You’ve heard by now that Evernote had a major security breach and is forcing its customers to reset passwords… 50 million accounts.
What you may not have realized is that Evernote’s email announcing the problem – a much more transparent and prompt response to the issue than most of the tech giants who preceded them down this path – included what looked like a spoofed link to a password-reset page.
I learned about this Saturday when a tech friend provided a heads-up re the discrepancy. I wondered out loud if someone was already using the outage as a phishing attack.
But no, the odd link came from Evernote’s email marketing firm.
One way to make it harder for bad guys to access your online accounts is to require more than a username and password to access an account.
Google uses a two-step verification process tied to account credentials and your mobile phone. So does Facebook.
And as Alex Howard points out, security has always been important but events are conspiring to suggest just how important.
Learn how to set up two-step verification on your Facebook account. It is important for anyone, and the higher your public profile, the more important it becomes.
This means journalists, professors engaged in public scholarship (especially when controversial), celebrities (authors, musicians, actors, directors, models, athletes ….), politicians (of all stripes, elected or candidate), political appointees, judges and high profile lawyers … anyone who manages a Facebook page for someone else … the list goes on.
Looking For A New Host
The WordPress installation at motogrrl.com/blog was infected with malware from http://oeooea.com on Friday. The Media Temple support page (WordPress redirect exploit) has not been updated to reflect this new vector, even though Sucuri.net posted an alert on 3 September 2010 and another Media Temple customer used Twitter to alert the public to the problem on 31 August 2010.
The WordPress sites that I have hosted at MediaTemple have been hacked. (Not WiredPen, it’s still on WordPress.com.)
Based on what I’m reading in the WordPress blogosphere, and Media Temple’s insistence that it is not at fault, I guess I’m going to be looking for another host. Again. Boy, this is tiresome!
Update: AT&T Collapses On iPhone4 Debut
I was annoyed at the headlines last week that blamed Apple for AT&T’s lax web security regarding iPad owner emails.
I was even more annoyed Sunday when I read AT&T’s “explanation” to customers, where it not only disavowed responsibility for the exploit, reported Wednesday, but said that the really bad guys were the people who identified their security hole. Here’s what AT&T wrote (emphasis added):
… unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster … deliberately went to great efforts … Now, the authentication page log-in screen requires the user to enter both their email address and their password.
A malicious exploit would not have been reported. It would have just been used.
A malicious exploiter wouldn’t advise companies of security issues. They’d simply use them.
Class action suit against AT&T, anyone? I can’t imagine the stockholders or board of directors demanding that the company get its act together. Hit ‘em where it hurts: the pocketbook. It’s the only thing they care about.