Another day, another security breach.
This time, if you’re out of the loop, it was Evernote, one of those services that holds a lot of people’s very personal data. They claim the only thing the hackers got away with was usernames, e-mail addresses, and encrypted passwords.  It’s the latest in a string of high-profile hacks into large, data-rich companies like Apple, Facebook, and Microsoft. Evernote handled it well. They’ve reset everybody’s passwords, pushed out application updates to help users with the job, and were up front and honest. Though I don’t use Evernote for much, I’m comfortable maintaining my relationship with the company.
It does however, have me thinking a bit more about my data and protecting it. Mat Honan’s hack is hopefully still fresh in everybody’s memory, but it’s the sort of thing that’s unlikely to happen to an individual. What’s more likely are hacks designed to just pull a lot of aggregate data about people. That’s where the money is. After that, the database just needs to be shopped to the highest bidder, who can then decide how to use the data. The attacks can then begin on high value targets which occupy a neat intersection between “easy” and “lucrative.” Most of us need not worry about that, but that’s not a reason to put our guard down.
Think about this: you doesn’t even need to decrypt a password from an encrypted databases. You can just compare the hashes to lists of known passwords and their hashes. Find a match, and you’re off to the races, able to log in anywhere that person used the same password. It’s like buying a bunch of combination locks for your home, all set to the same combination. Crack one, and you’ve cracked them all. If you’re lazy enough to use a password like “abcde12345” for your Evernote account, your gMail, and your bank, you’re in trouble—and were in trouble before the hack happened too.
We understand physical security well enough, but the paradigms behind it don’t work as well in the digital space. Computer security is still in its infancy. It’s hard to copy a real key. It’s easy to look up the hash of a password. There was a time when data security meant having two floppy disks with the same file on it. If one went, you still had the other. If you were really paranoid, you could encrypt it, or use a password. The most sophisticated forms of computer security in common use rely on a physical token. For example, I use two-factor authentication with my Google account. Logging in on a new machine, I have to not only input my (huge, complicated, 1Password-generated) password, but also provide a number from the Google Authenticator app on my iPhone. It’s an extra layer of security, only bypassable if someone has my phone, as well as my Google password.
Ultimately, I don’t think our data is any less safe now than it was before we started living “in the cloud,” it’s more that the nature of the dangers has changed. We’ve given up worrying about losing data for the worry that data will be in the wrong person’s hands. It’s up to us to decide if that’s a tradeoff we want to make, and it’s a decision that will have to be based on both the companies we trust to hold and secure our data, and also what data we ask them to secure. I don’t know if most of us put a lot of thought into what data we put out there, but it’s something we all should think about more.