Hackers and cybercriminals have been having a field day recently. Even big oil companies with expansive security budgets can’t keep the bad guys out. In an operation dubbed “Night Dragon” by security company McAfee, Chinese hackers have been targeting several global oil and energy companies since November of 2009, in an attempt to steal sensitive proprietary information about oil and gas field bids and operations. You would think that oil companies would have first class security and defense-in-depth. Apparently, not so.

Law firms should take these attacks against big oil as a warning – and should bear in mind the FBI’s advisory in late 2010 that law firms are increasingly the targets of hackers.

We read about data breaches daily online or hear about them on the evening news. Law firms aren’t immune, as we saw a record number of reported data breaches in 2010. Even the small law firms have become victims of data breaches.

There are a number of reasons hackers and cybercriminals target law firms – clientele, insider information having financial value, litigation tactical advantages – just to name a few. Law firms must understand the severity of this threat and be proactive in dealing with it.

Buried within the details of the “Night Dragon” report (we won’t bore you with the technical aspects) are the graceful steps, a work of black art, which the hackers used to attack the big oil companies in a methodical and progressive manner. Knowing exactly how the bad guys successfully thwarted the defenses of the largest companies in the world can help to identify potential areas of weakness within a law firm’s security strategy – assuming it has one – and ultimately drive the firm to harden its defenses against threats both external and internal.

Naturally, just like any castle or fortified defense, the security of a computer network (or stone building) is only as secure as its weakest link – the end users. End users are often the problem. Whether it’s using simple or no passwords, or falling for a phishing attempt, end users can open the doors to a law firm’s most critical data in a matter of seconds. With the Internet, the bad guys are only milliseconds away, even if they’re attacking from across the globe.

End users were a primary target exploited by the hackers in operation “Night Dragon.” To help fortify these areas of weakness, law firms should:

    (A) Require every employee to review and sign a computer and Internet usage policy
    (B) Require user passwords to be a minimum length of 12 characters and contain both upper and lower-case characters, as well as numbers and symbols. Passwords should also be set to change frequently, usually every 30 days. Passwords should not be re-used.
    (C) Educate end users on spam and phishing techniques. There are even phishing tests your users can take online – to grade their ability to detect fraudulent e-mails such as the one here:
    http://www.washingtonpost.com/wp-srv/technology/articles/phishingtest.html
    (D) Verify that antivirus and antispyware definitions are kept up-to-date, that client computers and servers are scanned on a periodic basis and are operating as configured.
    (E) Laptops should only be used with hardware or software encryption. No encryption – no laptop – no exceptions.
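Item (B) above is the one a firm’s IT staff can actually enforce in software. The following is an added example, not code from the original post or from Sensei Enterprises, of what those three password rules (minimum length and character mix, a 30-day change interval, and no re-use) look like as checks. The history is kept as salted PBKDF2 digests rather than plaintext, so an administrator can reject a re-used password without ever storing the old one; the rounds value and the sample passwords are constructed for illustration.

```python
"""Password policy checks modelled on recommendation (B) above (added example)."""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 12          # (B): at least 12 characters
MAX_AGE_DAYS = 30        # (B): change roughly every 30 days
PBKDF2_ROUNDS = 200_000  # work factor for the stored history digests (assumed value)


def policy_violations(password):
    """Return the list of complexity rules the candidate fails (empty list = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    return failures


def history_entry(password):
    """Salted PBKDF2 digest to keep in the password history instead of the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(password, history):
    """True if the candidate matches any previously used password recorded in the history."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        # constant-time comparison so the check itself leaks nothing about the stored digest
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def is_expired(last_changed, today):
    """True once a password is older than the MAX_AGE_DAYS change interval."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def evaluate_change(new_password, history, last_changed, today):
    """Combine the checks into the list of reasons a password change must be rejected.

    The expiry check is reported separately by callers; here it only decides whether
    a change is *required*, which is why it is returned alongside the failures.
    """
    failures = policy_violations(new_password)
    if is_reused(new_password, history):
        failures.append("re-used password")
    return failures, is_expired(last_changed, today)


if __name__ == "__main__":
    # Constructed sample: one old password on file, changed 45 days ago.
    history = [history_entry("Old-Passw0rd-2010!")]
    failures, must_change = evaluate_change(
        "Old-Passw0rd-2010!", history, date(2011, 1, 1), date(2011, 2, 15)
    )
    print("must change:", must_change, "rejected because:", failures)
```

`policy_violations` reports every failing rule at once rather than stopping at the first, which is what a help-desk wants when explaining a rejection to a user.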

Besides taking advantage of careless end users, hackers were also able to gain access to web servers that were connected to both the Internet and internal corporate networks. Once hackers had control of these systems, they were on the “inside.” Game over. The hackers used Structured Query Language (SQL) injection to exploit these systems. If logging had been configured at even a bare minimum, these actions should have been captured and triggered alerts. Whether logs were reviewed by a person or by some program, the intrusions might have been detected during the initial stages of the operation – not after the fact.

If a law firm is facing a decision to host its own website, e-mail or other service on a computer system that is both accessible from the Internet and is on the local computer network, extreme prudence should be exercised to protect and monitor the system for suspicious activity that might signal or warn of an impending or ongoing attack. Ongoing monitoring (regardless of the type of system) should include the review of any antivirus or security software log files and alerts, system and security event logs, and any application specific or firewall logs.
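The two preceding paragraphs make two points: the web application must not splice user input into SQL, and someone (or something) must actually read the web server’s logs. The following is an added example, not code from the original post, showing both side by side: a lookup written the vulnerable way next to the parameterized version, using Python’s built-in sqlite3 against a constructed client table, and a small reviewer that parses constructed web-server access-log lines and flags requests whose query string carries the quote, comment and tautology patterns typical of injection attempts. The table, log lines and addresses are all constructed for illustration.

```python
"""Parameterized queries plus a minimal access-log review (added example)."""
import re
import sqlite3
from urllib.parse import unquote


def setup_db():
    """Constructed in-memory client database with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, matter TEXT)")
    conn.executemany(
        "INSERT INTO clients (name, matter) VALUES (?, ?)",
        [("Acme Corp", "merger"), ("Jane Doe", "estate")],
    )
    return conn


def lookup_client_unsafe(conn, name):
    """VULNERABLE: the caller's text becomes part of the SQL statement itself."""
    query = "SELECT name, matter FROM clients WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_client_safe(conn, name):
    """Parameterized: the driver passes the value separately, so it can only ever be data."""
    return conn.execute(
        "SELECT name, matter FROM clients WHERE name = ?", (name,)
    ).fetchall()


# Constructed access-log lines in the common Apache format, written to resemble what a
# firm's web server would record if someone probed the client lookup page.
LOG_LINES = [
    '203.0.113.7 - - [10/Feb/2011:02:14:05 +0000] "GET /clients?name=Acme%20Corp HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Feb/2011:02:14:09 +0000] "GET /clients?name=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9041',
    '203.0.113.7 - - [10/Feb/2011:02:14:12 +0000] "GET /clients?name=x%27-- HTTP/1.1" 500 233',
    '198.51.100.4 - - [10/Feb/2011:02:15:00 +0000] "GET /about HTTP/1.1" 200 1200',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Signatures of the most common injection probes once the URL is decoded.
SUSPICIOUS = [
    (re.compile(r"'"), "quote character in parameter"),
    (re.compile(r"--"), "SQL comment sequence"),
    (re.compile(r"\bor\b\s*'?\w+'?\s*=\s*'?\w+'?", re.I), "OR tautology"),
    (re.compile(r"\bunion\b\s+\bselect\b", re.I), "UNION SELECT"),
]


def review_access_log(lines):
    """Return one finding per request whose decoded path matches an injection signature.

    A 5xx status on a flagged request is noted too: an unexpected database error is
    often the first visible symptom that an injection attempt reached the query layer.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: a real reviewer would count these separately
        ip, when, method, path, status = m.groups()
        decoded = unquote(path)
        reasons = [why for pattern, why in SUSPICIOUS if pattern.search(decoded)]
        if reasons:
            if status.startswith("5"):
                reasons.append("server error returned")
            findings.append({"ip": ip, "time": when, "path": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    db = setup_db()
    probe = "' OR '1'='1"
    print("unsafe lookup returned", len(lookup_client_unsafe(db, probe)), "rows")
    print("safe lookup returned", len(lookup_client_safe(db, probe)), "rows")
    for f in review_access_log(LOG_LINES):
        print(f["time"], f["ip"], f["path"], "->", ", ".join(f["reasons"]))
```

The important contrast is that the same probe string returns every client from the unsafe lookup and nothing from the parameterized one, while the log review surfaces the probing address and the server error it provoked within seconds of the request, which is exactly the early warning the paragraph above says was missing.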

Why have law firms become the darlings of the hacking community? Their systems tend to have a weak underbelly. Law firms are not generally very sophisticated about technology. Law firms hate change, which security requires constantly. Security costs money, and law firms are often pennywise and pound foolish, especially where the confidential data of clients is concerned. Complacent for years, and thinking they were not a target of hackers, law firms are just beginning to understand the extent of the dangers they face externally and internally. Every law firm should have a security assessment annually – and semi-annually is generally better. Lawyers have an ethical duty to take reasonable measures to protect their clients’ information – and the definition of ‘reasonable’ has certainly changed to require more of law firms than ever before.

Sharon D. Nelson, Esq. graduated from Georgetown University Law Center in 1978 and has been in private practice ever since. Her primary practice area is electronic evidence law. Ms. Nelson is the past President of the Fairfax Bar Association, a Director of the Fairfax Law Foundation, and past chair of the American Bar Association’s TECHSHOW Board. She is the former chair of the ABA Law Practice Management Publications Board and currently serves on the Governing Council of the ABA’s Law Practice Management Section.

John W. Simek is the Vice President of Sensei Enterprises, Inc. He is an EnCase Certified Examiner (EnCE) and a nationally known testifying expert in the area of computer forensics. Mr. Simek holds a degree in engineering from the United States Merchant Marine Academy and an MBA in finance from Saint Joseph’s University.
