
Tips and Secrets for Legal Cybersecurity: A Cheat Sheet for Attorneys

Michael Andrew Iseri

Summary

  • All lawyers should want to keep abreast of the changes in the practice of law, including the benefits and risks associated with relevant technology.
  • The following article serves as a "cheat sheet" for newly minted and seasoned attorneys on best cybersecurity practices for the legal field.

On March 22, 2021, the California Supreme Court updated California’s Rules of Professional Conduct. Rule 1.1, Competence, comment 1, now requires California attorneys to know the risks of the technology used in their legal practice, such as cyber threats and cybersecurity issues. This makes California the thirty-ninth state to incorporate a duty of competence with technology. Bob Ambrogi, “California Becomes 39th State To Adopt Duty Of Technology Competence,” LawSites, Mar. 24, 2021; see also Tech Competence (map and linked list of state rules), LawSites. The following article is not an article per se; rather, it’s a cheat sheet for newly minted and seasoned attorneys on best cybersecurity practices for the legal field.

Password Cracking in the Year 2022

Using lower- and upper-case letters, numbers, and special characters greatly increases the complexity of a password. Be advised, however, that smarter password-cracking programs go through commonly used passwords first, apply dictionary-word rules, exploit any known weaknesses in the encryption or hashing algorithm, use birthday-attack probability theory, and much more. The birthday attack relies on the probability that two completely different passwords produce the same hash (the value the service checks before granting access), so that either password would be accepted. It is named after the phenomenon that, in a room of 30 people, the probability that at least two people share a birth month and day is about 70 percent. At first glance this does not seem likely to happen, but it becomes likely once you work through the probability.

The following are estimated times for cracking passwords through brute force methods (a password-cracking program that tries every possible combination of characters) in the year 2022.

List of Passwords and the Time It Takes to Crack Them

  • “9234567890” = 3 seconds
  • “abcDEF” = 6 seconds
  • “abcDEF!” = ~3 hours
  • “abcDEF!1” = ~25 days
  • “abcDEF!10” = ~6.5 years
  • “abcDEF!10*” = ~610 years
  • “abcDEF!10*A” = ~57,337 years
  • “MovingVacantHumble244” = ~494,607,663,621,551,360,000 years (This is the password used for Essay 1 of the California Bar Exam administered on July 27, 2021. A smart password-cracking program could probably do this in ~100 to ~1,000 years, from my guesstimate if I were to design that system.)
  • “asdfjkl;” = Either 1 second if it is a smart program or 12+ hours (Note that “asdfjkl;” are the keys that your hands rest on, on the keyboard, by default.)

“How Long to Hack my Password,” Random-ize. (These times are estimates at best and do not incorporate hardware, software, and network optimizations.)

Note that if you are using dictionary words or common phrases for your passwords, then a smart password-cracking program would check for those, such as “password1,” “letmein,” “avocad0,” or “il0vey0u.”
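The two points above, that brute-force time grows with the character set and length but that a smart cracker checks wordlists first, can be seen in the following password assessment, an added example that is not part of the original article or of the Random-ize estimator it cites. The guess rate, the small wordlists, and the substitution table are constructed assumptions, so the absolute times differ from the list above.

```python
import string

# Assumed guess rate for the brute-force estimate. The page's figures come from
# Random-ize and use a different (unstated) rate, so absolute numbers will differ.
GUESSES_PER_SECOND = 1_000_000_000  # constructed assumption: 1e9 guesses/s

# Constructed sample wordlists; a real cracker ships with millions of entries.
COMMON = {"password", "password1", "letmein", "avocado", "iloveyou", "qwerty"}
KEYBOARD_WALKS = {"asdfjkl;", "qwertyuiop", "1234567890"}
# Undo common digit/symbol-for-letter substitutions ("leet") before lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "@": "a", "$": "s"})


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-forcer must cover for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_seconds(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: every string of length 1..len(pw) over the alphabet is tried."""
    n = charset_size(pw)
    total_guesses = sum(n ** k for k in range(1, len(pw) + 1))
    return total_guesses / rate


def smart_cracker_catches(pw: str) -> bool:
    """Cheap checks a dictionary/rule-based cracker runs long before brute force."""
    low = pw.lower()
    candidates = {low, low.translate(LEET), low.rstrip(string.digits + string.punctuation)}
    return low in KEYBOARD_WALKS or any(c in COMMON for c in candidates)


def assess(pw: str) -> tuple:
    """Return ('weak'|'strong', estimated seconds); wordlist hits count as instant."""
    if smart_cracker_catches(pw):
        return ("weak", 0.0)
    seconds = brute_force_seconds(pw)
    ten_years = 10 * 365 * 24 * 3600
    return ("strong" if seconds > ten_years else "weak", seconds)
```

Passwords such as “avocad0” and “asdfjkl;” are rated weak regardless of their brute-force estimate because the wordlist and keyboard-walk checks catch them first.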

Password Management

The two best ways to maintain strong passwords are the following:

  1. Use a password management system (LastPass, 1Password, etc.).
    1. A huge benefit is that they often let an administrator manage passwords system-wide across a group of workers.
    2. They usually cost money to use for some fancy features.
  2. Use coding-based passwords with entropy characters for complexity. You can write out code-based passwords in which you swap in keywords or phrases whose association only you know, along with random entropy characters. This allows you to write out your password as long as you keep your decryption method secret. The human mind is often amazing at decrypting known key phrases. . . . Usually. . . .
    1. Example:
      1. Written-out code: Apple + Life + City + FavD
      2. Decryption:
        1. Apple → Pie;
        2. Life → 42;
        3. City → LALALAND;
        4. FavD → Wall-E
      3. Actual password: Pie42LALALANDWall-E
    2. A more complicated example would include random filler characters to enlarge passwords and increase password complexity.
      1. Written-out code: ! + Apple + Life + abcde + City + @ + 0982 + FavD + *
      2. Actual password: !Pie42abcdeLALALAND@0982Wall-E*

Important

Never save your passwords through your web browser (Chrome, Edge, Firefox, etc.)! Passwords that are “remembered” or “saved” through the web browser are stored in plain text, and they are easily accessible through the web browser. All you have to do is search online for “show *web browser* saved passwords” and you can easily find instructions for looking up the saved passwords in a web browser.

Mark Your Calendars: Obsolete Operating Systems

Operating systems do have expiration dates, known as sunsetting or end of life. When operating systems reach their end of life, they often no longer receive any security patches or new features. Below are some sunsetting dates of popular operating systems:

Microsoft Windows

  • Sunsetting of Windows XP
    • April 2014 (12 years of support)
  • Sunsetting of Windows Vista
    • April 2017 (10 years of support)
  • Sunsetting of Windows 7
    • January 2020 (11 years of support)
  • Sunsetting of Windows 8
    • January 2023 (11 years of support)
  • Sunsetting of Windows 9
    • Never (forever) (This is a joke: Microsoft skipped Windows 9 just as Apple skipped iPhone 9. That likely came down to marketing.)
  • Sunsetting of Windows 10
    • October 2025 (10+ years of support)

Apple

  • ~3 years of support for most recent OS
    • No official statement
    • Just a side note: the root certificate “IdenTrust DST Root CA X3” expired on September 30, 2021, which caused older computers and phones to receive certificate warnings when visiting certain websites that use Let’s Encrypt certificates. The affected devices were Apple computers running macOS 10.11 (“OS X El Capitan”) or earlier, computers running Windows XP Service Pack 3 or earlier (which sunset in April 2014), iPhones with iOS 9 or earlier, Nintendo 3DS game systems, and PS3 game consoles. Let’s Encrypt, Certificate Compatibility. I received lots of calls from people. . . .

“Internet Is Down” Stories (Or, I’m Not Crazy)

October 4, 2021

Facebook, Instagram, and WhatsApp went down to the public from roughly 11:40 a.m. to 6:00 p.m. eastern time. Alex Heath, “Locked out and totally down: Facebook’s scramble to fix a massive outage,” Verge, Oct. 24, 2021. Reports also stated that this affected internal systems that disrupted employees’ abilities to communicate and work. This outage required Facebook engineers to visit the main U.S. data centers in California to manually restore services. Id. This was not as bad as when Facebook, Instagram, and WhatsApp went down for almost 24 hours on March 13, 2019. Thomas Ricker, “Facebook returns after its worst outage ever,” Verge, Mar. 14, 2019.

December 7, 2021

Amazon Web Services (AWS) cloud servers went down from 10:45 a.m. to 6:00 p.m. eastern time. Richard Lawler, “An Amazon server outage caused problems for Alexa, Ring, Disney Plus, and Deliveries,” Verge, Dec. 7, 2021. AWS provides virtual web servers hosted by Amazon that many internet companies rely on to operate online, for video streaming and other online processes. The affected services included Netflix, Disney Plus, Alexa AI Assistant, Kindle eBooks, Amazon Music, Ring and Wyze, Tinder, Roku, Venmo, Amazon Flex, Amazon warehouse machines, and work apps for Amazon delivery workers. Id.; Richard Lawler, “Amazon outage isn’t just online: delivery vans and warehouse bots aren’t moving packages,” Verge, Dec. 7, 2021. The horror. . . . The horror.

January 5, 2022

Kosovo banned cryptocurrency mining to try to prevent more rolling blackouts. “Kosovo bans cryptocurrency mining after blackouts,” BBC News, Jan. 5, 2022. This happened after a declared 60-day state of emergency in December 2021. Id.

February 2, 2022

North Korea suffered numerous internet outages for almost two weeks. . . . That was caused by one American person known as P4x, who hacked the country’s internet. Andy Greenberg, “North Korea Hacked Him. So He Took Down Its Internet,” Wired, Feb. 2, 2022. North Korean spies reportedly hacked P4x while they were primarily targeting western security researchers to steal hacking tools and software vulnerabilities. Id. P4x used distributed denial-of-service (DDoS) attacks and other vulnerabilities to attack North Korea’s internet infrastructure and its own national homebrew operating system, Red Star OS. Id.
