Working at Home: Security Issues

Digital Detectives, a Legal Talk Network podcast, is one of my favorites. This month hosts Nelson and Simek ( interview David K. Reis, who provides some good advice about working at home security issues. After emphasizing the phishing threat, he pointed out a couple of other risks:

One is security for home printers. If you are going to print confidential client information or other confidential firm information, there can be security issues with the printers storing it, if it’s a wireless printer that isn’t configured securely, someone may be able to intercept that. So printers are a second thing other than the phishing and protection against the usual security threats.

A third one is paper documents. If you are printing confidential law firm or client documents at home what do you do with drafts, what do you do with old ones? We all over our shredding bins and security in the office, don’t just throw it in regular trash at home and we actually did an alert on that earlier before the current one on the importance of paper in cybersecurity during the work-at-home.

Source: Work-At-Home and Remote Access – It’s Time for a Security Review – Legal Talk Network


Ransomware: An Instructive Example 

“Ransomware,” or hacker blackmail attempts to extort money by threatening to release confidential/embarrassing information, is on the rise. “Phishing” or its variant, “spear phishing” seem to be the most common vector.

  • “Phishing” is basically spam that contains a poison pill in the form of a trojan horse attachment or link to a drive by download website.
  • “Spear phishing” is the same, except it’s targeted to make it more attractive to a particular organization or even a particular person.

Thanks to Ben Schorr for an interesting example:  The University of California San Francisco paid hackers $1.14 million (after negotiating them down from $3 million). BBC News has a transcript of some of the negotiations.

But Jan Op Gen Oorth, from Europol, which runs a project called No More Ransom, said: “Victims should not pay the ransom, as this finances criminals and encourages them to continue their illegal activities.

“Instead, they should report it to the police so law enforcement can disrupt the criminal enterprise.”

Brett Callow, a threat analyst at cyber-security company Emsisoft, said: “Organisations in this situation are without a good option.

“Even if they pay the demand, they’ll simply receive a pinky-promise that the stolen data will be deleted.

“But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?”

Phishing and is worse than a nuisance: It can destroy your business. Specialized software can help, but the first line of defense is high quality training of your employees. Supplement this by testing their responses to test break-in attempts–and embarrassing the employees who show themselves to be too gullible.

Tech Republic has more tips.


Potential for Attack on Internet Infrastructure

The conventional wisdom is that the resilient nature of Internet protocols makes it difficult or impossible for an attacker to take down or cripple the Internet. A couple of respected Washington Post columnists have some doubts about the conventional wisdom. I think they have a point.

David Ignatius advises:

America’s botched response to the coronavirus pandemic is a warning that, unless our broken political and administrative systems are fixed, the country could experience a similar breakdown in future national crises, such as a massive cyberattack.

This stark message was contained in a little-noticed white paper recently released by the bipartisan Cyberspace Solarium Commission, titled “Cybersecurity Lessons From the Pandemic.” As the paper highlighted, the covid-19 outbreak has been a stress test for our national crisis-management system — and that system has, to a frightening extent, failed. The challenges of a cyberattack would be even greater. …

Part of the problem with our covid-19 response is specific to Trump, who seems to view unpredictability and lack of planning as positive management tools. But another president, with better management skills, would still face bureaucratic blockages that are endemic to our system. White House coordinators similar to the proposed cyber director — the U.S Trade Representative, say, or the Office of Science and Technology Policy — struggle in any administration to frame coherent government-wide policy, as noted in a recent Lawfare essay by Mieke Eoyang and Anisha Hindocha.

Economics columnist Robert J. Samuelson thinks Big Tech’s  privacy/monopoly/abuse of power issues are small potatoes next to the threat of a crippling cyberattack:

The consequences of a massive cyberattack could make the disruptions caused by the pandemic seem like child’s play. There might be simultaneous assaults on the nation’s power, communication, financial and transportation networks. People would stumble about in a cyber fog with public and private communications channels, from email to cable TV, disabled or overwhelmed.


