Security Risks of 5G Cellphone Standard

Plenty of misunderstandings and oversimplified views of 5G cellphone security risks. Here’s the intro to Bruce Schneier’s analysis:

The security risks inherent in Chinese-made 5G networking equipment are easy to understand. Because the companies that make the equipment are subservient to the Chinese government, they could be forced to include backdoors in the hardware or software to give Beijing remote access. Eavesdropping is also a risk, although efforts to listen in would almost certainly be detectable. More insidious is the possibility that Beijing could use its access to degrade or disrupt communications services in the event of a larger geopolitical conflict. Since the internet, especially the “internet of things,” is expected to rely heavily on 5G infrastructure, potential Chinese infiltration is a serious national security threat.

But keeping untrusted companies like Huawei out of Western infrastructure isn’t enough to secure 5G. Neither is banning Chinese microchips, software, or programmers. Security vulnerabilities in the standards­ the protocols and software for 5G­ ensure that vulnerabilities will remain, regardless of who provides the hardware and software. These insecurities are a result of market forces that prioritize costs over security and of governments, including the United States, that want to preserve the option of surveillance in 5G networks. If the United States is serious about tackling the national security threats related to an insecure 5G network, it needs to rethink the extent to which it values corporate profits and government espionage over security.

The Ethical Obligation of Maintaining Reasonable Cybersecurity Measures | ABA Law Practice Today

ABA Law Practice Today has an excellent reminder that cybersecurity implicates multiple provisions of the Model Rules:

[The leading ethics opinion] eferences five of the Model Rules of Professional Conduct as the foundation of the opinion. These rules pertain to the duty of competence, the expectation of keeping clients reasonably informed, attorney-client confidentiality, and the responsibility of a managing or supervisory attorney to ensure a firm’s compliance with the Rules of Professional Conduct for both attorney and non-attorneys alike.

Source: The Ethical Obligation of Maintaining Reasonable Cybersecurity Measures | ABA Law Practice Today

Why the Cloud is the New Electricity–and What it Means to Lawyers

ABA TECHSHOW 2020 will be held  this year in Chicago on February 26 – 29, but the show’s blog is up and running. This month it features a link to an interview with cloud expert Andy Wilson in podcast and transcript formats. The topic is “The Cloud is the New Electricity–and What it Means to Lawyers.”

Here’s Wilson’s take on the security issue:

Well, ironically, I guess that most of the cloud providers that are coming to their door are orders of magnitude more secure than the way that they are handling data. There’s been a couple of studies that have been put out around law firm cybersecurity risk and 80% of Am Law 100 law firms have already been hacked; you probably heard of some of the biggest ones, DLA Piper was shut down for an entire week.

And one in four law firms, which 80% of law firms are fewer than 10 attorneys, have been breached, but they probably don’t know it because they don’t have the technology to even detect an intrusion.

Whereas a cloud service, what a cloud is offering is trust, like hey, listen, trust us to host your data because we have a team of engineers that are monitoring for detection, we have a software enabled that’s monitoring for intrusion detection, we have encryption at rest, we have SOC 2 Type 2 certifications, we have all these things. But fundamentally what they are selling is trust, and there’s ways to verify that trust if you are a law firm.

Most of these companies are going to have a security page where they list all their certifications, you can ask for copies of their SOC 2 Type 2, which is a big difference than a Type 1 certification, not just what Amazon provides. You can’t get by with that. I wouldn’t trust that, because obviously Amazon’s data center is SOC 2 Type 2 certified, amongst other things, but maybe the vendor selling the services hasn’t actually achieved a level of SOC 2 certification on their own, which is a red flag. So you can test that.

If you want to — if you are spending a lot of money in these cloud services, you can hire 10 testers, almost like white hat hackers, where they will try and penetrate the production environment of this cloud service. I wouldn’t recommend that for anything. If you are not going to spend $100,000 or more a year in these services, you probably can’t afford that.

Password Mangers: What to Look For

PC World has a review of password managers (they like Lastpass), but perhaps more important, they provide a list of reasons to adopt one of these products:

  • Password generation: You’ve been reminded ad nauseam that the strongest passwords are long, random strings of characters, and that you should use a different one for each site you access. That’s a tall order. This is what makes password generation—the ability to create complex passwords out of letters, numbers, and special characters—an indispensable feature of any good password manager. The best password managers will also be able to analyze your existing passwords for weaknesses and upgrade them with a click.
  • Autofill and auto-login: Most password managers can autofill your login credentials whenever you visit a site and even log you in automatically. Thus, the master password is the only one you ever have to enter. This is controversial, though, as browser autofill has long been a security concern, so the best managers will also let you toggle off this feature if you feel the risk outweighs the convenience.
  • Secure sharing: Sometimes you need to share a password with a family member or coworker. A password manager should let you do so without compromising your security.
  • Two-factor authentication: To an enterprising cybercriminal, your password manager’s master password is as hackable as any other password. Increasingly, password managers support multi-factor authentication—using a second method such as a PIN, a fingerprint, or another “trusted device” for additional verification—to mitigate this risk. Choose one that does.
  • Protection for other personal data: Because of how frequently we use them online, credit card and bank account numbers, our addresses, and other personal data can be securely stored in many password managers and automatically filled into web forms when we’re shopping or registering an account.

