Computer Security for Lawyers - 03...
Wendy Knox Everette
Wendy Knox Everette (@wendyck) is a hacker lawyer who began her career as a software developer at Amazon.com and Google, before going to law school, where she focused on national security law and computer security issues. She interned with the FTC, FCC, and several other three letter agencies, and completed a fellowship with ZwillGen in Washington, D.C. During her fellowship she assisted with vendor cybersecurity reviews, drafted data breach incident reports and assisted with incident response, as well as working with clients in responding to law enforcement requests for customer data. Currently, she lives in Washington State where she advises companies on risk and security regulations.
Brendan Francis O’Connor
● Once voted “least likely to be employable” by his graduating class… in law school
● His cat, who he had for five years before meeting her, prefers the company of his wife
● Is completely obsessed with how much he hates crypto currencies
Security 101: Passwords
1. Randomization
2. Length
3. Memorization vs saving it
https://www.csoonline.com/article/3228106/password-security/want-stronger-passwords-understand-these-4-common-password-security-myths.html
Elements of a strong password
● The best option: generated by a password manager like LastPass or 1Password
● Make it long: 10 or more characters
● Make it unpredictable
● Make it complex: vary uppercase, lowercase, numbers and symbols
● Make it unique: use a unique password for each service
● Keep it secret: if you have to share it with someone, switch to a temporary password, share that, then change it back
Password managers
● LastPass: https://www.lastpass.com/
● 1Password: https://1password.com/
● Not Ever Keeper: https://www.techdirt.com/articles/20171220/18134638859/keeper-security-files-bullshit-slapp-suit-against-ars-technica-letting-many-more-people-know-not-to-use-software.shtml
● What about saving passwords in the browser?
● What about Mac’s KeyChain to save passwords?
BUT...
● Modern password cracking utilities don’t use pure brute force
● They do know that you substituted a 4 for an A (so leet!)
● They know phrases and quotations, not just words
● They do know that a shockingly high percentage of “strong” passwords are
○ Xxxxxxxxx...1! (One upper case, N lower case, followed by a single number and a single special character, usually an exclamation point)
● Seriously, just use a password manager
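As an added illustration (not part of the original slides), a small Python check that flags the Xxxxxxxxx...1! template and compares how many candidates a cracker has to try against it versus a same-length password generated by a manager; the 94-character alphabet, the template regex and the function names are assumptions made here.

```python
import math
import re
import secrets
import string

# Assumed alphabet a password manager draws from: 26 + 26 + 10 + 32 = 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# The predictable shape the slides describe: one capital, a run of lowercase,
# then exactly one digit and one special character (e.g. "Password1!").
PREDICTABLE = re.compile(r"^[A-Z][a-z]+[0-9][^A-Za-z0-9]$")


def is_predictable_shape(password: str) -> bool:
    """True when the password follows the Xxxxxxxxx...1! template."""
    return PREDICTABLE.fullmatch(password) is not None


def template_keyspace(length: int) -> int:
    """Distinct passwords of this length that fit the template.

    A cracker that targets the template tries 26 capitals, 26^(length-3)
    lowercase runs, 10 digits and 32 punctuation marks, not 94^length.
    """
    if length < 4:  # needs at least one lowercase letter between the ends
        return 0
    lowercase_run = length - 3
    return 26 * 26 ** lowercase_run * 10 * len(string.punctuation)


def random_keyspace(length: int) -> int:
    """Distinct passwords a manager can generate at this length."""
    return len(FULL_ALPHABET) ** length


def entropy_bits(keyspace: int) -> float:
    """Guessing effort as bits: log2 of the number of candidates."""
    return math.log2(keyspace)


def generate_password(length: int = 16) -> str:
    """Generate a password the way a manager does: CSPRNG over the full alphabet."""
    return "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for pw in ("Password1!", "Summer2018!", generate_password(10)):
        shape = "template" if is_predictable_shape(pw) else "not the template"
        print(f"{pw!r}: {shape}")
    print(f"10-char template: {entropy_bits(template_keyspace(10)):.1f} bits")
    print(f"10-char random:   {entropy_bits(random_keyspace(10)):.1f} bits")
```

A 10-character template password offers roughly 46 bits of guessing effort, a 10-character manager-generated one roughly 66 bits, which is why the slide's advice is to let the manager generate it.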
Security 101: Multi Factor Authentication
Something you know + something you have
https://www.nist.gov/itl/tig/back-basics-multi-factor-authentication
Would someone SPY on a LAWYER?
● United States - Measures Affecting the Production and Sale of Clove Cigarettes (Indonesia v. US) (DS406, WTO DSB, 2012)
● GTMO
● https://www.csoonline.com/article/3070110/security/fbi-hid-microphones-for-secret-warrantless-surveillance-near-california-courthouses.html (San Francisco / federal)
● https://www.nytimes.com/2008/04/28/us/28lawyers.html (Oregon state/federal)
SBTx, Comm. on Prof. Ethics, Opinion 648 (2015)
“In general, considering the present state of technology and email usage, a lawyer may communicate confidential information by email. In some circumstances, however, a lawyer should consider whether the confidentiality of the information will be protected if communicated by email and whether it is prudent to use encrypted email or another form of communication. Examples of such circumstances are:
[…] sending an email if the lawyer is concerned that the NSA or other law enforcement agency may read the lawyer’s email communication, with or without a warrant.”
SBCa, St. Comm. on Prof. Resp., Opinion 2010-179
“Similarly, encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstance calls for it….”
ABA Formal Ethics Opinion 11-459
“A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, where there is a significant risk that a third party may gain access.”
Messaging security
● Messaging applications like iMessages or Signal can be more secure than email
● Seriously, use Signal. Download it right now, don’t wait for the end of class.
https://signal.org/download/
Email Security
● Using a webmail provider like GMail or Proton Mail
○ Use a strong password
○ Use multifactor authentication
● Email Attachments
○ When is it safe to open an attachment?
Mobile Phone Security
1. Use a lock code or PIN to lock your phone. Longer is better. Alphanumeric is better than numeric.
2. Don’t leave your phone unlocked and unattended.
3. Do not install unknown and unverified programs on your phone. Only install apps from the official Apple App Store or Google Play.
4. If you plan to dispose of, give away, sell or re-use your phone, make sure that all information is deleted.
5. Back up your phone information regularly to a computer or the cloud. This will allow you to restore the data if you lose your phone or it is damaged or compromised.
6. When your carrier makes an update available, install the update. This helps to protect your phone from being compromised.
Consider using only trusted phone dealers and repair shops if you are worried that your phone may be tampered with before you purchase it or while being repaired. You may want to use an authorized but randomly chosen phone dealer or service provider.
7. Your phone may allow you to disable “Location Services” altogether if there are times you do not want your location to be tracked and made available to third-party apps. Note that your location information will still be available to the mobile phone network provider as your phone pings nearby cell phone towers.
Be very wary when connecting to WiFi access points that don't require passwords, or to WiFi networks in public spaces such as a coffee shop. It may be better to incur data charges than to incur the risk of connecting to a public WiFi network.
When you use a web browser, look at the address bar and check to see if there is a green lock icon. The URL should also begin with “https”; this means that the browser is using HTTPS, which is a form of encryption. If anyone on the network sees your traffic, they can’t read the contents of it! Read more: https://support.google.com/chrome/answer/95617?hl=en
For your home WiFi:
● WPA2-PSK (not “mixed mode” WPA)
● Make sure you update your router software (https://arstechnica.com/information-technology/2018/06/widely-used-d-link-modemrouter-under-mass-attack-by-potent-iot-botnet/, https://arstechnica.com/information-technology/2018/06/vpnfilter-malware-infecting-50000-devices-is-worse-than-we-thought/)
Secure file exchange
There are many ways to securely exchange documents, from password-protecting them to using a strong encryption method. Which one you use will be based on how sensitive the information is and what you & your client agree on.
Lifehacker has a list of five encryption tools they recommend for local encryption of files: http://lifehacker.com/five-best-file-encryption-tools-5677725
Secure file exchange: Password Protected PDFs
Saving a PDF file with a password helps to protect the information from being easily read by someone who is sniffing traffic on the network (as could happen on an open wifi network that is not protected by a password), or if they gained access to your email.
Creating one on Windows: https://www.digitaltrends.com/computing/password-protect-pdf/
Creating one on Mac: https://support.apple.com/guide/preview/password-protect-a-pdf-prvw587dd90f/mac
Secure file exchange: Password Protected Zip files
7Zip for Windows:
● Download: http://www.7-zip.org/
● Tutorial: http://www.gofree.com/Tutorials/ZipCompFiles.php
Keka for Mac OS X:
● Download: http://www.kekaosx.com/en/
● Tutorial: http://www.kekaosx.com/en/doc.php
Secure file exchange: Veracrypt
Veracrypt runs on Windows and Macs, and allows you to create encrypted containers, which are like disk images, to hold files. These encrypted containers can then be exchanged through use of Box or some other shared drive service, or with USB keys. This is a good tool if you have especially sensitive files that you need to exchange, and your client has agreed to install the software and exchange encrypted containers.
● https://www.veracrypt.fr/en/Home.html
Backups
As ransomware has increased as a threat, it’s important to take time to make sure that you have backed up your critical files, especially if you are in a small law office and store important client files. This handout will point you to some options for making backup copies of your data.
If you can, you should encrypt your backups. However, it is better to have unencrypted backups than to not back up anything because you haven’t gotten around to setting up an encrypted system.
● Backblaze! (We’re not shilling for them, but there’s a reason all of Brendan’s family and many friends use it)
Backups: Windows 10
Windows 10 built-in backup: https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473
Backups: Mac OS X
Mac OS X Time Machine (built-in backup software) tutorial: http://osxdaily.com/2015/07/12/set-up-time-machine-backups-mac-os-x/
Web Applications
● How to secure a google apps or O365 account
● https://landing.google.com/advancedprotection/
● Vendor security analysis is hard; for lawyers, just rely on the big vendors
Learning more
Attorney Specific
1. Operational Security for Lawyers: https://lawyerist.com/series/operational-security-for-lawyers/
2. Computer Security Tools and Concepts for Lawyers: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2831739
3. Cybersecurity for Attorneys: Understanding the Ethical Obligations: https://www.americanbar.org/publications/law_practice_today_home/law_practice_today_archive/march12/cyber-security-for-attorneys-understanding-the-ethical-obligations.html
4. Keys Under Doormats (“golden keys” aren’t): https://dspace.mit.edu/handle/1721.1/97690
Questions (Lots)
Wendy: @wendyck, [email protected]
Brendan: @USSJoin, [email protected]