The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/51912
TECH SUPPORT

The firm's BlackBerry Enterprise Server (BES) enforces this policy for new BlackBerrys added to the network. Users must set a password before they can proceed to configuring the device. The password doesn't have to be "strong", meaning it need not include at least three of the four available character types — lower case letters, upper case letters, numbers, special characters — nor does it have to exceed four characters in length. But, as Post says: "There's always a bit of a trade-off between convenience and security. It would be more convenient not to enter a password at all, but then, obviously, there would be more chance that data could be accessed."

It's not a risky trade-off, though, given that users — and hackers — have only five tries to get the password right. After the fifth failed attempt, the BlackBerry in effect commits suicide, automatically wiping all user data. "We've had more than one panicky call from a lawyer saying, 'I've only got two more tries and it's going to wipe everything out! What do I do?'"

If a lawyer reports a lost or stolen BlackBerry, Lerners' IT staff can send it a "kill pill," a command that, again, wipes all user data. This is assuming the device is still connected to the cellular network. Savvy hackers could dodge the kill pill by taking the device to a place with no cellular reception and avoid the device's suicide by not attempting to log in with the unlocking password. They could then use sophisticated hardware tools to directly access data on the BlackBerry. But because all data is encrypted on the Lerners devices using "strong" 256-bit Advanced Encryption Standard (AES), hackers would only retrieve gibberish. An encryption key, which works something like a password and determines how the data will be scrambled, is automatically activated when the device is unlocked — the user only ever has to enter one password.
At Lerners, the encryption key is periodically updated remotely from the BES. The so-called strong encryption is actually the weakest available, requiring only a four-character key to decrypt. "Stronger" and "strongest" require longer keys that are more difficult to hack, but even the weakest AES requires major hacking.

Selecting the level of encryption was another one of the inevitable trade-offs, says the firm's director of infrastructure services, David DeSumma. Encrypting and decrypting data — even using the weakest encryption — slows the device down a little. Stronger decryption would slow it down more. Too much loss of convenience and performance, and security measures begin to be counterproductive, with frustrated lawyers simply not bothering to use the technology.

Lerners has also taken measures to protect laptops, enforcing policies requiring seven-character unlocking passwords that must use strong password protocols, plus encryption of the entire disk. In addition, the firm "encourages" lawyers not to store second copies of files

24 FEBRUARY 2008 www.CANADIANLawyermag.com