Email Security

In addition to the other IT upgrades in progress, we have been focusing on email security.  We have made a few changes in the last few days, and are planning a few more to come.

Quarantine Mail

Some of you may have notice an email in your inbox this morning from quarantine@messaging.microsoft.com.  The email contains a list of emails that were blocked from your inbox, and gives you the opportunity to download any emails you wish to receive.

Until very recently, we did not block any email that was addressed to you.  This email is a result of recent changes.  We implemented this feature to reduce the amount of spam and other unwanted email that arrives in your inbox each day.  The quarantine email is a daily summary of the email that we are blocking.  You only receive one email each day rather than receiving perhaps dozens of spam emails over the course of the day.

This will not block all spam, but hopefully reduces the amount that you receive.  Note that some mail is delivered to your mailbox and is diverted to your junk mail folder.  You may want to check that folder from time to time as well.

Encrypted Mail

Another feature recently added is the ability to send secure encrypted messages.  All internal mail is already encrypted.  But when you send to an outside party, email must necessarily be unencrypted in order for the recipient to be able to access it.

The firm now offers an option to send emails and attachments in a more secure way.  If you type  "securemail" or "#securemail" into the subject or text of an email, the recipient will receive a notices that says:

"You've received an encrypted message from [sender] To view your message Save and open the attachment (message.html), and follow the instructions. Sign in using the following email address [recipent's address]."

The email contains an attachment called "message.html" which the recipient must download and open.  It contains a message:

"Encrypted message
From [sender]
To [recipient]
To view the message, sign in with a Microsoft account, your work or school account, or use a one-time passcode."

If the recipient is already a Microsoft user, he/she can log in and access the text of your email and any attachments.  If not, the recipient can request a temporary pass code which is sent as a second email from Microsoft.  The recipient can use that code to access the content of your email.

If this sounds like a number of extra steps for the recipient, it is.  You may also get calls from recipients saying that this email looks suspicious to them.  Many hackers send similar emails to get users to download suspicious html files and open them on their computers.

Despite these concerns, you should use the secure mail option for any emails that contain private information.  This can include personally identifiable information (PII) such as birth dates or Social Security Numbers.  It would also include any medical records protected under HIPAA.

Box Links

If you want to get confidential information to someone outside the office, and do not want to go through the securemail option, there is another option available to you, at least for the offices that have already converted to Box.  Instead of attaching a file containing private information to an email, you can upload the document to Box.  Then, send an email to the recipient with a link to the document on Box.  The recipient can click on that link and download the information over an encrypted connection.

Multi-factor Authentication

Another feature that is coming soon is multi-factor authentication (MFA) also sometimes called Two-factor authentication (2FA).  We are implementing this because of the ever increasing number of hacker attacks on our email accounts.   With this implemented, a hacker cannot access your email, even if he/she knows your password.  Once you enter your email and password, you will be asked to enter a separate code, that is texted to your smart phone.

Once you have authenticated your computer or other device, you will not need to go through the process again, at least for a period of time, after which we may reauthenticate your device.

Again, it is an extra step, but one that is needed to provide the firm with better security.  We have not implemented MFA yet.  We are still working out a few details.  I wanted to let everyone know that it is coming soon.

Handling Suspicous Mail

In our ongoing efforts to protect our network and our client data, we have created a special email where you can send any suspicious emails  that you receive.  If you get anything that looks suspicious, please forward it to spam@margolisedelstein.com.  Do not open any attachments or reply to the sender.  Just forward the email for our evaluation and testing.  It is important that you do not attempt to act on the message yourself.  Hacking attempts via email are becoming more sophisticated every day.  If you have the slightest doubt, suspicion, question or hunch about an email, please forward it to the spam@margolisedelstein.com address for evaluation.

Ransomware

Over the weekend you may have seen various news reports of a worldwide ransomware attack hitting thousands of networks.

