Last week in my post on Okta’s 2021 Businesses at Work report, I mentioned the F5 Labs 2020 Phishing and Fraud Report. It is cited in the Businesses at Work report for its warning on Office 365. In brief, that warning is that Office 365 is a rich target because if an attacker breaches Office 365, they have access to email and much more, including potentially to SharePoint and OneDrive. F5 Labs warns to use Multi-Factor Authentication (MFA) with Office 365.
The F5 Labs Phishing and Fraud report is full of useful information. It’s a tutorial on phishing, a source of exploit data, and a guide as to how to protect from phishing.
In this post, I share 3 of the many images in the report to tempt you to looking at the full report.
We’ve known for years that phishing is the number one cause of data breaches. F5 Labs estimated, as shown above, that the number of phishing incidents in 2020 was projected to increase by 15% compared with 2019.
As anyone who has an email inbox knows, phishing perpetrators are nothing if not topical. In addition, they prey on fear. These cyber-criminals were quick to capitalize on COVID-19. Starting in March 0f 2020, fear and false information about COVID-19 became a hot subject for phishing, as this list conveys.
The report explains financial fraud, deception techniques such as custom URLs, and the trajectory of phishing in the report. It concludes with pragmatic sections on “Protecting the Business” and “Protecting Users.”
F5 Labs also explains financial fraud, deception techniques such as custom URLs, and the trajectory of phishing in the report. Phishing is a challenging problem. It is social engineering. The attackers’ schemes mutate. We humans are the weak link. F5 Labs has useful research here, free tor the reading.
Each year I look forward to Okta’s Businesses at Work report. Okta anonymizes data from its more than 9,400 customer entities. These are customers which use the Okta Identity Network (OIN) with its over 6,500 integrations with cloud, mobile, and web apps, and with IT infrastructure providers. The report is free, not even a registration is needed. To my knowledge no other public report provides this level of data on cloud application usage.
For data lovers it’s a treasure trove of facts about cloud usage. There are over 28 charts and tables. Download it here. I’ll share a few of my favorite insights from the report.
Most Popular Apps by Number of Customers
Microsoft 365 wins. I attended a legal technology conference in 2014. In a session on SharePoint, hosted by Microsoft, the roadmap showed that Outlook, Exchange, and, yes, SharePoint were all moving to the cloud in the form of Office 365. People exited the room in fury. At that time, most law firms were adamant – No Cloud. While there will always be law firms, especially “Big Law,” which will keep Outlook, SharePoint, and the Office Suite on-premises, the adoption of Office 365 or Microsoft 365 in the legal sector has been swift over the past two years. The Okta data reflects this.
This chart shows that the gap in usage between Microsoft 365 and all other applications, including AWS and Salesforce, has only widened in the past 5 years.
Most Popular Video Conferencing Apps
This graph highlights the steep curve in Zoom usage which we all lived through in 2020. At Mobile Helix, we started using Zoom heavily in 2017. We even perform our LINK system deployments remotely over Zoom in about two hours. When the pandemic hit, we were easily able to deploy LINK with IT staff who were themselves working from home. Customers favor our over-Zoom deployment over an on-site visit as it ends up taking less of their time.
Customers Authenticating With Each Factor
Phishing has been up 220% during the pandemic per F5’s2020 Phishing and Fraud Report (an excellent report on phishing). The Okta report quotes, “F5 warns that the login page of our most popular app, Microsoft 365 (M365), is one of the most popular targets for generic phishing because attackers know that stealing Office 365 credentials can grant them access not only to email but also corporate documents, finance, HR, and many other critical business functions.”
Strong Multi-Factor Authentication (MFA) should be used with M365. The chart above shows that of Okta customers authenticating with a factor in addition to, or instead of a password, 82% use Okta Verify. The good news here is that weaker factors such as SMS and security questions are on the decline.
One of the positive conclusions from Okta’s 2021 Businesses at Work report has to be that as difficult as 2020 was, with 38M people applying for unemployment, if it had happened even 10 years earlier, how many people would have been unable to work from home? The growth of web-based applications, cloud-based services, and mobile apps resulted in most office jobs successfully transitioning to work-from-home in two or three weeks.
iOS has solid encryption, there is no backdoor, hence, your firm’s data is safe under lock and key, correct? Not necessarily. Enlightening new research by cryptographers at Johns Hopkins University (1) has surfaced weaknesses in the iOS and Android encryption schemes. Ironically, in the case of iOS, part of the weakness is related to a security hierarchy which is often unused.
