1

Apple, Facebook and Twitter have all been the target of hackers recently, and now Evernote has admitted to a potential breach that has forced it to reset the passwords of approximately 50 million registered users. Evernote, a kind of web scrapbook that enables you to take notes, save web pages and web page content, sync files across devices and share ideas with friends and colleagues, did the right thing in notifying users and resetting passwords. However, it did the right thing in the wrong way; and here's why.

I received an email last night informing me that:

Evernote's Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

dwebevnote
This immediately sought to put my, and the 49,999,999 other people who were reading the communication, mind at rest by assuring me that Evernote was taking this seriously enough to implement an across the board password reset. This despite there being no evidence, as yet, that any of my Evernote content had been accessed, changed or stolen. Evernote also told me that no payment information for 'premium' or 'business' customers had been accessed. So far so good you may be thinking.

The bad news is that the breach investigation does reveal that the hackers were able to gain access to usernames and the emails associated with them (sound familiar yet folks?) and, yes, those all important passwords. Now, in the case of Evernote these passwords are hashed and salted, which makes them pretty robust, but once again Evernote was taking no chances and the email says:

"in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com."

Again, so far so much better, you are probably muttering and wondering what the 'farce' angle is. Well, if you examine the link in the email to reset your password (as you always should before clicking anything as scammers and cyber-criminals can be quite clever in their presentation of mis-information) you will see that it takes you to a page at:

http://links.evernote.mkt5371.com

That's not the full URL, the actual thing will be different for each user and there follows a whole bunch of meaningless characters. Meaningless to the casual observer that is. However, the point being this kind of URL looks remarkably similar to the obfuscated variety that phishers and their ilk use to fool users into clicking them: they start with something that includes the product or service name but actually isn't the product or service URL itself. So in this case the link text in the email states 'evernote.com' but actually points to 'links.evernote.mkt5371.com' which is a totally different kettle of fish and raises alarm bells with anyone who has been properly schooled in taking security seriously.

dwebevnote02

The real farce starts when you continue reading the email and discover that amongst the "several important steps that you can take to ensure that your data on any site, including Evernote, is secure" which the security team helpfully have provided there is, right there at number three on the list:

"Never click on 'reset password' requests in emails - instead go directly to the service"

dwebevnote03

Sorry Evernote, you get kudos for doing the right thing but I'm afraid that you have shot yourself in both feet for doing it in the wrong way. It's important that you eat your own dog food in the security business, that is you yourselves follow the advice that you give others, and in this case you didn't.

Edited by happygeek: unstuck

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

2
Contributors
1
Reply
58
Views
4 Years
Discussion Span
Last Post by LastMitch
0

Thanks for sharing the info.

It's very detailed regarding about how they(hackers) used Evernote page and used it as their.

It really takes alot of planning to do something like this.

Every details is very important but they manage(not yet) to pull it off again.

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.