Lessons from the Evernote hack: Passwords and perimeters not strong enough

As if we needed confirmation, the weekend again proved that no organisation is immune from a data breach, as popular web service Evernote suffered a hack serious enough to force each of its 50 million-plus users to immediately reset their passwords.

Evernote has received broad approval from the security industry for the manner in which it has dealt with the incident, with its swift decision to co-ordinate the password change drawing praise. But the hack nevertheless exposed the reliance Evernote and so many others have on security measures that are becoming increasingly fallible in the modern cyber sphere.

Specifically, placing too much trust in both perimeter- and password-based strategies has been criticised. These somewhat one-dimensional approaches are offering less resistance than ever to hackers, and calls are growing for organisations to impose more sophisticated measures - not only to reduce the chances of an initial breach, but to limit damage and data loss once a breach has occurred.

Recognising the weaknesses of the network perimeter is the key lesson that should be taken from the Evernote hack, says Mark Bower, VP of Product Management at security firm Voltage. Bower claims the incident again proves that “what was once considered the impenetrable barrier, the enterprise perimeter,…[is] just a semi permeable membrane only as good as the weakest link.”

Malware providers that supply hackers with an arsenal of weaponry are enabling relatively easy breaches of the outer layer, Bower says. As such, he argues that “a breach has to be assumed to be an anticipated corporate event and the fallout needs to be mitigated when it happens [because] it’s practically unpreventable.”

“The only logical conclusion that has to be drawn is that something different needs to be done to protect sensitive data assets,” Bower continues, “[and] that boils down to requiring a different approach to protection - data-centric security.” When Evernote was breached, usernames, passwords and email addresses were all readily available to the hackers. Bower believes a strategy that brings protection closer to the data itself would make the repercussions of such a breach far less severe for both the organisation and its customers.

Today we learned that Evernote has taken further action to shore up user security by fast-tracking plans to roll out two-factor authentication to members’ accounts. Somewhat agonisingly, the rollout had been planned for later in 2013, but with the attack striking before its implementation could take place, the company says “those plans have now been accelerated.”

As its name suggests, two-factor authentication requires two forms of identification when a user signs into an account, such as a password plus an additional one-time code sent by SMS or email. Security expert Tony Bradley writes on PC World that such a measure is vital in an age when standalone passwords are frequently cracked.

“The real lesson of the Evernote hack… is that passwords don’t offer very good protection for your data,” he says. “Unique passwords that are complex offer better protection than using your dog’s name or no password at all, but ultimately all passwords can be cracked or guessed, given enough time and effort.”

Recognising the issue, the likes of Dropbox, Facebook, Google, PayPal and Amazon have already adopted two-factor authentication measures, and though the horse may have bolted for Evernote after the weekend’s events, Bradley believes the company deserves praise for fast-forwarding plans to improve its defences.

“There are many other options aside from phone-based authentication, such as access tokens, smartcards and email verification. The exact method varies widely. No matter the implementation, two-factor authentication provides an extra layer of protection, and Evernote should be commended for offering it,” he says.
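The two points made above, that a stolen credential table should not hand attackers usable passwords (Bower's data-centric argument) and that a password alone should not be enough to sign in (the two-factor scheme Bradley describes), can be shown in a few dozen lines. The following is an added illustration written for this article; it is not Evernote's, Voltage's or PC World's code and says nothing about how Evernote actually stores credentials. It assumes a hypothetical user record layout, uses PBKDF2-SHA256 for the password factor and a time-based one-time code (HOTP per RFC 4226, TOTP per RFC 6238) as the second factor, and borrows the RFC test secret `12345678901234567890` so the generated codes can be checked against the published vectors.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example

# --- Password factor: store a salted hash, never the plaintext ---------------
# If this table leaks, the attacker gets salts and derived keys, not passwords.

def hash_password(password: str, salt: bytes = b"", rounds: int = PBKDF2_ROUNDS):
    """Return (salt, derived_key); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, dk

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored)  # constant-time comparison

# --- Second factor: HOTP (RFC 4226) and TOTP (RFC 6238) --------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock drift.
    Every candidate is compared (no early return) so timing does not reveal
    which step matched."""
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, at // step + delta)
        ok |= hmac.compare_digest(candidate.encode(), submitted.encode())
    return ok

# --- Both factors together -------------------------------------------------

def make_record(password: str, totp_secret: bytes) -> dict:
    """Constructed user record (hypothetical layout) holding only hashed/secret material."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}

def login(record: dict, password: str, code: str, at: Optional[int] = None) -> bool:
    """Succeed only when both the password and the one-time code check out."""
    at = int(time.time()) if at is None else at
    pw_ok = verify_password(password, record["salt"], record["pw_hash"])
    code_ok = verify_totp(record["totp_secret"], code, at)
    return pw_ok and code_ok

if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret, used here only so output is checkable.
    secret = b"12345678901234567890"
    user = make_record("correct horse battery staple", secret)
    now = int(time.time())
    print("password only :", verify_password("correct horse battery staple", user["salt"], user["pw_hash"]))
    print("both factors  :", login(user, "correct horse battery staple", totp(secret, now), at=now))
    print("stale code    :", login(user, "correct horse battery staple", totp(secret, now - 300), at=now))
```

The verification window is the edge case worth noting: a code minted one 30-second step earlier still passes (phones and servers drift), but one from several minutes ago does not, and a correct code with the wrong password fails regardless.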

This latest high-profile breach is more than likely to prompt other organisations to follow suit and impose more rigorous security measures, but Voltage’s Bower believes a general lack of appreciation of threats in the cloud will see an increase rather than decrease of such problems.

“I suspect that in 2013 we will see more breaches of this type – the more sinister ‘wildfire’ cloud-specific breaches,” he predicts. “Cloud application adopters who have assumed that the cloud infrastructure or firewall is sufficient to protect data are likely in for a few surprises and may need to rethink their data security strategy very quickly.”