Tag Archives: hack

Juice Jacking

Posted on by
1
Photo by ThisIsEngineering on Pexels.com

While traveling is not as prevalent as it was before COVID-19, we remain mobile. That means you can still run out of juice while away from the office.

Did you know that using a charging port, borrowing a cable, or relying on someone else’s external battery can put your smartphone, tablet, or laptop at risk?

The problem is malware, in which hackers take advantage of USB connections to hide and deliver secret data payloads that a user might think was only transferring electrical power. This is called “juice jacking.” Its visual counterpart, known as “video jacking,” occurs when a hacker records and mirrors the screen of a device that was plugged in for a charge.  

Protect Yourself from Data Theft

The FBI recommends:

DoDon’t
Use AC power outlets to charge devicesUse USB charging stations in public places
Buy only from trusted suppliersAvoid cheap deals and free giveaways
Bring your own car chargerDon’t borrow car chargers
Bring your own USB cablesDon’t use someone else’s
Bring your own AC or battery backupNo borrowing!
FBI TECH TUESDAY

Best Practices

  • Consider buying a charging-only cable, which prevents data from sending or receiving while charging. 
  • Discard any free USB cables, chargers, adapters, or similar accessories that you received as a promotional item. They are too risky, warns the FBI. Microcontrollers and electronic parts have become so small these days that criminals can hide mini-computers and malware inside a USB cable itself.  
  • As we move into the holiday season, you may be tempted to buy cheap electronic accessories as stocking stuffers or gifts. Please think twice. Consider the source and the manufacturer when making your purchases. Proprietary cables, chargers, adapters, docks, or battery backups often feel like they cost more than they should. (Pssst … Are you listening Apple?) But imagine what you’d spend trying to recover from data theft and fraud if a hacker gained access to your device? It isn’t worth it.

There’s another good reason to buy genuine electronic accessories from the manufacturer. They prolong the life of your device by charging it properly and completely.

As an example, the charging cables for your iPhone and iPad are not identical. The same is true of Samsung devices. I’m not saying that switching out proprietary chargers among your devices won’t work. I am saying that doing so is not optimal. And that’s within the same device manufacturer ….

Before we had to worry about juice jacking, I fell down the path of cheapie chargers. I learned quickly that I was wasting my money. If you don’t believe me, just Google “why cheap charging accessories don’t work,” to see pages of posts and warnings.

Better safe than sorry.

All Rights Reserved 2020 Beverly Michaelis

Cybercrime: An Ongoing Threat to Law Firms

Posted on by
1

In the most recent issue of Law Practice Today Sheri Davidoff describes how hackers exploit weak security measures to steal from you and your clients. The most common targets: your email, logins, and files.

Email hacks

Once a hacker gains access to your email, he or she may download your entire mailbox, set up a rule to forward your messages to their account, or use email content to begin victimizing clients.

Preventive steps

Use proper passwords

Pass phrases (sentences) are the best. Otherwise, choose passwords at least 14 characters in length which contain symbols and numbers. It is critical to create unique pass phrases or words for each login to limit the scope of a security breach. Do not share them. Do not write them on sticky notes posted to your monitor. A password manager can make the job easier.

Turn on two-factor authentication

This sounds fancy, and if you’re not familiar with it, intimidating. It is neither. Login as usual, have your smartphone or cell phone handy, and enter the code texted to you to complete your login. It’s that easy.

Biometrics

You can use your face or your fingerprint to login if your device or software supports it. A quick Google search generates pages of “pros and cons” posts, which I will avoid repeating here.

Limit substantive content in email

Consider limiting what you say by email when the information is sensitive. Pick up the phone or send the client a message prompting them to login to your secure client portal instead. As Davidoff points out in her post, “Hackers commonly search your correspondence for ongoing conversations of interest—such as a real estate purchase or other upcoming financial transaction. Then, they actively monitor these conversations to maximize their ability to intercept a payment.”

Malware and ransomware abound

The most likely way to get infected with malware or ransomware is to click on a suspicious attachment or link. Use common sense before you click and if in doubt: don’t! Even if the message appears to come from a trusted source. Pick up the phone or compose a new message and ask the sender if he/she sent the email. (Don’t ask by forwarding the suspicious message – you are only spreading the threat.)

The US Department of Homeland Security has valuable tips on combating malware and ransomware. Also, take a few minutes and peruse the resources available at the ABA Law Practice Division (search: “malware”) or checkout the Professional Liability Fund CLE, Data Security/Data Breach: What Every Lawyer Needs to Know to Protect Client Information.  

All Rights Reserved 2019 Beverly Michaelis

The Best Legal Blog Posts of 2016

Posted on by
2

2016-word-cloudIf you’ve followed my blog for a year or more, you know I generally publish a “Year in Review” post.  This December I thought I’d take a slightly different approach. Instead of a comprehensive list, I’m filtering it down to my personal favorites. And while it may be controversial, I’m calling this compilation The Best Legal Blog Posts of 2016.  There is plenty of good stuff out there, but this is the best that has appeared here.  Mostly my content, but also sourced from other great writers.

