
Sensitive Documents in Evernote


Solved by PinkElephant


I want to preface with my Evernote password is 64 characters long, and incredibly random and I have TOTP 2FA enabled. Everything is in a password manager protected with an extremely long, high entropy password and 2FA. Obviously if my account isn't breached, a breach could occur on Evernote's side (I'm not sure if this has ever happened before).

Given this, how does everyone feel about using Evernote's document management capabilities to store sensitive documents: tax returns, medical information, et cetera? Right now I encrypt anything with my SSN on it before adding it to Evernote; however, that starts to get tedious and also nerfs search. I'm considering just going YOLO 😄 with this type of stuff due to the security practices I follow.

I'm curious how some of the more long term users around here approach this. 

2 hours ago, mackid1993 said:

I want to preface with my Evernote password is 64 characters long, and incredibly random and I have TOTP 2FA enabled. Everything is in a password manager protected with an extremely long, high entropy password and 2FA. Obviously if my account isn't breached, a breach could occur on Evernote's side (I'm not sure if this has ever happened before).

Given this, how does everyone feel about using Evernote's document management capabilities to store sensitive documents: tax returns, medical information, et cetera? Right now I encrypt anything with my SSN on it before adding it to Evernote; however, that starts to get tedious and also nerfs search. I'm considering just going YOLO 😄 with this type of stuff due to the security practices I follow.

I'm curious how some of the more long term users around here approach this. 

I keep mine in there but I also keep two different backups. Just in case. Not because of security but because I want to make sure if EN is ever not around or I have an issue I can still get to them.


I also have a long password and 2FA enabled and store some sensitive information in EN (however, none of it is business related; that is my red line).

Since I am not Donald Trump or any other celebrity, I guess the highly improbable event of a breach would not ruin my life, so I am relatively relaxed right now.

  • Solution

The first question for me is what a sensitive document is. Tax return? I wouldn't publish it, but sensitive? Personal documents? The same. Medical records - maybe, depending on the content. Business proceeds? I am working as a freelancer, and EN is my business driver. For sure there is business related information there; I couldn't work otherwise. So I have a Data Processing Agreement with EN, which is a legal requirement under GDPR. I think most of the data in a typical EN account is really sensitive, in the meaning of critically damaging if discovered.

The main issue is to keep account access secure: long password plus 2FA enabled.

Whoever wants more secure storage can store an encrypted container in a note, export it, open it, store whatever into it, close and encrypt it, and store it back. It is a PITA, but really not much different from using such containers in another cloud service.

Given the situation with access by authorities to cloud storage, I would never entrust ANY service with storing confidential information that is holding the keys to it as well. It's the same reason why I don't store passwords AND the 2FA keys in the same password manager.

In the end only cold storage or a cold wallet is really keeping your data completely safe - just don't lose it, or forget the keys.


Contrary to what some people claim, macOS also appears to be vulnerable to serious virus attacks:

CVE-2023-50643: An issue in Evernote for macOS v.10.68.2 allows a remote attacker to execute arbitrary code, severity 9.8 !!!

So in this case, an attacker can gain access to even your most sensitive local files...

The good news is that it has been fixed in the latest release 🙂


IMHO it's down to personal preference and your tolerance for risk. If your information is online, protected or not, it is at somewhat more risk than if it is behind firewalls on a connected device, and a lot more than with air-gapped storage or old fashioned paper. My bank and medical details are (mostly) offline and some are on paper.

Passwords are in a 'manager' app and the lock password for that app is only on paper. I subscribe to various (and mostly free) 'dark web' monitors which will tell me if my details are being offered online, and I lie about some of them (big reveal: I'm not actually named Gaz...) so anyone collating personal information can't easily and convincingly steal my ID - but with AI around most bets are now off.

Responsible companies will "of course" build in protections against misuse but there are tech-savvy bad actors out there who will try their best to take advantage, and the 'good guys' will of course have to keep up so they can keep some semblance of control.

I would definitely not keep all my data in one place, and I'd always make sure to include some attractive-looking nonsense in any vulnerable targets just to be mean.


Don't forget about this thread too where my thoughts are the same.

Since you like Evernote and are also really focused on security, I'd suggest checking out Standard Notes if you haven't already. It's Evernote-like but has a greater focus on security. Your data is stored in the cloud and zero-knowledge encrypted. Some things may not be as convenient or as good as Evernote with it, but I suppose security and convenience will forever be a trade-off. Standard Notes was on my short list of Plan B, but I haven't gotten very far down the road with it. (Make sure you try out the live demo and not just the free version to get a feel for the features, since the free version only lets you do plain text.)

