How to Handle Heartbleed

I was out of the office last week when the Heartbleed bug burst into the news so, while I’m a little slow getting information posted about it, things seemed to have resolved themselves and I now feel comfortable providing our members with some information and recommendations about how to deal with it.

What is Heartbleed?

Many websites allow users to log in to complete tasks such as viewing and sending web-based email, purchasing goods, viewing bank balances, transferring funds, paying bills, doing legal research, or interacting with client information such as calendar items, to-dos or client documents stored in the cloud. In order to keep your information confidential, the websites encrypt it before it’s transferred over the internet, using what’s called a private key. Many of these interactive websites use an open source program called OpenSSL to handle the encryption, and Heartbleed is a flaw in that program which allows an intruder to retrieve the private key and use it to decrypt and read the data being transmitted, including usernames, passwords, the contents of email and financial data.

A real world analogy would be that you hid a key to your house in the potted plant next to the front door, but you left it so exposed that anyone coming up on the porch and looking into the plant could see it, take it, and gain access to your house if they wanted to. And like in this real world example, you’d never know that someone had used the key to come into your house unless you caught them inside.

There is no way to be sure at this point whether someone has or has not intercepted your data transmissions while you interacted with a site that uses the software with the flaw.

Does Heartbleed affect me?

If you use interactive websites that allow you to log on to engage in secure transactions, it’s likely that at least some of those websites used the software with the flaw. In addition, some other devices such as internet routers and telephones that use VoIP (voice over internet protocol) rather than the phone company’s copper wires, may also be affected.

The Alabama State Bar’s site uses an older version of OpenSSL, which did not contain the flaw. Thus, none of our users were affected when logging in to our site.

Major sites that were affected include Google and Gmail, Yahoo and Yahoo Mail, Dropbox, Box, Instagram, Pinterest, Tumblr, Etsy, Flickr, Minecraft, Netflix, SoundCloud and YouTube. It appears that Facebook and Pandora may also have been affected. Although Amazon’s sales website was not affected, Amazon Web Services was, meaning that any website operator who uses this hosting service to provide its website has vulnerable users, too. The major banking sites don’t appear to have been affected, but USAA’s site was. You can find a list of possibly affected sites here. To determine whether other websites that you log into are affected, try the Heartbleed Checker provided by LastPass.

What should I do now to protect myself?

Because Heartbleed is not a virus that infects your computer but a flaw in the software used to operate a website that you interact with over the internet, you will need to change your password for every affected website. But you should first make sure that the operator of the website has fixed the flaw in their version of OpenSSL, renewed the security keys and issued a new SSL certificate. As long as the website still relies on an unpatched version of OpenSSL for encryption, or hasn’t renewed the security certificate after patching, the data you are transmitting remains vulnerable and changing your password won’t help. In fact, doing so will expose both your current and your new password.

The LastPass checker linked to above should give you both an assessment of whether the site was affected and the date the most recent security certificate was issued. If it doesn’t, IT World writer Melanie Pinola has a good article on when to change your passwords and has also posted a spreadsheet listing all the sites she has checked, the date she checked them and her recommendation of whether it’s time to change passwords.
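The certificate-date check described above, as an added example that is not from the original post: it uses Python’s standard library to read a site’s TLS certificate and compares its notBefore date with the Heartbleed disclosure date (7 April 2014). The host name and certificate values in the block are constructed samples.

```python
"""Decide whether a site's TLS certificate was issued after Heartbleed was disclosed."""
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) was publicly disclosed on 7 April 2014.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """Return the notBefore field of a getpeercert()-style dict as an aware datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_heartbleed(cert, disclosure=HEARTBLEED_DISCLOSURE):
    """True if the certificate's validity period started after the disclosure date."""
    return cert_not_before(cert) > disclosure


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Connect to hostname:port and return the validated leaf certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def assess(cert):
    """Map a certificate dict to the advice given in the post."""
    if reissued_after_heartbleed(cert):
        return "certificate reissued after disclosure: safe to change password"
    return "certificate predates disclosure: wait for the site to reissue before changing password"


# Constructed sample certificates (example.invalid is not a real site),
# in the shape that SSLSocket.getpeercert() returns.
OLD_CERT = {"subject": ((("commonName", "example.invalid"),),),
            "notBefore": "Mar 10 00:00:00 2014 GMT",
            "notAfter": "Mar 10 23:59:59 2016 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.invalid"),),),
            "notBefore": "Apr  9 12:30:00 2014 GMT",
            "notAfter": "Apr  9 12:30:00 2016 GMT"}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(assess(fetch_peer_cert(sys.argv[1])))  # live check of a host you name
    else:
        for c in (OLD_CERT, NEW_CERT):
            print(c["notBefore"], "->", assess(c))
```

A fresh issue date is necessary but not sufficient: a certificate can be reissued with the same key pair, so a thorough check also confirms that the public key changed.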

If you use the Google Chrome browser, there is an extension called Chromebleed which, once installed, will alert you if you navigate to a site that is affected and has not been patched, but this can give you a false negative because it won’t tell you whether the security certificate has been reissued.

5 Steps to Easy(ier) Legal Accounting

The Legal Technology Resource Center, a part of the ABA Law Practice Division, is now facilitating free webinars to help lawyers with practice management issues, and the next one, 5 Steps to Easy(ier) Legal Accounting is Tuesday, April 8th, from 1:00 to 1:30 p.m. (CDT).

Sponsored by Clio, the cloud-based practice management system which is an Alabama State Bar Member benefit, this session will cover the basics of accounting, how legal accounting differs from accounting for other businesses, and how to select and integrate the best accounting tools for your practice.

You don’t have to be an ABA or Law Practice Division member to take advantage of this short, non-CLE credit program which may help you move forward with improvements to legal accounting in your practice or firm. Sign up now.

Check Out PacerPro – It’s Free!

Lawyers who practice in the federal court system have long grumbled that the PACER system is clunky and hard to use. One lawyer, Gavin McGrane, was so disgruntled that he decided to invent a better mousetrap and, thus, in 2012 PacerPro, a $25 per month service that provided a more workable web interface for the PACER system, was born.

Beginning in January of this year, PacerPro became a free service and, since no one should look a gift horse in the mouth, if you practice in federal court you may want to check it out. According to the FAQ on the site, it costs nothing to register to use PacerPro’s basic services, which include simultaneous searches across multiple district courts in real time, one-click downloads, bookmarking of cases and more; however, you do have to have a PACER account and regular PACER charges apply.

Free PacerPro basic service is likely designed to get you hooked on additional paid services in the future but if it’s half as good as it sounds like it is, it’s probably worth a try.

Hat tip to former ASB President Alyce Spruell for suggesting this post.

Is it Time for Office 365?

If you’re like me, you can only absorb and assimilate so much change at one time. I think that’s one reason lawyers often stick with old – or even completely outdated – software. Even more than we dislike the “unnecessary” expense of the upgrade, we hate the disruption that having to learn something new causes in our already over-full days. But if your firm is still using an older version of Microsoft Office (and by older I mean 2007 or its predecessors) it really is time you thought about upgrading. While the number of Office permutations available has made deciding how to proceed a little daunting, the flexibility those options offer – especially to solos and small firms – makes it worth your while to sort out the options.

Catherine Sanders Reach of the Chicago Bar Association has written an excellent article entitled Office 365: Big-Firm Function, Small Firm Budget that sorts out what’s available and what it costs, and will help you decide what combination of downloaded software and cloud-based services is right for you. The article also covers Hosted Exchange options that will allow small firms to reap the benefits while avoiding the expense of hosting their own Exchange Server, and it even points out potential problems, such as the need to keep your Office and Adobe Acrobat versions in line in order to avoid interoperability issues.

If you’re considering an upgrade, Catherine’s article as well as this How to Geek comparison of Office 365 and Office 2013 will help you see your way forward.

Does “The Cloud” Raise Storm Warnings at Your Firm?

Ever since Formal Opinion 2010-02 cleared the way for Alabama lawyers to utilize cloud-based services in the practice of law, I’ve received more and more calls from lawyers who are interested in the benefits and advantages of internet-based practice management and other systems but are still afraid to allow confidential firm information to reside on computers that are not under their direct control. The opinion requires that lawyers using such services do due diligence before signing up, but it’s not long on what that entails. Fortunately, there are some resources that will help lawyers feel a little more confident in assessing cloud-based services.

The March/April issue of Law Practice hit my desk today, with a great short article by Sharon Nelson and John Simek on How to Select a Law Firm Cloud Provider. And, because it’s the ABA TECHSHOW issue, it’s got some other great technology-themed feature articles including Social Media 2.0: Key Drivers of Social Media and How to Use Them in Your Office; I Submit My iPad as Exhibit A: Using iPads in Court; and More than a Locked Door: Tips for Securing Your Law Practice.

If you’ve been thinking it’s time to move the technology you’re using in practice to the next level, be sure to check these and the other great articles in this issue out while it remains posted online for all to freely enjoy, and benefit from.

Is The Government Spying on Your Law Firm?

Ever since Edward Snowden began his revelations about the domestic spying activities of the National Security Administration, lawyers have had to wonder whether their emails and phone calls have been subject to the agency’s scrutiny. The verdict is now in, and the result is guilty as charged, as is more fully set out in a story published in the New York Times edition of February 15th.

Legal computer forensics and security expert Sharon Nelson, blogging at Ride the Lightning, has a fantastic post on what this incident was really about, the implications for attorneys, and our ability to maintain client confidentiality in an internet-connected world going forward.

A New Year and New Ideas

The January/February issue of Law Practice just rolled off the e-presses and, as the topic is Management, it’s chock full of good ideas that you can put to work to take your practice to new levels in 2014.

The magazine includes six feature articles that are right on point for the issues that attorneys are facing as changes in the economy and technology continue to squeeze the profit margins of law firms, small and large. Of particular interest are The Changing Role of Legal Support Staff and Flying Solo: How Technology Has Leveled the Playing Field. You’ll also find my Simple Steps column on Budgeting: It’s Not as Hard As It Looks, a Product Watch review of ITimeKeep, the Coolest Timekeeping Tool Yet, and a really interesting piece on What NSA Surveillance Means to Law Firms.

Law Practice is a benefit of membership in the ABA Law Practice Division, but its most recent issue is available to non-members as well. Check it out while you can.

The XP Countdown Continues…

As I wrote back in October, all lawyers and law firms should be taking steps to move away from Windows XP before Microsoft officially ends support on April 8, 2014, but some may be running software that won’t run on another operating system and that they can’t upgrade or move away from. If that’s the case for you, Windows Secrets has a great article with suggestions for ensuring that any remaining XP machines are as secure as possible if you do have to continue to run XP on April 9th and beyond.

Holiday Gift Guide for Lawyers

If you’re looking for a great Christmas gift for that lawyer in your life or, even more importantly, looking for things you can drop hints about to help your significant other more fully experience the joy of giving – to you! – then you need to check out Reid Trautz‘s ninth annual Reid My Blog Holiday Gift Guide for Lawyers.

As he does every year, Reid has come up with interesting, innovative or just crazy gifts that will delight any lawyer. Be sure to check it out before you finish your shopping this year. You’ll also find interesting practice management, ethics and technology information for lawyers there.

Say Bye-Bye to Windows XP

Unfortunately, when it comes to Windows XP, the party’s over. Microsoft will officially end support for XP Service Pack 3 and Office 2003 on April 8, 2014.

This operating system has been around for more than 10 years and it has been extremely stable, allowing law firms and other businesses to work without having to spend much time worrying about computer problems – at least not problems caused by the operating system. But once Microsoft stops supporting and upgrading XP, all of the other software providers who have created programs that run on it will likely stop supporting them, too.

While there is some disagreement among computer security experts about whether we are likely to see the arrival of many new viruses and other zero-day security exploits that hackers have been holding in reserve until after security updates for XP run out, there’s no argument at all that an unsupported operating system is a lot more vulnerable to security breaches. And if you are considered a “business associate” under HIPAA, you will no longer be considered compliant with HIPAA and HITECH once XP is no longer being supported.

So, if you haven’t yet thought about transitioning away from older computers with Windows XP, here is an interesting article with ideas to get you started.
