Category: Security

Two factor authentication (2FA) has long been the gold standard for securing online activity. Among other benefits, it can make password managers even more secure. As Apple legal tech guru Jeff Richardson explains at iPhone J.D.:

With two-factor authentication, it is not enough for the hacker to have your username and password; he must also have access to a device in your possession (such as your iPhone) which displays a number that changes every 30 seconds.  If the hacker is in some foreign country across the globe, he won’t have that, and his attempts to access your account will fail.

Legal ethics guidance sometimes recommends two factor authentication as a way to keep lawyer communications more secure.

Hard-based authentication, requiring a physical token for access, has some significant advantages over other methods.

Ars Technica article explains why recent advances in interfaces between iPads and iPhones and the Advanced Protection Program (APP), a security plan for high-risk users that requires hardware keys for account access much easier to use.

One drawback: If a problem develops with APP, it is much harder to fix than merely requesting a password change link. The Ars Technica article explains this risk and an approach to reduce the risk:

A word of caution, though, for anyone—regardless of what OS they’re using—considering APP. Once it’s turned on, the process for recovering accounts in the event of a lost password or keys is much more rigorous than normal and may start with a days-long “cooling off” period that locks users out of their accounts. Because they’re phishable, recovery codes aren’t an option with APP, either.

To hedge against the possibility of all of one’s keys being lost or destroyed, users can enroll as many keys as they want, and some can be kept off site, such as in an attorney’s safe or with a trusted friend.

It’s smart to include disclaimers in all your e-mail messages, right? A friend of mine summarized her advice at a CLE conference a few years ago as “Disclaim, Disclaim, Disclaim.”

Is it really that easy? Disclaimers have their place, but don’t expect too much from them.

A Lawyerist article entitled This Post is Privileged and Confidential has some good observations on the nearly ubiquitous disclaimers in e-mail messages:

There are several problems with these disclaimers, aside from cluttering up email threads. For one, attorney-client privilege and confidentiality are not the same thing.  Without digressing too much, suffice it to say that while all attorney-client privileged communications are confidential, only a small portion of the client information lawyers are required to treat as confidential is also privileged. Another incongruity is that an email intentionally sent from a lawyer to almost anyone except a client will not be confidential or privileged at all (setting aside agents or experts the lawyer may be contacting on the client’s behalf or negotiations subject to a confidentiality agreement or rule).  So for the vast majority of emails that lawyers send — to colleagues, to witnesses, to vendors, to friends, to listservs, etc. — the disclaimer is meaningless.

Undermining Disclaimers Through Overuse

Which brings us to the real problem with these disclaimers:

By overusing them, lawyers may be undermining the effectiveness of disclaimers in protecting the confidential or privileged nature of the information in the email in the (hopefully) rare event that an email is misdirected (or inadvertently produced in discovery).

In Scott v. Beth Israel Medical Center Inc., 847 N.Y.S.2d 436, 444 (2007), the court refused to find that a series of emails were privileged just because they contained a disclaimer that was found in every email sent by the plaintiff. Moreover, by overusing disclaimers and privilege warnings, lawyers are training the world to ignore them — which is precisely what we don’t want people to do.

Want to keep your communications confidential? Encrypt them.

Lots of discussion lately about risks of filling in quizzes on Facebook. This is merely a new example of an old problem:

Many websites, including banks, have gone to the practice of allowing users who have lost passwords to obtain access to their accounts through the use of “secret questions.” For years the classic secret question was “Mother’s Maiden Name.” Though there is now more variety in secret questions, they still represent a giant security flaw. Security guru Bruce Schneier has written many times about this issue, including this concise essay.

Serious attackers will often be able to figure out the answers by researching the subject–especially subjects who are indiscreet users of social media.  This is even more risky today, with the popularity of quizzes on Facebook. Close friends or relatives inclined to access your accounts may not even have to do all that much research. They may already know the brand of your first car, or the name of your favorite elementary school teacher.  At a minimum, protect yourself by never giving a real answer when you set up a “secret question.”

Why do banks and other online entities like to use such insecure techniques? From their point of view, it’s better than having to deal with an angry customer who has lost his password. Any losses the practice may cause are an “externality,” a cost not born by the bank.

