Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

How Easy is it to Breach a Law Firm? A Teenager Proves It’s Easy

September 18, 2018

A blog post from our friend Bob Ambrogi should give everyone pause. As Bob noted, in July CNBC reported that a Russian hacker was selling access to the data of a New York City law firm for $3,500 on the dark web. According to Q6 Cyber, a cybersecurity company, the firm isn't alone. Similar information is for sale from firms nationwide. Not good news, eh?

It doesn't have to be advanced cybercriminals at work here. During a session at the International Legal Technology Association Conference (ILTACON), "Watch a 15 Year Old Hack Your Firm's Users," self-taught teen hacker Marcus Weinberger revealed how easy it is for a novice hacker to gain access to a firm's network.

When the session began, attendees were advised to turn off their Wi-Fi. Then Weinberger created an imposter Wi-Fi network. But even before he could access it himself, an attendee had already logged on.

As Bob notes, this attendee was immediately vulnerable to:

  • Having their password stolen. Too many people use the same login and password for every account, so once the hacker captures the credentials someone types while on the fake public Wi-Fi, those same credentials open the person's other websites as well.
  • A man-in-the-middle attack, where the hacker sits between two parties exchanging information and reads what passes between them. If you send an email to a client over the fake hotspot, the hacker can see it too.
  • Device control. Through fake public Wi-Fi, hackers can even take control of your device.

Weinberger explained that all it takes to fake public Wi-Fi is a few Google searches and hardware costing as little as $1.50 on eBay (if you're patient) or $50 on Amazon (if you're not). With a little time and money, you could have everything you need to breach a firm's network.
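The rogue hotspot in the demo works because it advertises a network name people trust. One check a firm's IT staff can run from a laptop in the office is to scan for access points that broadcast one of the firm's own SSIDs but are not the firm's radios, or that offer the name as an open network when the real one requires a password. The script below is an added example written for this post, not code from the ILTACON session; the scan lines are constructed to follow the shape of `nmcli -t -f SSID,BSSID,SIGNAL,SECURITY dev wifi` output (terse mode escapes the colons inside the BSSID with a backslash), and the inventory of known access points is an assumed export from the firm's wireless controller.

```python
"""Flag evil-twin access points in a Wi-Fi scan (added example, not from the post)."""
import sys

# Constructed sample scan in nmcli terse format: two legitimate FirmWiFi radios,
# one open rogue broadcasting the same SSID at a stronger signal, a guest AP,
# and an unrelated cafe AP. Colons inside each BSSID are backslash-escaped.
SAMPLE_SCAN = r"""
FirmWiFi:AA\:BB\:CC\:DD\:EE\:01:72:WPA2
FirmWiFi:AA\:BB\:CC\:DD\:EE\:02:65:WPA2
FirmWiFi:DE\:AD\:BE\:EF\:00\:01:90:
FirmWiFi-Guest:AA\:BB\:CC\:DD\:EE\:03:60:WPA2
Cafe_Free:12\:34\:56\:78\:9A\:BC:40:
"""

# Assumed inventory of the firm's own access points (SSID -> BSSIDs and security).
KNOWN_APS = {
    "FirmWiFi": {"bssids": {"AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"}, "security": "WPA2"},
    "FirmWiFi-Guest": {"bssids": {"AA:BB:CC:DD:EE:03"}, "security": "WPA2"},
}


def split_terse(line):
    """Split one nmcli terse-mode line on unescaped colons, unescaping backslash-colon."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])  # escaped character: keep it literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_scan(text):
    """Turn scan output into a list of access-point dicts (blank lines ignored)."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, signal, security = split_terse(line)
        aps.append({"ssid": ssid, "bssid": bssid.upper(),
                    "signal": int(signal), "security": security})
    return aps


def find_evil_twins(aps, known=KNOWN_APS):
    """Return (ssid, bssid, signal, reasons) for APs impersonating a known SSID.

    Two tells of a rogue AP are checked: a BSSID that is not in the inventory,
    and a security type that differs from the real network (typically an open
    network with the same name, which anyone can join without a password).
    """
    findings = []
    for ap in aps:
        expected = known.get(ap["ssid"])
        if expected is None:
            continue  # an SSID the firm does not own is not an impersonation
        reasons = []
        if ap["bssid"] not in expected["bssids"]:
            reasons.append("BSSID not in inventory")
        if ap["security"] != expected["security"]:
            observed = ap["security"] or "open"
            reasons.append(f"security is {observed}, expected {expected['security']}")
        if reasons:
            findings.append((ap["ssid"], ap["bssid"], ap["signal"], reasons))
    # Strongest signal first: a rogue AP in the room usually outshouts the real one.
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


if __name__ == "__main__":
    # Pipe real scan output in, or run with no input to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    for ssid, bssid, signal, reasons in find_evil_twins(parse_scan(text)):
        print(f"{ssid} {bssid} signal={signal}: " + "; ".join(reasons))
```

On the constructed sample the script reports one rogue: the open "FirmWiFi" at DE:AD:BE:EF:00:01, which is both absent from the inventory and missing WPA2. This is a defender's spot check, not a substitute for a wireless intrusion detection system; it catches the evil twin only while someone is scanning, and it does nothing about the attendee who, as in the demo, joins a convincingly named hotspot by hand.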

Scary, huh? So what do you do?

The right answer is the same strong security that global banks and brokerages use to protect their networks and keep their confidential data from ever ending up for sale. Those measures include:

  • A SOC 2 Type II attestation. This is an independent auditor's report, covering a review period of months rather than a single day, on whether the organization's security controls were suitably designed and actually operated as described (SOC 2 is an attestation report, not a certification).
  • Encrypted email and data, both at rest and in transit.
  • Daily backups to multiple servers in separate locations, guarded around the clock by both physical security and cybersecurity.
  • Continuous patching and monitoring by cybersecurity experts, supported by intrusion-detection and antivirus software.

All true, but for small, budget-conscious law firms, it may be better to achieve an acceptable level of security through a self-contained law practice management system whose provider supplies those controls.

I am betting that my grandchildren will be making similar demos in another decade. Don't bet against me. 

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson