16/3/2023
Privacy + CyberSecurity Law
Your Privacy Rights are Our #1 Priority
Privacy by Design ➲ Our "Advertising Free" Approach
Proactive Measures We Have Taken to Protect Your Privacy
The Urgent Need to Step up CyberSecurity
Clarence Ling's LinkedIn Post is "On Point"
Notable Law Firm Data Breaches
Have you Questioned your Law Firm about its Privacy + Cybersecurity Measures?
Why do Blue Ocean Law Group use a *.law Website Domain?
DMARC Protected Website Domain
Digital Signatures + End-to-End Encryption
Why we use Security Keys to Lockdown Online Account Access?
Website ➲ https://... v. http://...
Explaining EFAIL and Why it isn't the end of Email Privacy ...
Optional ➲ Trustifi (1-Click to Decrypt) Email Encryption
Optional ➲ Secure Your Documents + Trade Secrets using Authentic8 / Genuine
Optional ➲ TraxPrint GPS Protected PDF Document Security
FREE Client Cybersecurity Alert Letter
FREE Digital Asset Safe Custody Vault for our Subscribers
FREE Equifax Identity Protection + Identity Guard Insurance for our Subscribers
Blue Ocean Law Group has opted (as far as is practical within local privacy regimes) to provide ALL our Clients with the same high level of privacy rights + protection as our Clients residing in California or the EU are legally entitled to claim.
Both California and the EU are global leaders in legislating to protect the privacy of their residents.
We value our client's privacy and foresee that Australia may eventually move towards catching up with California and the EU.
As we already comply with both California and EU privacy laws, we have simply extended a higher level of privacy protection to all our clients regardless of where they reside.
Please read our Privacy Policy (it can also be downloaded in PDF format here) for more information.
Our Privacy Policy, Cookie Policies and website Terms & Conditions are available in 3 other languages (Spanish, French and Italian) which can be found by scrolling to the bottom of this or any other blueocean.law webpage to the LEGAL section of our website footer at any time.
Blue Ocean Law Group takes an "Advertising Free" approach and DOES NOT SELL OR SHARE our users’ personal information in the traditional sense (i.e., in exchange for payment or for any other valuable consideration).
Wherever possible, Blue Ocean Law Group have taken proactive measures to protect your privacy.
For example, we have configured our Google Analytics setup on our website so that your IP Address is anonymized. This means that your anonymized IP Address cannot be used to link to you and consequently you can browse our website anonymously.
The above article by DAN GOODIN is from July 2022.
My guess is that over the past circa 2 years the spyware technology discussed has improved further, and at the same time, we can safely conclude that virtually no one (including the vast majority of the members of the legal profession globally) has proceeded to spend the few minutes required to turn on Apple's Lockdown Mode on all their devices (assuming they can do so).
Indeed, the anecdotal evidence from Gordon Muehl's April 9, 2024 article about the SecIT security conference held in March 2024 is that Gordon Muehl was the only one of the 2,272 cybersecurity experts attending that conference who had enabled Lockdown Mode!
Therefore, it would not be at all surprising if your current lawyer has never heard about or has not yet enabled Apple's Lockdown Mode, or can't enable it because they do not currently use Apple devices.
The following has been extracted from the introduction to DAN GOODIN's above article:
"Mercenary spyware is one of the hardest threats to combat. It targets an infinitesimally small percentage of the world, making it statistically unlikely for most of us to ever see it.
And yet, because the sophisticated malware only selects the most influential individuals (think diplomats, political dissidents, and lawyers), it has a devastating effect that’s far out of proportion to the small number of people infected.
This puts device and software makers in a bind. How do you build something to protect what’s likely well below 1 percent of your user base against malware built by companies like NSO Group, maker of clickless exploits that instantly convert fully updated iOS and Android devices into sophisticated bugging devices?"
....
"But the move is big because of its simplicity and concreteness. No security snake oil here. If you want better security, learn to do without the services that pose the biggest threat. John Scott-Railton, a Citizen Lab researcher who knows a thing or two about counseling victims of NSO spyware, said Lockdown mode provides one of the first effective courses for vulnerable individuals to follow short of turning off their devices altogether."
Increasingly businesses (especially law firms) need to step up their security to help you protect your privacy + trade secrets.
We are often surprised by what we discover in the public domain about how few other law firms appear to have taken very inexpensive and basic steps to reduce the risk that their law firm email might be used as a way "in" for a hacker or a way to phish information from their clients if a hacker uses their email to impersonate the law firm.
By way of example, as at the date this blog article was originally published, we have not been able to find a single law firm anywhere globally (other than ourselves) that has DMARC Email Authentication set up in accordance with a CyberSecurity company's recommendations.
Please refer to the discussion below and type in your current law firm's domain name to check whether they have taken proactive steps to eliminate this risk.
If they have not set up DMARC protection, then please consider what else they may not have done.
If they have set up DMARC protection, please let us know so that we can give them credit in this blog article.
I have extracted part of Clarence Ling's LinkedIn post below as I can't say this any better than he already has:
"You’ve seen what happened to Optus. Then you’ve seen Woolworths. Your cybersecurity isn’t good enough. I’ll say it again for the people at the back, your cybersecurity is not good enough.
Until you can look at the list below and know for sure that every step is covered, you will have really obvious vulnerabilities.
But a breach like that simply won’t happen to you, right?
If you’re lucky, sure, but there will always be malicious actors and a severe breach will be VERY costly.
In some cases, you would be lucky to see your business survive.
Think of the implications for your staff. Think of what it means for your family. So without further ado, here are our top cybersecurity tactics ...
... Email security: SPF, DMARC and DKIM are features that authenticate the emails sent by your domain. Malicious actors sometimes impersonate staff to gain an “in” to your networks."
This is a link that includes a summary of the most notable Law Firm Cyber Attacks as of November 2022.
The list runs from the 2016 Mossack Fonseca Panama Papers leak (more than 11 million documents, one of the biggest data breaches in history, believed to have been an inside hack), through the 2017 ransomware attack on the global law firm DLA Piper (where the people and companies affected are unknown), right through to the Campbell Conroy & O’Neil P.C. data breach on February 27, 2021.
The list continued to grow in April 2022 with the midsized law firms McCarter & English and Stevens & Lee, and we expect it will continue to grow in 2023.
The following is an extract from the Above The Law article about the April 2022 breaches:
'Unfortunately, even those who budget for technology don’t separately budget for cybersecurity defenses.'
'While law firms are waking up to the need for multifactor authentication, they are waking up slowly – and still battling the “it’s too annoying” bleating from lawyers who should be more concerned about their ethical duties of technology competence and securing client confidential data. Cry all you want, but your cyber insurance carrier will most likely force you to implement MFA or impose huge premium increases or deny coverage.
Stevens and Lee’s data breach consumer notification letter, dated April 7, 2022 (only recently made public) was online ...' (Comment added: but it appears to have now been removed).
On 16 March 2023 I received a notification about the article "IPH facing cyber breach" being published in Lawyers Weekly:
ASX-listed Law Firm IPH Limited is the latest company to suffer a cyber security breach – and halted trading earlier this week as a result.
The following comments have been extracted from the article published in the Guardian 'HWL Ebsworth hack: sensitive information from dozens of government agencies may be compromised' by Josh Taylor dated 26 June 2023.
'Hundreds of law firm’s clients, including dozens of government agencies, waiting on confirmation of whether they are affected by data leaked in cyberattack.'
The Russian-linked ALPHV/Blackcat ransomware group hacked the law firm in April 2023. Earlier this month [June 2023], the group published 1.1TB of the data it claimed to have stolen, later established to be 3.6TB worth of data.
An analysis of more than 1,000 contracts with HWL Ebsworth published on AusTender over the past decade revealed that at least 60 departments or government agencies have used HWL Ebsworth’s services including the Defence Department, Home Affairs, the Australian federal police, Prime Minister and Cabinet, Services Australia and the Fair Work Ombudsman.
Many of the contracts are for the provision of legal services or advice but some detail much more sensitive work, including cases with the government insurance fund, Comcover, legal advice on monitoring the use of human embryos in research, and investigation into complaints of breaches of the public sector code of conduct at the Department of Veteran Affairs.
Prof Monica Whitty, head of department of software systems and cybersecurity at Monash University, said the hack should cause business and government to consider the cybersecurity risk of their suppliers closely.
'I think part of the problem is that a lot of organisations will use third parties in some way or another, but the consideration of their secure systems often doesn’t come into play,' she said. 'So they may be keeping their own systems secure and thinking that’s enough. But when you’ve got third parties, you’ve actually got to think about and maybe ask the questions regarding their own cybersecurity practices.'
On July 22, 2023 I read about this latest cybersecurity breach to hit some of the biggest law firms in the US legal profession in an article in the NY Post by Isabel Vincent.
Increasingly, cybersecurity vulnerabilities are being discovered via the supply chain.
In this case, it appears that software used to transfer files called MOVEit is the source of the massive data leak affecting the personal data of thousands of clients of Kirkland & Ellis, K&L Gates and Proskauer Rose, along with 50 other multinational corporations.
In light of continuing data breaches of law firms of all sizes, firms need to ratchet up their cybersecurity. Because the threats (and defenses) are always in flux, it is really imperative to have a security assessment at LEAST annually and then immediately remediate any critical vulnerabilities that are found.
If you think it is easy to convince law firms that these regular assessments are imperative, let us assure you that it is not!
Further reading: Data Breaches That Have Happened in 2022 and 2023 So Far by Aaron Drapkin [last updated on April 11, 2023]
Biglaw Firms Fall Prey To Cyberattacks, With Data Breaches On The Rise: The best defense to a cybersecurity incident is a good offense. Which law firms have been caught off guard? By STACI ZARETSKY [23 May, 2024].
Law Firm Data Breach Reports Show No Signs of Slowing in 2024 [American Lawyer].
As a starting point, do you know whether your data (including emails) is encrypted by your current law firm?
If your data is encrypted, especially using strong military-grade encryption, then if there is a data breach there is a much lower probability you or your business will be harmed as a result.
Blue Ocean Law Group have implemented additional Privacy + Cybersecurity capabilities (outlined below) that we understand are at least industry-leading and at best world-firsts.
We welcome you to contact us to discuss this further so that you can obtain a deeper understanding of what we can do to help you protect your privacy and trade secrets.
We recommend you start by using this free Domain Health Checker to instantly determine whether the website domain of your Law Firm, or of any Law Firm you are considering engaging to provide legal +/or consulting services (as well as your own), fully utilises the widely known and available Email Authentication Protocols that protect you against attack or abuse by Phishers + Spammers.
Open this link and type in any Law Firm's Website Domain Name (as well as your own) and become better informed regarding decisions about who you trust with the protection of your privacy and trade secrets.
From Blue Ocean Law Group's inception, we have been actively working to source + implement leading privacy protection + cybersecurity measures to proactively protect both your Privacy Rights as well as our Business Reputation.
Here is the result showing that our web domain blueocean.law is protected!
Blue Ocean Law Group first raised lack of DMARC email authentication in the blog article Phishing Scams that lead to Data Breaches + Identity Theft ➲ Business Brand + Personal Protection dated 31 October 2022. As far as we are aware not one other law firm has yet taken any action to eliminate this cybersecurity threat.
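For readers who want to see what a "Domain Health Checker" actually evaluates, the following is an added example (not code from this page, the checker linked above, or Blue Ocean Law Group): it parses the SPF and DMARC TXT records a checker would fetch from DNS and grades the domain. The record strings and domain names are constructed samples, not real DNS data; the grading thresholds are the author's assumptions about what "protected" should mean (SPF ending in -all, DMARC p=reject at pct=100).

```python
# Added example: parse and grade the SPF and DMARC records behind a
# "domain health" check. Sample records below are constructed, not real.

def parse_spf(txt):
    """Return (mechanisms, all_qualifier) for an SPF record, or None if not SPF.
    The qualifier of the trailing 'all' term decides what happens to senders
    that match nothing else: '-' fail, '~' softfail, '?' neutral, '+' pass."""
    if not txt.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qual = [], None
    for term in txt.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            all_qual = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return mechanisms, all_qual


def parse_dmarc(txt):
    """Return a dict of DMARC tags (p, sp, pct, rua, adkim, aspf, ...) or None."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489 defaults for optional tags
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags.get("p"))
    return tags


def grade_domain(spf_txt, dmarc_txt):
    """Return (grade, findings): 'protected', 'partial' or 'unprotected'."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("no SPF record: any host may claim to send for this domain")
    else:
        qual = spf[1]
        if qual in (None, "+"):
            findings.append("SPF has no failing 'all' term: SPF permits every sender")
        elif qual == "?":
            findings.append("SPF ends in ?all (neutral): no protection")
        elif qual == "~":
            findings.append("SPF ends in ~all (softfail): forged mail is marked, not rejected")

    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("no DMARC record: receivers will not enforce alignment")
        pct = 0
    else:
        policy = dmarc.get("p", "none")
        pct = int(dmarc["pct"]) if dmarc["pct"].isdigit() else 0
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail is sent to spam, not rejected")
        if pct < 100:
            findings.append(f"DMARC pct={dmarc['pct']}: policy applies to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: nobody receives aggregate reports")

    if spf is None or dmarc is None:
        grade = "unprotected"
    elif dmarc.get("p") == "reject" and pct == 100 and spf[1] == "-":
        grade = "protected"
    else:
        grade = "partial"
    return grade, findings


# Constructed sample records keyed by look-alike domain names (not real domains).
SAMPLE_RECORDS = {
    "well-configured.example": (
        "v=spf1 include:_spf.mailprovider.example -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@well-configured.example; adkim=s; aspf=s",
    ),
    "monitoring-only.example": (
        "v=spf1 include:_spf.mailprovider.example ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@monitoring-only.example",
    ),
    "no-records.example": (None, None),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLE_RECORDS.items():
        grade, findings = grade_domain(spf_txt, dmarc_txt)
        print(f"{domain}: {grade}")
        for finding in findings:
            print("  -", finding)
```

In a live check the two strings would come from DNS TXT lookups: the SPF record at the domain itself and the DMARC record at the `_dmarc.` subdomain (for example `_dmarc.blueocean.law`). The grading deliberately treats `p=none` as "partial" because that setting only asks receivers to report spoofing, not to stop it.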
Blue Ocean Law Group provide end-to-end encryption of your personal information by default.
Our software vendors have been carefully selected and vetted to ensure that your personal information remains end-to-end encrypted at all times.
This means that your data is encrypted, both in-transit and at rest.
The authentication required to gain access to your personal information is locked down tight (refer below) using FIDO2 USB Security Keys (wherever possible), and where this is not possible by two-factor authentication.
When we send emails, we include an S/MIME Digital Certificate (refer below) so that recipients know the email has been sent directly from our law firm.
Given how easy Security Keys are to implement for Online Account Access, it is difficult to understand why they have not yet become standard practice for everyone, yes that includes you!
"Google's investment in giving USB security keys to all employees has been paying off. The employees haven't reported any takeovers of work-related accounts since 2017, when the new policy was introduced."
Our online searches indicate that Google has continued to maintain this secure position (zero hacks of Google work-related accounts using Security Keys) until the current day [being 27 April, 2023].
Further reading: To Stop Phishing, Google Gave Security Keys to All Employees by Michael Kan [PC Mag article dated July 23, 2018]
Google is giving free physical USB security keys to 10,000 users at high risk of being hacked - such as politicians and human rights activists.
Further reading: Google gives security keys to 10,000 high-risk users [BBC.com article dated October 11, 2021]
Like locking your car, house or office many people are simply unaware that they can easily add a Security Key to prevent unauthorised access to their Online Accounts.
Even if a hacker obtains your password and the means to use it (for example, by impersonating you using a sophisticated identity theft technique that lets them take control of your SIM card, or by gaining access to your MFA codes after stumbling across your backup recovery codes on your network), without physical possession of your Security Key they would still have no hope of hacking your Online Accounts.
"Strongest Security: Setting up physical two-factor authentication, aka a Security Key, creates a single unique access point that can’t be duplicated. In order for you or anyone else to access your connected accounts, you’ll need your password as well as the physical key—something even the best hacker can’t work around."
Organisations that have adopted Security Keys as standard practice have seen their cybersecurity incidents quickly reduce to zero and stay there.
"Security keys are so good they’ll even prevent you from entering your information on a spoofed website, so even if a hacker manages to fool you, they won’t fool your security key. This bit of hardware acts as your digital bodyguard, keeping unwanted users away from your information."
Further reading: What is a USB Security Key, and Should You Use One? by Suzanne Humpries [article dated December 8, 2020].
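The reason a security key "won't be fooled" by a spoofed website is that FIDO2/WebAuthn binds every login to the site's origin: the browser only lets a key answer for a Relying Party ID that matches the page's domain, and the website then checks that origin and a one-time challenge before accepting the response. The following is an added example written for this article (not code from the page, Google, or any key vendor) of those relying-party checks in Python. The domain names, challenge and message layout are constructed; verifying the key's signature over the authenticator data and client data is assumed to be done by a WebAuthn library and is not shown here.

```python
# Added example: the origin-binding checks a website performs on a FIDO2/WebAuthn
# login response. Signature verification is assumed to happen elsewhere.
import base64
import hashlib
import json
from urllib.parse import urlsplit


def rp_id_valid_for_origin(rp_id, origin):
    """WebAuthn rule (simplified, public-suffix list not consulted): the RP ID must
    equal the origin's host or be a dot-separated suffix of it, and the origin
    must be https. A look-alike domain fails this check."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    rp_id = rp_id.lower()
    return host == rp_id or host.endswith("." + rp_id)


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion_client_data(client_data_b64, authenticator_data,
                                 expected_origin, expected_challenge, rp_id):
    """Return (ok, reason) for the non-cryptographic part of a login check."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin {client_data.get('origin')!r} is not {expected_origin!r}"
    if not rp_id_valid_for_origin(rp_id, client_data["origin"]):
        return False, "RP ID not valid for origin"
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID the browser used.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP bit: the user touched the key
        return False, "user presence flag not set"
    return True, "ok"


# --- constructed sample data standing in for what a browser would send ---------

def make_client_data(origin, challenge, ceremony="webauthn.get"):
    raw = json.dumps({"type": ceremony, "challenge": challenge, "origin": origin}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_authenticator_data(rp_id, flags=0x01, sign_count=1):
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


if __name__ == "__main__":
    rp_id = "lawfirm.example"                    # constructed relying party
    site = "https://portal.lawfirm.example"      # the real login page
    phish = "https://portal.lawfirm.example.evil-site.example"  # look-alike page
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"   # constructed; real ones are random
    auth_data = make_authenticator_data(rp_id)
    print(verify_assertion_client_data(make_client_data(site, challenge), auth_data, site, challenge, rp_id))
    print(verify_assertion_client_data(make_client_data(phish, challenge), auth_data, site, challenge, rp_id))
```

In practice the phishing case never even reaches the website's check: the browser refuses to let the key sign for an RP ID that does not match the page it is on, which is what distinguishes a security key from a one-time code that a user can be talked into typing anywhere.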
🔒 In order to provide a high degree of privacy, SSL encrypts data that is transmitted across the web.
This means that anyone who tries to intercept this data will only see a garbled mix of characters that is nearly impossible to decrypt.
🔒 SSL initiates an authentication process called a handshake between two communicating devices to ensure that both devices are really who they claim to be.
🔒 SSL also digitally signs data in order to provide data integrity, verifying that the data is not tampered with before reaching its intended recipient.
There have been several iterations of SSL, each more secure than the last.
In 1999 SSL was updated to become TLS.
Originally, data on the Web was transmitted in plaintext that anyone could read if they intercepted the message.
For example, if a consumer visited a shopping website, placed an order, and entered their credit card number on the website, that credit card number would travel across the Internet unconcealed.
19 of the 22 leading global Certificate Authorities (CAs), and 4 major consumers (Apple, Mozilla, rundQuadrat, Zertificon), have recently agreed to new baseline verification standards required prior to issuance of S/MIME Digital Certificates (effective from September 2023).
The answer is a resounding “no”, but it’s not exactly something unique to Outlook.
Sure, it’s owned by Microsoft, a huge company that collects customer data and has had a questionable stance on privacy over the years. Although these aren’t points in Microsoft’s favour, the real issue is with the email itself.
Standard email just isn’t secure. Once a message leaves your inbox, there are numerous points at which it can be exposed to attackers. It’s a communication system that is good enough for much of our more mundane daily messages, but it falls tremendously short for those times when secrecy is necessary.
The answer is End-to-End Encryption.
In essence, it means to jumble up all of your messages into a complex code that attackers cannot decipher.
There is a range of different types of email encryption, such as S/MIME, OME, IRM +/or PGP.
For Blue Ocean Law Group to be able to apply S/MIME End to End Encryption to legal matter-related emails being sent to you the following steps are required:
1️⃣ Either you or your organisation need to first acquire and install a S/MIME certificate;
2️⃣ You then need to send Blue Ocean Law Group an email that you have digitally signed and that includes your S/MIME certificate;
3️⃣ We can then save the public key portion of your S/MIME certificate against your contact details;
4️⃣ Blue Ocean Law Group will then be able to send you a S/MIME End-to-End Encrypted email.
Where installation & configuration of a S/MIME certificate is beyond your technical capabilities or your technical support team (if any) refuses your request for any reason we alternatively offer Trustifi (An Award Winning Email Security Platform) which provides End-to-End Email Encryption that does not require the installation or use of digital certificates.
Please refer below for information about using Trustifi as a simpler alternative for End-to-End Encrypted email.
S/MIME, or Secure/Multipurpose Internet Mail Extensions, is a technology first developed in the 1990s that allows you to encrypt your emails.
S/MIME is based on asymmetric cryptography to protect the content of your emails (not the subject line which remains unencrypted) from unwanted access.
It also importantly allows you to Digitally Sign your emails to verify you as the legitimate sender of the email message, making it an effective weapon against many phishing attacks out there.
For more information please read this white paper "S/MIME for Enterprise Email Security".
Email offers convenience and benefits, but also poses some risks.
Hackers are savvy at targeting organizations via email, including intercepting messages to get at sensitive information or email spoofing with the intent of pushing to phishing sites or triggering malicious downloads.
Using S/MIME certificates to digitally sign and encrypt emails mitigates these risks.
Digitally signing and encrypting your emails ensures message privacy, keeps sensitive data from falling into the wrong hands, and assures the recipient that emails actually are coming from you and haven't been altered since they were sent.
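To make the four steps above and the "subject line remains unencrypted" caveat concrete, here is an added example (not code from this page, Blue Ocean Law Group, or any mail vendor) that inspects an email's MIME structure in Python: it recognises an inbound signed message carrying a detached S/MIME signature (the message from step 2 whose certificate is saved in step 3) and shows which headers of an outbound encrypted message every mail relay can still read. The two messages are constructed samples, and the signature and envelope bodies are placeholder bytes rather than real PKCS#7 data; validating the certificate chain and signature is assumed to be done by an S/MIME library and is not part of this example.

```python
# Added example: classify S/MIME messages and list the headers that stay in
# the clear. Sample messages are constructed; signature/envelope bytes are
# placeholders, not real PKCS#7 structures.
import base64
from email import policy
from email.parser import BytesParser

SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
ENVELOPED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def parse_message(raw_bytes):
    return BytesParser(policy=policy.default).parsebytes(raw_bytes)


def classify_smime(msg):
    """Return 'signed', 'encrypted' or 'plain' for a parsed message."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.get_param("protocol") in SIGNATURE_TYPES:
        return "signed"                     # clear-signed: body readable, detached signature
    if ctype in ENVELOPED_TYPES:
        smime_type = msg.get_param("smime-type")
        if smime_type == "enveloped-data":
            return "encrypted"
        if smime_type == "signed-data":
            return "signed"                 # opaque-signed: body wrapped inside the blob
    return "plain"


def signature_part(msg):
    """Return the detached signature bytes of a clear-signed message, else None.
    A mail system would hand these to an S/MIME library to extract and verify
    the sender's certificate before saving its public key against the contact."""
    if not msg.is_multipart() or classify_smime(msg) != "signed":
        return None
    for part in msg.iter_parts():
        if part.get_content_type() in SIGNATURE_TYPES:
            return part.get_payload(decode=True)
    return None


def exposed_headers(msg):
    """Headers that S/MIME leaves readable even when the body is encrypted."""
    return {name: str(msg[name]) for name in ("From", "To", "Subject", "Date") if msg[name]}


# --- constructed samples ---------------------------------------------------------
FAKE_SIGNATURE = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-PKCS7-SIGNATURE"
FAKE_ENVELOPE = b"CONSTRUCTED-PLACEHOLDER-NOT-REAL-ENVELOPED-DATA"

SIGNED_SAMPLE = b"\n".join([
    b"From: client@lawfirm-client.example",
    b"To: mail@lawfirm.example",
    b"Subject: Engagement letter",
    b"Date: Mon, 01 Jan 2024 09:00:00 +0000",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig-boundary"',
    b"",
    b"--sig-boundary",
    b"Content-Type: text/plain; charset=us-ascii",
    b"",
    b"Please find my signed engagement letter.",
    b"--sig-boundary",
    b'Content-Type: application/pkcs7-signature; name="smime.p7s"',
    b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="smime.p7s"',
    b"",
    base64.b64encode(FAKE_SIGNATURE),
    b"--sig-boundary--",
    b"",
])

ENCRYPTED_SAMPLE = b"\n".join([
    b"From: mail@lawfirm.example",
    b"To: client@lawfirm-client.example",
    b"Subject: Your matter update",
    b"Date: Mon, 01 Jan 2024 10:00:00 +0000",
    b"MIME-Version: 1.0",
    b'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"',
    b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="smime.p7m"',
    b"",
    base64.b64encode(FAKE_ENVELOPE),
    b"",
])

if __name__ == "__main__":
    for raw in (SIGNED_SAMPLE, ENCRYPTED_SAMPLE):
        msg = parse_message(raw)
        print(classify_smime(msg), exposed_headers(msg))
```

The second message is the one to look at: its body is opaque, but `From`, `To`, `Subject` and `Date` are still plain text, so a subject line such as "Settlement offer in Smith v Jones" leaks even when S/MIME is in use. Keeping subject lines bland is part of using email encryption well.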
In 2018, a team of researchers published the now infamous paper (dubbed #EFAIL) where they describe how to decrypt a PGP (Pretty Good Privacy) +/or S/MIME encrypted email via a targeted attack.
The paper caused a media frenzy and subsequently, the majority of commentary currently found online about PGP +/or S/MIME encryption has since made a reference to this major flaw which exposes encrypted content to potential exposure to hackers.
The rare expert commentator exceptions have taken a more balanced approach and rightly pointed out that there is no need to panic, PGP +/or S/MIME is not broken, and EFAIL is not the end of email privacy etc.
Efail isn’t an immediate threat for the vast majority of people simply because an attacker must already have access to an encrypted email to use the exploit.
Advising everyone to disable encryption altogether just makes no sense.
Aside from the massive false alarm, Efail is a very interesting exploit to wrap your head around.
The bottom line is that the EFAIL problem lies in how emails are processed by the recipient user's email client (for example, Apple Mail, Microsoft Outlook, Mozilla Thunderbird, etc.).
EFAIL can only be exploited if the recipient's email client allows or is configured to render HTML tags.
It is not a problem in the underlying PGP +/or S/MIME encryption.
To protect yourself against this vulnerability, and a lot of others, disable HTML rendering in your email client.
Many email clients allow for this and/or have settings to disable the loading of remote content.
This might be enough to stop Efail, at least attacks that would use img tags as the backchannel.
If you use PGP and your email client does not support these settings, consider changing to a safer client.
My main advice is to go ahead and disable HTML rendering now, even if you don’t use PGP.
At least that way there will be a lot fewer companies tracking you.
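Where a mail client or gateway cannot simply turn HTML off, the equivalent defence is to strip every remote load out of the HTML before it is rendered, which also removes the tracking pixels mentioned above. The following is an added example (not code from this page, the EFAIL paper, or any mail client) of such a pre-render filter in Python's standard library: it re-emits the HTML with remote `img`, `link`, `iframe`, `script`, media and form targets removed, drops `<style>`/`<script>` elements and inline styles that contain `url(...)`, and records what it removed so that a message full of hidden remote references can be flagged for review. The sample email body is constructed.

```python
# Added example: remove remote-content loads from an HTML email body before
# rendering and report what was removed. Sample HTML is constructed.
import html
import re
from html.parser import HTMLParser

# Attributes, per tag, that can make the client fetch a remote resource.
REMOTE_ATTRS = {
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "script": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),
}
URL_IN_CSS = re.compile(r"url\s*\(", re.IGNORECASE)


def is_remote(value):
    """True for URLs that leave the message; cid: and data: references stay."""
    return value.strip().lower().startswith(("http:", "https:", "//", "ftp:"))


class RemoteContentStripper(HTMLParser):
    """Re-emit the document without remote loads; list what was stripped."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.stripped = []      # (tag, description) for logging / detection
        self._skip_depth = 0    # > 0 while inside a <style> or <script> we drop

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip_depth += 1
            self.stripped.append((tag, "element removed"))
            return
        if self._skip_depth:
            return
        kept = []
        for name, value in attrs:
            if value is not None and name in REMOTE_ATTRS.get(tag, ()) and is_remote(value):
                self.stripped.append((tag, f"{name}={value}"))
                continue
            if name == "style" and value and URL_IN_CSS.search(value):
                self.stripped.append((tag, "inline style with url()"))
                continue
            kept.append((name, value))
        attr_text = "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}" for n, v in kept
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <img .../> is emitted as <img ...>

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments are dropped by the default handle_comment (no output).


def strip_remote_content(html_body):
    """Return (cleaned_html, stripped_items)."""
    parser = RemoteContentStripper()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.stripped


# Constructed sample: one tracking pixel, one inline (cid:) logo, one remote
# stylesheet and one CSS background image. Domains are placeholders.
SAMPLE_HTML = (
    "<html><body>"
    "<p>Dear client, please review the attached advice.</p>"
    '<img src="https://tracker.example/open?id=123" width="1" height="1">'
    '<img src="cid:logo@lawfirm.example" alt="logo">'
    '<link rel="stylesheet" href="https://tracker.example/style.css">'
    '<div style="background:url(https://tracker.example/bg.png)">text</div>'
    "</body></html>"
)

if __name__ == "__main__":
    cleaned, stripped = strip_remote_content(SAMPLE_HTML)
    print(cleaned)
    for item in stripped:
        print("stripped:", item)
```

The `stripped` list is the useful by-product for a mail gateway: a message whose HTML contains many hidden remote references is worth quarantining for a closer look regardless of whether it is encrypted.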
The configuration of S/MIME Email Encryption may be beyond your technical capabilities if you are an individual Client or Prospective Client, +/or you may not have the necessary time or access to a technical support team.
In these situations, we offer Trustifi (An Award Winning Email Security Platform) End-to-End Email Encryption known for its reputation for ease of use as an alternative solution.
With Trustifi’s automatic encryption software, sending and receiving encrypted email communications can all be accomplished with a single click of a button, providing the best email security service in the industry to both the sender and the end-user, whether you’re sending small or large files.
With Trustifi’s email encryption services, there is no need for either the sender or intended recipient to understand how secure email encryption works, know how to set it up or exchange encryption keys. The Trustifi platform has been built from the bottom up to be as straightforward as possible, all while preventing data loss by securing every email account with encryption.
In contrast to other email encryption vendors, Trustifi’s Single Click Encryption service is genuinely hassle-free.
By using a *.law website domain we have made it easy for you to determine whether it is our website you are accessing or whether an email you have been sent is from our law firm.
No malicious actors or hackers can impersonate us as they simply cannot purchase a *.law domain name.
⚖️ *.law is a top-level-domain (TLD) that aims to:
Promote trust in the professional legal community by creating a:
✅ Verified;
✅ Exclusive; and
✅ Reserved online space in which only accredited lawyers and law firms can establish a comprehensive digital brand.
✅ Website users can have confidence they are dealing with an authorised and licensed lawyer/law firm.
✅ *.law offers effective branding to those in the legal community, with the ability to secure a domain name that clearly communicates who you are + the legal resources you provide.
Source: join.law - Why *.law?
If you want to proactively protect your Legal + Identity Documents from Fraud + Litigation by adding an Authentic8 / Genuine QR Code please contact our legal team to instruct us to add this optional additional level of protection.
This protection is especially useful for Estate Planning documents. Being able to independently verify a tamper-proof digital date/timestamp for the document, and to verify every pixel of the document so that its contents cannot be fraudulently altered, is crucial in establishing a solid evidential footing regarding when the document was created and its exact contents at the time it was signed and the Authentic8 QR code was added.
A new Trax Print product (currently in beta) allows you to add GPS Protected PDF Document Security, so that your Identity +/or Trade Secrets or other important documents cannot be viewed by anyone other than the person you nominate, or outside the GPS co-ordinates (address) you specify, when you contact our legal team to instruct us to add GPS Protected PDF Document Security to one or more of your PDF documents.
Trax Print GPS Protected PDF Document Security can ensure that the document you send can only be opened by the person you sent it to at the location you specify, in other words, the document is GPS locked.
If required, you can instruct us to add multiple people and their respective GPS locations to the same PDF document.
If your GPS Protected PDF Document has been sent inadvertently or on purpose (leaked) to a person you have not approved, you can instruct us to upload the file to our GPS Protected PDF Document dashboard so we can view exactly who has attempted to open it (they will have been unsuccessful due to the GPS Protected PDF Document Security) and where this unauthorised third party is located.
You can then instruct us to contact the authorised person you nominated to receive the GPS Protected PDF Document to determine how your PDF document was leaked or inadvertently sent to the unauthorised third party, and to instigate the process of having it returned back into your possession.
All our new Clients are encouraged to generate our FREE Client CyberSecurity Alert Letter.
We also send you this link or a copy of the "Together we can help Prevent Cyber Fraud" brochure published by the NSW Law Society and LawCover (also available to download from our brochures page at any time).
However, we understand that attachments can always be overlooked or ignored.
In an abundance of caution, we recommend you take the time required to engage with our online process to step through what you need to know in detail to generate your FREE Client CyberSecurity Alert Letter, so that you are fully aware of how best to protect your funds when transferring them to or from our bank account.
All our subscription plans include FREE ongoing access [$55 initial setup fee] to our Digital Asset Safe Custody Vault.
You can access your Digital Asset Safe Custody Vault via a web browser or download the App version locally to your desktop or laptop (Windows or Mac).
Our Digital Asset Safe Custody Vault platform provider The Prepared Company has attained both GDPR (the EU General Data Protection Regulation) compliance and a SOC 2 Security Attestation by an independent chartered accountant, and is continuously monitored using Vanta.com.
Vanta is the leading automated security and compliance platform. Vanta helps your business get and stay compliant by continuously monitoring your people, systems and tools to improve your security posture.
You can access the latest Vanta Trust Report for The Prepared Company here.
A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
Identity Watch is a cyber-monitoring service included in a number of Equifax personal credit and identity monitoring plans.
Identity Watch is used to help detect fraud by constantly looking for information - such as credit and debit card numbers, phone numbers and email addresses - in places on the internet where information is known to be illegally traded.
All our subscription plans include FREE Equifax Identity & Credit Protection.
Equifax Identity Theft Protection and Identity Guard Insurance supports you if you've become a victim of identity fraud.
It'll help you with the cost of restoring your identity and reduce the impact and risk associated with loss and theft.
All our subscription plans include up to $15k Identity Guard Insurance.
Social Sharing Image: Courtesy of Alfred Leung on Unsplash
Credits: This blog article was written by James D. Ford Esq., GAICD CIPP/US | Principal Solicitor, Blue Ocean Law Group℠.
Important Notice:
This blog article is intended for general interest + information only.
To the extent this article is deemed advertising or solicitation, it is hereby identified as such.
It is not intended to constitute legal advice; the statements made are opinions about general situations, and they are not a substitute for advice as to any specific matter.
We recommend you always consult a lawyer for legal advice specifically tailored to your needs & circumstances.