Categories
Productivity Tips Security

Nicole Black Tips on Collaboration

Very timely! LLRX is hosting Nicole Black’s article “Securely Collaborate and Communicate Remotely: A How-To for Lawyers.” Nicole likes portals.

Glad to see her emphasize the ABA Ethics Committee’s recent change in its approach to unencrypted email:

[I]n the mid-1990s, bar association ethics committees across the country began to approve the use of unencrypted email when communicating with clients and for nearly two decades lawyers used email to communicate with clients since no other more secure methods were available. But most ethics opinions acknowledged that the standard established was an elastic one that could conceivably change as technology advanced and more secure options became available.

Since then, technology has improved significantly, and more secure electronic communication methods have emerged, rendering unencrypted email insufficient for certain types of client communication, as the ABA acknowledged in Formal Opinion 477 last year. In this opinion, the Ethics Committee concluded that unencrypted email may not always be sufficient for client communication.

Specifically, the Committee advised that lawyers must assess the sensitivity of information on a case-by-case basis and then choose the most appropriate and sufficiently secure method of communicating and collaborating with clients. Options offered in the opinion included encrypted email and “the use of a Virtual Private Network, or another secure internet portal.”


Facebook Quizzes and The Folly of “Secret Questions”

Lots of discussion lately about risks of filling in quizzes on Facebook. This is merely a new example of an old problem:

Many websites, including banks, have gone to the practice of allowing users who have lost passwords to obtain access to their accounts through the use of “secret questions.” For years the classic secret question was “Mother’s Maiden Name.” Though there is now more variety in secret questions, they still represent a giant security flaw. Security guru Bruce Schneier has written many times about this issue, including this concise essay.

Serious attackers will often be able to figure out the answers by researching the subject–especially subjects who are indiscreet users of social media. This is even more risky today, with the popularity of quizzes on Facebook. Close friends or relatives inclined to access your accounts may not even have to do all that much research. They may already know the brand of your first car, or the name of your favorite elementary school teacher. At a minimum, protect yourself by never giving a real answer when you set up a “secret question.”

Why do banks and other online entities like to use such insecure techniques? From their point of view, it’s better than having to deal with an angry customer who has lost his password. Any losses the practice may cause are an “externality,” a cost not borne by the bank.


Zoom Security Tips

Thanks to Jim Calloway for timely tips in his post Zoom Security Tips.


Security Risks of 5G Cellphone Standard

Plenty of misunderstandings and oversimplified views of 5G cellphone security risks. Here’s the intro to Bruce Schneier’s analysis:

The security risks inherent in Chinese-made 5G networking equipment are easy to understand. Because the companies that make the equipment are subservient to the Chinese government, they could be forced to include backdoors in the hardware or software to give Beijing remote access. Eavesdropping is also a risk, although efforts to listen in would almost certainly be detectable. More insidious is the possibility that Beijing could use its access to degrade or disrupt communications services in the event of a larger geopolitical conflict. Since the internet, especially the “internet of things,” is expected to rely heavily on 5G infrastructure, potential Chinese infiltration is a serious national security threat.

But keeping untrusted companies like Huawei out of Western infrastructure isn’t enough to secure 5G. Neither is banning Chinese microchips, software, or programmers. Security vulnerabilities in the standards, the protocols and software for 5G, ensure that vulnerabilities will remain, regardless of who provides the hardware and software. These insecurities are a result of market forces that prioritize costs over security and of governments, including the United States, that want to preserve the option of surveillance in 5G networks. If the United States is serious about tackling the national security threats related to an insecure 5G network, it needs to rethink the extent to which it values corporate profits and government espionage over security.


The Ethical Obligation of Maintaining Reasonable Cybersecurity Measures | ABA Law Practice Today

ABA Law Practice Today has an excellent reminder that cybersecurity implicates multiple provisions of the Model Rules:

[The leading ethics opinion] references five of the Model Rules of Professional Conduct as the foundation of the opinion. These rules pertain to the duty of competence, the expectation of keeping clients reasonably informed, attorney-client confidentiality, and the responsibility of a managing or supervisory attorney to ensure a firm’s compliance with the Rules of Professional Conduct for both attorneys and non-attorneys alike.

Source: The Ethical Obligation of Maintaining Reasonable Cybersecurity Measures | ABA Law Practice Today


Why the Cloud is the New Electricity–and What it Means to Lawyers

ABA TECHSHOW 2020 will be held this year in Chicago on February 26 – 29, but the show’s blog is up and running. This month it features a link to an interview with cloud expert Andy Wilson in podcast and transcript formats. The topic is “The Cloud is the New Electricity–and What it Means to Lawyers.”