Security Theater and Covid-19

A major Washington DC property management company is putting out guidance on reducing Covid-19 risks.

Some of their recommendations make sense. Taking employee temperatures when they report to work every morning seems reasonable.

Some are dubious. Requiring retesting temperature when employees return from lunch is almost certainly overkill.

IT Security Guru Bruce Schneier

Security theater is not new. Bruce Schneier, a leading IT security expert defined security theater and provided an example in his essay Beyond Security Theater:

“Security theater refers to security measures that make people feel more secure without doing anything to actually improve their security. An example: the photo ID checks that have sprung up in office buildings. No-one has ever explained why verifying that someone has a photo ID provides any actual security, but it looks like security to have a uniformed guard-for-hire looking at ID cards.” [Emphasis added]

Is security theater always bad? To the extent it reduces anxiety, it can be beneficial.

Other benefits are possible. One D.C. law firm decided that even though they could cover everything needed in their Covid-19 safety briefings in 20 minutes, they should last at least an hour.

Wasted time or wise precaution? Not sure, but if the law firm’s seriousness ever came into question, in litigation or otherwise, hour-long sessions might have at least some symbolic value.


Two Factor Authentication Progress & Precautions

Two factor authentication (2FA) has long been the gold standard for securing online activity. Among other benefits, it can make password managers even more secure. As Apple legal tech guru Jeff Richardson explains at iPhone J.D.:

With two-factor authentication, it is not enough for the hacker to have your username and password; he must also have access to a device in your possession (such as your iPhone) which displays a number that changes every 30 seconds.  If the hacker is in some foreign country across the globe, he won’t have that, and his attempts to access your account will fail.

Legal ethics guidance sometimes recommends two factor authentication as a way to keep lawyer communications more secure.

Hard-based authentication, requiring a physical token for access, has some significant advantages over other methods.

Ars Technica article explains why recent advances in interfaces between iPads and iPhones and the Advanced Protection Program (APP), a security plan for high-risk users that requires hardware keys for account access much easier to use.

One drawback: If a problem develops with APP, it is much harder to fix than merely requesting a password change link. The Ars Technica article explains this risk and an approach to reduce the risk:

A word of caution, though, for anyone—regardless of what OS they’re using—considering APP. Once it’s turned on, the process for recovering accounts in the event of a lost password or keys is much more rigorous than normal and may start with a days-long “cooling off” period that locks users out of their accounts. Because they’re phishable, recovery codes aren’t an option with APP, either.

To hedge against the possibility of all of one’s keys being lost or destroyed, users can enroll as many keys as they want, and some can be kept off site, such as in an attorney’s safe or with a trusted friend.


E-mail Disclaimers

It’s smart to include disclaimers in all your e-mail messages, right? A friend of mine summarized her advice at a CLE conference a few years ago as “Disclaim, Disclaim, Disclaim.”

Is it really that easy? Disclaimers have their place, but don’t expect too much from them.

A Lawyerist article entitled This Post is Privileged and Confidential has some good observations on the nearly ubiquitous disclaimers in e-mail messages:

There are several problems with these disclaimers, aside from cluttering up email threads. For one, attorney-client privilege and confidentiality are not the same thing.  Without digressing too much, suffice it to say that while all attorney-client privileged communications are confidential, only a small portion of the client information lawyers are required to treat as confidential is also privileged. Another incongruity is that an email intentionally sent from a lawyer to almost anyone except a client will not be confidential or privileged at all (setting aside agents or experts the lawyer may be contacting on the client’s behalf or negotiations subject to a confidentiality agreement or rule).  So for the vast majority of emails that lawyers send — to colleagues, to witnesses, to vendors, to friends, to listservs, etc. — the disclaimer is meaningless.

Undermining Disclaimers Through Overuse

Which brings us to the real problem with these disclaimers:

By overusing them, lawyers may be undermining the effectiveness of disclaimers in protecting the confidential or privileged nature of the information in the email in the (hopefully) rare event that an email is misdirected (or inadvertently produced in discovery).

