Evernote Security Compromised 104
starburst writes "Another online company has had its security compromised. Today Evernote posted on their blog that they're issuing a service-wide password reset because of suspicious activity on their network. They say an unknown intruder gained access to usernames, email address, and encrypted passwords. Even though the passwords were hashed and salted, they're doing the password reset as a precautionary measure. Nevertheless, it's a good reminder to keep a close eye on who you keep your data with in the cloud. Nothing is totally secure; it's always a compromise between security and convenience."
Shocking... (Score:3, Interesting)
Re: (Score:1)
They took the time to properly salt and hash the passwords. I'm grateful to have that much security.
Re: (Score:1)
Consequence: when you want to send the user an email, now you can't because the email is stored as a non-reversible hash.
Re:Shocking... (Score:5, Interesting)
As entertaining as a finger pointing "these guys don't know what they're doing" exercise can be, with the best will in the world you're always just one mistake away from letting the bad guys in.
It sounds like they have a pretty good system in place (salted hashes, intrusion detection mechanisms and notification) and they aren't being coy about a problem.
At the very least their internal security team now gets a nice big stick to beat management with to stopping cutting certain corners.
Re:Shocking... (Score:5, Insightful)
Re: (Score:3)
Came here to post this exact thing. They REALLY screwed up the notification email.
Re: (Score:2)
I never got notification email. I also can't log in with any password, now that it's hit /. I know to hit their site for a heads up.
Evernote has my weakest throwaway passwords, and the only thing I use it for is grocery lists. Not too worried about this one.
Re: (Score:1)
Re:Shocking... (Score:5, Funny)
Re: (Score:2)
Re: (Score:3)
Not the worst breach I've ever seen, but a couple of stupid things still. Not least, the reset email linked you to http://links.evernote.mkt5371.com/ctt?kn=4&ms=NTcwNzMxMwS2&r=blahblahblah [mkt5371.com]. I actually presumed it was a high quality phishing attempt and flagged it as spam. Later down the same email they advised "Never click on 'reset password' requests in emails - instead go directly to the service"...
Yeah, I expect they had so many to notify they had to use a service, but if so why leave a link in the email?
I never even got notified by email, or if I did it was so spammy it got trapped and I'm too lazy to look.
My android app got an update, and the reason for the update was a security announcement. So I installed it, and it insisted I much change passwords, and took me to the web page to do so.
Re: (Score:1)
At least you got an email. I woke up this afternoon and I couldn't access Evernote on my ipad. So I tried my laptop, desktop, then web interface. I assumed I had screwed up my password somehow. Eventually, it stopped giving me an error and gave me a "reset your password" warning, instead. So I did. I've checked my email and though I've received advertising from Evernote on January 15th and then February 9th, 25th, and 26th -- I've received nothing regarding a breach or password reset (and I'm also a premium
Re: (Score:1)
Re: (Score:2)
Re:Shocking... (Score:5, Insightful)
Yeah I really have no problem with this. Everyone gets broken into eventually. Actually noticing that it happened, what precautions you've taken, and how you handle it with your customers, is how I judge your company and service.
Evernote seems to have done what you should do in a situation like this.
Re: (Score:1)
The more concerning thing is that, as I understand it, your data is not encrypted on Evernote. By design, presumably, so they can index and perform OCR and searches and other things on your data. If they can breach the server with user credentials, why couldn't they breach the servers containing your actual documents and everything?
Re: (Score:3)
It's a question of who they get broken into by though.
For example, Google has been hacked sure, but it's been by state actors (China) who don't give a shit about leaking everyone's personal and credit card details but are more interested in information and espionage.
No company should be allowing themselves to get hacked by a bunch of script kiddies though who do lose your details left and right like Sony was.
Further, I'm not even sure your assertion that everyone gets broken into eventually is true. In the
Re: (Score:1)
I can think of a number of companies such as banks that have simply never been hacked
Having worked for a couple of banks in my time and had the ear of some of the security chiefs, I can tell you that it does happen. Unless it's a particularly visible breach (multiple account details stolen, loss of funds with transfers), very little of it makes it to the media. For obvious reasons.
I can think of a number of companies such as banks that have simply never been hacked, but even outside of that has Amazon ever been hacked?
What makes you think you'd hear about it if happened? Most companies will only hold up their hands and admit problems when the evidence is undeniable. See Sony.
Re: (Score:2)
A breach with only an account or two stolen makes no sense. It's more likely explained by the account holder themselves. Either the hacker managed to get access to banking details or they didn't, it really makes no sense that they broke in but only got one set of details.
Which is precisely why we'd hear about it - when somewhere is really actually hacked, the fallout is big enough that it can't stay hidden.
