🔒 Cybersecurity for lawyers

• Beware of "lookalike" domain names
• Use a trusted DNS server (e.g. by using a VPN, or DNS-over-https, or Tor)
• Check for a padlock, but it doesn't mean you're connecting to the right site

An obvious example: you want google.com, but the site is using g00gle.com — visually similar. But you might spot it — especially if you are not expecting Google to use zeros as “o”s in their URLs.

What about a URL which is believable (e.g. Google-email.com), but actually nothing to do with the company in question?

Other similar approaches — trying to make the URL so long that you cannot see it all in your address bar, and the bit you can see looks right (e.g. Google.com.fehfw8fey98ffrf1gwffgeqt473guyfqgaifafrf67ct7821fft4yf4t1fu14dtd15fqgyurogftyr3go,com

You might not spot that the bit after the .com should be a forward slash, and not a full stop.

(In this case, Google controls both g00gle.com and google-email.com — probably for the very reason of trying to lessen the risk to users.) But these all rely fooling you with a similar, but not correct, URL and, with some additional scrutiny and care, you should be able to keep yourself safe from these type of attacks.

Unfortunately, even if you type the right URL into your browser, there is no guarantee that you are connecting to the correct site.

That's because:

• the system which handles the conversion of domain names to IP addresses — the domain name system — is fundamentally insecure. While some sites have adopted techniques to mitigate this, you are unlikely to know which sites have done this.
• networks often try to be helpful and offer you a DNS service — but the outcome is that you are using the Internet equivalent of their own personal phone book, and you have no idea if they've replaced some of the phone numbers with fake ones.

The net result is that you could type the right URL into your browser, but still be directed to a fake site.

Make sure that you are using a DNS server which you trust — although you may find some networks block DNS traffic other than to their own DNS server.

To mitigate this, you can:

• use a VPN, as long as you make sure that your DNS look-ups go over the VPN tunnel. In doing this, you will be using your own choice of DNS server, rather than the DNS server offered by the network you are connected to.
• use DNS-over-https if your browser supports it. This only protects the browsing you do using that browser.
• use Tor.

I’m going to talk about https and encryption in a couple of minutes, Now, hopefully, it would be pretty tricky for me to show a padlock for this, but some of the companies which issue the certificates used for security have not got it right every time.

There are a couple of things I could do.

One would be to generate a self-signed certificate, and hope that you agree to accept it. But that is a bit of a giveaway.

Second, I could try to persuade you to accept a file onto your computer which would trust all certificates which I sign. [How easy is it to do this]

If I manage to do this, then you see the right URL in your address bar, and you see a padlock so you think “oh, good, the connection is encrypted”, but you are still sending your data to me, rather than to your intended destination. And if you put in your username and password, you are sending them to me, enabling me to then log in to your account, and pretend to be you.

To protect against this type of attack, you might consider something called two-factor authentication:. I’ll talk about this in the recording about passwords but the gist is that, as well as sending a username and password, both of which are things which you know, you are also sending a one-time token, only valid for that one login, which is generated by something which you have — it could be a phone, or a specific hardware device.

It would not stop the rogue site from getting your username and password but it should make it harder, if not impossible, for them to log in pretending to be you, as they would not have the ability to generate that one time token.

I have already mentioned https — the secure version of hypertext transfer protocol, which is the series of messages for the transfer of data to and from a web server.

Generally told to look for the padlock.

Unfortunately, what the padlock means, and what trust should be placed on the site as a result, has not always been communicated well.

The padlock means just one thing: that the connection between your computer and the receiving web server is encrypted

Nothing more. Not that the operator is who you think they are, or that, even if they are, they are not doing something unwanted with your data. You may be sending data to a completely untrustworthy third party, pretending to be someone that you known. You might be sending your data to them securely because of the padlock, but still to the wrong person. “secure” v “trusted”. No padlock, not encrypted.

As a general rule of thumb, be very wary giving personal data to a site which is not showing a padlock. But don’t rely on a padlock as a sign that everything is fine.

Check that the URL is what you are expecting.

