Cyber security through the litigation process
July 2016 | SPOTLIGHT | LITIGATION & DISPUTE RESOLUTION
Financier Worldwide Magazine
Information security, popularly now known as cyber security, is a topical area with repercussions that could potentially affect every business and individual connected to any form of computing system. Information and breaking news on hacking, cyber terrorism and breaches of data protection come at an alarming rate, with the Law Society’s Gazette providing facts that show law firms alone have lost over £85m in the past 18 months. Delving deeper into this, one in 10 law firms were successfully broken into via electronic means. With the problems that a cyber attack can cause for a law firm, either through the breach of personal data, the theft of sensitive documents or the loss of finances, cyber criminals have the law industry firmly within their sights.
In April 2016, the Telegraph reported on a couple who had lost over £200,000 while they were partaking in an email discussion with their property solicitor; or so they thought. In a new digital twist on the tried-and-tested fraud methods, many criminals are now finding ways to place themselves between clients and solicitors in order more effectively to deceive those in need of assistance. Cyber criminals are continually finding new methods of attack in an attempt to scam, con and fraudulently gain from their illegal activities. One of the key areas that is causing issues currently is the increasing trend to interfere with email communications between those in the law industry and their clients, breaking into email accounts and diverting large payments resulting in a financial loss for both the client and the law firm.
By breaking into the communication accounts of a solicitor, barrister or other member of the law industry, a cyber criminal is able to read, delete and potentially alter the contents of any messages they find stored there. Instructions to send money to a bank account for the payment of services may well have been sent legitimately but then the sort code and account number may have been altered to be a mule account belonging to the cyber criminal. Alternatively, the email could have been sent to trick the client into paying outright without any indication of a legitimate transfer being required; similar to the well-known ‘Friday afternoon fraud’.
Building further on this information, a study of the Panamanian law firm Mossack Fonseca reveals that the 2.6 terabytes of data was primarily comprised of email content; again showing the issues that an external hacker can cause for a business once access to stored emails is gained. Politicians, country leaders and other high-profile figures were all implicated in the scandal, originating from a single email server. Little is currently known about the techniques used to break into this email server, but the guessing of a password or ‘social engineering’ access from a complacent employee is just as likely as any external vulnerability being exploited.
A further case study would be the relatively recent announcement that a Russian cyber criminal (or gang of cyber criminals) is targeting US law firms including Cravath Swaine & Moore, Freshfields and Hogan Lovells. Financial theft was not the aim of these attacks; simply, the wish to break client confidentiality and gain ‘insider’ information that could enable the criminals to conduct insider trading. With information on mergers, lawsuits and acquisitions, a cyber criminal is in a position to exploit the high value of information contained within the confidential information stored by the law firm. The criminals are further assisted by the use of Dropbox and other external, third-party online storage tools; it should be noted that many law firms already have stringent security measures in place surrounding these services.
Even if best practice techniques are successfully adopted in order to reduce the risk of these threats, there is one further technique that we regularly encounter. Email spoofing is when a malicious attacker tricks an email into displaying an email address that is different to the actual originating email address. Using forensic tools, it is possible to determine when an email address is made to look different from the true address. Despite many calls to add this functionality, the majority of current email programmes are incapable of performing this function. This often-used technique could be used to supply bank details or instructions that appear to come from the law firm. A way of defending against this attack is discussed below.
Ultimately, the methods that can be used to mitigate the chances of any of these attacks occurring are based on the oldest recommendations of security housekeeping. Ensure that all passwords used inside the law firm are strong. You should have been told to ensure you use both letters and numbers and ideally non-alpha numeric characters such as ‘£$%’, but it is a lesser-known fact that simply changing the letters to numbers (for example, l3tme1n instead of letmein) adds no appreciable extra security from the majority of hackers. Consider using a random password generator and using that as your more secure password.
An additional level of security that can significantly improve systems is the use of two factor authentication, which can be implemented on the majority of email and other communication services. This requires any user on a new or different computer logging into the email system for the first time to input a code that has been sent (usually via text, or some other similar method) totally separately to the interaction with the computer user. This second factor should not be available to the hacker in the majority of cases and access will therefore be denied. This is currently considered one of the strongest methods that can be used, and standard security advice for those operating in secure environments. Simple Apps such as Google Authenticator make this process very straightforward, allowing almost any user to successfully create a code on a mobile phone that can be input into the computer and combined with the password to create the two factor protection.
Of course, the ultimate defensive measure is one of the oldest security methods in the book. When instructions come in for a payment to be made, ring the company or client making the request and ensure that the bank details are correct. If at all possible, speaking to a voice you recognise will ensure the best level of security. By bypassing the email process, there is the chance of eliminating the possibility of a hacker sitting between you and the client intercepting the email. On the flip side, encourage your clients to ring you before making any payments if payment details are received just to check they are originating from you. This will help to minimise the risk of an attacker successfully getting a client to transfer money to the wrong account, saving both sides time, money and embarrassment.
Traditional methods of attack, finding vulnerabilities in the firewall of a network and using these to gain access to the entire network, are dying fast thanks to ever-more sophisticated defensive technologies. New methods involve the sending of malicious attachments and links to company addresses, hoping that one complacent employee will open one or more of these items. Doing so will allow total access to the workstation, internal servers and network traffic. The best of hackers will sit in the network, with defensive measures in place, silently monitoring and storing information that could later be sold; the gaining of digital intelligence varies greatly from the traditional break-in-and-grab approaches used in physical corporate espionage.
Many companies are moving to bolster their network defences most effectively through the use of employee training. Regardless of this, computer security is not a static field; it requires continual discussion, retraining and new advances. The faster the reaction time of the community, the lower the chance of a successful high-profile breach of confidential, valuable, privileged data.
George Jennings is head of Digital Forensics, Aaron Pickett is a computer forensic examiner and David Anthony Sykes is a partner at IT Group. Mr Jennings can be contacted on +44 (0)845 226 0331 or by email: firstname.lastname@example.org. Mr Pickett can be contacted on +44 (0)845 226 0331 or by email: email@example.com. Mr Sykes can be contacted on +44 (0)207 096 3791 or by email: firstname.lastname@example.org.
© Financier Worldwide
George Jennings, Aaron Pickett and David Anthony Sykes