As an attorney, you work with sensitive client documents. Whether you entrust those documents to a file cabinet in your office or a cloud service, like Dropbox or Box, the onus is on you to safeguard your clients’ information. Cloud services provide a huge benefit to large and small businesses alike and have been embraced by many attorneys and firms. But when there is a serious security breach like Heartbleed, it’s imperative that you have a basic understanding of what happened, what it means to you, and what it could mean for your clients.
How it works
Heartbleed is the result of a bug in the “OpenSSL” encryption mechanism, which is widely used across the Internet by websites both large and small. This bug has been present on web servers across the Internet for several years. Hackers could have taken advantage of this vulnerability in the past if they had found it themselves before it was publicly announced on April 7th, 2014. The bug allows malicious hackers to submit a specific request to a web server that triggers the server to respond with much more information than it should. This additional information could be meaningless letters and numbers, or it could be sensitive information from website visitors, including usernames and passwords, credit card information, or other sensitive and private data.
What this means to you
It is possible that hackers could have retrieved any information that you have exchanged with a website affected by Heartbleed. The data retrieved would have been in relatively small chunks, so it is not likely that complete documents would have been compromised. Hackers would primarily be looking for usernames, passwords, and other personal or financial credentials.
How to protect yourself
Check to see if the websites you use were affected by Heartbleed
LastPass, a company that offers a secure password service, has a webpage at https://lastpass.com/heartbleed/ that you can use to see if the websites you frequent were, or are, affected by the Heartbleed vulnerability. Many companies have already sent emails to their customers and/or released public statements. If you have any questions about the security of the websites you use, you may also want to reach out to them for comment.
Change your passwords
As a precaution, even websites known to be unaffected by Heartbleed are recommending that users change their passwords. When was the last time you changed your passwords? You may want to take this opportunity to change them now and set a reminder on your calendar to change them on a set schedule.
Use a password manager like LastPass
Since you’re changing your passwords, now is a perfect time to evaluate secure password managers like LastPass, https://lastpass.com/. Services like LastPass help you to:
- Keep track of all of your passwords across all of the websites you use
- Change your passwords easily without having to remember them all
- Use a different password for every website you use without having to remember each one
- Make use of very long and complex passwords with ease
Consider notifying your own clients
In some cases, you might consider putting your own clients’ minds at ease by notifying them that you are aware of Heartbleed and that you’ve checked with your partners and service providers to ensure that their systems are now protected against this vulnerability, especially if you use a secure client portal.
Monitor any web service accounts that you have, such as Dropbox, Box, and your bank and credit card accounts, for suspicious activity. Keep a close eye on them as a precaution, and if you notice suspicious activity, change your password immediately and notify the company.