Top 10 err.. 16 LegalTech Talks of 2021! Now available!

The list is out!  Last year was an amazing one for LegalTech talks and thought leadership.  I presented over 70 times on Blockchain, Cryptocurrency, AI, Workflow, and the Legal Platform.  It was also a fascinating year where edgy concepts entered the LegalTech space, including the Metaverse and NFTs.  In all likelihood, these will continue to flourish in 2022.

If you’re game, you can watch the top sessions from the past year on a huge swath of LegalTech and general tech topics below:

Innovation:

Preparing Now for the Legal Technology Landscape in the Decades Ahead

Innovation in the Legal Industry

Dauntless Assent Into Legal Innovation

Blockchain, Cryptocurrency, DAOs, NFTs, Metaverse:

An Introduction to the Impact of Blockchain on Legal

Blockchain 2.0 Advanced Blockchain – Case Studies and the Evolution

Cryptocurrency Fundamentals

Cryptocurrency, DeFi, NFTs and the Metaverse

The Future of Contracts

Emerging Technology Conference on Blockchain and the Metaverse

Understanding Digital Identity & Its Impact on Legal

Artificial Intelligence:

Breaking Down AI – The Underlying Language and Technology of Artificial Intelligence

Artificial Intelligence and the Impact of Exponential Technology on Legal

Cybersecurity:

The State of Cybersecurity in Legal

The Dark Web — The Evolving Landscape and its Impact on the Legal Industry

Legal Platform & APIs:

Legal Platforms, APIs, and the REvolution of Whizzbang LegalTech

Cloud:

Fundamentals of Cloud Computing

The vice grip of cybersecurity concerns on law firms

Originally published on Legal Insights UK & Ireland

By Joseph Raczynski

Law firms stand in a very precarious position in the cybersecurity world. Next to financial institutions, private legal institutions are a virtual honey pot for cybercriminals. Any breach, no matter the size, impacts the client, and certainly could destroy a firm’s reputation.

Four years ago, I toured over 50 law firms discussing cybersecurity with chief information officers (CIO), managing partners, lawyers and support staff. Each year since, it remains one of the hottest legal technology topics with my clients. The unfortunate situation is that, while law firms have dramatically shored up the barriers of defence, criminals have new methods to circumnavigate the ramparts.

Why law firms now?

Recently, I was at a CIO conference with 350 medium and large law firm CIOs in attendance. The keynote speaker stunned the crowd with a singular statement: “do you realise you [CIOs] are the gatekeepers to 71 percent of the non-public intellectual property (IP)?” The first reason law firms are attacked is because of IP. Criminals of all sorts see law firms rife with IP that can be pilfered.

One Asian country has allegedly lifted massive amounts of IP from technology companies, not from the companies themselves, but rather their law firms. Once obtained, they pass the IP to their nation’s internal network of state owned companies for development. Apple could have trade secrets stolen and then developed and sold in China before Apple could get it to market in London. To this end, Joe Patrice, Editor of Above the Law, once called law firms “the soft underbelly of the cybersecurity world”. The good news is that law firms have fortified their gates more recently to stymie the IP raiders.

The second reason why law firms are attacked is business information. Last year a known hacker in Russia targeted the top 25 law firms in the world to pull out any merger and acquisition (M&A) information. The criminals silently slip past firewalls, identify M&A documentation of companies set to merge, then can use that information to purchase stock—all before it is publicly announced.

Methods of attack

There is a myriad of tried and true means to crack networks and computers. Having been a white hat hacker script kiddie, years ago, I recently dipped my toe back into the space to see what has changed. My conclusion: it is easier to hack now than it was 10 years ago.

I bought a £4 specialised USB the other day, which will load any sort of script onto a computer in under four seconds. Simply choose the script from the hundreds publicly available on the web, convert the code through a free compiler, load it onto the USB stick—and voila! In my testing, I could scrape the user names and passwords entered on my computer, and have them automatically sent to a test email account, simply by placing the ‘bad USB’ or ‘Rubber Ducky’ into my drive for a few seconds. Does your firm lock down USB ports? Perhaps it is worth considering, as an attack of this nature can be executed with relative ease.

There are countless other ways to hack a computer or IoT (Internet of Things) device, but no risk is greater than email. Alan Paller, of the US-based SANS Institute, says that 95 percent of all malware and breaches start with email. A new government report published by the National Cyber Security Centre, ‘The cyber threat to UK legal sector’, discusses phishing attacks and states that 80 percent of law firms in the UK have had attempted phishing attacks in the last year. These sorts of attacks can be prevented in several ways:

  • Have processes in place when dealing with accounting so that an email is never approval for a funds transfer; use an internal application for requests and verification
  • Use software to distinguish ‘external’ emails from ‘internal’
  • Link protection: use real-time analysis of URLs and domains so that the user is safely redirected to valid domains when clicking ‘unknown’ links in emails
  • Ensure that all applications are running their most up-to-date versions
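
An added example, not from the original article: a mail-gateway style check in Python that marks external senders, as the second bullet suggests, and goes slightly further by flagging two common phishing signs (a display name that imitates an internal address, and a Reply-To on a different domain). The domain `examplefirm.test`, the tag text and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the firm's mail domain and the tag text.
INTERNAL_DOMAINS = {"examplefirm.test"}
TAG = "[EXTERNAL]"

# Constructed sample messages (not real mail).
INTERNAL_MAIL = "From: Pat Lee <pat.lee@examplefirm.test>\nSubject: Q3 billing\n\nHi"
SPOOFED_MAIL = (
    'From: "cfo@examplefirm.test" <cfo@examplefirm-billing.test>\n'
    "Reply-To: payments@other.test\n"
    "Subject: Urgent wire transfer\n\nPlease pay today."
)


def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def classify(msg):
    """Return (is_external, reasons) for a parsed message."""
    display, sender = parseaddr(msg.get("From", ""))
    domain = domain_of(sender)
    external = domain not in INTERNAL_DOMAINS  # a missing sender counts as external
    reasons = []
    if external:
        reasons.append(f"sender domain '{domain or 'missing'}' is not internal")
        # External sender whose display name shows an internal domain.
        if any(d in display.lower() for d in INTERNAL_DOMAINS):
            reasons.append("display name imitates an internal address")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        reasons.append("Reply-To domain differs from From domain")
    return external, reasons


def tag_message(raw):
    """Parse raw mail; prefix the Subject with TAG when the sender is external."""
    msg = message_from_string(raw)
    external, reasons = classify(msg)
    subject = msg.get("Subject", "")
    if external and not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}"
    return msg, reasons
```

Calling `tag_message(SPOOFED_MAIL)` returns the message with its subject prefixed and a list of reasons that a gateway could log or show in a banner.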

One of the largest law firms in the world, DLA Piper, was hit by ransomware last year. Fortunately, DLA Piper survived, though with weeks of recovery at a tremendous cost. Still, these types of attacks can be devastating. They encrypt all files on your computer or network—leaving you two options: pay the ransom to get the password, or delete everything off the computer and rebuild with your backup files. Either option can leave a law firm, for a short or long period of time, with limited ability to address client needs.

The future of cybersecurity will be a multi-pronged approach. No longer is antivirus software the ultimate defence. Instead, law firms will need tools that detect intruders using artificial intelligence-infused algorithms to figure out abnormal activity on the network. Blockchain will help secure information and identities with a distributed network, compared to a central repository of sensitive information. Lastly, the General Data Protection Regulation has already forced, and will continue to force, all parties to take security more seriously or risk significant fines.

How prepared are law firms to face cyber security threats?

By Joseph Raczynski

The hacking of Panamanian law firm Mossack Fonseca last April resulted in 11.5 million leaked attorney-client privileged documents, exposing the widespread use of off-shore businesses by wealthy individuals and corporations around the world and highlighting the imperative need for proactive measures against corruption and other illicit financial activity.

But what it also revealed was just how vulnerable law firms can be to hackers and other cyber criminals.

Daniel Garrie is an arbitrator, forensic neutral and technical special master at JAMS, available in Los Angeles, New York and Seattle. He is executive managing partner of Law & Forensics LLC and head of the computer forensics and cybersecurity practice groups, with locations in the United States, India and Brazil. He is also a Partner at Zeichner Ellman & Krause LLP, where he heads their global cyber security practice, and an adjunct professor at Cardozo School of Law.

I recently spoke to Daniel Garrie, Global Head of eDiscovery, Forensics, and Cybersecurity Practices for Law & Forensics LLC, to get his insight into some of the cyber security issues facing law firms today:

Q. Daniel, why do hackers and other cyber criminals target law firms?

First, for information. All kinds of potentially valuable information: M&A information, IP information, real estate information, divorce information; information that can make people money or give them leverage. If you think about the law firms that just do mortgages, for example; getting a fully detailed mortgage package with social security numbers, bank account numbers, wiring information — that’s a pretty interesting piece of information.

Second, because in many cases, the law firm is the weakest link. Take the case of an M&A deal, for example. Why invest money and resources to hack the companies — which are more likely to have robust cyber security frameworks — when you can just hack the law firm, where cyber security resources are fewer and far more fragile?

Q. So law firms are not prepared to deal with these threats?

No, but not because they don’t want to be, but because of how law firms work as a partner profit-sharing entity. There has to be a reason to invest in measures to prevent them.

Q. And what are those reasons?

The consequences of unprotected and disclosed client data are two-fold. Not only do a law firm’s clients face potential reputational, financial, and legal risks when their private information is accessed and potentially distributed, the firm itself faces those same risks.

All law firms are competing for business and firms that don’t protect against cyber security threats run the risk of losing a substantial amount of business. Law firms are becoming acutely more aware of the fact that if they’re hacked, chances are, they’re no longer going to be a law firm.

Q. So what steps can law firms take to get prepared to deal with these threats?

First, focus on cyber hygiene. Do whatever it takes to put the right preventative measures in place: encryption, “least access necessary” policies, training and education for staff, etc. Second, find trusted partners. Do business only with those whom you can trust because if they are labeled as “hacked,” it could devastate your business, too.

Original post in AnswersOn

Law Firm and Corporate Cybersecurity Presentation – UMB

By Joseph Raczynski

Recorded at the University of Maryland, Baltimore during the “Cybersecurity and You” morning session. Discussed are the current landscape of cybersecurity at law firms and corporations, the primary issues these organizations are finding, and general awareness of what is happening.

LegalSEC: Shedding Light on the Dark Net 

By Joseph Raczynski

The importance of law firms understanding the dark web

Your very sensitive private client data could be available for all to see on the Internet right now.  Technically this data would be on the Dark Net or Dark Web.  It is the portion of the World Wide Web that is hidden or inaccessible from normal browsers.  As corporations and law firms grapple with larger and more profound attacks, I think it is important to be aware of how individuals access it and what occurs there to better safeguard your firm from what is happening now.  At the cybersecurity LegalSEC Summit last week in Baltimore, Kevin Lancaster, CEO of Winvale, Todd Nielson, President at Secuvant Cyber Security, and Will Nuland, Sr. Security Researcher at Dell SecureWorks, spoke about the nuances around the Dark Net.

The Dark Web, born from a United States government program, had positive intent from the outset.  It created a cyberspace where people in disaffected regions could anonymously visit and share ideas freely.  North Koreans and Iranians use this to congregate and postulate new ways to live.  They could then visit this space in the ether and share ideas freely without the fear that they would be persecuted for espousing ideas incongruous with their government's point of view.

How to get there:

The following is not advised, but is here as an awareness of how people access the Dark Web.

Mozilla Firefox has a plugin (Tor Project), a simple free application run by a nonprofit organization, which turns your normal browser into a Tor Onion enabled browser.  What that means is that the plugin creates a tunneled Internet connection to a minimum of 100 other locations around the world.  You are essentially establishing a proxy connection to other computers that are running the same Tor software.  This establishes a very strong sense of anonymity and security: no one knows who you are or where you live (IP address).  If I live in Washington, DC, after running the plugin I may show up as living in Prague, but first being routed through 99 other cities.

Once the application is launched, you would need to find an index page, like the Hidden Wiki, which gives users a general launching-off point for perusing the Dark Web websites.  It is not a pure search-and-find environment like Google, though some sites are indexed.  Sites are not set up with a URL structure like the one we have on the Open Web, such as http://www.thomsonreuters.com.  In fact they appear to be hashed with letters and numbers in a random pattern.  They also end in .onion compared to the normal .com that we tend to see.  So an example address might be: ijfije856ya5lo.onion.

Once there:

Unfortunately, once a user passes into this realm, there is a minefield awaiting.  The Wiki page starts with the benign and dives headlong into the frightening and disturbing.  You can buy $10,000 of fake US dollars for the equivalent of $5,000 in Bitcoin, the currency of choice.  The cryptocurrency Bitcoin is also generally considered anonymous.  Other possibilities include hiring a hacker, buying prescription drugs, buying illegal drugs, acquiring arms or, if you so desired, getting involved in unregulated medical trials.  On the darker side, you can even hire a hit man.

Law Firm Perspective on Dark Web:

The key piece of this post is that law firms are now being brought into the dark side.  Criminals are stealing IP information and M&A information and dropping it onto the Dark Web.  Other groups are grabbing proprietary information or sensitive client information from law firm networks and saving it onto the Dark Net to either expose the firm or hold it for ransom.  Hackers for hire have been used to target corporations and law firms.

One of the questions asked of the panel was how firms should handle the Dark Web.  In my time consulting around this subject, I was curious about the response.  The group was split.  Some thought that companies should not use their own networks to access the environment; others stated that, in a controlled access situation, they could monitor what is going on in the Dark Web to protect their brand.  In fact, it was stated that nearly two million people a day visit, but most are monitoring what is happening.  Law firms and corporations should be looking for client names, logins and passwords, and email addresses of their respective company.

With the increase in cyber-attacks, all entities have to be aware of how the hackers operate.  Understanding the Dark Web in this context is part of the due diligence for any corporation or law firm today.  Fortunately, a new wave of companies is surfacing that can monitor the Dark Net on behalf of your organization.