Evernote has joined the growing list of companies whose cloud-based services have suffered a serious security breach, announcing over the weekend that it had implemented a service-wide password reset after attackers accessed user information. Happily, the company's announcement notes, the passwords accessed were salted hashes, …
Who cares about Evernote?
I'm convinced that the REAL threat of this kind of breach is that many people use the same passwords on many systems. The scammers and spammers have lots of stolen and correlated personal information, and they can mix and match to play games. Not sure it is helpful to note, but my primary countermeasure against this sort of thing is that my passwords are organized in layers. You might penetrate a 'soft layer' where I reuse the same password, but if you try to use it to hack into a deeper layer, the most likely outcome is to tip me off... (Yes, of course there are more wrinkles and wrinkles within the wrinkles, but I think I'm being pursued by the paranoids.)
The root of the problem is the money, as usual. As long as the scammers continue to profit, they will continue to try to new scams and make the Internet less valuable for ALL of us. I actually think that most of their proximate cash is coming from identity theft these days, but the primary vector mechanism for getting the suckers is still email spam, which is why I think there should be more focus on the vector. I really wish there was ONE email system that had some POWERFUL anti-spammer tools built into it. I'm talking about tools that would convince the spammers that this email system was not worth the risk. Any spam sent to that system would allow US to go after ALL of the spammers' accomplices, work to shut down ALL of the spammers' infrastructure, and to cut the spammers' away from ALL of their victims.
Re: Who cares about Evernote?
Slow there Shannon, Ein Volk, Ein Reich, Ein Führer.
Evernote needs to disclose if these were Macs that, once again, were compromised. The world needs to know when Cupertino's claims that its users don't need additional anti-malware protection are untrue.
Are you doing an Eadon on Macs or something? How is this even remotely relevant?
Anyone with half a working braincell will use decent security (and virus checking) on their Mac because statements from marketing people mean exactly nothing, and I have as yet to come across a system that didn't became vulnerable if you got behind on patching. For example, Apple has been patching the evil brew from Oracle called Java twice in a row, and using products from Adobe and Microsoft have also been found to introduce risks for which patches have been issued.
Furthermore, gaining access to that depth of production data from a desktop would raise a lot more questions that just which platform was compromised.
So, did you fail to catch up with the real world, or are you a non Mac user sniping from the sidelines?
The attack and intrusion was against the Evernote servers, I figured that out from reading the article. So, unless Evernote have a warehouse full of networked Macs, running some kind of distributed server, then the intrusion was not due to a vulnerability in Macs.
>"For example, Apple has been patching the evil brew from Oracle called Java twice in a row"
The whole point is that Apple has been taking 3 weeks to a month to push the Java patches out to its users, leaving them vulnerable. Have you not been reading about the recent hacks referred to in TFA - at Apple, Facebook, Twitter and Microsoft? Those were hacks to Mac systems. I'm just saying that Evernote should announce what type of systems were compromised.
You "red" it here first, me old China.
... This was a managerial fuck up or a technical one.
One place I worked at refused to let us shut down a Windows 2K box because they didn't want to fork out the $300 for an upgrade on software that it ran (we had a spare fully patched W2K8 box but the software needed an upgrade to run on it)
Yeah - they were right pleased themselves until the Russians got in. Hate to imagine how much they spent afterwards in mitigation & cleanup costs, but it had to have been an easy quarter mill.
Hackers liked credit card data... Who knew?
(For the record, nope they didn't get to lift the data but did come damn close)
Salts - one or many?
Can someone tell me - does each password get its own salt or is there a global salt that's used?
Re: Salts - one or many?
AFAIK global, which ties it to the physical system.
Re: Salts - one or many?
So common passwords (e.g. 'password') would look the same encrypted?
Could they have also get hold of the salt? If so, this would presumably allow them to encrypt various common passwords and then see which accounts had a match?
Re: Salts - one or many?
One salt is significantly less secure than a unique one for each hash.
If the single salt can be found out then a rainbow table can be easily generated that will reveal many passwords.
The best practice is to use a different salt for each, stored along with the hash. This means that an interested party would have to generate a rainbow table for each salt, which is likely to be regarded as too much effort for the reward.
PASSWORD RESET: Dumping the burden on users' shoulders
Those institutions from whose systems users’ passwords have been leaked might be able to claim that they have done what they should have done by declaring the password reset. But it is not the end of the event. As more and more leaks continue, such password resetting will only shift the burden from their shoulders to those of users who can remember and recall no more than 5 passwords and will now have to
- reuse the limited number of remembered passwords across more of the different accounts, or
- carry around a memo with more of the passwords written on it, or
- put more of the eggs in a basket in case SSO/ID federation is involved
It reads “The usual suggestion, that users choose strong passwords that they don't re-use, will no doubt be ignored by a small-but-significant number of Evernote's customers”. It will certainly be ignored by many, who will perhaps keep grumbling indefinitely without seriously thinking about the practicable alternative to alphanumeric passwords.
Re: PASSWORD RESET: Dumping the burden on users' shoulders
"It will certainly be ignored by many, who will perhaps keep grumbling indefinitely without seriously thinking about the practicable alternative to alphanumeric passwords."
What alternative are you speaking of there? As much as you and I may like the idea of a long string the fact is that the vast majority of sites won't allow longer than about 16 characters. A great deal of those sites will also restrict you to alphanumeric while rejecting all others. You can only blame users for so long before you have to look at the sites and what they allow.
Now some hackers somewhere have a partially built list of things I might like for Christmas and a couple of pages of scathingly witty retorts I wish I'd thought up at the time.
That's my boxing day f%*ked
Re: Damn it!
That's nothing. They also have my list of favourite menus and several notes saying Testing 123. They may not know where I live, but they know what I eat!
Re: Damn it!
Not to mention all the books on my "To Read" list! How will I handle the loss!
10x worse than the PSN hack
But will get 1/10th of of hate coverage from the press, because Microsoft aren't behind the scenes poking the media with a stick.
"The usual suggestion, that users choose strong passwords that they don't re-use, will no doubt be ignored..."
Evernote could easily use the authentication mechanism of the user's choice: Facebook, OpenID, and so on. There's a big number. But they choose not to, as they want to "own" the customer. That is not the user's fault, but the result of corporate strategy.
...is anyone getting the message yet?
Getting hacked does not look good but : -
They came clean quickly
They stored passwords as salted hashes (with what I hope would be individual salt for each password)
They got their users to reset passwords
Other organistaions have handled the same situation far worse.