Category Archives: Passwords

Password Tip

Have you ever saved a password in your browser while logging into a website? If so, it is a good idea to turn off the browser feature that saves that information and choose a password manager instead!

Here are the steps to turn off the “save password” feature by browser:

Chrome

In Chrome, look for the hamburger menu (the icon looks like three horizontal lines stacked on top of each other) on the far right-hand side of the browser, click Settings, click Autofill, click Passwords, and toggle “Offer to save passwords” off.

Firefox

In Firefox, look for the hamburger menu (the icon looks like three horizontal lines stacked on top of each other) on the far right-hand side of the browser, click Preferences, click Privacy & Security, look for the Logins and Passwords section, and uncheck “Ask to save logins and passwords for websites.”

Microsoft Edge

In Microsoft Edge, click the three-dot menu button (look for an icon that looks like …) on the far right-hand side of the browser, click Settings, click the Passwords button, and toggle the “Offer to Save Passwords” option to off.

Follow @SCBar_PMAP on Twitter for additional tips and contact pmap@scbar.org for assistance.

Seven Simple Suggestions

I know what you are thinking: don’t I have enough on my plate right now without making New Year’s resolutions? I agree. That’s why I have chosen a few very simple suggestions that might actually make your life a little simpler. Some of these resolutions, I mean, suggestions, also help you stay out of ethics trouble (win-win!). They are in no particular order of importance – start with the easiest for you to do. 

Get a password manager. We already know that passwords need to be complicated in order to be strong and we shouldn’t use the same one more than once (or write them on sticky notes or store them in a Word file). The solution is a password manager. There are lots of good free and cheap password managers. Need to create a new password? Tell the password manager how long you want it and if you want to use letters, numbers, special characters, or all three. The password manager will create a password and save it for you. Later, when you visit that website and have to log in, the password manager can fill in the information for you. All you need to remember is your login and password for the password manager! Popular password managers include Dashlane, LastPass, 1Password, and Roboform. You can also see if your internet security software offers a password manager – many do.

Start using two-factor or multi-factor authentication (MFA). I know that sounds techie, but stay with me. The easiest way to explain 2FA or MFA is to tell you that you’ve probably already used it. Log in to most financial institutions and you have to enter your password and then perform a second step, such as entering a code you receive on your phone by text. Voila! That’s MFA! Start adding this extra security layer now with all your email accounts. If you have a Google account, set up “2-Step Verification.” Not sure how? Google it. For the rest of the year, when you log in to any of your online accounts or websites, look for instructions on how to set up MFA (and don’t forget that your new password manager can store those logins and passwords). Trust me on this one, it may be the best and easiest way to protect yourself from hackers and safeguard client confidentiality.

Check Google My Business. Yes, that’s actually what Google named their free marketing service. Do this: Google your law firm. Alongside the usual results list, you’ll see a block with photos, a map view, your firm address, phone, and other information. This is a free business listing and you need to “claim” it if you haven’t already. Click “Own this business?” or “Claim this business.” Do it, because if you don’t, someone else may and you may not like what they do next. But that’s not the only reason to claim it. You’ll be able to correct and add information and take other steps to help clients find you better. 

Try not to email clients anything confidential. Email fraud can occur when a lawyer emails details about a case to clients and other parties. If one of the people has had their email breached, the hacker may be watching email exchanges waiting for an opportune moment to intervene. This usually happens once they learn about money changing hands. They’ll spoof one of the parties’ email address and send their own settlement offer or bank routing instructions. If you need to discuss a case, use a client portal in a practice management program. If you’re using a cloud practice management program such as Clio, MyCase, Cosmolex, Rocket Matter (etc.) talk to the provider about how to set up secure portals for clients. Besides being more secure, clients appreciate being able to see how their case is progressing. 

Make sure that you have cyber insurance. According to a 2019 survey by the American Bar Association, one in four law firms have experienced a security breach. General liability and professional liability insurance policies may not cover all the costs of a cyber incident. Talk to your carrier and find out what your policies cover. Most lawyers discover that they need to add a cyber liability policy. Whether you are shopping for cyber insurance or reviewing your current policy, there are numerous articles on the internet outlining the claims that are frequently denied or not covered by cyber insurance, so read policies carefully.  

Hire a virtual receptionist. Clients hire law firms that have a live human answering the phone. For many small firms, a virtual receptionist/answering service can be a lifesaver. Banish the idea of the impersonal answering service your doctor uses after hours. Today’s virtual receptionists can help you all day by handling tasks a real receptionist would do. There are many companies to choose from, including Call Experts, Smith.AI, Ruby, and LexReception.  

Call the Bar for free help. The South Carolina Bar has lawyers on staff to answer questions about practice management (including technology), ethics, fee disputes, pro bono opportunities, and more. Bonus resolution: join a Bar section or committee for your practice area and take advantage of the free listserv!  

By Courtney Troutman
Director
Practice Management Assistance Program
South Carolina Bar

Four Tips for Better Password Security

Do passwords still matter? Isn’t it true that if an attacker really wants to, they can crack any password? Many lawyers have been asking this in recent years, frustrated by ever-changing advice on what constitutes a “safe” password. Yes, passwords do matter. Now is not the time to throw in the towel and become “low hanging fruit” for hackers.  

Lawyers should take reasonable steps to create and use secure passwords to protect client confidentiality and safekeep client property. (Rule 1.6 Confidentiality of Information, Rule 1.15 Safekeeping Property, SCRPC.) In 2012, ABA Model Rule of Professional Conduct Rule 1.1, Comment 8 was amended to advise that lawyers also maintain competence by keeping “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Since then, at least 37 states have followed suit with similar amendments.

It’s true that there are such things as “bad” passwords. There are numerous lists of most hacked or “worst” passwords on the internet, including one by the UK National Cyber Security Centre https://tinyurl.com/rrgycfk. “123456” consistently tops all lists as the most commonly used password, followed closely by “qwerty” and “password.”  

Many online accounts force certain requirements on users – a minimum number of characters, an uppercase, a lowercase, a symbol, a number. This requirement can offer limited protection if you use a password like “trustno1” or “v3r!Fy.” Password crackers know to look for common substitutions for letters. 

Hackers use data from frequent corporate and website data breaches to perform “credential stuffing” – where hackers take stolen username and password credentials and try to log in to other websites with those same credentials. Often, they are successful.

Keeping in mind that what constitutes a strong password changes without warning and can even vary depending on the situation, here are a few tips: 

  1. Use Passphrases as Passwords – We listed some examples of problematic passwords above. A better password solution involves entropy, which is a lack of order or predictability, using passphrases – not a recognizable quote, but a string of words or text you can remember. Gary likes the “Diceware” method, which uses dice to come up with passphrases. A person rolls a set of five dice, each of which produces a random number between 1 and 6, and then matches the dice roll results with a list of predetermined words. The method is described in this Medium.com post: https://tinyurl.com/w4n9y7a. Courtney prefers to make up her own unique passphrases.
  2. Never Reuse Passwords – In a February 2019 Google/Harris poll of three thousand adults, sixty-five percent of the respondents reuse a password for one or all of their online accounts. As noted earlier in this article, hackers use information from breached web sites to perform “credential stuffing” to access accounts on other online web sites. You should never reuse a password for any online site. In late 2019, Google announced “Password Checkup,” a new Chrome extension that warns you if the username and password you’re using were stolen in any data breaches and then prompts you to change them if they were.
  3. Ideally Use a Password Manager – The best solution as far as organizing your password security is to use a password manager. Password managers are software applications that allow users to generate, store, and retrieve secure passwords for various online sites. Most password managers allow the generation of passphrases as well. Many password managers have smartphone apps and browser plug-ins so that you can easily retrieve a password. You only need to remember your master password to access the password manager. PCMag.com does an annual roundup of password managers. Most have a very reasonable annual fee. There are free versions available, but most limit the number of passwords you can save, and the terms and conditions can vary. As a general rule, Courtney recommends that lawyers not use free software or apps, but buy the pay version. Gary likes 1Password https://1password.com, and Courtney uses LastPass https://www.lastpass.com.
  4. Use Two-Factor Authentication Whenever Possible – Two-factor authentication is the means of using two different types of information to log in to an online account, such as a password, a PIN sent by text message or authenticator app, or a fingerprint/biometric. Most people are already familiar with two-factor authentication with online banking or cloud-based storage web sites. Enable two-factor authentication whenever possible with your online and cloud-based providers. Visit Two Factor Auth https://twofactorauth.org for a list of websites that do and do not support two-factor authentication.
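
The dice-to-word lookup described in tip 1, as an added example (not code from this article or the linked post). Python's `secrets` module stands in for physical dice, and the word list is a constructed stand-in of 7,776 pseudo-words, since a real Diceware list is too long to embed here; the function names are illustrative.

```python
import math
import secrets
from itertools import product

DICE_PER_WORD = 5                  # five dice select one word
LIST_SIZE = 6 ** DICE_PER_WORD     # 7776 possible five-dice results


def build_standin_wordlist():
    """Constructed stand-in for a real list: one letter per die, 7776 unique
    pseudo-words. A real Diceware list maps the same keys to real words."""
    letters = ["bdfgkm", "aeiouy", "lnprst", "aeiouy", "bdgknt"]
    return {
        "".join(str(f + 1) for f in faces):
        "".join(letters[pos][f] for pos, f in enumerate(faces))
        for faces in product(range(6), repeat=DICE_PER_WORD)
    }


def parse_wordlist(text):
    """Read lines of the form '11111<whitespace>word'; other lines are skipped.
    Refuses a list that is incomplete or contains duplicate words."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, word = parts
        if len(key) == DICE_PER_WORD and not set(key) - set("123456"):
            words[key] = word
    if len(words) != LIST_SIZE or len(set(words.values())) != LIST_SIZE:
        raise ValueError("word list must hold 7776 distinct entries")
    return words


def roll_key(rng):
    """One roll of five dice, written as a lookup key such as '41625'."""
    return "".join(str(rng.randrange(6) + 1) for _ in range(DICE_PER_WORD))


def diceware_passphrase(wordlist, n_words=6, rng=None):
    """Pick n_words independently; defaults to the OS random source."""
    rng = rng or secrets.SystemRandom()
    return " ".join(wordlist[roll_key(rng)] for _ in range(n_words))


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of a passphrase whose words are chosen uniformly at random."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    wordlist = build_standin_wordlist()
    print(diceware_passphrase(wordlist))
    for n in (4, 5, 6):
        print(n, "words:", round(entropy_bits(n), 1), "bits")
```

Each word contributes about 12.9 bits only because it is chosen at random; a phrase picked by hand from the same list does not carry that entropy.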

Ronald Rotunda, in his February 2018 article for Justia “Lawyers, Passwords, and the Obligation to Keep Clients’ Secrets” https://tinyurl.com/vz9mess, summed up password security: “When we take these precautions, the modern-day equivalent of a deadbolt, we will know what to say when the client asks, ‘What are you doing to keep my information secret?’”

By: Gary Moore
Assistant Dean for Academic Technology
University of South Carolina School of Law
SC Bar Technology Committee

Courtney Troutman, Director
SC Bar Practice Management Assistance Program
Liaison to the SC Bar Technology Committee. 

Four Tip Friday

  1. I recently went to a CLE at USC Law School entitled How a Solo can be Han Solo – Using Technology for Courtroom Presentations. It was part of the law school’s Legal Tech series. Bill Booth, a lawyer in Columbia, was the speaker. He recommended checking out Miracast, a dongle that acts like a wireless HDMI cable. It is easy to set up and use. You can pick one up for about $40 on Amazon. Bill uses a Microsoft branded Miracast like this one: https://www.amazon.com/Microsoft-Wireless-Display-Adapter-P3Q-00001/dp/B01AZC3J3M/ref=sr_1_6?keywords=miracast+2.0+microsoft&qid=1574274547&sr=8-6 but there are other brands as well. If you are having trouble with your current setup, consider picking one up and giving it a try. By the way, if you want to see a courtroom presentation demonstration featuring Keynote and TrialPad with Apple TV, check out the Galactic Empire v. Han Solo trial on YouTube here: https://www.youtube.com/watch?v=giI2t4Gj_sg&t=30s. It was part of a CLE for the York County Bar Association and is worth a look.
  2. Gary Moore, Assistant Dean for Academic Technology at USC, writes to remind us not to reuse passwords. Gary writes: “In a February 2019 Google/Harris poll of three thousand adults, sixty five percent of the respondents reuse a password for one or all of their online accounts.   As noted earlier in this article, hackers use information from breached web sites to perform “credential stuffing” to access accounts on other online web sites.   You should never reuse a password for any online site.”
  3. Here is a good tip I received from a solo small firm conference here in Columbia a couple of years ago. If you are an Amazon shopper, and you are wondering if you should pounce on a Black Friday deal, check out camelcamelcamel.com It is a free Amazon price tracker that will give you a better idea as to what kind of deal you are actually getting.
  4. Looking for ways to use your iPad in your practice? Thomas McDow, a lawyer in Rock Hill, uses the Duet app. With it, he can use his iPad as a second monitor. Duet is currently $9.99 on the Apple App Store.

By: Mike Polk, Chair, Technology Committee
Belser & Belser, PA
Columbia, South Carolina

Simple Data Security Steps

It costs little or nothing to prevent data theft or other digital mischief. Studies have repeatedly identified that you and your co-workers are far and away the most likely source of any digital security breach.  Computers and systems can only go so far in protecting us from our own laziness, bad habits, and outright goofball moves. 

Just a few habit changes and simple precautions will result in reasonable assurance that your digital information is safe from intrusion by all but the most dedicated hackers:

  • Use “strong” passwords and a different password for each device, site, and account. If you do not know what a strong password is, use a password manager (see below) or other app to create them for you. And don’t use any of these passwords (https://www.passwordrandom.com/most-popular-passwords).
  • Use a “Password Manager” such as OnePass or LastPass which allows you to have to remember only a single (strong) password to unlock all the other passworded functions and can create “strong” passwords as needed.  Such programs save you from the big three password sins: (1) writing down passwords (and “hiding” them under your blotter, in your top drawer, or in a Word file); (2) using the same password for multiple purposes (one breach unlocks them all); and (3) not using “strong” passwords.
  • Don’t be “social engineered.”  Heart rates go up a tick when you see an email pop in with the subject line “Urgent,” “Payroll,” “Are you available?”  Better read “The 12 most common phishing email subject lines cyber criminals use to fool you.” https://www.zdnet.com/article/these-are-the-12-most-common-phishing-email-subject-lines-cyber-criminals-use-to-fool-you/.  BTW – this same 2019 study found that more than half of employees have replied to unsolicited emails or clicked links in them.
  • Don’t be a “phish.”  An amazing amount of information is just handed over to thieves by people believing that they are communicating with a client, a superior, or a government official.  For a good read on this see https://www.zdnet.com/article/what-is-phishing-how-to-protect-yourself-from-scam-emails-and-more/.
  • That includes government agencies, too.  As the federal government repeatedly broadcasts, the IRS does not call or email you out of the blue for any reason.  And whether IRS or not, don’t give your private information to anyone you do not positively know is on the other end of the line.  And don’t “correct” your personal information if someone says they have it but just want “to confirm” it – and gets it wrong.
  • Examine the email address. I can guarantee Bank of America or Citibank is not having someone from .az (Azerbaijan), .cz (Czech Republic), .ng (Nigeria) or .ru (Russia) working on account security issues.  Also look for closely misspelled email addresses (e.g., cittibank.com or citibanc.com instead of citibank.com). However, there are ways to fake email addresses as well as ways to fake website addresses. “Hovering” over a link in an email is no guarantee that it will reveal the “real” destination. If the email address looks authentic but the email is suspicious, call the purported sender to verify it.
  • Think before you toss or donate anything with a plug or USB port. Almost all devices you use contain some type of information about you, your business, or your clients, including your cellphone. But how about the office copier you just gave to the local homeless shelter or the thumb drive you threw in the trash? In this TechCrunch story, a security researcher collected 366,300 files and images from 85 “discarded” devices he found. For information on safely disposing of old tech, see Old Technology & Equipment.
  • Finally, please don’t give “Nigerian Princes” or other “royalty” or corporate executives your credit card number no matter what their love or sob story. That includes “friends” who email you with “travel emergencies” which require immediate funds transfers to “save” them from further troubles. You may laugh but the “Nigerian Prince Scam” is still raking in the cash – a couple of years ago a raid in Nigeria netted $43.4 million in cash from a suspected “Prince.”
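
The misspelled-address check from the “Examine the email address” tip above, as an added example (not part of the original article). The list of known domains, the distance threshold, and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: a list the firm keeps of domains it really corresponds with.
KNOWN_DOMAINS = {"citibank.com", "bankofamerica.com"}


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Lower-cased domain of the address in a From header, or '' if none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify(from_header, known=KNOWN_DOMAINS, max_distance=2):
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if any(domain == k or domain.endswith("." + k) for k in known):
        # The From line can be forged, so a match is not proof of the sender.
        return "known-domain"
    for k in known:
        # A known name buried inside another domain, or one or two typos away.
        if k in domain or edit_distance(domain, k) <= max_distance:
            return "lookalike"
    return "unknown"


# Constructed sample headers, not taken from real mail.
SAMPLE_HEADERS = [
    '"Citibank Security" <alerts@cittibank.com>',
    "Account Team <service@citibanc.com>",
    "Citibank <statements@citibank.com>",
    "Citibank <verify@citibank.com.account-check.example>",
    "Newsletter <news@example.org>",
]


def triage(headers):
    """Pair every header with its verdict so a reviewer can sort by risk."""
    return [(h, classify(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict:13} {header}")
```

A “lookalike” verdict is a reason to call the purported sender before acting; a “known-domain” verdict only says the address is spelled correctly.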

Hopefully, you can see that reasonable digital security can be achieved by a few commonsense good practices. 

By: D.J. Rosinski, Esquire | South Carolina Bar Technology Committee

Let’s Be Careful Out There

One of my favorite television shows growing up was Hill Street Blues. Sergeant Esterhaus (played by Michael Conrad) would conduct roll call, and he would always close with the same words of advice. “Let’s be careful out there.” In keeping with that theme, the now revived South Carolina Bar Technology Committee focused its entry at the bar convention on People, Processes, and Technology: Practical Information Security for Attorneys. Here are some highlights from Mary Lucas, Jacqueline Pavlicek, and Jack Pringle, members of the committee and presenters. 

  1. You need to be constantly vigilant. Unfortunately, information security is not a one-time fix. Just like the rest of our practice (and life), everything changes — the threats, the responses, the software, and the other tools required to keep information safe.
  2. You don’t need to be a superhero to master the basics. Criminals look for easy targets. Regardless of where you are on the computer savvy scale, there are simple steps you can take to dissuade someone looking for an easy score, such as:
     • Using strong, unique passwords for your online accounts (bonus points for using a password manager).
     • Patching and updating all of your software, applications, and operating systems. (You would be surprised at how much protection this affords.)
     • Using dual factor authentication.
     • Avoiding public computers or WiFi. If you are going to work at Starbucks, a hotel, or an airport, for example, use a virtual private network (VPN).
     • Avoiding clicking on links in emails supposedly from your financial institution or other online account. (Your password manager might help you here because it shouldn’t log you in to a strange website.)
     • Backing up your data. In this day and age, there is no reason not to have at least two backups.
     • Testing your backups. In the words of Stan Lee, “’nuff said.”
     • Password protecting your cell phone and other mobile devices.
     • Being skeptical. Part of being a lawyer is to plan for the worst and, to paraphrase Ronald Reagan, trust but verify. Applying that same skepticism to your digital interactions will make you a hard target.
  3. You don’t need to run your organization like Fort Knox. Once again, merely doing the basics may keep your organization out of harm’s way by:
     • Controlling access to your offices, computers, and computer networks.
     • Protecting and securing your computer networks (including wireless networks).
     • Installing updates and patches to all software.
     • Backing up the data of the whole organization.
     • Training all members of the organization. Anything helps. If you see something on the morning news about a new virus, pass it on. If you read an article from a bar journal of your choice about the importance of security, pass it on. Repetition is the key. A byproduct of this awareness may be more open communication, so if someone gets an email claiming to have nude pictures of the recipient and, to prove it, provides an old password, that person might be more apt to ask someone ahead of time before clicking on a link. (Note: If you haven’t heard, this is a real scam making the rounds.)
  4. If you send or receive wires, 2019 is the year to tighten up your procedures. Here are some tips the speakers shared:
     • Consider having two authorized people to send a wire — one to initiate and one to approve.
     • Validate all payment instructions even if they appear to be internal, particularly if the instructions are marked urgent or confidential. It is worth picking up the phone or walking down to visit (imagine that—talking to someone face to face!)
     • The best practice is to make and confirm payment methods or instructions by phone. Do not use the contact information in the suspicious email!!!
     • Guard and monitor your bank accounts.
     • Consider using encrypted email communications or a client portal. (Don’t be surprised if in five or ten years encryption is the rule, not the exception.)
  5. Consider calling in some professional help, or asking questions of the help you have. Everyone knows that person who you can rely on to fix your document formatting, to get the printer working, to install new software, to generally squash your tech bugs. However smart your niece or nephew is, or your friend’s cousin’s son-in-law, or whoever, make sure that they know the security end of things. Most people I know have a “break fix” mentality, that is, if it ain’t broke, don’t worry about fixing it. As discussed above and at the bar convention, that will not keep you safe. So, whoever you get to help you, check out the SC Bar website for some tips on the right questions to ask them.

So, on behalf of the SC Bar Technology Committee, let’s be careful out there. 

By: Mike Polk, Chair
SC Bar Technology Committee
Belser & Belser, PA
Columbia, SC