The attack on Evernote that was reported last weekend could be seen as a new stage in the battle of man v password.
According to the blog post issued by the cloud-based data storage application, it suffered a "coordinated attempt to access secure areas of the Evernote Service", forcing it to reset 50 million passwords after suspicious activity was detected and blocked on its network.
While it said that no information or payment data was accessed, it is a knock for cloud-based applications, less than a year after Dropbox suffered similar problems.
According to a post by security blogger Brian Krebs, Evernote didn't say which scheme it was using to hash passwords "but the industry standard is a fairly weak approach in which a majority of passwords can be cracked in the blink of an eye with today's off-the-shelf hardware".
Phil Lieberman, president of Lieberman Software, said: “The reality of the situation is that the loss of the encrypted password file is probably a non-event since the ability to figure out the actual passwords is pretty much impractical. I believe that the company figured that the decision to ask users to change their passwords was in actuality a real abundance of caution and a potential protection against a lawsuit.”
Password security is as old as the internet, or at least it feels that way: the same situations come around again and again, and we end up at the same old problem, how to persuade users not to re-use passwords and to choose something that is both more secure and memorable.
Intego's Lysa Myers said that password reset notices from breached vendors are becoming a weekly occurrence. “The attackers made off with only email, usernames, and password information, but the passwords were salted and hashed and thus not as useful for malicious purposes,” she said.
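Krebs' remark about a "fairly weak" industry-standard hashing scheme and Myers' point that salted and hashed passwords are "not as useful" are two sides of the same question: what a stolen password file is worth depends entirely on how it was produced. The following is an added illustration, not code from Evernote or from anyone quoted in this article. It contrasts a single fast, unsalted hash with a salted, iterated derivation (PBKDF2-HMAC-SHA256 from Python's standard library), using constructed user names and passwords, and a hypothetical iteration count chosen only for demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: two users who happen to share the same password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

# Hypothetical work factor for the example; production values are tuned
# to the deployment's hardware and revised upwards over time.
ITERATIONS = 100_000


def fast_unsalted_hash(password: str) -> str:
    """One fast, unsalted hash: cheap to compute, and identical for identical
    passwords, so reuse across accounts is visible to whoever holds the file."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Create a storage record: random per-user salt + iterated derivation.
    Two users with the same password get unrelated digests."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def pbkdf2_verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and work factor; compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(derived, bytes.fromhex(record["digest"]))


def shared_password_visible(stored_values: dict) -> bool:
    """True if any two accounts have identical stored values, i.e. the file
    itself reveals password reuse without any cracking effort."""
    values = list(stored_values.values())
    return len(values) != len(set(values))


def cost_ratio(password: str, iterations: int = ITERATIONS, trials: int = 200) -> float:
    """How many fast hashes fit in the time of one PBKDF2 derivation.
    This is the factor by which a slow scheme multiplies an attacker's cost
    per guess, which is the whole point of the stronger scheme."""
    start = time.perf_counter()
    for _ in range(trials):
        fast_unsalted_hash(password)
    fast_each = (time.perf_counter() - start) / trials

    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    slow_each = time.perf_counter() - start
    return slow_each / fast_each


if __name__ == "__main__":
    weak = {user: fast_unsalted_hash(pw) for user, pw in USERS.items()}
    strong = {user: pbkdf2_record(pw) for user, pw in USERS.items()}
    print("weak file reveals shared passwords:",
          shared_password_visible(weak))
    print("salted file reveals shared passwords:",
          shared_password_visible({u: r["digest"] for u, r in strong.items()}))
    print("alice logs in:", pbkdf2_verify(strong["alice"], USERS["alice"]))
    print("wrong password rejected:", not pbkdf2_verify(strong["alice"], "wrong"))
    print(f"one PBKDF2 derivation costs about {cost_ratio('x'):.0f} fast hashes")
```

The first check shows why salt matters even before cost is considered: with a fast unsalted hash, alice and bob are visibly the same in the stolen file. The last line shows the other half of the defence, a work factor that makes every guess against the leaked records cost as much as a very large number of plain hashes. A leaked file produced the first way supports Krebs' concern; one produced the second way supports Lieberman's assessment that recovering the actual passwords is impractical.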
Jody Allen, consultant at Information Risk Management, said: “The Evernote security breach is the latest in a recent succession of attempts by hackers to circumvent corporate security procedures to gain access to their data as well as our own.
“For the common user, the releases that followed would do nothing to reassure them that they have little to worry about. Talk of hashes and salts being compromised rather than actual passwords will frankly be overlooked - the overarching point being that 'my details were compromised'.
“As we move into the future of cloud computing, with users putting more of their everyday life into unknown online storage, maybe others should be heeding these examples as Evernote moves towards new ideas. That is not to say the process of two-factor authentication is new, just a new ‘concept’ for end-user products. After all, it has been well implemented for quite some time within corporate work places.”
Aside from the password angle, is this more a question of the security of cloud-based applications such as Evernote and Dropbox? I spoke to Luis Corrons, technical director of PandaLabs, who said that no one can raise their hand and say they can prevent something like this happening.
He said: “Even more after the last cases we have seen (Twitter, Facebook, Apple, Microsoft) there is not a 100 per cent safe place. However that cannot be used as an excuse to not be aware of what is happening in your internal network.
“From a user perspective, it is true that these kinds of cases can cause them fear. Which is not a bad thing for a number of reasons: danger is out there, attacks are happening all the time and it is very important to be aware of that; and users will demand that their providers ensure they are taking serious security measures.
“We thought 2012 was a bad year, with lots of attacks happening everywhere. Well, it looks like 2013 is going to be even more interesting in this field; in the first two months of 2013 we are learning how any company, no matter what size, can be a victim of these attacks. And we still have ten months left of this year to enjoy.”
Lieberman said that as systems become bigger and populated with ever more valuable resources, these types of flaw become harder and harder to find and the value of discovering one becomes higher.
Mark Bower, vice president of product management at Voltage, said that in the cloud, an attack can topple many systems like dominoes.
“So, if Evernote was following best practices as it seems, how did the attackers get in? Very likely there was a Java or zero-day exploit leading to system penetration. Maybe an insider opened a malicious email from spear phishing. We may never know, but once again it shows that what was once considered the impenetrable barrier, the enterprise perimeter, we really now have just a semi-permeable membrane only as good as the weakest link,” he said.
Bower, like Corrons, predicted that we will see more breaches of this type in 2013, saying that cloud application adopters who have assumed that the cloud infrastructure or firewall is sufficient to protect data are likely in for a few surprises and may need to rethink their data security strategy very quickly.
The key themes of this attack – application security, cloud security, passwords, zero-day vulnerabilities – have been covered over and over, but that does not make them any less important, especially in a case that combines all of these factors.