Hackers’ Newest Target: Lawyers

Frightening news from the security world: the ABA Journal is reporting that hackers’ newest targets include lawyers and law firms. “Cybercriminals tend to focus where the weak spots are,” says Gerhard Eschelbeck, chief technology officer at Sophos, a computer security firm, “[and] law firms are soft targets.” Eschelbeck said that, unlike the movie versions, the hackers he’s talking about are not pimply-faced nerds, or Matthew Broderick in his parents’ house, but rather nation-states looking for valuable information. “Law firms need to understand that they’re being targeted by the best, most advanced attackers out there,” says Shane M. McGee, general counsel and vice president of legal affairs at Mandiant Corp., a cybersecurity firm. “These attackers will use every resource at their disposal to compromise law firms because they can, if successful, steal the intellectual property and corporate secrets of not just a single company but of the hundreds or thousands of companies that the targeted law firm represents. Law firms are, in that sense, ‘one-stop shops’ for attackers.”

So what can be done? As I reported last week in my discussions about the “Bring Your Own Device” (BYOD) movement (BYOD: 5 Steps to Protect Your Client and Save Money and 10 Tips for Developing Effective BYOD Policies), one of the biggest keys is coming up with a policy that will be enforced firm-wide, with universally applicable consequences. What other ways can you and your firm best protect yourself from hackers? The article had these suggestions:

Secure all mobile devices by having your IT department/consultant encrypt your sensitive data;
Ensure that any contracts you have with cloud-based data...

Four Alternatives to Dropbox to Meet Your Firm’s Storage Needs

A little while back, I wrote an article about the security hazards posed by using Dropbox as your firm’s go-to cloud-based data storage, and why you might want to consider alternatives to Dropbox. While ideal for collaboration and portability of documents, the potential security risks inherent in using Dropbox are significant, unless you adopt specialized encryption software. Other major security issues include that one time when they turned off the password requirement for millions of accounts, stripping them of the little security they had. Those security threats are made even more serious when you consider that the recent ABA Tech Survey reported that Dropbox was, by far, the preferred cloud-based data storage service for attorneys. Well, again a tip-of-my-hat to the guys over at PC World, as they have come up with a list of four alternatives to Dropbox, ideal for small businesses such as law firms.

1) SpiderOak
Free Storage: 2GB (same as Dropbox)
Pricing: $100/year for 100GB, $600/month for 1TB (100 users)
Best option for: Security

SpiderOak, a cloud-based data storage service that already has numerous advocates in the legal field, is a fully secure online storage and syncing service. All of your data, and your password, are fully encrypted (using a combination of 2048-bit RSA and 256-bit AES encryption). Additionally, unlike the privacy policy at the heart of Dropbox’s little issue discussed above, SpiderOak has a “zero-knowledge” privacy policy, meaning that not even employees of SpiderOak have access to your documents without your password. This little feature also means you’d better freaking remember your password! SpiderOak has a desktop client, available for Windows, Mac...

10 Tips for Developing Effective BYOD Policies

Earlier this week I wrote about the rise of the “Bring Your Own Device” (BYOD) paradigm in modern business. What I did not discuss in detail was the best way to develop effective BYOD policies to guide your firm in the future. These policies will address how you protect your vital client information and firm data while allowing attorneys and staff the flexibility that mobile devices provide, along with the comfort of using their own devices. As such, it is CRUCIAL that the policies are developed with an eye toward the future, and are not assembled haphazardly. Here are my 10 Tips for Developing Effective BYOD Policies:

1) Development of the policy must be transparent and inclusive. This policy will govern what devices your attorneys and staff can use, how they can use them, and will, most likely, limit the ways they can use their devices for personal use. Remember that you’re still pitching this whole program as being beneficial, without regard for the fact that you’re actually pushing a business expense onto your staff. Therefore, everyone should feel like they had input. (For outside assistance, you can always check out some of the mobility management programs, like this one offered by CDW.)

2) The policies must be universal, in both applicability and enforcement. Nobody likes it when someone is able to “pull rank” to avoid doing something that everyone else has to do. Even worse is when someone higher up on the food chain is caught doing something against company policy, but there are no repercussions. For a policy to be effective, everyone has to follow it. The...

