♫  I want security, yeah
Without it I had a great loss, oh now
Security, yeah
And I want it at any cost, oh now…♫

Lyrics and music by: Margaret Wessen, Otis Redding; recorded by Otis Redding.

I have been giving a number of presentations lately that in part, deal with the (in)security of law firm systems.  This is based on the findings of the Legal Technology Resource Center of the ABA (“LTRC”) in their 2013 Legal Technology Survey.  They reported that 15% of reporting law firms acknowledged that they had a security leak.  43% reported being infected by a virus, spyware or malware.  Only 53% of firms reporting having a disaster recovery plan in place (these stats cause me to picture a Venn diagram showing those firms that were infected, had a security  leak and those who had a disaster recovery plan and the degree of overlap…or lack thereof…but I digress…)

Bloomberg reports that China-based hackers target law firms to get secret deal data.  Unfortunately the law firms being hacked were Canadian – and Bloomberg states that they rifled one secure computer system after the next – eventually hitting 7 different law firms as well as the Treasury Board and Canada’s Finance Ministry.

Bloomberg further states that in a meeting with 200 law firms in New York City with Mary Galligan, head of the cyber division in the New York City office of the U.S. Federal Bureau of Investigation and her group: “..the FBI issued a warning to the lawyers: Hackers see attorneys as a back door to the valuable data of their corporate clients.”

Obviously this column is far too short to deal with this issue in any depth except to help raise awareness and to leave our gentle readers with one technique to protect sensitive communications and data.

Bruce Schneier is one person that I listen to when he speaks on security.  Bruce has been writing about security issues on his blog since 2004, and in his monthly newsletter since 1998. He writes books, articles, and academic papers. Currently, he is the Chief Technology Officer of Co3 Systems, a fellow at Harvard’s Berkman Center, and a board member of EFF.

Bruce said – if you want to evade NSA (and basically any other spying) then don’t connect to the Internet. OK you say, how is that possible today?  Well Bruce recommends having one computer with an air gap.  This is a physical isolation of a computer (or network of computers) from the internet.  If you want to get really really paranoid – you buy two identical computers, configure one by connecting it to the internet for a little as possible to get it running (and as anonymously as possible), upload those results to a cloud-based anti-virus checker and then transfer the results of that to the air gap computer using a one-way process.  Then once you have the computer configured – never, never ever connect it to the internet again.  Disable the Wi-Fi so it never gets accidentally turned on. Turn off all auto run features.

Bruce advises transferring files using a writable optical disk (CD or DVD).   You can verify the data written to such a disk. Encrypt EVERYTHING moved on and off that computer (and of course have full hard-drive encryption on this air gapped computer).

Bruce states that even this is not foolproof.  He has further suggestions in his blog. You can take things even further. Bruce should know – he is looking at Snowden documents. Bruce wants security at any cost…

(cross-posted to tips.slaw.ca)