Category: Security

Windows Security Patches Released

Microsoft released a security patch on Thursday, May 1st, which fixed all Windows versions of Internet Explorer, including for Windows XP!

XP has been out of support, but with a heavy installed base — estimated at 30% of the world’s computers by some — Microsoft made an exception to its policy by updating the operating system.  At a lot of law firms, there was a visible sigh of relief.  Kudos to Microsoft for doing the right thing.

Personally, I took the opportunity to change my default browser to Chrome, and I don’t regret it.  There are a few software packages I have which are not compatible.  For example, Copernic Desktop Search.  But I only use that for searches internal to my system, so I don’t really care.

In case you’re curious, data from NetMarketShare.com indicates that Windows 7 powers 49.27% of the world’s computers, while Windows 8.0 and 8.1 combined account for only 12.24%.  Mac versions 10.6 through 10.8 combined hold 3.25% of market share.  That number surprises me, as I’m seeing strong growth in the legal industry.

Computer Security Issues – Windows XP, Adobe Flash, Internet Explorer

When Homeland Security issues a warning about new risks of using your computer, you should stop and pay attention.  When mighty Microsoft tells you to temporarily stop using one of their programs due to a security issue, you should stop and pay attention once you’ve recovered from fainting.

Yes folks, our computing environment has just gotten a whole lot riskier, especially when exploring the internet.

First, let me advise you that the issues have not yet been resolved, despite reports issued based on misinformation and misunderstanding.  That’s because we’re dealing with multiple issues, on multiple software platforms.

The issue dealing with Adobe Flash Player was resolved (hopefully) by a security update from Adobe on Monday, April 28.  That problem involved a Flash bug that was being used to attack visitors to a Syrian government web site.  Although that bug was significant, it is not at all related to the major boo-boo in Internet Explorer.  And it’s doubtful it would have impacted too many of you in the legal environment.

The “big” Microsoft bug, which Microsoft is currently scrambling to address with a patch, affects versions 6 to 11 of Internet Explorer.  It potentially gives data thieves the same access to a network computer as a legitimate user.  Microsoft has acknowledged that there have been “limited, targeted attacks that attempt to exploit a vulnerability.”  Excuse me?  It can’t be so limited if Homeland Security is involved, along with every major media outlet.

The security flaw in Internet Explorer comes into play if you click on a bad link.  Not the type which gives you an innocent “404, Not Found” but rather the kind which takes you to a fake web site, where malicious code can be injected into your computer.  Some of these sites are so realistically designed, you have no clue they’re fake and “bad”.

This is the first major security flaw discovered since Windows XP support was discontinued.  That means that when the security patch is issued, both Internet Explorer and Windows 8.0+ will be updated.  Windows XP will remain vulnerable.

What should you do?

  1. Stop using Internet Explorer for now.  Use one of the competitors like Google Chrome or Firefox.
  2. Don’t click on links found on web sites which go outside that site.  Rather, use your “favorites” to get to the other site, or look up the other site and go there directly.  It’s estimated that as many as 40% of legitimate web sites may unknowingly have malicious code on their site.  One example would be replacing a legitimate link with one which misdirects you to a “bad” web site.
  3. Make sure you’re installing all security updates which arrive at your computer.
  4. Be sure your anti-virus and anti-spyware software is kept up to date, and is running continuously in the background.
  5. Make sure your firewall is up to date.
  6. If you’re still using Windows XP, make a permanent change to your internet browser choice.  Also, whichever browser you choose, you may want to have your security software checking each site before it actually allows you to land on it.  It will slow your travels, but keep you much safer.

Keep in mind that you will have to get off of Windows XP in short order.  Hey, I don’t like it one bit either!  But keep in mind that law firms must exercise due diligence in safeguarding client confidentiality.  Knowingly using software which will never receive additional security updates is much like putting your most confidential client documents in a trash bag, and throwing it off the Empire State Building.  It’s not a question as to whether those papers will be scattered on impact, but rather how far they’ll be scattered!

Security Issues on iPhone 5s

Attorneys who use the iPhone 5s should refrain from enabling Touch ID.  There have already been two patches in response to two security flaws.  But tech experts feel that the Touch ID feature is still a risk for phones carrying confidential client information.  Michael Pham of Winstead Attorneys has some insights in a post on the WinTech blog.  He suggests that employers implement strict written policies and procedures that require employees to keep their mobile devices current with the latest software updates concerning security, and that they notify the company the minute a phone goes missing.  Wise advice.  I also recommend that remote wipe be enabled before any client information is synched to the phone.

It’s important for firms to take proactive steps to protect confidential client data.  Failure to take reasonable precautions could spell malpractice.

Twitter username worth $50k?

A very interesting article on CNET News caught my attention.  The headline “Coveted $50,000 Twitter username swiped in tale of woe” intrigued me on more than one level.  First, of course, are the security issues.  Definitely read the article, and track back to the blog post, to get an idea of how vulnerable your online accounts can be.

Second was the fact that a username could have such a value.  Maybe it’s time to start thinking creatively and reserving free account names that may become desirable later.  Hmmm . . . wonder if @Personal_Injury is available?

Although the latest update to the story includes a strong denial from PayPal about divulging information which allowed the hacker to hijack the user’s accounts, I tend to believe the user, Naoki Hiroshima.  There are tons of ways a “confused caller” can get small bits of information over the phone; enough to later claim an account.

PayPal’s name has been associated with all sorts of online fraud, almost since they first started.  Don’t get me wrong, it’s not PayPal itself, but nefarious individuals who have exploited their name for phishing and identity theft schemes since day one.  For that reason alone, I have long advised attorneys to use something other than PayPal for the credit card service (merchant account) their clients use to pay.  Just the association to the name still leaves a chill of risk for many who remember the horror stories.

Keep Track of Your “Stuff”

We all lose stuff, even if only temporarily.  What if you could “tag” all your stuff with a tracker, so that when misplaced, you could locate it easily on your Smartphone?  That’s what Tile is for.  A Personal Asset Manager to help track one’s stuff.  It’s about time.

Currently, Tile only works with the iPhone 4S, iPhone 5, iPad Mini, iPad 3rd and 4th gen, and iPod Touch 5th gen.  And I can’t say it’s really cheap.  One Tile is $18.95.  The more you buy, the more you save per Tile.  Up to 10 Tiles can be put on one account.  You attach, stick or drop your Tile into/onto any item you might lose such as laptops, wallets, keys, guitars, bikes—you name it.

The good news:  The Tile app saves the last GPS location where it saw your Tile.  It shows the location on what looks like a Google Map.  Tiles come with a built-in speaker so you can easily hear them at close range.  You never need to replace the batteries or even charge your Tiles.

The bad news:  Tiles last a year. You’ll receive a reminder when it’s time to order new Tiles and you’ll get an envelope to recycle your old ones.  So think of it as an annual subscription cost for asset protection.  For an expensive electronic device, bicycle, or even a pet, the annual cost is well worth it.

If this takes off, it will no doubt expand to other operating systems.  I’m intrigued.  Are you?

Cyber Security and Data Privacy

Gibson Dunn & Crutcher LLP just published a very sobering article on this topic.  The article is entitled “Cyber-security and Data Privacy Outlook and Review: 2013,” and it is probably one of the most comprehensive reviews on the status of lawsuits, regulatory changes, and breaches I’ve read to date.  It’s guaranteed to make you wince.  The good news (maybe I should say the only good news) is that this arena has the potential to create lots of opportunities for lawyers.  Work abounds in class actions, defense, regulatory compliance, security audits and policies, trade secret protection, and white collar crime, to name but a few.

Just to give you an idea of how bad a year 2012 was in terms of security, here is a brief excerpt:

Data breaches continue to grow in both number and scale. This past year saw major hacks at Zappos (24M customer accounts), Stratfor (private U.S. intelligence firm; 5M e-mails), Global Payments (1.5M credit card numbers), LinkedIn (6.5M passwords), eHarmony (1.5M passwords), Yahoo (0.5M passwords), Nationwide Mutual (1.1M customer accounts), and Wyndham Worldwide (600K credit card numbers). According to industry reports, this past year saw a sharp increase in browser-related exploits, such as luring an individual to a trusted website that has been infected with malicious code. Using browser vulnerabilities, attackers can install malware on the target system. In addition, the rise of “bring your own device” policies in the corporate world has led to security challenges for organizations. For example, many large organizations reported that security breaches were caused by their own staff, most commonly through ignorance of security practices.

This past year saw a dramatic increase in the number of breaches from state and local governments. Leading the pack was the South Carolina Department of Revenue, where an employee fell for a phishing e-mail that allowed hackers to steal 75GB of data containing the social security numbers, credit cards, and bank account information for 3.8M residents. The data also contained information about 700,000 businesses. The governor faulted outdated IRS standards, which did not require social security numbers to be encrypted. Another major hack affected the New York State Electric & Gas Company, in which 1.8M customer files were stolen that included social security numbers and some financial information. Investigations of the hack faulted out-of-date data security standards. Other notable breaches occurred at the California Department of Social Services (700K employees’ payroll information), Utah Department of Health (780K citizens’ health information), and the California Department of Child Support Services (800K health and financial records). Many of these attacks could have been prevented by following up-to-date security standards.

No wonder President Obama signed an executive order on February 12, 2013, seeking to strengthen the cyber security of critical infrastructure, by directing the development of a public-private sector cyber security framework, and increasing information sharing between the public and private sector.  If you’ve been following my blog, you’ve read my previous posts “Another Cyberattack on a Major U.S. Bank;” “Cyberattacks on U.S. Banks — Are You Safe?;” “Beware Email Messages from Facebook Friends;” and “Trojan Infects 260,000 Android Devices” to name just a few.

It’s a very dangerous computing world.  That means you have to keep up to date on developments.  You need to keep your software updated to plug security holes as they’re discovered.  You need to actually use your shredder.  You need to avoid using public WiFi for accessing confidential information.  You have to train your employees not to click on links or email attachments which are unexpected, regardless of the source.  You should encrypt your laptop hard drive, and use a boot password too.  You should be sure you have enabled the ability to remotely wipe the data from your Smartphone before you put anything on there.  This is just a start off the top of my head.  If you’re not already doing all these things, or if you don’t even know about some of these things, perhaps your starting point should be a simple security audit by a qualified vendor.

Computer Security Alert: Protect Your PC From a Data Dump

A data what?  Yep, you heard it right.  There’s a new computer security threat afoot which can fill your hard drive in seconds.

This new threat was just reported in BBC News : Technology.  According to the report, the vulnerability has been created by a loophole in the programming of HTML5.  Most websites are currently built using version 4 of the Hyper Text Markup Language (HTML).  However, that code is gradually being upgraded to the newer version 5.

One big change brought in with HTML5 lets websites store more data locally on visitors’ PCs.  Depending on the browser, there is a limit on how much data can be placed on your PC.  However, the loophole is exploited by a software routine which endlessly creates new, linked websites, each of which can dump huge amounts of data onto a target PC.  Oh, and did I mention that the actual creation of the linked websites, and the data dumping, takes place literally in seconds?

What data will it dump?  Well, it could be pictures of cartoon cats, as done in the demo created by developer Feross Aboukhadijeh, the discoverer of the loophole.  According to the news report, in one demo, Mr Aboukhadijeh managed to dump one gigabyte of data every 16 seconds onto a vulnerable Macbook.

Most major browsers, including Chrome, Internet Explorer, Opera and Safari, were found to be vulnerable to the bug.  Only Mozilla’s Firefox capped storage at 5MB and was not vulnerable.
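An added sketch (not from the BBC report or from any browser's source) of why a storage cap applied separately to each linked site does not bound total disk use, and how counting usage against the registrable domain restores the bound. The 5MB cap is the figure cited above; the host names, the short suffix list and all class and function names are constructed for illustration.

```javascript
// Models browser-side storage quota accounting only; nothing is written to disk.
const QUOTA_BYTES = 5 * 1024 * 1024; // 5MB cap, the figure cited for Firefox above

// Tiny constructed stand-in for the Public Suffix List (browsers ship the full list).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Return the registrable domain (public suffix plus one label) for a host.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  // Longest candidate first, so "co.uk" is matched before "uk" would be.
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) {
      // The label just before the suffix is the one the site owner registered.
      return i === 0 ? candidate : labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase(); // unknown suffix: treat the whole host as one site
}

class QuotaManager {
  // keyFn maps a host to the bucket whose usage is capped.
  constructor(keyFn, quota = QUOTA_BYTES) {
    this.keyFn = keyFn;
    this.quota = quota;
    this.usage = new Map();
  }

  // Account for a write of `bytes` by `host`; returns true if it fits the quota.
  write(host, bytes) {
    const key = this.keyFn(host);
    const used = this.usage.get(key) || 0;
    if (used + bytes > this.quota) return false; // over quota: reject the write
    this.usage.set(key, used + bytes);
    return true;
  }

  totalBytes() {
    let sum = 0;
    for (const v of this.usage.values()) sum += v;
    return sum;
  }
}

// One site writes a full quota from each of `count` linked subdomains.
function simulate(manager, count, site = "example.com") {
  let accepted = 0;
  for (let n = 1; n <= count; n++) {
    if (manager.write(`${n}.${site}`, QUOTA_BYTES)) accepted++;
  }
  return { accepted, totalBytes: manager.totalBytes() };
}

// Per-host buckets (a stand-in for per-origin) versus per-site buckets.
const perHost = simulate(new QuotaManager((h) => h.toLowerCase()), 200);
const perSite = simulate(new QuotaManager(registrableDomain), 200);
console.log("per-host cap:", perHost.accepted, "writes,", perHost.totalBytes / 2 ** 20, "MB");
console.log("per-site cap:", perSite.accepted, "writes,", perSite.totalBytes / 2 ** 20, "MB");
```

With per-host buckets the 200 linked hosts are each granted their own 5MB; with per-site buckets everything under the same registered domain shares a single 5MB allowance.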

What can / should you do?  Well, this has been reported, and is being worked on.  Your number one defense is to have a back-up emergency boot disk, so that if your hard drive is crammed with cr*p, you can still boot your computer.  You also need to have a good solid back-up, so that you can restore your software and documents after you reboot.

If you use one of the impacted browsers on either the Mac or PC platform, you may want to make sure that your anti-virus software is set to scan sites for malicious code before you actually connect.  There is no mention in the report as to whether this is detectable, so I can’t say for sure it will protect you.  But it’s worth a try, and it’s always a good idea anyway, since malicious code can be placed on just about any web site.  Last, stay away from web sites which are known to harbor nasty stuff, like file and music sharing and game sites.  At least until you’ve heard this problem is resolved.

Another Cyberattack on a Major U.S. Bank

Citizens Bank of PA has been hit by cyberattacks, according to an article in Philadelphia Business Journal.  In keeping with my previous post on this topic, “Cyberattacks on U.S. Banks – Are You Safe?” these attacks are still being blamed on Iran, despite their continued denial of involvement.

Thus far the financial institutions have spent millions trying to shore up their security and ward off attacks.  At this point, they are requesting the assistance of the U.S. government, according to an article in the Wall Street Journal.  This is significant, coming from an industry which flatly rejected the imposition of security measures previously.

Cyberattacks on U.S. Banks – Are You Safe?

McAfee warned of this months ago, and their predictions are coming true.  U.S. Banks are under attack.  As are some cloud providers, for that matter.  The attacks are more massive and organized than ever before.  An article in CNet News on December 13, 2012 revealed that a report released by McAfee Labs predicted an impending attack on U.S. financial institutions — dubbed Project Blitzkrieg — was a “credible threat.”

Project Blitzkrieg is believed to be headed by an individual known as vorVzakone, according to McAfee. In September, vorVzakone announced a massive fraud campaign to be launched against 30 U.S. banks in spring 2013. VorVzakone also put out a call to arms for fellow hackers to join his cause. The attacks are said to be done with a highly developed Trojan that could infect victims’ computers, plant software, and allow cybercriminals to steal information and money.

Rather than being a sweeping attack, McAfee said the campaign will selectively target accounts at investment banks, consumer banks, and credit unions. Going after selected groups makes it easier for vorVzakone to stay under the radar and not be detected by network defenses, according to McAfee.

The attack was expected to hit hard in Spring, 2013.  But it looks like plans have moved up a bit.  And are not being executed as predicted.  A January 10, 2013 article in the Philadelphia Business Journal carried the title “PNC, Wells Fargo Cyberattacks Work of Iran, U.S. Believes.”  The real story is based on a January 8, 2013 article in the New York Times entitled “Bank Hacking Was the Work of Iranians, Officials Say”:

But there was something disturbingly different about the wave of online attacks on American banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.

The skill required to carry out attacks on this scale has convinced United States government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States.

Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC.

A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in online posts that it was responsible for the attacks. . . . But American intelligence officials say the group is actually a cover for Iran. They claim Iran is waging the attacks in retaliation for Western economic sanctions and for a series of cyberattacks on its own systems.

Iranian officials emphatically deny any connection with the attacks.  However, the attackers allegedly stated last week that they had no intention of halting their campaign. “Officials of American banks must expect our massive attacks,” they wrote. “From now on, none of the U.S. banks will be safe.”

I don’t know what I believe about who or what is behind these attacks.  I do believe that the threat, no matter the source, is very real.  Thus far there has been no theft; simply a consistent disabling of the banks’ ability to service online customers.  However, I have no doubt that this is camouflage designed to distract security professionals from the eventual real consequences of these attacks, which have the potential to create havoc with assets of individuals and businesses.

What do you need to do? 

  1. Be mindful of the insurance limits which apply to all of your combined accounts.  (Excluding IOLTA.  See “Unlimited FDIC Insurance on IOLTA Accounts Due to Expire” for further details about this issue.) 
  2. Make sure that you are not dependent on online banking for essential transactions.  Even if you do your deposits and bill paying remotely, have good old-fashioned deposit slips and checks handy. 
  3. Be sure you print out your monthly statements if you do electronic review.  You may need to access your information quickly at a time when your financial institution is trying to clean up a mess.  Those with an audit trail of their own will always fare better.
  4. Be careful about where you conduct your business.  Never log onto your secure encrypted accounts from a public computer, or over a public WiFi connection.
  5. If you don’t have a password on your smartphone, netbook and/or tablet, put one on immediately.  Yes, I know it’s a pain that after 3 – 10 minutes of idle time you have to put in a password to resume work.  On the other hand, no one can pick up your device when you’re not looking, and find your autologin information for your bank!
  6. Be especially wary of any so-called email communications from your banking institutions asking you to logon and reset your password, enter your SSN, or other sensitive information, and especially if they provide you with a link to do so.  Verify the legitimacy of the request by calling the institution on the phone before clicking on the link.  Nowadays sophisticated fraudsters create web sites that are so close to the real thing it can fool most people into entering sensitive information.

These are just a few quick thoughts to get this issue on your personal radar screen.  I encourage you to add your thoughts in terms of what we need to do to protect our firms, ourselves, and our clients.

Beware Email Messages from Facebook Friends

Chances are pretty good you have friends on Facebook.  You may even have your own Facebook page and friends.  Let’s face it, if you have children or grandchildren, it’s your best bet for communicating with them.  No one seems to want to use regular email or even a telephone to communicate anymore.  It’s all about social media.  Instant updates about what everyone is doing.  While I like seeing the pictures immediately of friends’ grandchildren and children, and knowing what everyone is up to, I have to admit that the constant stream of electronic “chatter” is a bit much.  But I digress  . . .

Right now there is a deluge of emails coming to everyone’s inbox from alleged friends on Facebook.  Usually the subject line just says “For [your name]” and the only thing in the email is a link.  If you look closely, you will see that the email return address is not related to whomever it is supposed to be from. 

Even though we’re all so cautious and savvy about computing risks, I have to take a moment to remind you NOT to click on the link.  If you don’t look closely you won’t give it a thought, as it appears to have been sent from someone you know and trust.  But if you click on the link you will wind up on a site which will infect you with spyware.  And you probably won’t even know it.  Remember that zero day attacks can hit you before your anti-virus and/or anti-spyware has been updated to defend you.  That’s what the “zero” stands for.  So unless your security software is updating throughout the day, you probably have no defense at all.

So repeat after me:  Delete, Delete, Delete.  Say it again:  Delete!!!
