Category Archives: CyberSecurity

Tech Snippets Today – Baker Donelson – Justin Daniels – Shareholder & Attorney, with Joseph Raczynski

Posted on by

Baker Donelson has always been at the tip of the spear when it comes to their focus on blockchain and other digital assets in legal. Today, I spoke with Justin Daniels, Shareholder, Corporate M&A Technology Attorney and all around NFT, blockchain, and cybersecurity guru. Those are my words, not his.

What I enjoyed about the discussion was Justin’s focus on the importance of cybersecurity for all emerging technologies as they develop, not as an afterthought. We touch on the FTX fiasco, ChatGPT, and the future of identity.

Baker has a practice group called the Blockchain and Digital Assets Technology where attorneys offer clients multi-disciplinary representation in the growing area of blockchain and digital asset technology, including corporate and business matters, securities, Anti-Money Laundering and Know-Your-Customer (AML/KYC), money transmitter, Office of Foreign Assets Control (OFAC), cybersecurity, privacy, intellectual property, litigation, government relations, and public policy. Clients benefit from working with a group that understands the underlying technology to help frame the legal issues affecting blockchain and digital assets, enabling them to collaborate to develop thoughtful, effective business solutions.

Cybersecurity at the centre – competing globally with different rules

Posted on by

 

Originally published on Legal Insights Europe.

By Joseph Raczynski

The topic of global cybersecurity will challenge each one of us. It is an unstable concoction of cultural norms and legal property rights patiently awaiting attention before it bursts. The overarching question is ‘how can legal organizations and overall society manage rising threats to the integrity of intellectual property (IP) whilst retaining and using information’? Add in the complexity that the global landscape is comprised of open societies, with freedoms and individuality, and close societies, of collectivism and oppression. The fundamentals of open society and IP rights—contrasted with closed societies and their misuse of IP through cyber threats will soon force change.

The Situation

The Council on Foreign Relations has been focusing recent seminars on emerging technology and cybersecurity as it relates to China and Russia. The thematic quintessence from the highest former administrators in the U.S. Intelligence Community is that the UK, Europe, and U.S. are under constant IP attack. They cited countless examples of nation states sending students and other professionals to the UK and U.S. with the sole intention of pilfering IP. Purportedly in one example, students at some of the best scientific universities are forced into this criminal role by their government. Their family, at home, is threatened if information from the student is not collected and given to the state. The majority of students have honest intentions in their travels—advancement of their own education and to enjoy the cultural exchange, but increasingly the U.S. Intelligence Community is alarmed at what they are finding. Commercial cyber espionage.

The cultural philosophies are starkly different, from one state to the next. The society of one state is open and the other closed. For example, pushing for individual’s governance of their own personal information manifested through General Data Protection Regulation—as with the European Union, while the other state created a ‘social credit’ score by ranking citizens based on their behaviour from data gathered by millions of facial recognition eyes in the sky. Both governments strive for rapid development in artificial intelligence, quantum computing, blockchain, and biotechnology. Governments develop these specialty areas in different ways. Eric Schmidt, former Google CEO, once said, “there will be two internets, one for China and one for the rest of the world”. The washing of information about the 1989 Tiananmen Square protests from every Chinese online forum and publication is cited as an example of the ‘other internet’. As a result, most teenagers in China have never heard of the protests which turned into a massacre.

Law firms as a collective serve as the largest holder of IP. As such, they are a top target for cyber espionage. The overarching laws are clear in the UK, and most often people abide by them. When there is conflict, legal process takes place and ultimately decisions are made, resulting in a final adjudication. What if no one paid attention to the decision? What if people did whatever they wanted, even though the IP for Flake candy bar is registered, China could copy it and sell it where ever they wished? This is the situation with the closed societies, and typically cybersecurity breeches are the means to an end for nation states looking to bolster their own companies.