Ransomware is a form of malware (bad software designed from some  harmful or illegal purpose).  It encrypts all of the files on your computer then notifies you that if you want the description key, you must send the author money in exchange for the key.  Without that key, you will never be able to open any of the encrypted files again.

Most ransomware needs to be invited onto your computer.  Hackers do this by tricking you into clicking on a link and agreeing to install it on your computer.  This one was a little more dangerous since once it gets into a local network it can attack any computer that has not been updated with the most current Windows security updates.

All firm computers are configured to update themselves automatically.  This is why you occasionally get notices from your computer that it will need to restart to install updates.  It is very important that you don't disable this function, even if it is occasionally annoying.

If, at home, you are using an older XP computer, or a computer that does not have updates turned on, you are playing with fire.  You are vulnerable not only to this but other attacks as well.  It's a bit like leaving your front door unlocked when you leave for work each day.  Nothing may happen, but do you really want to take that chance?

The firm's primary defense against ransomware is a good backup system.  If our network gets hit with ransomware, we would have to delete all the current file and restore from backup.  Longer term, we hope to put in place a document management system that will protect our files from such attacks, even if some computers on the network become compromised.

To read more about the latest attack, check out these articles from the BBC, NPR, and the Verge.

Protecting Information on Your Smart Phone

Every year, we seem to become more dependent on our smart phones for work.  More importantly, more confidential client data, in the form of emails, documents, access to cloud storage, and other means of access are left on our phones.  As a result, securing that data is increasingly important.  I have addressed this issue in my blog once before but thought it worth addressing the issue once again.

The first thing you can do, if you have not already, is to secure your phone with a password.  This is the easiest and most obvious form of protection.  All modern iPhones and most Androids, including the Samsung Galaxy line, also have fingerprint scans for opening your phone.  I recommend setting up both.  With the fingerprint, you can access your phone almost as easily as a screen swipe.  The password provides a backup entry if the fingerprint does not work for some reason.

Beyond the hassle of accessing your phone, I can think of two reasons people avoid it.  One is that if a phone is lost, an honest person who finds it cannot return it.  In my earlier post, I explained how you could set up identifying information on your start screen, which a user can see without opening the phone. Another concern is forgetting one's password and getting locked out.  The IT Department already stores many of your work passwords.  We are also happy to store this password as well.  But to be clear, if you set or change a phone's password and do not tell us what it is, and then forget the password yourself, we have no way of accessing the phone.  You cannot even reset it.  You might as well throw it away and buy a new one at that point.

Beyond a password, make sure your device is encrypted.  Without encryption a professional may be able to access your phone's data drive even without a password.  By default, iPhones are encrypted as soon as you add a password.  Android users must go through another step in settings to encrypt data.

Typically, our phones are not stolen.  More commonly, we lose them.  One of the best things to do is ensure there is a way to locate your phone if you lose it.  By default, Android devices are set up so that you can use a locator online, as long as you have a valid Gmail account configured on the device.  Your work email will suffice for this purpose..  Here is a good article on locating and wiping your lost device.  The firm uses device management.  If your phone has been set up properly, we will have the ability to wipe email off your phone, or wipe the device entirely.

If you use an iPhone, you must set up an iCloud account prior to losing the phone.  Without this, we cannot locate the device for you.  We can, however, wipe the phone's contents even with out an iCloud account. With the account, you have the ability to search for your device and locate it on a map.  It greatly increases your chances of recovering your lost device.  If you do not already have an iCloud account set up for your iPhone, I strongly recommend that you do so.  I also recommend providing the iCloud password to the IT Department for safe keeping.  Otherwise, if you forget it, having the account will be useless to you.

An iCloud account also does more than simply locate your phone.  It serves as a backup device so that your pictures, files, and settings can be stored in the cloud.  If a phone is list, stolen, or damaged, your iCloud can be used to restore those files and settings on a new device.  It also comes in handy when upgrading your phone.  An iCloud account is free for up to 5 GB.  If you decide you need more space, you are on your own to pay for it.  Typically, iCloud accounts get filled by pictures.  You can download the pictures and store them elsewhere to save space (I recommend using Google Photos, which works with both iPhones and Androids, and offers free unlimited cloud storage of your photos).

