Welcome to the LINK App Feature Roundup, where you can find information on new, enriching features of the LINK App.
You can learn more about these and other new features by visiting our Feature Roundup page, or by clicking the links to the Quick Tips noted below.
Import a Newly Created Document from a Microsoft Office App
Now you can create a new document in one of the Microsoft Office Apps (like Office M365, Word, Excel, or PowerPoint) and import that document to either LINK files or your DMS.
There are multiple ways you can check in a file shared in a Teams Channel to your DMS workspace. The simplest way allows you to do so from within the LINK app, saving you from having to open the Teams app separately.
There are multiple improvements to the look of the email UI. The most noticeable differences are a redesign of the address selector (when you are writing an email and selecting email addresses) and a redesign of the attachments overlay that pops up when you are attaching a file to an email.
With the new Attachment Overlay, easily navigate all available file repositories, including iManage, NetDocuments, OneDrive, Emails, Notes, and more. You can add multiple files at once by using the multi-select feature – simply tap the checkboxes next to the files you want to attach. You can also choose the format of each file you attach.
UI Enhancements for DMS
There are a few navigation improvements in our iManage app. First, we have added quick action buttons to send emails or edit a file in iManage. Second, we have added a button at the top-left that allows you to quickly bring up the root of the iManage work area so that you can switch from wherever you are browsing to Recent Docs, My Matters, etc. We’ve also added a list of recent items to the homepage of iManage and recent and favorite items to the homepage of NetDocuments.
Microsoft Outlook Configuration Features
Our LINK Email integrates with Microsoft Exchange and has many beneficial features, including the ability to open NRLs, establish predictive email filing to DMS, and more. Some law firms have opted for a configuration of LINK that instead uses the Microsoft Outlook app for email. In these cases, we implement the “open in hook” to connect the MS Outlook app to the LINK app. The following are common workflows that illustrate this configuration.
The LINK App is designed to make working easier for lawyers. This roundup is just a snapshot of the newest features to improve productivity and user experience. There are even more ways to use LINK to optimize your workflows.
Have you ever wondered what’s behind the unique and secure annotation capabilities in our LINK App? Read on to learn how one of our key partners helps us to offer this feature that has become so popular with our users.
If you’re familiar with LINK, you know that the technology we’ve developed allows lawyers to efficiently work on mobile devices like iPads and smartphones while maintaining the high security and privacy needed to manage sensitive legal documents. During development, we needed to integrate our app with existing document management systems to ensure seamless communication and data integrity across different platforms. We also needed to meet strict security standards to protect client confidentiality and avoid vulnerabilities that could occur when transferring documents between apps.
By incorporating Nutrient’s mobile SDKs for iOS and Android, we were able to allow lawyers to annotate documents directly within their existing DMS or email attachments. This eliminated the need for file transfers between applications, thus simplifying how user documents are managed and reducing the risk of errors. The integration also enhanced LINK’s security by keeping all documents and annotations within a secure, encrypted environment – critical for maintaining client trust and complying with legal data protection standards. To top it all off, the SDKs improved responsiveness, allowing our customers to work more efficiently and meet the fast-paced demands they encounter in their daily work.
Ultimately the SDK integration from Nutrient in our LINK App helps us to empower lawyers to work securely and effectively from mobile devices in any setting. And since our mission is to make it simple for lawyers to work securely from anywhere, we couldn’t have asked for a better fit.
Passwords remain a major risk to enterprises. This is true even though safe password practices have been widely promoted for a decade. Nearly half (49%) of incidents cited in Verizon’s 2023 Data Breach Investigations Report involved compromised passwords.
Enter NIST’s new Digital Identity Guidelines, SP 800-63-4. In the new report, NIST advocates for dropping onerous password requirements and focusing on the practices which are most effective. Let’s look at a few of the updated guidelines.
Do not require users to change passwords periodically, only mandate change when there is evidence of compromise.
Require passwords with a minimum of eight characters; the recommended minimum length is 15 characters.
Do not impose other composition rules, e.g., requiring mixtures of different character types.
Do not prompt users to use knowledge-based authentication, e.g., “What was the name of your first pet?”
Mandatory password changes are ingrained in enterprises. But NIST considers mandated changes to be outdated. Research has found that frequent password changes lead people to make minor changes which fit into a pattern, e.g., MinnVikings56 is followed by MinnVikings57. These patterns are often quickly cracked by algorithms. NIST recommends changing passwords only when there is evidence of compromise.
To make passwords safer, NIST recommends long passwords, at least 15 characters. A 12-character password takes 62 trillion times longer to crack than a six-character password.
Per NIST, passwords should consist of random characters or phrases.
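The guidelines above translate into a small set of verifier rules. The following is an added illustration, not code from NIST or from Mobile Helix; the compromised-password list is a constructed stand-in for a real breach corpus.

```python
"""Password acceptance rules following the SP 800-63-4 points listed above.

Added illustration; COMPROMISED is a constructed sample, and the length cap
MAX_LENGTH is an assumption so that long passphrases are never rejected.
"""
import unicodedata

MIN_LENGTH = 8            # hard floor from the guidelines
RECOMMENDED_LENGTH = 15   # recommended minimum
MAX_LENGTH = 64           # assumption: generous cap so passphrases fit

# Constructed sample of known-compromised passwords (stand-in for a breach list).
# Note the incremental pair: a "rotated" password is still compromised.
COMPROMISED = {"password", "123456789", "MinnVikings56", "MinnVikings57"}


def normalize(password: str) -> str:
    """NFKC-normalize so the same passphrase typed on two keyboards compares equal."""
    return unicodedata.normalize("NFKC", password)


def evaluate_password(candidate: str) -> dict:
    """Return {'accepted': bool, 'reasons': [...], 'warnings': [...]}.

    Length and a compromised-list lookup are the only hard rules; there is
    deliberately no composition rule (no required digits, symbols, or case mix).
    """
    pw = normalize(candidate)
    result = {"accepted": True, "reasons": [], "warnings": []}

    if len(pw) < MIN_LENGTH:
        result["accepted"] = False
        result["reasons"].append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) < RECOMMENDED_LENGTH:
        result["warnings"].append(
            f"shorter than the recommended {RECOMMENDED_LENGTH} characters")

    if len(pw) > MAX_LENGTH:
        result["accepted"] = False
        result["reasons"].append(f"longer than {MAX_LENGTH} characters")

    if pw in COMPROMISED:
        result["accepted"] = False
        result["reasons"].append("appears in the compromised-password list")

    return result


def change_required(compromised: bool, days_since_change: int) -> bool:
    """Force a change only on evidence of compromise.

    days_since_change is accepted but intentionally ignored: password age
    alone never triggers a rotation under these guidelines.
    """
    return compromised
```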
There is an inherent challenge with requiring passwords to be long and strong. Long and strong passwords are difficult for humans to remember. To accommodate our limited memories, people devise hack-able workarounds. LastPass reported in 2022 that 65% of those surveyed use mostly the same password or a variation.
NIST has a recommendation for humans and our fallible memories.
Verifiers SHALL allow the use of password managers. Password managers have been shown to increase the likelihood that users will choose stronger passwords, particularly if the password managers include password generators.
Leading password managers include LastPass, 1Password, and Dashlane. In volume, the highest-rated password managers cost four or five dollars per user, per month.
You can improve your company’s security posture by starting with these two NIST recommendations:
Adopt the counter-intuitive practice of not mandating password changes.
Provide password managers to help employees use long and strong passwords.
And please, don’t ask me for the name of my first pet.
-Maureen
Maureen Blando is the President and COO of Mobile Helix, makers of the LINK App for lawyers.
NIST Definitions
Authenticator: Something that the subscriber possesses and controls (e.g., a cryptographic module or password) and that is used to authenticate a claimant’s identity. See authenticator type and multi-factor authenticator.
Shall: The terms “shall” and “shall not” indicate requirements to be strictly followed in order to conform to the publication and from which no deviation is permitted.
Should: The terms “should” and “should not” indicate that among several possibilities, one is recommended as particularly suitable without mentioning or excluding others, that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is discouraged but not prohibited.
Subscriber: An individual enrolled in the CSP identity service.
Verifier: An entity that verifies the claimant’s identity by verifying the claimant’s possession and control of one or more authenticators using an authentication protocol. To do this, the verifier needs to confirm the binding of the authenticators with the subscriber account and check that the subscriber account is active.
Recently, I came across a LinkedIn post from a friend who was #Hiring for a cybersecurity role. It got me thinking – just how challenging is it to find and, crucially, to retain experienced cybersecurity staff? According to my friend, it is very challenging. Intrigued, I decided to take a dive into the numbers.
World Economic Forum
71% of organizations are currently unable to fill cybersecurity positions, leading to a concerning skills gap in the workforce. This issue has been highlighted by The World Economic Forum, which warns of the potential impact on infrastructure and society as a whole.
2023 Global Cybersecurity Workforce Gap – ISC2
Globally, there is an estimated 4 million person cybersecurity workforce gap. According to ISC2, the shortfall in the United States alone amounts to half a million roles.
Per Fortinet’s 2023 Cybersecurity Skills Gap Report, 68% of leaders agree that cybersecurity skills shortages create cyber risks for their organization.
An overwhelming 90% of leaders show a strong preference for hiring individuals with technology-focused certifications per the Fortinet report. Their study also brings encouraging news that 90% of leaders are willing to invest in their employees by covering the costs of certification. In alignment with this, the World Economic Forum advocates for the crucial processes of “reskilling and upskilling,” emphasizing the importance of narrowing the cybersecurity skills gap.
So, the next question is, what does it take to obtain an affordable cybersecurity certificate? This option seems promising: Google offers a Cybersecurity Certificate through Coursera suitable for these roles:
Cybersecurity analyst
Security analyst
SOC analyst
Information security analyst
IT security analyst
Cyber defense analyst
According to Google, this course can be finished in six months with less than 10 hours of part-time study per week. After a free 7-day trial, Coursera charges a monthly fee of $49, resulting in a total cost of just under $300 for the certificate.
If you’re considering a career change, be encouraged by the fact that the demand for cybersecurity professionals is high. There are even relatively low cost ways to achieve a Cybersecurity Certificate.
Yes! LINK is in production for Android smartphones and tablets.
Now you can use LINK’s workflows including annotation, comparison, and Word app editing with iManage Work® 10 on Android. NetDocuments and eDocs are supported, too! LINK is an encrypted container app, so your files are kept separate from the rest of the device.
It looks fantastic, if I do say so myself. 🤩
Take a look at this brief video to see the LINK App’s easy workflows with DMS, Outlook, and web resources.🔽
LINK App for Android Video – 3 minutes
Let me know if you want to see a demo or to do a trial including Android, iOS, and iPadOS.
Kaseya VSA is used by IT organizations and many Managed Service Providers (MSPs) to track IT assets and to deliver software installations and patches to a network of endpoint nodes.
Over the 4th of July weekend, a ransomware attack perpetrated by the REvil gang and its affiliates was delivered through the Kaseya VSA remote management software.
Each Windows node on the network runs a Kaseya agent, which is responsible for downloading and installing patches and software packages from the VSA server. It is common practice for an MSP to use a single VSA server to manage all of the MSP’s client networks, meaning that one compromised VSA server can create a downstream impact on hundreds of individual businesses.
1,500 businesses may be affected.
The fascinating anatomy of the hack
REvil’s successful hack began with an SQL injection attack against the VSA server. The attacked VSA servers were exposed to the Internet, presumably to allow for remote access to the VSA server by an MSP’s employees. An SQL injection attack was crafted by the hackers to (a) bypass authentication, (b) upload a file, and (c) inject a command to distribute a malicious software patch. This software patch was then dutifully downloaded by Kaseya agents installed on Windows endpoints attached to the compromised VSA server. The technical details of how this was accomplished are explained quite clearly in this article by Sophos.
The hack itself is fascinating from a technical perspective in multiple ways. First, an authentication bypass renders an entire stack of security technology (authentication providers and MFA) entirely irrelevant. There is no password guessing or credential stealing involved in this attack. Second, the MSP model where client networks are intermingled in a single VSA instance is inherently dangerous in that a single compromised server (whether via a 0-day exploit or a more traditional stolen credential) can spread malicious software across many disparate organizations, geographies, and networks. Third, it is perturbing that a piece of software like the VSA server was directly exposed to the Internet. The lack of any intervening, independent authentication (e.g., a VPN or IIS authentication using certificates or Kerberos) places an inordinate amount of trust in the security architecture of a single piece of software (the VSA server).
In general, the best way to mitigate hacks of all varieties is to apply a few principles:
Keep independent networks as separate as possible, and always require authentication to move between them.
Authenticate users and devices in layers that rely on disparate software stacks. Software is built by humans, and humans make mistakes that cause security vulnerabilities. Using independent software stacks to layer together multiple forms of authentication ensures that a hacker has to find multiple, independent mistakes that are exploitable in conjunction.
Because there is still no perfect way to prevent endpoint attacks from happening, effective endpoint protection is essential. The Kaseya exploit relied on anti-virus exceptions on the endpoint to allow a malicious file to be downloaded, decoded into an executable, and run via a shell command. This malicious executable then executed a side loading attack to actually launch the encryption process. Effective anomaly detection could have shut down the encrypting process before it got too far, and an alternative approach to using an anti-virus exception would have stopped the attack when it tried to execute the downloaded executable.
A collective reconsideration of how we protect networks and endpoints is overdue
This latest attack from REvil confirms the obvious – the business of ransomware is here to stay. Whether it is REvil, a spinoff from REvil, or an entirely new organization that is inspired by REvil’s success, a collective reconsideration of how we protect networks and endpoints is overdue. It has become standard practice to disable security software in order to enable functionality, rather than demanding the opposite – that software declare its intended behaviors in order to enable security software to detect anomalous behavior.
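One way to make “software declares its intended behaviors” concrete is a declared-behavior manifest for the management agent, checked against endpoint events. The following is an added example, not Kaseya’s or Mobile Helix’s code; the manifest, the agent name “patchagent.exe”, and the event records are all constructed. It flags the chain described above (a downloaded file decoded and run via a shell) even when an anti-virus exclusion covers the download directory.

```python
"""Declared-behavior check for a patch agent (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int
    parent: str      # process that performed the action
    action: str      # "write" or "exec"
    target: str      # file written, or executable launched


# Constructed manifest: what the agent declares it will do on an endpoint.
MANIFEST = {
    "agent": r"C:\Program Files\PatchAgent\patchagent.exe",
    "write_dirs": [r"C:\ProgramData\PatchAgent\downloads\\"],
    "exec_allowed": [r"C:\Windows\System32\msiexec.exe"],
    "shells": [r"C:\Windows\System32\cmd.exe",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"],
}


def check_events(events, manifest=MANIFEST):
    """Return (seq, reason, target) for each event outside the declared behavior.

    Simplification: lineage is tracked by executable path rather than PID,
    so any process the agent (or its children) launched counts as the agent.
    """
    agent = manifest["agent"].lower()
    allowed = {p.lower() for p in manifest["exec_allowed"]}
    shells = {p.lower() for p in manifest["shells"]}
    write_dirs = [d.lower().rstrip("\\") + "\\" for d in manifest["write_dirs"]]
    lineage = {agent}
    findings = []

    for ev in events:
        parent, target = ev.parent.lower(), ev.target.lower()
        if parent not in lineage:
            continue  # not the agent's doing; outside this manifest's scope
        in_download_dir = any(target.startswith(d) for d in write_dirs)

        if ev.action == "write":
            if not in_download_dir:
                findings.append((ev.seq, "write outside declared directories", ev.target))
            continue
        if ev.action != "exec":
            continue

        lineage.add(target)  # children inherit the agent's lineage
        if target in shells:
            findings.append((ev.seq, "agent spawned a shell", ev.target))
        elif target not in allowed:
            reason = ("runs a file it downloaded itself" if in_download_dir
                      else "undeclared executable")
            findings.append((ev.seq, reason, ev.target))
    return findings


# Constructed event stream: a legitimate patch, then a decoded payload run via cmd.
AGENT = MANIFEST["agent"]
CMD = MANIFEST["shells"][0]
DL = r"C:\ProgramData\PatchAgent\downloads\\".rstrip("\\") + "\\"
SAMPLE_EVENTS = [
    Event(1, AGENT, "write", DL + "kb-update.msi"),
    Event(2, AGENT, "exec", MANIFEST["exec_allowed"][0]),   # declared: fine
    Event(3, AGENT, "write", DL + "payload.bin"),           # allowed dir: fine
    Event(4, AGENT, "exec", CMD),                           # finding: shell
    Event(5, CMD, "write", DL + "payload.exe"),             # decode step
    Event(6, CMD, "exec", DL + "payload.exe"),              # finding: runs download
]

if __name__ == "__main__":
    for finding in check_events(SAMPLE_EVENTS):
        print(finding)
```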
A system of specific access vs. access to the entire network
Our LINK system is architected with this last principle in mind. Rather than assume that all mobile devices need access to the company network (e.g., via VPN), LINK assumes that only a small number of applications and data repositories should be mobilized. To configure LINK, IT specifies exactly what intranet applications, email servers, and file repositories (Document Management Systems, OneDrive, SMB shares, etc.) should be accessible from a mobile device, and this specification is role-based so that IT can take a pessimistic approach to mobile access (i.e., you can’t access anything unless permission is explicitly granted to you). LINK also uses multiple, independent layers of authentication – SSL certificates to authenticate the device, then traditional password-based authentication if the SSL authentication succeeds. Finally, each LINK installation acts as its own certificate authority for the purposes of SSL authentication. Hence, stealing a certificate for one installation does not grant access to any other installations.
As we expand LINK beyond mobile, our goal is to promote a different approach to endpoint computing. This approach starts with the idea that users, applications and data need to be integrated explicitly, rather than implicitly. This creates a work environment that is easily encapsulated, encrypted, and protected with limited entry points and exit points to move data in and out of this environment. While no approach is perfect, the more explicit we are about how users, applications, and data interact, the better chance we have to stop the ransomware business before it expands any further.
iOS has solid encryption, there is no backdoor, hence, your firm’s data is safe under lock and key, correct? Not necessarily. Enlightening new research by cryptographers at Johns Hopkins University (1) has surfaced weaknesses in the iOS and Android encryption schemes. Ironically, in the case of iOS, part of the weakness is related to a security hierarchy which is often unused.
“Apple provides interfaces to enable encryption in both first-party and third-party software, using the iOS Data Protection API. Within this package, Apple specifies several encryption “protection classes” that application developers can select when creating new data files and objects. These classes allow developers to specify the security properties of each piece of encrypted data, including whether the keys corresponding to that data will be evicted from memory after the phone is locked (“Complete Protection” or CP) or shut down (“After First Unlock” or AFU) …
… the selection of protection class makes an enormous practical difference in the security afforded by Apple’s file encryption. Since in practice, users reboot their phones only rarely, many phones are routinely carried in a locked-but-authenticated state (AFU). This means that for protection classes other than CP, decryption keys remain available in the device’s memory. Analysis of forensic tools shows that to an attacker who obtains a phone in this state, encryption provides only a modest additional protection over the software security and authentication measures described above.” (JHU – bold is our addition)
The reality is that most of our iPhones are commonly in “After First Unlock” state because we rarely reboot our phones. To achieve maximum security, we would have to power down our iPhones and authenticate after each use. That is, scores or hundreds of times per day. Otherwise, all data in the AFU state is vulnerable to law enforcement agencies or criminals with the right forensic tools. As the Hopkins researchers noted, “Law enforcement agencies, including local departments, can unlock devices with Advanced Services for as cheap as $2,000 USD per phone, and even less in bulk, and commonly do so.”
“There’s great crypto available, but it’s not necessarily in use all the time,” says Maximilian Zinkus, Johns Hopkins University. The Hopkins researchers also extended their analysis to include the vulnerability of iCloud services and device backups:
Device owners may take actions to ensure greater security. Apple Insider cites a few user actions including: Use SOS mode; use the setting which locks iOS devices after 10 failed login attempts; and don’t use iCloud back-ups. But these user-optional mitigations are not adequate for enterprise security, and they don’t address the forensic techniques used to steal data in the AFU state. Enterprises need systematic approaches across all firm-managed devices.
Why Secure Containers Are Needed
Sophisticated attackers and government agencies have a variety of tools at their disposal to extract sensitive data from a seized or stolen device. The preponderance of evidence shows that law enforcement is largely successful in cracking open a device and extracting sensitive information as needed. Evidence further suggests that these techniques are ported to even the latest iOS versions and devices (take a close look at https://www.grayshift.com/ – they offer the state-of-the-art in device forensics). What can you do to truly protect sensitive data? The built-in capabilities of the operating system are not sufficient.
Secure containers provide an additional layer of encryption by implementing an entirely independent encryption mechanism to protect data. To examine the protection offered by secure container apps, we will refer to our LINK app in this discussion. LINK uses its own independent encryption scheme, built on its own encryption technology rather than the operating system’s. In other words, the LINK encryption software stands entirely independent from the operating system, regardless of whether that operating system is intact or compromised. As long as encryption keys are protected well, secure containers can provide the kind of locked-down encryption that law firms want to protect email and documents, which encapsulate a large majority of a firm’s most sensitive data.
LINK’s data protection exceeds iOS in a few significant ways:
LINK is an app, and iOS apps are routinely removed from memory. Hence, while LINK does necessarily keep encryption keys in memory when the app is active, once the app is removed from memory its encryption keys are too. This stands in contrast to iOS’ “AFU” encryption.
LINK allows IT to identify data that is only accessible when the device is online. This makes it awfully difficult to get the encryption keys for that data, especially once the device has been identified as lost or stolen and flagged for a remote wipe.
LINK’s online encryption keys are really hard to guess. Offline keys are hard to guess too, as long as your organization uses complex A-D passwords. Online keys are not derived from a user’s passcode or even a user’s A-D password. LINK’s encryption keys are derived from randomized 32-character strings that are generated on the LINK servers using entropy available on the server. Brute-forcing the key derivation is unlikely to work, which means an attacker would have to compromise the LINK Controller that sits safely inside our customers’ networks, then break the encryption scheme protecting sensitive data stored in our Controller database. Getting LINK data is a lot more complicated than stealing or seizing a mobile device.
LINK aggressively limits the amount of data available on the device, online or offline. We do so by simply expiring away data that sits unused on the device. This is a really simple way to limit exposure without much practical impact on a user. Users can always go back to their email (via search) or to the document management system to find what they were working on. There is no practical reason to store lots of old, unused data on a device that is easy to steal and, as it turns out, compromise once stolen.
LINK’s data is useless when obtained from an iCloud backup or a local backup to a Mac device. LINK’s encryption keys are never backed up. An attacker’s best hope is to brute force both the iOS device passcode and the user’s A-D password before IT notices that the device is lost or stolen. This is incredibly difficult to accomplish given Apple’s built-in protections against brute-forcing passcode and given a reasonably complex, hard-to-guess A-D password.
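The distinction drawn above, between keys derived from a human password and keys derived from a server-minted random string, can be shown with two derivation paths side by side. This is an added example, not LINK’s implementation; the PBKDF2 round count, the HKDF info label, and the salts are assumptions, and the search-space figures are for the alphabets named in the code.

```python
"""Offline (password-derived) vs online (server-secret-derived) keys.

Added example with assumed parameters; not Mobile Helix's code. The offline
key is only as strong as the A-D password behind it; the online key is
derived from a 32-character random string minted on a server with its own
entropy and never typed by a user.
"""
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
SECRET_LENGTH = 32                                # 32-character server string
PBKDF2_ROUNDS = 600_000                           # assumption
HASH_LEN = 32                                     # SHA-256 output size


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits an attacker must search for a uniformly random string."""
    return length * math.log2(alphabet_size)


def generate_server_secret(length: int = SECRET_LENGTH) -> str:
    """Random string from the server's CSPRNG (secrets), one symbol per draw."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = HASH_LEN) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_offline_key(ad_password: str, salt: bytes) -> bytes:
    """Password-stretched key: slow on purpose, but bounded by password strength."""
    return hashlib.pbkdf2_hmac("sha256", ad_password.encode("utf-8"), salt,
                               PBKDF2_ROUNDS, dklen=HASH_LEN)


def derive_online_key(server_secret: str, device_salt: bytes) -> bytes:
    """Key from high-entropy server material; no stretching needed."""
    return hkdf_sha256(server_secret.encode("utf-8"), device_salt,
                       b"example online data key")   # assumed info label


def compare_search_spaces() -> dict:
    """Whole-bit search-space sizes for the inputs each key ultimately rests on."""
    return {
        "6-digit passcode": int(search_space_bits(10, 6)),
        "8-char A-D password": int(search_space_bits(62, 8)),
        "32-char server secret": int(search_space_bits(62, SECRET_LENGTH)),
    }


if __name__ == "__main__":
    print(compare_search_spaces())
    print(derive_online_key(generate_server_secret(), b"device-salt-example").hex())
```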
The JHU research simply reminds us that Apple’s interests diverge widely from those of an individual law firm. Apple has to balance the needs of law enforcement and users to make data accessible while still providing a reasonable degree of protection. Law firms’ best interests lie in maximally protecting data against unauthorized access. In order to achieve this latter goal, Apple’s built-in technology simply won’t suffice.
-Seth Hallem
Seth Hallem is the CEO, Chief Architect, and Co-Founder of Mobile Helix, makers of the LINK App. With LINK professionals can review, annotate, compare, and email files, as well as use the firm intranet, using a single secure container app. www.mobilehelix.com
No. I’m not referring to the now infamous GoDaddy employee $650 holiday bonus email. Employees who responded to the email with the requested information were later informed that they had failed the company phishing test. If you have not yet read that dispiriting story, it’s here.
I am referring to this charming email which I received this morning.
Presumably, that would be warning enough for your employees to hit the “Delete” button posthaste.
If not that, then maybe those over-sized blue bands which overlap the line below would be a tip-off.
(I have obscured the recipient’s email address.)
This is a very good opportunity for me to show you a security feature in our LINK App. When you open an email in LINK you will always see the alias and below it the sender’s email address. You don’t have to tap or do anything else to display the email address. It’s there.
In this case the alias is the aforementioned, “Mobilehelix passwordexpiration.”
If your employee were uncertain as to whether to hit that “Delete” button, I think that seeing that the email is from “[email protected]” would be the icing on the cake. This email is definitely not from the company IT department. Delete.
We are serious about security at Mobile Helix. Much of what we build into the LINK system, such as certificate-based device registration in the new user registration process, is behind the scenes. It’s invisible to your employee and works in the background.
But this security feature is designed to help your employees to be watchdogs for senders with devious intentions. 90% of organizations experienced targeted phishing attacks in 2019. Humans are the weakest link. This is one simple tool to help all of us to be vigilant.
-Maureen
Originally published in LinkedIn on December 28, 2020
We are receiving more and more requests to Send-and-File to iManage and NetDocuments. Our LINK app has done this for years.
Filing email to DMS is becoming important from a governance perspective. Not only do law firms want emails to be accessible in DMS with the Matter, but some law firms also want to reduce the risk of keeping years of email in Outlook. One of our law firm customers deletes all email at the 90-day mark. Truly. Another firm archives all email after 90 days. Retrieving email from the archive is possible but time-consuming. Therefore, filing to DMS becomes more attractive to attorneys.
Even without such law firm email policies, filing email to the Matter is increasing. The key is that filing to DMS needs to be easy.
But Send-and-File on mobile devices is rare. It requires a tight integration of DMS and Email, as well as comprehensive security to protect confidential client data. LINK provides both the easy workflow and the security. Draft the email, tap Send, then tap a Recommended, Recent, or DMS folder to file.
LINK has predictive filing, too. LINK learns where you file a certain correspondent’s email and will show you Recommended, Recent, and DMS folders. In many cases you can file to one of these folders with a single tap.
New in LINK, the attorney can now go to the LINK email settings to turn Send-and-File on or off by default. The attorney can also toggle Send-and-File off and on, per individual email by tapping the envelope icon in draft email. When the envelope is green, Send-and-File is on.
Watch this brief video to see all of LINK’s Send-and-File features.
Here is a great new feature in LINK which I use several times a day. When you open a web page in the LINK app using LINK’s browser, you can now tap the familiar Safari button to open the page in the device’s Safari browser.
You can open a link in an email, or in a document, or from an application page, then tap the Safari button to open the page outside of LINK. Here is an example.
Tap on a link in an email.
The page opens in LINK’s browser; tap the Safari button.
The page opens in Safari; tap “Link” to return to the LINK app.
I use the Safari button when I receive a link to an uncommon video conference or signature service (we test the popular ones in the LINK browser), or when a page is not rendering correctly. I also use the Safari button when I want to read something, but not now. I open it in Safari. It stays open in Safari. Then I can go back to LINK and continue working.
Sound good? Here are other benefits of the Safari button:
Safari is where you do your personal browsing. If you are logged in to nytimes.com, for example, those cookies are cached in Safari. If you click a hyperlink in Link, your cookies/password manager are not available to you. Better to just browse in Safari.
The LINK browser routes all traffic through your office network. The Safari button allows you to move all personal web browsing into your personal browser. This (a) keeps your work network safe, and (b) prevents web proxies that your company establishes from intercepting and monitoring your traffic. It is a simple matter of employee privacy – you should always have the ability to keep your personal business personal.
Native Safari has special capabilities that LINK does not. In particular, Safari has knowledge of all the apps on your device and many sites will use this capability to automatically launch a mobile app, rather than continuing to view a website in the browser. Safari also has a few important features that are not implemented in LINK’s browser. Chief amongst them is WebRTC, which is a protocol for real-time applications like in-browser video conferencing.
IT can control when Link automatically pushes hyperlinks clicked in email to the native Safari browser. For example, IT can configure Facebook links to automatically open in Safari outside of the LINK container.