Ride The Lightning

This was a disturbing story. If your law firm is breached, you have an ethical duty to tell your clients. You also have a statutory duty since almost every state has a data breach notification law.

Yes, I'll back up. Here the gist of the story. A large New York law firm was advised by the FBI that it had suffered a data breach. Interesting that the FBI always seems to know while the law firms are blissfully ignorant. Off the record, the agents said the attack came from China. They showed the partners a listing of the files and it amounted to all client files.

All of this was disclosed to Alan Paller, the Director of Research for the SANS Institute. The managing partner and the IT partner wanted to know why the files were stolen, how they were likely to be used and how to prevent such attacks in the future. All logical enough.

As Paller pointed out, law firms are often less secure than their corporate clients, so the Chinese target the law firms. When asked if they had any clients doing business in China, one of the partners replied concisely: "Sh*t."

Here's the part that astonished and dismayed me:

"Paller: What are you planning to tell your clients?

Attorney: Are you crazy? Can you think of a better way to destroy their trust in us than letting them know we had lost every document they gave us under (attorney-client) privilege?"

Actually, I can. Let them know that their attorneys, in violation of their ethical duties and state law, will keep the data breach a secret. That ought to effectively destroy all trust forever. I hope the New York State Bar and New York's Attorney General have seen this story. It looks like they have some investigating to do.

Hat tip to friend and colleague Sean Harrington.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Not long after my last post about how the FBI nabbed "Sabu" who was really Hector Monsegur, reputedly the leader of the hacker group LulzSec, SC magazine posted a fascinating piece about Sabu's activities while he was cooperating with the FBI.

It sure appears, based on what the article relates, that the FBI was pretty much using Sabu to foment hacks among others so that it could gather evidence against other hackers. Internet activist and Anonymous observer Gregg Housh concluded that a lot of hacks might not have happened without the encouragement of Sabu, including the Stratfor hack. Sabu (and therefore his "friends" in the FBI) not only knew the hack was coming but volunteered the use of a server to store the stolen data.

Housch said "The FBI pretty much left Stratfor out to dry - they screwed Strator knowingly. That pretty much blows my mind." Mine too. Aren't we supposed to be the good guys? If what is alleged in the article is true, I hope Stratfor is consulting with its attorneys.

Based on the facts recited in the article, some of the busted hackers may well have a decent entrapment argument. Sabu giving away stolen credentials to a Brazilian government website to another hacker? How is that not entrapment? He facilitated the hack while under the FBI's supervision. Juries and judges notoriously don't like informants to take pivotal actions in the commission of crimes by others.

And I'm wondering who the heck was in charge of the Sabu operation that allowed all these hacks to continue even when he wasn't directly inciting them. Aren't there rules about that for our g-men?

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

If you believe Hollywood, there's a lot of glamour involved with the life of a hacker. Not so much in real life, as a recent Fox article highlighted. Hector Monsegur, 28, was confronted by FBI agents in June of 2011 in an unlikely place - a public housing unit in New York. Monsegur proved to be the hacker known as "Sabu," thought to be the ringleader of the Anonymous offshoot group LulzSec.

Monsegur lived on public assistance with his two young children. The children gave law enforcement the leverage needed to secure Monsegur's cooperation - he didn't want to go to jail and be separated from them. When arrested, Monsegur and his associates had been on a month-long hacking spree involving the CIA, Fox, Sony and several financial institutions, causing billions of dollars in damages.

But here he was, a welfare recipient and unemployed computer programmer living in very modest surroundings. Hardly the stuff of the silver screen. So how did they get him? He was brilliant - but also lazy. He had always hidden his IP address through proxy servers. But he slipped up once and logged into an Internet relay chatroom without masking his IP address. That was all the FBI needed.

For a while, they waited and watched his online activity, but their hand was forced when he was "doxed," and his real name and address were posted online. The FBI had already gotten his Facebook account, where he was selling stolen credit card numbers to other hackers - that was enough to charge him with aggravated identity theft. By August, he had pled guilty to a dozen counts of hacking charges and had agreed to cooperate with the FBI.

Not until this week was all this made public. "Sabu" had decided to give up his buddies in Anonymous to the FBI and five them were recently arrested, two in Britain and two in Ireland. The fifth individual, Jeremy Hammond, was charged with being behind the "Stratfor" hack in December of 2011.