HIPAA, Confidentiality, and Google

I start this post with a warning.  I am going to discuss a few aspects of HIPAA as it relates to our use of Google Apps for Business.  This is not meant to be an authoritative or complete analysis of the HIPAA requirements for protecting medical information.  As lawyers, you are ultimately responsible for taking any necessary steps to keep medical records confidential, as you are obligated to keep pretty much any client information confidential.  I am merely posting some thoughts that might help with your efforts to protect client confidentiality while using the firm's online resources.

Even if you do not deal directly with medical records, you may find parts of this article helpful in ensuring protection of client confidentiality in your storage and transmission of electronic records.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed, among other things, to create an obligation for heath care professionals and insurance companies to ensure the privacy of client medical records.  A law firm which handles such records is not covered directly by HIPAA, but is considered a "Business Associate" of those covered and therefore must take care to protect the privacy of medical records in our possession.

If you wish to read more about the HIPAA Privacy Rule in general, I recommend this page at HHS as a good place to start.  At its most basic level, the idea is that we take care to make sure that medical records are not disclosed to anyone who should not have them.  HIPAA seems to be maddeningly vague and exactly what level of security or care is really required though.  We often get questions about compliance from some of our clients.  We need to make sure that we comply with whatever the client requires of us.

On question that we sometimes get is whether our email system is compliant.  Gmail has a HIPAA Business Associate Agreement which Google says ensures compliance with HIPAA with the use of Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Sites, and Google Apps Vault services.  Notably, some Google Apps for  Business services including, Google+, Google Groups, and Google Voice are not covered by this Agreement.  Google also publishes an Implementation Guide which gets into more detail about what can be used and what settings best comply with privacy requirements.

Gmail

Some clients have asked about our ability to send and receive encrypted email communications. Gmail requires encrypted communications between our terminals and the Google servers.  This allows us to create or read an email over an encrypted connection.

However, when an email travels between any two different email systems, they must be unencrypted or else the receiving system will not be able to read the message.  HHS, which is responsible for enforcement of HIPAA, does not prohibit use of unencrypted emails.   (See, e.g., HHS FAQ).  Some clients, however, wish to have fully encrypted end to end communications with the firm.  To set up secured connections, we must have a shared encryption key with the other organization's domain. Gmail includes the ability to set up a shared key.  If a client demands this, I can work with their IT staff to get it set up.  Doing so would encrypt correspondence between our two firms.  However, anything sent to a third party would not be protected by this encryption.

Google Drive

Another important concern for many people is Google Drive (which includes Google Docs).  This can be a great online collaboration tool.  You can upload document to a drive, share it with others, who can then download them to their system.  With a limited document types you can even edit the documents online and work collaboratively.

There is relatively little written about privacy requirements here.  But certainly, when setting your share settings, you would not want to make the document public, which would expose them to anyone on the Internet.  There is an option to share documents to "anyone with a link".  This is essentially public, but hides the documents from search engines.  Someone could not simply run a search and come across your documents.  It would be pretty difficult to find those document without a clickable link leading directly to them.  But since you have not control over who might be forwarded those links, it is not a good idea to share any confidential data at this level.

Google indicates it is acceptable to share confidential files to specific authorized users.  When you set a share for a specific email address, the user will receive an email with a link to the shared document or folder. The email address of the other users need not be a Gmail address, but the user will have to register his or her email address with Google, if not already registered, in order to access the documents.

Typically, you would only give a user read only access unless you are working collaboratively. Otherwise, the user can edit or delete your files.  Even if a file is read only, the user can still download the file and make changes to a copy offline.  They simply cannot edit the online version of your document.