The Dilemma

According to the U.S. Intelligence Community, the challenge is that closed societies are breaking into law firms and corporations, stealing IP and using it to build their own companies. The speed of these new companies built on the backs of stolen IP is phenomenal and will be much more difficult for those UK organizations to compete against.

Certainly, corporate espionage has been around since before cobblers competed in shoe-making. The difference is that open societies, by their nature, are now threatened by IP exploitation in the UK and US. Going forward and beyond sanctions, as the super powers of the world grow in strength and play by a different set of rules, law firms and corporations will likely need to map new ways how they protect their information and IP. The UK, U.S., and Europe will need to figure out how a society that plays by a clear set of rules competes against a society that can hack any law firm and use that information to illegally profit.

The vice grip of cybersecurity concerns on law firms

Posted on by

Originally published on Legal Insights UK & Ireland

By Joseph Raczynski

Law firms stand in a very precarious position in the cybersecurity world. Next to financial institutions, private legal institutions are a virtual honey pot for cybercriminals. Any breach, no matter the size, impacts the client, and certainly could destroy a firm’s reputation.

Four years ago, I toured over 50 law firms discussing cybersecurity with chief information officers (CIO), managing partners, lawyers and support staff. Each year since, it remains one of the hottest legal technology topics with my clients. The unfortunate situation is that, while law firms have dramatically shored up the barriers of defence, criminals have new methods to circumnavigate the ramparts.

Why law firms now?

Recently, I was at a CIO conference with 350 medium and large law firm CIOs in attendance. The keynote speaker stunned the crowd with a singular statement: “do you realise you [CIOs] are the gatekeepers to 71 percent of the non-public intellectual property (IP)?” The first reason law firms are attacked is because of IP. Criminals of all sorts see law firms rife with IP that can be pilfered.

One Asian country has allegedly lifted massive amounts of IP from technology companies, not from the companies themselves, but rather their law firms. Once obtained, they pass the IP to their nation’s internal network of state owned companies for development. Apple could have trade secrets stolen and then developed and sold in China before Apple could get it to market in London. To this end, Joe Patrice, Editor of Above the Law, once called law firms “the soft underbelly of the cybersecurity world”. The good news is that law firms have fortified their gates more recently to stymie the IP raiders.

The second reason why law firms are attacked is business information. Last year a known hacker in Russia targeted the top 25 law firms in the world to pull out any merger and acquisition (M&A) information. The criminals silently slip past firewalls, identify M&A documentation of companies set to merge, then can use that information to purchase stock—all before it is publicly announced.

Methods of attack

There is a myriad of tried and true means to crack networks and computers. Having been a white hat hacker script kiddie, years ago, I recently dipped my toe back into the space to see what has changed. My conclusion: it is easier to hack now than it was 10 years ago.

I bought a £4 specialised USB the other day, which will load any sort of script onto a computer in under four seconds. Simply choose the script from 100’s publicly available on the web, convert the code through a free compiler, load it onto the USB stick—and voila! In my testing, I could scrape the user names and passwords entered on my computer, and have it automatically sent to a test email account, simply by placing the ’bad USB’ or ’Rubber Ducky’ into my drive for a few seconds. Does your firm lock down USB ports? Perhaps it is worth considering as an attack of this nature can be executed with relative ease.

There are countless other ways to hack a computer or IoT (Internet of Things) device, but no greater risk is higher than email. Allen Paller, of the US-based SANS Institute, cites 95 percent of all malware and breaches start with email. Phishing attacks, discussed in a new government report published by the National Cyber Security Centre: ‘The cyber threat to UK legal sector’, states that 80 percent of law firms in the UK have had attempted phishing attacks in the last year. These sorts of attacks can be prevented in several ways:

  • Have processes in place when dealing with accounting so emails are not approval for funds transfer—use an internal application for requests and verification
  • Use software to distinguish ‘external’ emails from ‘internal’
  • Link protection—use real-time analysis of URLs and domains so that the user is safely redirected to valid domains when clicking ‘unknown’ links in emails
  • Assuring that all applications are running their most up to date versions

One of the largest law firms in the world, DLA Piper, was hit by ransomware last year. Fortunately, DLA Piper survived, though weeks of recovery at a tremendous cost. Still, these types of attacks can be devastating. They encrypt all files on your computer or network—leaving you two options: pay the ransom to get the password, or delete everything off the computer and rebuild with your backup files. Either option can leave a law firm, for a short or long period of time, with limited ability to address client needs.

