Evernote User Accounts Compromised

Evernote, today, reported that they detected and blocked suspicious activity on their network. As a precaution, they say, they’ve implemented a password reset for all users. When I first read about this, it sounded as if they had already reset your password and you would need to have it emailed to you. Instead, an email sent out instructed users to log in and change their passwords upon login.

What Happened?

Anything I say here would be purely speculation. However, attacks are often as simple as a SQL injection. This usually happens when a website takes user input (like a contact form or blog comment form) and does not properly run it through the ringer before adding it to a database. It’s more common than you think. For anyone interested in a more technical view of security vulnerabilities, check out OWASP’s Top 10 Project. In reality, any number of things could have let in a hacker and it’s too early to say for sure.

Should I Worry?

This is a two-part answer. First, your Evernote account is fine. According to Evernote, no data stored was lost or accessed (other than your credentials, of course). Just reset your password and you should be OK. Your other accounts, may not be, however. Take a look at the most important part of Evernote’s statement:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

This tells me that my username, email and encrypted password are out there in the hands of a hacker and because Evernote is a large service, it wouldn’t surprise me if a torrent file of this information shows up for download by anyone with an internet connection. “hashed and salted” means that, like they said, it’s one-way encryption. A hacker can try to encrypt a word using the same methods and see if it matches the blob of characters next to your username, but they can’t directly decrypt your password. This is important, but if your password was cracked, the hackers would now have a username/email/password combination to try on many other services. If I were that hacker, I would start with other cloud services, namely Apple’s. If you use the same username and password anywhere else, you should change your password there, too.

How To Protect Yourself

While websites and online services have legal and ethical obligations when it comes to storing your information, you should have some rules of your own.

Use a secure password that you can remember. The word “password” is sadly not only the most insecure password, but also the most popular. If it was easy for you to come up with and type in, it’s likely easier to crack. Don’t use your birthday, any word that can be found in a dictionary, or anything someone could guess with a little information about you.

Don’t write it down if you can help it. If I was in your house and wanted to get into your computer, the first place I would look is under your computer. Shockingly often, people just put their password on a sticky note and stick it to their monitor. The password is only as good as the user. Protect it like you’re protecting what it gets access to. If you wouldn’t leave your life’s savings on your desk, don’t put your password to it there, either.

Split up your passwords. This is a hard pill to swallow, but you absolutely should use a different password for each site. The cost is convenience, but the reward is not having every account you have hacked just because one site let your password get out. If this is too hard for you, use individual passwords for any site with finances, or sensitive information and another “global” password for the 150 other sites that are less critical.

Don’t just stick to one rule, either. I know from experience that thinking you’re doing so awesome with one rule (like having an incredibly hard to crack password) excuses you from the other rules is a good way to get hacked.

Gawker Media Hack Is A Password Reminder

Over the weekend, Gawker Media was hacked, providing an encrypted password list (among other things) to the hackers. A group calling themselves Gnosis has taken credit for the hack and released a package full of server information, notes on the hack, Gawker Media site source code and worst, everyone’s passwords.

Gnosis hack on Gawker Media

Judging by the statement made by the hackers, it looks like someone at Gawker pissed them off. I was actually planning another post about web security before this happened, but that will wait for another day as it has to do with different perils of having online accounts.

Here’s the email Gawker Media sent out today:

This weekend we discovered that Gawker Media’s servers were compromised,
resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel,
io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name
and password associated with your comment account were released on the
internet. If you’re a commenter on any of our sites, you probably have
several questions.

We understand how important trust is on the internet, and we’re deeply
sorry for and embarrassed about this breach of security. Right now we
are working around the clock to improve security moving forward. We’re
also committed to communicating openly and frequently with you to make
sure you understand what has happened, how it may or may not affect you,
and what we’re doing to fix things.

This is what you should do immediately: Try to change your password in
the Gawker Media Commenting System. If you used your Gawker Media
password on any other web site, you should change the password on those
sites as well, particularly if you used the same username or email with
that site. To be safe, however, you should change the password on those
accounts whether or not you were using the same username.

