De-Automate Your Destruction

[Originally published on Slaw.ca, May 2d, 2016]

An Internet connection can automate damage to your law practice and reputation. A lawyer can’t practice without the Internet but there are ways to reduce the opportunities to be attacked. There are common applications that have become so problematic as attack points that lawyers may want to uninstall or at least wall off this software. I’m talking in particular about Adobe’s Flash and Oracle’s Java apps.

There are lots of bugaboos on the Internet but let’s focus on these two. You could throw in PDFs as well, if you like. Cisco’s annual threat report shows that these three make up a significant source of attacks.

Cisco Security Research 2015 report on attack vectors included Flash, Java, and PDF

Cisco Security Research 2015 report on attack vectors included Flash, Java, and PDF

I’ll give PDFs a bit of a pass, if only because the legal profession is so reliant on them. If you haven’t already, change your PDF reader settings (I use Nitro but many people use Adobe Reader) so that a PDF can’t automatically run Javascript. Also, some Web browsers like Mozilla Firefox and Google Chrome have simple PDF readers built-in for online viewing.

A Patch a Day

Adobe Flash had a pretty amazing run. It enabled powerful multimedia capabilities for Web sites. It let you enjoy streaming video, audio, and interactive online games. For a short period, it also was used for Web site navigation menus.

The problem with Flash was that it quickly became a way for you to be attacked. In order to watch streaming media or play that game, you needed an add-on for your Web browser. Your Web browser would then see that there was a Flash resource on the Web page, and open up the Flash Player to play it. Unfortunately, the Flash Player was full of security holes. Adobe’s frequent patching of the player has become a monthly, sometimes weekly activity.

A chart showing the number of patches Adobe issued for each version of Adobe Flash Player over the last 12 months

A chart showing the number of patches Adobe issued for each version of Adobe Flash Player over the last 12 months

The thing about Web browser add-ons is that you don’t activate them, the Web site does. I’d encourage anyone with a bit of time and who uses Mozilla’s Firefox or Google’s Chrome Web browsers to try out one of the many privacy extensions. It’s hard to picture how many things are happening behind the scenes until Disconnect, NoScript, or Privacy Badger starts identifying them. We’re seeing a slow trend – Youtube and Google’s ads are examples – where Flash is no longer being supported. Alternatives using HTML5 are being tested out as replacements for Flash content.

An example of sites making the switch from Flash to HTML5. This one prompts you to try the Beta since Flash support wasn't detected.

An example of sites making the switch from Flash to HTML5. This one prompts you to try the Beta since Flash support wasn’t detected.

I’d recommend uninstalling the Flash Player from your computer. If you use Google Chrome, uninstall the Player from your computer because Chrome has a version built-in that is updated and patched automatically. I prefer Firefox, but I keep Chrome installed for those times when I absolutely can’t use a site without Flash, often when trying to use a data dashboard. If you can’t do without it, use something that stops it from working (like NoScript) until you activate it yourself.

Slow Java Drip

Java was the run everywhere software solution for the Internet. That had its upsides and downside. The downsides being that, if you hit a Web site that had an attack written using Java, it could run, well, anywhere. Unfortunately, it is common to find Windows-based software that uses Java and it is likely that you have a version of it running somewhere in your law firm. That’s not a problem; it’s the browser plugin that comes along with it that is your gateway to trouble.

That’s what happened to me. I expunged Java from my computer only to find out that one utility I use, albeit infrequently, relied on it. I downloaded Java again but this time I turned off its ability to run in Firefox.

What the screen looks like when you disable the Java plugin in Firefox

What the screen looks like when you disable the Java plugin in Firefox

In Firefox, you can deactivate it under your Add-Ons > Plugins. In Chrome, type chrome://plugins in your location bar (where you’d type a Web address) and scroll down to where the Java plugin is listed, clicking on disable next to it.

You’re Still the Problem

As Duncan Watts says, everything is obvious once you know the answer. It makes sense, when you think about it, that disabling and uninstalling software that you don’t use is a safe thing to do. I’m not suggesting that you regularly monitor US-CERT’s top vulnerabilities list; still yet more things to juggle with your day job of trying to run a law practice.

However. US-CERT does have some mitigation strategies and these are things that you can easily turn into habits without doing much.

4 mitigation strategies that any law firm can adopt.

4 mitigation strategies that any law firm can adopt.

In this chart from US-CERT, 2 of them are to keep your software patched. That’s it. Get rid of software you can’t use or patch, and update software you do use. The other two can be automated within Windows. Hit your Windows key and type “user account control settings”. This is a prompt that pops up when a program tries to install; slide it to one of the top two notches if it’s not already there. Recent Windows operating systems force you to run as Administrator so that you normally don’t.

By tightening up your software and using the built-in functionality of Windows, you can practice more safely.