BYOD: Five Steps to Protect Your Clients and Save Money!

Everyone in business looks for that little tactical advantage, that one way to save money that has no impact on the quality of work. For most companies nowadays, overhead and employee perks have been one of the most popular places that companies have been seeking that edge – cutting back on company cars, health insurance plans, expensive office services. But that one perfect way to save, it turns out, didn’t happen through a cost-cutting analysis, but when the guy in the office next door began accessing his company email with his iPhone.

In the fall of 2008, I offered to gather some information for my firm about a proposal to purchase BlackBerrys for all of the attorneys in the office (at the time, of the 12 attorneys, only the five partners had firm-provided phones). It was the height of BlackBerry dominance in the corporate business world, and many seemed to look at BlackBerry as the only sensible option at the time. I prepared a full report to the associates about which line of phones and plans we should request, but to my shock, the plan to request the phones was voted down. I purchased my first iPhone shortly thereafter, and used its email system to connect to the firm’s Exchange server. Little did I know that instead of participating in the end of the glory days of BlackBerry, I was part of a new trend in technology: “Bring Your Own Device,” or BYOD. Businesses everywhere have come to the realization that they can save a TON of money simply by allowing their employees to bring their devices with them...

Google: Email Users Have No Expectation of Privacy

So I read the headline of an article this morning that read: “Google Filing Says Gmail Users Have No Expectation of Privacy,” and I was a little amazed that Google would be so brazen. Sure, as a user of Gmail, Google’s industry-leading email platform, I am aware that they scan the emails I send out (see my earlier post about being a little creeped out when talking about Sherlock Holmes in an email led to Sherlock Holmes ads appearing on my Gmail page) and that privacy advocates and Google’s competitors have been shouting from the rooftops about Google invading people’s privacy. Still, I found it hard to believe that the headline of that article was accurate, so I dug deeper. As it turns out, Google is actually asserting that it’s not just Gmail users, but anyone who uses email at all that has no expectation of privacy regarding their emails.

I tend to be the type of attorney who reads what non-lawyers write about lawsuits in general, and specific legal argument and contentions in particular, with a grain of salt. As a litigator, I’m very familiar with the concept of things that seem illogical, such as pleading in the alternative, but are a part of regular legal practice, and serve important goals. A party, at the beginning of litigation, should be allowed to plead in the alternative, because it is highly likely that not all the necessary facts and information are readily available prior to discovery (or even after discovery, if the proposed amendments to the federal discovery rules are adopted, but I digress). So what is the case,...

Is Your Android Device Secure? New Vulnerabilities Raise Serious Concerns (Part 3)

Ever heard of the “Master Key,” or know how your “weblogin Token” can be stolen? Both are serious issues that demand the question: “Is your Android device secure?” As an attorney, it’s likely that you use your phone or tablet to conduct business, including storing or discussing confidential client information. If any of the devices you use operate on the Android OS, you had better have the security of that information in mind, and know how to minimize your risks. In this three-part article, I hope to help you do just that.

Finally, the story of the HTC One S and how you can protect yourself and your clients…

(In Part 1, I will discuss the “Master Key” vulnerability, in Part 2, I will discuss the recently revealed security problem with Google’s “weblogin Token,” and in Part 3, I will talk about how Google’s piecemeal update system makes these vulnerabilities particularly worrisome, and what attorneys can do to protect themselves and their clients’ confidential information.)

The final section of this article deals primarily with how attorneys can protect themselves and their clients from attacks through these particular vulnerabilities. Some of you may be saying to yourselves: “As long as I pay close attention to what I put on my Android device, I should be just fine.” To those of you who say that, I give you this:

The HTC One S

Recently, phone manufacturer HTC announced that they would no longer provide any updates for the HTC One S, a smartphone that operates on Google’s Android OS. The announcement serves as the perfect example of how Android’s manufacturer-based update system...