Re: (Score:1)
A breach with only an account or two stolen makes no sense.
I'm afraid the real world has a few more shades of grey than hacked or not hacked.
The bad guys get caught with varying levels of "in" in the DMZ. High value single account targets are of interest to the bad guys too. A shotgun approach of attack can set off alarm bells where a surgical strike can go unnoticed for a bit longer.
Banks in particular have improved over the last few years with two factor auth and dropping the "smart client" (java / flash) mess, but the bad guys are just as inventive - social engi
Re: (Score:2)
Yes, I understand people can penetrate to different levels of a network, but what is black or white is whether they penetrated and got anything of value or not.
The fact is, you don't penetrate deep enough into a bank to get information of value and then only get one account's details, it just makes no sense.
If anyone has breached deep enough to be of any real matter or value, we'd hear about it, that's the point.
If you're going to risk hacking into a bank, you're going to come out with something of value wh
Re: (Score:2)
I have to agree. You can't build a system that isn't ever going to be hacked. You can build a system using the best available practices that is very difficult to hack and put the most effective system possible in place to detect hacking attempts as early as possible. To a large extent, it seems that they did a respectable job in both respects. I'm sure that they can make improvements and will learn lessons from this. They are a well capitalized company and it is absolutely vital that they maintain credibili
Re: (Score:2)
> with the best will in the world you're always just one mistake away from letting the bad guys in.
Not at all. With a bad security model you are only one step away from being owned. If you have a proper security model, you have several layers, and just a single one. So there should be no single point of failure. Combine this with decent testing etc, and you have a reasonable amount of security.
Re: (Score:1)
I don't think being trendy has anything to do with it. It simply is another piece of evidence that demonstrates an industry-wide problem of security seeming to be very nebulous. Apple, Microsoft, Sony, Valve, Facebook, Twitter, EA, Pinterest, Tumblr, LastPass, NYT, Evernote, and countless other places in the last couple of years (800 breaches of business, government, and medical institutions in just the past year according to privacyrights.org). Hell, wasn't kernel.org even compromised in the past year?
It s
Re: (Score:1)
Keep it in the cloud (Score:2)
Re: (Score:1)
Because your home system with a standard consumer router is so secure and impenetrable and the same government that could demand direct access to a full live stream of cloud data couldn't demand the major OS developers include a backdoor to them and access your home machine.
Control the encryption layer (Score:3)
Re: (Score:2)
The last I checked with Owncloud (~2-3 months ago), their system would update the entire encrypted file rather than just the parts that changed. This might work for a relatively small TrueCrypt file but it becomes impractical if you have a large file. Dropbox updates only the changed parts, which is handy.
Re:Control the encryption layer (Score:5, Insightful)
If you work under the assumption cloud == public then you will do no wrong.
To whoever cracked Evernote:
Now that you have my groceries lists you could do the decent thing and go to the shops. Also bring beer. Cheers, mate.
Re: (Score:2)
It isn't access to your Evernote account you should be worried about, it is access to all the other accounts you used the same email address, user name and password for. Okay, from the sound if it you probably don't do that, but the majority of people do.
Resetting all Evernote passwords isn't going to help them much. If their email account is vulnerable then they are pretty much screwed, because everything else seems to rely on being able to send password reset messages to that account and assumes it is sec
Re: (Score:2)
I do use a password generator and a keystore for my important things, tho.
If His Flying Noodlyness hadn't intended us to use throwaway email accounts for throwaway online services he wouldn't have given us Hotmail.
Right to be deleted (Score:5, Insightful)
Re: (Score:1)
You don't even have a right to self-terminate. What makes you think you have a right to delete your account?
Re: (Score:2)
Your right to disappear from a service is already granted. The caveat is that it is nullified when you sign up. If you don't want to have troubles deactivating accounts, don't create them.
You're borrowing their hardware, they're borrowing your content. They want you to come back, and they want you to sign up your friends for the service. This is the carrot, this is the stick.
If your content is never deleted it also makes account reactivations and complying with court orders a breeze.
Re: (Score:2)
What the fuck are you talking about, you dumb fuck?
Evernote Premium users pay $40 per year. I'm not borrowing anything.
Re: (Score:2)
I just deleted my account, and had to reset my password first - no problem.
Re:Right to be deleted (Score:5, Insightful)
Re: (Score:2)
This
Re: (Score:2)
Even if that does happen, wouldn't companies still have back ups?
Re: (Score:2)
That's a lousy reason and a lame excuse not to offer the big "DELETE PLX" button.
And by deleted I mean deleted. Not flagged as deleted.
