG Metall, Germany’s largest labor union, “but we have some problems with the corporate capital gains cut. Germans must pay a tax for everything, so we question why large corporations should get what amounts to a present from the government – this even took the insurance and banking industries by surprise.”

Personal Income Tax
The German plan also provides a healthy tax cut for the wealthy, and much smaller cuts for middle and lower income earners. Some believe that this “supply-side” approach creates an unbalanced economic model, but German economists feel confident the mixture is a prudent one.

“That supply-side issue is always a problem,” said Rudiger Parsche, Expert for Financial and Tax Matters at Munich’s IFO Institute for Economic Research, “but I think this package has a good mix, reducing tax rates significantly and increasing the minimum amount of tax free income to DM15,000 by 2005. So taken altogether we suppose that the package will also increase the demand side.”

Visiting The Front Lines

The future is wireless, or at least that is what Nokia, Ericsson and a host of startups and network operators are earnestly hoping. But the quick success of 3G – The Third Generation of mobile telephony – is more than profitable icing for these companies; it has now become a matter of survival….

This article, which ran in the February, 2001 issue of Tornado Insider magazine, looks at the overall climate in European development of 3G, and then explores how each of Europe’s largest telecom networking manufacturers, Ericsson and Nokia, is coping with the challenge.

…………………………………………………….

For some time, both Ericsson and Nokia have vigorously embraced the role of global industry hothouse by developing new divisions and enhancing old ones to deal with the 3G challenge. But it is about more than money.

“For a fraction of what the operators spent on 3G licenses, they could buy 10 application startups to help with rollout,” says Martti Malka, a partner in Nokia Venture Partners, which is independent from parent Nokia. “It’s not the money; it’s the business model, and the successful operator is going to look to third parties to come up with the innovative business propositions.”

Resources for innovation, too, are only part of the problem. Ericsson has established itself as a curious anomaly. The heavily bureaucratic, press release-driven monolith commands a sensational ability to introduce and gather support for industry-wide protocol initiatives, like Bluetooth and OSGI, its home gateway protocol. Nokia, meanwhile, has made huge progress in end-user customer loyalty through its desirable handsets, capturing 30 percent of the worldwide handset market. Nokia is claiming great gains in GPRS and 3G networking contracts as well.

Nokia and Ericsson realize that in order to give their customers, the operators, the return they’re demanding, they must aggressively court small startups working on applications, services, and hardware for 3G. They’ve partnered with VCs for some, and will continue to do so for others. They have also spent considerable time and money making sure that when 3G rolls out it will live up to the hype.

Enter the startups
“We know we have to develop this market and the key issue is getting the right applications,” says Bengt Larsson, marketing manager for Ericsson Business Innovations (EBI), an independent subsidiary of Ericsson. “It’s not until we have the applications on board that we will see the 3G market take off.”

Nokia Venture Partners, with $500 million under management, concentrates on early stage mobile Internet companies, and looks specifically toward those creating enabling technologies. A perfect example is AVS Technologies, an Espoo, Finland, company whose MVQ (motion vector quantization) method is a high-end video compression and transfer technology that compresses video streams 10 times more effectively than RealPlayer or Windows Media.

For its part, EBI, as well as main divisions of Ericsson such as its Mobile Location Services, work closely with small startup companies developing applications that would eventually work with an Ericsson 3G network. For instance, Ericsson Mobile Location Services works and co-markets with It’sAlive, a startup games-maker funded by Speed Ventures in Stockholm. It’sAlive just rolled out its first product, a location-based game called BotFighters, in which SMS messages appear when opponents are in firing range.

BotFighters is currently running in Sweden on regular public networks. “Ericsson would welcome any application developer who would like to try out a 3G application to come and use it on our demo network in Kista. It’s one of the few places in the world where you can actually test 3G applications in a practical environment,” says EBI’s Larsson.

The first step taken by application startups is a visit to the Ericsson and Nokia developers’ websites, which allow any company to register to receive technical specifications, assistance, emulators, and limited access to the developers’ community for the particular product in which they’re interested. Companies that push past that point and go for a more formal partnership, like It’sAlive, are given co-marketing support and access to live research and development projects, not out-of-the-box technology.

While Ericsson and Nokia are both taking to their roles with gusto, developing deals with laundry lists of third parties from startups to global players, there are subtle differences in their approaches. The following profiles look at the efforts by each of the vendors, and compare and contrast their approaches.

Dell? He’s All Wrong In Europe…

To hear Hermann Oberlehner tell it, Michael Dell has got it wrong in Europe. “We’ve looked at this very carefully,” he said, “and in Europe outside the U.K., the Dell model just won’t work.”

This statement might ordinarily be dismissed as having come from a jealous also-ran. But Oberlehner is founder and chief executive of Gericom AG, based in Austria, which has quietly become the leading vendor of personal notebook computers in Germany. Last quarter, Gericom shipped 111,000 units in Europe, beating out such heavyweights as Dell Computer Corp., Toshiba Corp., International Business Machines Corp. and Acer in Germany.

In Europe overall, Gericom is the No. 5 vendor in mobile computing, according to International Data Corp., with a 9 percent market share.

“They are a very aggressive vendor in the consumer portable market, with a very strong focus on the lower-end consumer market,” said Stefania Lorenz, senior analyst for European personal computing at IDC.

But Oberlehner said he realized in the mid-1990s there was a hole in the European mobile computing space. As manufacturers struggled to make ever-slimmer notebooks for the lucrative corporate market, consumers were being left behind.

Gericom discovered that, with modifications, cheaper Intel Corp. chips designed for desktop computers would work in notebooks. While the company had initial quality control problems and a high rate of return – some say as high as 30 percent – new heat dissipation methods were employed, and the problems were worked out.

“Where before everyone had thought ‘smaller,’” said Ranjit Awtal of Gartner Inc., “Gericom asked, ‘Just how much mobility do you need to move your computer from the kitchen to bedroom?’

“They took risks when other vendors were reluctant. By providing a cheaper, slightly heavier and less mobile PC, Gericom actually paved the way for much of the mobile growth in the European home market today.”

By about 1996, Oberlehner, looking to cut costs and frankly tired of contending with retailers, took a hard look at Dell’s U.S. mail-order business and seriously considered emulating it in Europe.

“We tried to compete using the Dell model here in Europe,” said Oberlehner, who established Gericom in Linz in 1991, “but we discovered that we just didn’t need to – in fact, that it just wouldn’t work here.”

Of course, Dell has been doing just fine in Europe, with about 10 percent of the overall PC market, trailing only Hewlett-Packard Co.

Oberlehner believes that on the Continent, the customer’s buying experience differs drastically from that in North America. In Europe, customers prefer a more intimate sales environment, and they trust that salespeople have experience with the machines they proffer. The selection process is heavily geared toward comparison shopping by cost, brand and features, especially local-language and culture-based add-ons.

This, Oberlehner said, is unlike the experience in North America and Britain. “Americans are poor computer buyers,” he said. “They don’t look at specs – they look at the brand, the size, and buy. Dell works so well because the entire American retail system is set up with enormously costly pitfalls.”

Since no one cares about the specs, the logic goes, the sales team does not need – and often does not have – much information. Customers buy the name, and when they have a problem or the machine does not do something they need it to, they can bring it back to the retailer because of the generous U.S. return policies.

Oberlehner says that while profit margins in the United States are higher than in Europe, so are costs. So Oberlehner stopped looking at retailers as adversaries and began seeing them as a symbiotic necessity: Where the retailers can provide marketing access to a customer base, Gericom can get the product quickly to market. As long as Gericom is willing to move quickly and provide post-sales support and service, the model works, he says.

But to succeed, he said, you must be willing to take razor-thin margins and produce using small teams working around the clock. Gericom, which outsources much of the assembly-line production of its notebooks to the Taiwan-based assembler Uniwell and some other Asia-Pacific companies, employs fewer than 300 people in Austria.

Gericom’s home-turf advantage also means that it can, for example, ship 7,000 units overnight to the main distribution centers for leading European retailers such as MediaMarkt, Lidl, Carrefour or Dixons without breaking a sweat.

And relying on local sales support and marketing initiatives rather than trying to centralize or even regionalize means that local buyers feel that the machines cater to them – whether the brand name on the box is Gericom, Gerico, a Dixon line or something else.

“We can’t possibly compete with big vendors in the corporate market,” Oberlehner said, “where you have multinational needs. But likewise, the multinationals can’t compete with us in providing local support and computers that local people need. It’s not a question of price; it’s a question of tuning the products to meet the needs of each local market.”

Gericom keeps its focus on mobility. It was the first notebook maker to introduce a GPRS-enabled notebook computer, and it followed up with partly “ruggedized” notebooks aimed at the upper portion of its lower-end market.

Looking ahead, Oberlehner is counting on an “enormous potential” for replacing desktop computers with laptops in Europe. He cites research that says that fewer than 60 percent of German households own a computer, for example, and of those, only 15 percent have a laptop.

A proposal for Reasonable Wireless Security for law firms

It’s just past 8.30 am on a busy Tuesday. A five-person legal team
has just arrived to work with your firm on that big case. For the
next four days, these five lawyers will be camped in your conference
room. And their first question is, “How do we get Internet
access?”

[Ian Sacklow co-wrote this white paper]

At many small and mid-sized firms in the US, the answer is increasingly, “We’ve got Wi-Fi.” [1] A Wi-Fi Access Point (WAP) allows your computer or personal digital assistant (PDA) to connect to the Internet, or a computer network, at high speed, without wires (see sidebar).

Wi-Fi lets your clients use the Internet or access their corporate
network. It allows your partners, associates and interns access to
the web and your Local Area Network (LAN) from the library or
lunchroom – or the coffee shop across the street.

In the immediate future, lack of a Wi-Fi connection to the Internet will be as disruptive to a law firm as the lack of an Internet connection, or a mobile phone.

As we adopt new technologies, no matter how revolutionary or wonderful they may be, we must not be reluctant to address their vulnerabilities. An improperly or incompletely configured WAP has vulnerabilities. Fortunately, there are inexpensive and easy-to-employ safeguards against many of them.

Executive Summary
This article is intended to provide attorneys and support staff with
an overview of Wi-Fi, and the challenges they face as they maintain
the confidentiality of client documents and information in a wireless
network setting. This article proposes a standard comprising the
steps which law firms should take to reasonably prevent intrusion
into their LAN via their WAP, and thereby protect the confidentiality
of their clients’ information.

The article is geared towards those in the many law firms which don’t have full time Information Technology (IT) departments, or formal computer training. The steps suggested do not provide a guarantee against unauthorized intrusion. They do provide a reasonable amount of security at reasonable expense [2].

When it comes to a lawyer’s duties to maintain confidentiality, I’ve been told there has been no landmark ruling about what are reasonable measures to protect client data across a WAP. A poorly configured WAP can expose your clients’ confidential information. Unless you wish to be the test case to establish that standard, you should establish and maintain reasonable levels of security when deploying a WAP.

It is submitted that the steps I propose are reasonable, and it is hoped that they would therefore be adopted as a standard to be followed and provide a safe harbor for law firms seeking to protect the confidentiality of client information in a wireless network setting.

The proposed standard includes four steps to protect and encrypt the
traffic on the WAP. Any WAP not so protected shall be considered to
be an “Open WAP.”

The proposed standard also includes a written security policy covering:

  • WAPs in the office
  • WAPs at the homes of those with remote-access authorization to the
    firm’s local area network
  • Computers which contain client data and access publicly-accessible
    WAPs (at coffee bars, airports, Bar Association Libraries, etc.)

Wi-Fi: An Indispensable Tool

  • Wi-Fi is everywhere, and it’s no fad.

There were more than 10 million WAPs in US homes by the end of 2004, with an expected 14 million by the end of 2005.

At coffee bars, restaurants and offices throughout the world, you’ll see people working on Wi-Fi-enabled devices like notebook computers. Publicly-accessible WAPs, known as Hotspots, are provided in scores of cities to encourage Internet use. Many Hotspots provide the Internet access at no cost, to encourage foot traffic.

Other Hotspots, such as those at most Starbucks, Barnes and Noble,
Borders and Kinkos locations, charge access fees for Wi-Fi – about
$1.30 a day for a monthly subscription.

WAP Overview

  • The vast difference between connecting via Wi-Fi to the Internet, and connecting via Wi-Fi to your LAN is an important distinction.

Components comprising a Wi-Fi network work in much the same way as walkie-talkies and a base station. When you set up a WAP (sometimes also referred to as a “Wireless Router”), you are broadcasting a radio signal to the area within a radius of up to 300 [3] feet from the WAP. By default, anyone with a mobile device equipped with a Wi-Fi transceiver (“Wi-Fi Adapter”) can detect this signal and request a connection. When the WAP recognizes the request, by default it assigns to the requesting device a unique identifier (an “IP Address”) which permits the WAP and mobile device to communicate. Once this connection has been made, the mobile device is granted access to the network to which the WAP is connected.

Most people connect the WAP to a high-speed Internet connection. Once a mobile device is connected to such a WAP that device can access the Internet.

Some people also connect the WAP to their Local Area Network (LAN). Your LAN is the network of computers which contain your data and client information. LAN access must be protected by a firewall, which prevents unauthorized communications originating outside the LAN from getting in.

For reasons which will be made clear below, I highly recommend that anyone accessing your LAN from anywhere outside the firewall – be it through your WAP, their home computer or network (wired or wireless) or a public Hotspot – do so through a Virtual Private Network (VPN). A VPN creates a “tunnel” through which your data is transported, cryptographically encrypted, through the firewall and on to the LAN.

VPNs are the number one thing people should be doing. A VPN lets trusted [4] users be as productive as possible. Even if an unauthorized user gets on to your WAP, you can keep him locked out of your LAN.

The proposed standard therefore requires that you place the WAP outside your firm’s firewall. By creating a “demilitarized zone” (DMZ) which is inside the WAP but outside the firewall, you grant wireless Internet access via your WAP, while only Trusted users may access the LAN, through the VPN.

Unless you intend to offer public Internet access (which you might,
see below), then you must also protect your WAP with encryption and
an authentication scheme, which requires user name and password, to
help keep unauthorized users out. While less important than
protecting your LAN, protecting your WAP from just anyone getting
Internet access can be important as well (see sidebar).

What’s Your Responsibility?

  • Connecting an Open WAP to your firm’s LAN is literally as unsafe
    as placing your client files in an unlocked file cabinet in the
    center of a city street.

Lawyers in New York State mustn’t knowingly “… reveal a confidence or secret of a client”, and “…shall exercise reasonable care to prevent … employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidences or secrets of a client.” [5]

An Open WAP is a Hotspot – a publicly shared computer network open to anyone, anywhere within 300 feet. In 2001, the DC Legal Ethics Committee stated it is “…impermissible for unaffiliated attorneys to have unrestricted access to each other’s electronic files (including e-mails and word processing documents) and other client records. If separate computer systems are not utilized, each attorney’s confidential client information should be protected in a way that guards against unauthorized access and preserves client confidences and secrets.” [6]

The Delaware Bar opined that client confidentiality is broken when a lawyer “should reasonably anticipate the possibility that his or her communication could be intercepted and confidences disclosed.” [7]

An irate client whose opponent became aware of embarrassing information via such an interception might well make the argument that maintaining an Open WAP doesn’t protect his data in a way that guards against unauthorized access and preserves client confidences and secrets.

Protecting the confidentiality of client information on an Open WAP is impossible. Cheap and simple steps can solve this problem.

Criminal Liability of Accessing a ‘Public’ Hotspot

  • You cannot rely on existing laws to prosecute “unauthorized” WAP
    access. It is difficult to determine how a user becomes authorized
    to access a WAP, and there’s no common mechanism by which to post a
    notice that he is not.

In early July, 2005, police in St Petersburg, FL, arrested Benjamin Smith III for accessing a residential WAP and connecting to the Internet – from his car. Smith was charged with unauthorized access to a computer network.

He might get off. Who’s to say it was unreasonable for Smith to assume what he did was Kosher? The WAP he used was wide open. With the proliferation of Hotspots, who can say whether a person can reasonably infer an Open WAP is intended for public use?

Under current New York law, it is illegal to intentionally access someone else’s computer, computer network or equipment without authorization to do so where such computer or equipment “…is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer or computer system.” [8]

The New York Penal Law also attempts to define “authorization” by providing that, to establish authorization, one must either:

(i) give actual notice in writing or orally to the user;

(ii) prominently post written notice adjacent to the computer being utilized; or

(iii) provide a notice that is displayed on, printed out on or announced by the computer being utilized by the user [9].

Significantly, the Penal Law also provides for a presumption that notice of such authorization is given where “the computer is programmed to automatically display, print or announce such notice ….” [10]

Scott R. Almas, who was instrumental in developing the business and
technology model to implement many of the Hotspots throughout
downtown Albany, New York, is a technology attorney at the law
firm of Lemery Greisler LLC. While Almas does not endorse the
unauthorized use of open WAPs, he points out significant problems
with New York’s law when viewed against the practical reality of the
proliferation of Open WAPs.

“I am particularly troubled,” Almas said, “by how a user is supposed to know whether or not the owner of the Open WAP is authorizing use of the access point where the owner broadcasts to the world the presence of the access point and takes no steps to secure it. By the very nature of WAPs, there is no reasonable way to post or provide oral notice, and it can be difficult to interpret from the broadcasted name of the access point whether authorization is intended.”

“In light of the fact that protecting the WAP is free, simple to do, and
strongly recommended by the access point manufacturers during the set
up process,” Almas said, “I believe anyone who sets up a
WAP and does not follow the advice to install even the most basic,
minimal safeguards should be presumed to be providing authorization
to access the Open AP for otherwise lawful Internet use.”

“The presumption should not,” adds Almas, “extend to authority to access information on the WAP owner’s LAN, or other illegal or harmful activities.”

Oops. Was That Your WAP?

  • If a mobile device automatically seeks and connects to a WAP, then
    accessing an Open WAP needn’t even be intentional.

Most new notebook computers ship with the Microsoft Windows XP or Macintosh OSX operating systems, and are equipped with internal wireless adapters (see sidebar). If the wireless adapter is switched on, the notebook will seek, and attempt to connect with, WAPs – even before the screen comes to life.

People set their notebooks to connect to any available network, so the onus is on the owner of the WAP. I would think that if your WAP offers credentials to enter – such as an IP address – a user might reasonably think that they’ve been granted access to your WAP.

And New York Penal Law Section 156.50 provides a defense for persons who had reasonable grounds to believe that they had authorization to use the computer. Therefore, unfortunately, the issue will likely be left for the Courts to decide whether such a presumption exists and is applicable in any given case.

Attorneys and the public must properly frame these issues and arguments, so that the Courts can properly interpret and apply the law.

Determine Your Needs

  • You can protect your LAN while providing public access to your
    WAP and the Internet – so long as you configure your WAP properly.

Lemery Greisler, Almas’ Albany, New York law firm, provides a Hotspot to afford anyone in the area free access to the Internet. By giving pedestrians a good reason to mill about, this is a fine goodwill gesture towards local businesses at low cost.

That’s a perfectly reasonable thing to do, so long as you reasonably ensure (as did Lemery Greisler) that it is difficult for strangers to access your LAN from the Hotspot. They placed the Hotspot outside their firm’s firewall, thereby providing a public service at little risk to their own network.

It’s important that you, too, determine what you want your WAP to do, and deploy it properly.

Don’t Panic … But Set A Policy

  • A clearly communicated and strongly enforced written policy
    governing remote network access is essential.

A written wireless data security policy is vital in any environment; in a law firm, the lack of one could be expensive, embarrassing and time-consuming. It could create civil liability – and even criminal liability (see sidebar) – for the firm.

All people in the firm must be made aware of the policy, no matter their position: it does you no good to take steps to increase security if your receptionist or even a junior associate tells a caller information about your WAP and network. This happens far more often than you’d think. Specifics on what the policy should cover are listed below, within the proposed standard.

Everybody’s Not Doing It

  • If you haven’t locked down your firm’s WAP, you’re not alone. This
    problem is widespread and international.

In March, 2005, data protection company RSA Security reported that a survey it commissioned from netSurity found more than one third of wireless business networks in four major cities were unsecured – 38% of businesses in New York, 35% in San Francisco, 36% in London and 34% in Frankfurt.

Those numbers are about right – a safe, if not conservative, figure. It’s analogous to a car, which comes with locks built right in to the doors, but it’s up to you to depress the lock button.

From Elite Geeks to An Unruly Mob

  • One no longer needs to be a gifted programmer to be a successful
    intruder.

Cracking WEP, the lowest form of Wi-Fi encryption, is increasingly trivial (see sidebar), and attorneys must never entrust WEP – no matter how large the bit-size – to be the sole means of protecting a LAN.

The popular image of a “Hacker,” as a young, pale-skinned male perched behind a complex computer using arcane tools to penetrate computer systems is dated.

Hacking, password- and encryption-breaking tools have become ubiquitous, sophisticated, simple to use and are totally free to download from the Internet.

PROPOSED STANDARD

A determined intruder with the right tools will get in no matter what you do – nothing offers 100% security or guarantees, but you should employ the best security you can install and maintain without unreasonably disrupting productivity. Take all reasonable steps to secure client information on your LAN with a well-configured firewall.

If you merely wish to allow Trusted users wireless Internet access, securing your WAP can likely be done by Dan – that geeky intern who likes Star Trek. It can take as little as 15 minutes, and can cost nothing: if you’ve got a WAP, you’ve almost certainly got the hardware needed (and if you don’t, you can spend as little as $40 to get it).

If you wish to allow the WAP to also grant LAN access, and you don’t have an IT person in-house, you might buy a combination VPN/WAP for as little as $149 (see sidebar). Otherwise, you may need to hire an outside consultant or installation specialist for a few hours’ consultation or work to set up the VPN.

Four Main Steps

Because Linksys is the most popular WAP maker, examples below refer to Linksys products; your WAP’s instruction manual contains specific How-Tos and instructions to do all the following. All brands provide similar steps and menus, and all use the same terminology.

STEP ONE: CHANGE THE DEFAULTS

The simplest solution for a range of common problems raised by WAPs is to change the default information on the WAP itself. This is accomplished by opening a web browser and surfing to the IP address of the WAP device.

First go to the Setup Page:

  • Change the Router Name [11].
  • Change the last two fields in the WAP’s Local IP address to
    something other than what’s there. Reasonable entries include
    192.168.11.1 or 192.168.0.25.

Next, go to the Wireless Basic Settings Page. The Service Set Identifier (SSID) is the name of the wireless network your users will connect to. By default it is set to “Linksys.”

  • Change the SSID to something non-descriptive – not your firm’s
    name. While the concept of security through obscurity is not to be
    solely relied upon, choose for your SSID something obscure, like
    B3QXR25.
  • Then, disable the SSID broadcast, so it won’t be readily visible to
    users who don’t know that the WAP is there (though “war-drivers”
    – people who drive around looking for Open WAPs – might see it.
    Yes, there’s a war-driving subculture).

STEP TWO: CHANGE THE ADMINISTRATIVE PASSWORD

A hacker, using the default username of (nothing) and the default password of “admin” can take over your WAP and lock you out. In the Administration page:

  • Set a new, hard-to-guess administration password, using at least an
    eight character string which is not a word found in a dictionary,
    and which comprises upper and lower case letters and numbers.

STEP THREE: ENCRYPT THE SIGNAL

Use the best encryption method you possibly can, preferably WPA2 (see sidebar). If WPA2 is not available, then deploy, in descending order of preferability, either WPA or WEP. If you absolutely must use WEP, use 128-bit encryption – which takes a bit longer to crack than weaker versions of WEP.

STEP FOUR: VPN INTO THE LAN

You absolutely, positively may not allow access to your LAN through the WAP except with the use of a VPN.

Because the VPN’s authentication is vastly more secure than Wi-Fi’s and encrypts all data between the client (that’s your notebook computer or PDA) and the LAN, it helps ensure that anyone gaining access to the LAN is authorized.
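The four steps above can be checked mechanically once a WAP's settings are written down. The following is an added example, not part of the original white paper: the `WapConfig` record, the factory router name and local IP, the tiny word list, and the choice to treat every unmet step item (and WEP below 128-bit) as making the device an "Open WAP" are assumptions made for illustration; it audits a WAP meant for Trusted users, not a deliberately public Hotspot.

```python
"""Audit a WAP's settings against the article's four-step proposed standard."""
from dataclasses import dataclass

# Factory values. Only the SSID "Linksys" and password "admin" come from the
# article; the router name and local IP are assumed for illustration.
FACTORY = {"router_name": "WRT54G", "local_ip": "192.168.1.1",
           "ssid": "linksys", "admin_password": "admin"}

# The article's order of preference, best first.
ENCRYPTION_RANK = ["wpa2", "wpa", "wep128", "wep64", "none"]

# Tiny constructed word list standing in for a real dictionary file.
DICTIONARY = {"password", "attorney", "lawyers", "linksys", "baseball"}


@dataclass
class WapConfig:  # hypothetical record of what the WAP's setup pages show
    router_name: str
    local_ip: str
    ssid: str
    ssid_broadcast: bool
    admin_password: str
    encryption: str              # one of ENCRYPTION_RANK
    lan_reachable: bool          # can a WAP client reach the firm LAN at all?
    vpn_required_for_lan: bool   # is the VPN the only path from WAP to LAN?


def password_problems(pw):
    """Step two: 8+ characters, not a dictionary word, upper + lower + digit."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    if not any(c.isupper() for c in pw):
        problems.append("has no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("has no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("has no digit")
    return problems


def audit(cfg, firm_name):
    """Return (verdict, findings); each finding is (step, level, message)."""
    findings = []

    # STEP ONE: change the defaults.
    if cfg.router_name.lower() == FACTORY["router_name"].lower():
        findings.append((1, "fail", "router name is still the factory value"))
    if cfg.local_ip.split(".")[2:] == FACTORY["local_ip"].split(".")[2:]:
        findings.append((1, "fail", "last two fields of the local IP unchanged"))
    ssid = cfg.ssid.lower()
    firm_words = [w for w in firm_name.lower().split() if len(w) > 2]
    if ssid == FACTORY["ssid"]:
        findings.append((1, "fail", "SSID is still the factory value"))
    elif any(w in ssid for w in firm_words):
        findings.append((1, "fail", "SSID reveals the firm's name"))
    if cfg.ssid_broadcast:
        findings.append((1, "fail", "SSID broadcast is enabled"))

    # STEP TWO: change the administrative password.
    if cfg.admin_password == FACTORY["admin_password"]:
        findings.append((2, "fail", "admin password is the factory default"))
    else:
        for problem in password_problems(cfg.admin_password):
            findings.append((2, "fail", "admin password " + problem))

    # STEP THREE: encrypt the signal, WPA2 preferred, then WPA, then WEP.
    enc = cfg.encryption.lower()
    if enc not in ENCRYPTION_RANK:
        raise ValueError("unknown encryption setting: " + cfg.encryption)
    if enc == "none":
        findings.append((3, "fail", "signal is not encrypted"))
    elif enc == "wep64":
        findings.append((3, "fail", "WEP below 128-bit"))
    elif enc != "wpa2":
        findings.append((3, "warn", enc.upper() + " in use; move to WPA2"))

    # STEP FOUR: no LAN access through the WAP except over a VPN.
    if cfg.lan_reachable and not cfg.vpn_required_for_lan:
        findings.append((4, "fail", "LAN reachable through the WAP without a VPN"))

    failed = any(level == "fail" for _, level, _ in findings)
    return ("Open WAP" if failed else "meets proposed standard"), findings


if __name__ == "__main__":
    # Constructed sample: a WAP left exactly as it came out of the box.
    out_of_box = WapConfig("WRT54G", "192.168.1.1", "linksys", True,
                           "admin", "none", True, False)
    verdict, findings = audit(out_of_box, "Doe Roe LLP")
    print(verdict)
    for step, level, message in findings:
        print(f"  step {step} [{level}] {message}")
```

A WEP-128 or WPA configuration passes with a warning only when the VPN requirement is also met, which mirrors the article's point that WEP must never be the sole protection for the LAN.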

                  Written Policy

                  Anyone who has been granted remote access to your LAN must abide by
                  the written remote access policy. This policy must cover the remote
                  users’ notebook computers, PDAs and other mobile data devices; their
                  home LAN and any home computers, and any other machines which they
                  may use to access the company LAN.

                  The policy must be clearly posted in the firm, and discussed with all
                  remote users and staff. It must explicitly set forth rules governing
                  what employees may tell outsiders about your computers, your network,
                  your WAP and your security policies. It must be regularly reviewed.

                  For a sample written policy, see http://www.nickselby.com/wifi

                  Protect Home WAPs

                  Anyone granted permission to access the LAN via VPN must apply all
                  four steps above to their home or other remote WAP. This not only
                  protects your LAN, it protects personal data they store on their home
                  machines.

                  Current OS Patches, Anti-Virus, Firewall & Spyware Blockers

                  Anyone accessing the LAN must ensure that their device is updated
                  with the most recent security patches for their Operating System.

                  All machines on the LAN must run current versions of anti-virus
                  software with regularly updated virus definitions. Note that new
                  viruses are introduced every hour; “regularly updated virus
                  definitions” means at a minimum of once each week. It could be
                  argued it is reasonable to update every 24 hours.

                  Any device accessing the LAN from outside must be running a
                  properly-configured firewall program such as Zone Alarm or Computer
                  Associates eTrust. The Basic Signal Set (BSS) is shared by all users
                  of an AP; should the hotspot not block inner BSS connections (and you
                  should assume it does not), then if you connect to that AP without
                  running a firewall, a malicious user can gain access to your machine
                  and install software or remove files from your hard drive. If you’re
                  not encrypting your e-mail, it (and your password and username) can
                  be very, very easily captured and viewed in plain text by others on
                  the Hotspot – unless you’re encrypting your email through a VPN, or
                  an encryption program such as PGP.

                  Always assume that others can see you on a Hotspot. Make sure you have
                  a firewall running, and anything you care about – such as email or
                  confidential files – is encrypted across a tunnel.
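
The following Python example, added here and not part of the original white paper, checks a constructed site record against steps two to four and the device requirements above. The record layout, the mode labels such as WEP-64, the sample word list and the digit-stripping dictionary test are assumptions of this example.

```python
import re
from datetime import date

# Article's order of preference; the mode labels are this example's own.
ENCRYPTION_RANK = ["WPA2", "WPA", "WEP-128", "WEP-64", "NONE"]
SAMPLE_WORDS = {"password", "wireless", "attorney"}  # constructed word list

def password_findings(pw, words=SAMPLE_WORDS):
    """Step two: 8+ characters, not a dictionary word, upper/lower/numbers."""
    out = []
    if len(pw) < 8:
        out.append("admin password shorter than 8 characters")
    # Assumption: digits are stripped first, so "Wireless1" still counts as a word.
    if re.sub(r"[^a-z]", "", pw.lower()) in words:
        out.append("admin password is a dictionary word")
    for pattern, label in ((r"[A-Z]", "upper case letter"),
                           (r"[a-z]", "lower case letter"), (r"[0-9]", "number")):
        if not re.search(pattern, pw):
            out.append(f"admin password has no {label}")
    return out

def best_encryption(supported):
    """Step three: strongest mode the WAP offers, in the article's order."""
    return next((m for m in ENCRYPTION_RANK if m in supported), "NONE")

def audit(site, today):
    """Check one site record against steps two to four and the device rules."""
    findings = password_findings(site["admin_password"])
    best = best_encryption(site["supported"])
    if site["encryption"] != best:
        findings.append(f"encryption is {site['encryption']}, WAP supports {best}")
    if site["lan_without_vpn"]:
        findings.append("LAN reachable through the WAP without a VPN")
    for dev in site["devices"]:
        age = (today - dev["av_defs"]).days
        if age > 7:  # "at a minimum of once each week"
            findings.append(f"{dev['name']}: virus definitions {age} days old")
        if not dev["firewall"]:
            findings.append(f"{dev['name']}: no firewall running")
    return findings

SITE = {  # constructed sample record
    "admin_password": "Wireless1", "encryption": "WEP-128",
    "supported": {"WEP-128", "WPA", "WPA2"}, "lan_without_vpn": True,
    "devices": [
        {"name": "partner-notebook", "av_defs": date(2024, 1, 1), "firewall": False},
        {"name": "associate-pda", "av_defs": date(2024, 1, 12), "firewall": True}],
}
print(*audit(SITE, date(2024, 1, 15)), sep="\n")
```

An empty list from `audit` means the record meets every check; in practice the word set would be loaded from a full dictionary file rather than the three sample words.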

                  Call For Discussion

                  As when you access a Hotspot, you’re always looking for the balance
                  between ease of access and loss of security. The best we can do
                  is educate people about the upsides and downsides of using WAPs, and
                  discuss ways to protect yourself so that your information remains
                  reasonably secure.

                  As I mentioned earlier, this is all very new. The proposed standard
                  is a first step towards reducing the likelihood that your LAN will be
                  compromised, or your Internet connection abused. In order to further
                  this recommendation and develop a final specification, I welcome your
                  comments.

                  Ian Sacklow, the founder of the Capital District Linux Users Group and
                  Information Systems Manager for Dodge Chamberlain Luzine Weber
                  Associates, an architectural firm with offices in East Greenbush,
                  Plattsburgh and Jericho, New York, co-authored this white paper.

                  Members of the Capital District Linux Users Group contributed technical
                  information and fact checking for this article.

                  <p><a class="sdfootnotesym" name="sdfootnote1sym" href="#sdfootnote1anc">1</a>
                  Wi-Fi is short for &quot;Wireless Fidelity,&quot; the nickname for a
                  wireless area network (WAN) complying with IEEE 802.11
                  specifications. Wi-Fi&reg;
                  is a Registered Trademark of the Wi-Fi Alliance. 
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote2sym" href="#sdfootnote2anc">2</a> Of
                  course as the state of the art changes, so must any standard be
                  updated.</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote3sym" href="#sdfootnote3anc">3</a> One
                  can extend this range in a variety of ways, all fairly technical.
                  300 feet is the default, stock range without modification, and
                  therefore the range I discuss here.</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote4sym" href="#sdfootnote4anc">4</a> On
                  a network, a &quot;Trusted&quot; user is given access to sensitive
                  files. An &quot;Untrusted&quot; user may be granted access to
                  certain parts of the network, but not to areas containing sensitive
                  data. 
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote5sym" href="#sdfootnote5anc">5</a>
                  New York Lawyer's Code of
                  Professional Responsibility , DR
                  4-101 [1200.19] 
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote6sym" href="#sdfootnote6anc">6</a>
                   District of Columbia
                  Ethics Opinion 303, February 2, 2001</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote7sym" href="#sdfootnote7anc">7</a>
                   Delaware State Bar Association Opinion 2001-02
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote8sym" href="#sdfootnote8anc">8</a>
                   New York Penal Law Section 156.05</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote9sym" href="#sdfootnote9anc">9</a>
                   New York Penal Law Section 156.00</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote10sym" href="#sdfootnote10anc">10</a> id.</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote11sym" href="#sdfootnote11anc">11</a> You
                  change the Router Name to slow down would-be intruders. Router Names
                  provide enough information to attackers to obtain all default
                  information for that WAP. <a href='http://coffer.com/mac_find/' target='_blank'>http://coffer.com/mac_find/</a> is one
                  Website which provides lookups which match Router Names with
                  manufacturer and model number, linking to the manufacturer website
                  which lists that machine's default settings and password.</p>
                  


                  Also in this series…
                  A proposal for Reasonable Wireless Security for law firms

                  A sample network access policy

                  Wifi encryption standards

                  “There’s nothing on my desk worth stealing”

                  …and free hotspots for all


There’s Nothing On My Network Worth Stealing

Many computer users feel that, because they don’t deal in highfalutin’ top secret information, they don’t have much to offer an intruder.

Targets of intruders, though, are as difficult to predict as the closing price of next Tuesday’s light sweet crude trading. In fact, the possibilities are endless. And here’s just one way leaving your WAP unprotected – essentially running a Hotspot – could cause you pain.

Lawyer? Or Terrorist?
Parked outside your office within connection range sits Mr. Soren Marrwaakle, a Danish terrorist associated with the dreaded Copenhagen Resistance, which has sworn to destroy the American way of life. Soren drives around large cities seeking unprotected wireless connections just like yours.

Soren connects, through your unprotected WAP, to the Internet and thence his public, anonymous email account. After receiving from his cell the floor plans to a target building, he transmits back an email message to his handler, acknowledging receipt of the plans and passing on a recipe for low-fat brownies he got from Emeril.com.

Has your firm just violated the Patriot Act? You know, the part which says you’re not allowed “…to commit an act that the actor knows, or reasonably should know, affords material support, including a safe house, transportation, communications, funds, transfer of funds or other material financial benefit, false documentation or identification, weapons (including chemical, biological, or radiological weapons), explosives, or training…” [emphasis added]

Perhaps more to the point, do you wish to explain your views to the 33 FBI Agents in blue windbreakers who are at this moment milling about your conference room?

Sure, after only three days, by which time they’ve become mostly convinced of your innocence, 18 of the agents leave. But how much do you think it will eventually cost you in time, effort, resources and bad coffee to get the rest of them to go? How many of your clients will express delight upon learning that their lawyers are under Federal investigation for aiding a terrorist group?

And how will those pictures of guys in blue windbreakers carrying boxes out of your office look in the Times Union?

