Dark Reading is part of the Informa Tech Division of Informa PLC



Evernote Breach: 7 Security Lessons

Both cloud service providers and users should heed the security takeaways from Evernote's breach and response.

Evernote on Sunday informed its 50 million users via email that it had suffered a data breach and suspected that usernames, email addresses and encrypted passwords may have been stolen.

"Evernote's Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service," read the "Evernote Security Notice: Service-wide Password Reset" email sent to users, which was also posted as a blog and to the Evernote Facebook page. "As a precaution to protect your data, we have decided to implement a password reset [for all users]."

What lessons can be learned from Evernote's data breach, as well as the company's handling of the incident? Here are seven security takeaways:

1. Detail What Attackers Took. Kudos to Evernote for broadcasting a security warning -- across multiple channels -- that clearly stated what attackers apparently took, as well as how that data was protected. "The investigation has shown ... that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords," stated the company's email to users. "Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption."

[ For more on the Evernote security breach, see Evernote Resets Everyone's Passwords After Intrusion. ]

The good news for Evernote users is that the company had salted and hashed their passwords -- unlike LinkedIn, which only hashed its passwords, thus making them more susceptible to being brute-force cracked offline and in relatively little time after attackers hacked into LinkedIn last year. While hashing isn't foolproof, it likely bought Evernote -- and its users -- extra time to detect and then respond to the breach.
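To make concrete why per-user salting plus a slow hash buys time, here is an added Python example (not Evernote's or LinkedIn's code; the sample accounts, guess list and work factor are constructed): it stores the same passwords both ways, then counts the hash computations an offline guesser needs to test a short guess list against every stolen record.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two of which share a weak password,
# plus a tiny guess list. None of this is real user data.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "xk3!Tq9v-long-phrase"}
GUESSES = ["123456", "password", "letmein", "qwerty"]
ITERATIONS = 20_000  # PBKDF2 work factor; an assumed value, not one from the article


def store_unsalted(users):
    """Hash-only storage: one SHA-1 per password, no salt. Identical passwords
    produce identical records, so one precomputed table matches them all."""
    return {name: hashlib.sha1(pw.encode()).hexdigest() for name, pw in users.items()}


def store_salted(users):
    """Per-user random salt plus a deliberately slow KDF; the salt is stored
    next to the digest because it is needed again at login."""
    records = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        records[name] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS))
    return records


def verify_salted(records, name, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = records[name]
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(probe, digest)


def exposure_cost(records, guesses, salted):
    """Return (accounts matched, hash computations spent) for an offline guesser
    that tests every guess against every record. Unsalted: hash each guess once
    and match all records by lookup. Salted: every (record, guess) pair costs a
    full KDF run, so the work grows with the number of accounts."""
    if not salted:
        table = {hashlib.sha1(g.encode()).hexdigest() for g in guesses}
        return sum(1 for h in records.values() if h in table), len(guesses)
    matched, ops = 0, 0
    for salt, digest in records.values():
        for g in guesses:
            ops += 1
            if hashlib.pbkdf2_hmac("sha256", g.encode(), salt, ITERATIONS) == digest:
                matched += 1
    return matched, ops
```

With 50 million records instead of three, the salted cost column scales by the same factor while the unsalted column does not, which is the time the article says Evernote bought.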

2. Exercise An Abundance Of Caution. Evernote opted to expire all passwords rather than attempting to first identify which usernames attackers may or may not have stolen. "While our password encryption measures are robust, we are taking steps to ensure your personal data remains secure," it said. "This means that in an abundance of caution, we are requiring all users to reset their Evernote account passwords."

More good news is that no Evernote user content appeared to have been stolen. "In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost," read the company's data breach notification. "We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed," it added, referring to the 4% of Evernote's users -- as of June 2012 -- who are paying customers.

3. Lock Down Weak Points. How did attackers hack into Evernote? The company didn't disclose that information in its email to customers. But since Saturday, the service has released a flurry of application upgrades for its Windows, Mac, Android and iOS clients.

Some users Sunday reported difficulty resetting their passwords after receiving the breach notification, noting that the Evernote website wasn't recognizing their email address. Evernote VP of marketing Andrew Sinkov advised users, via the Evernote help forum, to first upgrade their software. "Make sure to update all versions of Evernote that you use," he said in a Sunday post. "We've released a number of updates in the past day. After that, go to evernote.com and set your new password."

4. Don't Include Website Links In Password Reset Emails. Businesses that have had users' email addresses stolen face a dilemma: The "reset your password" emails they send out are often mistaken by users for spam or spear-phishing attacks, because that's so often what they are.

Correctly, Evernote's Sunday email to all of its users does warn them that they should never click a "password reset" link in an email, but rather browse directly to the site itself. But Graham Cluley, senior technology consultant at Sophos, pointed out that those same emails include "password reset" links to the Evernote website, by way of third-party domain mkt5371.com.

"This was just carelessness on Evernote's part," Cluley said in a blog post. "mkt5371 is a domain owned by Silverpop, an email communications firm who Evernote has clearly employed to send emails to its 50 million or so affected users. The links in this case do end up taking you to Evernote's website -- but go silently via Silverpop's systems first. Presumably that's so Evernote can track and collect data on how successful the email campaign has been." Still, it's not ideal.
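A check that a mailing pipeline could run before a notification like this goes out, as an added Python example (not Evernote's or Silverpop's code): it collects every link in the message body and flags any whose host is not the first-party domain. The email body is constructed for the example; only the tracking hostname comes from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample notification body. The redirector hostname is the one the
# article names; the paths, the lookalike host and the page layout are invented.
SAMPLE_EMAIL = """
<p>Go directly to <a href="https://evernote.com/">evernote.com</a> to reset.</p>
<p>Or use <a href="https://www.evernote.com/password">this page</a>.</p>
<p>Or <a href="http://mkt5371.com/ctt?kn=EXAMPLE">reset your password</a>.</p>
<p><a href="https://evernote.com.evil.example/login">Support</a></p>
"""


class LinkCollector(HTMLParser):
    """Gather every href from <a> tags, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_first_party(url, domain):
    """True only if the link's host is the domain itself or a subdomain of it.
    A plain string suffix test would wrongly accept evernote.com.evil.example;
    links with no host at all (mailto:, relative paths) are treated as off-site."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def offsite_links(html, first_party_domain):
    """Return every link in the message whose host is not under first_party_domain,
    which is exactly the set a 'never click reset links' email must not contain."""
    collector = LinkCollector()
    collector.feed(html)
    return [h for h in collector.hrefs if not is_first_party(h, first_party_domain)]
```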

5. Users: Prepare To Be Spammed. The good news for Evernote's users is that attackers don't appear to have stolen any of their content, which is a big concern for a cloud service that's used as a note-taking tool by millions of people. The bad news, however, is that attackers may have what they came for: a list of 50 million working usernames and email addresses. What's the risk? For starters, they could send fake password-reset emails to every Evernote customer.

Expect the attackers to keep the information to hand for future spam campaigns. Indeed, Slashgear reported Saturday that some users of Dropbox -- which was hacked in July 2012 -- have been reporting a sudden influx of spam emails that appear to be from LinkedIn or PayPal, as well as undisguised offers from online gambling sites and casinos. Some users have also reported receiving the spam via email addresses they've set up solely to receive Dropbox communications.

Rather than the spam emails being the result of a new hack, however, Dropbox officials told Slashgear that they suspect it's just a delayed effect from when the service was hacked. In other words, the Dropbox hackers have kept the stolen email addresses and are using them as they see fit. Evernote users can expect the same to happen to them.

6. Hack Attack Volume Not Diminishing. Evernote declined to say when it had been hacked. Likewise, its data breach notification email didn't tie its breach to any other specific attacks, noting only that "as recent events with other large services have demonstrated, this type of activity is becoming more common." But might the hack of Evernote have been the work of the same attackers who used watering-hole attacks to hack into Apple, Facebook, Microsoft and Twitter?

The Twitter data breach, which resulted in the compromise of 250,000 accounts, apparently occurred in late January. But tracing the attacks' source evidently took more time, as the moderator of the third-party iOS developer site iPhoneDevSDK that was surreptitiously used by attackers to launch drive-by attacks wasn't informed of the attacks until February 19. That would have given attackers a lengthy window to infect iOS developers at other businesses -- perhaps including Evernote.

7. Two-Factor Authentication Needed, Please. What should be done about the increased number of attacks against businesses such as Evernote and Twitter, and the resulting compromise of usernames, emails and passwords? For starters, when it comes to securing users' accounts, businesses must look beyond passwords. As noted by InformationWeek columnist Jonathan Feldman -- Evernote Breach: What It Means To Enterprise IT -- too few businesses have followed the security example set by game maker Blizzard, which offers its users a $6.50 two-factor authentication token, as well as a two-factor smartphone authenticator. Notably, two-factor authentication would have prevented the Evernote hackers from using any passwords they successfully decrypted.

If both Blizzard and Google can do it, what's stopping cloud services such as Twitter and Evernote from offering better security to their users? An Evernote spokeswoman didn't immediately respond to an email (sent out of normal working hours) about whether the company was evaluating or planning to roll out two-factor authentication for its users.


Comments
pcbackup
User Rank: Apprentice
3/4/2013 | 6:19:56 PM
re: Evernote Breach: 7 Security Lessons
Matthew, I think there's another important element to Lesson #5 that's worth considering...

As you stated, email addresses are nearly as valuable as account passwords, since they enable future attack opportunities, so why not apply the same level of protection to email addresses as for the passwords themselves? This one additional security measure could have rendered the stolen data far less valuable to the thieves!
pcbackup
User Rank: Apprentice
3/4/2013 | 6:21:37 PM
re: Evernote Breach: 7 Security Lessons
Oops, I see now that it's Mathew with one "t", not two! Sorry, my bad.
kjhiggins
User Rank: Strategist
3/8/2013 | 3:26:50 AM
re: Evernote Breach: 7 Security Lessons
Evernote seems to have responded well to the breach with a universal password reset for its users. It should also take a page from Bit9 and eventually explain how the breach actually occurred -- sharing lessons learned helps everyone.

Kelly Jackson Higgins, Senior Editor, Dark Reading