How to manage your client’s data responsibly
Protect your clients from fraud and identity theft, and protect their confidential information
Jeremiah Cruz
Nick Kavadias
Gabor Szathmari
Marbury Chambers
CryptoAUSTRALIA
2/11/2018
Who is CryptoAUSTRALIA
• A not-for-profit started by security and privacy enthusiasts.
• We have nothing to do with BitCoin, so please stop asking.
• We focus on finding practical ways of dealing with modern privacy and security challenges.
• We are looking for sponsors in order to continue our work and research.
• This may be a new concept to lawyers, but we are running these events for free*.
* This presentation does not constitute cybersecurity advice.
Who is Marbury Chambers
• http://marburychambers.com.au
Self promotion…
Tonight’s speakers:
• Jeremy – Network Security Expert
• Nick – Solicitor and Technologist
• Gabor – Cybersecurity Expert
We know how to internet…
@CryptoAustralia #cryptoaus
http://chat.cryptoaustralia.org.au
https://fb.me/CryptoStraya
Interact with us in the digital world…
What we are covering tonight…
1) Phishing and BEC Fraud
2) Password security (2FA and password reuse)
3) 100 point checks & ID verification
4) Document conversion practices
5) Secure document sharing practices
6) Data Disposal & Physical security (dos and don’ts)
7) Metadata in documents
8) What to do post-breach 🙏
Phishing and Business Email Compromise
What is BEC fraud?
Social engineering / spear phishing: “I am the CFO, pay this invoice urgently”
• Display name spoofing – the real name, but not the real email address
• Email address spoofing – the real name and email address, but a different Reply-To address
• Email account compromise – a real email account is broken into (credentials from a data breach, or spear phishing)
Impersonation: “Our payment details have changed, use this bank account instead”
• One of your staff’s mailboxes is compromised
• One of your vendors’ mailboxes is compromised
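The three spoofing patterns above can be checked mechanically on an incoming message. The following is an added example written for this page (not the presenters’ code or any product): it parses a raw message with Python’s standard `email` library and flags a known display name arriving from an unexpected address, a Reply-To in a different domain from the From address, a failing SPF/DKIM/DMARC result recorded by your own mail server, and payment-diversion language in the body. The address book, the lure phrases and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: a small address book mapping the display names your staff know
# (lower-cased) to the address those people actually send from.
KNOWN_CONTACTS = {
    "jane smith": "jane.smith@example-law.com.au",
}

# Phrases that commonly appear in payment-diversion lures (constructed list).
LURE_PHRASES = ("urgent", "new bank account", "payment details have changed", "pay this invoice")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    findings = []

    # 1. Display-name spoofing: a name we know, but not the address we know it by.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        findings.append(f"display name '{name}' normally sends from {expected}, not {from_addr}")

    # 2. Reply-To diversion: replies would go to a different domain than the sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To {reply_addr} is not in the From domain {_domain(from_addr)}")

    # 3. Authentication-Results added by your own mail server, if present.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for check in ("spf=fail", "dkim=fail", "dmarc=fail"):
        if check in auth:
            findings.append(f"mail server reported {check}")

    # 4. Payment/urgency language in the body.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits = [p for p in LURE_PHRASES if p in body]
    if hits:
        findings.append("payment/urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """\
From: Jane Smith <jane.smith@webmail-provider.example>
Reply-To: accounts@invoices-pay.example
To: accounts@example-law.com.au
Subject: Invoice for settlement
Authentication-Results: mx.example-law.com.au; spf=fail smtp.mailfrom=webmail-provider.example
Content-Type: text/plain; charset="utf-8"

Hi, our payment details have changed. Please pay this invoice urgently.
"""

LEGITIMATE = """\
From: Jane Smith <jane.smith@example-law.com.au>
To: accounts@example-law.com.au
Subject: Draft agreement
Content-Type: text/plain; charset="utf-8"

Attached is the latest draft for review.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(raw))
```

None of these checks is proof on its own (a genuine vendor may legitimately set a Reply-To), which is why the output is a list of indicators for a human to weigh, and why a change of bank details should always be confirmed by phone on a number you already hold.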
How does BEC affect my practice?
• Financial loss – direct and indirect. Could it be enough to put you out of business? Litigation, insurance premiums, system remediation, investigation
• Notifiable Data Breach – if an email account is compromised, the incident may be reportable to the OAIC. Fines?
• Reputational damage – Negative media coverage & Twitter rage
The biggest cyber security threats in 2018
• Business Email Compromise (BEC)*
• Ransomware
• Data breach
• Phishing
• Identity theft
Good security practices reduce the risk of multiple threats.
For a generic list of threat mitigations, refer to the ASD Essential 8: https://acsc.gov.au/publications/protect/Essential_Eight_Explained.pdf
* A $9 billion industry in 2017: https://www.trendmicro.com/vinfo/au/security/news/cybercrime-and-digital-threats/fbi-bec-losses-in-2017-shot-up-to-over-us-675-million
Secret: “hackers” log into your webmail
Password hygiene
• Websites get hacked.
• People reuse the same email and password across multiple online accounts. D’oh!
Haveibeenpwned
Do you have leaked passwords? https://haveibeenpwned.com/
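Checking a password against a breach corpus does not require sending the password anywhere. The Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>) accepts only the first five hex characters of the password’s SHA-1 and returns every matching suffix with its breach count, so the comparison happens on your own machine. The example below is added for this page (it is not the site’s own client): `fetch_range` needs network access, so the demonstration runs against a constructed response for the `5BAA6` range in which the suffix for the password `password` is its real SHA-1 suffix, while the other lines and all counts are made up.

```python
import hashlib
import urllib.request
from typing import Optional

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex of the password into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_text: str) -> int:
    """Search a range response ("SUFFIX:COUNT" per line) for our suffix; 0 if absent."""
    for line in range_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Only the 5-char prefix is transmitted."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_pwned(password: str, range_text: Optional[str] = None) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    if range_text is None:
        range_text = fetch_range(prefix)
    return count_in_range(suffix, range_text)


# Constructed stand-in for the response to GET /range/5BAA6, the range that contains
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8. Real responses run to
# several hundred lines; the neighbouring suffixes and every count here are made up.
CONSTRUCTED_RANGE_5BAA6 = """\
1E2A6A9D4F05C1E4E5D8B9A7C6D5E4F3A2B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E53EDA9C1F6B4A3A2C9B8D7E6F5A4B3C2D:1
"""

if __name__ == "__main__":
    print("'password' seen", times_pwned("password", CONSTRUCTED_RANGE_5BAA6), "times")
```

A non-zero count means the password is in criminals’ wordlists and will be tried against your webmail; change it everywhere it was used, and check your work email address at https://haveibeenpwned.com/ as the slide suggests.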
Meanwhile on SpyCloud
Secret: “hackers” log into your webmail
Solution: Use Two-factor authentication
If you only do one thing to improve your cybersecurity posture, it should be to turn on 2FA for your email.
Advice evolves with threats and as criminals become more sophisticated, e.g. 2FA via SMS can be attacked with SIM swapping.
Two-factor authentication
Most powerful defence from:
• Crappy passwords (Letmein1)
• Stolen passwords (phishing)
• Leaked passwords (reuse)
Why do we have just a few passwords?
Problems:
• Too many passwords to remember
• Has my password leaked in a data breach?
Password managers solve both.
Password hygiene – Wallets
Remember a single password only:
• LastPass
• 1Password
• Dashlane
• RoboForm
1Password
100 Point ID Checks
Personal Information and Verification of Identity (VOI)
100 point ID checks: VOI has been required by the NSW conveyancing rules since 2016
• Scan-to-email devices (bonus: unencrypted traffic)
• Images stored on the copier’s hard disk
• Documents sent and received over email
• Asking clients to email you their ID for a 100 point check
DATA LEAKS EVERYWHERE!
Bad practices - VOI checks
• Don’t ask for scanned documents to be sent over email!
• Mailbox compromise – Notifiable Data Breach
• Many scan-to-email office devices are also insecure
• Rely on VOI providers instead
• Secure smartphone app and web portal
• https://www.dvs.gov.au/users/Pages/Identity-service-providers.aspx
Bad practices
Document Conversion
Manage client data responsibly: Document conversion?
• DOCX => PDF
• PDF => DOCX
• OCR?
Bad practices - Online document conversion
Online2PDF.com, freepdfconvert.com...
• They provide a convenient service to convert documents to PDF
Bad practices - Online document conversion
Online2PDF.com, freepdfconvert.com...
• Who’s behind the service?
• What happens to your documents?
• Why would you upload sensitive documents to random strangers?
Manage client data responsibly: Document conversion?
Source: https://www.itnews.com.au/news/abbyy-temporary-data-breach-exposed-200000-scanned-docs-511612
Online document conversion
Convert documents offline, e.g. with Adobe Acrobat Professional
Secure document sharing practices
Bad practices – document sharing over email
Problem statement:
Your email file attachments and embedded download links remain in your ‘Sent’ folder forever, waiting for a hacker to log in and download them.
Bad practices – document sharing over cloud-based file storage services
File sharing with Dropbox, OneDrive, or a random service:
• Download links are valid forever
• Mailbox gets hacked → links are still live
Transferring sensitive documents securely
• Send web links instead of file attachments where appropriate
• Use expiring web links
Services: Google Drive, Sync.com, Tresorit...
Bad practices
Transferring sensitive documents securely
• https://send.firefox.com (currently in pilot)
• Password protect the link
• Link expires after 1 to 20 downloads, or after 24 hours (you pick)
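An expiring link is just a signed statement of “this file, until this time”, plus a server-side download budget. The example below is added for this page (it is not Google Drive’s, Sync.com’s or Firefox Send’s implementation) and shows the mechanism in Python: the link carries the file id, an expiry timestamp and an HMAC-SHA256 over both under a key that never leaves the server, so a recipient, or an attacker reading an old mailbox, cannot extend the expiry or swap the file id; a counter enforces the “expires after N downloads” option. The signing key, the in-memory counter store, the URL and the timestamps are assumptions for the demonstration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a server-side secret (in practice from os.urandom, kept out of config repos).
SIGNING_KEY = b"replace-with-a-long-random-key-from-os.urandom"

# Assumption: per-file download allowance, standing in for a database table.
downloads_left = {}


def _sign(file_id: str, expires: int) -> str:
    return hmac.new(SIGNING_KEY, f"{file_id}|{expires}".encode("utf-8"), hashlib.sha256).hexdigest()


def make_link(base_url: str, file_id: str, ttl_seconds: int, max_downloads: int, now: int) -> str:
    """Issue a link that is valid for `ttl_seconds` or `max_downloads`, whichever ends first."""
    expires = now + ttl_seconds
    downloads_left[file_id] = max_downloads
    return base_url + "?" + urlencode({"file": file_id, "expires": expires, "sig": _sign(file_id, expires)})


def check_link(url: str, now: int) -> tuple:
    """Validate the signature first, then expiry, then the remaining download budget."""
    q = parse_qs(urlparse(url).query)
    try:
        file_id, expires, sig = q["file"][0], int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "malformed link"
    if not hmac.compare_digest(_sign(file_id, expires), sig):
        return False, "bad signature"          # expiry or file id was tampered with
    if now > expires:
        return False, "expired"
    if downloads_left.get(file_id, 0) <= 0:
        return False, "download limit reached"
    return True, file_id


def download(url: str, now: int) -> tuple:
    """Redeem one download if the link is still valid."""
    ok, detail = check_link(url, now)
    if ok:
        downloads_left[detail] -= 1
    return ok, detail


if __name__ == "__main__":
    t0 = int(time.time())
    link = make_link("https://files.example/get", "brief-2018-11.pdf", 86400, 2, t0)
    print(link)
    print(download(link, t0), download(link, t0 + 60), download(link, t0 + 120))
    print(check_link(link, t0 + 86401))
```

The link still admits whoever holds it while it is live, so the password option on the previous slide (a second secret that is not in the mailbox) matters, and the server should log every redemption so a breach investigation can tell which documents were actually fetched.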
Transferring documents securely
Storing documents securely
Cloud file storage – who is your adversary?
• Hackers? – Dropbox, Google Drive, OneDrive, with two-factor authentication turned on
• Government? – End-to-end encrypted service: Sync.com, Tresorit
Encrypt your disks, USB flash drives and smartphones:
• BitLocker – Windows 10 Professional
• FileVault – Mac
• Android supports disk encryption
• On iOS disk encryption is turned on by default
Data disposal
Prudent data disposal practices
Laptops, computers:
• Magnetic disks: overwrite, e.g. with DBAN (https://dban.org/)
• SSD: physical destruction
• USB flash drives: physical destruction
iPhone: factory reset
Android*:
1. Encrypt the device
2. Remove storage and SIM cards
3. Factory reset
4. Remove the device from your Google account
Phones (SD card): physical destruction
* https://www.computerworld.com/article/3243253/android/how-to-securely-erase-your-android-device-in-4-steps.html
Prudent data disposal practices (cont’d)
Physical security (dos and don’ts)
• Shred documents – use a diamond cut shredder
• Secure document disposal service – can also securely dispose of digital media for you
• Digital certificates (e.g. PEXA key):
• Leave them unplugged when not in use
• Cut the built-in smart card in half to dispose of it
Metadata issues
Good document management practices
Metadata in documents: what can go wrong?
1. Disclosure of instructions
• Comments, tracked changes
2. Identification of personnel:
• Disclosure of author or commentator who wishes to be anonymous
• Metadata from multiple authors, silent partners
What can go wrong? (cont’d)
3. Disclosure of former or existing clients
• Everyone is using templates – Recycled documents
4. Embarrassment
• Nasty comments left in a document that was supposed to be private
Recent decision where metadata was the turning point:
• Wadler v Bio-Rad Laboratories
• Sanford Wadler, general counsel – his employment was terminated for whistleblowing
• The employer claimed erratic work and workplace outbursts
• The employer introduced as evidence an unfavourable performance review (a document)
• The document’s metadata established that the performance review was created one month after the employee was terminated
• Jury awarded $8 + $5m in damages
Metadata in legal documents
Office documents
• Track changes
• Comments
• Hidden content
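These items live in specific parts of a .docx, which is a zip archive of XML: the author, last editor and the created/modified timestamps that decided the Wadler case sit in docProps/core.xml; reviewer comments sit in word/comments.xml, referenced from the body (word/document.xml) and from word/_rels/document.xml.rels; tracked changes are w:ins/w:del elements in the body. The added example below (written for this page, not any of the tools on the next slide) builds a constructed minimal document with the standard library, reports what a recipient could read out of it, and scrubs it. The sample names, comment text and dates are made up.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
REL = "http://schemas.openxmlformats.org/package/2006/relationships"
for prefix, uri in (("w", W), ("cp", CP), ("dc", DC), ("dcterms", DCTERMS), ("xsi", XSI), ("", REL)):
    ET.register_namespace(prefix, uri)

IDENTITY_TAGS = {f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy", f"{{{DC}}}title",
                 f"{{{DC}}}subject", f"{{{DC}}}description", f"{{{CP}}}keywords"}
TIMESTAMP_TAGS = {f"{{{DCTERMS}}}created", f"{{{DCTERMS}}}modified"}
COMMENT_MARKERS = {f"{{{W}}}commentRangeStart", f"{{{W}}}commentRangeEnd", f"{{{W}}}commentReference"}


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: an author, a last editor from another firm, timestamps
    and one reviewer comment. Not a real client document."""
    core = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCTERMS}" xmlns:xsi="{XSI}">
<dc:creator>J. Smith</dc:creator><cp:lastModifiedBy>silent.partner@other-firm.example</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2018-10-01T09:00:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2018-11-01T17:30:00Z</dcterms:modified>
</cp:coreProperties>"""
    document = f"""<w:document xmlns:w="{W}"><w:body><w:p><w:commentRangeStart w:id="0"/>
<w:r><w:t>Draft deed for settlement</w:t></w:r><w:commentRangeEnd w:id="0"/>
<w:r><w:commentReference w:id="0"/></w:r></w:p></w:body></w:document>"""
    comments = f"""<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="Silent Partner" w:initials="SP">
<w:p><w:r><w:t>Recycled from the Acme Pty Ltd matter, check the names</w:t></w:r></w:p></w:comment></w:comments>"""
    rels = f"""<Relationships xmlns="{REL}"><Relationship Id="rId1" Target="comments.xml"
Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/comments"/></Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
        z.writestr("word/comments.xml", comments)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def inspect_docx(data: bytes) -> dict:
    """Report the package parts, the core properties and every comment (author, text)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        report = {"properties": {}, "comments": [], "parts": z.namelist()}
        if "docProps/core.xml" in report["parts"]:
            for el in ET.fromstring(z.read("docProps/core.xml")):
                report["properties"][el.tag.split("}")[1]] = el.text or ""
        if "word/comments.xml" in report["parts"]:
            for c in ET.fromstring(z.read("word/comments.xml")).iter(f"{{{W}}}comment"):
                text = "".join(t.text or "" for t in c.iter(f"{{{W}}}t"))
                report["comments"].append((c.get(f"{{{W}}}author"), text))
    return report


def _drop(root, unwanted) -> None:
    """Remove every element at any depth whose tag is in `unwanted` (a set) or for
    which `unwanted(el)` is true (a callable)."""
    test = unwanted if callable(unwanted) else (lambda el: el.tag in unwanted)
    for parent in list(root.iter()):
        for child in list(parent):
            if test(child):
                parent.remove(child)


def scrub_docx(data: bytes) -> bytes:
    """Blank identities, drop timestamps, and remove the comments part together with
    the comment markers in the body and the relationship that points at the part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name == "word/comments.xml":
                continue
            payload = src.read(name)
            if name in ("docProps/core.xml", "word/document.xml", "word/_rels/document.xml.rels"):
                root = ET.fromstring(payload)
                if name == "docProps/core.xml":
                    for el in root:
                        if el.tag in IDENTITY_TAGS:
                            el.text = ""
                    _drop(root, TIMESTAMP_TAGS)
                elif name == "word/document.xml":
                    _drop(root, COMMENT_MARKERS)
                else:
                    _drop(root, lambda el: el.get("Type", "").endswith("/comments"))
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", inspect_docx(sample))
    print("after: ", inspect_docx(scrub_docx(sample)))
```

This covers the three bullets above for a single body part only: it does not accept tracked changes (w:ins/w:del), and it ignores hidden text, headers, footers, embedded objects and docProps/app.xml, which is why a practitioner reaches for the dedicated tools on the next slide. Its value is showing what “metadata” physically is and where to look when auditing a document before it leaves the firm.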
Removing metadata - Tooling
• Adobe Acrobat’s redaction tools
• Windows Explorer – File Properties (Details tab, “Remove Properties and Personal Information”)
• Workshare Secure - integrates with MS Exchange
• Payne Group Metadata Assistant 5.0 – Compatible with MS Office and Windows. Integrates with document management systems and email clients – thepaynegroup.com
• cleanDocs – Removes Word, Excel, PDF – docscorp.com
• BEC MetaReveal – MS Office and MS Outlook – beclegal.com
• Litera Microsystems Metadact
Removing metadata – More information
Law Society Journal, March 2018, page 76: Helen Brown, “Why it’s time to wise up about metadata” – https://lawsociety.cld.bz/e/LSJ-March-2018/76
What to do when you get hacked 🙏
• Disconnect your computer from the Internet and stop using it
• Contact your MSP and have your cloud account passwords reset
• Notify Lawcover – they have an incident response team
• Checklist: http://lca.lawcouncil.asn.au/lawcouncil/images/cyber/CP-What-to-Do.pdf
Summary
1) Use 2FA and don’t reuse your password
2) Use a VOI provider for identity checks
3) Share documents with expiring links
4) Dispose data securely
5) Shred documents & protect digital certificates
6) Remove metadata as appropriate
7) Notify Lawcover when the house is on fire
Where to get help
• Law Council of Australia’s Cyber Precedent – a great learning resource
• Law Council cyber-attack checklist
• Lawcover crisis management team can help you clean up the mess.
• Victims of identity theft should contact IDCARE, a not-for-profit that helps people affected
• Have a conversation with your IT Service Provider, or staff. Use these slides as a talking point!
“You don't have to run faster than the bear to get away. You just have to run faster than the guy next to you.”
@CryptoAustralia #cryptoaus
http://chat.cryptoaustralia.org.au
https://fb.me/CryptoStraya
Get updates: https://cryptoaustralia.org.au/newsletter
Next workshop:
https://www.meetup.com/Cybersecurity-for-Lawyers-by-CryptoAUSTRALIA/