
(Archived) Steve Gibson trashes Evernote's security


In his podcast episodes #394 and #395, security guru Steve Gibson trashes Evernote's 64-bit RC2 encryption as substandard and too easily compromised, and he advises everyone to NOT keep confidential or personal information in Evernote. He says that at the very least Evernote should be using 128-bit or, better yet, 256-bit encryption, but that they have chosen to purposefully use substandard encryption because Evernote does not want to complete the paperwork necessary to get government approval to use good encryption.

Listen to his Security Now podcasts #394 and #395. It is mentioned in both podcasts (though it is just one of many security issues he speaks about in both podcasts). They are available on iTunes.


Haven't listened yet, but what about information that's kept in local notebooks, so not synced online; and notes that contain encrypted or password-protected documents? Most advice that I recall being given here says pretty much the same thing: the security of anything you put online is entirely your own responsibility.


From what I can tell, offline notebook security is not jeopardized by Evernote, but of course depends completely on how secure your computer is. I do not recall him saying anything definitive about note data which the user encrypts, other than that this makes that data much less usable.



From the parts I listened to, it seems they said nothing new, IMO. In a nutshell, if you want to keep sensitive data secure, don't put it in Evernote. Several of us have been saying that for years on the message board here, with the exception of adding "unless it's encrypted". IMO, the only "new" info is that maybe you don't use EN's encryption. Again, I know I have shied away from EN's encryption and use either PDF encryption, TrueCrypt or true password managers (like RoboForm or LastPass).


I would also like to point out the part in 394 where they praise Evernote's response to the hack. 


Leo: So Evernote really did everything they could do except, unfortunately, prevent the initial hack.

Steve: Yes. And with any luck they, I mean, I guess I'm of a mind, yes, it's bad. Yes, it's hard to do this right. The larger your organization is, the bigger your systems and your network is, the more people have access, the more ways there are in. I mean, it's just it is so difficult to do this kind of security correctly. So I'm not of the mind that, if someone makes a mistake, you drop them and go somewhere else because I believe they can learn from these mistakes. I mean, they're probably more secure now than they were before, so that's more reason to stay with the people that have learned this can actually happen. And the fact that they were already using salted hashing says, okay, they understand the fundamentals. Yes, it's not SHA-1; but MD5 is fine, if it's salted and it's done right. And the evidence is it was all done right.

Full transcript is here: http://www.grc.com/sn/sn-394.htm

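The "salted hashing" Steve praises in the quoted transcript is the property that two users with the same password end up with different stored digests, so a precomputed table for one digest does not crack every account at once. The following is an added illustration of that property, not code from the thread and not a description of what Evernote actually deployed (the thread gives no implementation details). The salt length and the PBKDF2 iteration count are assumptions chosen for the example; the PBKDF2 variant goes beyond the transcript to show the slow-KDF construction that current practice prefers over a fast hash like MD5, salted or not.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SALT_BYTES = 16  # assumed: a 128-bit random salt per user; the thread gives no size


def unsalted_md5(password: str) -> bytes:
    """The weak pattern: no salt, so every user who picks the same password
    stores the same digest, and one precomputed lookup table covers all of them."""
    return hashlib.md5(password.encode("utf-8")).digest()


def hash_password_md5(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted MD5 as the transcript describes: a fresh random salt for each user,
    stored alongside the digest. The salt is not secret; its job is uniqueness."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_password_md5(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time so that
    response timing does not leak how many leading bytes matched."""
    _, digest = hash_password_md5(password, salt)
    return hmac.compare_digest(digest, stored)


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Slow, salted KDF (PBKDF2-HMAC-SHA256). Even a salted fast hash lets an
    attacker who steals the table test huge numbers of guesses per second offline;
    the iteration count (an assumed value here) makes each guess deliberately expensive."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password_pbkdf2(password: str, salt: bytes, stored: bytes,
                           iterations: int = 200_000) -> bool:
    _, digest = hash_password_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(digest, stored)


def salted_digests_differ(password: str) -> bool:
    """Two independent enrolments of the same password yield different digests
    once salted; without a salt they are identical. Returns True when the salted
    scheme shows the expected property."""
    unsalted_same = unsalted_md5(password) == unsalted_md5(password)
    salted_same = hash_password_md5(password)[1] == hash_password_md5(password)[1]
    return unsalted_same and not salted_same


if __name__ == "__main__":
    # Constructed sample: the same weak password enrolled for two accounts.
    pw = "hunter2"
    print("unsalted digests equal:", unsalted_md5(pw) == unsalted_md5(pw))
    print("salted digests equal:  ", not salted_digests_differ(pw))
    salt, stored = hash_password_pbkdf2(pw)
    print("pbkdf2 verify correct: ", verify_password_pbkdf2(pw, salt, stored))
    print("pbkdf2 verify wrong:   ", verify_password_pbkdf2("Hunter2", salt, stored))
```

The stored record is the pair (salt, digest); the salt must be random per user rather than a single site-wide value, since a shared salt restores the one-table-cracks-everyone problem across that site.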

Good point. The praise for how Evernote handled the attempted hack is well deserved. Evernote did that quickly, told us truthfully what happened and took the proper steps to keep our accounts secure.

My frustration is with Evernote's intentional and deliberate failure to use good state-of-the-art encryption on our data. It is not hard, it's really just a matter of them thinking it is necessary, and I hope my post and the comments by Steve Gibson and Leo Laporte will nudge Evernote to finally improve the encryption security of our data.


Well, we've already been told that Evernote are conducting a security review (they'd be daft not to) and we're expecting more on 2FA. They haven't indicated what might be the outcome though, and despite some impassioned argument elsewhere there has been no official comment on what they might do, so don't expect anything to happen, and you might be pleasantly surprised when something does.


Last week Steve Gibson was surprised to learn about Evernote's weak crypto. "I thought there were no export restrictions on crypto now. I mean, everybody's doing 256-bit AES, which blows away [Evernote's] 64-bit RC2."

This week, after doing more research in the Evernote docs, he came on even stronger.
Evernote says they don't have enough staff members to get the certificate for strong crypto, so they're sticking with the ancient 64 bit.

He said, "It's really not the security you want. Getting the information out of Evernote and into LastPass is the way to go."

With LastPass, you get cloud sync (over multiple devices) and you get really strong crypto.

More information from Ars Technica's risk assessment of Evernote's substandard crypto can be found here: http://arstechnica.com/security/2013/03/critics-substandard-crypto-needlessly-puts-evernote-accounts-at-risk/


This topic is now archived and is closed to further replies.
