Dropbox Tips


Despite all the concerns and discussion out there over cloud usage by legal professionals, Dropbox still remains one of the most popular applications among lawyers. I am not going to discourse on whether or not that should be the case – the internet is rife with the opinions of very capable commenters on the subject – just remember that there are Bar rules out there about lawyers employing reasonable measures to ensure security when using the cloud. My personal use, however, takes into account the potential risks as well as rewards of using this free and cheap multi-user, cross-device sync app that a majority of cloud users have embraced. That means I enable security features whenever possible and store documents I have no fear of others potentially having access to.  While that may limit others’ use of the service, I still find plenty of utility in Dropbox when I need to collaborate or share with someone else – and I have chosen not to use my other favorite sharing / storage service, Google Drive.

First, as with any other online service, make sure you have a very secure password – please, no 1234567! Did you know that is one of the most popular passwords out there? No duh! Make it hard to crack with letters, numbers, symbols and mixed caps. Also, disable automatic user log in on your computer and log out on your devices when not using the service. And, now that they offer it, enable two-factor verification – I have it on all services that allow for it, like Facebook, Twitter, Google, etc. Dropbox has it too – all this means is that when you (or anyone) attempts to log into your account on Dropbox, you will get a text message on your phone with a verification code that you will also need to enter to get into your folders. Dropbox also encrypts files on its side of the fence and you can too – check out Boxcryptor, which I wrote about here in the Studio, for an extra level of encryption on YOUR side of the fence. Some content creation applications, like Microsoft Office and Adobe Acrobat, let you password protect at the document level. You also can set Dropbox to selectively sync only certain files, thus limiting unwanted access where syncing isn’t really necessary. No guarantees that these steps will prevent any and all security breaches, but they certainly improve your odds of keeping your data intact.

Besides syncing, sharing and backup, there are some pretty cool uses for Dropbox. Automatically upload your photos from your devices to Dropbox by enabling the auto upload feature in the app. Set up remote printing by creating a print queue folder, and setting up a script that will look to the folder and print locally at home anything you add to it while on the road (thanks Amit Agarwal at Digital Inspiration Blog). If you use 1Password for your secure password storage, you can use Dropbox as a password backup application. Back up your WordPress blog to Dropbox using plug ins such as WordPress Backup to Dropbox, WP Time Machine and BackupBox. Use Wappwolf to automatically share, convert files, sync, zip, unzip, encrypt, decrypt and employ actions in other applications such as Evernote, Facebook, Flickr using Dropbox. There is little doubt that Dropbox’s popularity is one of its benefits – there are plenty of very smart users out there who create applications to extend the reach and utility of Dropbox because they use it too.

One last little gift to you: MakeUseOf has a cool chart showing off some of Dropbox’s tips, tricks, keyboard shortcuts, and tools and plug ins. Check it out – this really only scratches the surface of what you can do with the service. And remember, always sync responsibly!


Social Scavengers – Your Data, Social Media-Style (Infographic)

By DonkeyHotey

With PRISM, SocMint and other hair-raising on-line privacy news, it isn’t a bad idea to stop and take stock of what your favorite social networks are taking away from their relationship with you. Bear in mind that when you share online on a free service, you have to reasonably expect that the service may be getting something in return. As I always like to remind: read the fine print of the privacy policy, make informed choices about what you share and what you do online and never post anything that you wouldn’t want available to some random stranger. With that idea firmly entrenched, check out this infographic by Baynote, via LeadersWest.


The Shodan Search Engine IS a Bit Scary


But it may be indicative of the lurking loss of privacy and security we seem to freely exchange for the convenience of connectivity.

There are search engines out there specializing in all sorts of online information. I have highlighted some here, for example search tools that delve into the deep web. Shodan is different. Shodan searches for devices connected to the Web. Like servers. Printers. Routers. Webcams. Security cameras. Control systems for water parks. Really? Yup, really. And it can see what is secured out there and what is unsecured. From a CNN Money article that ran the rounds yesterday:

A quick search for “default password” reveals countless printers, servers and system control devices that use “admin” as their user name and “1234” as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.

Search parameters include location by city or county, latitude or longitude. Or search by hostname, operating system or IP address. It also allows you to export your search results by XML, so you can take it with you, with the IP and physical location associated with the result. And, if you don’t want to do the heavy lifting, let some other hackers users do the work for you with shared searches.


Even scarier, use Shodan Exploits to search for known vulnerabilities and exploits lurking out there.

I can hear you now – “Oh.Em.Gee. How long has this been out there?” Three years. When you search one of their shared searches for, say, video web servers, you will see results from 2010 forward. Shodan is celebrating its three year anniversary with a decent flurry of press activity. Great. Now more hackers users will know about this means of tapping stuff.

I totally understand that being fore-warned is to be fore-armed, and that the principal purpose of this is to enhance security rather than shake up that fragile concept, but my pessimistic self can’t help but consider all the nefarious uses such a tool could promote. It is all great if device owners take heed and actually start securing these devices. FWIW, SHODAN (Sentient Hyper-Optimized Data Access Network) apparently is a name used for a fictional AI antagonist in the cyberpunk action role-playing video games System Shock and System Shock 2. Take from that what you may/will.

Shodan invites you to register using your social logins, but I had no problem running some searches without registering. Check it out. And be chilled.

Mindreading Magic? Or Something More Sinister

Great video that drives home the point that you can never be too concerned about your Internet security.

 

Apple UDID Breach & You

So maybe you have heard about the Great Unique Device ID breach of 2012 – a hacker group has claimed that it has pulled 12 million device IDs and personal information associated with Apple iDevice users. Scary stuff. The info was grabbed from the laptop of an FBI agent using that Java exploit that was in the news earlier this year. Double Yow.

Alone, the UDID – that 40 character string associated with your device – presents little risk. When coupled with other data, there are heightened risks of identity theft and social engineering.

You can check your status, to an extent, by entering your UDID into a tool provided by LastPass that will compare it to the leaked list. To get the ID, plug your device into your computer, open iTunes, and click on the device in the left bar.  Click on the serial number and the UDID will appear. Then navigate to the LastPass tool here. This will check your ID against the 1 million that were leaked by the hackers. Unfortunately, it doesn’t check the remaining 11 million not yet disclosed.
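The same comparison can be run locally against a downloaded copy of the published list, so the UDID never has to be typed into a third-party page. This is an added example, not code from the original post or from LastPass; the record layout (comma-separated, UDID in the first field), the treatment of the UDID as 40 hex digits, and all sample values are constructed assumptions.

```python
import re

# The post describes the UDID as a 40-character string; this example
# assumes those characters are hexadecimal digits.
UDID_RE = re.compile(r"[0-9a-f]{40}")


def normalize_udid(raw):
    """Lower-case a UDID and drop spaces or dashes picked up when copying it.

    Raises ValueError if the result is not exactly 40 hex characters.
    """
    cleaned = re.sub(r"[\s-]", "", raw).lower()
    if not UDID_RE.fullmatch(cleaned):
        raise ValueError("not a 40-character hex UDID: %r" % raw)
    return cleaned


def find_leaked(my_udids, leak_lines):
    """Scan the leak records once and return {udid: line_number} for matches.

    Assumed (hypothetical) layout: one record per line, comma-separated,
    UDID in the first field. Header or damaged rows are skipped so one bad
    line does not abort the whole scan.
    """
    wanted = {normalize_udid(u) for u in my_udids}
    hits = {}
    for lineno, line in enumerate(leak_lines, start=1):
        field = line.split(",", 1)[0].strip().strip("'\"")
        try:
            candidate = normalize_udid(field)
        except ValueError:
            continue  # not a UDID record
        if candidate in wanted and candidate not in hits:
            hits[candidate] = lineno
    return hits


# Constructed sample standing in for a local copy of the list.
SAMPLE_LEAK = """udid,device_name,device_type
0123456789abcdef0123456789abcdef01234567,Constructed iPad,iPad
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF,Constructed iPhone,iPhone
truncated-row
"""

if __name__ == "__main__":
    # Constructed device IDs; the first is pasted with spaces and mixed case.
    mine = [
        "01234567 89ABCDEF 01234567 89abcdef 01234567",
        "a" * 40,
    ]
    found = find_leaked(mine, SAMPLE_LEAK.splitlines())
    for udid in (normalize_udid(u) for u in mine):
        if udid in found:
            print("%s: listed (line %d)" % (udid, found[udid]))
        else:
            print("%s: not in this file" % udid)
```

As the post notes, a clean result only covers the records in the file that was checked.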

There isn’t a fix for a leaked ID short of a brand new phone. All you can do is monitor your credit for unusual activity. And hope for the best.

Are You Safe & Secure On The Web?

Following my class at Solo Practice University on the changes to Google’s privacy policies and terms of service, I have found myself in a lot of conversations about web privacy generally. It pays to spend some time thinking about actions and consequences on the Web. So I thought I would discuss some tips here about staying as safe as possible in the virtual wilds of the World Wide Web.

 

First, consider your browser. The big three: Chrome, Firefox and Internet Explorer. Oh, and Safari too. 😉

 

Chrome comes with security settings enabled by default. These protections include malware and phishing notifications – it will warn if it detects malicious content on sites you may be visiting. Chrome can be adjusted to permit or refuse cookies, JavaScript, pop-ups, plug-ins, images, and location sharing. You also can manage SSL settings and certificates. When you enable SSL, Chrome will encrypt all sensitive data communications. Settings can be found by clicking the wrench in the upper right corner of the tool bar. Click on options, then “Under the hood” and find the setting you wish to tweak.

 

IE has a “SmartScreen filter” and several security settings enabled by default. It can identify impostor web sites designed to capture sensitive data. When loading files, it will flash high warnings for risky files, but allow loading of reputable or well known files. It will also alert you of potential harm before permitting software to enter your computer. Simply click on the “Safety” button in Internet Explorer, then “SmartScreen filter” and select it.

 

Firefox has its Favicon in the URL bar – hover and it will give an overview of whether a site is safe or not. Click it and you will get more information such as whether passwords are saved and number of visits. Firefox also warns against Trojans and other malware. Firefox maintains a list of phony phishing sites that are updated daily. It integrates with your antivirus software. To get into your Firefox settings, click on “Tools”, then “Options,” then “Security”.

 

Macs are often considered to be “safe” from such unwanted intrusions. But there have been instances of Mac-borne viruses, so it is worth getting familiar with your Safari security settings. Unclick the “open safe files after downloading” box in the General settings. Go into “Preferences” then “Security” and check the “Warn when visiting a fraudulent website” checkbox. Safari will then advise when you are about to visit a website that has been reported as fraudulent or distributes malware.

 

On any browser, look for the “lock” icon and “https” in the URL bar. This connotes that the site is secure and is using encryption to protect your information.

 

Another concept that comes up frequently in web browsing is anonymous browsing through the use of proxy servers. Anonymous web browsing is browsing the Web without revealing your IP address or any other personally identifiable information to the websites that you are visiting. A proxy server is a server that serves as the “middleman” between your local request for action and the response from a server somewhere else. The request can be for a file, a connection, a web page or some other Web resource residing on another server. Many people use anonymous proxy servers to mask their identity while browsing. While there are certainly nefarious reasons for doing so, it is a technique that can also be used to protect your privacy and disconnect you from search history. VPN (“virtual private network”) servers also allow anonymous browsing, and are often used within the enterprise to protect against infiltration by unwanted intruders or protect against the dissemination of sensitive information.

 

Worried about tracking cookies? There are ways to deal with those right within your browser. In IE, go to Control Panel, Internet Options, Privacy, and either choose the slider preset that blocks third-party cookies, or go into Advanced, Override automatic cookie handling, and then check Block under ‘Third-party cookies’. In Safari, go to Edit, Preferences, Privacy, and set ‘Block cookies’ to “From third parties and advertisers.” In Firefox, click on Options, Privacy, select “Use Custom Settings for History” from the drop-down menu and uncheck “Accept third-party cookies.” In Chrome, head to Options, then “Under the Hood,” then “Content Settings” in which you will check “Block third-party cookies From Being Set.” You also can deal with these within Google’s Ad Preference manager here or on a grander scale via the Opt Out From Online Behavior tool here.

 

Finally, there are tools to help you boost your security level on the Web. While the browsers all have some form of “incognito” mode, Cocoon is an extension for Firefox and IE, as well as a mobile version, that blocks both cookies and IP addresses by routing your page requests through their servers. It has built in virus scanning tools and provides a disposable email address creator, keeping the spam out of your email inbox, as well as a handy “notes” feature – jot down notes on any web page and view them from your history. Very nice.

 

To access your browser’s incognito mode, do the following. In IE 9, InPrivate Browsing can be found with a Ctrl-Shift-P, Chrome’s Incognito Mode can be accessed with a Ctrl-Shift-N, Firefox’s Private Browsing mode is set with Ctrl-Shift-P, and Safari can too, with Private Browsing selectable from the Edit menu.

 

If you don’t like so much social in your browsing, consider Antisocial for Chrome and ShareMeNot for Firefox. These will interfere with sharing buttons across the Web, such as Facebook’s “Like” and Google’s “+1”. Whether by preventing them from loading or by keeping them from reporting back to the social juggernaut whence they spawn, these extensions prevent tracking and keep your browsing and your social separate. Of course, you can log out of your social networks when you are done with them to keep sharing activity to a minimum as well.

 

Finally, although it doesn’t work on every site, HTTPS Everywhere will help enable HTTPS on sites that allow for it. When the site is HTTPS enabled, this extension will activate the HTTPS connection to encrypt your communication with those websites. Available in Firefox and Chrome flavors. Brought to you by the fine folks at the Electronic Frontier Foundation.

 

Use as many or as few of these tips to meet your comfort level on the Web. Remember to read privacy policies and terms of service on any of the sites on which you may want to spend time. Make sure you maintain control over your own information and web experience. Because if you don’t, who will?

 

 

The Cloud: A Foul Play?

Whether or not to use the Cloud in your legal practice: that is the question. To be, or not to be, in the Cloud depends heavily on the ethical rules that guide our profession. Not surprisingly, those ethics commissions are having just as much difficulty grappling with the question as are the ordinary practitioners faced with the attractive option of SaaS and cloud products. Is there an ethical trap inherent in the use of these tools, just waiting to be sprung?

Fortunately, the ABA Commission on Ethics is striving to be realistic in its approach to the use of cloud computing and possible violation of client confidentiality. The Commission has drafted a proposal to assist lawyers in making decisions regarding cloud services. 

The gist of the proposal, as well as the gist of the ethics opinions rendered by state bar associations, is that a lawyer need take “reasonable” steps to ensure client confidentiality and that this same standard applies to use of the cloud to transmit client data. Some opinions also combine the concept of flexibility with reasonableness, clearly a nod to the “everchanging nature” of technology. Protection level may be adjusted based on the client’s needs and nature of the information involved. And, rightly so, the onus should be on the lawyer to establish that he or she acted reasonably with respect to the use of technology for storage, manipulation and transfer of data. This includes a showing that the lawyer acted diligently by, for example, analyzing terms of service, privacy policies and security features, and actively took the steps necessary to ensure the greatest level of protection available. This does not necessarily require a complete refusal to use anything cloud in support of your practice.

Take a look at some of the reported ethics opinions. From these, you should be able to get a sense of what is required of you when you opt to look skyward for technological assistance. And remember, just because it comes from the cloud doesn’t necessarily mean that something wicked this way comes.

Cavalier Attitudes About Mobile Phone Security

We are all going mobile. And, generally speaking, that isn’t such a bad thing. To have a tool the approximate size of a deck of cards with you at all times that can manage your business and personal affairs over the “air” is a compelling sell indeed. However, along with the obvious benefits, there are certainly drawbacks, with security or lack thereof being not the least among them. In many respects, the lack of security does stand to some reason. What is far more troubling, however, is the general lack of awareness among mobile phone users regarding the risks associated with such “always on” connectedness.

BeSpacific blog highlighted a March 11, 2011 report by the Ponemon Institute, a group focused on security issues, on the findings from a survey of 734 U.S. mobile phone consumers over the age of 18. Ponemon was trying to get at two pieces of information: are consumers aware of the risks; and, do consumers care about the risks? The results, culled from their answers, are a tad shocking.

Ponemon reports that the key finding from their research is that users are unaware of the type and extent of security risks associated with mobile phone use and are not terribly concerned about them. Users are far more concerned with security on their laptop or desktop computers than they are with respect to their mobile phones. They are also far more concerned that a marketer will try to contact them over their phone than they are about weak links in the security chain. A sizeable percentage store sensitive data on their phones, but over 50% of users have not enabled the basic security of a keypad lock or password protection. And a 57% majority report that security is not an important feature on their phone at all. Nearly half of consumers are unconcerned about transferring a device to another person without properly wiping the phone’s data. Most are unaware of being “tracked” while using their phones or the lessened security that accompanies jailbreaking a device. Less than half are concerned about insecure wi-fi to phone connections. Only about half are aware of and less than half are concerned about “cross-over” – security of business information jeopardized by personal use of a device. And, it appears, a large percentage of smartphone use is mixed business and personal, with employers paying some or all of the bill.

Now, I am sure that Studio readers are well aware of the risks associated with mobile smartphone use and have implemented security measures to prevent against harm. But, as a public service, I list below the security scenarios addressed in the report. Maybe there is one you overlooked, who knows? But, knowledge being power and all, this is one arena in which ignorance is definitely not bliss.

1.   Location data embedded onto image files can result in tracking of the smartphone user

2.   Smartphone apps can transmit confidential payment information (i.e. credit card details)

3.   Smartphones can be infected by specialized malware called “dialerware” that enables criminals to make use of premium services or numbers resulting in unexpected monthly charges.

4.   Smartphone apps may contain spyware that allows criminals to access the private information contained on a smartphone

5.   Financial apps for smartphones can be infected with specialized malware designed to steal credit card numbers and online banking credentials.

6.   If a social network app is downloaded on a smartphone, failing to log off properly could allow an imposter to post malicious details or change personal settings without the user’s knowledge.

7.   A smartphone can be disposed of or transferred to another user without properly removing sensitive data, allowing an intruder to access private data on the device.

8.   In many cases, people use their smartphone for both business and personal usage, thus putting confidential business information at risk (a/k/a cross-over risk).

9.   A smartphone can connect to the Internet through a local WIFI network that is insecure. This may result in a virus attack to the smartphone.

10.   Smartphones contain basic security protections that can be disabled by jailbreaking, thus, making the smartphone more vulnerable to spyware or malware attacks.

11.   Smartphone users can be targeted by marketers based on how the phone is used for purchases, Internet browsing and location. As a result, the user may receive unwanted marketing ads and promotions on their smartphone.

Microsoft Seeking Stronger Laws Regarding Cloud Computing

No doubt spurred in part by the ongoing federal FCC/ FTC hearings on bringing the internet into the 21st century and dealing with security gaps in the cloud, Microsoft put in its request to Congress and state governments to firm up the legal framework for ensuring stratospheric privacy and protection. Microsoft’s General Counsel Brad Smith addressed attendees on these issues at a keynote at the Brookings Institute on January 19, 2010.

Microsoft identified the primary concerns as privacy, security, transparency, and international sovereignty, the latter being a major issue in connection with storage server locations that know no boundaries. Transparency means that consumers and businesses should know whether and how their information will be accessed and used by service providers and how it will be protected online.

Smith is justifiably concerned with privacy protections and the fact that laws currently on the books do not take into account the heightened risk and the broader ramifications of hacking in the cloud. Smith proposed a new law, which he dubbed the Cloud Computing Advancement Act, and urged the revamping of an existing law,  the Electronic Communications Privacy Act, in order to address the spectrum of risks. He also proposed stronger sanctions under the Computer Fraud and Abuse Act: currently, cloud hackers face the same penalties as hackers that attack an individual PC.

I see mass movement into the cloud and, as a techie, I understand the value of it. As attorneys, however, it pays to be aware of what our current technology can ensure with respect to privacy and security, be versed on the scope of the laws supporting cloud integrity, and choose cloud services accordingly. Lawyers, of course, have heightened responsibility with respect to privacy, security, and privilege. Perhaps this is one area of technology in which lawyers can afford to be slightly behind the curve – right behind security developments.

Hat tip to eWeek. For further reading on the topic, check out these articles:

The ABC’s of Cloud Based Practice Tools

 Seeding the Clouds: Key Infrastructure Elements of Cloud Computing

A Pragmatic and Effective Approach to Cloud Computing — Real Benefits From the

IBM Perspective on Cloud Computing

HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email