Is Your Android Device Secure? New Vulnerabilities Raise Serious Questions (Part 2)

Ever heard of the “Master Key,” or know how your “weblogin Token” can be stolen? Both are serious issues that demand the question: “Is your Android device secure?” As an attorney, it’s likely that you use your phone or tablet to conduct business, including storing or discussing confidential client information. If any of the devices you use operate on the Android OS, you had better have the security of that information in mind, and know how to minimize your risks. In this three-part article, I hope to help you do just that.

Next, what is the “weblogin Token,” and how does it affect my security…

(In Part 1, I discussed the “Master Key” vulnerability, in Part 2, I will discuss the recently revealed security problem with Google’s “weblogin Token,” and in Part 3, I will talk about how Google’s piecemeal update system makes these vulnerabilities particularly worrisome, and what attorneys can do to protect themselves and their clients’ confidential information.)

If you have an Android device, odds are you use that device to log in to a Google account somewhere. Be it Gmail, Google Calendar, Google Drive, or even Google Apps for Business, you probably log in using your Android device. For good reason: Google offers you an easy way to log in to all of your Google sites through your Android device through their “weblogin” program. The weblogin program works by creating a unique “token” on your device when you sync it up with your Google accounts. Any time you access those Google accounts from your Android device once the token is set up, you are automatically authenticated...

Is Your Android Device Secure? New Vulnerabilities Raise Serious Questions (Part 1)

**UPDATED** as of 5:18 pm EDT

Ever heard of the “Master Key,” or know how your “weblogin Token” can be stolen? Both are serious issues that demand the question: “Is your Android device secure?” As an attorney, it’s likely that you use your phone or tablet to conduct business, including storing or discussing confidential client information. If any of the devices you use operate on the Android OS, you had better have the security of that information in mind, and know how to minimize your risks. In this three-part article, I hope to help you do just that.

First, what is the “Master Key,” and how does it affect my security…

(In Part 1, I will discuss the “Master Key” vulnerability, in Part 2, I will discuss the recently revealed security problem with Google’s “weblogin Token,” and in Part 3, I will talk about how Google’s piecemeal update system makes these vulnerabilities particularly worrisome, and what attorneys can do to protect themselves and their clients’ confidential information.)

A recent analysis revealed a new, disturbing vulnerability in the Android OS, ominously referred to as the “Master Key.” How disturbing? Apparently 99% of Android devices are susceptible. This vulnerability could potentially allow hackers to convert any app into a malicious Trojan without setting off the security system that Google uses to prevent apps from being modified, called the “cryptographic signature.” Specifically, each Google app has the “cryptographic signature” safety feature which acts essentially like a seal to indicate when an app has been tampered with (akin to the safety seal on a bottle of aspirin). Google’s system is set up to...

Too Good to be True: Dropbox’s Little Security Problem

Yeah, I have to admit that I love Dropbox. It may be the second most useful app I have on my iPad (the most useful is iAnnotate, which I’ll discuss at another time). It’s freaking great! Files transfer seamlessly (or as seamlessly as your internet connection allows). I can make changes on my computer at home, upload those changes to Dropbox, make additional changes on my iPad, then use Dropbox to transfer that version to my work computer. What’s not to love? Oh, right. Dropbox is, apparently, a gigantic, gaping hole in your company’s firewall and information security system.

We all know that companies ban employees from using certain websites while at work. It’s not always helpful for business productivity for employees to always be on Facebook during the day, and while there would probably be a second revolution, it wouldn’t be hard to understand why companies would want to block sports or betting sites during the NCAA Men’s Basketball Tournament. Companies are wising up to the use of apps too, a problem that is becoming more prevalent in the growing world of “BYOD” (Bring Your Own Device). A list of the Top 10 Most Banned Apps (for iOS and Android) was published earlier this month, and it contained plenty of the usual suspects: Angry Birds had a place on both lists, as did Facebook and Netflix. However, I was quite surprised to find Dropbox on both lists. OK, actually, let me modify that: I was quite surprised to find Dropbox WAS THE #1 MOST BANNED APP ON BOTH LISTS. I figured, well, banning Dropbox circumvents the ability of...