Q & A for a Q & A website: Quora, what happened?

By Richard Arneson

Think back to the first time you hopped on the Internet. If you’re under the age of thirty, it might have been a “meh” moment, if it even registered at all. It was probably lost among the other technological advancements that surrounded your crib. But if you’re older—especially if you’re over 50—you may mark your first day of Internet access as a milestone. You probably remember the first thing you Googled (What is the airspeed velocity of an unladen swallow?), then sat back in amazement as a wealth of information popped up about the subject. Fact-checking didn’t cross your mind; you just couldn’t believe everything, or so it seemed, was just a few keystrokes away.

While Quora doesn’t merit the same level of technological wonderment, it’s shocking when you first discover how much Q & A info is posted on their site. Yes, a lot of it is nonsensical (“What is the most cringeworthy thing you’ve seen at a bachelor party?”), but much of it is informative. Content aside, it’s very popular—research from 2016 had them logging over 100 million unique visitors each month. I’m not sure I was even aware of Quora in 2016. In other words, that figure is far larger today. And while we’re on the subject of 100 million, that’s also how many Quora users’ data was lifted just six (6) days ago. Yes, I buried the lead.

This is why we can’t have nice things

We learned this at a young age—there’s always somebody or something to spoil all the fun. And in Quora’s case, the wet blanket came in the form of hackers who accessed registered users’ account information, including, among other less spectacular items, passwords and any data that authorized users imported from linked networks. It might be a blip on the cyber security radar screen considering credit card info, social security numbers, bank accounts, etc., weren’t stolen (Quora doesn’t request this type of user info), but it’s another reminder that digital evil is always lurking. Sadly, it always will be. The cat and mouse game continues.

The affected users were promptly notified by Quora and asked to reset their passwords. Quora has secured the services of several digital forensics and security companies to conduct thorough investigations, but to date the perpetrator(s) have flown under the radar. While it’s not something Quora has mentioned or admitted to, many security analysts suspect it may have cut corners regarding password hashing and the associated hash functions. While Quora has stated that all passwords were hashed with a salt that varies for each user, it didn’t provide additional details about the type of hash function.

According to Dan Goodin, a security analyst at Ars Technica, a technology news website, “The specific hash function matters greatly. If it’s one that uses fewer than 10,000 iterations of a fast algorithm such as MD5 with no cryptographic salt, hackers using off-the-shelf hardware and publicly available word lists can crack as many as 80 percent of the password hashes in a day or two. A function such as bcrypt, by contrast, can prevent a large percentage of hashes from ever being converted into plaintext.”
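To make the point in the quote concrete, here is an added example (not code from Quora or from the article) that puts the weak scheme beside a sound one. Unsalted MD5 maps identical passwords to identical digests, so one lookup-table hit reveals every user who chose that password; a per-user random salt plus a deliberately slow, iterated key-derivation function removes that shortcut. The slow function used here is PBKDF2-HMAC-SHA256 from Python’s standard library, chosen because it needs no third-party package; bcrypt, which the quote recommends, or Argon2 would serve the same role. The record format (`pbkdf2_sha256$iterations$salt$hash`), the 600,000 iteration count and the sample passwords are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed policy values for this example: the iteration count is far above
# the "fewer than 10,000" the quote warns about, and the salt is 16 random bytes.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def md5_unsalted(password: str) -> str:
    """The weak scheme, shown only for contrast: fast, unsalted MD5.
    Every user with the same password gets the same digest, so a single
    precomputed table entry matches all of them at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a password with PBKDF2-HMAC-SHA256, a fresh per-user salt and a slow
    iteration count. The record is self-describing so the parameters can be
    raised later without invalidating existing users."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the salt and iteration count embedded in the
    record and compare in constant time. Malformed records never verify."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was created with a different algorithm or fewer
    iterations than current policy, so it can be re-stored at the user's next
    successful login (the standard way to migrate off a weak scheme)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


def demo() -> dict:
    """Constructed sample: two accounts that happen to share a password."""
    shared = "correct horse battery staple"
    alice = store_password(shared)
    bob = store_password(shared)
    return {
        # Unsalted MD5: both users collapse to one digest.
        "md5_identical": md5_unsalted(shared) == md5_unsalted(shared),
        # Salted PBKDF2: the stored records differ, so no shared lookup exists.
        "pbkdf2_identical": alice == bob,
        "alice_verifies": verify_password(shared, alice),
        "wrong_password_rejected": verify_password("Tr0ub4dor&3", alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`needs_rehash` is the piece a site in Quora’s position would want: on each successful login, if the stored record is below current policy, re-store the password with the stronger parameters, so the weak hashes disappear as users return rather than waiting for a breach to force a reset.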

The takeaway

Please stop using the same password for multiple sites and accounts. If it makes you feel any better, yes, I’ve done this. I’ve ignored and violated this widely publicized, oft-mentioned digital security tip. And there’s really no excuse for it. With the spate of password management tools available, you can create the craziest combination of words, numbers and symbols you’d like. That’s not to say it’s a security panacea, but it can greatly reduce password-related issues. If I’ve done it, you can, too. Now I can safely log in to Quora and submit this gem: “Do you use Miracle Whip or mayonnaise when making tuna salad?”

Security Concerns?

To find out how to secure your organization’s network, contact GDT’s tenured and talented engineers and security analysts at SOC@GDT.com. From their Security and Network Operations Centers, they manage, monitor and protect the networks of companies of all sizes, including those for some of the most notable enterprises, service providers, healthcare organizations and government agencies in the world. They’d love to hear from you.
