LSSA Warns on XP and Security

March 12, 2014

Roger Jackson, Chair of the LSSA, has given law firms advice on countering cybercrime threats and on the withdrawal of support for Microsoft Windows XP, since continued use of Windows XP might not meet SRA data security requirements.

Twice recently, law firms have been targeted by e-mails purporting to originate from the Solicitors Regulation Authority when in fact they did not. These ‘phishing’ e-mails are very convincing and, on a cursory glance, look genuine. Such malicious e-mails often carry attachments containing malware.

Julian Bryan, of LSSA member company Quill, comments, ‘The recent e-mail scam purporting to be from the SRA and targeting law firms demonstrates the need for constant vigilance and risk assessment amongst legal practices. The e-mail concerned carried a cleverly named attachment which had all the hallmarks of an embedded virus. This incident demonstrates the ongoing battle between Microsoft and potentially malicious individuals who create viruses, malware and phishing scams. Law firms in particular need to be sure that their Windows PCs and servers are constantly updated and protected from such issues. This process is facilitated by Microsoft, who provide security updates to their supported operating systems. However, from 8 April 2014 – less than a month away – support for Windows XP will be withdrawn. This means that Windows XP users will no longer be protected from new security threats, potentially creating risk for law firms. Practices should audit their IT infrastructure and assess their exposure to the risk created by the ongoing use of Windows XP in their business.’

Microsoft is withdrawing support for Windows XP and is recommending that users move to newer platforms such as Microsoft 365. Many law firms are still using Windows XP and are not going to migrate overnight to new systems; in many cases legacy software will need a lot of work to run on new platforms, and in the meantime continued use of Windows XP might not meet the SRA’s data security requirements.

Another LSSA member, Dominic Cullis of Easy Convey, comments, ‘This is a major milestone because these versions of Windows and Office have been widely used in the workplace. Many firms have not adopted later releases from Microsoft. One way forward is to subscribe to Microsoft 365. Subscribers receive future upgrades, therefore ensuring out-of-date, unsupported software becomes a thing of the past. Another option is to move your software on to a virtual server, with Windows and Office being provided by your legal software provider. With more and more solutions being delivered on a virtual server, users are free to work wherever a computer has internet access, therefore enabling more flexible working options.’

The LSSA go on to remind law firms that phishing e-mails are not the only current cyber threat. They advise that lawyers be very careful when logging into any public WiFi network: you may not be connecting to the Starbucks or Costa Coffee network that you believe you are. Hackers and cybercriminals can create what is known as an ‘Evil Twin WiFi Hotspot’, a rogue access point that advertises the same network name as the bona fide WiFi you intend to connect to and is virtually impossible for a user to distinguish from the genuine one. By unwittingly using the rogue network instead of the genuine one, you expose your device, whether laptop, tablet or smartphone, to the criminal fraternity. To the user the fake network appears to behave normally, but to the criminal it provides the means to eavesdrop on your network traffic, log your keystrokes, steal account names and passwords, or redirect you to phishing and malware sites, fake financial websites and the like.

One way of protecting law firm data against an evil twin network is to use a Virtual Private Network (VPN), which encrypts your traffic before it reaches the hotspot. Historically VPN use has been limited to large corporates because of the costs involved, but personal VPN services are now available on a monthly subscription basis. Another way of combating a fake hotspot is to log in to your e-mail and social networking sites only over secure, HTTPS-encrypted pages.