Lessons from Heartbleed

If you’re still in the dark about the “Heartbleed” bug, flip through Vox’s card deck or visit the Heartbleed website.

Last Friday, we highlighted some ways to check the security of your law firm technology. That same day, CloudFlare issued a challenge to the hacker community to steal the private key behind its SSL certificate, in order to answer the question: Can you get private SSL keys using Heartbleed?

Yes, you can.

Over the past couple of days, it has been reported that Heartbleed was used to steal 900 Canadian Social Insurance Numbers, the Canadian equivalent of the US Social Security Number, from the Canada Revenue Agency. Ars Technica has reported an arrest related to the breach. Meanwhile, CNet continues to update its list of affected websites and whether or not they have patched the hole. All of this is enough to make normal people nervous, and make lawyers panic. Dropbox was affected, but what about legal-specific applications?

Take a deep breath. Bob Ambrogi published a blog post listing sites that used OpenSSL and have patched the hole, including MyCase and Clio. Legal-specific applications not affected include: LexisNexis Firm Manager, RocketMatter, FastCase, CaseMaker, Thomson Reuters Firm Central, Westlaw and Diligence Engine.

Clio posted a Customer Notice to its blog that offers a good defense: two-factor authentication. It does not undo anything a vulnerable server may already have leaked, but it means a password scraped from server memory is not, on its own, enough to log in to your account.

The name is self-explanatory, but here’s the Wikipedia definition:

a process involving two stages to verify the identity of an entity trying to access services in a computer or in a network.

Two stages to verify identity. Two. Like a password plus a one-time code, where the code is generated on or delivered to a second device, such as your smartphone. If an attacker has one but not the other, they can’t log in.
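To make the “password plus a code from your phone” idea concrete, here is an added example (not code from the original post, Clio, or MyCase) of how the second stage is usually implemented: the time-based one-time password of RFC 6238 (TOTP), the scheme behind most authenticator apps. The phone and the service share a secret at enrollment; every 30 seconds each side derives the same six-digit code from that secret and the current time, so a password alone is useless to an attacker. The `Account` class, its PBKDF2 password hashing, and the sample credentials are hypothetical scaffolding added for illustration; the HOTP/TOTP functions follow the RFCs and reproduce their published test vectors.

```python
"""Password plus a second factor: RFC 6238 TOTP using only the standard library."""
import base64
import hashlib
import hmac
import secrets
import struct

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the password hash


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time window."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, step: int = 30, digits: int = 6,
                window: int = 1, last_counter: int = -1):
    """Return the accepted time-window counter, or None.

    Accepts +/- `window` steps of clock drift between phone and server, compares in
    constant time, and refuses any counter at or before the last one accepted so a
    code captured in transit cannot be replayed.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    base = at // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    """Hypothetical server-side record: salted password hash plus the TOTP secret."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_key = secrets.token_bytes(20)  # shared with the phone app at enrollment
        self.last_counter = -1                   # highest TOTP window already used

    def provisioning_secret(self) -> str:
        """The base32 form of the secret that an enrollment QR code carries."""
        return base64.b32encode(self.totp_key).decode()

    def login(self, password: str, code: str, at: int) -> bool:
        # Evaluate both factors unconditionally so a failure does not reveal which one was wrong.
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        counter = verify_totp(self.totp_key, code, at, last_counter=self.last_counter)
        if not (pw_ok and counter is not None):
            return False
        self.last_counter = counter  # burn the window so the same code cannot be reused
        return True


if __name__ == "__main__":
    # Constructed demo: the "phone" computes the code from the same secret the server holds.
    acct = Account("correct horse battery staple")
    now = 1_700_000_000
    phone_code = totp(acct.totp_key, now)
    print("password only :", acct.login("correct horse battery staple", "000000", now))
    print("both factors  :", acct.login("correct horse battery staple", phone_code, now))
    print("replayed code :", acct.login("correct horse battery staple", phone_code, now + 10))
```

Two details matter in practice: the drift window should stay small (one step either side is typical) because every extra window multiplies an attacker’s guessing odds, and the server must remember the last accepted window so that a code observed once cannot be submitted a second time.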

Check to see if any of the applications you use in your law practice have a two-factor authentication option. MyCase does, and so does Clio. If you aren’t using two-factor authentication, enable it today.

Google Apps user? Even just a regular Gmail user? Enable two-factor authentication on your accounts.

Once you do that, scroll to the “What Should I Do About It” section of Aaron Street’s Lawyerist post, and do the following:

  • Change passwords for all patched sites (wait until a site has patched; a new password set on a still-vulnerable site can be leaked just like the old one)
  • Encrypt your hard drive
  • Backup your hard drive
  • Start using a password manager like 1Password or LastPass

It’s impossible to control everything on the Internet, but there are ways to mitigate the damage and fulfill the ethical duties of being a lawyer in a tech-driven world.

Featured image: Heartbleed bug. Cracked Password and internet security issue, from Shutterstock
