Computer Security for Lawyers

Wendy Knox Everette & Brendan O’Connor

Wendy Knox Everette

Wendy Knox Everette (@wendyck) is a hacker lawyer who began her career as a software developer at Amazon.com and Google, before going to law school, where she focused on national security law and computer security issues. She interned with the FTC, FCC, and several other three-letter agencies, and completed a fellowship with ZwillGen in Washington, D.C. During her fellowship she assisted with vendor cybersecurity reviews, drafted data breach incident reports and assisted with incident response, as well as working with clients in responding to law enforcement requests for customer data. Currently, she lives in Washington State where she advises companies on risk and security regulations.

Brendan Francis O’Connor

● Once voted “least likely to be employable” by his graduating class… in law school

● His cat, who he had for five years before meeting her, prefers the company of his wife

● Is completely obsessed with how much he hates cryptocurrencies

End user security

Do attorneys have an obligation to secure their devices and communications?

Elements of a strong password

● The best option: generated by a password manager like LastPass or 1Password

● Make it long: 10 or more characters

● Make it unpredictable

● Make it complex: vary uppercase, lowercase, numbers and symbols

● Make it unique: use a unique password for each service

● Keep it secret: if you have to share it with someone, switch to a temporary password, share that, then change it back

Why do strong passwords matter?

BUT...

● Modern password cracking utilities don’t use pure brute force

● They do know that you substituted a 4 for an A (so leet!)

● They know phrases and quotations, not just words

● They do know that a shockingly high percentage of “strong” passwords are

○ Xxxxxxxxx...1! (One upper case, N lower case, followed by a single number and a single special character, usually an exclamation point)

● Seriously, just use a password manager
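As an added example (not from the slides), here is a toy version of the rule-based candidate generation that crackers such as hashcat and John the Ripper apply to a wordlist instead of brute-forcing every character combination. The wordlist, rule set and sample passwords are constructed for illustration; real wordlists run to hundreds of millions of leaked passwords and real rule files to thousands of rules.

```python
"""Rule-based password candidates: capitalisation, leet substitutions and
common suffixes applied to a wordlist, the way crackers extend their lists.

Added example for this page; WORDLIST, LEET, SUFFIXES and the sample
passwords are constructed, not taken from any real cracking run.
"""
import itertools
import re
import string

# Constructed toy wordlist; real crackers start from leaked-password corpora.
WORDLIST = ["password", "lawyer", "justice", "summer", "welcome"]

# The "so leet" substitutions every rule set already contains.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}

# Common append rules: nothing, a digit, a digit plus a symbol, "123".
SUFFIXES = (
    [""]
    + list(string.digits)
    + [d + s for d in string.digits for s in "!?@#$"]
    + ["123", "123!"]
)

# The shape most "strong" passwords take: one capital, lower case, digit, symbol.
COMMON_MASK = re.compile(r"^[A-Z][a-z]+[0-9][^A-Za-z0-9]$")


def leet_variants(word):
    """Yield `word` with every subset of its substitutable letters swapped."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for swaps in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for pos, swap in zip(positions, swaps):
            if swap:
                chars[pos] = LEET[chars[pos]]
        yield "".join(chars)


def case_variants(word):
    """Three case rules: as typed, first letter capitalised, all upper case."""
    return {word, word.capitalize(), word.upper()}


def candidate_set(wordlist=WORDLIST):
    """Every password the toy rule set would try, derived from the wordlist."""
    out = set()
    for base in wordlist:
        for leeted in leet_variants(base):
            for cased in case_variants(leeted):
                for suffix in SUFFIXES:
                    out.add(cased + suffix)
    return out


def crackable(password, wordlist=WORDLIST):
    """True if the password is reachable from the wordlist with these rules."""
    return password in candidate_set(wordlist)


def matches_common_mask(password):
    """True if the password has the Xxxxxxxx...1! shape the slide describes."""
    return bool(COMMON_MASK.match(password))


def brute_force_space(length, alphabet=95):
    """Keys a pure brute-force attack would cover (95 printable ASCII chars)."""
    return alphabet ** length


if __name__ == "__main__":
    cands = candidate_set()
    for pw in ["Password1!", "P4$$w0rd1!", "Ju$tice123", "xK7#qLm2vRp9"]:
        print(f"{pw:14} rule-crackable={crackable(pw)!s:5} "
              f"common-mask={matches_common_mask(pw)}")
    print(f"{len(cands)} rule candidates vs "
          f"{brute_force_space(10):.2e} brute-force keys for 10 characters")
```

Run it and the strong-looking Password1!, P4$$w0rd1! and Ju$tice123 all fall out of a five-word list and a few dozen rules, while the manager-generated string does not. A cracker tries the few thousand rule candidates long before it would ever reach a 95^10 brute-force space, which is why substitutions and a trailing "1!" buy almost nothing.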

Security 101: Multi-Factor Authentication

Something you know + something you have

https://www.nist.gov/itl/tig/back-basics-multi-factor-authentication

Security 101: Updating your devices

Applying updates quickly & regularly

Would someone SPY on a LAWYER?

● United States - Measures Affecting the Production and Sale of Clove Cigarettes (Indonesia v. US) (DS406, WTO DSB, 2012)

● GTMO

● https://www.csoonline.com/article/3070110/security/fbi-hid-microphones-for-secret-warrantless-surveillance-near-california-courthouses.html (San Francisco / federal)

● https://www.nytimes.com/2008/04/28/us/28lawyers.html (Oregon state/federal)

SBTx, Comm. on Prof. Ethics, Opinion 648 (2015)

“In general, considering the present state of technology and email usage, a lawyer may communicate confidential information by email. In some circumstances, however, a lawyer should consider whether the confidentiality of the information will be protected if communicated by email and whether it is prudent to use encrypted email or another form of communication. Examples of such circumstances are:

[…] sending an email if the lawyer is concerned that the NSA or other law enforcement agency may read the lawyer’s email communication, with or without a warrant.”

SBCa, St. Comm. on Prof. Resp., Opinion 2010-179

“Similarly, encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstance calls for it….”

ABA Formal Ethics Opinion 11-459

“A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, where there is a significant risk that a third party may gain access.”

Messaging security

● Messaging applications like iMessage or Signal can be more secure than email

● Seriously, use Signal. Download it right now, don’t wait for the end of class.

https://signal.org/download/

Email Security

● Using a webmail provider like GMail or Proton Mail

○ Use a strong password

○ Use multifactor authentication

● Email Attachments

○ When is it safe to open an attachment?

Mobile Phone Security

1. Use a lock code or PIN to lock your phone. Longer is better. Alphanumeric is better than numeric.

2. Don’t leave your phone unlocked and unattended.

3. Do not install unknown and unverified programs on your phone. Only install apps from the official Apple App Store or Google Play.

4. If you plan to dispose of, give away, sell or re-use your phone, make sure that all information is deleted: use the phone’s built-in erase / factory reset function, not just deleting files by hand.

5. Back up your phone information regularly to a computer or the cloud. This will allow you to restore the data if you lose your phone or it is damaged or compromised.

6. When your phone maker or carrier makes an update available, install the update. This helps to protect your phone from being compromised. Consider using only trusted phone dealers and repair shops if you are worried that your phone may be tampered with before you purchase it or while being repaired. You may want to use an authorized but randomly chosen phone dealer or service provider.

7. Your phone may allow you to disable “Location Services” altogether if there are times you do not want your location to be tracked and made available to third-party apps. Note that your location information will still be available to the mobile phone network provider as your phone pings nearby cell phone towers.

Be very wary when connecting to WiFi access points that don't require passwords, or to WiFi networks in public spaces such as a coffee shop. It may be better to incur data charges than incur the risk of connecting to a public WiFi network.

When you use a web browser, look at the address bar and check for the lock icon. The URL should also begin with “https”: this means the browser is using HTTPS, which encrypts the connection between your browser and the website. Someone watching the network can still see which sites you connect to and roughly how much data you exchange, but not the contents of the pages, forms or downloads. The lock only says the connection is encrypted; it says nothing about whether the site itself is trustworthy. Read more: https://support.google.com/chrome/answer/95617?hl=en

For your home WiFi:

● WPA2-PSK (not “mixed mode” WPA)

● Make sure you update your router software (https://arstechnica.com/information-technology/2018/06/widely-used-d-link-modemrouter-under-mass-attack-by-potent-iot-botnet/, https://arstechnica.com/information-technology/2018/06/vpnfilter-malware-infecting-50000-devices-is-worse-than-we-thought/)

Secure file exchange

There are many ways to securely exchange documents, from password-protecting them to using a strong encryption method. Which one you use will be based on how sensitive the information is and what you & your client agree on.

Lifehacker has a list of five encryption tools they recommend for local encryption of files: http://lifehacker.com/five-best-file-encryption-tools-5677725

Secure file exchange: Password Protected PDFs

Saving a PDF file with a password helps to protect the information from being easily read by someone who is sniffing traffic on the network (as could happen on an open wifi network that is not protected by a password), or if they gained access to your email. Send the password through a different channel (a phone call or a Signal message), never in the same email as the attachment, and make it a long one: anyone who obtains the file can try passwords against it offline at their leisure.

Creating one on Windows: https://www.digitaltrends.com/computing/password-protect-pdf/

Creating one on Mac: https://support.apple.com/guide/preview/password-protect-a-pdf-prvw587dd90f/mac

Secure file exchange: Password Protected Zip files

7-Zip for Windows:

● Download: http://www.7-zip.org/

● Tutorial: http://www.gofree.com/Tutorials/ZipCompFiles.php

● In the “Add to Archive” dialog, choose AES-256 as the encryption method rather than the older ZipCrypto option

Keka for Mac OS X:

● Download: http://www.kekaosx.com/en/ ● Tutorial:

http://www.kekaosx.com/en/doc.php

Secure file exchange: VeraCrypt

VeraCrypt runs on Windows and Macs, and allows you to create encrypted containers, which are like disk images, to hold files. These encrypted containers can then be exchanged through use of Box or some other shared drive service, or with USB keys. This is a good tool if you have especially sensitive files that you need to exchange, and your client has agreed to install the software and exchange encrypted containers. As with password-protected PDFs, the container password goes to your client over a separate channel, not alongside the file.

● https://www.veracrypt.fr/en/Home.html

Backups

As ransomware has increased as a threat, it’s important to take time to make sure that you have backed up your critical files, especially if you are in a small law office and store important client files. This handout will point you to some options for making backup copies of your data.

If you can, you should encrypt your backups. However, it is better to have unencrypted backups than to not backup anything because you haven’t gotten around to setting up an encrypted system.

● Backblaze! (We’re not shilling for them, but there’s a reason all of Brendan’s family and many friends use it)

Backups: Mac OS X

Mac OS X Time Machine (built-in backup software) tutorial: http://osxdaily.com/2015/07/12/set-up-time-machine-backups-mac-os-x/

Web Applications

● How to secure a Google Apps or O365 account

● https://landing.google.com/advancedprotection/

● Vendor security analysis is hard--for lawyers, just rely on the big vendors

Learning more

Attorney Specific

1. Operational Security for Lawyers: https://lawyerist.com/series/operational-security-for-lawyers/

2. Computer Security Tools and Concepts for Lawyers: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2831739

3. Cybersecurity for Attorneys: Understanding the Ethical Obligations: https://www.americanbar.org/publications/law_practice_today_home/law_practice_today_archive/march12/cyber-security-for-attorneys-understanding-the-ethical-obligations.html

4. Keys Under Doormats (“golden keys” aren’t): https://dspace.mit.edu/handle/1721.1/97690

Questions (Lots)

Wendy: @wendyck, [email protected]

Brendan: @USSJoin, [email protected]