Re: (Score:2)
So go in, delete everything you've entered, then empty the trash and deactivate your account.
Like everybody else, they probably have off-line backup, and your account may dwell on some
tape media somewhere until that cycles out of existence.
Good luck getting something like that passed into law, since it runs directly contrary to what your government (every government) wants.
Re: (Score:2)
Re: (Score:3)
And if someone hacks your account and deletes it you'll be yelling at them to restore everything you had there.
Re:And Evernote Is? (Score:5, Insightful)
If you don't know what it is, then you probably don't need to worry that it's been compromised. But if you absolutely must know, then it's literally the first page of hits on Google.
Re: (Score:1)
I only bring it up because Slashdot at least used to call itself a news site, and putting useful information like that in the summary is generally a good thing to do for a news site. "News" is often about things a person might not have a direct interest in. From a news point of view it's good to answer the basic questions of who, what, when, where, etc.
From the point of view of a site trying to derive revenue from ads, it's dumb to force people off the site to get that kind of basic information.
When peopl
Re:And Evernote Is? (Score:5, Insightful)
It also used to be a "geek" site...
If you don't know what Evernote is, and if you can't use google, well maybe /. isn't the problem.
Re: (Score:1)
It's ok to write "Today Twitter had ..." instead of "Today the popular microblogging platform Twitter had ...", it's not ok to do that for every Web 2.0 start up out there.
Following your logic to the very end, every article on /. can be simply replaced with lone headline reading "Some kinda stuff happened at $company". What, can't you just use Google to search for "what happened at $company?" if you want to know more? We could even add summaries consisting of LMGTFY links for those who can't.
Re: (Score:2)
Yes - I've been on slashdot for many years, so I know what kind of site it's been.
I've been plugged into things of a geek nature for quite a long time and with a fair amount of breadth and this was the first I'd heard of Evernote. Nobody can keep up with every fly-by-night web service that pops up and then has security problems.
I'm just suggesting that if you're writing about something that is not as well known as Microsoft, Twitter, etc., and if your goal is to be a good news site, then it's probably wort
Re: (Score:2)
If you don't know what it is, then you probably don't need to worry that it's been compromised.
It's nothing to do with who needs to worry and who doesn't. It's the difference between this:
Giorgio Napolitano has appealed to political leaders for "realism, a sense of responsibility" in resolving their post-election deadlock.
and this:
Italian President Giorgio Napolitano has appealed to political leaders for "realism, a sense of responsibility" in resolving their post-election deadlock.
on what is ostensibly a news site.
Re: (Score:1)
Re: (Score:2)
Evernote makes it easy to synchronize text among all your computers and your phone too. I have things like my shopping list on there, so I can edit on either a desktop or while I'm out with the phone. It also allows some amount of formatting that's a pain get consistent in a simple text editor. I could use Markdown or something like that to do the same thing, but this is easier, and again the formatting also works on the phone.
Re: (Score:2)
There I was standing in front of a shelf in a shop. I noticed I forgot to put something onto my list. And I proceeded to append my Evernote list with the item I forgot to put on it.
The sane thing to do would of course have been to SIMPLY GRAB THE STUFF FROM THE SHELF and not bother with Evernote at all.
Therefore Evernote == insanity. And I'm better now.
Re: (Score:2)
You can edit a text snippet on your smartphone and it will automagically synch it with your tablet that's a couple of feet away. It also does images. So the picture you took of your genital warts with your phone will instantly appear on your laptop. Nifty, huh?
Re: (Score:2)
And here I was saying just last night how I wish there was an easier way to get picture of my genitals, warts and all, up into the cloud and back onto all my computers (and apparently everyone else's now).
And people say the era of specialization is over!
Re: (Score:2)
Re: (Score:2)
Because if you haven't figured it out people are on average stupid idiots.
Take email encryption. After 20+ years there still isn't an easy to use way to send encrypted emails to anyone and get the appropriate security keys.
that means everyone is using plain text email still.
Re: (Score:2)
No, we're using Dropbox, Evernote, Google Drive and email with Truecrypt files. I tend to not use email for secure comms now; just edit a text file in a folder dropbox is configured to watch and as soon as you unmount the file it gets synced up and the recipient notified. I'd use Drive except it doesn't understand the concept of only syncing the part of the Truecrypt file which has changed, uploading instead the whole Truecrypt file. Even that would work for small files though.
Re: (Score:3)
What keys are you speaking about?
From TFA
In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.
The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords.
Evernote has passwords, like just about every site. What you put on evernote is your business, but without additional layers of encryption most people don't put anything up there that is super secret. Most people use if for notes and stuff they need for quick reference on the go. Its a tool of convenience not a bank vault.