The future of cybersecurity will be a multi-pronged approach. No longer is antivirus software the ultimate defence. Instead, law firms will need tools that detect intruders using artificial intelligence infused algorithms to figure out abnormal activity on the network. Blockchain will help securitise information and identities with a distributed network—compared to a central repository of sensitive information. Lastly, the General Data Protection Regulation has already, and will continue to, force all parties to take security more seriously or risk significant fines.

Kill Chain: The 7 Stages of a Cyberattack

Posted on by

Originally published in the Thomson Reuters Tax & Accounting Blog

By Joseph Raczynski

In our new world reality where cyberattacks are a daily occurrence and every organization must focus on critical infrastructure surrounding cybersecurity, businesses have begun to think like the military. How can we defend our enterprise? To that end, it’s not surprising that companies have adopted soldierly, combative mindsets and terminology.

The term “kill chain” originates from the armed forces and refers to the structure—or seven stages—of a cyberattack:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Action on Objectives

Now, many proactive institutions are attempting to “break” an opponent’s kill chain as a defense method or preemptive action. One of the leaders in this space adapting the concept for Information Security is Lockheed Martin.

Thinking Like a Hacker
A hacker typically has a creative, analytical mindset. These individuals search for paths toward a solution—often devising serpentine and circuitous routes to attain their goal. It’s this approach that we need to build awareness around if we are to thwart an onslaught of attacks.

As an example, let’s pretend that a hacker wants to get into your Tax Consultancy LLP organization to pilfer the Social Security numbers of your clients. This is how they may think at every stage of the kill chain. Your goal is to understand the steps and proactively counter each one to protect your network.

Stage 1: Reconnaissance
Hackers begin by researching your company online—gathering names, titles, and email addresses of people who work for the organization. They identify one person to target and then plan their avenue of attack. They may use e-mail attachments with viruses, port surf the company network, drop a memory card containing malicious code in the parking lot, or decrypt WiFi traffic. In this scenario, let’s say they choose e-mail as their method. An e-mail containing a link is sent to the selected individual, who, once they click on the link, inadvertently downloads the malware.

Stage 2: Weaponization
Hackers have libraries of code at their disposal that they use and tweak for their attacks. They consider the networks, operating systems, and software that Tax Consultancy LLP—and every company they target—may run. By identifying these components through research, the hackers can customize their code to work in those environments. One of the most common ways to compromise a computer or network is to attack unpatched software by companies such as Microsoft Cisco—applications that have known vulnerabilities, but ones that Tax Consultancy LLP may not have updated.

Stage 3: Delivery
In this instance, the hacker has decided to target the CFO of Tax Consultancy LLP. Through research, the hacker knows the name of the CFO, where she lives, works and even personal information gathered from the Web. He knows she coaches an eighth-grade softball team, enjoys camping, and shops at a local Safeway Food store she once complained about on Google reviews. Armed with this information, the hacker decides to lure the CFO with a spear phishing tactic.

Stage 4: Exploitation
The hacker crafts a perfectly feasible email to the CFO.

“Dear Jenny, it has been too long since we last spoke! I hope all is well. The last time we chatted we were at Safeway, complaining about their so called “fresh fish” section. One of these days they will have fresh shrimp, not just the frozen variety. The reason I am writing is that our daughters are in the same softball league. They have grown up so fast! I know you are busy, so you may not be aware, but they are hoping to go to Florida for a tournament in a few months. We are trying to raise some money for the kids who currently don’t have the means to get there, can you please help by donating say $20 to the cause? You can click here to donate.”

Stage 5: Installation
There is a 96 percent likelihood that the CFO will click on the link in the spear phishing e-mail. When she does, the malicious software takes root.

Stage 6: Command & Control
Once the malicious code has been installed, it phones home to the hacker. The hacker then has the ability to control it, let it sit for an extended period of time, automatically listen to packets across the network, or crawl through the network. All of this depends on what was deployed and what the hacker wants from the system. In our imaginary scenario, the hacker is after Social Security numbers, so he may attack the central database of Tax Consultancy LLP that houses all of their clients’ information, most likely found in an unencrypted DBA system, or perhaps Excel spreadsheets or other email accounts. The hacker is then able to harvest the information and send it out through the firm’s firewall to a remote server as a repository.

Stage 7: Action on Objectives
Finally, the hacker is able to extract whatever information they’ve been targeting. They can now easily gather Social Security numbers contained in the firm’s data. Of course, the options for exploiting this sort of information are many. The hacker may sell the numbers on the dark web, file fake tax returns, or use them to apply for credit or new identities.

Be Vigilant
All of this happened because the hacker was able to effectively use each stage of the kill chain to astutely identify the company’s possible vulnerabilities and leverage them. Today, all businesses should spend time walking through these stages, identify vulnerabilities, and shoring up their defenses to eliminate them. It’s not an easy task, but the more critically each of us look at these seven stages of the kill chain, the better we can prevent the next hack.

Podcast: The Hearing With Kevin Poulter & Joseph Raczynski – Future Legal

Posted on by

Episode 2 of THE HEARING is now live!

In episode 2 of The Hearing Podcast Kevin Poulter speaks to futurist Joseph Raczynski on #legaltech #AI #blockchain and the future of the robot lawyer.

Listen now and subscribe to #thehearingpodcast on:

iTunes – https://tmsnrt.rs/2swyzmz

Spotify – https://tmsnrt.rs/2kOOpVw

SoundCloud – https://tmsnrt.rs/2Js4deI

Cyberattacks are here to stay – protect your organization with these 10 best practices

Posted on by

Originally published on the Thomson Reuters Tax & Accounting Community Connect

by Joseph Raczynski

Our online connections can be downright frightening! The diabolical among us seize every opportunity to plunder our personal information. In fact, FireEye, a leading cybersecurity corporation, has some startling statistics to support this. When conducting an audit of 1,200 companies, they found that 97 percent of the organizations’ networks had been compromised—meaning that the vast majority of these businesses had malware sitting on their servers collecting internal information and sending it back out through the firewall to a remote locale. For most of these companies, it was at least 225 days before they realized a bad actor was sitting inside their network syphoning critical business data.

That’s the bad news. Here’s the good news: There are best practices and tools that will help protect your organization from hacks. Here are 10 that I recommend.

Create an email address for junk.
Use it for newsletters, online merchants, cable companies and mobile carriers. These companies will be or have already been hacked. More than likely, phishing emails asking you to click on links will come from this group. By creating a separate inbox for junk, you’ll know that most of the email in this account can be ignored or taken with a grain of salt, while communications from trusted accounts will be sent to a different email address (although still be cautious about clicking on links in your “trusted” account, as well).

Encrypt your hard drive.
This will protect your information if ever you lose your computer or phone. Essentially, an encrypted hard drive requires that you enter a password on the device as soon as it boots up. It is not the Windows or iOS sign-on. If the Windows or iOS sign-on is the first thing you see when you start your computer or phone from scratch, your computer is not encrypted and is at risk.

Use a URL defense application.
If your company doesn’t already have one, encourage them to look into getting one. The software determines whether a link is safe by going to a special secure server when you click on it. If the link isn’t safe, the application blocks the content from ever hitting your computer or phone.

