How to Handle Heartbleed

I was out of the office last week when the Heartbleed bug burst into the news so, while I’m a little slow getting information posted about it, things seemed to have resolved themselves and I now feel comfortable providing our members with some information and recommendations about how to deal with it.

What is Heartbleed?

Many websites allow users to log in to complete tasks such as viewing and sending web-based email, purchasing goods, viewing bank balances, transferring funds, paying bills, doing legal research, or interacting with client information such as calendar items, to-dos or client documents stored in the cloud. In order to keep your information confidential, the websites encrypt it before it’s transferred over the internet, using what’s called a private key. Many of these interactive websites use an open source program called OpenSSL to handle the encryption. Heartbleed is a flaw in that program that allows an intruder to find the private key and use it to decrypt and read the data being transmitted, including usernames, passwords, the contents of email and financial data.

A real-world analogy would be that you hid a key to your house in the potted plant next to the front door, but you left it so exposed that anyone coming up on the porch and looking into the plant could see it, take it, and gain access to your house if they wanted to. And, as in this real-world example, you’d never know that someone had used the key to come into your house unless you caught them inside.

There is no way to be sure at this point whether someone has or has not intercepted your data transmissions while you interacted with a site that uses the software with the flaw.

Does Heartbleed affect me?

If you use interactive websites that allow you to log on to engage in secure transactions, it’s likely that at least some of those websites used the software with the flaw. In addition, some other devices, such as internet routers and telephones that use VoIP (voice over internet protocol) rather than the phone company’s copper wires, may also be affected.

The Alabama State Bar’s site uses an older version of OpenSSL, which did not contain the flaw.  Thus, none of our users were affected when logging in to our site.

Major sites that were affected include Google and Gmail, Yahoo and Yahoo Mail, Dropbox, Box, Instagram, Pinterest, Tumblr, Etsy, Flickr, Minecraft, Netflix, SoundCloud and YouTube. It appears that Facebook and Pandora may also have been affected. Although Amazon’s sales website was not affected, Amazon Web Services was, meaning that any website operator who uses this hosting service to provide its website has vulnerable users, too. The major banking sites don’t appear to have been affected, but USAA’s site was.  You can find a list of possibly affected sites here. To determine whether other websites that you log into are affected, try the Heartbleed Checker provided by LastPass.

What should I do now to protect myself?

Because Heartbleed is not a virus that infects your computer but a flaw in the software used to operate a website that you interact with over the internet, you will need to change your password for every affected website. First, though, make sure that the operator of the website has fixed the flaw in its version of OpenSSL, renewed the security keys and issued a new SSL certificate. As long as the website still relies on an unpatched version of OpenSSL for encryption or hasn’t renewed the security certificate after patching, the data you are transmitting remains vulnerable and changing your password won’t help. In fact, doing so will expose both the current and the new password.

The LastPass checker linked to above should give you both an assessment of whether the site was affected and the date the most recent security certificate was issued. If it doesn’t, IT World writer Melanie Pinola has a good article on when to change your passwords and has also posted a spreadsheet listing all the sites she has checked, the date she checked them and her recommendation of whether it’s time to change passwords.

If you use the Google Chrome browser, there is an extension called Chromebleed which, once installed, will alert you if you navigate to a site that is affected and has not been patched. However, this can give you a false negative because it won’t tell you whether the security certificate has been reissued.
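The order of checks described in this section, as an added example (not code from the original post or from any of the tools it names). It assumes the 7 April 2014 public disclosure date, certificate data in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and hypothetical function names and return strings; the sample certificates are constructed.

```python
import ssl
from datetime import datetime, timezone

# Assumption: public disclosure date of Heartbleed (not stated in the post).
DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_issued(cert):
    """notBefore of a certificate as an aware UTC datetime.

    `cert` is a dict in the shape returned by ssl.SSLSocket.getpeercert().
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def password_advice(was_affected, is_patched, cert):
    """Apply the post's ordering: patch first, new certificate second,
    password change last. Names and return strings are hypothetical."""
    if not was_affected:
        return "no action needed"
    if not is_patched:
        # Logging in now would expose both the old and the new password.
        return "wait: site not patched"
    if cert_issued(cert) < DISCLOSED:
        # The case a patch-only checker misses: fixed software, old certificate.
        return "wait: certificate not reissued"
    # A recent notBefore shows a new certificate was issued; it does not by
    # itself prove the site also generated a new private key.
    return "change password now"


# Constructed sample certificates (only the field used here).
OLD_CERT = {"notBefore": "Mar  1 00:00:00 2014 GMT"}
NEW_CERT = {"notBefore": "Apr 10 12:00:00 2014 GMT"}

if __name__ == "__main__":
    for affected, patched, cert in [
        (False, True, OLD_CERT),
        (True, False, OLD_CERT),
        (True, True, OLD_CERT),
        (True, True, NEW_CERT),
    ]:
        print(affected, patched, cert["notBefore"], "->",
              password_advice(affected, patched, cert))
```

The third case is the false negative mentioned above: the software is patched, but the certificate still predates the disclosure.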

Casemaker Now Has Legal Forms

Casemaker, the Alabama State Bar’s free legal research service, is once again offering discounted forms, via U.S. Legal Forms, from within the Casemaker website.

To take advantage of the forms and the 10% discount available if you purchase through Casemaker, just log into Casemaker through the bar’s website, and then select the Legal Forms link, which is the bottom link under the My Account information. The Forms Directory page lists frequently used types of forms at the top of the page and also allows searching by keyword and state. Individual forms and subject matter packages are available.

As with any commercially available legal forms, no representations are made concerning the correctness, accuracy, or compliance with current law of any of the forms included. These forms are intended to provide a stylistic beginning point for drafting, are not offered as legal advice, and should not be taken as such.

5 Steps to Easy(ier) Legal Accounting

The Legal Technology Resource Center, a part of the ABA Law Practice Division, is now facilitating free webinars to help lawyers with practice management issues, and the next one, 5 Steps to Easy(ier) Legal Accounting, is Tuesday, April 8th, from 1:00 to 1:30 p.m. (CDT).

Sponsored by Clio, the cloud-based practice management system which is an Alabama State Bar Member benefit, this session will cover the basics of accounting, how legal accounting differs from accounting for other businesses, and how to select and integrate the best accounting tools for your practice.

You don’t have to be an ABA or Law Practice Division member to take advantage of this short, non-CLE credit program which may help you move forward with improvements to legal accounting in your practice or firm. Sign up now.

Check Out PacerPro – It’s Free!

Lawyers who practice in the federal court system have long grumbled that the PACER system is clunky and hard to use. One lawyer, Gavin McGrane, was so disgruntled that he decided to invent a better mousetrap and, thus, in 2012 PacerPro, a $25 per month service that provided a more workable web interface for the PACER system, was born.

Beginning in January of this year, PacerPro became a free service and, since no one should look a gift-horse in the mouth, if you practice in federal court you may want to check it out. According to the FAQ on the site, it costs nothing to register to use PacerPro’s basic services, which include simultaneous searches across multiple district courts in real time, one-click downloads, bookmarking of cases and more; however, you do have to have a PACER account and regular PACER charges apply.

Free PacerPro basic service is likely designed to get you hooked on additional paid services in the future but if it’s half as good as it sounds like it is, it’s probably worth a try.

Hat tip to former ASB President Alyce Spruell for suggesting this post.

Is it Time for Office 365?

If you’re like me, you can only absorb and assimilate so much change at one time. I think that’s one reason lawyers often stick with old – or even completely outdated – software. Even more than we dislike the “unnecessary” expense of the upgrade we hate the disruption having to learn something new causes in our already over-full days. But if your firm is still using an older version of Microsoft Office (and by older I mean 2007 or its predecessors) it really is time you thought about upgrading.  While the number of Office permutations available has made deciding how to proceed a little daunting, the flexibility those options offer – especially to solos and small firms – makes it worth your while to sort out the options.

Catherine Sanders Reach of the Chicago Bar Association has written an excellent article entitled Office 365: Big-Firm Function, Small Firm Budget that sorts out what’s available and what it costs, and will help you decide what combination of downloaded software and cloud-based services is right for you.  The article also covers Hosted Exchange options that will allow small firms to reap the benefits while avoiding the expense of hosting their own Exchange Server, and it even points out potential problems, such as the need to keep your Office and Adobe Acrobat versions in line in order to avoid interoperability issues.

If you’re considering an upgrade, Catherine’s article as well as this How-To Geek comparison of Office 365 and Office 2013 will help you see your way forward.

Does “The Cloud” Raise Storm Warnings at Your Firm?

Ever since Formal Opinion 2010-02 cleared the way for Alabama Lawyers to utilize cloud-based services in the practice of law, I’ve received more and more calls from lawyers who are interested in the benefits and advantages of internet-based practice management and other systems but are still afraid to allow confidential firm information to reside on computers that are not under their direct control.  The opinion requires that lawyers using such services do due diligence before signing up, but it’s not long on what that entails.   Fortunately, there are some resources that will help lawyers feel a little more confident in assessing cloud-based services.

The March/April issue of Law Practice hit my desk today, with a great short article by Sharon Nelson and John Simek on How to Select a Law Firm Cloud Provider.  And, because it’s the ABA TECHSHOW issue, it’s got some other great technology-themed feature articles including Social Media 2.0: Key Drivers of Social Media and How to Use them in Your Office; I Submit My iPad as Exhibit A: Using iPads in Court; and More than a Locked Door: Tips for Securing Your Law Practice.

If you’ve been thinking it’s time to move the technology you’re using in practice to the next level, be sure to check out these and the other great articles in this issue while it remains posted online for all to freely enjoy and benefit from.

Get Paid Quickly! LawPay Offers Special Incentive

Despite the need to carefully manage cash flow, some lawyers are still making it hard for their clients to pay them. They do this by failing to accept debit and credit cards. However, for most individuals and smaller businesses, paying by credit card is a preferred method – they get up to another 30 days interest-free from the credit card company along with travel points, cash back or other benefits. Accepting credit cards is also advantageous to the law firm because it directs the client to a lender who is more skilled in assessing credit risk than you are, and puts the risk of non-payment on that lender. For those who are moving into the virtual practice of law, taking credit card payments is practically required.

LawPay is the Alabama State Bar’s approved provider for credit card merchant services and through March 14th they are offering a special incentive for ASB members who join. The contract is month to month, and they’ll even waive the $150 virtual terminal fee and the first three months of program fees. Participating law firms save 20-25% off standard credit and debit card fees. If you are already accepting credit and debit cards, you should compare your current processor with the ASB member benefit.

Call 866-276-0950 or visit the LawPay/Alabar by March 14th to take advantage of this offer.