Secure Your Devices

Even if Google remain secure, if you end device, (your laptop, phone, or tablet) is not secured, you are creating a major security hole.  Make sure your devices are protected by a finger print or password if you receive or maintain any confidential information on that device.  Also, firm cell phones are secured with Mobile Device Management.  If your phone is lost or stolen, we have the ability to wipe the contents remotely.  Be sure to tell us if a device is missing.  We need to wipe the data before the carrier cuts off service to the device.  So call us before Verizon.

Avoiding Cyber Attacks

For many years, hackers attempted to access networks and data with viruses that could automatically move, replicate, and embed themselves on new computers.  Today, network security, firewalls, and anti-virus software have rendered most of these attacks ineffective.  But that does not stop hackers.  They have moved on to the next weakest link -- you.

Most current system attacks trick unwitting users into allowing hackers and malware into the system.  Once embedded there, the hacker can invite in other malware and begin to do real damage to a network.  Therefore we must all be vigilant against potential threats to our network.  There are several issues that everyone should consider:

Email providers have gotten pretty good about preventing dangerous attachments from getting through.  But they are not foolproof.  If you get an attachment that looks suspicious, have someone from IT take a look at it.  Often, you can view a document without opening it.  If the sender or the document itself says that viewing it properly requires granting a permission, or enabling macros, that is a big red flag to stay away.

Because many email providers block dangerous attachments, hackers may include a link asking you to connect to a web site.  That site may be infected.  If a link looks suspicious or is even unfamiliar to you, question whether you should click on that link.  If the link has a "php" in the address, that means it is designed to run a script.  Sometimes this is legitimate, but often not.  It requires closer scrutiny.

Just because you know the sender, that does not mean the message is safe.  Many times, hackers will access the email account of an innocent party, then send emails to everyone in the address book.  We recently had one hacker who remained connected to the account, responding to questions about the email and saying it was legitimate and that the recipient should go ahead and click on the link.  Poor grammar is often a tip off, but not always.  If you are not sure, pick up the phone and call the sender.

If a site asks you to enter any name or password where you do not usually do so, that is a red flag. A Google site, for example, should see you are already logged in and not ask again.  Hackers often create sites that look like a legitimate site, just to steal your name and password.  If you must create an account at a new site, be sure to use a name and password different from what you use for other sites.

If you go to a site and something strange happens, let IT know about it.  Years ago, a hack would be obvious right away as you were bombarded with advertising or had other immediate problems.  Sophisticated hackers today put malware that has little impact on you, but can turn your computer into a "zombie" used for distributing malware to others.  It is often a good idea to have someone run a couple of scans on your PC to make sure all is well.

If you think your home computer or other device (yes, phones and tablets are vulnerable), please don't connect to our network via VPN or use the firm's WiFi.  Your device can act as a Trojan horse, bringing malware inside our firewall to be released on the network.  If you ask, we can recommend several anti-malware programs to run and check out your home computer.

Never give your password to anyone, either via email or over the phone, unless their names are Mike, Mary, Lucy, or Bode.  No one from Google will ever ask for your Gmail password.  No one from Microsoft, Apple, your bank, your broker, or any other outside company should ever request that sort of information. If an outside vendor requests that sort of information, get their name and say you will call them right back, call the company's main number and ask to be transferred to that person.  Do not just call a number that the caller gives you. Do not rely on caller ID, which is easily faked.

In short, stay alert, if something looks suspicious get a second opinion before acting.

Security Reminder - be careful with emails.

I am regularly asked about whether it is safe to open an email.  Today's blog explores what is safe and what is not.

Hackers Think Employees are the Weak Link

A great deal of malware can sneak into a network this way.  Hackers used to try to force their way through firewalls.  But security has gotten so strong there that the new preferred method is luring a gullible employee on the inside to let them in.  Don't be that employee.

