Once More Into the Data Breach
Another day, another security breach.
This time, if youâ€™re out of the loop, it was Evernote, one of those services that holds a lot of peopleâ€™s very personal data. They claim the only thing the hackers got away with was usernames, e-mail addresses, and encrypted passwords.  Itâ€™s the latest in a string of high-profile hacks into large, data-rich companies like Apple, Facebook, and Microsoft. Evernote handled it well. Theyâ€™ve reset everybodyâ€™s passwords, pushed out application updates to help users with the job, and were up front and honest. Though I donâ€™t use Evernote for much, Iâ€™m comfortable maintaining my relationship with the company.
It does however, have me thinking a bit more about my data and protecting it. Mat Honanâ€™s hack is hopefully still fresh in everybodyâ€™s memory, but itâ€™s the sort of thing thatâ€™s unlikely to happen to an individual. Whatâ€™s more likely are hacks designed to just pull a lot of aggregate data about people. Thatâ€™s where the money is. After that, the database just needs to be shopped to the highest bidder, who can then decide how to use the data. The attacks can then begin on high value targets which occupy a neat intersection between â€œeasyâ€ and â€œlucrative.â€ Most of us need not worry about that, but thatâ€™s not a reason to put our guard down.
Think about this: you doesnâ€™t even need to decrypt a password from an encrypted databases. You can just compare the hashes to lists of known passwords and their hashes. Find a match, and youâ€™re off to the races, able to log in anywhere that person used the same password. Itâ€™s like buying a bunch of combination locks for your home, all set to the same combination. Crack one, and youâ€™ve cracked them all. If youâ€™re lazy enough to use a password like â€œabcde12345â€ for your Evernote account, your gMail, and your bank, youâ€™re in trouble—and were in trouble before the hack happened too.
We understand physical security well enough, but the paradigms behind it donâ€™t work as well in the digital space. Computer security is still in its infancy. Itâ€™s hard to copy a real key. Itâ€™s easy to look up the hash of a password. There was a time when data security meant having two floppy disks with the same file on it. If one went, you still had the other. If you were really paranoid, you could encrypt it, or use a password. The most sophisticated forms of computer security in common use rely on a physical token. For example, I use two-factor authentication with my Google account. Logging in on a new machine, I have to not only input my (huge, complicated, 1Password-generated) password, but also provide a number from the Google Authenticator app on my iPhone. Itâ€™s an extra layer of security, only bypassable if someone has my phone, as well as my Google password.
Ultimately, I donâ€™t think our data is any less safe now than it was before we started living â€œin the cloud,â€ itâ€™s more that the nature of the dangers has changed. Weâ€™ve given up worrying about losing data for the worry that data will be in the wrong personâ€™s hands. Itâ€™s up to us to decide if thatâ€™s a tradeoff we want to make, and itâ€™s a decision that will have to be based on both the companies we trust to hold and secure our data, and also what data we ask them to secure. I donâ€™t know if most of us put a lot of thought into what data we put out there, but it’s something we all should think about more.