Ensure Extra Security on Your iPhone – Replace Your 4 Digit Pin

For most users of the iPhone, the simple 4-digit PIN is sufficient security, since it encrypts your device, but it is easily hackable because there are only 10,000 possible combinations. In fact, according to Popular Science, “If you needed any more incentive to beef up your iPhone’s password, here’s one: security researchers at MDSec have tracked down a device called an “IP Box” that can brute force the phone’s 4-digit security code and gain access to its data.” When Apple releases iOS 9 this month, all phones running it will require 6 digits, but even with those extra digits the passcode is not strong enough. As an attorney, you need to go beyond basic security to preserve attorney-client privilege. That’s where the complex passcode comes in. Passcodes can contain letters and are unlimited in length. Pick a combination of upper- and lower-case letters as well as numbers, and make sure it’s at least 8 characters long. You can test the strength of your passcode at https://howsecureismypassword.net/.
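To make the arithmetic behind that advice concrete, here is an added example (not from the original post) that computes the size of the guess space for a passcode from the character classes it uses, checks it against the article's rule of thumb, and estimates how long an exhaustive search would take at an assumed guess rate. The sample passcodes and the guess rate are constructed for illustration.

```python
import math
import string

# Character classes a passcode can draw from and the size of each class.
# An attacker who knows the length and the classes in use must try, in the
# worst case, (sum of class sizes) ** length guesses.
CLASSES = [
    ("digits", set(string.digits), 10),
    ("lowercase", set(string.ascii_lowercase), 26),
    ("uppercase", set(string.ascii_uppercase), 26),
    ("symbols", set(string.punctuation), len(string.punctuation)),
]


def keyspace(passcode: str) -> int:
    """Worst-case number of guesses needed to exhaust the passcode's space."""
    alphabet = 0
    for _, members, size in CLASSES:
        if any(ch in members for ch in passcode):
            alphabet += size
    if alphabet == 0:
        raise ValueError("passcode uses no recognised character class")
    return alphabet ** len(passcode)


def bits_of_entropy(passcode: str) -> float:
    """Keyspace expressed in bits; every extra bit doubles the search."""
    return math.log2(keyspace(passcode))


def meets_article_advice(passcode: str) -> bool:
    """The article's rule: at least 8 characters mixing upper, lower and digits."""
    return (
        len(passcode) >= 8
        and any(c.islower() for c in passcode)
        and any(c.isupper() for c in passcode)
        and any(c.isdigit() for c in passcode)
    )


def worst_case_seconds(passcode: str, guesses_per_second: float) -> float:
    """Time to try every passcode at the given rate (assumption supplied by caller)."""
    return keyspace(passcode) / guesses_per_second


if __name__ == "__main__":
    # Constructed sample passcodes; the guess rate is an assumption, not a
    # measurement of any real device.
    assumed_rate = 1.0  # one guess per second against the lock screen
    for sample in ("1234", "123456", "Ab3dEf9h"):
        print(
            f"{sample:10} keyspace={keyspace(sample):>20,d} "
            f"bits={bits_of_entropy(sample):6.1f} "
            f"ok={meets_article_advice(sample)} "
            f"worst-case days={worst_case_seconds(sample, assumed_rate) / 86400:,.1f}"
        )
```

The keyspace is the honest upper bound only if the passcode is actually random; a dictionary word with a capital and a digit stuck on is searched far faster than `62**8` guesses, which is why the article suggests testing the specific passcode rather than trusting length alone.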

To turn off your old pin and set your new passcode, go to Settings on your iPhone, which looks like this gear icon:

[Screenshot: Settings icon]

From that menu, scroll down till you see Touch ID & Passcode:

[Screenshot: Touch ID & Passcode in Settings]

[Screenshot: Simple Passcode toggle]

If you have a 4-digit PIN set up, you will be asked to enter it. After you do, scroll down and toggle Simple Passcode to Off, then choose Change Passcode:

[Screenshot: Change Passcode screen]

Et voilà! You have now made your iPhone more secure.

How to unshorten and shorten links

You might be familiar with shortened links from social media or email. They’re handy for keeping things tidy and within a character limit, but you can’t see what you’re clicking on. What if the link is malicious or just a waste of time? Turn that short link into a long link with unshort.me and see where you’re going. Copy and paste the short URL into the text box, and the site will expand it for you. A Chrome extension is available, allowing you to right-click and unshorten any short link you see on the web.
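What an unshortening service does under the hood is follow the HTTP redirect chain one hop at a time without loading the final page. The following is an added example (not code from unshort.me or the original post) that does this in plain Python: it issues HEAD requests, refuses to follow more than a fixed number of hops, and reports redirect loops instead of spinning forever. The `head` parameter exists so the chain can be resolved against a constructed redirect table offline; the host names in that table are made up.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def http_head(url: str, timeout: float = 5.0):
    """Issue one HEAD request and return (status, Location header) without following it."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def unshorten(url: str, head=http_head, max_hops: int = MAX_HOPS):
    """Follow redirects hop by hop.

    Returns (chain, outcome) where chain lists every URL visited in order and
    outcome is "resolved", "loop" or "too-many-hops". The caller sees the whole
    path, including any tracking hosts in the middle, not just the final page.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain, "resolved"
        next_url = urljoin(chain[-1], location)  # Location may be relative
        chain.append(next_url)
        if next_url in seen:
            return chain, "loop"
        seen.add(next_url)
    return chain, "too-many-hops"


# Constructed redirect table standing in for real servers (hosts are fictional).
CONSTRUCTED_REDIRECTS = {
    "http://short.example/abc": (301, "https://tracker.example/r?x=1"),
    "https://tracker.example/r?x=1": (302, "/final"),
    "https://tracker.example/final": (200, None),
    "http://short.example/loop": (302, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "http://short.example/loop"),
}


def fake_head(url: str):
    """Offline stand-in for http_head that answers from the constructed table."""
    return CONSTRUCTED_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    for start in ("http://short.example/abc", "http://short.example/loop"):
        chain, outcome = unshorten(start, head=fake_head)
        print(outcome, " -> ".join(chain))
```

Against live servers call `unshorten(url)` with the default `head`; a HEAD request still contacts each host in the chain, so a link's owner can learn that it was checked, which is the same trade-off the web service makes on your behalf.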

Conversely, you may want to shorten links, either to fit a character limit or to clean up an email. For instance, the URL for the 2012 Law Practice Management & Tech Tips for Lawyers program is http://www.chicagobar.org/source/Meetings/cMeetingFunctionDetail.cfm?section=Calendar&product_major=C8215W&functionstartdisplayrow=1. Instead, you can shorten the link with Bit.ly to http://bit.ly/1EaKaU7 and reach the same webpage. The first link is long, can’t really be read out to someone, breaks onto a new line, and is cumbersome. Bit.ly neatens it up.

[Screenshot: Bit.ly]

There are many URL shorteners available for free on the web, such as ow.ly, goo.gl, and the originator of this technology, tinyurl.com, but Bit.ly has some really useful features. It has browser plugins for all major browsers, so it is always available in one click. You can also add notes to the link, create link bundles (see: http://bitly.com/bundles/catherinereach/3), create private links, share via email in one click, and track whether people have clicked on the link. Finally, you can customize the link, so the above Bit.ly link (http://bit.ly/1EaKaU7) can become http://bit.ly/2015techtips.

Check it out and get your free account at http://bitly.com

Disaster Planning: Turn Off Email Address Autocomplete

February LPMT Tech Tip

Headline after headline reveals attorneys suffering disasters because of mis-sent email. While slowing down and paying more attention can help, turning off some of the convenience features built into email applications can’t hurt either. In MS Outlook (2010 & 2013) go to File – Options – Mail – Send Messages and uncheck “Use Auto-Complete List to Suggest Names when Typing in the To, CC, and BCC Lines”.

[Screenshot: Auto-Complete List option]

Then click on “Empty Auto Complete List”.

[Screenshot: Empty Auto-Complete List button]

If that seems a bit too nuclear, you can selectively remove old or easy-to-abuse AutoComplete email addresses by clicking the X next to a name when it appears in the suggestion list. This clears it from your auto-complete list.

[Screenshot: removing a name from the AutoComplete list]

If you use keyboard shortcuts like <Ctrl + Enter> to send an email, you can turn that off too. Why? Because this method is so quick that it can be dangerous! Uncheck the option box, which appears in the same options menu as AutoComplete. Now you won’t be able to create a disaster in the blink of an eye.

[Screenshot: Ctrl + Enter send option]

For Gmail you must delete individual contacts for them not to show up in AutoComplete, though you can go to Settings and choose to add contacts yourself instead of the default “When I send a message to a new person, add them to Other Contacts so that I can auto-complete to them next time”.

[Screenshot: Gmail contacts setting]

There are other remedies for common mistakes, like the “Reply All” monitor from Sperry for MS Outlook or Google’s “Undo” option in Labs (which can also be done in MS Outlook and is actually just putting a short delay on the “send” time). However, the main way to avoid having embarrassing, costly or worse things happen from misuse of email is simply to slow down before hitting the send button.

5 THINGS YOU CAN DO RIGHT NOW TO PROTECT YOUR LAW FIRM FROM HEARTBLEED

As an attorney you work with sensitive client documents. Whether you entrust those documents to a file cabinet in your office or to a cloud service like Dropbox or Box, the onus is on you to safeguard your clients’ information. Cloud services provide a huge benefit to large and small businesses alike and have been embraced by many attorneys and firms. But when there is a serious security breach like Heartbleed, it’s imperative that you have a basic understanding of what happened, what it means to you, and what it could mean for your clients.

How it works

Heartbleed is the result of a bug in OpenSSL, an encryption library widely used across the Internet by websites both large and small. The bug had been present on web servers across the Internet for several years, so hackers could have taken advantage of it in the past if they had found it themselves before it was publicly announced on April 7th 2014. The bug allows malicious hackers to submit a specially crafted request to a web server that triggers the server to respond with much more information than it should. This additional information could be meaningless letters and numbers, or it could be sensitive information from website visitors, including usernames and passwords, credit card information, or other sensitive and private data.
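The mechanism described above, reduced to its essentials, is a missing length check: the request says how many bytes to echo back, and the vulnerable server believed that number instead of comparing it with how much data actually arrived. The following is an added example (not OpenSSL's code, nor from the original post) that models a heartbeat handler in pure Python, with the pre-patch behaviour beside the corrected one. The "server memory" and the credentials sitting in it are constructed sample values, and the record layout is simplified to a type byte, a two-byte declared length and the payload.

```python
import struct

HEARTBEAT_REQUEST = 1

# Constructed model of server memory: the heartbeat payload is stored at the
# front, and data belonging to other visitors happens to sit right behind it.
SERVER_MEMORY = bytearray(
    b"hello" + b"\x00" * 3 + b"user=alice&password=hunter2" + b"\x00" * 16
)


def build_heartbeat(payload: bytes, declared_length: int) -> bytes:
    """Encode a heartbeat record: type (1 byte), declared payload length (2 bytes), payload."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_length) + payload


def handle_heartbeat_vulnerable(record: bytes, memory: bytearray) -> bytes:
    """Pre-patch behaviour: trusts the declared length.

    The payload is copied into the buffer, then 'declared' bytes are echoed back
    starting from the same spot. If 'declared' exceeds the real payload size, the
    reply carries whatever else was in memory after it.
    """
    _hb_type, declared = struct.unpack("!BH", record[:3])
    payload = record[3:]
    memory[0 : len(payload)] = payload  # same-length slice assignment, buffer size unchanged
    return bytes(memory[:declared])  # model stops at the buffer end; real memory did not


def handle_heartbeat_fixed(record: bytes, memory: bytearray):
    """Patched behaviour: the declared length must fit inside the record actually received."""
    _hb_type, declared = struct.unpack("!BH", record[:3])
    payload = record[3:]
    if 3 + declared > len(record):
        return None  # silently discard the malformed heartbeat
    memory[0 : len(payload)] = payload
    return bytes(memory[:declared])


def demo():
    """Run a well-formed and an over-declared heartbeat through both handlers."""
    normal = build_heartbeat(b"hello", 5)
    over_declared = build_heartbeat(b"hello", 40)  # 5 bytes sent, 40 requested back
    return {
        "normal_vulnerable": handle_heartbeat_vulnerable(normal, bytearray(SERVER_MEMORY)),
        "normal_fixed": handle_heartbeat_fixed(normal, bytearray(SERVER_MEMORY)),
        "over_vulnerable": handle_heartbeat_vulnerable(over_declared, bytearray(SERVER_MEMORY)),
        "over_fixed": handle_heartbeat_fixed(over_declared, bytearray(SERVER_MEMORY)),
    }


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name:18} -> {reply!r}")
```

The fix is a single comparison between what the sender claimed and what the server actually received; that is the check a code reviewer looks for wherever a length travels inside the data it describes.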

What this means to you

It is possible that hackers could have retrieved any information that you have exchanged with a website affected by Heartbleed. The data retrieved would have been in relatively small chunks so it is not likely that complete documents would have been compromised. Hackers would primarily be looking for usernames, passwords, and other personal or financial credentials.

How to protect yourself

  1. Check to see if the websites you use were affected by Heartbleed
    LastPass, a company that offers a secure password service, has a webpage you can use to see if the websites you frequent were, or are, affected by the Heartbleed vulnerability at https://lastpass.com/heartbleed/. Many companies have already sent emails to their customers and/or released public statements. If you have any questions about the security of the websites you use you may also want to reach out to them for comment.

  2. Change your passwords
    As a precaution, even websites known to be unaffected by Heartbleed are recommending that users change their password. When was the last time you changed your passwords? You may want to take this opportunity to change them now and set a reminder on your calendar to change them on a set schedule.

  3. Use a password manager like LastPass
    Since you’re changing your passwords, now is a perfect time to evaluate secure password managers like LastPass, https://lastpass.com/. Services like LastPass help you to:

      • Keep track of all of your passwords across all of the websites you use
      • Make it easy to change and not have to remember all of your passwords
      • Use a different password for every website you use without having to remember each one
      • Encourage you to easily make use of very long and complex passwords

  4. Consider notifying your own clients
    In some cases, you might consider putting your own clients’ minds at ease by notifying them that you are aware of Heartbleed and that you’ve checked with your partners and service providers to ensure that their systems are now protected against this vulnerability, especially if you use a secure client portal.

  5. Be vigilant
    Monitor any web service accounts that you have for suspicious activity, such as Dropbox, Box, your bank and credit card accounts. Keep a close eye on them as a precaution and if you notice suspicious activity change your password immediately and notify the company.

Set Up Two-Factor Authentication – What Are You Waiting For?

The threat of hackers compromising not only your information, but confidential client files, means it is more urgent than ever to take steps to protect your online accounts and services. Fortunately, two-step authentication makes higher protection easy and seamless for today’s most popular web-based tools and services.

Read the article, appearing in the February 2013 edition of Law Practice Today

Disable Java Now

In the past two days I have received a SANS Security OUCH! Newsletter on security issues with Java from Oracle, followed by notices in technology media and daily news media that the Department of Homeland Security has issued a warning to uninstall or disable Java because of a zero-day exploit that has not been patched and could lead to theft of personal information, access to data, etc. So, what to do?

It is likely that you will not notice the difference if you turn off Java in your browser. A few popular web conferencing tools use it, but you can re-enable it if necessary. For software like OpenOffice you need Java, but not enabled in the browser.

Java has instructions on its site to disable it in all browsers if you have version 7.10. If you don’t, there are instructions for disabling it in every major browser. DHS provides instructions on disabling Java in Internet Explorer if you are not running Java 7.10. This requires surgery, so if you don’t have Java 7.10 the recommendation is to use a different browser for “different activities”.

If you want to check what version of Java you are running go here: http://www.java.com/en/download/installed.jsp . You can update it in Windows 7 by going to Control Panel – Java – Update.

Layering Security: Two Factor Authentication

“In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”

Thus starts the story of Mat Honan, a writer for Wired Magazine. Mat’s story should be a cautionary tale for all, especially lawyers, whose duties to maintain the confidentiality of client data extend the need for added security beyond mere personal inconvenience. Mat admits that much of what happened could have been avoided by using two factor authentication on his Google account and other security measures. So, why didn’t he do it? Because adding layers of security means adding a layer of complication, and sometimes inconvenience. However, recovering from a firm security breach or hack would be even more inconvenient.

Google’s Gmail, Google Chrome, LastPass, Dropbox, WordPress and many other popular services have added an extra layer of security that a user must enable, called “two factor authentication”. The concept is that a person cannot access another user’s account without something she knows and something she has. In the case of these popular services the solution is a strong password plus a secondary code that is sent via text to a smartphone or mobile device. Both are required to access the account. For two factor access to laptops there are devices like USB tokens and smart cards that must be plugged in for the machine to boot up. Likewise you can buy external biometric security devices, such as a fingerprint reader, which substitute what the user is for what the user has.
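To show what "both are required" means on the server side, here is an added example (not code from any of the services named, nor from the original post) of a login flow with a password as the first factor and a texted one-time code as the second. The code is never stored in clear, expires after a fixed window, and can be used exactly once. The `clock` parameter and the 300-second window are assumptions made so the expiry can be demonstrated offline; the sample user and password are constructed, and in a real deployment `start_login` would hand the code to an SMS gateway rather than return it.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a texted code is valid for five minutes
PBKDF2_ROUNDS = 100_000


class TwoFactorLogin:
    """Password (something you know) plus a one-time code (something you have)."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so expiry can be tested offline
        self.users = {}           # username -> (salt, password hash)
        self.pending = {}         # username -> (salt, code hash, expiry time)

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt, stored = self.users[username]
        return hmac.compare_digest(stored, self._hash(password, salt))  # constant-time

    def start_login(self, username: str, password: str):
        """Factor one. On success, mint the one-time code that would be texted to the phone.

        The code is returned only so this example can simulate delivery; the
        server keeps just a salted hash of it, plus the time it stops being valid.
        """
        if not self.check_password(username, password):
            return None
        code = f"{secrets.randbelow(1_000_000):06d}"
        salt = secrets.token_bytes(16)
        self.pending[username] = (salt, self._hash(code, salt), self.clock() + CODE_TTL_SECONDS)
        return code

    def finish_login(self, username: str, code: str) -> bool:
        """Factor two. One attempt per issued code: pop it whether or not the guess is right."""
        entry = self.pending.pop(username, None)
        if entry is None:
            return False  # no password step completed, or code already consumed
        salt, code_hash, expires_at = entry
        if self.clock() > expires_at:
            return False  # expired; the user must start over from the password
        return hmac.compare_digest(code_hash, self._hash(code, salt))


if __name__ == "__main__":
    svc = TwoFactorLogin()
    svc.register("alice", "correct horse battery staple")  # constructed credentials
    code = svc.start_login("alice", "correct horse battery staple")
    print("texted code (simulated):", code)
    print("second factor accepted:", svc.finish_login("alice", code))
    print("replay of same code accepted:", svc.finish_login("alice", code))
```

Popping the pending entry on every attempt is a deliberate choice: a six-digit code has only a million possibilities, so letting a caller retry against the same code turns the second factor into a guessing game. Rate limiting on `start_login` would be the next thing to add in production.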

The SANS Institute OUCH! newsletter this month provides further information and links on two factor authentication for popular online services. When enabling two factor authentication make sure to read all the instructions carefully. Matt Cutts blogs for Google on how two factor authentication works with Gmail, and dispels some myths about the difficulties it supposedly adds to accessing your email.

Want to learn more about security best practices for your law firm? Sign up for the CBA CLE (1.5 IL PR Credit) “Lighting the Corners: Security Best Practices” in person or webcast on November 20 at 12 CT.

Five Steps for Added Security

My new article in Slaw.ca, “Five Steps for Added Security”:

Most lawyers and law firms know what they should be doing to maintain a secure computing environment in order to comply with ethics rules regarding confidentiality, as well as data breach notification laws. This list includes maintaining firewalls and up-to-date anti-virus and anti-malware, maintaining vigilance when opening attachments and surfing the Internet, using strong and different passwords for each important login, scrutinizing the security protocols of cloud providers, maintaining adequate backup files, and keeping operating systems patched. However, there are still almost daily reports of companies – and even law firms – experiencing breaches. What else can be done to minimize risk? In a fascinating four part discussion in Forbes, security expert Alan Paller, director of research for the SANS Institute, writes of a conversation with a managing partner and IT partner at a large New York law firm. The topic? A data breach at the law firm. The firm was notified by the FBI that client data had been found on servers in China. The partners wanted Paller to explain how this could have happened – and how to avoid a recurrence. What can you do to keep hackers at bay that you aren’t doing now?