Month: August 2020

Working at Home: Security Issues

Digital Detectives, a Legal Talk Network podcast, is one of my favorites. This month hosts Nelson and Simek ( interview David K. Reis, who provides some good advice about working at home security issues. After emphasizing the phishing threat, he pointed out a couple of other risks:

One is security for home printers. If you are going to print confidential client information or other confidential firm information, there can be security issues with the printers storing it, if it’s a wireless printer that isn’t configured securely, someone may be able to intercept that. So printers are a second thing other than the phishing and protection against the usual security threats.

A third one is paper documents. If you are printing confidential law firm or client documents at home what do you do with drafts, what do you do with old ones? We all over our shredding bins and security in the office, don’t just throw it in regular trash at home and we actually did an alert on that earlier before the current one on the importance of paper in cybersecurity during the work-at-home.

Source: Work-At-Home and Remote Access – It’s Time for a Security Review – Legal Talk Network

MIT Technology Review

MIT Technology Review Algorithm Article

Subscribers to the MIT Technology Review get  a nice perk: The Algorithm, a weekly email newsletter about tech trends. It’s an easy way to keep up with important tech developments. A timely article this month: problems with predictive policing algorithms.

Transitioning from Twitter to Blogging

Bob Ambrogi interviewed Lindsay Griffiths, author of Zen & the Art of Legal Networking blog. Sometimes 280 characters just won’t cut it:

Originally, I thought that it didn’t make sense for me to blog. And I didn’t think I had anything to say. But I started on Twitter first and I realized that when I would respond to things that people were saying or questions that people had that I had much more to say than  140 characters at that time permitted me to answer…I started to realize that maybe I did have something to say and I did have a viewpoint that felt valuable and I could interact on a larger platform.

Ransomware: An Instructive Example 

“Ransomware,” or hacker blackmail attempts to extort money by threatening to release confidential/embarrassing information, is on the rise. “Phishing” or its variant, “spear phishing” seem to be the most common vector.

  • “Phishing” is basically spam that contains a poison pill in the form of a trojan horse attachment or link to a drive by download website.
  • “Spear phishing” is the same, except it’s targeted to make it more attractive to a particular organization or even a particular person.

Thanks to Ben Schorr for an interesting example:  The University of California San Francisco paid hackers $1.14 million (after negotiating them down from $3 million). BBC News has a transcript of some of the negotiations.

But Jan Op Gen Oorth, from Europol, which runs a project called No More Ransom, said: “Victims should not pay the ransom, as this finances criminals and encourages them to continue their illegal activities.

“Instead, they should report it to the police so law enforcement can disrupt the criminal enterprise.”

Brett Callow, a threat analyst at cyber-security company Emsisoft, said: “Organisations in this situation are without a good option.

“Even if they pay the demand, they’ll simply receive a pinky-promise that the stolen data will be deleted.

“But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?”

Phishing and is worse than a nuisance: It can destroy your business. Specialized software can help, but the first line of defense is high quality training of your employees. Supplement this by testing their responses to test break-in attempts–and embarrassing the employees who show themselves to be too gullible.

Tech Republic has more tips.

Potential for Attack on Internet Infrastructure

The conventional wisdom is that the resilient nature of Internet protocols makes it difficult or impossible for an attacker to take down or cripple the Internet. A couple of respected Washington Post columnists have some doubts about the conventional wisdom. I think they have a point.

David Ignatius advises:

America’s botched response to the coronavirus pandemic is a warning that, unless our broken political and administrative systems are fixed, the country could experience a similar breakdown in future national crises, such as a massive cyberattack.

This stark message was contained in a little-noticed white paper recently released by the bipartisan Cyberspace Solarium Commission, titled “Cybersecurity Lessons From the Pandemic.” As the paper highlighted, the covid-19 outbreak has been a stress test for our national crisis-management system — and that system has, to a frightening extent, failed. The challenges of a cyberattack would be even greater. …

Part of the problem with our covid-19 response is specific to Trump, who seems to view unpredictability and lack of planning as positive management tools. But another president, with better management skills, would still face bureaucratic blockages that are endemic to our system. White House coordinators similar to the proposed cyber director — the U.S Trade Representative, say, or the Office of Science and Technology Policy — struggle in any administration to frame coherent government-wide policy, as noted in a recent Lawfare essay by Mieke Eoyang and Anisha Hindocha.

Economics columnist Robert J. Samuelson thinks Big Tech’s  privacy/monopoly/abuse of power issues are small potatoes next to the threat of a crippling cyberattack:

The consequences of a massive cyberattack could make the disruptions caused by the pandemic seem like child’s play. There might be simultaneous assaults on the nation’s power, communication, financial and transportation networks. People would stumble about in a cyber fog with public and private communications channels, from email to cable TV, disabled or overwhelmed.