Heartbleed and Passwords: What Lawyers Need to Know

Heartbleed (a cooler name for a computer bug was never found!) has blown our sense of Internet security. Not only did it leave a wee backdoor open on nearly any site using OpenSSL, giving hackers potential open season on collecting your passwords to many of the sites you use regularly, but it potentially made your clients’ information vulnerable as well — especially if you use the same passwords on multiple sites.

What Heartbleed looks for is temporary memory. That means anything that you accessed while you worked or played on the computer: passwords, sites visited, cookies downloaded, and files opened.

According to a Lawyerist post on Heartbleed, low security level sites do not require logins and generally do not encrypt files. They are not affected by Heartbleed. High security sites (like financial institutions and credit card companies) have higher standards of security and are generally not impacted by Heartbleed. The ones to be concerned about this time are the medium security sites that do require logins or process payments and use OpenSSL as their security protocol. About two-thirds of the Internet is medium security level, and therefore potentially vulnerable to Heartbleed. (But don’t hold that against them. It could be another bug or virus affecting another security level any day. The real question is how fast they respond and patch, and how successful the patch is.)

What should you do?

1. Make a list of all the sites you access with passwords. Check it against a website list or apps list of those affected by Heartbleed if it is a major product. Determine if a patch has been created and implemented yet. If you cannot tell, check if the site is vulnerable. Note: myWSBA was not affected. 
2. If a patch has been implemented, change your password. Don’t change it to the same things you always use. Start using weird passwords that are different from each other. But you will need to use different passwords for every site and change them frequently. Yes, random ones are harder to remember. (See number 4.)
3. Even if it is an unaffected site, change your password if it matches any of the passwords you used on an affected site.
4. Sign up for a password manager. Sites like these generate strong passwords for each of your sites and store them for you in an encrypted file that has one master password. LastPass, 1Password, and Dashlane come highly recommended, but the choices are wide and varied in price and offerings.
5. If you are like me, you may find yourself still worried someone could hack the Password Manager site (yes, most of my ultra-techy friends tell me this is impossible, and that it would never happen. But isn’t that what they said about that little lock that indicated my login was secure?). Look into two-factor authentication for a solution. Many of the products in this blog can work with two-factor authentication.
6. Encrypt like crazy.
   1. First, encrypt your hard drive with a few simple steps. That encrypts your hard drive when you are not logged on.
   2. Second, encrypt your email. Whether you use Outlook, Mac, Gmail, or webmail will determine your encryption method. There are plug-in products that will enhance your security as well, such as Comodo, PDF Postman, Symantec, and GPg4win.
   3. Third, encrypt attachments to your email.
   4. Fourth, encrypt your files in the cloud. Dropbox has its own encryption, but realize that they possess the key and can decrypt at will. BoxCryptor, Viivo, cloudfogger, SafeMonk, and Safebox are companies to look at, though the last two do not have password recovery — so if you lose that key, you are out of luck.
7. Reach out to small businesses that have your secure data to ensure your information is safe, and keep a careful eye on your bank statements and the like.
8. Check sites out before you use them and stay abreast of what is happening. Clio, Mycase, Dropbox, and Netflix were vulnerable and are now patched. So armor up and be ready for the next security breech.

And finally the disclaimer: All of these products are powerful tools that need to be fully researched and implemented carefully. Talk to an information technology specialist first. If you need a referral, the Law Office Management Assistance Program can help. Give us a call at 206-733-5914 or send us an email at lomap@wsba.org.