Category Archives: IT Security

Google Simplifies E-mail Security

Google’s introduction of new encryption tools may be one of the most favorable security developments in a while. A New York Times article, Google Offers New Encryption Tool, explains:

The tool, called End-to-End, uses an open-source encryption standard, OpenPGP, that will allow users to encrypt their email from the time it leaves their web browser until it is decrypted by the intended recipient. It will also allow users to easily read encrypted messages sent to their web mail service. The tool will require that users and their recipients use End-to-End or another encryption tool to send and read the contents.

This could be a major blow to the N.S.A. Despite numerous cryptographic advances over the past 20 years, end-to-end email encryption like PGP and GnuPG is still remarkably labor-intensive and requires a great deal of technical expertise. User mistakes — not errors in the actual cryptography — often benefited the N.S.A. in its decade-long effort to foil encryption.

The point is: NSA can decrypt or otherwise access just about any message–even if they have to break into your office and install spying tools on your computer. However, they can’t decrypt or steal every message. Even they don’t have that many resources. Increasing the use of encryption makes everyone safer from snoops, whether garden variety or super snoop.


New Ways to Stay Safe on the Internet

Lincoln Mead has some fresh ideas on Internet security in the ABA’s Law Practice Magazine. Here’s one that was new to me:

Web sessions come in two flavors: “http” and “https.” The latter is the important one as it designates that your connection to a Web server is encrypted. By default, the Web server will provide unencrypted “http.” You can force your browser to use “https” by installing a small browser plug-in. In Chrome and Firefox, use HTTPS Everywhere (https://www.eff.org/https-everywhere). However, in Internet Explorer and in Safari, no option currently exists to force “https.”

One consideration for forcing “https” is that it can affect the speed of the browser, as the tool tries to complete an “https” connection to services that may not offer such access.

Problems With E-mail Disclaimers/Warnings

It’s smart to include disclaimers in all your e-mail messages, right? A friend of mine summarized her advice at a legal conference a few years ago as “Disclaim, Disclaim, Disclaim.”

Is it really that easy? Some people think disclaimers and warnings may hurt more than they help.

A Lawyerist article entitled This Post is Privileged and Confidential has some good observations on the nearly ubiquitous disclaimers in e-mail messages:

There are several problems with these disclaimers, aside from cluttering up email threads. For one, attorney-client privilege and confidentiality are not the same thing. Without digressing too much, suffice it to say that while all attorney-client privileged communications are confidential, only a small portion of the client information lawyers are required to treat as confidential is also privileged. Another incongruity is that an email intentionally sent from a lawyer to almost anyone except a client will not be confidential or privileged at all (setting aside agents or experts the lawyer may be contacting on the client’s behalf or negotiations subject to a confidentiality agreement or rule). So for the vast majority of emails that lawyers send — to colleagues, to witnesses, to vendors, to friends, to listservs, etc. — the disclaimer is meaningless.

Undermining Disclaimers Through Overuse

Which brings us to the real problem with these disclaimers. By overusing them, lawyers may be undermining the effectiveness of disclaimers in protecting the confidential or privileged nature of the information in the email in the (hopefully) rare event that an email is misdirected (or inadvertently produced in discovery).

In Scott v. Beth Israel Medical Center Inc., 847 N.Y.S.2d 436, 444 (2007), the court refused to find that a series of emails were privileged just because they contained a disclaimer that was found in every email sent by the plaintiff. Moreover, by overusing disclaimers and privilege warnings, lawyers are training the world to ignore them — which is precisely what we don’t want people to do.

Want to keep your communications confidential? Encrypt them.

Jim Calloway’s Advice on Win XP

The ever-sensible Jim Calloway doesn’t want us to wind up with a big April Fool’s cap on our heads:

So for those of you who have used XP all these years, avoiding the pain of the Vista and the first release of Windows 8, why would I call you a fool for keeping on keeping on? Because the end of support means no security upgrades and many of us, including Microsoft, are predicting a huge malware spike in the days following April 8. It really makes sense, doesn’t it? A malware designer who has developed some atrocious thing to steal credit card numbers, hijack your computer or just make it inoperable who releases it now would likely be stymied by a patch or fix released by Microsoft the very next “Patch Tuesday.” But after April 8, it will be clear sailing.

via Lawyers, Don’t be an April Fool for Windows XP – Jim Calloway’s Law Practice Tips Blog.

The Folly of “Secret Questions”

Many websites, including banks, have gone to the practice of allowing users who have lost passwords to obtain access to their accounts through the use of “secret questions.” For years the classic secret question was “Mother’s Maiden Name.” Though there is now more variety in secret questions, they still represent a giant security flaw. Security guru Bruce Schneier has written many times about this issue.

Serious attackers will often be able to figure out the answers by researching the subject–especially subjects who are indiscreet users of social media. Close friends or relatives inclined to access your accounts may not even have to do all that much research. They may already know the brand of your first car, or the name of your favorite elementary school teacher. At a minimum, protect yourself by never giving a real answer when you set up a “secret question.”

Why do banks like to use such insecure techniques? From their point of view, it’s better than having to deal with an angry customer who has lost his password. Any losses the practice may cause are an “externality,” a cost not borne by the bank.

Beverly Michaelis On Coping with Gmail Outages

Oregon Law Practice Management notes:

According to Business Insider, Google’s own redundant backups ensure that you will eventually reclaim all your data. You can rely on this or implement your own recovery plan. [Hint: implement your own plan].

Pretty good hint! Beverly Michaelis goes on to explain exactly what to do and how to do it.

Lots of things to like about the Oregon Law Practice Management blog, including the elegant and effective “About” page, which has given me some ideas for upgrading mine. My favorite part is the use of Flickr photos showing the natural beauty of that wonderful state. 


Negative Attitudes Toward Encryption Linger

Did the Department of Justice unwittingly cause the current pathetically weak condition of U.S. computer security?

Some would say that through the Department’s treatment of leading encryption advocate Phil Zimmermann in the 90s, the government created a sort of cloud over the use of this common-sense security practice. By threatening to prosecute those who developed and distributed strong encryption, the government discouraged vendors from making their products secure.

The case of United States v. Boyajian, 2013 WL 4189649 (C.D. Cal. 2013) (summary) is a great example. The issue was whether the defendant’s use of encryption made it more likely that he had committed criminal acts.

The court decided that the encryption evidence carried a substantial risk of unfair prejudice to the defendant: it tended to prove that his character was dishonest and that he did not respect the law, by suggesting that he had a character trait for secretively flouting rules and social norms.

Wow! If I put a lock on my front door, it means I don’t want people, especially malefactors, entering at will. It doesn’t mean I’m a criminal. Encrypting my computer is no different.

The ill-considered DOJ policies from the 90s have left a legacy of ugly attitudes that have facilitated the wave of computer crime that threatens to engulf us today.

Future Looks Grim for Passwords as Security Mechanism

Dark Reading has a great explanation for why passwords provide less protection than they used to. Here’s an excerpt:

During the past half-decade, three factors have fueled a renaissance in password cracking. While password-recovery programs have gained immense computational power by offloading the intensive calculations of dictionary-based and brute-force guessing to off-the-shelf graphics processors, users continue to use the same mnemonics to create passwords that seem secure while being easily memorized. Yet the insecurity of websites — from LinkedIn to Stratfor and from RockYou to Sony — has given researchers real-world lists of millions of hashes from which to uncover the systems that people use to create their passwords.

The result is that, at the same time that the power of cracking programs has skyrocketed, researchers are smarter at guessing the ways that users might create passwords, whittling down the lists of possible passwords. By creating better word lists and more intelligent methods of mangling real words and phrases, hackers and researchers can make an untenable computational problem much more feasible, said Olga Koksharova, spokeswoman for password-recovery firm ElcomSoft, in an e-mail interview.
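The two factors the excerpt describes, cheap guessing and smarter wordlists, only bite when the stored hashes are fast and unsalted, which is what the breached sites it names were keeping. The following is an added example (not code from Dark Reading, ElcomSoft, or this blog) that runs a small mangling-rule wordlist against a constructed set of four accounts stored two ways: unsalted MD5, where one hash computation covers every user at once, and per-user salted PBKDF2-HMAC-SHA256, where every guess must be recomputed for each user at a thousand times the cost (the iteration count here is a demo value; production guidance is in the hundreds of thousands). The usernames, passwords and wordlist are all invented for the demo.

```python
import hashlib
import os

# Constructed sample data (not a real breach): four accounts, two of which
# reuse a common word, one of which uses a mangled seasonal word.
SAMPLE_USERS = {
    "alice": "Summer2014!",
    "bob":   "password",
    "carol": "tundra-velvet-ox-lantern-91",
    "dave":  "password",
}

# Small constructed wordlist standing in for the "better word lists" the
# article mentions.
BASE_WORDS = ["password", "summer", "welcome", "letmein", "dragon"]

# Demo work factor only; production guidance for PBKDF2-HMAC-SHA256 is in
# the hundreds of thousands of iterations.
DEMO_ITERATIONS = 1000


def mangle(word):
    """Apply a few mangling rules (capitalisation, digit/year/'!' suffixes)
    in a fixed order, so candidate order is deterministic."""
    forms = []
    for form in (word, word.capitalize(), word.upper()):
        if form not in forms:
            forms.append(form)
    for form in forms:
        for suffix in ("", "1", "123", "2014", "!", "2014!"):
            yield form + suffix


def build_candidates(base_words):
    """Expand the wordlist into deduplicated guesses, preserving order."""
    seen = set()
    out = []
    for word in base_words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def unsalted_md5_store(users):
    """Weak storage: identical passwords give identical digests, so the map
    is digest -> [users], and one guess can hit many accounts at once."""
    store = {}
    for user, pw in users.items():
        digest = hashlib.md5(pw.encode()).hexdigest()
        store.setdefault(digest, []).append(user)
    return store


def salted_pbkdf2_store(users, iterations):
    """Stronger storage: a random 16-byte salt per user and a slow KDF."""
    records = []
    for user, pw in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        records.append((user, salt, digest))
    return records


def crack_fast_hashes(store, candidates):
    """Against unsalted MD5 every guess is hashed once and checked against
    all users. Returns (user -> recovered password, hashes computed)."""
    found = {}
    for cand in candidates:
        digest = hashlib.md5(cand.encode()).hexdigest()
        for user in store.get(digest, []):
            found[user] = cand
    return found, len(candidates)


def crack_slow_hashes(records, candidates, iterations):
    """Against salted PBKDF2 every guess must be recomputed per user, and
    each guess costs `iterations` HMAC evaluations instead of one.
    Returns (user -> recovered password, KDF evaluations performed)."""
    found = {}
    evaluations = 0
    for user, salt, digest in records:
        for cand in candidates:
            evaluations += 1
            guess = hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, iterations)
            if guess == digest:
                found[user] = cand
                break
    return found, evaluations


if __name__ == "__main__":
    cands = build_candidates(BASE_WORDS)
    fast_found, fast_work = crack_fast_hashes(unsalted_md5_store(SAMPLE_USERS), cands)
    slow_found, slow_evals = crack_slow_hashes(
        salted_pbkdf2_store(SAMPLE_USERS, DEMO_ITERATIONS), cands, DEMO_ITERATIONS)
    print(f"{len(cands)} candidates from {len(BASE_WORDS)} base words")
    print(f"unsalted MD5: recovered {fast_found} with {fast_work} hash computations")
    print(f"salted PBKDF2: recovered {slow_found} with {slow_evals} KDF calls, "
          f"each {DEMO_ITERATIONS}x the cost of one hash")
```

Both stores give up the same three weak passwords, because salting and a slow KDF do not rescue a password that is on the attacker's list; what changes is the bill. Ninety MD5 computations cover all four accounts, while the salted store needs 122 separate PBKDF2 runs (the unguessable passphrase alone absorbs the whole list), each of them a thousand hash operations in this demo. With a production iteration count and a real wordlist, that per-user, per-guess cost is what turns the GPU advantage the article describes back into an economic problem for the attacker.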
