Yesterday, partially in response to news about the “Heartbleed” computer exploit, Sam wrote a post about the importance of lawyers understanding how the internet works. Given all the media buzz about Heartbleed, I thought it might be useful for lawyers and law firms to understand what it really means for them, without either too much techno-jargon or over-use of dumbed-down metaphor.
So What is Heartbleed?
Leaky website encryption.
Lots of websites that require password log-in use an encrypted connection to your browser, called SSL. You can see this when you go to sites that have an “https” website prefix, as opposed to the normal “http” prefix—the “s” means they’re using encryption to protect the data sent between you and that website.
One version of SSL is an open-source software called “OpenSSL”. For the past two years, the OpenSSL software has had an unknown bug in its code that could have allowed people to see what was supposed to by encrypted data passing between you and the websites using OpenSSL.
“Heartbleed” is just the creative name—given by internet security researchers—to identify the software bug in OpenSSL that allowed for this potential encryption leak.
How Did Heartbleed Happen?
Because OpenSSL is an open-source software project, volunteer software developers around the world are able to submit suggested code edits and fixes, which can later be incorporated into the core software. Two years ago, a German software developer submitted some code fixes—intending to clean up some small software bugs in OpenSSL—and accidentally created a new, unnoticed, bug—now called “Heartbleed”.
What Sites Are Impacted by Heartbleed?
Most of the big ones.
There are two ways to think about the potential impact of Heartbleed: direct impact and indirect impact.
The direct effects of Heartbleed involve theoretical access to your private data on sites that use the OpenSSL encryption code. These are usually “medium security” sites that require a password log-in and/or process payments.
- Low security sites: Websites that don’t require log-in and don’t process payments rarely use SSL encryption and thus would not be directly impacted by Heartbleed.
- Medium security sites: Non-financial-services websites that use log-ins and/or process payments AND use the OpenSSL software are the sites that were impacted. This includes Facebook, Google, Twitter, Yahoo! and more. You can find a list of major sites impacted by Heartbleed here.
- High security sites: Most financial services websites (banks and credit card companies) have stronger encryption standards than OpenSSL and thus also aren’t directly impacted by this.
The broader indirect effects of Heartbleed involve the fact that many people use only a small number of (bad) passwords across the internet, which means that access to one of these passwords through the Heartbleed exploit could give someone access to additional sites using the same password.
Did Hackers Steal My Passwords or Client Files or Other Important Data?
Unlike the Target data breach last fall, Heartbleed was identified and announced before any known attacks occurred. Computer security researchers discovered the code problem last week and announced it immediately. Developers immediately started building software patches to fix the problem. Most effected sites have already implemented these fixes or will in the next couple of days.
It is certainly possible (maybe even probable) that in the past two years—since the creation of the “Heartbleed” code—a malicious hacker or espionage organization has been collecting and exploiting the vulnerability, but there isn’t currently any evidence that this happened to anyone.
UPDATE: It now appears—surprise to anyone?—that the NSA has known about Heartbleed for two years and didn’t tell anyone, because it’s been giving them easy access to otherwise-encrypted data.
What Should I Do About It?
Use better passwords.
- Minimum: Change your passwords
today. If you do nothing else, use the list of vulnerable sites above and change all of your passwords on those sites. You really, really need to this today.That is the absolute bare minimum, though, and probably not enough to satisfy your ethical duties as an attorney.
- Best practice: use a password manager and encrypt and back up you hard drive. There are four fairly-simple steps lawyers (and everyone else) can take to dramatically increase their data security.
- First, encrypt your hard drive. This takes just a few minutes and is usually free. By encrypting your hard drive, you secure your physical computer from snooping.
- Second, back up your hard drive. You’ll have to decide whether to use a file syncing tool like Dropbox or a pure back-up service like CrashPlan, or both, but your data should be backed up to a computer or server that is not in your office.
- Third, use a password manager. Password managers like LastPass, 1Password, PasswordBox, and KeePass allow you to create and manage unique, strong passwords for each of your website log-ins. Rather than having to memorize lots of different passwords for all of your sites (or worse, but more common, using the same password for all of your sites), password manager software generates super-strong passwords for each of your sites then stores them in an encrypted file that you access with one master password.
- Fourth, turn on two-factor authentication. Many web services (Google, Dropbox, etc) allow users to add “two-factor authentication” to their log-ins. This means that when you sign in, in addition to your username and password, you also need to input an additional piece of information—usually a code the site texts to you as you log in. This way, if anyone ever did obtain your password, not only would they not be able to log in, your phone would alert you that they were attempting to get in.
After This and the Target Data Breach, Should I Fear the Cloud?
No, but maybe.
Fear of things you don’t understand isn’t a particularly useful thing. The “cloud” (software and data that is stored on servers outside of your location that you access through the internet) is a complex and changing thing. This complexity allows for some truly amazing innovations in technology, but also comes with potential risks.
Lawyers have a particularly-strong duty to understand what is happening with their confidential client data.
A good understanding of how the cloud—and a law firm’s particular web applications—works should also include a good understanding of the variety of ways that lawyers and law firms can protect themselves from risk.
Proper, rational risk analysis requires learning about the likelihood and magnitude of potential harm, as well as the cost and burden of both possible security measures, but also the alternative options. For instance, if your “fear” of the cloud leads you to keep everything in paper form, you are almost certainly leaving your important client data at greater risk to theft, fire, flood, or snooping than if you use best practices in the cloud.
That said, this analysis is very dependent on your particular circumstances.
Here’s the reality: stuff like this (and probably worse) is inevitable. As the sophistication of web and mobile applications grows so do the methods of hackers and espionage operations. Similarly, increasing reliance upon and interactivity between these apps makes your data more vulnerable to hacks and bugs.
Who knows whether the next big internet security news with be a big data breach, a code exploit, a hack into one of your favorite websites, or something totally unforeseen. The question isn’t whether there will be security problems on the internet, but whether you are being smart about how you use technology to keep yourself as secure as possible.
It is legitimate to question whether these tradeoffs are worth it for your particular situation, but that requires education of what’s really going on, and a rational analysis of the costs and benefits of technology use and data security protocols, not just a resort to fear and doubt.
Heartbleed is a big deal in internet security, but hopefully its biggest effect will be in getting you to use more care in how you protect yourself online.
Featured image: “Businessman in suit puts his head down on his laptop computer ” from Shutterstock.