Password generation: You’ve been reminded ad nauseam that the strongest passwords are long, random strings of characters, and that you should use a different one for each site you access. That’s a tall order. This is what makes password generation—the ability to create complex passwords out of letters, numbers, and special characters—an indispensable feature of any good password manager. The best password managers will also be able to analyze your existing passwords for weaknesses and upgrade them with a click.

Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks 

Ransomware can kill you. Fatal heart attacks are more common at facilities that have security breaches:

Just As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined.

The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

“Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes,” the authors found. “Remediation activity may introduce changes that delay, complicate or disrupt health IT and patient care processes.”

“The exploitation of cybersecurity vulnerabilities is killing people,” Scanlon told KrebsOnSecurity. “There is a lot of possible research that might be unleashed by this study. I believe that nothing less than a congressional investigation will give the subject the attention it deserves.”

Source: Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks — Krebs on Security

Take Affiliate Site Reviews With a Grain of Salt

Krebs on Security has a warning about reliability of reviews on sites funded by affiliates (i.e., receiving a commission on products sold through the site, like the Amazon Affiliate program)

For better or worse, there are hundreds of VPN providers out there today. Simply searching the Web for “VPN” and “review” is hardly the best vetting approach, as a great many VPN companies offer “affiliate” programs that pay people a commission for each new customer they help sign up. I say this not to categorically discount VPN providers that offer affiliate programs, but more as a warning that such programs can skew search engine results in favor of larger providers. That’s because affiliate programs oft

Problems With E-mail Disclaimers/Warnings

It’s smart to include disclaimers in all your e-mail messages, right? A friend of mine summarized her advice at a legal conference a few years ago as “Disclaim, Disclaim, Disclaim.”

Is it really that easy? Some people think disclaimers can warnings may hurt more than they help.

A Lawyerist article entitled This Post is Privileged and Confidential has some good observations on the nearly ubiquitous disclaimers in e-mail messages:

There are several problems with these disclaimers, aside from cluttering up email threads. For one, attorney-client privilege and confidentiality are not the same thing.  Without digressing too much, suffice it to say that while all attorney-client privileged communications are confidential, only a small portion of the client information lawyers are required to treat as confidential is also privileged. Another incongruity is that an email intentionally sent from a lawyer to almost anyone except a client will not be confidential or privileged at all (setting aside agents or experts the lawyer may be contacting on the client’s behalf or negotiations subject to a confidentiality agreement or rule).  So for the vast majority of emails that lawyers send — to colleagues, to witnesses, to vendors, to friends, to listservs, etc. — the disclaimer is meaningless.

Undermining Disclaimers Through Overuse

Which brings us to the real problem with these disclaimers. By overusing them, lawyers may be undermining the effectiveness of disclaimers in protecting the confidential or privileged nature of the information in the email in the (hopefully) rare event that an email is misdirected (or inadvertently produced in discovery).

In Scott v. Beth Israel Medical Center Inc., 847 N.Y.S.2d 436, 444 (2007), the court refused to find that a series of emails were privileged just because they contained a disclaimer that was found in every email sent by the plaintiff. Moreover, by overusing disclaimers and privilege warnings, lawyers are training the world to ignore them — which is precisely what we don’t want people to do.

Want to keep your communications confidential? Encrypt them.

Cloud Ethics Opinions

Bob Ambrogi notes, “The ethics of cloud computing remains an evolving area of law and research involving it needs constant updating.”

The energetic Mr. Ambrogi followed up by finding several cloud ethics opinions to supplement the ABA Legal Technology Resource Center’s list.

The bottom line looks good:

The good news here is that all 17 of the states that have considered the issue agree that lawyers may ethically use the cloud, provided they take reasonable steps to minimize risk to confidential information and client files.

E-mail: Tool of Professional Self Destruction

A front page New York Times story indicates even prestigious law firms are not immune to clueless behavior:

Four men, who were charged by New York prosecutors on Thursday with orchestrating a nearly four-year scheme to manipulate the firm’s books to keep it afloat during the financial crisis, talked openly in emails about “fake income,” “accounting tricks” and their ability to fool the firm’s “clueless auditor,” the prosecutors said.

Dumb, dumb, dumb. Don’t engage in conduct like this, and if you must, show some common sense.