Gmail Provides Some Protection

Fortunately, there are a number of things in place to protect you.  With Gmail, you cannot be infected simply by opening and reading an email.  Gmail does not allow any scripts to run in emails.  You also cannot be infected simply by viewing an attachment.  The Gmail viewer prevents scripts and executable files from running in an attachment.  In fact, Gmail even prevents someone from sending you an exe file.

That said, you can receive a dangerous email attachment, download it, run it, and then infect your computer.  Hackers can send attachments with dangerous macros, or scripts, or hide an executable file inside an encrypted Zip file.  Do not download and run attachments unless you are sure of the sender and what is being sent.  Even a Word Document can contain macros that can harm your computer if you download it and try to load it in MS Word. If you have any doubt, run it by the help desk.

Links are Risky

Hackers are nothing if not inventive.  Because it is difficult to infect a users via email, many hackers might send you a link in an email to go to another site. This site could very well be infected by malware that can install itself on your computer.  DO NOT CLICK ON A LINK UNLESS YOU ARE SURE OF WHERE IT LEADS.

If you put your mouse over a link, it will show you the address where it leads.  This may be different from the address in the text of the link.  If it is different, that is a big red flag.  Also, if the address has "php" in the address, that is an indication that the site will attempt to run a script.  Again, that is a big red flag that usually means stay away.  Again, the help desk can check out a link if you are the least bit suspicious.

You may get an email that is what is known as a fishing attack.  This is where a hacker is fishing for information that will help him get into our network through other means.  For example, say you get an email from PNC bank that leads back to a link like this:  

http://www.pnc-support.com/login

You click on the link and see a login for your PNC account.  You enter your name and password.  You have just given the name and password of your bank account to a hacker.  Why?  www.pnc-support.com is not a valid domain.  Notice the hyphen between "PNC" and "support".  That means it is all part of the same word, not broken up by a dot.  Anyone could register such a domain and put a fake clone of the PNC web site there.  You enter a name and password, which is collected, then they say you entered it wrong and re-route you to the real web site.  You log in and are none the wiser. Hours later, or maybe minutes later, someone withdraws all the money from your account and transfers it to Russia.  Good luck getting it back. (The link in this example is one I just made up.  It does not really lead anywhere and will not harm your computer).

This is why email links can be very dangerous.  If you are not 100% certain of the sender, don't click on anything.  Even a sender you know could have its email hacked in order to send you dangerous link.  This does happen regularly. Even if you know the sender, if the wording of the message seems odd, or a link seems suspicious, don't fall for it.

ABA Article on Ransomware

The ABA Journal recently wrote an article about Ransomware, a trend where hackers introduce malware to encrypt all the files on your computer (or the entire network) then demand payment to unencrypt them again.  This is a serious threat.  Many companies have been hit by this.  If you care to read the full article, you may do so at this link.  (I promise this is a valid and safe link.  I'm not trying to trick you).  At the end of the article is a link to a quiz, which you might find interesting.  That link is also valid and safe.

Protecting Your Cell Phone Data

Protecting Your Data

As the US Supreme Court noted last year in Riley v. California, we are more and more carrying our whole lives on our cell phones. While that case dealt with the Fourth Amendment implications of searching phones, I want to discuss the client confidentiality implications.

Our smart phones allow access to a great deal of work related information.  This can include emails, text messages, your contacts, access to files saved on Google Drive, or other files you may have downloaded directly to your phone. It is easy to imagine a scenario where your phone could be lost or stolen, making all of that information available to whomever finds it.  

Pennsylvania law states that “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” (PA Rules of Professional Conduct Rule 1.6).  Since this languages comes from the ABA Model Rules, most other States have similar if not identical rules.

There are several reasonable precautions that can prevent exposure of confidential information when a phone is lost or stolen.

