
Evernote servers and ransomware


Since major corporations and utilities are routinely attacked by ransomware hackers, should we worry about Evernote? I'm not thinking of individual accounts so much as the entire database.

  • Thanks 1
Link to comment
  • Level 5*

Individual devices are far more likely to suffer a ransomware attack than Evernote's servers, and I'd think Evernote is the best protected of all note taking services. Don't see there's much to worry about here...

Link to comment

Glad to hear it. Because it would be an unbelievably tempting target, as many store sensitive data there. I'd advise anyone to encrypt the most sensitive stuff.

Link to comment
  • Level 5*

I tend to keep my plans for World Domination on paper anyway - anything that's online is at risk;  it's down to individual judgement (or lack of it) as to how you protect your interests...

Link to comment
  • Level 5

EN used to host the data on Google server farms, with copies in different locations (this means really in another data center, not just in the next rack). With all the changes, I am not sure this is still where the accounts are hosted. This can only be answered by EN staff (which we are not).

The second answer to ransomware is backups. I think that the server is backed up, with safe backup strategies like immutable snapshots.

If you want to be sure, get the Evernote Backup project from GitHub, install it and run it frequently. It will create a full local copy of your EN database on your local computer. You can export to ENEX if needed, and move or reinstall your data, worst case.

  • Like 1
Link to comment

There are note platforms that support E2EE across all data, not just a subset. Some don't run without it. EN doesn't fall into either camp.

Reliably assessing EN's security posture from the information on the website presents a challenge, because as of today it still says they're in the middle of a migration to GCP that began 8 years ago. That isn't the case, is it? Probably not, but hey, maybe. Knowing there is likely some outdated or conflicting information out there, it's difficult to be certain where EN data is stored or how (or how well) it's protected.

We hope EN is doing all the right things, but making assumptions based on what may be old information can lead to bad outcomes, no matter how much we want it to be true. Backups are a good hedge against uncertainty if data loss is your primary concern. Thank you, PE, for posting the GitHub link.

Link to comment
  • Level 5

E2E does not help at all with the question posted. If, hypothetically, a ransomware attack were to succeed, the encrypted content would simply be encrypted a second time, but this time using the malicious key of the ransom gang. This turns the data into a mash of 0s and 1s.

EN has operated under GDPR legislation since the acquisition by Bending Spoons. This would not technically stop a hacker - but it puts requirements on the safety of the data storage and handling, and heavy fines on violations. The existing descriptions of what EN does to protect the stored data may not be up to date. But they still describe the security measures: transport layer encryption during the communication between client and server, and the full encryption of all user data while stored.

From what we see the new management team does more than before to secure our accounts. They have abandoned SMS codes (which have known insecurities) and forced users with weak or compromised passwords to reset them.

Anyone handling very sensitive data (like those with a government classification or HIPAA relevant documents) should not use ANY cloud service.

  • Like 2
Link to comment
3 hours ago, PinkElephant said:

E2E does not help at all with the question posted. If, hypothetically, a ransomware attack were to succeed, the encrypted content would simply be encrypted a second time, but this time using the malicious key of the ransom gang. This turns the data into a mash of 0s and 1s.

True enough. This is good clarification for those thinking about a lack of access to their data due to a ransomware attack. As the OP added a comment about encryption, it's worth noting that some platforms apply it more broadly or use a more robust methodology than EN does.

Link to comment

PinkElephant, thank you for the GitHub link. Downloading the Mac OS version, I get: "evernote-backup" cannot be opened because it is from an unidentified developer. ... Can anyone remember how to get round this? Does this app allow one-click backup of all notebooks? It would be wonderful if it did, as I believe exporting can usually only be done one notebook at a time.

Link to comment
  • Level 5

It was a while ago, but it is recommended to install via Homebrew. You install Homebrew first, and then using the "brew install" command line you fetch the package.

Look up the install guide on GitHub, it is really well documented (Kudos to the dev).

Link to comment

Does this app allow one-click backup of all notebooks? It would be wonderful if it did, as I believe exporting can usually only be done one notebook at a time.

Link to comment
  • Level 5

It works in 3 steps:

  1. First you authenticate access through the API to your account.
  2. Second it downloads all content to a local database (the tool is written in Python). The first download takes quite a while, because it downloads everything. From the second time onwards it will only download changes and new notes - the advantage is this is incremental, whereas EN always exports everything.
  3. The third process creates ENEX-files from that database, one file per notebook. You don't need to run the ENEX step, because the backup is already done by writing to the local database.

It is technically speaking not one click, but one command for each step, issued through the terminal app on your computer.

You can automate it by entering the command line into the task manager on your computer, and run it with a certain frequency, for example weekly.

And since it doesn't require a local client, it can be installed everywhere, even as a Docker instance on a home server like a NAS.

Link to comment

On a mac this could be automated with a bash script and a crontab entry. I don't have a Mac in front of me to help though but a search of the forums will show many times where I've covered automation on Windows.

Link to comment
  • Level 5

As a Unix-like OS, a Mac lets you use bash and cron if you like.

However Apple proposes the use of launchd instead of crond to execute scripts automatically.

Link to comment
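The three steps described above (authenticate once, sync incrementally, export ENEX per notebook) and the cron/launchd automation discussed in the last two posts can be combined into one wrapper script. The following is an added example written for this thread, not code from the evernote-backup project or from any poster. It assumes that evernote-backup is on PATH, that its subcommands are `init-db`, `sync` and `export`, and that `--database` selects the local database file and `--oauth` triggers browser-based authentication; check `evernote-backup --help` before relying on those names. The backup location `$HOME/evernote-backup` and the retention count are likewise assumptions you can override through environment variables.

```shell
#!/bin/sh
# Added example wrapper around the three evernote-backup steps, meant to be
# run from cron or launchd. Not part of the evernote-backup project.
# Assumptions (verify against `evernote-backup --help`): subcommands are
# `init-db`, `sync` and `export`; `--database` selects the local DB file.
set -eu

BACKUP_ROOT="${BACKUP_ROOT:-$HOME/evernote-backup}"   # assumed location
DB_FILE="$BACKUP_ROOT/en_backup.db"
KEEP_EXPORTS="${KEEP_EXPORTS:-4}"                      # ENEX snapshots to retain

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*"; }

# Step 1: authenticate once; skipped when the database already exists.
ensure_db() {
    mkdir -p "$BACKUP_ROOT"
    if [ ! -f "$DB_FILE" ]; then
        log "no database yet, starting interactive authentication"
        evernote-backup init-db --database "$DB_FILE" --oauth
    fi
}

# Step 2: incremental sync; only changed and new notes are fetched.
sync_notes() { evernote-backup sync --database "$DB_FILE"; }

# Step 3: write one ENEX file per notebook into a timestamped directory.
export_enex() {
    dir="$BACKUP_ROOT/enex-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dir"
    evernote-backup export --database "$DB_FILE" "$dir"
    printf '%s\n' "$dir"
}

# Retention: keep only the newest $2 export directories under $1.
# Names carry a fixed-width timestamp, so glob order is chronological.
prune_exports() {
    root="$1"; keep="$2"
    set -- "$root"/enex-*
    [ -e "$1" ] || return 0                 # no exports yet
    excess=$(( $# - keep ))
    while [ "$excess" -gt 0 ]; do
        rm -rf -- "$1"
        shift
        excess=$(( excess - 1 ))
    done
}

main() {
    ensure_db
    sync_notes
    dest=$(export_enex)
    prune_exports "$BACKUP_ROOT" "$KEEP_EXPORTS"
    log "backup complete, latest export in $dest"
}

# Run only when invoked as `en_backup.sh run`, so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it once by hand so the first step can complete its interactive authentication, then schedule the same command, for example with a crontab line such as `0 3 * * 1 /usr/local/bin/en_backup.sh run >> "$HOME/evernote-backup/backup.log" 2>&1` for a weekly run, or on macOS as the ProgramArguments of a launchd agent as suggested above. The local database is the actual backup; the timestamped ENEX directories are a convenience for restores, which is why the script rotates them rather than the database.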
15 hours ago, Jon/t said:

They have a security team and work on security all the time but obviously don't publicise what they do.

This page has a bunch of info. 

https://evernote.com/security

Anyone reviewing that page should be aware that at least some of the information is likely out of date and possibly inaccurate as a result. Unfortunately, while we can surmise they are not really still in the middle of an 8-year-long migration to GCP, we don't know which other facts on that page might also be obsolete.

If someone wants to assume that's just a silly technicality, that's their prerogative. But if a company posts a web page dedicated to security on its site and allows poor quality information to populate it, then any criticism of the data provided is valid.

Link to comment
22 minutes ago, thefryhole said:

Anyone reviewing that page should be aware that at least some of the information is likely out of date and possibly inaccurate as a result. Unfortunately, while we can surmise they are not really still in the middle of an 8-year-long migration to GCP, we don't know which other facts on that page might also be obsolete.

If someone wants to assume that's just a silly technicality, that's their prerogative. But if a company posts a web page dedicated to security on its site and allows poor quality information to populate it, then any criticism of the data provided is valid.

I didn't see anything on that page about an 8 year GCP migration. It was all standard best practice stuff that every vendor should do.

They even go a step further and check everyone's passwords against HaveIBeenPwned database and if there is a match they lock your account and force a reset. I don't see many companies go to these lengths. It's things like this that make me ❤️ Evernote.

I'm at the point where I'm trying to ignore the haters and just enjoy this excellent service. 😊

  • Like 1
Link to comment

Here is a screen cap of a portion of that page taken just now:

[Screenshot of a portion of the Evernote security page, captured 2024-06-07]

By stating that they began migrating data to GCP, one would expect to also find either a forecasted completion date or an end date when the migration was complete. There is nothing in the language that either estimates or confirms completion. Is EN data split between two different infrastructures, or isn't it?

By stating that data stored in GCP "will be protected," the implication is that there's still some future event to occur. So is my data stored in GCP, and thus protected by the features listed on the site, or isn't it?

Simply stating where data is stored and how that cloud service protects it would go a long way to removing the ambiguity here. Those pieces of information aren't some big state secret.

As I said, if someone chooses to overlook or interpret the information given in this section of the EN website in a different way, that's on them. But pretending the language says anything other than what it actually says could lead to some unwelcome outcomes. I'm curious why you wouldn't want someone to apply critical thinking when making a decision. Hey, I read that section and I still use EN. Yet somehow I'm a hater? Ooohhhhkaaaay...

Link to comment
  • Level 5

In late 2016 ...

What did we use in 2016 ? 8 years ago !

In fact I doubt this article is still completely up to date. EN was taken over by a new owner, moved to a different continent, operated by a new team. We know they did some extensive work on the server backend (the "monolith", as they called it in the blog), changed login procedures to safer methods, forced password resets on users with weak passwords, and so on.

All this while continuing on a server structure erected in 2016, with 2016 methods ? We can't know for the lack of information, but I sincerely hope the answer is "No".

Link to comment
53 minutes ago, PinkElephant said:

In late 2016 ...

What did we use in 2016 ? 8 years ago !

In fact I doubt this article is still completely up to date. EN was taken over by a new owner, moved to a different continent, operated by a new team. We know they did some extensive work on the server backend (the "monolith", as they called it in the blog), changed login procedures to safer methods, forced password resets on users with weak passwords, and so on.

All this while continuing on a server structure erected in 2016, with 2016 methods ? We can't know for the lack of information, but I sincerely hope the answer is "No".

It's just another page on the website that needs to be rewritten. They've been slowly updating things.

They've been so focused on improving the app that inherited stuff like this hasn't been updated, likely because all of the changes that they have planned have not been completed. I will say all of my open connections from Evernote.exe are hitting Google endpoints.

Link to comment