Here’s Wilson’s take on the security issue:

Well, ironically, I guess that most of the cloud providers that are coming to their door are orders of magnitude more secure than the way that they are handling data. There’s been a couple of studies that have been put out around law firm cybersecurity risk and 80% of Am Law 100 law firms have already been hacked; you probably heard of some of the biggest ones, DLA Piper was shut down for an entire week.

And one in four law firms, which 80% of law firms are fewer than 10 attorneys, have been breached, but they probably don’t know it because they don’t have the technology to even detect an intrusion.

Whereas a cloud service, what a cloud is offering is trust, like hey, listen, trust us to host your data because we have a team of engineers that are monitoring for detection, we have a software enabled that’s monitoring for intrusion detection, we have encryption at rest, we have SOC 2 Type 2 certifications, we have all these things. But fundamentally what they are selling is trust, and there’s ways to verify that trust if you are a law firm.

Most of these companies are going to have a security page where they list all their certifications, you can ask for copies of their SOC 2 Type 2, which is a big difference than a Type 1 certification, not just what Amazon provides. You can’t get by with that. I wouldn’t trust that, because obviously Amazon’s data center is SOC 2 Type 2 certified, amongst other things, but maybe the vendor selling the services hasn’t actually achieved a level of SOC 2 certification on their own, which is a red flag. So you can test that.

If you want to — if you are spending a lot of money in these cloud services, you can hire 10 testers, almost like white hat hackers, where they will try and penetrate the production environment of this cloud service. I wouldn’t recommend that for anything. If you are not going to spend $100,000 or more a year in these services, you probably can’t afford that.


ABA CLE Programs

The ABA offers a variety of CLE programs. Their January 9 program looks promising. It’s part of their Best of ABA TECHSHOW series:

Bitcoin and Blockchain for Lawyers: What are the benefits and potential pitfalls of blockchain technology? What are cryptocurrencies, digital coins, and initial coin offerings (ICOs), and how are they regulated?


Password Managers: What to Look For

PC World has a review of password managers (they like LastPass), but perhaps more important, they provide a list of reasons to adopt one of these products:

  • Password generation: You’ve been reminded ad nauseam that the strongest passwords are long, random strings of characters, and that you should use a different one for each site you access. That’s a tall order. This is what makes password generation—the ability to create complex passwords out of letters, numbers, and special characters—an indispensable feature of any good password manager. The best password managers will also be able to analyze your existing passwords for weaknesses and upgrade them with a click.
  • Autofill and auto-login: Most password managers can autofill your login credentials whenever you visit a site and even log you in automatically. Thus, the master password is the only one you ever have to enter. This is controversial, though, as browser autofill has long been a security concern, so the best managers will also let you toggle off this feature if you feel the risk outweighs the convenience.
  • Secure sharing: Sometimes you need to share a password with a family member or coworker. A password manager should let you do so without compromising your security.
  • Two-factor authentication: To an enterprising cybercriminal, your password manager’s master password is as hackable as any other password. Increasingly, password managers support multi-factor authentication—using a second method such as a PIN, a fingerprint, or another “trusted device” for additional verification—to mitigate this risk. Choose one that does.
  • Protection for other personal data: Because of how frequently we use them online, credit card and bank account numbers, our addresses, and other personal data can be securely stored in many password managers and automatically filled into web forms when we’re shopping or registering an account.



Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks

Ransomware can kill you. Fatal heart attacks are more common at facilities that have security breaches:

Just as PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined.

The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

“Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes,” the authors found. “Remediation activity may introduce changes that delay, complicate or disrupt health IT and patient care processes.”

“The exploitation of cybersecurity vulnerabilities is killing people,” Scanlon told KrebsOnSecurity. “There is a lot of possible research that might be unleashed by this study. I believe that nothing less than a congressional investigation will give the subject the attention it deserves.”

Source: Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks — Krebs on Security


Take Affiliate Site Reviews With a Grain of Salt

Krebs on Security has a warning about the reliability of reviews on sites funded by affiliates (i.e., sites receiving a commission on products sold through them, like the Amazon Affiliate program):

For better or worse, there are hundreds of VPN providers out there today. Simply searching the Web for “VPN” and “review” is hardly the best vetting approach, as a great many VPN companies offer “affiliate” programs that pay people a commission for each new customer they help sign up. I say this not to categorically discount VPN providers that offer affiliate programs, but more as a warning that such programs can skew search engine results in favor of larger providers. That’s because affiliate programs oft