We’re continually updating an FAQ (http://lifehac.kr/eUBjVf) with more
information and will continue to do so in the coming days and weeks.

Gawker Media

How Does This Affect You?

If you’ve never commented on a web property in the Gawker Media network, you may not have anything to worry about. If you have, on the other hand, your password on that site has been compromised and you should think about where else you used that password and change it on all sites. In the quoted text above, Gawker points us to a post on Life Hacker full of answers. Of course, to minimize the effects of future hacks on Gawker or any site, it’s best to have a strong password (see below) and use different passwords for different sites. As an example, you wouldn’t want to use the same password on Gawker that you use for online banking.

Is Your Password Strong Enough

Surprisingly, too many people have passwords that are easy enough to crack or even just guessable. Without a doubt, the absolutely worst password you can use for any account is the word, “password”. Regardless, of the nearly 1.3 million accounts compromised, 1,959 had “password” as their passwords. Even if it’s not guessed by a hacker, the simplest brute force attack can crack this password in no time. So how do you know if your password is strong enough?

Is my Password Strong

I built a quick and easy password strength test site to help you test your password. This may be helpful but you can also get by with some quick password tips. To understand them, you should know a little about how a brute force attack works. Typically a script runs that tries one password after another until one works. A simple script might first try every word in a dictionary file. This is just a file full of known real words like “gamer”, “puppy”, or maybe, “password”. Failing that, it would start going through every character combination from aaa, aab, aac, for example, through to larger guesses like 9999999. A more time-consuming attack might make use of characters like $%!, etc. but this takes far longer. Having to check for upper vs lower case takes a lot longer as well. From this, we can assume that you can make your password stronger by making it longer and including numbers, mixed case, and special characters. By this logic, “Chr1Stm@s!!%” is a far more secure password than “christmas”.

Even if you were not affected directly by this, take this as a reminder to audit your password habits and make changes if needed. A little effort now can save you a lot of future headache.

A Little April Fools Day Fun

It’s April 1st. Of course, that means there will be all kinds of pranks being played all over the place, on and off the web. If you stopped by the site or happen to be subscribed to my feed, then you probably saw something like the image below.

JoeTech.com wasn’t hacked
I wasn’t hacked, but I sure fooled a couple people into thinking I was. I actually had another prank in mind, but today snuck up on me, so I decided at the last minute to hold that one for next year. Here’s what JoeTech.com looked like earlier today:

JoeTech.com Hacked
(image courtesy of http://www.i-tong.com/)

JoeTech.com Widget WarningAt least one person thought that my prank was in poor taste, while others didn’t seem as bothered. This is due, largely, to the fact that dozens (hundreds? I haven’t counted) of people have my Entrecard Slots and Ad Slots widgets on their blogs. I honestly hadn’t thought of that, but the widgets were loaded over 300,000 times in March, so I should have. In any case, it was all in good fun and I wasn’t hacked. I’m sorry if I scared a few people.

Others had some fun, too
John Chow ColaI wasn’t the only one playing devious little pranks today. They ranged from brilliant marketing like Ades going RSS only to fake marketing like ShoeMoney’s post about how to make $1,000 in an hour and ProBlogger’s PayPerTweet Launch, to some more fun and creative ones like John Chow Cola. Don’t take my word for it. There’s a whole list of the top 40 April Fools pranks of 2008.

Where is the line drawn?
My prank and the mixed reaction to it leaves me asking where the line should be drawn. Had I anticipated the notion that it was in bad taste, I might have come up with something different and not just copied John Cow’s 2007 prank. I wonder, though. What about all the other pranks. Is it OK for TechCrunch to claim they’re suing Facebook for $25 million? I assume companies like Coca-Cola and FaceBook who are named in these pranks take it in stride because it’s clearly a joke, but what about those who believe it? Chime in, people.