It would appear that some members of Anonymous have lost their anonymity.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

It is laudable that the FBI has taken the Supreme Court's decision in U.S. v. Jonesseriously, and now recognizes that law enforcement needs a warrant to place a GPS tracker on a vehicle in order to comply with the Fourth Amendment. I wondered when I penned my earlier post on this subject what the reaction might be.

I was pleased to see that the FBI fairly quickly took action and turned off approximately 3000 GPS trackers, most of them attached to motor vehicles. The ABA Journal also reported that the FBI is developing new guidelines (sorely needed) for the of GPS devices and considering broader implications, including whether an agent can lift a trash can lid without committing a trespass.

Not a detail I would like as an FBI agent, but humorous images aside, I looked it up and apparently previous law has said that if you place the garbage can on a common area (like a sidewalk), it is fair game, but not if it is on your property. Note to self: Have John relocate the trash cans.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Last month, I posted about a law firm data breach where a former partner allegedly used Dropbox to purloin tens of thousands of law firm files before breaking away to start a new law firm. This got me thinking about Dropbox as a security threat generally.

I received a thoughtful e-mail from Frank McClain and I am remiss in not posting it sooner. Here is a portion of what he wrote:

Sharon,

Thank you for Ride the Lightning, I always enjoy it. Your down-to-earth insight into the technical realm of eDiscovery and computer forensics is always interesting. I just read your 2/15/12 post, "Another Law Firm Breach - This Time By An Ex-Partner???" and wanted to respond to you directly.

Late in 2009, I started research into Dropbox, and for this very reason - I could see the potential for abuse. I finally finished up an article for Forensic Focus this past June, and have some other posts on my blog as well as on SANS. I worked a case somewhat similar to that you referred to in your post, where some partners split from a firm; leading up to that they backed up data to cloud services (not Dropbox, but similar). A friend recently had a case where Dropbox was central to it as well.

From a more traditional Information Security standpoint, these types of services could be used by an external attacker to get information out of a network, but I think the greater threat is the insider. I've expanded my research from Dropbox into other cloud backup and synchronization services, to help shed greater light into this area, and am starting on a presentation to share that with the larger community.

And you're right, Dropbox is not a spy application, and cannot remotely control a system by itself. I guess it's conceivable that spyware could be introduced through it, depending on what you've set it up to synchronize, but you've still got the question of execution (built in timer, maybe?). I've included a link to my blog below, as it has links to the rest of my public research, in case you're interested.

Regards,

Frank McClain

http://forensicaliente.blogspot.com/2011/07/dropbox-forensics-follow-up.html

Thanks for writing Frank. I'm glad you agree that Dropbox and similar services pose more hazards than we once realized. Keep up that research - the day doesn't go by without a new threat!

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

It seems as though this subject has been around forever at conferences, but I'm happy to say that there are new developments which you'll hear about if you attend ABA TECHSHOW this year (March 29-31). My co-presenter, Bruce Olson, will be discussing and showing examples of e-discovery software which is useful and budget-friendly in small cases. I was particularly delighted to learn that the makers of Digital WarRoom will be exhibiting this year, so be sure and take a test drive.

If you haven't heard of Nuix's Proof Finder 2, that's a just-released tool you need to know about.

As always, there are lot of tips to help you narrow your searches, look for low-hanging fruit and minimize your outlay while maximizing your results. Yes, Virginia, there is way to cut e-discovery costs and still do a credible job. Bruce and I emulate Ebenezer Scrooge in our approach to e-discovery, so if you are also parsimonious, make sure you check this session out!

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Why oh why do people post their location on Facebook? I've bemoaned this before but still cringe when I see my otherwise brilliant friends on the lecture circuit post their whereabouts.

I know there's a saying that goes "that's so five seconds ago" but frankly I am content to be days late to the Facebook party in order to avoid broadcasting that I'm out of town. I am cautious even though we have two large dogs and a house sitter.

Over lunch with our Merrill Lynch financial advisors (and a shout-out is due them for taking such good care of a small company) this week, I heard yet another story illustrating why it makes no sense to tell your "friends" where you are. The family in question posted that they were in New York for the weekend - when they came home (yes, you've guessed it), everything of value (and much that wasn't valuable) was gone.

Here's the kicker: Days later, the victims were reading their Facebook page when, lo and behold, they stumbled upon a photo of their neighbors wearing their stolen college sweatshirts. Yup, their neighbors robbed their house and then had the monumental stupidity to post photos of themselves wearing the stolen apparel on Facebook.

This is why we sometimes say that we teach not Facebook: The Nuts and Bolts, but Facebook: The Nuts and Dolts.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq