Attorneys have a professional obligation to protect client confidences and communications, but technology has made this increasingly difficult.  As a recent article in the Wall Street Journal, “Lawyers Vigilant on Cybersecurity,” explains, lawyers face serious cybersecurity threats precisely because their clients entrust them with highly sensitive and classified information.  Criminal and state-sponsored hackers target law firms to gain access to these confidential cases, especially if the information involves corporate mergers or acquisitions.  In some instances, insider information could be sold for millions, and so tech-savvy criminals go after the weakest link—the lawyers with access to this sensitive data.

There are no statistics on how many firms have been hacked: The FBI doesn’t keep records on which types of businesses have been the subject of attacks, and law firms have been less than forthcoming about whether they’ve had security breaches.  Admitting client information leaks would be far too damaging to a firm’s reputation.  Law-enforcement officials suggest, however, that more and more often, law firms find themselves the targets of cyberattacks.  As the Wall Street Journal article notes, the FBI has evidence of confidential business documents exfiltrated from law firms via cyberattacks.

Recently proposed changes to attorney ethical rules by the American Bar Association (ABA) also suggest that the profession sees technical breaches as an industry-wide problem.  Earlier this week the ABA Commission on Ethics announced that its proposed changes to the Model Rules include requiring lawyers to take proactive measures to protect their clients’ information when using new technologies.  The proposed edits suggest that lawyers have to be more aware of both “inadvertent and unauthorized” disclosures—in other words, leaks from inside and hacks from outside a firm. These changes warn technophobes that they need to abandon their Luddite ways, because lawyers now have a duty to “keep abreast of changes in the law,… including the benefits and risks associated with relevant technology.” In other words, claiming ignorance is simply not an excuse.

By putting the onus on lawyers, the ABA is acknowledging what those of us who study and track security breaches have been shouting from the rooftops for years: preventing security breaches is not just about technology; it’s about changing human behavior.  As the Wall Street Journal article makes clear, “the weakest link at law firms of any size are often their own employees.”

Other industries face similar problems.  For example, a recent article on data breaches in the health care industry suggests that the epidemic of breaches of confidential health care information has more to do with human error than it does with IT shortcomings. As Larry Clinton, president and CEO of the trade association Internet Security Alliance, succinctly points out, when it comes to data breaches, “[p]eople are the biggest problem.”  Consequently, Clinton predicts that breaches in hospitals and health care systems will only be prevented if these organizations approach these breaches as a “human-resource management issue and not an IT issue.”

In other words, phones don’t just go around leaking information. Email accounts don’t shoot off confidential messages at random.  Computers are not really out to get us.  These technologies become weapons in the hands of adversaries because users didn’t take the necessary precautions to protect their data.   

Moreover, despite what people usually assume, taking these precautions doesn’t require having a Master’s degree in computer science.  In many instances, all that’s called for is simple behavior modification coupled with a healthy dose of common sense:

  • Password protect your cell phone, tablet and laptop. 
  • Use different passwords for different devices and accounts, and make sure they are hack-proof. Programs like Kaspersky Password Manager can generate virtually hack-proof passwords and keep a running list of all your different passwords.  
  • Don’t use free Wi-Fi connections, since hackers rely on free Wi-Fi to eavesdrop on users’ conversations.  
  • Don’t click on links in text messages because doing so might activate malware that could log keystrokes or even record phone calls. 
  • Be suspicious of any emails from unknown senders that ask you to open attachments or click on links—these so-called Trojan emails will retrieve data from your computer. 
  • Invest in good computer security software, and for heaven’s sake, keep its settings updated and make sure to run checks on it on a regular basis.  Otherwise, it’s like investing in an expensive alarm system for your home but refusing to set it before you go out. 

The real key to security for cell phone communications, internet browsing and emailing is human behavior. Peace of mind will only come once people change how they act. For lawyers, that time may be sooner, rather than later.   

A sophisticated friend of our firm was in the market for a luxury car and found one for sale via the Internet. His concern was aroused when the seller said she was handling the sale through a company called Escrow Atlantic, an international payments company.


Our friend asked us to look at this company, and the results make for a nice case study in the detection of possible fraud.

We started with the Escrow Atlantic website. It looks professional enough, but we always like to know who has registered an internet domain since that can provide a good clue as to who is behind the operation. Sometimes this is hidden information, but in this case it isn’t. It turns out that by going to Network Solutions’ Who Is registry here, we found that Escrow Atlantic’s site is registered to a man in Florida who has an Italian telephone number. His email address is a hotmail account with the name of a different individual.

None of this is tantamount to a scam, of course, but it’s a little unusual. Why not a company email address? Why an Italian phone number when, according to the company website, the company has no office in Italy?

We pressed on and tried to call Escrow Atlantic, but the toll-free number went to the voicemail of “Escrow Atlantic” (and not a particular person). The numbers for the Florida and Missouri offices went instantly to voicemail, and we were unable to connect with the London number.

A search for a business registration record at the Secretaries of State in Florida and Missouri turned up no record of a company called Escrow Atlantic. Nor was it registered under that name at Companies House in the United Kingdom, where you can do a free search here.

Finally, we emailed the Missouri office of Escrow Atlantic, and here we got quick responses, up to a point. Where is the company registered? We were referred to the website’s contact page with the office addresses and phone numbers. We asked again and were told that Escrow Atlantic is “Registered in the United Kingdom with offices in America and Australia.”

Unfortunately, when we responded that we could find no registration in the UK, the company went quiet on us. Of course, Escrow Atlantic could be a “DBA,” or doing business as – a business name different from the official company name – but it would be easy enough for the company to tell us that.

While we can’t say that Escrow Atlantic is not a reputable company, if it is, it could do two things to boost our confidence:

  1. Get someone –  anyone – to answer the phone;
  2. Provide that most basic of information: the place of incorporation and the name of the company that was incorporated.


Good investigators are not necessarily smarter than the people they help. What often makes a good investigation is one in which “known” facts are independently evaluated once again.


Just as we sometimes want a second opinion on a complex medical or legal matter, gathering and weighing the credibility of facts can also benefit from a fresh pair of eyes.

The recent article by Jack Hitt in The New Yorker called “Words on Trial” explores the field of forensic linguistics. Famous for figuring out the identity of anonymous authors (as in the case of “Primary Colors”), or threatening notes based on word patterns and other signs, this field also looks at the apparently plain meaning of a transcribed phrase and whether or not the phrase could mean the very opposite of what’s printed on the page.

In one case described in the article, “I would take a bribe, wouldn’t you?” on the transcript could also have plausibly been “I wouldn’t take a bribe, would you?” and resulted in a hung jury. Another controversy was whether a transcribed “No, she didn’t” may have been “Sure, no, she did.”

All the more reason to interview people if you can, rather than rely on the reporting of others. We’ve repeatedly stressed the value of doing your own interviews in other entries, including “The Key to a Good Interview is Silence” and “Talk Isn’t Cheap, Even When Offline.”

Beyond the ability to listen and to tease out meaning, a second look at information can help because people are sometimes irrationally disposed to put too much or too little weight on one source or another. We’ve written in our “Fact Finding Test for Lawyers” about the inordinately heavy amount of trust people put into a Google Search.

Now comes a study from Penn State Professor Mike Schmierbach and Ph.D. candidate Anne Oeldorf-Hirsch that claims “a New York Times story posted on the newspaper’s website was seen by respondents as more credible than when the same story was posted on the newspaper’s Twitter feed.” This makes no sense because the Twitter feed links to the supposedly more trustworthy website.

But it does beg the question: how many times a day do we put the wrong amount of trust in a quotation, a statistic, an asserted fact or other piece of information?

The news is out and it’s not good. In fact, it’s downright troubling.  It seems that every day, usually several times a day, there is more and more information available about the dangers of the Internet.  It’s enough to make a Luddite out of even the most devoted technophile.  Here’s a sampling of some of the latest updates on the lack of privacy on the Internet, and threats to personal and financial information:

  • Online Tracking is Worse Than We Thought: UC Berkeley Law School recently released its first ever Web Privacy Census, which was aimed at measuring how companies track visitors to their websites. The report confirmed that all the top 100 web sites use cookies to track users and visitors. If that’s not worrisome enough, the study also determined that the use of tracking software on users’ computers has doubled in the past year. This is about more than tracking users anonymously to provide targeted advertising—like when you scroll a website for a grill and then you check your email and suddenly see ads for some of the same grills you clicked on from the sites you just visited.  Apparently, companies are just as likely to collect and use personal information in ways that may subject consumers to price discrimination, lowered credit scores and limits, and even identity theft.
  • Social Networking Can Be Dangerous: The FBI recently issued a new warning on social networking.  The FBI pointed out that hackers are not only threatening governments—they are also targeting individual users via social networks, exposing the users and their workplaces, if they are online in the office, to great harm.  Hackers either exploit personal connections through social networks or write and manipulate computer code to gain access and/or install unwanted software on personal or company computers or phones. 
  • Tweets and Facebook Posts May be Used Against You: The courts continue to weigh in on whether social networking may be used against users who post information on their personal sites.  While the judiciary’s responses vary on a case-by-case basis, so far the trend seems to be that posts on Facebook or tweets may be used as grounds for dismissals from jobs, or even against defendants in criminal or civil cases.

Politicians are paying attention.  Senators and Representatives have introduced a plethora of competing bills and held or plan to hold a number of hearings to discuss how best to protect Internet users.  A good summary of the most recent efforts can be found on the Data Privacy Monitor blog run by the law firm Baker Hostetler.  Issues being addressed include protections to safeguard users’ privacy, requiring greater transparency from companies about how they troll for information from users and what they use that data for, and clearer terms of use that allow consumers to easily opt out of having their time online tracked.  In addition, the National Telecommunications & Information Administration (NTIA) has announced its first meeting to develop a code of conduct in order to uncover how companies that provide apps for mobile devices deal with personal information.

Keeping up with all the changes is daunting, but as we’ve said before, in our entries “The Myth of Online Privacy” and “Fight Hackers With Encryption,” there are simple steps you can take to protect yourself.  This article, “How to Keep Your Facebook Profile Private Yet Usable,” written by Dave Copeland details the best ways to protect yourself on Facebook, short of not signing up in the first place. Numerous software programs exist to block tracking data from being stored on your computers.  Creating a clear Internet use policy for your company and making sure your employees understand what is expected of them is also a good plan.

And, as always, doing the bare minimum is crucial: encrypting emails, only using secure Wi-Fi connections and avoiding some of the most common tricks used to activate malware that can log keystrokes or record phone calls.

None of these measures will provide complete protection, but they are good places to start to ensure that you and your company are being proactive about guarding against some of the dangers that lurk online. 

Cardozo Law School recently hosted a multi-disciplinary conference on privacy and the Internet, “Anonymity and Identity in the Information Age.”  Lawyers, computer scientists and public health advocates wrestled with the challenges of protecting personal information at a time when so much data is easily obtainable online.  There were various tips and suggestions beyond merely mastering privacy settings on social media sites and avoiding public Wi-Fi hot spots when doing any online banking—although these are easy and important first steps.

Recently there have also been a number of good articles inspired by the public acknowledgement that major Internet companies like Google have been less than forthright about their use and abuse of private information, as confirmed by the FCC’s decision to fine Google for its collection of private data during its Street View program.  The best ones, like “How to Muddy Your Tracks on the Internet” by Kate Murphy in the New York Times, are easy how-to guides for savvy Internet users interested in gaining control over their information.  Devoid of jargon, Murphy clearly details easy steps to take in the defense against online snooping. 

But however empowering it may feel to think we’ve finally mastered the privacy settings of the technologies we use every day, the truth of the matter is that despite all our best efforts, information can and will be leaked.  As computer science Professor Steven Bellovin of Columbia University explained at the Cardozo conference, you can protect your email correspondence from being cross-referenced with your browsing history if you avoid Google or Yahoo email accounts and instead set up your own mail server.  But your messages are still fair game to Google if you email someone with a Gmail account.  Or you can activate your browser’s privacy mode to help wipe clean your browsing history.  But this change will stop short of concealing your computer’s I.P. address, the unique identifier that distinguishes it from all other computers.  And as Murphy points out, deciding to take that extra step and mask your I.P. address means incurring additional costs and possibly severely compromising your Internet speed.

Or you may assume that because you’ve never posted your address or physical whereabouts on Facebook or Twitter that you’ve managed to conceal where you actually live.  But the minute you post a picture, the image’s metadata may pinpoint the coordinates of where you took the shot.  So if you snapped that picture of your new puppy at home, you might be giving out your exact location when you upload it to Facebook. 
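The location leak described above can be checked for, and removed, before a photo is uploaded. What follows is an added example and not code from the original post: a small standard-library Python parser that walks a JPEG’s marker segments, reads the Exif GPS IFD in either byte order, converts the degrees/minutes/seconds rationals into a signed decimal latitude and longitude, and strips the Exif segment so the picture can be shared without it. The sample JPEG and its coordinates (51°30'36" N, 0°7'39" W) are constructed inside the block for the demonstration and do not come from a real photo.

```python
import struct

# JPEG markers and the Exif/TIFF constants the parser needs
SOI, APP1, SOS = 0xFFD8, 0xFFE1, 0xFFDA
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # 0th-IFD entry pointing at the GPS IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _segments(data):
    """Yield (marker, start, end) for each marker segment between SOI and SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])  # markers are always big-endian
        if marker == SOS:                 # entropy-coded image data follows; stop walking
            return
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, endian, offset):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at offset."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(endian + "HHI", tiff, base)
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _rationals(tiff, endian, entry):
    """Dereference a RATIONAL entry (numerator/denominator pairs stored at an offset)."""
    typ, count, raw = entry
    if typ != TYPE_RATIONAL:
        raise ValueError("expected RATIONAL")
    (off,) = struct.unpack(endian + "I", raw)
    vals = struct.unpack_from(endian + "II" * count, tiff, off)
    return [vals[2 * i] / vals[2 * i + 1] for i in range(count)]


def find_gps(jpeg):
    """Return (latitude, longitude) in signed decimal degrees, or None if the file carries no GPS tags."""
    for marker, start, end in _segments(jpeg):
        if marker != APP1 or jpeg[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = jpeg[start + 10:end]                       # TIFF structure; offsets are relative to here
        endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
        (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, endian, ifd0_off)
        if TAG_GPS_IFD not in ifd0:
            return None
        (gps_off,) = struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])
        gps = _read_ifd(tiff, endian, gps_off)
        if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
            return None

        def dms(tag, ref_tag, negative_ref):
            d, m, s = _rationals(tiff, endian, gps[tag])
            value = d + m / 60 + s / 3600
            return -value if gps[ref_tag][2][:1] == negative_ref else value

        return dms(TAG_LAT, TAG_LAT_REF, b"S"), dms(TAG_LON, TAG_LON_REF, b"W")
    return None


def strip_exif(jpeg):
    """Copy the JPEG without its Exif APP1 segment; the picture data itself is left untouched."""
    out = bytearray(b"\xff\xd8")
    pos = 2
    for marker, start, end in _segments(jpeg):
        if not (marker == APP1 and jpeg[start + 4:start + 10] == EXIF_HEADER):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                                     # SOS and everything after it, unchanged
    return bytes(out)


def build_sample_jpeg(lat_dms=(51, 30, 36), lat_ref=b"N", lon_dms=(0, 7, 39), lon_ref=b"W", endian=">"):
    """CONSTRUCTED sample: a minimal JPEG whose only Exif content is a GPS IFD (not a real photo)."""
    E = endian

    def entry(tag, typ, count, field):          # one 12-byte IFD entry; field is the 4-byte value/offset
        return struct.pack(E + "HHI", tag, typ, count) + field

    def rationals(dms):                         # three RATIONALs: degrees, minutes, seconds (each over 1)
        return b"".join(struct.pack(E + "II", int(v), 1) for v in dms)

    ifd0_off = 8                                # 0th IFD directly after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4             # 0th IFD holds a single entry
    data_off = gps_off + 2 + 4 * 12 + 4         # rational values are placed after the GPS IFD
    ifd0 = (struct.pack(E + "H", 1)
            + entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack(E + "I", gps_off))
            + struct.pack(E + "I", 0))
    gps = (struct.pack(E + "H", 4)
           + entry(TAG_LAT_REF, TYPE_ASCII, 2, lat_ref + b"\x00" * 3)
           + entry(TAG_LAT, TYPE_RATIONAL, 3, struct.pack(E + "I", data_off))
           + entry(TAG_LON_REF, TYPE_ASCII, 2, lon_ref + b"\x00" * 3)
           + entry(TAG_LON, TYPE_RATIONAL, 3, struct.pack(E + "I", data_off + 24))
           + struct.pack(E + "I", 0))
    tiff = ((b"MM" if E == ">" else b"II") + struct.pack(E + "HI", 0x2A, ifd0_off)
            + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms))
    body = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(body) + 2) + body
    # a stub SOS header, a few fake scan bytes and EOI stand in for the picture itself
    scan = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56" + b"\xff\xd9"
    return b"\xff\xd8" + app1 + scan


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print(find_gps(sample))                    # -> (51.51, -0.1275)
    print(find_gps(strip_exif(sample)))        # -> None
```

`find_gps` returns `None` both for files with no Exif segment and for Exif data with no GPS IFD, so it can be run as a pre-upload check, and `strip_exif` removes the whole APP1 segment, which also drops camera model, timestamps and any other Exif fields; that is the same effect a dedicated tool such as ExifTool gives when asked to remove all metadata, and is the conservative choice for anything destined for a social network.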

And then of course there’s the likelihood that information will be leaked by plain old human error, yours or someone else’s. There are always cautionary tales about someone inadvertently sending an email “Reply All” when it clearly shouldn’t have been.  At the Cardozo conference one computer privacy expert sheepishly admitted to making this rookie mistake himself—a confession that inspired chuckles of recognition from far less computer-literate audience members. 

And the actions of others, even if they were acting innocently, may expose your personal information as well.  For instance, one of our clients asked us to track down the settlor of a trust whose whereabouts had long since been a mystery.  But his family was all over Facebook, constantly updating their information with details about their home life and travels.  Eventually, we were able to locate him through them. 

Or take for example the recent news story of the Italian mobster finally arrested after being on the run for nine years.  He didn’t make a mistake, but his girlfriend did.  Police had been monitoring the mobster’s pregnant girlfriend’s social media sites for information about his whereabouts.  They hit the jackpot when the girlfriend decided to use Facebook to share photographs of her growing belly with friends and family.  In one of the photographs she posed in front of a sign for a beach in the Costa del Sol town of Marbella.  Then she uploaded another shot of her outside a well-known Italian restaurant in Marbella.  Soon after she sent the mobster an email predicting that she was going to go into labor sometime soon—an email that, unbeknownst to her, the police were monitoring.  Sure enough, the police apprehended the mobster when he arrived in Marbella shortly thereafter. 

So, despite the feelings of invincibility and invisibility that the Internet seems to inspire, the truth of the matter is that complete privacy or anonymity online is impossible.

With all the focus on tech IPOs that reward gaming and chatting, it’s nice to see a company dedicated to privacy getting a little bit of venture cash behind it. With just $1.5 million raised so far, CertiVox is still a tech minnow, but its idea is a solid one: people need to be able to trust that some privacy online is still a possibility.

Remember all that spam e-mail for male enhancement and mysterious lottery winnings? Most people have become wise to the classic spam or phishing schemes, and hackers have stepped up their game. The new tactics are spear-phishing (researching and targeting specific users) and whale-phishing (targeting executives who have access to the most information).

One way this works is for hackers to research their target in the social network, pick one of the target’s “friends” and set up an e-mail account that looks like it belongs to the friend. The target won’t think twice about clicking on the malicious link that comes in from their friend. With this tactic, some hackers seek to simply create mischief, others are targeting corporations.

Recently we wrote about a particularly worrying study on corporate security breaches – think Sony, Lockheed Martin and Citigroup. The data shows that the problem lies largely with employees’ mobile devices and the completely unencrypted transfer of information. People are using Facebook, sending e-mails and clicking on links, all of which results in a public transfer of information that can be intercepted. Hackers bet on our complacency and “that’s just how the internet works” attitude and win every day.

Now comes CertiVox, whose goal is to provide government-grade encryption to corporations and your web browser. Their new (and free) PrivateSky plug-in allows you to encrypt what you do online and show it only to those for whom it’s intended. Your e-mail is no longer an open postcard and your Facebook rants stay private. For corporations, there are more robust solutions for the entire network.

A concern here is that a good encryption product, one that does not allow the product’s creator to see the message, could fall into the hands of criminals. Governments can crack highly sophisticated encryption programs, but at what cost in time and money? If CertiVox gets big enough, will it have to cough up its code to government authorities in order to keep going, as Research in Motion did in India?

While we don’t vouch for CertiVox’s reliability or competitiveness, it’s certainly a step in the right direction that such a company is able to raise cash to keep itself going.

(Photo Credit: Sasha Wolff) 

If 90% of U.S. companies are falling victim to computer hackers, according to a new Ponemon Institute study, is it that the companies are woefully unprepared or that the hackers are particularly smart? Looks like this one is on the companies.

A research center dedicated to privacy and data protection, Ponemon looked at 583 U.S. companies and concluded that data breaches are “almost a statistical certainty.”

Most companies say there’s little they can do about it. That includes big names such as security firm RSA, Lockheed Martin, Oak Ridge National Laboratory and the International Monetary Fund.  Tech departments blame financial resources and complexity of networks as top reasons for breaches. Nearly two-thirds of the attacks resulted in losses anywhere from $250,000 to $2.5 million.

But dig deeper and the numbers tell a story about risk that could be better managed.  Most companies are already running a firewall on their network and have anti-virus and anti-malware installed in their employees’ computers.  The problem is, the study found that 63% of breaches occurred from unsecured employee devices – laptops and mobile phones.  The vast majority of threats originate from website and social media malware and malicious software downloads.

Either the companies’ anti-virus software is outdated, or employees allow themselves to be too liberal with what they download.

This therefore looks like a training problem. Employees, and not just the IT department, should be aware of how to start lessening the risk.

  • If attacks are coming in from laptops and mobile devices (smartphones, tablets, etc.), it’s time to implement a new policy on how employees connect to the network or enterprise systems when out of the office.  The days of living one’s personal life on a company-owned device may have to come to an end.
  • Only 30% of companies report the use of encryption, while citing theft of information assets as their top concern. An encryption policy seems like a no-brainer. Data theft is a lot easier to tolerate when to the thieves it appears as a meaningless mishmash that would take sophisticated computers days or weeks to decrypt. The thing about encryption, though, is that you have to use it. If it’s turned off or if your password is your birthday or the name of your dog, it won’t help you.

A chilling story in the Wall Street Journal’s Digits Blog yesterday told us that LinkedIn, Netflix and Foursquare “stored various forms of users’ personal data in plain text on a mobile device, putting sensitive information at risk to computer criminals.”

As if to confirm worst-case scenarios, Citibank then revealed that hackers have accessed the accounts of some 200,000 credit card customers in North America.


Even with a rash of data breaches, encryption is the part of computer security we tend to forget about. We know increasingly that social networking can let too many strangers into our lives and that we should think twice before entrusting anyone with sensitive financial information.

But how many of us encrypt data on our computers? It’s so easy to do, and I would argue that it should become best practice for professionals everywhere. Our firm does, so that if our computers were ever stolen, thieves would find nothing but encrypted garbage where case files should be. We like the free, open-source TrueCrypt program, available here. Other alternatives are available but at a cost.

But what about email? There is plenty of evidence that a deleted email can stick around in many forms on your computer or server even after you hit “delete,” but few think about the dozen servers between your office and the server of the person receiving your email. Both you and the recipient can do whatever you want, but your unencrypted email may be stuck (for years or decades) on multiple servers in multiple countries, all ready to be hacked.

While it’s true that hackers with enough patience and computing power can break many encryption codes, the idea is to raise the cost for criminals even to try.  If you encrypt just the tiny portion of your emails carrying sensitive financial information, you direct a hacker right to your most vulnerable material. If you encrypt thousands of emails, a hacker will give up after working for hours to unveil messages that say “Happy Birthday!” or “Tks, will do.”

Yesterday the U.S. Commerce Department issued its green paper on cybersecurity, but stopped short of recommending encryption of emails. It strikes us that for certain highly sensitive matters encryption of email is worth the trouble. There can be problems with forwarding, and in many cases it makes sense for both sides to have an encryption program. Otherwise, you need to keep the same string of messages going for a non-licensee to benefit from the encryption-licensee’s program.

At the very least, we should all make sure our email accounts have their own passwords. That way if someone looks at your desktop computer at work, your Microsoft Outlook can at least stay locked. Password protection for Outlook can be arranged by setting a password for your Personal Folders File (.pst) within Outlook. You can do this on the File menu under Data File Management.  

Imagine this: You have an iPhone, iPad and Mac computer. You use all three devices mostly for personal home use, but you also receive work e-mail on them. Medical records, tax returns, and other confidential information goes on these devices. They all sync amongst themselves and you’ve just started using Apple’s new server farm, iCloud. The system sends files into storage automatically over your wireless signal once a day and all your private data ends up on Apple’s new cloud. There’s no assurance that all these personal files cannot be intercepted, but Apple promises to keep them under secure lock and key. 

News from Apple’s Worldwide Developers Conference is flooding the web today. Our call regarding iCloud was on the mark, but today’s formal announcement brings several serious worries into even sharper perspective. iCloud is designed for sharing not only music, videos and photos, but also to store your e-mail and personal calendar. And the system does this with all of your Apple devices, wirelessly, while running in the background.

No need to hit “send.” Apple will just grab your information and store it for you.

As Steve Jobs said regarding iCloud: “We think this is going to be pretty big,” and we wholeheartedly agree with him. It’s just that big in this case is not better. 

We now know that Apple will use next week’s Worldwide Developer’s Conference to unveil iCloud, its new cloud storage product. Apple’s first attempt at cloud storage, MobileMe, was such a failure that Steve Jobs publicly tore into the Apple team for tarnishing the company’s reputation. 

It looks like the 2.0 version will probably be getting it right and customers will now be able to share their documents, movies, music and photos from the Apple “cloud” (and by cloud, we mean Apple-owned servers on the ground in fire-proof rooms). Most of Apple’s customers will use the company’s products without thinking twice about the sensitivity of the information they are handing over.

That’s a lot of trust that could be misplaced. The risk for any form of cloud computing is that you no longer have exclusive access to your files. Cloud storage by Apple and others sounds economical in terms of hard-drive space saved at your office and used more efficiently by Apple, but cloud computing creates vast opportunities for theft of private information and, as we’ve written before here, there’s no proof that Apple will be able to protect yours. 

For now, speculation has it that iCloud will be used mostly for sharing movies, music and photos. But the plan is also to integrate it into the upcoming iPad and iPhone software iOS 5, creating an operating system that will be able to communicate with the Apple cloud with or without your approval. A further concern is that the very popular apps that define Apple’s devices could be able to transmit information over the new cloud-based system. 

Simply put, your files and information, including location and other personal data, are going to be somewhere in cyberspace, where they stand a chance of being intercepted. Or Apple could just have unlimited access to them. 

This type of information interception has the U.S. Senate taking first steps in formally drafting laws that aim to further protect personal data. In mid-April, Senators John Kerry and John McCain offered a privacy bill that would “strike a balance between consumer advocacy groups and the [tech] industry.” Now that Apple is introducing iCloud to their enormous following, the Senate’s discussion on adequate regulation could not be coming at a better time. 

Although the Kerry/McCain bill is a step in the right direction, a solution from lawmakers will probably take more time than is required for companies, such as Apple, to roll out new products and gather large quantities of sensitive information.