“Apple provides interfaces to enable encryption in both first-party and third-party software, using the iOS Data Protection API. Within this package, Apple specifies several encryption “protection classes” that application developers can select when creating new data files and objects. These classes allow developers to specify the security properties of each piece of encrypted data, including whether the keys corresponding to that data will be evicted from memory after the phone is locked (“Complete Protection” or CP) or shut down (“After First Unlock” or AFU) …
… the selection of protection class makes an enormous practical difference in the security afforded by Apple’s file encryption. Since in practice, users reboot their phones only rarely, many phones are routinely carried in a locked-but-authenticated state (AFU). This means that for protection classes other than CP, decryption keys remain available in the device’s memory. Analysis of forensic tools shows that to an attacker who obtains a phone in this state, encryption provides only a modest additional protection over the software security and authentication measures described above.” (JHU – bold is our addition)
The reality is that most of our iPhones are commonly in “After First Unlock” state because we rarely reboot our phones. To achieve maximum security, we would have to power down our iPhones and authenticate after each use. That is, scores or hundreds of times per day. Otherwise, all data in the AFU state is vulnerable to law enforcement agencies or criminals with the right forensic tools. As the Hopkins researchers noted, “Law enforcement agencies, including local departments, can unlock devices with Advanced Services for as cheap as $2,000 USD per phone, and even less in bulk, and commonly do so.”
“There’s great crypto available, but it’s not necessarily in use all the time,” says Maximilian Zinkus, Johns Hopkins University. The Hopkins researchers also extended their analysis to include the vulnerability of iCloud services and device backups:
Device owners may take actions to ensure greater security. Apple Insider cites a few user actions including: Use SOS mode; use the setting which locks iOS devices after 10 failed login attempts; and don’t use iCloud back-ups. But these user-optional mitigations are not adequate for enterprise security, and they don’t address the forensic techniques used to steal data in the AFU state. Enterprises need systematic approaches across all firm-managed devices.
Why Secure Containers Are Needed
Sophisticated attackers and government agencies have a variety of available tools at their disposable to extract sensitive data from a seized or stolen device. The preponderance of evidence shows that law enforcement is largely successful in cracking open a device and extracting sensitive information as needed. Evidence further suggests that these techniques are ported to even the latest iOS versions and devices (take a close look at https://www.grayshift.com/ – they offer the state-of-the-art in device forensics). What can you do to truly protect sensitive data? The built-in capabilities of the operating system are not sufficient.
Secure containers provide an additional layer of encryption by implementing an entirely independent encryption mechanism to protect data. To examine the protection offered by secure contain apps, we will refer to our LINK app in this discussion. LINK not only uses its own, independent encryption scheme, Link also uses its own built-in encryption technology. In other words, the LINK encryption software stands entirely independent from the operating system, regardless of whether that operating system is intact or compromised. As long as encryption keys are protected well, then secure containers can provide the kind of locked-down encryption that law firms want to protect email and documents, which encapsulate a large majority of a firm’s most sensitive data.
LINK’s data protection exceeds iOS in a few significant ways:
LINK is an app, and iOS apps are routinely removed from memory. Hence, while LINK does necessarily keep encryption keys in memory when the app is active, once the app is removed from memory its encryption keys are too. This stands in contrast to iOS’ “AFU” encryption.
LINK allows IT to identify data that is only accessible when the device is online. This makes it awfully difficult to get the encryption keys for that data, especially once the device has been identified as lost or stolen and flagged for a remote wipe.
LINK’s online encryption keys are really hard to guess. Offline keys are hard to guess too, as long as your organization uses complex A-D passwords. Online keys are not derived from a user’s passcode or even a user’s A-D password. LINK’s encryption keys are derived from randomized 32-character strings that are generated on the LINK servers using entropy available on the server. Brute-forcing the key derivation is unlikely to work, which means an attacker would have to compromise the LINK Controller that sits safely inside our customers’ networks, then break the encryption scheme protecting sensitive data stored in our Controller database. Getting LINK data is a lot more complicated than stealing or seizing a mobile device.
LINK aggressively limits the amount of data available on the device, online or offline. We do so by simply expiring away data that sits unused on the device. This is a really simple way to limit exposure without much practical impact on a user. Users can always go back to their email (via search) or to the document management system to find what they were working on. There is no practical reason to store lots of old, unused data on a device that is easy to steal and, as it turns out, compromise once stolen.
