By Joseph Raczynski
An article of mine on blockchain published on the Wall Street Lawyer:
By Joseph Raczynski
BALTIMORE, Md. — “Three strikes and you are out of the firm.” This is the mantra of one law firm when dealing with employees who click on spear-phishing emails, according to Mounil Patel, Strategic Technology Consultant at Mimecast, an email and cloud security firm.
Patel’s comments came at the recent gathering of legal tech and cybersecurity officials, the LegalSEC Summit, presented last week by the International Legal Technology Association (ILTA) in Baltimore.
Simply stated, email is currently the largest hole in law firm and corporate security. Most other aspects of the firm have been shored up over the last several years, including firewall and antivirus protection, malware defenses, and monitoring of networks. However, as Patel pointed out, a law firm can have every monitoring and protection application in place, but email’s reliance on the human decision factor creates major headaches for the firm’s IT staff.
To illustrate, Patel described one incident where he received an email from someone with whom he had worked years ago at a previous company. The email was directed to him and clearly appeared to be from his old colleague’s email address. The cordial note brought up some of their old connections at the previous company and then asked if he would kindly review the attached resume to see if there might be a fit for him at his new company. Patel naturally opened the PDF and the virus payload was released. The point is, with today’s more sophisticated email attacks, there is almost no way for people to know what are genuine correspondences from friends or colleagues and what is a “virus bomb”.
It is interesting to note that many law firms and corporations are internally testing their own employees with targeted spear-phishing attacks similar to the one Patel received. A client of Patel’s ran one such email security campaign, and when an attorney was caught opening the attached files or following the links, that person immediately received a pre-recorded message via voicemail from the entire executive partnership that such behavior was unacceptable.
The message went on to state that if they were caught twice more they would be terminated — three strikes and they were out.
One best practice noted by a chief information officer at the Summit was that before you start your phishing campaign, you let the firm know you are conducting it. She found that attorneys began sending IT suspicious emails proactively. In addition, reaffirm those who do not click the phishing emails by noting that they are doing good work.
Email will continue to dog corporations and law firms for the foreseeable future. Ultimately it comes down to humans making decisions on what to open and click on. At this point in time, a well-crafted targeted email attack appeals to most people, unfortunately. (In fact, the likelihood of an executive clicking on one of these attacks is at a stunning 96%, according to McAfee.)
So, heeding some of Patel’s advice could save your organization the pains of another attack launched via email.
By Joseph Raczynski
The importance of law firms understanding the dark web
Your very sensitive private client data could be available for all to see on the Internet right now. Technically this data would be on the Dark Net or Dark Web. It is the portion of the World Wide Web that is hidden or inaccessible from normal browsers. As corporations and law firms grapple with larger and more profound attacks, I think it is important to be aware of how individuals access it and what occurs there to better safeguard your firm from what is happening now. At the cybersecurity LegalSEC Summit last week in Baltimore, Kevin Lancaster, CEO of Winvale; Todd Nielson, President at Secuvant Cyber Security; and Will Nuland, Sr. Security Researcher at Dell SecureWorks, spoke about the nuances around the Dark Net.
The Dark Web, born from a United States government program, had positive intent from the onset. It created a cyberspace where people in disaffected regions could anonymously visit and share ideas freely. North Koreans and Iranians use this to congregate and postulate new ways to live. They could then visit this space in the ether and share ideas freely without the fear that they would be persecuted for espousing ideas incongruous with their government’s point of view.
How to get there:
The following is not advised, but is included here to raise awareness of how people access the Dark Web.
Mozilla Firefox has a plugin (Tor Project), a simple free application run by a nonprofit organization which turns your normal browser into a Tor Onion enabled browser. What that means is that the plugin creates a tunneled Internet to a minimum of 100 other locations around the world. You are essentially establishing a proxy connection to other computers that are running the same Tor software. This establishes a very strong sense of anonymity and security that no one knows who you are or where you live (IP address). If I live in Washington, DC, after running the plugin I may show up as living in Prague, but first being routed through 99 other cities.
Once the application is launched you would need to find an index page, like the Hidden Wiki, which gives users a general launching off point for perusing the Dark Web websites. It is not a pure search and find environment like Google, though some sites are indexed. Sites are not set up with URL structure like we have on the Open Web, http://www.thomsonreuters.com. In fact they appear to be hashed with letters and numbers in a random pattern. They also end in .onion, compared to the normal .com that we tend to see. So an example address might be: ijfije856ya5lo.onion.
Unfortunately, once a user passes into this realm, there is a minefield awaiting. The Wiki page starts with the benign and dives headlong into the frightening and disturbing. You can buy $10,000 of fake US dollars for the equivalent of $5,000 in Bitcoin, the currency of choice. The cryptocurrency Bitcoin is also generally considered anonymous. Other possibilities include hiring a hacker, buying prescription drugs, buying illegal drugs, acquiring arms or, if you so desired, getting involved in unregulated medical trials. On the darker side, you can even hire a hit man.
Law Firm Perspective on Dark Web:
The key piece of this post is that law firms are now being brought into the dark side. Criminals are stealing IP information and M&A information and dropping it off onto the Dark Web. Other groups are grabbing proprietary information or sensitive client information from law firm networks and saving it onto the Dark Net to either expose the firm or to hold it for ransom. Hackers for hire have been used to target corporations and law firms.
One of the questions asked of the panel was how firms should handle the Dark Web. In my time consulting around this subject, I was curious about the response. The group was split. Some thought that companies should not use their own networks to access the environment; others stated that in a controlled access situation, they could monitor what is going on on the Dark Web to protect their brand. In fact, it was stated that nearly two million people a day visit, but most are monitoring what is happening. Law firms and corporations should be looking for client names, logins and passwords, and email addresses of their respective companies.
With the increase in cyber-attacks, all entities have to be aware of how the hackers operate. Understanding the Dark Web in the context of this is part of the due diligence for any corporation or law firm today. Fortunately, a new wave of companies is surfacing that can monitor the Dark Net on behalf of your organization.
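The kind of watchlist check described above (client names, logins and passwords, company email addresses) can be sketched as follows. This is an added example, not code from the article or from any monitoring vendor; the firm domain, client names and sample lines are all constructed, and it assumes the text has already been collected by a monitoring service.

```python
"""Watchlist scan over already-collected text (added example, constructed data)."""
import hashlib
import re
from collections import namedtuple

# Assumptions: a hypothetical firm's email domain and two hypothetical clients.
FIRM_DOMAINS = {"examplefirm.test"}
CLIENT_NAMES = ["Acme Holdings", "Northwind Capital"]

# Constructed lines standing in for text a monitoring service has gathered.
SAMPLE_LINES = [
    "jdoe@examplefirm.test:Summer2016!",
    "random.user@othermail.test:hunter2",
    "Selling M&A deal notes for ACME  Holdings, contact via PM",
    "asmith@mail.examplefirm.test;s3cret;2016-03-01",
    "nothing of interest here",
    "partner@examplefirm.test asked about Northwind Capital merger",
]

Finding = namedtuple("Finding", "line_no kind value secret_fingerprint")

EMAIL = r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})"
EMAIL_RE = re.compile(EMAIL)
# An address followed by a separator and a non-empty secret (login:password style).
CRED_RE = re.compile(EMAIL + r"[:;|,]([^\s:;|,]+)")

# Client names match regardless of case or of extra whitespace between words.
CLIENT_PATTERNS = [
    (name, re.compile(r"\b" + r"\s+".join(map(re.escape, name.split())) + r"\b", re.I))
    for name in CLIENT_NAMES
]


def fingerprint(secret):
    """Short hash so repeated leaks can be correlated without storing the password."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def in_watched_domain(domain):
    """True for the firm's domain or a subdomain of it, not for look-alikes."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in FIRM_DOMAINS)


def scan(lines):
    """Return findings for firm credentials, firm addresses and client names."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        credential_starts = set()
        for m in CRED_RE.finditer(line):
            if in_watched_domain(m.group(2)):
                email = (m.group(1) + "@" + m.group(2)).lower()
                findings.append(
                    Finding(line_no, "credential", email, fingerprint(m.group(3)))
                )
                credential_starts.add(m.start())
        for m in EMAIL_RE.finditer(line):
            # Skip addresses already reported as part of a credential pair.
            if m.start() in credential_starts:
                continue
            if in_watched_domain(m.group(2)):
                email = (m.group(1) + "@" + m.group(2)).lower()
                findings.append(Finding(line_no, "email", email, None))
        for name, pattern in CLIENT_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(line_no, "client_name", name, None))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f.line_no, f.kind, f.value, f.secret_fingerprint or "-")
```

The findings carry only a fingerprint of each exposed password, so the triage queue itself does not become a second copy of the leak.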
By Joseph Raczynski
Learning from colonial piracy about the war on cybersecurity
“It is a small world. It’s a fragile world. No one is safe until everyone is safe.” These are the cautionary words of Rod Beckstrom of The Rod Beckstrom Group, the keynote speaker at the cybersecurity LegalSEC Summit last week in Baltimore. With over 350 legal technology professionals leaning into his every word, he set the stage for where cybersecurity is headed with an advisory tale from history now repeating itself on the Internet. His intent: to arm the guardians overseeing 80-90% of the country’s IP information, all sitting in the same room at that moment in time.
History of Pirates
In 1491, the “Erdapfel” of Martin Beheim was created. It is the oldest surviving terrestrial globe – excluding the Americas. This sphere was cutting edge technology of the day. Like any technology its uses can be for the betterment of humanity or its decline. Not surprisingly, around the release of the globe, piracy began to flourish. Seafaring scoundrels viewed the world anew with this technology and seized upon its bounty.
These salty scofflaws took four unique forms in their day. One group of pirates was sponsored by the Dutch, Spanish, and British empires respectively. Another group realized they could band together using their private ships to attack on the high seas for gems and precious metals. The third formed a coalition around pirating for a cause. The last group were one-off ships that would attack others for jewels or money. These four pirating entities have a present day adaptation. They translate to State Actors (e.g. China, Iran, North Korea), Organized Crime (e.g. in Russia or Estonia), Hacktivists (e.g. Anonymous) and Lone Hackers (e.g. anyone and everyone). One new addition: in the Cyber Age there is also the internal threat to organizations known as “Insider Joe” attacks, which are very prevalent.
Present and Future
As Beckstrom described in this presentation, the wars over the years require time for forces to align. During the Nuclear era, once the major powers acquired these arms, everyone realized it was in the best interest of each country not to use them, i.e. mutually assured destruction. This is ongoing right now with Cyberwar. He said that China or Russia could hobble the infrastructure of the United States tomorrow, but they realize that if they did that, the US would do the same to them, therefore no one conducts this sort of cyber-attack.
Law firms are not a sovereign territory, so all aforementioned groups are threats and in turn are seeking them out. These groups have tools which are sold on the Dark Web as out of the box solutions and can wreak havoc for firms in very little time. In the graphic below Beckstrom outlines an ecosystem where various parties work together but in isolation to earn money or take down a company. The scripts are created by people and sold to criminals. Meanwhile, another set of criminals has harvested millions of credentials. In conjunction, the Criminal Operator uses both to target a law firm or corporation. Those proceeds or goods are then routed through Mules. These are everyday people who simply accept packages and send them along to someone else, which keeps the money flowing. In most of the law firm attacks, mules are not used; instead data is either released or held for ransom by the Criminal Operator.
The only way to combat this, said Beckstrom, will be a new world of robots fighting robots (computer bots), which is now occurring. This next era of defense is sifting through huge amounts of data and applying cognitive computing and artificial intelligence with a layer of deep learning on top. In this light he underscored the importance of preparedness. One of the world’s largest banks, JPMorgan, has decided to pledge a half billion dollars toward the fight on cybersecurity.
Beckstrom closed with the warning to each firm CIO that the time is now to invest heavily in cybersecurity. Every one of the attacker profiles mentioned is attempting to break in and get access to law firm and corporate information. Prepare now because time is short – we are not safe until everyone is safe – by taking the responsibility to invest.
By Joseph Raczynski
The word “Cloud” can be a divisive word at law firms. Recently uttering the term during technology meetings with East Coast-based law firms with between 50 and 3,000 attorneys elicited starkly differing responses based on firm size and practice dominance.
Most of the midsized firms with whom I have met over the last year were favorable toward its use in most cases. One CIO declared it was firm negligence not to use the Cloud for data. He cited the inability of most firms to retain the expertise necessary to safeguard data inside the firm. Typically, larger law firms with clients in the financial industry explicitly forbid embracing such services outside of their network. Indeed, these clients underline this conservative firm posture by pushing for responses to 300-part questionnaires about how the law firm handles their data and outlining privacy and security practices related to the Cloud.
Despite this push from the financial industry, I would argue that we are in an interstitial period of Cloud adoption at law firms. In the not too distant future, I believe that many of the firms today which avoid or disallow its use will accept it. Law firms are risk-averse institutions. While Cloud technology may appear laden with hazard, it might actually be the opposite. Initially when the Cloud — a rebranded name for a decades old concept — returned, early adopters encountered data breaches.
Years of security issues were thrust into the headlines, and those goaded reputable Cloud providers toward major investment around protecting their services. Now with far tighter rein of control, Cloud providers are much better positioned to court law firms of all sizes. Unless a firm has a solid technology budget and the ability to retain top-notch security experts, an argument could be made that housing data in a secure cloud would be more prudent than inside an internal firm network.
A recent New York Law Journal article by Ted Sabley on “Does Adoption of Cloud Computing Shift Cyber Liability Risk?” will give some readers pause for thought on greater adoption. Sabley mentions that each of the largest Cloud providers has baked in new and surprising contract terms. They’ve shifted the liability in the End User License Agreements (EULA) to the customer. That is, if there is a breach of customer data hosted on the Cloud, the user bears the responsibility. This seems to be the case with Amazon Web Services (AWS), Google, Microsoft and Apple Cloud platforms.
Whether or not a customer shoulders the responsibility of a breach, the common practice for everyone dealing with Cloud providers should be the following:
Currently firms of all sizes find themselves in two camps when it comes to the Cloud. Midsized firms have generally flown into the Cloud, while big firms hover between land and air, in a bit of a fog-like state. With increasing pressures of expense and the challenges of retaining network and cybersecurity expertise, the future for law firms is undoubtedly in the clouds.
By Joseph Raczynski
This is the third and final post in a series about blockchain, an online public ledgering system, and how it will soon significantly impact many aspects of the legal industry. In the first post, I demonstrated the potential and the pitfalls of Bitcoin and its underlying blockchain technology; and in the second post, I described what full global adoption of a cryptocurrency would entail. In this installment, I will explain the potential legal implications of blockchain technology.
While Bitcoin may disappear in a few years — doubtful, but possible — the underlying technology is by far the most important development going forward. Blockchain is a public ledger. It can be applied to almost anything that you would normally save to a database or spreadsheet.
In the Bitcoin example, the blockchain shows the exchange of all the money that has ever changed hands in Bitcoin transactions. It does not list who owns the coins per se, just that they exist or that they changed hands. It is controlled by no single person but by all parties connected to the exchange. This public, but encrypted spreadsheet in the sky is in theory more secure and open than our current system of money exchange. The network maintains a collective history of all of the transactions that have ever occurred on the network. You can view all of the Bitcoins changing hands every moment of the day at Blockchain.info.
And as you see the transactions scroll up, you soon identify several important legal implications. For one, none of this money has been passed through a bank or other financial institution, nor has it been screened by any government agency. That is, if you have a major transaction of $10,000 or more coming or going from the US — one that is normally required to be reported — it is not being reported via Bitcoin today. As you might surmise, many positives with this technology exist, but significant challenges, mostly concerning government regulators and current US laws, are also present.
While Bitcoin created the first blockchain, many other such chains have been created since. For example, there are other cryptocurrencies that use the technology. However, where this becomes most interesting is how related businesses could use a ledger-based blockchain platform. Fundamentally it is a program from which to build a system of accounting or process. One network called Ethereum, which has been described as a “decentralized virtual machine that can execute peer-to-peer contracts” is leading the charge with smart contracts and the law.
Here is how I see blockchain affecting the legal industry.
Creation of Contracts: The blockchain could alter the landscape of contract attorneys. Part of what makes the blockchain so special is that not only does it keep records which are immutable, it also creates a process around that. For example, I could create a contract which stipulates that when my patent was approved by the Patent and Trademark Office (PTO), my four partners would receive a 10% share in my company. How would that work? The contract on the blockchain would check to see if the patent was approved, then trigger a process releasing the shares to the partners. All of this would be automated and fall outside of human legal action. Indeed, you could go one step further and tie in a payment system so that when that patent was granted, bonus funds could be disbursed automatically into the accounts of said partners.
Intellectual Property: If blockchain is ripe for anything it is IP. This technology creates a publicly accessible, indisputable ledger of each filing which could be held not solely by jurisdiction but on a global scale, benefiting everyone. This information would offer clean and clear rights of use for all parties. You could even submit your trademark through the system. Leveraging an algorithm identifying any likeness to the trademark, the system could then grant or dismiss it. All of which would become part of the public ledger for anyone to review.
Land Registry: Some Latin American countries are beginning to use blockchain as a means to keep track of who owns which land deeds. Wealth is created through ownership, and one of the most challenging aspects of developing countries is determining who owns a piece of land. Disputes often occur because of corrupt governments or individuals taking advantage of the under-educated. Having a public blockchain ledger would allow for everyone to be aware of who owns which parcel of land; and it would make the exchange of those plots much easier and more equitable.
If a family were to buy a plot of land that could be registered on the legal blockchain, it would be much more verifiable than even perhaps government records. All parties would be able to authenticate this as compared to one entity (the government) holding onto all the records. This process would even create a better base for the government to fairly tax individuals and businesses.
Establishing Records: In some African countries they are looking at using blockchain technology to keep census information. Voter records could also be added to this process as a means to have a central repository of eligible citizens. In this area, currently under development, blockchain seems primed for tremendous growth.
Financial Service Industry: The banking industry also is jumping into this arena. The theory is that our stock exchanges will become blockchain enabled. The idea is simply that every stock bought or sold would be on the ledger. You could trace back your own ownership of that equity and even tie that to your estate-planning documents. Extrapolating this out, those documents also could be housed on a blockchain with respective triggers for when you eventually die. Ultimately that information is then released to your beneficiaries based on that event (Date of Death) as recorded by the Social Security Administration (SSA).
Personally I have little doubt that blockchain technology will revolutionize the legal industry in the coming years. The question is if it will be more like HTML — a behind the scenes technology — or if it will be a more obvious, almost tangible technology that we will all reference by name. There is almost no doubt that this technology will be a significant disrupter to the legal profession and the overall market on many fronts. The biggest industries — government, banking, legal, healthcare and others — will either use it or be significantly impacted by it.
By Joseph Raczynski
This is the second post in a three-post series about blockchain, an online public ledgering system, and how it will soon significantly impact many aspects of the legal industry. In the first post, I demonstrated the potential and the pitfalls of Bitcoin and its underlying blockchain technology. The intent of this post is to describe what full global adoption of a cryptocurrency would entail.
First, I have little doubt that in a decade or less we will have a world currency akin to Bitcoin. The implications on both the legal world and government legislation will be significant. Right now there are dozens of cryptocurrencies out there: Dogecoin, Litecoin, Peercoin, and many more are on the horizon. Each has unique aspects but all have at their focus: security, ease of electronic money exchange, and the avoidance of a centralized banking system. Certainly the most popular cryptocurrency to date is Bitcoin, which started the concept in 2009 after its creation by an anonymous inventor known as Satoshi Nakamoto, a Japanese equivalent to “Jim Smith”.
Bitcoin is incredibly intriguing because it is a natural product of the Internet, a decentralized forum of exchange and connectedness. Currently, for two people to exchange money we typically have to route money through various exchanges which all take fees merely for passing the money along. The success of cryptocurrencies demonstrates that those traditional fees are outdated and excessive for current transactions. While traveling in Thailand recently I took $100 out of an ATM. With the fees — i.e., Thai ATM fee, foreign transaction fee, and a cut of the exchange rate my bank charged — I spent $23 to get that $100. The fee for a similar transaction from dollars to Bitcoin would have been in the neighborhood of 20 cents. The fees of yesterday by the banks made sense decades ago, but now given today’s advanced and speedy technology those extraordinary fees bear little relation to the actual cost of transferring money.
Where do I see a cryptocurrency taking off?
The market for growth in this arena will increase substantially in the years ahead. That said, there is little question that several challenges to cryptocurrencies persist. One, a lost electronic wallet is gone forever. If you have not created a backup or saved it digitally in a safe place, you could lose all of your assets. Two, insurance does not exist. Cryptocurrency is not FDIC insured as are bank deposits. Again, it is the responsibility of the individual to own this and make sure they have diversified their assets in safe locations.
In my next post, I will review the countless — and there are legion — legal hurdles ahead. The legal industry will play a significant role in further defining cryptocurrencies and how their underlying technology, the blockchain, will be used.
By Joseph Raczynski
This is the first post in a three-post series about blockchain, an online public ledgering system, and how it will soon significantly impact many aspects of the legal industry. The intent of this first post is to show the marvels and the pitfalls of Bitcoin and its underlying blockchain technology. My personal account shared below is an experience with the virtual currency beginning five years ago until today; and the subsequent posts will embark on a legal discussion of the real magic behind Bitcoin, the blockchain system.
I still remember the day of June 19, 2011, when I transferred $40 from a little-used, barely funded State Department Federal Credit Union account into Dwolla, a nascent electronic money exchange. Dwolla was an intermediary, allowing people to send money to others or into various accounts electronically. I used it once to transfer money from my State Department Credit Union account to a Mt. Gox account.
There was no question at the time that I thought every aspect of this was risky from a cybersecurity standpoint. Transferring money from an established credit union was the first chance I took. What were the implications of connecting these two entities? Would that exchange compromise my credit union account? What was I doing transferring $40 into a mysterious Tokyo-based company, which was previously a trading place for fantasy trading cards named “Magic: The Gathering Online eXchange” (aka Mt. Gox)? The owner of the exchange, Mark Karpelès, had picked up the burgeoning enterprise a few months prior. The original owner who had converted the business from fantasy cards to Bitcoin bowed out after not being able to manage the new exchange’s growth.
Rise and Fall of Bitcoin
This risky hoop-jumping money transfer I stomached in 2011 was to buy my first Bitcoin. I had heard about the new currency on an Internet message board focused on cybersecurity. As an undergrad studying economics, I believe that a decentralized, anonymous, secure currency was an amazing concept that absolutely made sense. But I was anxious about what might happen to my money, my account and my name in going through this process. After transferring the small sum into the Mt. Gox account I watched Bitcoin fluctuate from $11 to $22 per coin over a few months. When it hit $20 at one point I was able to buy two coins — thus turning the $40 US into two Bitcoins.
So what is Bitcoin and why is there an appeal? When asked, my simplest response is that it is like holding and using cash on the Internet. Even better, it is universal, international, secure and anonymous peer-to-peer electronic cash. All currencies in the world can be exchanged for Bitcoin. The currency is not backed by anything (gold or silver), but neither is the US Dollar, circa 1971. The cryptocurrency (mathematically created denomination) allows people or companies to digitally exchange money quickly, securely, and without having to go through a bank or using a credit card — which traditionally charge a fee. Simply download an online digital “wallet” from the literal ton of apps to choose from, and you can transfer your Bitcoins into it. How do you transfer money into your wallet? Each wallet has a unique address (string of numbers and letters) which you use to receive money. If you wanted to transfer money to someone else, all you need is their address and the amount of Bitcoin you want to transfer, and you can send money to them.
Another means of sending money is to scan a QR Code from someone’s app to transfer money from one wallet to another. You can even snap a picture of the QR Code with your phone and transfer the money. The currency can be transferred between neighbors, across the country and anywhere overseas with ease. The transaction fee can range from free to as high as several pennies or dimes. As you can gather, users can completely circumvent the banking and credit card communities — which poses issues, but also has many benefits. It is a fascinating technology; and the underlying architecture and its platform, called the Blockchain, is even more intriguing.
Think of all the legal implications here. Currently, individuals and businesses can transfer unlimited sums of money from country to country without notification, identification or taxation. It is completely unregulated. More on the legal implications of this later.
The Mt. Gox Crash
Back to my passage through Mt. Gox. In 2011, the coins I held with Mt. Gox simply sat in my account. Monitoring the currency infrequently, I noticed that it increasingly fluctuated and became wildly unpredictable with a thrust upward, rising from $20 to $266. In 2013, I was stunned to see the change. My $40 had turned into $532. As time went on the rapid changes to its valuation continued to gain momentum. By November 2013 (two years later), Bitcoin peaked at around $1,250 per coin. My $40 became $2,500 in “electronic paper” money. I was flabbergasted. At that stage, my imagination had the thing hitting $10,000 per coin, but that never came to pass. In fact, from that lofty point, the currency has fallen to a current $400 US per coin in March 2016.
Unfortunately, I never was able to cash out of that Bitcoin, because like most early investors, I had my money with Mt. Gox, which handled 70% of all Bitcoin transactions. Two weeks prior to the exchange closing, like many others, I tried pulling my money out, but the system would not allow it. It was equivalent to a bank run of the 1920s.
As was widely reported, someone just decided to make off with all of the Bitcoins that were held within Mt. Gox. It certainly seems obvious, but having worked with multiple banks over my life, you are semi-lulled into a sense of security around an institution and money. If a bank goes under, you rely on the FDIC insurance — not so with Mt. Gox. Sure, if I had thought about it, it seemed feasible that something like this could happen. However, never would you assume that a single individual could shut down an exchange with $473 million in assets by tossing that sum onto a digital wallet and walking out the door. My $40 investment which jumped to $2,500 vaporized and now is in bankruptcy proceedings. Many other Bitcoin believers and cryptocurrency hopefuls literally lost millions of dollars from this exchange going insolvent. This experience underlined the possibilities of the currency, validated great underlying concerns, and clearly demonstrated that the legal world would benefit from understanding this technology.
In my next post I will touch on how these currencies will impact all of us in the near future and where the law will play a role.