Heartbleed: What Lawyers and Law Firms Need to Know


Yesterday, partially in response to news about the “Heartbleed” computer exploit, Sam wrote a post about the importance of lawyers understanding how the internet works. Given all the media buzz about Heartbleed, I thought it might be useful for lawyers and law firms to understand what it really means for them, without either too much techno-jargon or over-use of dumbed-down metaphor.

So What is Heartbleed?


Leaky website encryption.

Lots of websites that require password log-in use an encrypted connection to your browser, called SSL. You can see this when you go to sites that have an “https” website prefix, as opposed to the normal “http” prefix—the “s” means they’re using encryption to protect the data sent between you and that website.

One widely used implementation of SSL is an open-source software library called “OpenSSL”. For the past two years, the OpenSSL software has had an undetected bug in its code that could have allowed people to see what was supposed to be encrypted data passing between you and the websites using OpenSSL.

“Heartbleed” is just the creative name—given by internet security researchers—to identify the software bug in OpenSSL that allowed for this potential encryption leak.

How Did Heartbleed Happen?

By accident.

Because OpenSSL is an open-source software project, volunteer software developers around the world are able to submit suggested code edits and fixes, which can later be incorporated into the core software. Two years ago, a German software developer submitted some code fixes—intending to clean up some small software bugs in OpenSSL—and accidentally created a new, unnoticed, bug—now called “Heartbleed”.

What Sites Are Impacted by Heartbleed?

Most of the big ones.

There are two ways to think about the potential impact of Heartbleed: direct impact and indirect impact.

The direct effects of Heartbleed involve theoretical access to your private data on sites that use the OpenSSL encryption code. These are usually “medium security” sites that require a password log-in and/or process payments.

  • Low security sites: Websites that don’t require log-in and don’t process payments rarely use SSL encryption and thus would not be directly impacted by Heartbleed.
  • Medium security sites: Non-financial-services websites that use log-ins and/or process payments AND use the OpenSSL software are the sites that were impacted. This includes Facebook, Google, Twitter, Yahoo! and more. You can find a list of major sites impacted by Heartbleed here.
  • High security sites: Most financial services websites (banks and credit card companies) have stronger encryption standards than OpenSSL and thus also aren’t directly impacted by this.

The broader indirect effects of Heartbleed involve the fact that many people use only a small number of (bad) passwords across the internet, which means that access to one of these passwords through the Heartbleed exploit could give someone access to additional sites using the same password.

Did Hackers Steal My Passwords or Client Files or Other Important Data?

Hopefully not.

Unlike the Target data breach last fall, Heartbleed was identified and announced before any known attacks occurred. Computer security researchers discovered the code problem last week and announced it immediately. Developers immediately started building software patches to fix the problem. Most affected sites have already implemented these fixes or will in the next couple of days.

It is certainly possible (maybe even probable) that in the past two years—since the creation of the “Heartbleed” code—a malicious hacker or espionage organization has been collecting and exploiting the vulnerability, but there isn’t currently any evidence that this happened to anyone.

UPDATE: It now appears—surprise to anyone?—that the NSA has known about Heartbleed for two years and didn’t tell anyone, because it’s been giving them easy access to otherwise-encrypted data.

What Should I Do About It?


Use better passwords.

  • Minimum: Change your passwords today, as soon as the sites you use are patched. If you do nothing else, use the list of vulnerable sites above and change all of your passwords on those sites. You really, really need to do this today. That is the absolute bare minimum, though, and probably not enough to satisfy your ethical duties as an attorney.
  • Best practice: use a password manager, and encrypt and back up your hard drive. There are four fairly simple steps lawyers (and everyone else) can take to dramatically increase their data security.
    1. First, encrypt your hard drive. This takes just a few minutes and is usually free. By encrypting your hard drive, you secure your physical computer from snooping.
    2. Second, back up your hard drive. You’ll have to decide whether to use a file syncing tool like Dropbox or a pure back-up service like CrashPlan, or both, but your data should be backed up to a computer or server that is not in your office.
    3. Third, use a password manager. Password managers like LastPass, 1Password, PasswordBox, and KeePass allow you to create and manage unique, strong passwords for each of your website log-ins. Rather than having to memorize lots of different passwords for all of your sites (or worse, but more common, using the same password for all of your sites), password manager software generates super-strong passwords for each of your sites then stores them in an encrypted file that you access with one master password.
    4. Fourth, turn on two-factor authentication. Many web services (Google, Dropbox, etc) allow users to add “two-factor authentication” to their log-ins. This means that when you sign in, in addition to your username and password, you also need to input an additional piece of information—usually a code the site texts to you as you log in. This way, if anyone ever did obtain your password, not only would they not be able to log in, your phone would alert you that they were attempting to get in.

After This and the Target Data Breach, Should I Fear the Cloud?


No, but maybe.

Fear of things you don’t understand isn’t a particularly useful thing. The “cloud” (software and data that is stored on servers outside of your location that you access through the internet) is a complex and changing thing. This complexity allows for some truly amazing innovations in technology, but also comes with potential risks.

Lawyers have a particularly-strong duty to understand what is happening with their confidential client data.

A good understanding of how the cloud—and a law firm’s particular web applications—works should also include a good understanding of the variety of ways that lawyers and law firms can protect themselves from risk.

Proper, rational risk analysis requires learning about the likelihood and magnitude of potential harm, as well as the cost and burden of both possible security measures, but also the alternative options. For instance, if your “fear” of the cloud leads you to keep everything in paper form, you are almost certainly leaving your important client data at greater risk to theft, fire, flood, or snooping than if you use best practices in the cloud.

That said, this analysis is very dependent on your particular circumstances.

What’s next?

Nobody knows.

Here’s the reality: stuff like this (and probably worse) is inevitable. As the sophistication of web and mobile applications grows so do the methods of hackers and espionage operations. Similarly, increasing reliance upon and interactivity between these apps makes your data more vulnerable to hacks and bugs.

Who knows whether the next big internet security news will be a big data breach, a code exploit, a hack into one of your favorite websites, or something totally unforeseen. The question isn’t whether there will be security problems on the internet, but whether you are being smart about how you use technology to keep yourself as secure as possible.

It is legitimate to question whether these tradeoffs are worth it for your particular situation, but that requires education of what’s really going on, and a rational analysis of the costs and benefits of technology use and data security protocols, not just a resort to fear and doubt.

Heartbleed is a big deal in internet security, but hopefully its biggest effect will be in getting you to use more care in how you protect yourself online.

Featured image: “Businessman in suit puts his head down on his laptop computer ” from Shutterstock.


  • Nadia

    Changing passwords blindly right now is a terrible idea (and bad advice) because you may expose your new passwords! Fixing the Heartbleed bug is a two-step process: 1) the server must fix the bug itself by applying a software patch and 2) the server must change its encryption keys and security certificates. Please use LastPass’s free tool to see if the website you are concerned about is affected, has applied the patch, and has changed the certificate: https://lastpass.com/heartbleed/ LastPass will tell you in plain terms what course of action you should take: change the password or wait until it is safe.

    Dropbox is ok to change now. So is Yahoo. Gmail? Don’t be so sure. Activate the two-step authentication process just in case.

    • Aaron Street

      Terrible idea AND bad advice? Ouch.

      I’m not sure I understand the logic of how changing your password exposes your password in any way different from using your password. (Attorneys will log into Google this weekend, whether or not their SSL has been patched).

      The big risk for most attorneys isn’t that one site could be compromised, it’s that most attorneys use the same password for multiple sites. Because of that, changing all passwords today (to unique passwords) is an important step, even if some more need to be changed again next week.

      I clearly mentioned in the post that some sites are still working on fixing the hole.

      I also noted that two-factor authentication is important to implement immediately.

      So, yes, for some sites, you should wait a few days to change your password (or change it again then).

      • Jonathan Kleiman

        Right… obviously…

        • Kathie McClure

          I also read this article as telling lawyers to change all their passwords now regardless of whether the website on which the password is being changed has taken the requisite remedial steps. Every security technology expert who has written or been interviewed about Heartbleed is advising not to change a password in a vulnerable website until the website owner (or LastPass) indicates it is now safe to do so. The remedial steps include: 1) applying the patch; AND 2) terminating the existing SSL Certificate and obtaining a new SSL Certificate. See Heartbleed.com.

          • http://samglover.net/ Sam Glover

            I’ve updated the post to clarify this. But here’s the thing. If you use a site that takes more than 48 hours to patch the biggest security hole in the history of the Internet, stop using that site.

            • Kathie McClure

              I couldn’t agree more!

    • Jonathan Kleiman

      If you mean keep the old password because a new password might also be exploitable, I’m not sure if you’re serious.

      • Nadia

        No, what I had an issue with is the implication from Aaron’s article that changing the passwords today fixes the issue on your end. Even with using the password manager, that does not put users in the clear for two reasons: 1) they don’t know if the bug has been patched on the server and 2) if the keys have been reissued. And if most users stick to their practice of using the same bad password across multiple websites, changing that password across all sites, some of which are either still vulnerable to data leeching or outright decryption using an old set of keys, makes it even worse. They will still be exposed and you are lulling them into a false sense of security here.

        Please make it clear to your readers: some websites are not secure today, will not be secure tomorrow, and even if they apply the patch, they still may not be secure. The users will still have to check or re-check whether the website changed the keys/SSL cert and change their passwords after that happens, whether it is for the first time or again after they change every password today.

        For an explanation of why this is necessary, see here: http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/. In short, a server with an unpatched Heartbleed bug allows disclosure of information third parties should not have, including private keys. If whoever was using the Heartbleed bug to siphon the information got a hold of private keys, it does not matter if you change your password after the patch. The patch would prevent siphoning of new information, but not the decryption of all information using old keys. Using these private keys, that person would have access to your new password as well. Nowhere in your article, Aaron, is this made clear to your readers.

        No, I am not affiliated with LastPass in any way. I don’t even use their software. But it’s nice to see that in the absence of understanding of the scope of the problem or the risks to the users, you resort to ad hominem attacks on credibility (with the Lawyerist’s tacit comment approval). Makes me feel really good about contributing to this community. If you know of another easy way to check whether in addition to patching OpenSSL the site also updated its SSL cert, why don’t you post the link here instead of attacking someone who helps your readers figure out the real scope of the problem?
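The two-step cleanup that Nadia and Kathie describe above (patch OpenSSL, then reissue keys and certificates) can be turned into a simple client-side check. This is an added example, not code from the post, from any commenter, or from LastPass: it assumes a certificate in the dict shape Python’s `ssl` module returns from `getpeercert()`, takes the site’s patch status as a separate input (a certificate cannot tell you whether the server was patched), and uses constructed sample certificates.

```python
import ssl
import socket
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) was publicly disclosed, and the fixed OpenSSL 1.0.1g
# released, on 7 April 2014. A certificate issued before that date cannot have
# been reissued as part of a site's cleanup.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """notBefore of a getpeercert()-style dict, as an aware UTC datetime."""
    # getpeercert() dates look like 'Apr  8 00:00:00 2014 GMT'
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def password_change_advice(cert, server_patched):
    """Return 'wait', 'change-again-after-rekey', or 'change'.

    cert           -- certificate dict as returned by ssl.SSLSocket.getpeercert()
    server_patched -- True only if the site has confirmed its OpenSSL is patched
    """
    if not server_patched:
        # Step 1 not done: a new password sent now can leak just like the old one.
        return "wait"
    if cert_not_before(cert) < HEARTBLEED_DISCLOSURE:
        # Step 1 done, step 2 (new key and certificate) not: anyone who pulled the
        # old private key out of memory could still read captured sessions. Change
        # now to break password reuse, and change again once the site re-keys.
        return "change-again-after-rekey"
    # Caveat: a post-disclosure certificate is necessary, not sufficient; a CA may
    # re-sign the same key pair. Without the old cert to compare public keys,
    # this is as far as a client-side check can go.
    return "change"


def fetch_cert(hostname, port=443, timeout=5):
    """Fetch a live site's leaf certificate (network; not used by the offline samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates for an imaginary host; not real certificates.
OLD_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Jan 15 00:00:00 2014 GMT", "notAfter": "Jan 15 23:59:59 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Apr  9 00:00:00 2014 GMT", "notAfter": "Apr  9 23:59:59 2015 GMT"}

if __name__ == "__main__":
    for label, cert in (("old cert", OLD_CERT), ("new cert", NEW_CERT)):
        print(label, "| unpatched:", password_change_advice(cert, False),
              "| patched:", password_change_advice(cert, True))
```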

        • Jonathan Kleiman

          I still don’t understand why it makes more sense to keep your old passwords instead of using temporary new ones for now.

    • Jonathan Kleiman

      I believe Nadia is affiliated with lastpass.com

  • Jonathan Kleiman

    I agree with Nadia that you should wait for the All Clear to trust your passwords with a given business. But as somebody who hangs around on IRC occasionally, I can tell you that the hackers are laughing, and nobody knows what’s been taken. It has been exploitable for months. Change your passwords.

  • Avram E. Frisch

    I guess the lesson is to not use open source products. Also, LastPass itself was compromised, so how can you trust it to manage your passwords?

    • http://samglover.net/ Sam Glover

      LastPass was affected, but not compromised. It has multiple layers of security, and OpenSSL was just one.

      Why do you think the lesson here had anything to do with the fact that OpenSSL is open-source software?

      • Avif

        They claim that they are safe, but that is assuming that they are trustworthy, which is a big assumption. Trusting all your passwords to one company who then was susceptible to a hack would kill their business instantly, so if they had to lie about it, they probably would. As to why this is an argument against open source, there are two reasons. One, Apple and Microsoft largely avoid open source products and their software was not affected by this bug, and furthermore, the open source model is about doing things on the cheap and OpenSSL is really a small operation and did not have the resources to be incorporated in so many pieces of software.

        • http://samglover.net/ Sam Glover

          LastPass has been incredibly transparent through a number of security incidents. In fact, I value transparency far more than invulnerability when it comes to data security. Everything gets hacked. What I want to know is when, and what it’s going to do about it.

          Apple and Microsoft largely avoid open source products

          You’re not serious, are you?

          I’m not sure I can count all the open-source components in Apple software, but Apple has a convenient list right here. Microsoft’s list of open-source projects is similarly lengthy.

          The open-source model is not just about cost. In fact, sometimes it is not at all about cost. Regardless, many people (me included) believe open-source software is generally more secure than closed-source software because there are more people auditing the code. (And no, we’re not talking about basement hackers. Google uses and contributes to many open-source projects, to name just one major company with a vested interest in open-source security.)

          • Avif

            Though apparently OpenSSL is a lot more a project of four part time people working in their basements.

            • http://samglover.net/ Sam Glover

              That’s my understanding, and the failure of so many Internet companies to support such a vital component of their server software is pretty lame.

    • http://www.seo-for-lawyers.com/ Luke Ciciliano

      I would just add that many of the most secure products there are stem from open source. As opposed to a closed company having only its own employees work on a product, open source initiatives regularly result in talented engineers from around the world contributing/looking for bugs.

  • Molly Clarke

    Good advice! I’ve also read that it is important to conduct an internal security audit to identify and upgrade vulnerable internal systems and services. This may include routers, network storage devices, and other access points. This information came from the article “Tips for Handling the Heartbleed Bug”. This post touches upon some of the points brought up in the comment section and goes over when to change passwords.