Client Relations

eCourt and court procedures

Finances

Marketing

Security

Staffing

Technology

Time Management

All Rights Reserved 2016 Beverly Michaelis

7 Steps You Can Take Now to Protect Your Data

Posted on by
1

lockUnless you’ve been playing ostrich, you’re likely aware that data breaches and ransomware are about as common as Mom and apple pie.  Witness the recent hack of 272 million Gmail, Microsoft, and Yahoo! accounts.

Fortunately, there are simple steps you can take now that will help protect your data.  [With thanks and all due credit to Lane Powell’s Beyond IP Law post, The Scariest Hack So Far, for inspiring this elucidation of their original list]:

Step 1: Start Using Encryption

For your desktop, cloud-based accounts, mobile devices – anywhere or any place you store or transmit confidential or private information.  For a thorough discussion of how to implement encryption throughout your firm, see Encryption Made Simple for Lawyers, now a book available for purchase on the ABA website.  (Non-ABA members in Oregon can save money at checkout by using the OSB Professional Liability Fund discount code: OSBPLF.)

Step 2: Set Up Two-Factor Authentication for Cloud Services

“The concept of two-factor authentication is that a person cannot access another user’s account without something she knows and something she has. In the case of popular services (like Google or Dropbox), the solution is a strong password plus a secondary code that is sent via text to a smartphone or mobile device.”  Catherine Sanders Reach, Set Up Two-Factor Authentication: What Are You Waiting For?  [Read Catherine’s post for step-by-step directions or search Help in your cloud-based service for assistance in setting up two-factor authentication.]

Step 3:  Erect Firewalls

Firewalls sit between you and the rest of the Internet.  They protect unauthorized access to your computer by ignoring or repelling information that appears to come from unsecured, unknown, or suspicious locations.  The best firewall configuration is a one-two punch:  hardware firewall + software firewall.

Setting up a hardware firewall requires no effort on your part.  While you can buy a stand-alone appliance, hardware firewalls are now automatically incorporated into your router (the box in your office or house installed by your Internet Service Provider).

Software firewalls are installed on your computer system like any other application, and are also easy/breezy since they are typically built into anti-virus software.  (See discussion that follows.)

Step 4: Install Anti-Virus, Anti-Malware, Anti-Spyware Programs and Keep Them Updated

This seems pretty explanatory, but let me add some free advice:

  • Don’t disable automatic updates to your virus definition database
  • Run quick scans when prompted
  • Run full scans at least monthly
  • Don’t ignore notifications that your software isn’t running properly

For a list of the best anti-virus utilities for PCs, see this list from PC Magazine.  For a list of the best anti-virus utilities for Macs, check out this MacWorld post.  For other recommendations, run a Google search.

My personal opinion: run far, far away from McAfee.  [I really don’t give a rip that it is “now part of Intel Security.”]  First, McAfee blocked access to my work VPN (virtual private network).  There was no way to set a rule or create an exception and tech support was incredibly unhelpful.  Second, McAfee is notoriously hard to uninstall. Using Add/Remove Programs in the Control Panel is only the first step; you must download a separate application from McAfee to get rid of it.  I mention this because McAfee tends to come pre-installed on laptops or desktops purchased from retailers like Best Buy.  What to do?  If McAfee was inflicted on you (pre-installed), get rid of it.  Follow the link above for the uninstaller.  Next, buy Kaspersky.  I have been very pleased with Kaspersky from day one and it has never interfered with my VPN connection.

Step 5:  Run Operating System and Other Software Updates

This also seems self-explanatory.  Mac and Windows OS ship with automatic updates enabled – don’t fuss with this.  If Microsoft or Apple thinks you need a security patch, a fix, or upgrade, let it run.  The same goes for every application installed on your computer:  Microsoft Office, Acrobat DC, Quicken, QuickBooks – let automatic updates run.  If you’re not sure whether automatic updates are enabled, check Help or search the product’s website.  Some programs also allow you to manually search for updates. Acrobat DC is an example.  In the menu, select Help, and choose “Check for Updates…”

Step 6:  Be Ready to Kill Your System If You Suspect a Breach

In the original post which inspired me to write on this topic, author Jane E. Brown comments: “Consider using a “kill switch”— when suspicious events happen, the IT department should automatically be notified and the network should shut down if no protective measures are taken.”

I have known of events that required a kill switch.  One Oregon lawyer was hacked via a phishing email.  The hacker was able to get enough information from the lawyer and the lawyer’s system to contact clients by email and request that they input credit card information to pay their bills. Fortunately, a few clients recognized that this request was outside the lawyer’s usual billing process and called the office.  The lawyer had to pull the kill switch and take other steps, including freezing bank accounts.  This turned out to be a smart move, as within 24 hours the hacker also attempted to withdraw thousands of dollars from the lawyer’s trust account.

Step 7:  Lose Your Device?  Lose Your Credentials.

There are some obvious times when it makes sense to reset or revoke user names and passwords (login credentials):

  • At termination
  • If a network-connected device is lost
  • You experience a security intrusion
  • Your security, privacy, or confidential policies are breached

Final Thoughtsth

None of these steps are difficult, but bouncing back from a security breach is.

 

 

[All Rights Reserved 2016 Beverly Michaelis]