In Scott v. Beth Israel Medical Center Inc., 847 N.Y.S.2d 436, 444 (2007), the court refused to find that a series of emails were privileged just because they contained a disclaimer that was found in every email sent by the plaintiff. Moreover, by overusing disclaimers and privilege warnings, lawyers are training the world to ignore them — which is precisely what we don’t want people to do.

Want to keep your communications confidential? Encrypt them.

Productivity Tips Security

Nicole Black Tips on Collaboration

Very timely! LLRX is hosting Nicole Black‘s article “Securely Collaborate and Communicate Remotely: A How-To for Lawyers.” Nicole likes portals.

Glad to see her emphasize a recent change in the ABA Ethics Committee’s recent change in its approach to unencrypted emails:

[I]n the mid-1990s, bar association ethics committees across the country began to approve the use of unencrypted email when communicating with clients and for nearly two decades lawyers used email to communicate with clients since no other more secure methods were available. But most ethics opinions acknowledged that the standard established was an elastic one that could conceivably change as technology advanced and more secure options became available.

Since then, technology has improved significantly, and more secure electronic communication methods have emerged, rendering unencrypted email insufficient for certain types of client communication, as the ABA acknowledged in Formal Opinion 477 last year. In this opinion, the Ethics Committee concluded that unencrypted email may not always be sufficient for client communication.

Specifically, the Committee advised that lawyers must assess the sensitivity of information on a case-by-case basis and then choose the most appropriate and sufficiently secure method of communicating and collaborating with clients. Options offered in the opinion included encrypted email and “the use of a Virtual Private Network, or another secure internet portal.”


Facebook Quizzes and The Folly of “Secret Questions”

Lots of discussion lately about risks of filling in quizzes on Facebook. This is merely a new example of an old problem:

Many websites, including banks, have gone to the practice of allowing users who have lost passwords to obtain access to their accounts through the use of “secret questions.” For years the classic secret question was “Mother’s Maiden Name.” Though there is now more variety in secret questions, they still represent a giant security flaw. Security guru Bruce Schneier has written many times about this issue, including this concise essay.

Serious attackers will often be able to figure out the answers by researching the subject–especially subjects who are indiscreet users of social media.  This is even more risky today, with the popularity of quizzes on Facebook. Close friends or relatives inclined to access your accounts may not even have to do all that much research. They may already know the brand of your first car, or the name of your favorite elementary school teacher.  At a minimum, protect yourself by never giving a real answer when you set up a “secret question.”

Why do banks and other online entities like to use such insecure techniques? From their point of view, it’s better than having to deal with an angry customer who has lost his password. Any losses the practice may cause are an “externality,” a cost not born by the bank.

Productivity Tips Security

Zoom Security Tips

Thanks to Jim Calloway for timely tips in his post Zoom Security Tips.


Security Risks of 5G Cellphone Standard

Plenty of misunderstandings and oversimplified views of 5G cellphone security risks. Here’s the intro to Bruce Schneier’s analysis:

The security risks inherent in Chinese-made 5G networking equipment are easy to understand. Because the companies that make the equipment are subservient to the Chinese government, they could be forced to include backdoors in the hardware or software to give Beijing remote access. Eavesdropping is also a risk, although efforts to listen in would almost certainly be detectable. More insidious is the possibility that Beijing could use its access to degrade or disrupt communications services in the event of a larger geopolitical conflict. Since the internet, especially the “internet of things,” is expected to rely heavily on 5G infrastructure, potential Chinese infiltration is a serious national security threat.

But keeping untrusted companies like Huawei out of Western infrastructure isn’t enough to secure 5G. Neither is banning Chinese microchips, software, or programmers. Security vulnerabilities in the standards­ the protocols and software for 5G­ ensure that vulnerabilities will remain, regardless of who provides the hardware and software. These insecurities are a result of market forces that prioritize costs over security and of governments, including the United States, that want to preserve the option of surveillance in 5G networks. If the United States is serious about tackling the national security threats related to an insecure 5G network, it needs to rethink the extent to which it values corporate profits and government espionage over security.