4 hours ago, eric99 said:

Contrary to what some people claim, macOS also appears to be vulnerable to serious virus attacks:

CVE-2023-50643: An issue in Evernote for macOS v.10.68.2 allows a remote attacker to execute arbitrary code, severity 9.8 !!!

So in this case, an attacker can gain access to even your most sensitive local files...

The good news is that it has been fixed in the latest release 🙂

The main differences from Windows are that most software is notarized, and the OS is more closely controlled by Apple. Apple is more rigid in removing old software as well, like stopping all 32-bit apps a few years ago. Windows is often cracked through outdated, but still present, software (remember the exploit using the SYLK format a few years ago?).

I doubt that malware will ever find such an open inroad into macOS as it has in Windows. The rest is some reasonable caution, and the occasional scan with Malwarebytes.


Thanks for the feedback everyone. I take weekly backups of my Evernote database and export enex files for each notebook using evernote-backup. This gets backed up properly (3-2-1) every week. So I'm not too worried about losing any data. As for hackers, it's probably a bigger problem if Evernote themselves get hacked like LastPass was. My account follows best practices for security, so I'm going to take this in stride. :)

7 hours ago, PinkElephant said:

So I have a Data Processing Agreement with EN, which is a legal requirement under GDPR.

You mean the standard EN contract we all have, or do you have an additional one?


An additional one: a data processing agreement under the GDPR (Auftragsdatenverarbeitungsvertrag DSGVO). You get it free of charge through support.

Furthermore, the use of EN must be disclosed, for example on your website in the privacy declaration (Datenschutzerklärung).


There have been a few reports here from folks claiming to have suffered large financial losses because their accounts were allegedly hacked and their bitcoin tokens stolen. So there's that.

I am also occasionally amazed to see here requests for help from medical practitioners, possibly practicing in the US, asking for help recovering patient data. No, no, no! Evernote is not HIPAA compliant!

I myself avoid storing documents with social security numbers. For non-US readers, once a bad actor has a social security number, it gets a lot easier to steal their identity. It's not worth the risk to me; others calculate the risk differently.

Vinnie

43 minutes ago, VincentC said:

There have been a few reports here from folks claiming to have suffered large financial losses because their accounts were allegedly hacked and their bitcoin tokens stolen. So there's that.

Really?  Links please...  I must have missed those.


Yes, there have been postings. All were related to reusing passwords that were used on other services as well, and not having 2FA enabled.

This is bad practice regarding any account security.

Furthermore, EN is not built to keep financial information that can be used to actively move money around, like banking keys, secrets to access crypto wallets, or the wallets themselves. Wallets stored in any type of connected storage, including cloud services, are "hot" wallets, not protected and easy to steal. The only "good" wallets are "cold" wallets, separate from any computer and kept in air-gapped storage.

Any information like passwords, private keys and wallets must not be stored in EN.

But this is not what this thread is about.

3 hours ago, VincentC said:

There have been a few reports here from folks claiming to have suffered large financial losses because their accounts were allegedly hacked and their bitcoin tokens stolen. So there's that.

I am also occasionally amazed to see here requests for help from medical practitioners, possibly practicing in the US, asking for help recovering patient data. No, no, no! Evernote is not HIPAA compliant!

I myself avoid storing documents with social security numbers. For non-US readers, once a bad actor has a social security number, it gets a lot easier to steal their identity. It's not worth the risk to me; others calculate the risk differently.

Vinnie

I mean, the way I look at it, if I went far enough back through my email I could probably find my SSN on something. With a long, high entropy, unique password and TOTP 2FA I'm not too worried.

9 hours ago, VincentC said:

I myself avoid storing documents with social security numbers. For non-US readers, once a bad actor has a social security number, it gets a lot easier to steal their identity. It's not worth the risk to me; others calculate the risk differently.

Well, in the civilized world we have ID cards. Our German ID has a built-in NFC chip that serves as online ID. Not too many applications yet, but it's growing year by year.

Knowing a number doesn’t do much for anybody.

6 hours ago, PinkElephant said:

Well, in the civilized world we have ID cards. Our German ID has a built-in NFC chip that serves as online ID. Not too many applications yet, but it's growing year by year.

Knowing a number doesn’t do much for anybody.

Social security numbers in the US are a mess. It's a series of 9 digits assigned at birth to every citizen, and it's used for everything from filing your taxes to applying for a loan or credit or renting an apartment. Ideally you wouldn't want a bad actor to know yours, because they could easily impersonate you.

It's a terrible system and wasn't designed for what it is being used for.
