Closing The Loop

Law firms are under enormous pressure to step up their data protection efforts. With 27 states adopting technology competency requirements at the time of this writing, attorneys who fail to make reasonable efforts to secure client information are risking their books of business, their reputations and, as a wide range of ethical guidance now hitches technology acumen to fitness to practice, their careers. 

No law firm wants to be the next Mossack Fonseca, which now hosts a separate damage control website to counter "inaccurate views" stemming from last year’s Panama Papers leak.

While it’s likely necessary for law firms to consult with qualified cybersecurity authorities to audit their security practices and IT systems, they must also pay close attention to a variety of emerging cyber attacks and vulnerabilities.  The four described below are only a sampling of the growing number of threats law firms should regularly patrol.

DDoS Attacks

Last summer’s data breaches involving Cravath Swaine and Moore and Weil Gotshal showed that even elite, deep-pocketed firms are not immune to cybercrime. During this data breach, a group of three hackers successfully infiltrated Cravath and Weil’s servers and stole confidential client information they used to make $4 million through insider trading (they've since been indicted). 

How did they obtain this information? With a now-prevalent hack called a distributed denial of service (DDoS). DDoS attacks occur when a hacker compromises multiple third-party servers and computers, and then sends mass website traffic from these compromised sources directly to a law firm’s website. Because the traffic volumes from a DDoS attack are typically well above what the firm’s website can handle, the attack causes the firm’s website to crash and become inoperable. 

The real danger of DDoS attacks extends beyond taking down the law firm's website. Often, these attacks serve as diversions that occupy scrambling lawyers and IT personnel while cybercriminals execute more sophisticated strikes -- for example, infiltrating firm servers to steal client data. While DDoS attacks are difficult to avoid, firms can mitigate the effects of possible attacks by working with their web hosting provider to implement server-side DDoS mitigation software or by putting their websites behind a content delivery network (CDN) service such as Cloudflare or Incapsula.

Dropbox Vulnerabilities

With over half a billion users, Dropbox has quickly become one of the most popular cloud-based document and data storage apps in the world. It has also become a go-to program for solo practitioners and small law firms; according to the most recent ABA Techreport, over half of solo and small firm lawyers use Dropbox to store, work on, and edit work-related documents.  These lawyers, however, should be paying close attention to Dropbox’s recent Smart Sync release, which allows users to directly access cloud-stored documents on their computers and devices without having to create and re-upload new versions of these files locally on their devices. 

In order to do this, however, Smart Sync requires “kernel access” to the account holder’s device, meaning that versions of Dropbox using Smart Sync will have an all-access VIP pass to the core function areas of your computers and devices. If this access falls into the wrong hands, both your computer and Dropbox account can be compromised -- as Dropbox can serve as a beachhead to access synced devices. While no Smart Sync breaches have been reported since Dropbox released this functionality in late January, it would behoove lawyers to explore cloud-storage software that provides more encryption functionality such as two-factor authentication, or use one-time password generation tools like YubiKey to add an extra layer of authentication to locally-stored files.

Stagefright

Lawyers, like everyone else, are likely to use personal devices to perform work outside the office, often outside the scope of their firm's BYOD policy. In fact, according to the ABA, about 1 out of every 4 lawyers uses a smartphone to access the internet to conduct legal work, while 1 out of every 5 lawyers uses a tablet for the same purpose.

While mobile device operating systems are regularly updated to patch potential security gaps, hackers have been keen to exploit one glaring vulnerability impacting both Android and Apple users. The attack is initiated by sending a smartphone user an email containing an image file or link that, when clicked on by the user, causes the mobile device operating system to crash.

Once the device restarts, it sends JavaScript code to the cybercriminal’s device that gives the criminal backdoor access to the victim’s device. After the victim’s device and the cybercriminal’s device subsequently exchange files, the cybercriminal eventually gains access to the target's device and can use it to spy on him or her. While the Android version of this attack is known as Stagefright -- named after Android’s media library framework, which is the central target in this type of attack -- the unnamed Apple version of the vulnerability can be much harder to avoid, since it can become activated after receiving an infected iMessage or email link. While Android users can use the Stagefright Detector app to determine whether their devices are at risk, both Android and Apple users should turn off MMS messaging in their settings to avoid putting their devices at risk.

SQL Injections

Email vulnerabilities can prove to be the downfall of law firms, and can compromise client trust if they are exploited. Hackers can access sensitive client data by executing an SQL injection, which overloads targeted email databases with malicious code instructions in order to open them up.

One way to figure out if your firm’s website or servers are vulnerable to SQL injections is to use Google Dorking, which is described in this Udemy tutorial. Google Dorking involves using specific search terms in Google’s search engine to pinpoint hidden files on your websites and servers that rely on scripts such as PHP, and then typing each URL you find in full into your web browser, followed by an apostrophe. If your browser displays the phrase “SQL error” after you try visiting the page, then that particular page or server connection is vulnerable to a SQL injection attack. Because PHP files are particularly vulnerable to SQL injections, any owners of WordPress-based websites should be on guard. If you find that any part of your website or servers is vulnerable, consult with a qualified expert to patch it.
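The apostrophe check described above, run against a local database as an added example (not code from the original post). The table, sample rows and function names are constructed for illustration, and Python's built-in sqlite3 stands in for the PHP and database stack the post mentions.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table standing in for a site's page index.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id TEXT PRIMARY KEY, title TEXT)")
    db.executemany(
        "INSERT INTO documents VALUES (?, ?)",
        [("1", "Engagement letter"), ("2", "Fee schedule")],
    )
    return db


def lookup_concatenated(db, doc_id):
    # Weak pattern: the URL parameter is pasted into the SQL text, so a stray
    # apostrophe alters the statement itself and the database reports an error.
    sql = "SELECT title FROM documents WHERE id = '" + doc_id + "'"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        return "SQL error: " + str(exc)


def lookup_parameterized(db, doc_id):
    # Corrected pattern: the value is bound separately from the SQL text,
    # so an apostrophe is treated as data and simply matches no row.
    sql = "SELECT title FROM documents WHERE id = ?"
    return [row[0] for row in db.execute(sql, (doc_id,))]


def apostrophe_check(handler, db, known_id="1"):
    # Mirrors the manual check: request a known page, then the same page
    # with a trailing apostrophe, and flag the handler if an SQL error surfaces.
    normal = handler(db, known_id)
    probed = handler(db, known_id + "'")
    return {"normal": normal, "probed": probed, "flagged": isinstance(probed, str)}


if __name__ == "__main__":
    db = make_db()
    for handler in (lookup_concatenated, lookup_parameterized):
        print(handler.__name__, apostrophe_check(handler, db))
```

Both handlers return the same row for a normal request; only the concatenated one is flagged, which is the difference a developer's fix needs to produce.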

As told to Eric Pesale, a soon-to-be attorney and founder of Write For Law. Eric is a regular contributor to the Logikcull blog, focusing on the legal impact of emerging technologies. He can be reached at [email protected] or on Twitter at @writeforlaw.