Use a browser to identify fake websites.
If you don’t have a URL defense application, don’t click directly on an email link. Instead, open a browser and type in the company’s URL. This may be inconvenient, but many of the links embedded in emails connect to fake websites designed to download malicious software to your computer or phone.

Encrypt, encrypt, encrypt.
At some point, someone will break into your computer, phone, or network. Secure your documents, photos, and other important data beforehand by encrypting them in special encrypted folders. If hackers gain access, they will have to decrypt your important files—which isn’t easy.

Keep antivirus software updated.
While antivirus software has become a bit less effective, make sure yours is up to date and turned on. Many malware applications turn antivirus software off. If you see that your firewall or antivirus protection has been deactivated—usually there is a pop-up that will alert you—have your computer looked at by someone in IT.

Immediately update all software when prompted.
Some of the most recent attacks that have hit machines running Windows operating systems had patches that people put off for six weeks. Those debilitating viruses could have been prevented with a quick update requiring just a few minutes. Even better, turn on automatic updates for all of your applications.

Use a password management utility.
Look into an application like LastPass, which houses all of your passwords and randomly updates them for you so you don’t have to.

Make passwords more complex.
If you don’t use a password management application, create passwords that are actual sentences and vary them among your accounts. There are simple apps that can easily guess passwords, especially if they are short and don’t include a mix of letters, numbers, and symbols. A sentence password can look something like: MyMomW3ntT0HarvardIn1958! Just be sure to avoid including personal information in your passwords.

Authenticate, authenticate, authenticate.
If you have the option of dual-factor authentication, opt for the ones that use something like Google Authenticator. These apps create randomized numbers every 60 seconds which you input after your normal login and password. Sometimes people use a confirmation text with a number that you need to enter, but this is actually less secure than the authenticators. Not all services use this yet but will increasingly do so over the next few years with bank accounts and email.

Finally, in meeting with one of my customers recently, the chief technology officer of a 3,000-person institution mentioned that there had been 12 million attacks on his organization over the last six months—many from foreign actors. His institution is not alone. Malicious cyberattacks will only continue to increase, so implement the tips above, and be mindful of what you are doing with your data to protect yourself.

Podcast: The Legal Impact of Autonomous Vehicles (Part 2) with Phil Yannella of Ballard Spahr

Posted on by

Originally published in the Legal Executive Institute.

By Joseph Raczynski, Gregg Wirth, and Phil Yannella

In the second of our podcasts on autonomous vehicles, I speak to Phil Yannella, the co-practice leader of Ballard Spahr’s Privacy and Data Security Group, about security and regulatory issues around driverless vehicles.

 

yannella_philip-300x300

Phil Yannella of Ballard Spahr

In his capacity at the firm, Phil advises clients on the transfer, storage, and use of digital information, and has advised automobile companies on compliance with evolving cybersecurity and data privacy standards.

In the podcast, the pair discuss security issues, such the potential for hacking and data theft of driverless cars and trucks, as well as the state of the regulatory environment for this new technology both here in the U.S. and around the world.

Podcast: The Legal Implications of Driverless Car Technology with Akerman’s Gail Gottehrer (Part 2)

Posted on by

Originally published in the Legal Executive Institute.

By Joseph Raczynski, Gregg Wirth, and Gail Gottehrer

In a new two-part Thomson Reuters’ Legal Executive Institute podcast, Joe Raczynski, Legal Technologist and Futurist with Thomson Reuters Legal, discusses the hot topic of driverless car technology and its impact on the legal industry with attorney Gail Gottehrer, partner at Akerman LLP.

In part 2, (available below) Joe and Gail will discuss the opportunities for law firms in this evolving area. For example, law firms focusing on driverless cars can advise clients about various issues including: (i) changes in insurance coverage models; (ii) regulatory changes in affected industries, (iii) workforce/employment issues, (iv) data privacy and security issues, and (v) anticipating potential use of data in litigation.