
Let's talk about security

Feb 22

Hello everyone! This past week, a certain New York Times article went around on the LSTech listserv regarding a report from the cybersecurity firm Mandiant that strongly implied that the Chinese army is behind a particularly invasive string of hacks on American infrastructure. The attacks (over 140 documented since 2006) have “drained terabytes of data from companies like Coca-Cola, [but] increasingly [the group’s] focus is on companies involved in the critical infrastructure of the United States – its electrical power grid, gas lines and waterworks.” Their high-tech approach and continued menace classify them as an advanced persistent threat (APT).

So that’s pretty scary, but why are we talking about this? Surely the Chinese government can’t be too interested in a group of American legal aid organizations? Actually, that’s a maybe. A report by Bloomberg Law last year suggested that because lawyers by the nature of their work have access to very sensitive secrets and aren’t used to dealing with security issues, they are a “‘weak link’ in the security chain.”

That’s fine, but how valuable can the kind of secrets held by legal aid attorneys be to a foreign government – or to anyone really, except for the opposing side? Maybe not too much, but as Kate Bladow pointed out on the listserv, (a) legal aid organizations probably don’t have a lot to spend on cybersecurity, and (b) they might be an attractive gateway to some “bigger fish;” that is, pro bono attorneys at large law firms who work with human rights cases or significant amounts of intellectual property. So – this is maybe a threat.

What definitely qualifies as a threat, however, are the methods used by this group, known as the “Comment Crew.” Primarily, this means “spearphishing:” gathering personal data about targets to make it more likely that they’ll open an email message equipped with malware. Phishing, spearphishing, and malware – among a host of other issues – are things that we all need to have on our radar in order to protect client data while working effectively.


So, with that (fairly long) introduction out of the way, let’s talk a little about some reasonable precautions we can all take to increase our Internet security. You’ve probably read it all before, but if you’re still not doing it – read it again.

Passwords

There’s a lot out there about password security. We all know that our passwords should have both upper and lowercase letters, numbers, symbols, hieroglyphs, gang symbols, and at least three letters from the Cyrillic alphabet. But of course that’s tough to handle when you’re logging into things all day and only have so much brain space for randomized, 65-character passwords. The solution, of course, is not easier passwords; it’s a password manager. I’ve seen recommendations for LastPass, KeePass, 1Password, and Password Safe.

What I didn’t realize about these services – and you might not either – is how easy they can be to use. Not only can they automatically save passwords they don’t yet have, sync to multiple devices (including smartphones), and allow login from a dropdown menu of your accounts, they can also automatically (and securely) log you in when you visit sites you specify. Basically, you don’t have to actually know your passwords ever again once you’re set up with a service like LastPass.

As far as generating those random passwords, you can certainly just give your keyboard a punch, see what comes out, and make that your password. Or, you can come up with passwords that only seem to be random by using a favorite poem, song, or quotation. Take the first letter of each word, throw in some capital letters, numbers, and symbols, and presto – it’s a password. By this method, the phrase “Be the change you wish to see in the world” becomes “Btcyw2sitw!”

Other important password tips include changing passwords regularly (some say as frequently as once a month), having a unique password for every login that stores sensitive or important information, requiring a password for your mobile devices, and never writing them down or sharing them with others. Furthermore, the answers to your security questions are usually pretty easy for a determined hacker to guess or find out – so, lie. Your mother’s maiden name was Smith? Not anymore! Now she’s Miss “3#fRny.” Cheers, Mom.
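The three password ideas above (let a manager draw a random password, build a memorable one from a phrase, and give security questions a random “lie”) side by side, as an added example that is not from the original post or any of the password managers it names. It uses only Python’s standard library; the character set, the 20-character default, and the `"to" -> "2"` substitution are assumptions chosen to reproduce the post’s own “Btcyw2sitw!” example.

```python
import math
import secrets
import string

# Assumption: a manager-style alphabet of letters, digits and symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character independently from `alphabet` with the OS CSPRNG.

    `secrets` rather than `random`: the latter is a Mersenne Twister whose
    state can be recovered from its output, so it must not be used for secrets.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def passphrase_initials(phrase: str, substitutions=None, suffix: str = "") -> str:
    """The post's mnemonic method: first letter of each word, optional word-level
    substitutions such as "to" -> "2", and a trailing symbol.

    The result is a deterministic function of a quotable phrase, so its real
    strength is the unpredictability of the phrase choice, not the 11 characters
    it happens to produce. Use it for the few passwords you must remember (the
    manager's master password), and let the manager generate the rest.
    """
    substitutions = substitutions or {}
    parts = []
    for word in phrase.split():
        key = word.lower().strip(string.punctuation)
        parts.append(substitutions.get(key, word[0]))
    return "".join(parts) + suffix


def security_question_answer(length: int = 16) -> str:
    """A random 'lie' for a security question; store it in the manager next to
    the password, since nobody is expected to remember it."""
    return generate_password(length, string.ascii_letters + string.digits)


if __name__ == "__main__":
    print(generate_password(), round(entropy_bits(20, len(ALPHABET)), 1), "bits")
    print(passphrase_initials("Be the change you wish to see in the world",
                              {"to": "2"}, "!"))
    print(security_question_answer())
```

A 20-character password from a 94-symbol alphabet carries about 131 bits of entropy; a 10-letter initialism of a famous quotation carries only as much as the guesser's uncertainty about which quotation you picked.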

Two-factor authentication

The next step in password security is to enable two-factor authentication for any service that has it, like Google and Dropbox. With this extra layer of security, logging onto your account from a new device will require a short code, which is sent via voice, email, or SMS to a pre-designated device like your phone or tablet. A hacker would therefore have to have access to that device as well as your account information in order to gain access.
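What the service has to do on its side to make that short code worth anything, as an added example that is not from the original post and not the code of Google, Dropbox, or any other provider: the code is random, expires quickly, works exactly once, and stops being accepted after a handful of wrong guesses. The five-minute lifetime, the five-attempt limit and the six-digit length are assumptions; the actual delivery over SMS, voice or email is outside the example.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6            # assumption: six-digit codes
CODE_TTL_SECONDS = 300     # assumption: a code is good for five minutes
MAX_ATTEMPTS = 5           # assumption: five wrong guesses invalidate the code


class OneTimeCodeStore:
    """Server-side record of codes sent out of band. `issue` returns the code
    that would be handed to the messaging service; `verify` checks a submission."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, so expiry can be tested
        self._pending = {}              # user -> (code, expires_at, attempts_left)

    def issue(self, user: str) -> str:
        # randbelow is uniform over [0, 10**6); zero-pad so the length never leaks.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = (code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[user]     # expired: the user must request a new one
            return False
        # Constant-time comparison: response time must not depend on how many
        # leading digits matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[user]     # single use: replaying the code fails
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user]     # too many guesses: code is burned
        else:
            self._pending[user] = (code, expires_at, attempts_left)
        return False


def walkthrough():
    """Exercise the store against a fake clock; returns the verify outcomes."""
    clock = [1_000_000.0]
    store = OneTimeCodeStore(now=lambda: clock[0])
    user = "attorney@example.org"       # constructed sample account
    results = []

    code = store.issue(user)
    wrong = "000000" if code != "000000" else "000001"
    results.append(store.verify(user, wrong))      # wrong guess      -> False
    results.append(store.verify(user, code))       # correct code     -> True
    results.append(store.verify(user, code))       # replayed code    -> False

    code = store.issue(user)
    clock[0] += CODE_TTL_SECONDS + 1
    results.append(store.verify(user, code))       # expired code     -> False

    code = store.issue(user)
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        store.verify(user, wrong)
    results.append(store.verify(user, code))       # burned by guesses -> False
    return tuple(results)


if __name__ == "__main__":
    print(walkthrough())
```

Without the attempt limit, a six-digit code with a five-minute window is only a million guesses away, which is well within reach of a script; the limit is what makes the short code adequate.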


If you’re a heavy user of Google Apps, also take a look at a list of Google’s security and privacy tools for the Web.

Separate accounts for everyone who uses your computer, especially if you work from home

It’s not an issue of trusting or not trusting your kids and/or spouse; it’s just professional to take all reasonable precautions to protect client data.

Backups (to the Cloud and locally) and file sync

If you’re really not backing up yet, drop everything you’re doing and start now. See our earlier post on online backup solutions to find one that will work for you.

Beyond that, most experts suggest also buying a hard drive for local backups. Lawyerist recommends the ioSafe SoloPro or Rugged Portable, which are a little pricey at $250 for the 1TB SoloPro or $160 for the 500GB Rugged Portable – but are basically indestructible. If nothing else, you can reenact this scene from Office Space and still have your data when you’re done.

Next, make sure you know the difference between file backup and file sync. While backups ensure that you won’t lose data should something unfortunate happen, file sync is designed so you can work from any location. It syncs your files across multiple devices, so if you delete something in one place, it disappears across the board. Dropbox does offer a “Packrat” (paid) option that works as a pretty good file backup; as long as you know the difference you should be fine.
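The backup-versus-sync distinction in runnable form, as an added example that is not from the original post and is not how Dropbox or any backup product is implemented: `sync` mirrors a folder, so a deletion propagates; `backup` takes dated snapshots that are never modified, so the deleted file can still be restored. The folder names and snapshot labels are constructed for the demonstration.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def sync(src: Path, dst: Path) -> None:
    """Mirror the files of src into dst. New or changed files are copied over,
    and files no longer in src are removed from dst, so a deletion (or an
    accidental overwrite) is faithfully replicated to every synced copy."""
    dst.mkdir(parents=True, exist_ok=True)
    src_names = {p.name for p in src.iterdir() if p.is_file()}
    for p in src.iterdir():
        if p.is_file():
            shutil.copy2(p, dst / p.name)
    for p in dst.iterdir():
        if p.is_file() and p.name not in src_names:
            p.unlink()


def backup(src: Path, backup_root: Path, label: str) -> Path:
    """Snapshot src into backup_root/<label>. Existing snapshots are never
    touched, which is exactly what lets you recover yesterday's file."""
    snapshot = backup_root / label
    if snapshot.exists():
        raise FileExistsError(f"snapshot {label} already exists")
    shutil.copytree(src, snapshot)
    return snapshot


def restore_file(backup_root: Path, name: str) -> Optional[bytes]:
    """Return the newest snapshot copy of `name`, or None if no snapshot has it.
    Labels are assumed to sort chronologically (ISO-style timestamps)."""
    for snapshot in sorted(backup_root.iterdir(), reverse=True):
        candidate = snapshot / name
        if candidate.is_file():
            return candidate.read_bytes()
    return None


def demonstrate():
    """Delete a file after syncing and backing up; report what each one keeps."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        work, mirror, backups = root / "work", root / "mirror", root / "backups"
        work.mkdir()
        backups.mkdir()
        (work / "notes.txt").write_bytes(b"client notes")     # constructed data
        (work / "brief.txt").write_bytes(b"draft brief")

        sync(work, mirror)
        backup(work, backups, "2013-02-22T09-00")

        (work / "notes.txt").unlink()                         # the accident
        sync(work, mirror)                                    # mirror follows suit
        backup(work, backups, "2013-02-22T17-00")             # new snapshot, old one intact

        return (mirror / "notes.txt").exists(), restore_file(backups, "notes.txt")


if __name__ == "__main__":
    print(demonstrate())   # (False, b'client notes')
```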

Don’t fear the Cloud

This article about Cloud security begins with a quote from Batman Begins, which is just too apt not to reproduce here:

“This is a world you’ll never understand. And you always fear what you don’t understand.”
– Carmine Falcone

The main point is, the Cloud is just about as safe a place to store your data as anywhere else, if you take reasonable precautions. You wouldn’t leave your paper files lying around in a public place, so don’t do the digital equivalent and leave your files with inadequate security. A big part of this is understanding how the Cloud works, when your files are protected, and when they’re not.

For example, Dropbox doesn’t encrypt your files (more on encryption below) until they reach the server, but it does encrypt the connection. So the “pipe” that your data travels through is secure, even if the data itself is not. And, once data reaches the Dropbox servers, it’s encrypted pretty well. Some Dropbox employees have the encryption key, meaning that they could technically look at your files (other data sync services like SpiderOak and Wuala encrypt data before it leaves your computer, so you’re the only one with the key). However, Dropbox of course prohibits its employees from looking through your files and frankly, with the amount of data that they store, I’m not sure what would tempt a rogue employee to go through my files as opposed to all the others they have access to. It seems like a remote possibility at best.

Understanding the way your Cloud applications (such as Dropbox) function can go a long way to helping you assess the security of those applications. When shopping for a new Cloud-based service, consider asking some of these questions to assess potential security threats. But don’t obsess about it: most experts, ethics boards, and the Cloud Security Alliance agree that with reasonable precautions, like those discussed here, the Cloud is a perfectly viable space in which to work. Check out this chart by the American Bar Association to see what your state has to say about the Cloud, and these guidelines and best practices by the Lawyerist to see an example of responsible, secure lawyering in the Cloud.

Encryption

One issue that came up a lot in my research that I think is kind of overlooked is encryption. It’s fairly easy to do and makes a huge difference if someone does intercept your data – either by stealing your actual computer or by stealing data in transit. Try TrueCrypt (a free, open-source solution), BitLocker (for PC), or FileVault (for Mac) to encrypt files, or PGP (Pretty Good Privacy; acquired by Symantec in 2010) for email encryption. Make sure that you also encrypt USB sticks and other portable media that store sensitive information.

Run scans and software updates

Make sure that you regularly run an antivirus program, many of which are available online for free. Examples include AVG Anti-Virus, avast! Antivirus, Microsoft Security Essentials or Windows Defender, Comodo Antivirus, Avira Free AntiVirus, Panda Cloud Antivirus, ClamWin Antivirus, and many others. Software like these could save you a lot of trouble by detecting a problem early, before it’s really a problem. And at $0 the price is right, so why not?

Also make sure to run software updates whenever you’re prompted to. Updates often contain security changes, so putting it off until later leaves your computer vulnerable in ways you might not know about.

Be careful out there!

Even if you’ve done all the things listed above and your office is super-secure, there will probably come a time when you have to leave the bubble, travel into the world, and use its Wi-Fi or computers. What then?

You probably know all the common-sense things: make sure to sign out of your accounts on public computers, don’t leave an account open and unattended in public, make sure you’re not saving the password when you login, clear the browser’s cache when you finish your session, and so on. But there are a couple other things you can do, too.

Browser extensions (also called add-ons or plug-ins) can do a lot to increase your security on a public or easily accessible Wi-Fi network (don’t think that just because it has a password it’s secure; anyone can ask for the password!). The Lawyerist suggests five web extensions for this purpose:

  • Adblock does what it sounds like: it blocks ads from automatically popping up.
  • Web of Trust (WOT) tells you about the trustworthiness of sites you visit, based on user feedback.
  • HotspotShield is a must-have when you’re using a public hotspot: it encrypts your connection so that anyone monitoring the network won’t see what you’re doing.
  • Disconnect (for Chrome and Safari) prevents third parties from tracking your web travels and prevents session hijacking (attacks that occur when visiting a website that links to a third party web service).

If you’re using a public computer, PCWorld suggests carrying a USB flash drive loaded with the Knoppix bootable operating system, which you can load up with 2GB of Internet tools, applications, and utilities. However, a more workable solution might be to simply load that same USB flash drive up with portable applications from PortableApps.com, which can all store temporary and cache files on the drive. Also consider adding a portable antivirus scanner (like ClamWin) to your flash drive, so you can check the computer out before you start working.

See this TechSoup article for a good overview of security practices for the mobile office.

Don’t trust anything with a hard drive

Remember that the data on your devices doesn’t disappear when you throw away, donate, or recycle them. And this doesn’t just mean computers – a few years ago, CBS reported on the ease of acquiring copies of sensitive documents from recycled copy machines. In order to really make sure that old data is safe, anything and everything that stores data needs to be wiped before leaving the office.

Simply deleting files is not enough; the hard drive needs to be either physically destroyed (cue: the copier scene from Office Space, again) or wiped. TechSoup recommends programs including Active @ KillDisk, Darik’s Boot and Nuke, WipeDrive, or Macintosh Disk Utility to wipe data.
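Why “delete” is not “wipe”, as an added example that is not from the original post and not the code of any of the tools it names: deleting a file only drops the directory entry, while wiping overwrites the bytes first. The function below overwrites a single file in place with random data before unlinking it. It is deliberately narrower than the whole-drive tools above, and its docstring lists the cases (SSDs, journaling filesystems, free space, swap) in which a per-file overwrite is not enough and whole-drive wiping or physical destruction remains the answer. The sample file contents and pass count are constructed for the demonstration.

```python
import os
import secrets
import tempfile
from pathlib import Path


def overwrite_file(path: Path, passes: int = 3, chunk_size: int = 1 << 20) -> int:
    """Overwrite a file's contents in place `passes` times with random bytes,
    forcing each pass to disk, and return the total number of bytes written.

    Limits of a per-file overwrite, which is why whole-drive wiping or physical
    destruction is the safe default for retiring hardware:
      - SSDs remap writes, so the old blocks can survive where the OS can't reach;
      - journaling and copy-on-write filesystems may keep earlier copies;
      - only this file is touched: free space, swap and temp copies are not.
    """
    size = path.stat().st_size
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())    # make sure the pass reaches the disk, not just the cache
    return written


def shred(path: Path, passes: int = 3) -> int:
    """Overwrite, then remove the directory entry. Returns bytes written."""
    written = overwrite_file(path, passes)
    path.unlink()
    return written


def demonstrate(passes: int = 2):
    """Shred a constructed file; report what changed at each step."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "old-memo.bin"
        original = b"privileged memo\n" * 512          # 8192 bytes, constructed
        target.write_bytes(original)
        written = overwrite_file(target, passes=passes)
        after = target.read_bytes()                     # same size, unrecognisable
        shred(target, passes=1)
        return written, len(after) == len(original), after != original, target.exists()


if __name__ == "__main__":
    print(demonstrate())   # (16384, True, True, False)
```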

Security policy for the office

To deal with the multitude of issues and practices discussed above, and all that comes with trying to convince everyone in the office to take proper security measures, consider writing an IT security policy for your organization if you don’t already have one. Use the policy to outline things like which devices can leave the office or access which networks, password protocols, and any other security measures that you decide on. Make sure it’s written so that everyone can understand what’s expected of them, and make sure they know about it and can access it easily (don’t be these guys).

See this guide for tips on writing an IT security policy, this incredibly detailed sample policy, or the attached FAQ document from Montana Legal Services Association, which covers topics you might consider including in a policy.

Further reading

If the above just wasn’t enough for your ravenous IT security appetite, check out these articles for more:

Thanks for reading, everyone, and happy Friday! Stay safe out there,
Liz

Comments

Hi, Liz -

A couple of important points:

  • All legal aid organizations are attacked daily. Some of these attacks are successful. I'm not particularly savvy when it comes to identifying hacked websites, but I've found and reported four websites in the legal aid community that have been the victims of website attacks, which defaced their websites with URLs hidden in the source code. And while I was at Pro Bono Net, the LawHelp Interactive logs regularly recorded scripts that were probing for vulnerabilities. (Most of which were aimed at PHP-based systems, which LHI isn't.)
  • Most of these attacks are not aimed at a specific organization and are simply looking for any opportunity. The people behind these attacks may just be seeing if they can get into systems, collecting as many social security or credit card numbers as possible so that they can sell them, adding to their bot network, or gathering passwords to reverse engineer.
  • Some organizations are attacked by people who are specifically looking to get into their systems. This might be the Chinese Army, it might be Anonymous or another hacktivist, or it could be the opposing party in a case.
  • The people behind these attacks don't have to be highly skilled. Once a "hack" is in the wild, people package it up and sell it to others who use it. It can be a matter of following step-by-step instructions.
  • If your organization is hacked, please get help. You can report it to the FBI or the US-CERT. They may also be able to point you to resources that can help you understand what happened and fix your systems.
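The kind of log check the first bullet of the comment above describes (automated probes for PHP-based software hitting a site that runs no PHP), as an added example that is not part of the comment or the post and is not LawHelp Interactive’s code. It parses combined-format web server log lines and reports which clients repeatedly received a 404 for `*.php` paths. The log lines are constructed, with documentation-reserved IP addresses; the threshold of two requests is an assumption.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed combined-format access log (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Feb/2013:09:12:01 -0500] "GET /index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Feb/2013:09:12:02 -0500] "GET /admin/login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Feb/2013:09:12:02 -0500] "GET /setup.php?step=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.22 - - [22/Feb/2013:09:15:44 -0500] "GET /forms/divorce HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.22 - - [22/Feb/2013:09:15:45 -0500] "GET /static/app.js HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Feb/2013:09:20:10 -0500] "GET /old-page.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_php_probe(entry: dict) -> bool:
    """On a site that serves no PHP, a 404 for a .php path is a request for
    software you don't run, i.e. a scanner trying its list. Query strings are
    stripped before the extension check."""
    path = entry["path"].split("?", 1)[0].lower()
    return path.endswith(".php") and entry["status"] == "404"


def probe_report(log_text: str, threshold: int = 2) -> Dict[str, int]:
    """Count probe hits per client IP; return those at or above `threshold`.
    A single stale link can look like a probe, so one hit alone is not flagged."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_php_probe(entry):
            hits[entry["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in probe_report(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests for PHP paths that don't exist here")
```

Once a client is flagged, the useful response is on the defender's side: confirm the site really serves no PHP, block or rate-limit the source at the firewall or web server, and make sure the software you do run is patched, since the same scanners carry lists for other platforms too.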

Thanks so much for sharing! This is some great info, and certainly stuff we should all be aware of.

Ms. Bladow also shared this article on payday loan spam on websites. Look out!