San Diego Lawyer May/June 2018


BY BILL KAMMER

TECHNOLOGY

Technology Gumbo

Recent events serve up cautionary reminders

There have been many recent developments deserving mention, but singling out one for full-column treatment doesn’t make sense. Better to give each a brief mention. For instance, in mid-May, the FBI warned of a compromise that involved Russian malware inserted into home and small office routers. Perhaps 900,000 units were affected, and they include ones manufactured by prominent companies such as Linksys and Netgear. The malware can collect information by reading all internet activity on the network, including login credentials. The FBI and security firms urgently recommend that owners reboot their routers to avoid problems. Although Apple products do not appear to be implicated, good advice would probably be for everyone to reboot their routers now and ensure that all updates are installed and that effective passwords are being used.

Similarly, security firms recently reported that they had found malware in the firmware of 141 low-cost Android smartphones and tablets. Though these crooks appear to be interested in generating click revenue by inserting ads, the malware is still a problem to be dealt with. Many attorneys and staff members have network access to confidential information, and at least some may have low-cost phones that could be infected. This is another threat to our obligation to keep secret the sensitive and confidential information we possess and store.

Passwords remain a continuing problem because users still prefer simple, easy-to-remember passwords. The popularity of passwords such as “123456” and “password” itself has declined, but many still continue to use them. There have been many compromises of substantial databases of confidential information that now reside on the dark internet. haveibeenpwned.com is the recommended check for the compromise of your email address, but now its author, Troy Hunt, has launched a companion site to determine whether a password has ever been compromised, regardless of who was using it. The website, haveibeenpwned.com/passwords, operates against a base of over 500 million pwned passwords. The National Institute of Standards and Technology (NIST), the federal agency, recommends that network owners check all passwords of staff and employees against that database. If a password in current use is in that database, the owners should insist on a change.

No single measure will provide a perfect defense, and we should use a layered security barrier. Most recommend password managers, VPNs such as TunnelBear, and two-factor authentication (2FA). The most popular password managers remain LastPass and 1Password. 2FA is mandatory in many law offices and on many financial websites. You log in with your password and request a code sent to your mobile device or dongle. Subsequent entry of that code at the visited website allows full access to the sensitive and financial information located there.

You may have noticed recent, frequent requests to update your mobile device applications and to respond to messages requesting confirmation of your email subscriptions and preferences. Most of us routinely accept the terms and conditions we are presented with. However, these recent requests result from the May 25 effective date of the GDPR, the European mandate for protecting private information and ensuring its judicious collection and storage. Any company with worldwide operations, such as Facebook or Twitter, is requesting permission from all its worldwide users and updating its applications. Although the primary emphasis of GDPR is the protection of the information of European citizens, slowly but surely, its provisions will affect internet, storage, and mailing list protocols in the U.S. Moreover, after the Facebook debacle, there is already renewed American interest in the establishment of data protection protocols, providing us all with the privacy of information we probably expected but never received. Commentators advise us to read carefully the content of the recent permission requests. Careful review may make you wonder why a flashlight app wants access to your address book or calendar information.

We’ve discussed before the Internet of Things, the internet linking of devices such as baby cams, Ring doorbells, Nest thermostats, home speakers, and voice-activated assistants such as Amazon’s Echo. Several weeks ago, an Oregon couple was shocked to learn that their Alexa device had recorded their private conversations and then emailed a transcript to a third-party contact. Closer to home, SDG&E recently reported that government agencies had subpoenaed smart-meter data from 480 homes and businesses.

Continued on page 42
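As an added illustration that is not part of the original column, the staff password check described above can be run offline against a local list of breached-password SHA-1 hashes, so no password leaves the office network. The `HASH:count` line layout, the function names, the prefix bucketing and the sample accounts are all assumptions constructed for this example.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # assumption: bucket width chosen for this example


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_corpus(lines):
    """Parse 'SHA1HEX:count' lines into {prefix: {suffix: count}}."""
    buckets = defaultdict(dict)
    for raw in lines:
        digest, _, count = raw.strip().partition(":")
        digest = digest.upper()
        if len(digest) != 40 or not count.isdigit():
            continue  # skip blank or malformed lines
        buckets[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = int(count)
    return buckets


def breach_count(password, buckets):
    """Times the password appears in the corpus; 0 if it is not listed."""
    digest = sha1_hex(password)
    return buckets.get(digest[:PREFIX_LEN], {}).get(digest[PREFIX_LEN:], 0)


def audit(accounts, buckets):
    """Return {account: times_seen} for accounts whose password must change."""
    counts = {name: breach_count(pw, buckets) for name, pw in accounts.items()}
    return {name: seen for name, seen in counts.items() if seen > 0}


# Constructed sample data: a tiny stand-in corpus and made-up accounts.
SAMPLE_CORPUS = [
    f"{sha1_hex('123456')}:1000",
    f"{sha1_hex('password')}:500",
    "not-a-hash-line",
]
SAMPLE_ACCOUNTS = {
    "associate": "123456",
    "paralegal": "password",
    "partner": "violet-Harbor-94-kettle",
}

if __name__ == "__main__":
    for name, seen in audit(SAMPLE_ACCOUNTS, load_corpus(SAMPLE_CORPUS)).items():
        print(f"{name}: password seen {seen} times in breach data; require a change")
```

The report contains only account names and counts, never the passwords themselves.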