LINK’s data is useless when obtained from an iCloud backup or a local backup to a Mac device. LINK’s encryption keys are never backed up. An attacker’s best hope is to brute force both the iOS device passcode and the user’s A-D password before IT notices that the device is lost or stolen. This is incredibly difficult to accomplish given Apple’s built-in protections against brute-forcing passcode and given a reasonably complex, hard-to-guess A-D password.
The JHU research simply reminds us that Apple’s interests diverge widely from those of an individual law firm. Apple has to balance the needs of law enforcement and users to make data accessible while still providing a reasonable degree of protection. Law firms’ best interests lie in maximally protecting data against unauthorized access. In order to achieve this latter goal, Apple’s built-in technology simply won’t suffice.
Seth Hallem is the CEO, Chief Architect, and Co-Founder of Mobile Helix, makers of the LINK App. With LINK professionals can review, annotate, compare, and email files, as well as use the firm intranet, using a single secure container app. www.mobilehelix.com
Working remotely became a neccessity almost overnight. But were firm architectures ready? Two common entry points to system hacks, social engineering and network vulnerabilities, threaten the security of remote working. In this session, Mobile Helix CEO and Chief Architect, Seth Hallem, will describe these vulnerabilities and propose practical and actionable ways to address these weaknesses using safe browsing, network proxies, authentication, authorization, and DLP. These mitigations apply to both desktop and mobile devices.
This is an ILTA Educational Webinar. It is free to members as well as to non-members as part of ILTA’s COVID-19 content. Non-members may register for a free login-in.
I’m a current events junkie. I’ll admit it. And I work with law firms. Thus, my favorite podcast? “Stay Tuned with Preet.” Yes, this is Preet Bharara, the former U.S. Attorney for the Southern District of New York. Check out an episode. Preet takes a few questions about the law at the beginning of each episode. Then he has a guest. Preet is not only smart, but surprisingly personable. It’s a fast-moving hour.
A recent guest was John P. Carlin, former Assistant Attorney General for the National Security Division at the Department of Justice and Chief of Staff to Robert Mueller at the FBI. He is currently a partner with Morrison & Foerster. Carlin is an international cybersecurity expert.
One of the things which caught my attention in this episode was Carlin’s story of the US subsidiary of a German company whose data was stolen by hackers in the Chinese military. The company, SolarWorld, in Hillsboro, Oregon, made solar energy components.
How was the data stolen? Email. Carlin said, “Email. It is the least protected part of the system, usually. Not like Intellectual Property which is encrypted or where special measures are taken to protect it. They stole email traffic.”
Last week I attended the sixth annual CodeX FutureLaw Conference, under the canopy of the redwoods on the Stanford University campus. I did not know entirely what to expect, but as my office is a few miles down El Camino Real from Stanford, I thought that it was worth investigating. I found the event to be stimulating and I would like to share what I learned so that others may consider attending FutureLaw in the future.
What is CodeX? It is a Stanford group, associated with the Law School, whose mission is to create legal technology that empowers all parties. It is ably headed up by Dr. Roland Vogl.
Peripatetic lawyers, take note from Friday, 1/5/2018, in the Washington Post:
“U.S. customs agents conducted 60 percent more searches of travelers’ cellphones, laptops and other electronic devices during the government’s 2017 fiscal year, according to statistics released Friday by U.S. Customs and Border Protection (CBP).
The agency said it searched 30,200 devices but the inspections affected only 0.007 percent of the 397 million travelers — including American citizens as well as foreign visitors — who arrived from abroad during the 12-month period that ended Sept 30.”1
They discussed the genesis of Mobile Helix, how the LINK app empowers lawyers on the go, the crossroads of usability and security in mobile apps, and our partnerships with iManage®, NetDocuments® and Handshake Software®.
Each December the International Legal Technology Association (ILTA) publishes their tour de force Technology Survey. Where BlackBerries were indispensable, iPhones dominate and iPads are nearly ubiquitous – but the Legal mobility scenario is dynamic. Here’s a look at three charts from the survey.
Microsoft Surface Pro – Making a Run for It
Is it a bird, is it a plane? Is a Surface Pro a tablet or a notebook PC? Whatever you call it, the Surface Pro is on the radar in Legal now.