
NIST has updated its password guidelines, indicating a preference for long passphrases over shorter alphanumeric passwords padded with special characters. As the Wall Street Journal has reported, a four-word phrase can be harder to crack than a single word with special characters substituted for some of its letters. At the guess rate assumed in that comparison (which originally appeared in the xkcd comic "Password Strength"), the phrase "correct horse battery staple" would take 550 years to crack, while the password "Tr0ub4dor&3" would take only three days.

The June 2017 NIST Special Publication 800-63-3, "Digital Identity Guidelines", makes clear that it is not truly random alphanumeric sequences that are vulnerable, but the predictable, shorter passwords that users choose: ". . . users attempting to choose memorable passwords will often select from a very small subset of the possible passwords of a given length, and many will choose very similar values. As such, whereas cryptographic keys are typically long enough to make network-based guessing attacks untenable, user-chosen passwords may be vulnerable, especially if no defenses are in place."

The guidelines specify that multifactor authentication must combine at least two of the three factor types:

1. Something you know (e.g., a password).

2. Something you have (e.g., an ID badge or cryptographic key).

3. Something you are (e.g., biometric data).

Additional guidance on choosing passwords (which NIST calls "memorized secrets") is given in NIST Special Publication 800-63B. It specifies that a verifier must compare a proposed password against a list of commonly used, expected, or compromised values, and reject it if it is among:

1. Passwords obtained from previous breaches.

2. Passwords with repetitive or sequential characters (e.g., aaa222).

3. Dictionary words.

4. Context-specific words (e.g., the name of the service, or a variation on the user name).

NIST also specifically recommends offering guidance such as a password-strength meter, so the user can see how strong a proposed password is before committing to it.

Importantly, NIST does NOT recommend users be forced to change their passwords after a fixed interval. "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

Users should be permitted to paste passwords into the login field, and composition rules (e.g., requiring a mix of character types or prohibiting consecutively repeated characters) are discouraged. User-chosen passwords must be at least 8 characters long, and lengths of at least 64 characters should be allowed.

As you can see, the authoritative guide specifies practices which differ from those implemented in many systems.
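To make the 800-63B rules above concrete, here is a small acceptance check that implements them in Python. This is an added example, not code from the original post or from NIST. The breach list, dictionary, the "webtime" service name and the run length used to detect repeated or sequential characters are all constructed assumptions; a real verifier would consult a large compromised-password corpus and a full word list. Note what the check deliberately leaves out: composition rules, a ban on pasting, and periodic expiry.

```python
"""Memorized-secret acceptance check in the style of NIST SP 800-63B section
5.1.1.2. Added example, not code from the original post or from NIST."""
import re
import string
import unicodedata

# Constructed stand-ins for a breach corpus and a dictionary. A real verifier
# would consult a large compromised-password list and a full word list; these
# entries exist only so the example runs offline.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY = {"correct", "horse", "battery", "staple", "troubadour", "troubador"}
SERVICE_NAME = "webtime"   # hypothetical service name for the context-specific rule

MIN_LEN = 8     # 800-63B: at least 8 characters when chosen by the subscriber
MAX_LEN = 128   # assumption; 800-63B says at least 64 characters SHOULD be allowed

# Common symbol-for-letter substitutions, undone before the dictionary and
# context checks so that "Tr0ub4dor" is recognised as "troubador".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
EDGE = string.digits + string.punctuation + " "


def normalize(secret: str) -> str:
    """800-63B: apply Unicode NFKC before comparing or hashing the secret."""
    return unicodedata.normalize("NFKC", secret)


def _unleet(s: str) -> str:
    return s.lower().translate(LEET)


def has_repetitive_or_sequential(secret: str, run: int = 3) -> bool:
    """True if any `run` consecutive characters are identical (aaa, 222) or form
    an ascending/descending sequence (123, cba). The run length is a policy choice."""
    s = secret.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def is_dictionary_word(secret: str) -> bool:
    """True if the whole secret is one dictionary word once leading/trailing
    digits and symbols are dropped and substitutions undone (Tr0ub4dor&3)."""
    core = re.sub(r"[^a-z]", "", _unleet(secret.strip(EDGE)))
    return core in DICTIONARY


def is_context_specific(secret: str, username: str) -> bool:
    """Rejects secrets containing the username, the service name, or their
    reversed or substituted forms."""
    core = _unleet(secret)
    for token in (username, SERVICE_NAME):
        t = token.lower()
        if len(t) >= 3 and (t in core or t[::-1] in core):
            return True
    return False


def check_secret(secret: str, username: str) -> list:
    """Return the reasons the secret would be rejected (empty list = accept).
    Deliberately absent, per 800-63B: composition rules (mixed case, symbols),
    a ban on pasting, and periodic expiry."""
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("too_short")
    if len(s) > MAX_LEN:
        reasons.append("too_long")
    if s.lower() in BREACHED:
        reasons.append("breached")
    if has_repetitive_or_sequential(s):
        reasons.append("repetitive_or_sequential")
    if is_dictionary_word(s):
        reasons.append("dictionary")
    if is_context_specific(s, username):
        reasons.append("context_specific")
    return reasons


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Tr0ub4dor&3", "aaa222bbb", "jshore2017!"):
        print(f"{pw!r}: {check_secret(pw, 'jshore') or 'accepted'}")
```

Run as-is, the passphrase from the post is accepted, while "Tr0ub4dor&3" is rejected as a dictionary word with substitutions, which is exactly the failure mode the guidelines are aimed at. The dictionary rule only rejects a secret that is a single word in its entirety, so a multi-word passphrase built from dictionary words is not penalised.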


The National Institute of Standards and Technology has an online 'National Vulnerability Database' at https://nvd.nist.gov/ .

On the home page you'll see a link to the vulnerability search engine.

When we search for the popular document management system WorkSite we see that version 8.2 had serious vulnerabilities. Commands to open multiple .nrl links could be used in a denial of service attack, and insecure .cab files could be exploited to run Java scripts that reset server settings.
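The same search can be scripted against NVD's public CVE API 2.0, which is useful when you need to check a list of products rather than one. The following is an added example, not code from the original post; the endpoint and parameter names (keywordSearch, resultsPerPage, startIndex) are NVD's own, while the embedded sample response is constructed so the parsing runs offline and its CVE ids are placeholders, not real records.

```python
"""Keyword search against NIST's NVD using the public CVE API 2.0. Added
example, not code from the original post. The endpoint and parameter names
are NVD's; the sample response is constructed for offline use and its CVE
ids are placeholders, not real records."""
import json
import urllib.parse
import urllib.request

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def build_query_url(keyword: str, results_per_page: int = 50, start_index: int = 0) -> str:
    """NVD paginates: totalResults in the reply tells you when to raise start_index."""
    params = {"keywordSearch": keyword,
              "resultsPerPage": results_per_page,
              "startIndex": start_index}
    return NVD_API + "?" + urllib.parse.urlencode(params)


def fetch(keyword: str, timeout: float = 30.0) -> dict:
    """Live lookup (needs network). Unauthenticated clients are rate limited;
    an 'apiKey' request header raises the limit."""
    req = urllib.request.Request(build_query_url(keyword),
                                 headers={"User-Agent": "nvd-keyword-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _base_score(metrics: dict):
    """Prefer CVSS v3.1, then v3.0, then v2. Entries for old products such as a
    2005-era server often carry only v2 scores."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key)
        if entries:
            return entries[0]["cvssData"].get("baseScore"), key
    return None, None


def summarize(response: dict) -> list:
    """Flatten an API 2.0 reply into id/published/score/description rows,
    highest score first (unscored entries last)."""
    rows = []
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        desc = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
        score, source = _base_score(cve.get("metrics", {}))
        rows.append({"id": cve["id"], "published": cve.get("published", ""),
                     "score": score, "cvss": source, "description": desc})
    rows.sort(key=lambda r: (r["score"] is None, -(r["score"] or 0.0)))
    return rows


# Constructed reply in the API 2.0 shape; ids and text are placeholders, not real CVEs.
SAMPLE_RESPONSE = {
    "totalResults": 2,
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "published": "2005-01-01T00:00:00.000",
                 "descriptions": [{"lang": "en", "value": "Placeholder: opening many links causes a denial of service."}],
                 "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 5.0}}]}}},
        {"cve": {"id": "CVE-0000-0002", "published": "2005-06-01T00:00:00.000",
                 "descriptions": [{"lang": "en", "value": "Placeholder: remote script execution changes server settings."}],
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    ],
}

if __name__ == "__main__":
    import sys
    data = fetch(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for row in summarize(data):
        print(f"{row['id']:16} {row['published'][:10]}  {row['score']!s:>4} ({row['cvss']})  {row['description'][:70]}")
```

Passing a product name on the command line (for example the WorkSite search from the post) performs the live query; with no argument the script summarises the constructed sample. Keyword search matches description text, so expect some unrelated hits; for a precise product match NVD also accepts a cpeName parameter.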


Jason Shore and Coinabul, LLC v. Johnson & Bell, Ltd., No. 16-4363 (N.D. Ill.) is a suit filed by a client against a law firm for failing to keep client data secure on systems that allowed remote online access to its email and document management systems.

Johnson & Bell's motion to dismiss was denied as moot when the parties agreed to arbitration this past February. It is nevertheless very interesting to review the complaint and the innovative claims brought by the plaintiffs, which were made in the absence of any actual data breach.

The causes of action listed in the complaint are breach of contract based on legal malpractice; a negligence claim also based on malpractice; unjust enrichment; and breach of fiduciary duty. In addition to damages, the plaintiffs sought an order compelling the defendants to secure client data, to allow a third party to conduct a security audit, and to notify other clients of the vulnerability of their data.

The system the complaint alleges is inadequate was developed by Rippe & Kingston and uses a 'webtime' server. See this screen grab from the complaint:

The system was more than 10 years old and security updates had not been installed; the version in use at J&B dated from 2005. This JBoss system is listed in the NIST National Vulnerability Database as allowing unauthorized access to networks. There have been many documented attacks by hackers against unpatched JBoss servers.

The complaint also criticized J&B's virtual private network for failing to protect against man-in-the-middle attacks. J&B's email system used SSL 2 [Secure Sockets Layer version 2, an obsolete cryptographic protocol for transferring data over a network], which is vulnerable to attacks that recover RSA-encrypted session keys; the 2016 DROWN attack is the best-known example, and it also endangers servers that have moved on to TLS if they share an RSA key with a server that still accepts SSL 2. It further alleged that a time record system which did not use password-protected accounts would facilitate phishing attacks, since hackers would be able to access up-to-date information about the nature of attorneys' representation of various clients. All of this was while Johnson & Bell marketed itself to clients as an expert in data security.
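The SSL 2 allegation is one a practitioner can verify directly. Modern OpenSSL builds no longer speak SSL 2 at all, so the usual openssl s_client check cannot ask for it; the probe below builds the SSL 2 ClientHello by hand from the protocol's message layout and reports whether the server answers with an SSL 2 ServerHello and which cipher kinds it offers. This is an added example, not code from the original post or the complaint. The host and port are whatever you are authorized to test; the ServerHello bytes embedded below are constructed (with a placeholder in the certificate field) so the parser can be exercised offline.

```python
"""Raw-socket probe for SSL 2 support. Added example, not from the original
post. The ClientHello/ServerHello layouts follow the SSL 2.0 specification;
SAMPLE_SERVER_HELLO is constructed for offline use, not a capture."""
import socket

# SSL 2 cipher-kind codes (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """MSG-CLIENT-HELLO: type(1) version(2) cipher-specs-len(2) session-id-len(2)
    challenge-len(2) cipher-specs session-id challenge, wrapped in a 2-byte
    record header whose high bit means 'no padding byte follows'."""
    ciphers = b"".join(SSLV2_CIPHERS)          # offer every kind we know
    body = (b"\x01" + b"\x00\x02"
            + len(ciphers).to_bytes(2, "big") + b"\x00\x00"
            + len(challenge).to_bytes(2, "big")
            + ciphers + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def parse_server_hello(data: bytes):
    """Return {'version': ..., 'ciphers': [...]} for an SSL 2 SERVER-HELLO, or
    None for anything else (a TLS alert, HTTP text, or an empty reply after the
    server simply closes the connection)."""
    if len(data) < 2 or not data[0] & 0x80:   # TLS records start 0x15/0x16, high bit clear
        return None
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    msg = data[2:2 + rec_len]
    # type(1) session-id-hit(1) cert-type(1) version(2) cert-len(2) spec-len(2) conn-id-len(2)
    if len(msg) < 11 or msg[0] != 0x04:        # 0x04 = MSG-SERVER-HELLO
        return None
    version = int.from_bytes(msg[3:5], "big")
    cert_len = int.from_bytes(msg[5:7], "big")
    spec_len = int.from_bytes(msg[7:9], "big")
    specs = msg[11 + cert_len: 11 + cert_len + spec_len]
    ciphers = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs) - len(specs) % 3, 3)]
    return {"version": version, "ciphers": ciphers}


def server_offers_sslv2(host: str, port: int = 443, timeout: float = 5.0):
    """Live probe (needs network and authorization to test the target)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        return parse_server_hello(s.recv(4096))


# Constructed SERVER-HELLO, not a capture: hit=0, cert-type=1 (X.509), version
# 0x0002, a 4-byte placeholder where the certificate would be, two cipher
# kinds, and a 16-byte connection id.
SAMPLE_SERVER_HELLO = (b"\x80\x25"
                       + b"\x04\x00\x01\x00\x02" + b"\x00\x04" + b"\x00\x06" + b"\x00\x10"
                       + b"\x30\x82\x00\x00"
                       + b"\x01\x00\x80\x07\x00\xc0"
                       + b"\x00" * 16)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(server_offers_sslv2(sys.argv[1]) or "no SSL 2 ServerHello")
    else:
        print(parse_server_hello(SAMPLE_SERVER_HELLO))
```

Any non-None result means the server still negotiates SSL 2 and should be treated as a finding regardless of which cipher kinds it lists, since every SSL 2 cipher is considered broken. Because DROWN reuses the server's RSA key rather than its TLS configuration, the probe is worth running against every host (mail, VPN, web) that shares a certificate, not only the one whose configuration is in question.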


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.
