Posts tagged: computer security

Data Breach Prevention

Glaring headlines in the March 29, 2016 The American Lawyer detailed that 48 of our nation’s top law firms were specifically targeted by a Russian hacker seeking to trade on M&A information. Most of the firms found out they were a target only because their name was included in the article. On March 22, 2016 the FBI issued an alert warning law firms of criminals seeking access to their networks.

What should you do? First, realize that some of the largest firms have experienced breaches. And they have huge IT staff, and lots of money to throw at the problem. Don’t throw up your arms in disdain and say you have no chance by comparison. For firms of all sizes I recommend . . . READ MORE

Data Breach Prevention

It’s really not a question of IF your firm will experience a data breach at some point, but rather WHEN your firm will experience the breach. Don’t assume that your firm has no desirability as a target because of your size, or even your practice areas. Cyber criminals are increasingly targeting law firms of all sizes for private information about clients, which often enables them to more effectively target the client directly.  READ MORE

Cyber Security and Data Privacy

Gibson Dunn & Crutcher LLP just published a very sobering article on this topic.  The article is entitled “Cyber-security and Data Privacy Outlook and Review: 2013,” and it is probably one of the most comprehensive reviews on the status of lawsuits, regulatory changes, and breaches I’ve read to date.  It’s guaranteed to make you wince.  The good news — maybe I should say the only good news– is that this arena has the potential to create lots of opportunities for lawyers.  Work abounds in class actions, defense, regulatory compliance, security audits and policies, trade secret protection, and white collar crime, to name but a few.

Just to give you an idea of how bad a year 2012 was in terms of security, here is a brief excerpt:

Data breaches continue to grow in both number and scale. This past year saw major hacks at Zappos (24M customer accounts), Statfor (private U.S. intelligence firm; 5M e-mails), Global Payments (1.5M credit card numbers), LinkedIn (6.5M passwords), eHarmony (1.5M passwords), Yahoo (0.5M passwords), Nationwide Mutual (1.1M customer accounts), and Wyndham Worldwide (600K credit card numbers). According to industry reports, this past year saw a sharp increase in browser-related exploits, such as luring an individual to a trusted website that has been infected with malicious code. Using browser vulnerabilities, attackers can install malware on the target system. In addition, the rise of “bring your own device” policies in the corporate world have led to security challenges for organizations. For example, many large organizations reported that security breaches were caused by their own staff, most commonly through ignorance of security practices.

This past year saw a dramatic increase in the number of breaches from state and local governments. Leading the pack was the South Carolina Department of Revenue, where an employee fell for a phishing e-mail that allowed hackers to steal 75GB of data containing the social security numbers, credit cards, and bank account information for 3.8M residents. The data also contained information about 700,000 businesses. The governor faulted outdated IRS standards, which did not require social security numbers to be encrypted. Another major hack affected the New York State Electric & Gas Company, in which 1.8M customer files were stolen that included social security numbers and some financial information. Investigations of the hack faulted out-of-date data security standards. Other notable breaches occurred at the California Department of Social Services (700K employees’ payroll information), Utah Department of Health (780K citizens’ health information), and the California Department of Child Support Services (800K health and financial records). Many of these attacks could have been prevented by following up-to-date security standards.

No wonder President Obama signed an executive order on February 12, 2013, seeking to strengthen the cyber security of critical infrastructure, by directing the development of a public-private sector cyber security framework, and increasing information sharing between the public and private sector.  If you’ve been following my blog, you’re read my previous posts “Another Cyberattack on a Major U.S. Bank;” “Cyberattacks on U.S. Banks — Are You Safe?;” “Beware Email Messages from Facebook Friends;” and “Trojan Infects 260,000 Android Devices” to name just a few.

It’s a very dangerous computing world.  That means you have to keep up to date on developments.  You need to keep your software updated to plug security holes as they’re discovered.  You need to actually use your shredder.  You need to avoid using public WiFi for accessing confidential information.  You have to train your employees not to click on links or email attachments which are unexpected, regardless of the source.  You should encrypt your laptop hard drive, and use a boot password too.  You should be sure you have enabled the ability to remotely wipe the data from your Smartphone before you put anything on there.  This is just a start off the top of my head.  If you’re not already doing all these things, or if you don’t even know about some of these things, perhaps your starting point should be a simple security audit by a qualified vendor.

Computer Security Alert: Protect Your PC From a Data Dump

A data what?  Yep, you  heard it right.  There’s a new computer security threat afoot which can fill your hard drive in seconds.

This new threat was just reported in BBC News : Technology.  According to the report, the vulnerability has been created by a loophole in the programming of HTML5.  While most websites are currently built using version 4 of the Hyper Text Markup
Language (HTML).  However,  that code is gradually being upgraded by the newer version 5.

One big change brought in with HTML5 lets websites store more data locally on visitors’ PCs.  Based on one’s browser, there is a limit of how much data can be placed on  your PC.  However, the loophole is enabled by a software routine which endlessly creates new, linked websites, enabling each  to dump huge amounts of data onto a target PC.  Oh, and did I mention that the actual creation of the linked websites, and data dumping takes place literally in seconds?

What data will it dump?  Well, it could be pictures of cartoon cats, as done in the demo created by Developer Feross Aboukhadijeh, the discoverer of the loophole. According to the news report, In one demo, Mr Aboukhadijeh managed to dump one gigabyte of data every 16 seconds onto a vulnerable Macbook.

Most major browsers, including Chrome, Internet Explorer, Opera and Safari, were found to be vulnerable to the bug.  Only Mozilla’s Firefox capped storage at 5MB and was not vulnerable.

What can / should you do?  Well, this has been reported, and is being worked on.  Your number one defense is to have a back-up emergency boot disk, so that if your hard drive is crammed with cr*p, you can still boot your computer.  You also need to have a good solid back-up, so that you can restore your software and documents after you reboot.

If you use one of the impacted browsers on either MAC or PC platform, you may want to make sure that your anti-virus software is set to scan sites for malicious code before you actually connect.  There is no mention in the report as to whether this is detectable, so I can’t say for sure it will protect you.  But it’s worth a try, and it’s always a good idea anyway, since malicious code can be placed on just about any web site.  Last, stay away from web sites which are known to harbor nasty stuff, like file and music sharing and game sites.  At least until you’ve heard this problem is resolved.

WordPress Themes