Re: (Score:2)
They are log in keys. You already have those keys. They are your login passwords.
Re: (Score:3)
You apparently don't know how most cloud storage systems work.
And you apparently don't have a clue about Evernote. Its not a "cloud storage" system.
Run along now sonny. I've got work to do.
Is a password reset really appropriate? (Score:2)
I am all for them going public with what they found. But sometimes you really need to have enough confidence in your own protec
Re: (Score:2)
Yes, thank you for saying this. I'm so sick of forced password resets. I can't remember all the passwords I use, and for some sites that I might actually need to remember them for, having to make a new one means I no longer remember the password for that site! It means I'm more likely to choose a weak password which is easier to remember and easier to crack.
Thus my theory that forced password resets actually decrease security.
Re: (Score:2)
I've been using KeePassX for years. You missed the point.
Re: (Score:1)
If you can't comprehend what I said, you need to get off the Internet or you're doing something wrong.
Re: (Score:1)
With the passwords being salted and hashed, they are not easy to brute force. This means for any user who has chosen a reasonably strong password in the first place, a leak of the hashed password is not an issue at all. Those users could go on using the same password without being exposed to any additional risk. So why force them to change their strong password to something else?
My guess would be the salt was either not unique per account, or was part of the compromised data. Either way it would make it (somewhat) easier to brute-force.
Re: (Score:2)
There is only one salt per account, so of course it is unique per account. But that is probably not what you meant. Could it be that the salt is not unique? It could be, but once you are doing any salting in the first place, it is trivial to make it unique. All you have to do is let the salt be a sufficiently long string of random characters, and the probability of collisions will be negligible.
Salts are stored t
Re: (Score:1)
There is only one salt per account, so of course it is unique per account. But that is probably not what you meant.
No, it is exactly what I meant. How do you know the salt is unique? Did you write the code? It's easier to use the same salt for every account rather than making it unique, since it can be hard-coded and doesn't need to be persisted with the hash.
See here [crackstation.net] for a more thorough explanation.
But don't worry. Salts are designed such that they don't need to be kept secret.
Of course, but as I said, if you're using the same salt for all your hashes then it becomes less secure.
Re: (Score:2)
I did not say that I know the salt is unique. I said the salt is unique per account, which is a tautology because there is only one salt per account.
Of course. If you are using the same salt for every account, you are not salting at all. You'd be reducing the salted hash down to simply an unsalted but non-standard hash function. That would not require mu
Re: (Score:2)
The sync is the point though, otherwise you might as well just use a local note app.
I use it for random technical notes, pointers to useful howtos, command line snippets I want to remember, ideas for my blog... nothing that requires much in the way of security. I like that I can write the notes at work and have them on my home PC, or jot an idea on my phone while I'm out and expand on it when I'm front of the keyboard. I was looking for a note app that let me organise notes into folders with a bit of markup
Re: (Score:2)
The sync is the point though, otherwise you might as well just use a local note app.
A truly local note app is exactly what I want on my phone, for exactly the kind of security reason as this article highlights. I don't want my notes anywhere but in my pocket. That's why they're notes, not shared documents.
But no. Most note apps out there automatically sync my private notes to some "cloud service" whether I want to or not. So far the best option I've found has been to install an app which wants to sync to a service I don't have an account on. But that's a dumb workaround to a dumber misfeat
And how do they know no content was accessed? (Score:2)
So the attackers were able to get what sounds like direct access to the user database, or best case a backup copy, and yet we're expected to believe that the attackers couldn't gain access to the content database? (assuming it's even a different database) Or at least crack some really weak passwords within the two days before this was reported to users?
In this kind of attack, the baddies are after the content. The user accounts themselves are mostly worthless -- can't really use them for spam or phishing. B
OneNote (Score:2)
I considered using EverNote at one point, but my concern was offline availability (for personal use on my laptop) and security (for use at work). I didn't think management would be happy with me storing proprietary/confidential data on someone else's remote server, so I stuck with OneNote. (I also didn't realistically think they'd get broken into, to be honest, just thought it would be frowned upon. Sometimes paranoia works for you.)
I have looked into several open source alternate note-taking programs, but
Re: (Score:2)
While formatting options make something like EverNote look interesting, I haven't yet found a must-have feature for me that negates the loss of control I feel over my info. I do like Pinboard for bookmarks, which I don't really treat as private, but most of the rest ends up in plain-text files that I can read anywhere. Combined with an encrypted file sync service like Wuala or SpiderOak, I feel 90% of the way there. I might end up adding Tiddlywiki in the same sync folders for items which need a bit more fo