Cloud company Evernote hacked, 50 million password resets

Evernote is an online service that lets users store pictures, music, videos and text on the internet and access them from any device. Its users can edit their notes from anywhere. The company has acknowledged that it has suffered a data breach. According to the statements released after the intrusion, there was no evidence that the contents stored in Evernote were accessed, and payment information related to Evernote Premium or Evernote Business customers was not accessed either.

Evernote Security Notice

Congratulations, passwords stored by Evernote are hashed and salted.

As an incident response measure, Evernote is sending email notifications to all its customers, urging them to reset their passwords. Indeed, hackers could use those email addresses to send unsolicited messages like spam. By enforcing the use of strong passwords, Evernote aims at reducing the attack surface of its online service. To be sure that your data is safe in a cloud-based service: do not use passwords based on dictionary words, do not use the same passwords on multiple sites and services, and never click on "password reset emails"; go to the web page instead.
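The sketch below is an added example, not Evernote's code: it shows what "hashed and salted" storage means and how a reset flow can refuse dictionary-based passwords. PBKDF2-HMAC-SHA256, the iteration count, the 12-character minimum, the tiny word list and all function names are assumptions made for illustration; the notice does not say which algorithm Evernote uses.

```python
import hashlib
import hmac
import os

# Constructed sample denylist; a real deployment would load a large word list.
DICTIONARY_WORDS = {"password", "evernote", "dragon", "sunshine", "letmein"}
ITERATIONS = 200_000  # assumed work factor for this example
MIN_LENGTH = 12       # assumed minimum length for this example


def is_dictionary_based(password):
    """True if the password is a listed word, optionally with digits/symbols appended."""
    core = password.lower().rstrip("0123456789!@#$%")
    return core in DICTIONARY_WORDS


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn for each new password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def set_password(store, user, password):
    """Reject weak choices at reset time, then keep only the salt and digest."""
    if len(password) < MIN_LENGTH or is_dictionary_based(password):
        return False
    store[user] = hash_password(password)
    return True


def verify_password(store, user, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    if user not in store:
        return False
    salt, expected = store[user]
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    store = {}
    print(set_password(store, "alice", "sunshine1234"))  # dictionary word plus digits
    print(set_password(store, "alice", "correct horse battery staple"))
    print(set_password(store, "bob", "correct horse battery staple"))
    # Same password, different salts: the stored digests do not match each other.
    print(store["alice"][1] != store["bob"][1])
```

Because each record has its own salt, a leaked table does not reveal which users share a password, but a password built on a dictionary word can still be guessed one record at a time, which is why the reset and the strong-password advice matter.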

Cloud Computing Security

The National Institute of Standards and Technology has defined cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction". The service model consists of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Those services are deployed over four deployment models: public cloud, private cloud, hybrid cloud and community cloud. The originality of cloud computing is virtualization. The hypervisor is the software that presents a physical server as virtual servers, thus allowing the creation of virtual machines. VMware ESX/ESXi, Kernel-based Virtual Machine (KVM), Microsoft Hyper-V and Citrix XenServer are products used to create virtual computing environments. These innovative technologies include software and applications with vulnerabilities that attract hackers and malware (worms, viruses, Trojan horses, adware). Security professionals have introduced different approaches to securing cloud computing.

Confidentiality, integrity and availability are at the heart of any information security program. Many security standards have evolved over the past year to help cloud computing providers and customers reduce the attack surface in their virtual environments. Among those are the International Organization for Standardization (ISO) 27001 audit standard for information security management programs, National Institute of Standards and Technology Special Publication 800-53 on information security, the Payment Card Industry Data Security Standard (PCI DSS) for encryption of credit card records, and the Health Insurance Portability and Accountability Act (HIPAA) for protecting health care records.

"Operational security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of critical information".[1] Using this approach in the virtual environment consists of the following: data at rest and in motion must be encrypted in the cloud (asymmetric or symmetric encryption); hypervisor and virtual machine vulnerabilities have to be managed and avoided; web applications are tested based on the Open Web Application Security Project (OWASP) testing guide; each virtual machine and each virtual network is isolated from the others; a Host-based Intrusion Detection System (HIDS) is installed in virtual instances; a virtual network-based Intrusion Detection System (IDS) and a virtual firewall are installed to monitor and allow only authorized traffic in the cloud; and all the logs have to be kept for a successful incident response.

[1] http://en.wikipedia.org/wiki/Operations_security