Not good if you cannot see a padlock — but seeing one doesn’t mean that everything is fine.

Encrypts the communication between your browser and the server. Without it, anyone observing your traffic could see not only the other party to your communication, but what you are sending to them — for example, the content of forms, and the pages on the site.

Encryption does not make you invisible: DNS provider can still see your DNS lookups, and ISP can still see where you are going online. But not the pages which you are visiting, or the content of your transmissions, such as form contents.

So if you are sending your credit card details online, and don’t want them to be available to anyone observing your traffic, make sure you use an encrypted connection — but make sure you have verified that the site in question is what you are expecting.

Some degree of checking that the certificate has been issued to the right site?

There’s a strong chance that your browser offers a “private browsing” mode.

This was commonly discussed as a mode which you were supposed to use when buying a present for a loved one, so that they would not find traces of your secretive gift habits if they happened to use your computer. In reality, it’s pretty much universally known as “porn mode”, for much the same reason.

If you do not want your browser to retain a record of what sites you have visited, private browsing mode is reasonable way of doing this — it saves you having to clear your history, cookies, cache etc manually.

But private browsing does not stop the sites you visit from logging information about you, such as your IP address.

And it does not change any visibility which your network provider has of your traffic.

So it can be a useful tool if you do not want your computer to retain information about your browsing, but be aware that it does not hide your browsing from your Internet provider.

If you want to do that, then Tor, especially via Tor Browser, is a better option.

Loading images from remote servers

Every time you connect to a site, you are sending information to it — your IP address, and some information about your browser configuration. Where a page hosts images from multiple other sites, you are sending your information to all of those sites.

So every time you load a page containing a Facebook element, your computer is talking to Facebook. Easy to build up a picture of your activity over time.

Imagine every time you go into a shop, or visit a friend, or read a news story, you are ringing someone and saying “hi! I’m over here now!”. That is basically what is happening.

Technically, it does not matter if you are logged in or not — but staying logged in to Facebook, Twitter, LinkedIn etc can only help matters.

Sites may store information on your computer, in the form of cookies.

You can delete these (or refuse to receive them in the first place) through your browser settings.

Blocking all cookies might make some sites work poorly — if a cookie is used for keeping your login session active, for example, or maintaining the content of your shopping basket before you check out, disability cookies could result in a really poor user experience or failed transactions.

Removing cookies will limit the information that a site can collect on you, but will mean you need to keep logging in.

Information injected into your browsing by your ISP. VPN may assist — assuming that your VPN provider is not modifying your traffic too…

Even without cookies, still possible to track you:

Combination of IP address and browser-specific information. EFF’s “panopticlick” tool: https://panopticlick.eff.org

Looks at the variety of information available from your browser, and suggests how many other browsers will look indistinguishable from yours. When I tested my browser, it showed it would be pretty easy to identify it: 1 in 100,000 browsers.

A slightly controversial topic is that of blocking ads.

This entails running software either on your phone or laptop, or else on the network itself, which attempts to detect requests your devices make for adverts embedded in webpages, and blocking them. The software to do this is readily and freely available.

The reason I say it is controversial is that, for all its sins, online advertising, especially targeted advertising, funds as lot of sites, and blocking ads may have an adverse impact of their viability. That’s increasingly why, if you have an ad blocker running, you see “ad walls” pop up on the page you are trying to visit, telling you to drop you ad blocker or else leave.

For me, that’s probably a good enough sign to leave, but others may feel differently.

Generally, irritating though they are, particularly when they block the flow of text on a page, it is not the advertisements themselves which are objectionable.

More usually, it is the fact that the advertisements are targeted. And, to achieve this, data about the sites you are visiting, and about your computer and software, and sent to third parties who run advertising networks, to enable them to try to shove you the advert which they think will get the best reaction from you.

You might be surprised just how many people are tracking you on your favourite websites — tools such as Ad Block Plus and Ghostery, which you add in to your browser, can help you see just how much is going on. Unfortunately, there is no common way of accepting the advertising without the tracking, so your option is pretty much accept both or block both.