The recent hack of note-taking and archiving web service Evernote comes on the heels of several high-profile hacks on Facebook, Twitter, The New York Times, The Washington Post, Apple, Microsoft, Gawker, Sony and LinkedIn. The difference here is that Evernote’s main selling point is cloud-based security.
Ever since the goddess Aphrodite promised Helen of Troy’s love to Paris in exchange for a golden apple, leading in turn to a protracted war involving a giant wooden horse left outside the city gates, people have wondered how to avoid being sucker-punched owing to lax security.
And since the beginning of the internet, site hacks have become a fact of life for just about everyone. At some point, the weakest link in your chain is going to look at the giant wooden horse and shout, “It may bring us luck. Open the gates!” At which point, you’re finished.
On Saturday, Evernote, a California online file storage company with a reputation for tight security, announced to all its users that they should immediately reset their passwords owing to a hack, which by various accounts occurred as early as February 28th. Most Evernote users report getting an email from the company on March 3rd. Meanwhile, the story had been all over the news from March 1st. The company insists that there is “no evidence” that any user information has been compromised, and this is very likely true. However, optics are everything, and one can’t help but wonder about the state of Evernote’s reputation going forward in the face of such a well-publicized hack.
Hackers obtained access to Evernote’s usernames, email addresses and passwords (although the passwords were encrypted, and so probably of no real use). The attack, which was described by Evernote as “coordinated”, comes on the heels of several high-profile hacks on Facebook, Twitter, The New York Times, The Washington Post, Apple, Microsoft, Gawker, Sony and LinkedIn. The difference is that Evernote’s primary selling point is security. Its users want to securely store notes, itineraries, videos, and what could be described as sensitive documents in the cloud.
Milan Vrekic, co-founder of Halifax data security specialists TitanFile, talked to Cantech Letter about the Evernote incident recently. “Security of the public cloud is improving constantly and we see serious, enterprise-ready solutions pop up on an almost weekly basis,” he said. “The days of the infancy of the cloud are over. Evernote managed to detect and patch the security hole in their product faster than many major enterprise players and that is a testament to viability of the cloud.”
Questions will naturally arise as to the soundness of keeping private information in the cloud. But at this point, you might as well express concern over putting your money in a bank rather than a mattress. Our information is irrevocably connected and held in trust by institutions both large and small, online and offline. Using a computer that’s connected to the internet and running software like Adobe PDF or Flash, Java, Firefox or Internet Explorer exposes you to exploits that hackers could probably use if they really wanted to. It’s only our confidence that IT security experts know how to protect us online better than we do ourselves that keeps our online life relatively hack-free.
Most people use a service like Evernote first for convenience, and then for security, perhaps supplemented by password generation services like LastPass, 1Password, and KeePass, which are no doubt noticing significant upticks in traffic to their sites in the wake of the Evernote hack.
If you’re considering using a site like Evernote, should you be concerned? According to commentators who actually understand the technical details of what happened, yes, you should. It also doesn’t look good that Evernote, which has unequivocally advised users to “never click on ‘reset password’ requests in emails” and to “instead go directly to the service,” is now providing clickable links to reset each password in the email alerting them to the hack. That said, Evernote has at least confronted the problem in strong terms. Having every user reset their password is probably overkill, but it looks good on the company and reassures the user base that they’re taking the problem seriously.
Even for those who take Evernote at their word that no useful data was breached, the problem remains that each user has received a strong signal that this site may not be the best place to store their documents, which is Evernote’s bread and butter. Hackers are after all kinds of information, but obviously some targets are more lucrative than others. And in reality, finding someone’s banking information in a swarm of data the size of the Evernote hack is akin to finding an actual needle in an actual haystack.
What can you do? First, don’t use the same password for online services such as Evernote as you use to access your online banking or email. Second, consider using a password generator. LastPass, for example, is free for laptop and desktop computers, and costs $1 per month to upgrade to a premium account to cover your mobile devices. And there are several other password generators out there. Third, pray for the end of passwords in favour of some other form of security, the nature of which is not yet clear and has yet to find an agreed-upon form.
But avoiding the cloud is not really an option. Hearing from people who insist that the cloud isn’t safe is a bit like being told never to use public roads or sidewalks by a person who only travels by helicopter or canoe. Public infrastructure, like life, is inherently open to risk.