Remote Wipes

If your margolisedelstein.com is set up as an Exchange connection, the IT Department has the ability to wipe your Google account (including phone, contacts, and calendar) from your phone remotely.  We also have the ability to wipe the entire phone back to factory default settings.  The IT Department always sets up phones using an Exchange connection for this very reason.  If, however, you decide to set up your own connection using only the gmail app, or using POP3 or IMAP4 connections, we would not have the ability to wipe data remotely from your phone.  For this reason, it is important to let IT set up your phone, or follow the instructions supplied by IT.

There are also times, however, when you may not be sure if your phone is gone forever, and may not want to wipe it.  You may be hoping it’s just lost in the couch cushions at home or that some good Samaritan may return it.  In such a case, you may not want to wipe your phone.  You may not even realize it is missing for hours, in which time someone else could access your data.

Password/Fingerprint Protection

One very reasonable way to protect data on your phone is to password protect your phone.  Both the iPhone 6 and the Galaxy S5 allow you to save your fingerprint as a way to access your phone.  You must also save a PIN code (for iPhone) or password (for the Galaxy) in the event your fingerprint does not work, or you want to let someone else use the phone. I recommend setting up both the password and fingerprint. You only need to use one or the other to access your phone.

You should have this security set up on your phone.  On the Galaxy S5, you can do this in SETTINGS, FINGERPRINT.  You will be asked to enter your fingerprint and also to set up a password.  Similarly, on the iPhone, go into SETTINGS, then TOUCH ID & PASSCODE to enter your fingerprint and PIN code.

Be very sure you do not forget your password as there is no way this can be reset.  You may want to send IT the password so we can keep a list for your own protection.

Using the fingerprint option makes opening your phone little different from the swipe you make to open it without a password.  So it really adds virtually no increased difficulty.  You also don’t need to enter anything to answer an incoming call.

Returning a Lost Phone if Locked

One other concern raised is that if your phone is password protected, a good Samaritan finding the lost phone would be unable to return it.  

You can address this on the Galaxy S5 by adding your phone number or email address (use your office number, not your cell!) to the lock screen.  Anyone who finds the phone will see this information without having the unlock code.  To set this, go into SETTINGS, then LOCK SCREEN.  Enter your OWNER INFORMATION and check the box to show this on the lock screen.

Another option with the Galaxy S5 is to set certain phone numbers that can be called from the phone without unlocking the screen.  You can set this in SETTINGS, SAFETY ASSISTANCE.  Click on MANAGE EMERGENCY CONTACTS and add your home and/or office numbers.  A good Samaritan finding the phone can call these numbers without unlocking the phone.

Unfortunately, the iPhone does not make things quite so easy.   You could design your own lock screen with your ID on it, but this is a difficult process:

1. Launch Notes from the home screen.
2. Tap Return 3-4 times on the keyboard to make room for the clock on the Lock Screen, and enter your contact information, as well as any other contacts who might be able to help reach you in case you lose your phone.
3. Take a screenshot by holding down the power button and pressing the Home button. Your screenshot will be added to your photos.
4. Go back to your home screen and launch Photos.
5. Find your screenshot (the last image that was saved) and tap the Share button at the bottom of the screen.
6. Tap Use as Wallpaper, and then pinch the screen to scale the image correctly to fit your screen.
7. Tap Set and choose Set Lock Screen.

This new image with your contact information will appear whenever anyone finds your locked phone

If all of this seems too complicated, there is an App for the iPhone called “ICE” (In Case of Emergency) which allows you to add your contact information to the lock screen.  This is a $1.99 App, but is easier than the multi-step process outlined above.

Of course, there is always the low tech approach of taping your name, number, and email on a card to the back of the phone.

Update - the ICE standard app for the iPhone is free.  You can create a lock screen using that app without buying any in-app purchases.  Just fill out the information, you want shown.  I entered my phone number and email under "other information".  Click on "Wallpaper" then "set up lock screen" pick the items you want shown and then "generate image".  Once done, exit the app, go into SETTINGS, then WALLPAPER, select a new wallpaper and choose the image generated by ICE.