How to manage your client’s data responsibly


1 How to manage your client’s data responsibly
Protect your clients from fraud and identity theft, and protect their confidential information
Jeremiah Cruz, Nick Kavadias, Gabor Szathmari
Marbury Chambers, CryptoAUSTRALIA, 2/11/2018

2 Who is CryptoAUSTRALIA
A not-for-profit started by security and privacy enthusiasts. We have nothing to do with Bitcoin, so please stop asking. We are about finding practical ways of dealing with modern privacy and security challenges. We are looking for sponsors in order to continue our work and research. This may be a new concept to lawyers, but we are running these events for free*.
* This presentation does not constitute cybersecurity advice.

3 Who is Marbury Chambers

4 Tonight’s speakers
Self promotion..
Jeremy – Network Security Expert
Nick – Solicitor and Technologist
Gabor – Cybersecurity Expert

5 We know how to internet…
Interact with us in the digital world… @CryptoAustralia #cryptoaus

6 What we are covering tonight…
Phishing and BEC fraud
Password security (2FA and password reuse)
100 point checks & ID verification
Document conversion practices
Secure document sharing practices
Data disposal & physical security (dos and don’ts)
Metadata in documents
What to do post-breach 🙏

7 Phishing and Business Email Compromise
They go hand in hand

8 What is BEC fraud?
Social engineering / spear phishing: “I am the CFO, pay this invoice urgently”
Display name spoofing – same name as the CFO, but not the real email address (typically a free webmail account)
Email address spoofing – same name and email address as the CFO, but a different Reply-To address
Account compromise – the real account is broken into (credentials from a data breach, or spear phishing)
Impersonation: “Our payment details have changed, use this bank account instead”
One of your staff’s mailboxes is compromised
One of your vendors’ mailboxes is compromised
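Added example, not from the slides: a small Python check over a message’s From and Reply-To headers that flags the three BEC patterns listed above (display-name spoof, free webmail sender, diverted Reply-To). The sample messages, the trusted-sender directory and the free-webmail list are constructed for the demo.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed samples (not real messages): a display-name spoof with a diverted Reply-To,
# and a genuine internal message for comparison.
SAMPLE_SPOOF = b"""From: "Jane Smith" <jane.smith.cfo@gmail.com>
Reply-To: "Jane Smith" <accounts@invoice-portal.test>
To: clerk@ourfirm.test
Subject: Urgent invoice

Please pay this invoice today.
"""
SAMPLE_OK = b"""From: "Jane Smith" <jane.smith@ourfirm.test>
To: clerk@ourfirm.test
Subject: Lunch

See you at 12.
"""

# Hypothetical directory: executive display names and the domains they really send from.
TRUSTED_SENDERS = {"jane smith": {"ourfirm.test"}}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def check_bec_indicators(raw: bytes) -> list:
    """Return the BEC warning signs found in a message's headers (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    # 1. Display name spoofing: a known executive's name, but not their real domain.
    trusted_domains = TRUSTED_SENDERS.get(name.strip().lower())
    if trusted_domains and from_domain not in trusted_domains:
        findings.append(f"display-name spoof: '{name}' sent from {from_domain}")
    # 2. "Same name as the CFO, but from a free webmail account".
    if from_domain in FREE_WEBMAIL:
        findings.append(f"free webmail sender: {from_domain}")
    # 3. Address spoofing with a different Reply-To: replies go somewhere else.
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"reply-to mismatch: {addr} vs {reply_to}")
    return findings
```

Account compromise (the third variant on the slide) leaves these headers clean, which is why the slides push 2FA rather than header inspection as the main defence.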

9 How does BEC affect my practice?
Financial loss – direct & indirect. Could it be enough to put you out of business? Litigation, insurance premiums, system remediation, investigation
Notifiable Data Breach – if an account is compromised, the incident is reportable to the OAIC; fines?
Reputational damage – negative media coverage & Twitter rage
PI / PL insurance won’t protect your business from these financial losses

10 The biggest cyber security threats in 2018
Ransomware
Phishing
Business Email Compromise (BEC)*
Data breach
Identity theft
Good security practices reduce the risk of multiple threats. For a generic list of threat mitigations, refer to the ASD Essential 8.
We do not want to go into a detailed discussion; these are in-depth topics in their own right. Just know they are the threats good cybersecurity practices are aimed at minimising.
Phishing – social engineering attacks by email. They entice users to click on malware, or go to fake login pages and give away credentials.
Ransomware – malware which encrypts files and holds them to ransom. It can get onto your devices by phishing, or by spreading through infected systems if you have a system which is unpatched.
Business Email Compromise fraud – cybercriminals using social engineering techniques with the goal of redirecting payment instructions, either to or from a client, into a fraudster’s money mule bank account.
Data breaches – stolen usernames/passwords, financial data, identity data and confidential documents, sold on the dark web for $$.
*9 Billion dollar industry in

11 Secret: “hackers” log into your webmail

12 Password hygiene
Websites get hacked. People reuse the same email and password across multiple online accounts. D’oh!

13 Haveibeenpwned Do you have leaked passwords?

14 Meanwhile on SpyCloud

15 Secret: “hackers” log into your webmail

16 Solution: Use Two-factor authentication
If you only do one thing to improve your cybersecurity posture, it should be to turn on 2FA for your email.
Authenticator apps are better than SMS. A YubiKey is even better.
Advice evolves with threats and as criminals become more sophisticated, e.g. 2FA via SMS can be attacked with SIM swapping.

17 Two-factor authentication
Most powerful defence from:
Crappy passwords (Letmein1)
Stolen passwords (phishing)
Leaked passwords (reuse)

18 Two-factor authentication

19 Why do we have just a few passwords?
Problems: too many passwords to remember, and has my password leaked in a data breach? Password managers solve both.

20 Password hygiene – Wallets
Remember a single password only: LastPass, 1Password, Dashlane, RoboForm

21 1Password has partnered up with haveibeenpwned
You will be notified by 1Password if any of your stored passwords are exposed in a future data breach.

22 100 Point ID Checks

23 Personal Information and Verification of Identity (VOI)
DATA LEAKS EVERYWHERE!
100 point ID checks
VOI required by NSW conveyancing rules since 2016
Scan-to-email devices (bonus: unencrypted traffic)
Images stored on the copier HDD
Documents sent/received over email
Asking clients to email you ID for a 100 point check
100 point ID check laws came in the 1980s, not the connected world we live in today. Copies of IDs are safer kept on paper in filing cabinets.
VOI required for NSW conveyancing by the NSWLRS rules

24 Bad practices - VOI checks
Don’t ask for scanned documents to be sent over email! Mailbox compromise = Notifiable Data Breach
Many scan-to-email office devices are also insecure
Rely on VOI providers instead: secure smartphone app and web portal

25 Bad practices

26 Document Conversion

27 Manage client data responsibly: Document conversion?
DOCX =>PDF PDF =>DOCX OCR?

28 Bad practices - Online document conversion
Online2PDF.com, freepdfconvert.com... They provide a convenient service to convert documents to PDF


30 Bad practices - Online document conversion
Online2PDF.com, freepdfconvert.com... Who’s behind the service? What happens to your documents? Why would you upload sensitive documents to random strangers?

31 Manage client data responsibly: Document conversion?
Who’s behind the service? What happens to your documents? Why would you upload sensitive documents to random strangers? Source:

32 Online document conversion
Convert documents offline with Adobe Professional

33 Secure document sharing practices

34 Bad practices - Document sharing over emails
Problem statement: Your file attachments and embedded download links remain in your ‘Sent’ folder forever, waiting for a hacker to log in and download them.

35 Bad practices - Document sharing over cloud-based file storage services
File sharing with Dropbox, OneDrive or a random service: download links are valid forever. Mailbox gets hacked → links are still live.

36 Transferring sensitive documents securely
Send web links instead of file attachments where appropriate. Use expiring web links. Services: Google Drive, Sync.com, Tresorit...

37 Bad practices

38 Transferring sensitive documents securely
(currently in pilot) Password protect. Link expires after 1 to 20 downloads, or 24 hrs (you pick).
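Added example, not the pilot service’s own code: how an expiring, download-capped link can be issued as an HMAC-signed token, so a link copied out of a hacked mailbox stops working after its lifetime or its download allowance. The secret key and document id are constructed; the server still has to keep the per-token download counter itself.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key: a real service loads this from a secrets store and never hard-codes it.
SECRET_KEY = b"constructed-demo-key-not-for-production"
MAX_DOWNLOADS = 20  # the slide's upper bound: a link is good for 1 to 20 downloads


def make_link(doc_id: str, ttl_seconds: int, max_downloads: int, now: Optional[int] = None) -> str:
    """Issue a link token binding document id, expiry time and download cap with an HMAC tag."""
    now = int(time.time()) if now is None else now
    cap = max(1, min(max_downloads, MAX_DOWNLOADS))
    payload = f"{doc_id}|{now + ttl_seconds}|{cap}"  # doc_id must not contain '|'
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{tag}".encode()).decode()


def verify_link(token: str, downloads_so_far: int, now: Optional[int] = None) -> Optional[str]:
    """Return the document id if the token is authentic, unexpired and under its cap, else None.

    downloads_so_far is the server-side counter for this token; the link itself cannot count.
    """
    now = int(time.time()) if now is None else now
    try:
        doc_id, expires, cap, tag = base64.urlsafe_b64decode(token.encode()).decode().split("|")
    except ValueError:  # bad base64, bad UTF-8 or wrong number of fields
        return None
    expected = hmac.new(SECRET_KEY, f"{doc_id}|{expires}|{cap}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # forged or tampered token
        return None
    if now >= int(expires):  # past the 24-hour (or chosen) lifetime
        return None
    if downloads_so_far >= int(cap):  # download allowance used up
        return None
    return doc_id
```

The password-protect option on the slide is a separate check the server applies after the token verifies; it is not encoded in the link.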

39 Transferring documents securely

40 Storing documents securely
Cloud file storage – who is your adversary?
Hackers? – Dropbox, G Drive, OneDrive + two-factor authentication turned on
Government? – End-to-end encrypted service: Sync.com, Tresorit
Encrypt your disks, USB flash drives and smartphones:
BitLocker – Windows 10 Professional
FileVault – Mac
Android supports disk encryption
On iOS disk encryption is turned on by default

41 Data disposal

42 Prudent data disposal practices
Laptops, computers: magnetic disks: overwrite (DBAN); SSD: physical destruction
USB flash drives: physical destruction

43 Prudent data disposal practices (cont’d)
iPhone: factory reset
Android*: encrypt device, remove storage and SIM cards, factory reset, remove from Google account
Phones (SD card): physical destruction

44 Physical security (dos and don’ts)

45 Physical security (dos and don’ts)
Shredding documents: diamond cut shredder, or a secure document disposal service (they can securely dispose of digital media for you as well)
Digital certificates (e.g. PEXA key): leave them unplugged when not in use; cut the built-in smart card in half to dispose of it

46 Good document management practices
Metadata issues

47 Metadata in Documents: What can go wrong?
1. Disclosure of instructions: comments, tracked changes
2. Identification of personnel: disclosure of an author or commentator who wishes to be anonymous; metadata from multiple authors, silent partners

48 What can go wrong? (cont’d)
3. Disclosure of former or existing clients: everyone is using templates – recycled documents
4. Embarrassment: nasty comments left in a document that was supposed to be private

49 Recent decision where metadata was the turning point:
Wadler v Bio-Rad Laboratories. Sanford Wadler, general counsel – his employment was terminated for whistleblowing. The employer claimed erratic work and workplace outbursts, and introduced as evidence an unfavourable performance review (a document). The document’s metadata established that the performance review was created one month after the employee was terminated. Jury awarded $8 + $5m in damages.

50 Metadata in legal documents
Office documents: track changes, comments, hidden content

51 Removing metadata - Tooling
Adobe’s Redact Tools
Windows Explorer – File Properties
Workshare Secure – integrates with MS Exchange
Payne Group Metadata Assistant 5.0 – compatible with MS Office and Windows. Integrates with document management systems and email clients – thepaynegroup.com
cleanDocs – removes metadata from Word, Excel, PDF – docscorp.com
BEC MetaReveal – MS Office and MS Outlook – beclegal.com
Litera Microsystems Metadact
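Added example, not any of the tools above: a Python scanner that reports what the metadata slides warn about in a DOCX (author names in the core properties, comments, tracked changes and hidden text), run over a minimal constructed document. The client and partner names in the sample are made up.

```python
import io
import re
import zipfile

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"


def scan_docx_metadata(data: bytes) -> dict:
    """Report what a DOCX would disclose: author names, comments, tracked changes, hidden text."""
    authors = set()
    report = {"comments": 0, "tracked_changes": 0, "hidden_text": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:  # a DOCX is a zip of XML parts
        parts = {name: z.read(name).decode("utf-8", "replace") for name in z.namelist()}
    core = parts.get("docProps/core.xml", "")
    for tag in ("dc:creator", "cp:lastModifiedBy"):  # who created / last saved the file
        authors.update(re.findall(rf"<{tag}>(.*?)</{tag}>", core))
    comments = parts.get("word/comments.xml", "")
    report["comments"] = len(re.findall(r"<w:comment\b", comments))
    body = parts.get("word/document.xml", "")
    report["tracked_changes"] = len(re.findall(r"<w:(?:ins|del)\b", body))  # insertions/deletions
    report["hidden_text"] = len(re.findall(r"<w:vanish/>", body))  # runs formatted as hidden
    for xml in (comments, body):  # every comment and tracked change carries its author's name
        authors.update(re.findall(r'w:author="([^"]*)"', xml))
    report["authors"] = sorted(authors)
    return report


def build_sample_docx() -> bytes:
    """Constructed minimal DOCX (not a real client file) showing the problems the slides list."""
    core = (f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
            '<dc:creator>Former Client Pty Ltd</dc:creator>'
            '<cp:lastModifiedBy>Silent Partner</cp:lastModifiedBy></cp:coreProperties>')
    body = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
            '<w:ins w:author="Silent Partner"><w:r><w:t>Settle for no more than $1m.</w:t></w:r></w:ins>'
            '<w:del w:author="Partner A"><w:r><w:delText>old wording</w:delText></w:r></w:del>'
            '<w:r><w:rPr><w:vanish/></w:rPr><w:t>hidden note</w:t></w:r>'
            '</w:p></w:body></w:document>')
    comments = (f'<w:comments xmlns:w="{W_NS}"><w:comment w:id="0" w:author="Partner A">'
                '<w:p><w:r><w:t>Client is difficult, bill accordingly</w:t></w:r></w:p>'
                '</w:comment></w:comments>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", body)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()
```

Run the scanner over a real file with `scan_docx_metadata(open("draft.docx", "rb").read())`; a non-empty report is the cue to clean the document before it leaves the firm.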

52 Removing metadata – More information
Law Society Journal – 2018 March – page 76 Helen Brown: Why it’s time to wise up about metadata

53 What to do when you get hacked 🙏
Disconnect your computer from the Internet and stop using it
Contact your MSP and have cloud account passwords reset
Notify Lawcover – they have an incident response team
Checklist: ncil/images/cyber/CP-What-to- Do.pdf

54 Summary
Use 2FA and don’t reuse your password
Use a VOI provider for identity checks
Share documents with expiring links
Dispose of data securely
Shred documents & protect digital certificates
Remove metadata as appropriate
Notify Lawcover when the house is on fire

55 Where to get help
Law Council of Australia Cyber Precedent – a great learning resource
Law Council cyber-attack checklist
Lawcover crisis management team can help you clean up the mess
Victim of identity theft? Contact IDCARE, an NFP helping people
Have a conversation with your IT service provider, or staff. Use these slides as a talking point!

56 “You don't have to run faster than the bear to get away
“You don't have to run faster than the bear to get away. You just have to run faster than the guy next to you.”

57 Get updates: Next workshop: @CryptoAustralia #cryptoaus