Plenty of misunderstandings and oversimplified views of 5G cellphone security risks. Here’s the intro to Bruce Schneier’s analysis:

The security risks inherent in Chinese-made 5G networking equipment are easy to understand. Because the companies that make the equipment are subservient to the Chinese government, they could be forced to include backdoors in the hardware or software to give Beijing remote access. Eavesdropping is also a risk, although efforts to listen in would almost certainly be detectable. More insidious is the possibility that Beijing could use its access to degrade or disrupt communications services in the event of a larger geopolitical conflict. Since the internet, especially the “internet of things,” is expected to rely heavily on 5G infrastructure, potential Chinese infiltration is a serious national security threat.

But keeping untrusted companies like Huawei out of Western infrastructure isn’t enough to secure 5G. Neither is banning Chinese microchips, software, or programmers. Security vulnerabilities in the standards­ the protocols and software for 5G­ ensure that vulnerabilities will remain, regardless of who provides the hardware and software. These insecurities are a result of market forces that prioritize costs over security and of governments, including the United States, that want to preserve the option of surveillance in 5G networks. If the United States is serious about tackling the national security threats related to an insecure 5G network, it needs to rethink the extent to which it values corporate profits and government espionage over security.

ABA Law Practice Today has an excellent reminder that cybersecurity implicates multiple provisions of the Model Rules:

[The leading ethics opinion] eferences five of the Model Rules of Professional Conduct as the foundation of the opinion. These rules pertain to the duty of competence, the expectation of keeping clients reasonably informed, attorney-client confidentiality, and the responsibility of a managing or supervisory attorney to ensure a firm’s compliance with the Rules of Professional Conduct for both attorney and non-attorneys alike.

Source: The Ethical Obligation of Maintaining Reasonable Cybersecurity Measures | ABA Law Practice Today

ABA TECHSHOW 2020 will be held  this year in Chicago on February 26 – 29, but the show’s blog is up and running. This month it features a link to an interview with cloud expert Andy Wilson in podcast and transcript formats. The topic is “The Cloud is the New Electricity–and What it Means to Lawyers.”

Here’s Wilson’s take on the security issue:

Well, ironically, I guess that most of the cloud providers that are coming to their door are orders of magnitude more secure than the way that they are handling data. There’s been a couple of studies that have been put out around law firm cybersecurity risk and 80% of Am Law 100 law firms have already been hacked; you probably heard of some of the biggest ones, DLA Piper was shut down for an entire week.

And one in four law firms, which 80% of law firms are fewer than 10 attorneys, have been breached, but they probably don’t know it because they don’t have the technology to even detect an intrusion.

Whereas a cloud service, what a cloud is offering is trust, like hey, listen, trust us to host your data because we have a team of engineers that are monitoring for detection, we have a software enabled that’s monitoring for intrusion detection, we have encryption at rest, we have SOC 2 Type 2 certifications, we have all these things. But fundamentally what they are selling is trust, and there’s ways to verify that trust if you are a law firm.

Most of these companies are going to have a security page where they list all their certifications, you can ask for copies of their SOC 2 Type 2, which is a big difference than a Type 1 certification, not just what Amazon provides. You can’t get by with that. I wouldn’t trust that, because obviously Amazon’s data center is SOC 2 Type 2 certified, amongst other things, but maybe the vendor selling the services hasn’t actually achieved a level of SOC 2 certification on their own, which is a red flag. So you can test that.

If you want to — if you are spending a lot of money in these cloud services, you can hire 10 testers, almost like white hat hackers, where they will try and penetrate the production environment of this cloud service. I wouldn’t recommend that for anything. If you are not going to spend $100,000 or more a year in these services, you probably can’t afford that.

The ABA offers a variety of CLE programs. Their January 9 program looks promising. It’s part of their Best of ABA TECHSHOW series:

Bitcoin and Blockchain for LawyersWhat are the benefits and potential pitfalls of blockchain technology? What are cryptocurrencies, digital coins, initial coin offerings (ICOs) and how they are regulated.