Patch Lady – should we be concerned about Zoom?


    • This topic has 39 replies, 11 voices, and was last updated 5 years ago.
    #2213574

    I’ve seen several comments on various venues about the risk of Zoom meetings.  Some of them are valid, others are….. hang on … who in their RIGHT
    [See the full post at: Patch Lady – should we be concerned about Zoom?]

    Susan Bradley Patch Lady/Prudent patcher

    5 users thanked author for this post.
    • #2213618

      Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links

      The Zoom Windows client is vulnerable to UNC path injection in the client’s chat feature that could allow attackers to steal the Windows credentials of users who click on the link.

      When using the Zoom client, meeting participants can communicate with each other by sending text messages through a chat interface.

      When sending a chat message, any URLs that are sent are converted into hyperlinks so that other members can click on them to open a web page in their default browser.

      The problem is that security researcher @_g0dmode discovered that the Zoom client will convert Windows networking UNC paths into a clickable link in the chat messages as well..

      https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-run-programs-via-unc-links/

      1 user thanked author for this post.
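As an added illustration (not code from the article or from Zoom), a minimal chat-message renderer in Python that shows the defect class described above beside a hardened version: the naive linkifier turns every URL-looking token, including `\\host\share` UNC paths, into a clickable link, while the hardened one allow-lists only http(s) targets and exposes a helper that reports UNC and file:// targets so a chat service can flag them. The pattern and function names are constructed for this example.

```python
import re
from html import escape
from urllib.parse import urlsplit

# Constructed pattern (an assumption for this example, not Zoom's own code):
# either scheme://... (http, https, file, ...) or a Windows UNC path \\host\share\...
LINK_CANDIDATE_RE = re.compile(
    r"[a-z][a-z0-9+.\-]*://[^\s<>\"']+"   # scheme://host/path...
    r"|\\\\[^\s<>\"']+",                   # \\host\share\file
    re.IGNORECASE,
)

# Only web links are worth turning into something a user can click from chat.
SAFE_SCHEMES = {"http", "https"}


def is_unc_or_local(token: str) -> bool:
    """True when clicking the token would make Windows open an SMB or local-file
    connection rather than a web page: a UNC path or a file:// URL."""
    if token.startswith("\\\\"):
        return True
    return urlsplit(token).scheme.lower() == "file"


def _anchor(target: str) -> str:
    """Render a target as an HTML link, escaping it for both attribute and text."""
    t = escape(target, quote=True)
    return f'<a href="{t}">{t}</a>'


def _render(message: str, allow) -> str:
    """Escape the message and wrap each link candidate that `allow` accepts in <a>."""
    out, pos = [], 0
    for m in LINK_CANDIDATE_RE.finditer(message):
        out.append(escape(message[pos:m.start()]))
        token = m.group(0)
        out.append(_anchor(token) if allow(token) else escape(token))
        pos = m.end()
    out.append(escape(message[pos:]))
    return "".join(out)


def linkify_vulnerable(message: str) -> str:
    """Naive renderer: every URL-looking token, UNC paths included, becomes a link.
    This reproduces the defect class described in the article."""
    return _render(message, lambda _token: True)


def linkify_hardened(message: str) -> str:
    """Allow-list renderer: only http(s) URLs become links; UNC paths and
    file:// URLs stay as inert text."""
    return _render(message, lambda t: urlsplit(t).scheme.lower() in SAFE_SCHEMES)


def find_unc_links(message: str) -> list:
    """Detection helper: return the UNC / file:// targets found in a message so
    the chat service can log or alert on them."""
    return [m.group(0) for m in LINK_CANDIDATE_RE.finditer(message)
            if is_unc_or_local(m.group(0))]


if __name__ == "__main__":
    # Constructed sample chat messages.
    samples = [
        "Slides are at https://example.com/deck?id=1&v=2",
        r"Notes are on \\fileserver\share\notes.txt",
        "Installer: file://fileserver/share/setup.exe",
    ]
    for msg in samples:
        print("vulnerable:", linkify_vulnerable(msg))
        print("hardened:  ", linkify_hardened(msg))
        print("flagged:   ", find_unc_links(msg))
```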
    • #2213633

      Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers

      ..Popular video-conferencing Zoom is leaking personal information of at least thousands of users, including their email address and photo, and giving strangers the ability to attempt to start a video call with them through Zoom.

      The issue lies in Zoom’s “Company Directory” setting, which automatically adds other people to a user’s lists of contacts if they signed up with an email address that shares the same domain. This can make it easier to find a specific colleague to call when the domain belongs to an individual company. But multiple Zoom users say they signed up with personal email addresses, and Zoom pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another…

      https://www.vice.com/en_us/article/k7e95m/zoom-leaking-email-addresses-photos

      3 users thanked author for this post.
      • #2213744

I think that’s only in the paid version, as that’s the only one I see where there’s a contact list.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
    • #2213653

      The problem is that security researcher @_g0dmode discovered that the Zoom client will convert Windows networking UNC paths into a clickable link in the chat messages as well..

      As sometimes happens with any company, Zoom’s code got vulnerable. The challenge I see with this Zoom bug (to me) is that Zoom’s worse-than-abysmal support and this bug together show that they’re careless.

      Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

      • This reply was modified 5 years ago by Mr. Austin.
      1 user thanked author for this post.
    • #2213724

      Interesting. However, I have my own domain, but my wife and son, who both have Zoom accounts, emails on my domain, and have had meetings with me, have not shown up in this manner. i.e. they are not in my contacts on Zoom. Nor do I see a Company Directory setting anywhere.

      I am on the free version. Perhaps this is not an issue for the social, basic service, user?

      Chris
      Win 10 Pro x64 Group A

    • #2213749

      Zoom released client version 4.6.9 early this afternoon, addressing the UNC issue.

Also, and especially now with so many people using Zoom, I find it problematic that these issues are reported publicly (no one at fault here, where everyone is just responding to the public reports – but in other media) before the vendor even has a chance to confirm and address the issue. Tech publications need to be part of the solution, not the problem.

Ars Technica published an article about the UNC bug at 12:40 p.m. yesterday. Zoom pushed out a patch within 24 hours. Report on the bug after adequate time has been allowed for the vendor to address it!

      Enough with the click bait that gives ‘bad actors’ a heads up. We need to be in this together :-).

      Again, this is not addressed to this forum or Susan – just a general rant because I am guessing we are going to see lots of ‘white hat hackers’ trying to make a name for themselves now, with certain websites only-too-happy to assist.

      2 users thanked author for this post.
    • #2213763

A Message from Zoom CEO:

      ….What we’re going to do
      Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust. This includes:

Enacting a feature freeze, effective immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
      Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
      Preparing a transparency report that details information related to requests for data, records, or content.
      Enhancing our current bug bounty program.
      Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
      Engaging a series of simultaneous white box penetration tests to further identify and address issues.
      Starting next week, I will host a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates to our community…

      https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

      2 users thanked author for this post.
    • #2213767

      Susan Bradley Patch Lady/Prudent patcher

      1 user thanked author for this post.
    • #2213769

      Heimdal Security provides some technical details of how this exploit is happening here.


    • #2213771

      should we be concerned about Zoom?

There are some who are, like Elon Musk and NASA:

      Elon Musk’s SpaceX bans Zoom over privacy concerns -memo

      Elon Musk’s rocket company SpaceX has banned its employees from using video conferencing app Zoom, citing “significant privacy and security concerns,” according to a memo seen by Reuters, days after U.S. law enforcement warned users about the security of the popular app.

      NASA, one of SpaceX’s biggest customers, also prohibits its employees from using Zoom, said Stephanie Schierholz, a spokeswoman for the U.S. space agency…

      https://www.reuters.com/article/us-spacex-zoom-video-commn/elon-musks-spacex-bans-zoom-over-privacy-concerns-memo-idUSKBN21J71H

      2 users thanked author for this post.
    • #2214157

      Zoom’s e-mail of just today:

      We’re always striving to continue to deliver you a secure virtual meeting environment. Based on feedback from our community, we’ve chosen to enable passwords on your meetings and turn on Waiting Rooms by default starting April 5th,  as additional security enhancements to protect your privacy.

      Dear Valued Customer,

      We’re always striving to deliver you a secure virtual meeting environment. Starting April 5th, we’ve chosen to enable passwords on your meetings and turn on Waiting Rooms by default as additional security enhancements to protect your privacy.

      Meeting Passwords Enabled “On”
      Going forward, your previously scheduled meetings (including those scheduled via your Personal Meeting ID) will have passwords enabled. If your attendees are joining via a meeting link, there will be no change to their joining experience. For attendees who join meetings by manually entering a Meeting ID, they will need to enter a password to access the meeting.

      For attendees joining manually, we highly recommend re-sharing the updated meeting invitation before your workweek begins. Here’s how you can do that:

      Log in to your account, visit your Meetings tab, select your upcoming meeting by name, and copy the new meeting invitation to share with your attendees. For step-by-step instructions, please watch this 2-minute video or read this FAQ.

      For meetings scheduled moving forward, the meeting password can be found in the invitation. For instant meetings, the password will be displayed in the Zoom client. The password can also be found in the meeting join URL.

      Virtual Waiting Room Turned on by Default
      Going forward, the virtual waiting room feature will be automatically turned on by default. The Waiting Room is just like it sounds: It’s a virtual staging area that prevents people from joining a meeting until the host is ready.

      How do I admit participants into my meeting?
      It’s simple. As the host, once you’ve joined, you’ll begin to see the number of participants in your waiting room within the Manage Participants icon. Select Manage Participants to view the full list of participants, then, you’ll have the option to admit individually by selecting the blue Admit button or all at once with the Admit All option on the top right-hand side of your screen.  For step-by-step instructions, please watch this 2-minute video.

      Check out these resources to learn How to Manage Your Waiting Room and Secure Your Meetings with Virtual Waiting Rooms.

      For more information on how to leverage passwords and Waiting Rooms to secure your meetings, please visit our Knowledge Center, attend a daily live demo, or visit our Blog.

      Please reach out to our Support Team if you have any questions at support@zoom.us.

      Thank You!
      Team Zoom

      Moderator note: Edit to remove HTML. Please use the “Text” tab in the entry box when you copy/paste.

      Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

      2 users thanked author for this post.
    • #2223249

Good morning. There’s an interesting article in the FT (only for subscribers I’m afraid), but the gist of it is that Zoom has been routing data through Chinese servers … after specifically having denied such routing.

      I think this goes beyond the details of how and under what circumstances intrusions can happen. I have blocked access to Zoom on our platforms and told our partners they need to find another way to communicate with us … if they want our business.

      Trust is trust, and Zoom has proven they don’t deserve it.

    • #2223250

      I don’t have the Zoom app installed on my computer. When my classes require it, I only use the browser version. Should I still be concerned?

      1 user thanked author for this post.
      • #2223768

Yes. Many of these concerns have to do with how Zoom does and does not encrypt sessions. (They do not use end-to-end encryption in either version.) Zoom has also never said they would stop using personal information and selling it to advertisers.

        But the worst unaddressed issues have to do with Zoom’s overall security issues. Outside security auditing has been done. And Zoom has failed these audits. The Company gives replies like the ones linked in this thread. Frankly, it’s mostly Bafflegab with no actual promises to make meaningful changes. The Company’s responses so far show a flagrant disregard for user security and especially privacy.

        For a Company which provides telemedicine services to health care providers, I don’t see how Zoom can possibly justify saying their services are HIPAA compliant. My own Doctor used Zoom for a telemed visit with me before I found out the full extent of Zoom’s issues. I now regret accepting that invitation.

        -- rc primak

        • This reply was modified 5 years ago by rc primak.
        3 users thanked author for this post.
    • #2223256

      @MWmC thanks – I’ll pick the article up in the newspaper on Monday.

      However, perhaps we should be segmenting this discussion. There are many who are using Zoom for business purposes and have confidential content. For them, all these points are probably valid concerns.

But my usage is different. I have just joined Zoom and moved my social club over to the platform, so far as we can. It is a new platform for me and for all the rest of us. We are all older guys, pretty much all over 70 (aka old gits) and are using the platform to carry on some of our social activities, albeit not the lunches, when we are all confined to our homes and getting pretty bored. For us, I can see no reason to get concerned by these issues. We don’t discuss state secrets, because we don’t know any, nor anything more inflammatory than personal opinions.

      So, while I am watching the developments, I see no reason to get concerned for our usage, and I suspect that is the case for a vast number of the new users of Zoom. Susan – if there is anything I am missing, please put me right.

      Chris
      Win 10 Pro x64 Group A

      • #2223770

        I guess it depends on how much club members value their privacy. I belong to two computer user groups. One says they can live with the risks, but has incorporated password security into future sessions. The other, which is open-source oriented, refuses to deal with Zoom. They had a hard time finding alternatives, but ultimately went with jit.si meet, an open-source service which is limited to 16 live participants, plus live-streaming capabilities.

        -- rc primak

        1 user thanked author for this post.
        • #2223772

I was going to ask you who you would use, but you have just answered that! We have taken the first option – always use passwords. I’ll have a look at your alternative, though. Thanks

          Chris
          Win 10 Pro x64 Group A

          1 user thanked author for this post.
    • #2223263

      article in the FT

      You could give us a 3 line precis and a link – I’m sure the FT won’t mind.

      cheers, Paul

    • #2223309

Zoom routes some calls and encryption/decryption keys through China

      A US Company with a Chinese Heart?

      This report examines the encryption that protects meetings in the popular Zoom teleconference app. We find that Zoom has “rolled their own” encryption scheme, which has significant weaknesses. In addition, we identify potential areas of concern in Zoom’s infrastructure, including observing the transmission of meeting encryption keys through China…

      https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

      4 users thanked author for this post.
    • #2223430

      Zoom Self Help Center by WalkMe

      A walk-through for newbies with Zoom

      Make Zoom simple and easy to use in seconds.
      Need assistance setting up Zoom? WalkMe’s world renowned guidance solution will help you through any process on Zoom and will guide you step by step exactly with the instructions you need, when you need them…..

      https://chrome.google.com/webstore/detail/zoom-self-help-center-by/jgbogkmcdglemabaihcffddgimmpoiha

      1 user thanked author for this post.
    • #2223518

      NYC forbids schools from using Zoom for remote learning due to privacy and security concerns

      New York City has banned the video conferencing platform Zoom in city schools weeks after thousands of teachers and students began using it for remote learning.

      The education department received reports of issues that impact the security and privacy of the platform during the credentialing process, according to a document shared with principals that was obtained by Chalkbeat. “Based on the DOE’s review of those documented concerns, the DOE will no longer permit the use of Zoom at this time,” the memo said.

      Instead, the guidance says, schools should switch to Microsoft Teams “as soon as possible,” which the education department suggests has similar functionality and is more secure. ..

      https://chalkbeat.org/posts/ny/2020/04/04/nyc-forbids-schools-from-using-zoom-for-remote-learning-after-privacy-concerns-emerge/

      4 users thanked author for this post.
    • #2223550

      Thousands of Zoom video calls left exposed on open Web

      Many of the videos include personally identifiable information and deeply intimate conversations, recorded in people’s homes.

      Thousands of personal Zoom videos have been left viewable on the open Web, highlighting the privacy risks to millions of Americans as they shift many of their personal interactions to video calls in an age of social distancing.

      Videos viewed by The Washington Post included one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people’s names and phone numbers; small-business meetings that included private company financial statements; and elementary school classes, in which children’s faces, voices and personal details were exposed…

      https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/

      5 users thanked author for this post.
    • #2223708

      The FT article @MWmC pointed us to is a report of the Citizenlab report that @Alex5723 helpfully linked to.

      I look at this from the point of view of the social user, of which there are a couple or three new ones where I live (the UK). Those of you who use video for commercial reasons may have different views for very good reasons.

      The Citizenlab report makes clear that its concerns are for those who have confidential matters to protect, as quoted below:

      “As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality, including:

      • Governments worried about espionage
      • Businesses concerned about cybercrime and industrial espionage
      • Healthcare providers handling sensitive patient information
      • Activists, lawyers, and journalists working on sensitive topics

      For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning.”

      It is also the case that, if you use the default settings in Zoom, some of the issues, such as no passwords and Waiting Room, go away – indeed Zoom have disabled password free meetings in the update released over the weekend.

For social uses in this Covid-19 dominated world there is a real need for a cheap videolink tool, and there are very few options. While Microsoft Teams may be an attractive and better tool for business, it costs £60/seat per year. My club has 72 members, which is 4,320 mouth-watering pounds of revenue to Microsoft per year. That is never going to happen.

      Furthermore, it seems to me that Zoom have been responding pretty quickly to the issues being raised, and the responsible commentators have been raising them first with Zoom and not in the press. I think Zoom deserve credit for that.

My club did quite a bit of research to find the right tool to keep in touch and came to the conclusion Zoom is the best – just as did Lincoln Spector in today’s newsletter. I still think that is the right decision, but I stress that I am talking only for the social user. The rest of you can make your own decisions, as I am sure you will!


      Chris
      Win 10 Pro x64 Group A

      3 users thanked author for this post.
      • #2223773

        The use of Zoom or the choice of an alternative is up to each user’s risk tolerance and desire for privacy. In healthcare settings, this is not a choice. I would never trust Zoom for telemedicine, including therapy sessions (if anyone does those via video conferencing, not revealing any personal info about myself). Some companies might be concerned about espionage as well.

        -- rc primak

        1 user thanked author for this post.
    • #2223780

      If looking into alternatives, or if unfamiliar with Zoom, it is a good idea to set up with group leaders a few limited test sessions, just to make sure at least presenters and key participants know how to use the controls and the basic features. And to sort out any connection issues in advance. Also, be prepared to walk participants through first-time user issues, so start the meeting early if at all possible.

      -- rc primak

      • #2223781

Yes – that is exactly what we have done.

        Chris
        Win 10 Pro x64 Group A

    • #2223790

      Frankly, it’s mostly Bafflegab with no actual promises to make meaningful changes. The Company’s responses so far show a flagrant disregard for user security and especially privacy.

      Yup. And I dig the word bafflegab 😉

From just a little while ago I offer this:

      “Zoom CEO: ‘I really messed up’
      By Jake Perez, Editor at LinkedIn
      Updated 21 hours ago

      Zoom, the video-conferencing platform that’s seen a surge in usage during the coronavirus pandemic, has become the target of organized trolling. The New York Times found 153 Instagram accounts, dozens of Twitter accounts and private chats, and 4Chan message boards where so-called ‘Zoom raiders’ were sharing meeting passwords and planning harassment. In response, Zoom now defaults to passwords and ​waiting rooms for basic users and CEO Eric Yuan admits he ‘really messed up’ on the platform’s security. He told The Wall Street Journal an end-to-end encryption option should be available in several months.”

      Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

      • This reply was modified 5 years ago by Mr. Austin.
      1 user thanked author for this post.
    • #2232057

      Taiwan government blocked the usage of Zoom

      ..In response to changing developments surrounding the COVID-19 outbreak, many organizations have the option to use remote video conferencing technology to coordinate with separate or distant offices as a means of minimizing business disruptions. The Executive Yuan’s Department of Cyber Security (DCS) today formally issued an advisory to all government organizations and specific non-government agencies that should it become operationally necessary to engage in video conferencing, the underlying video software to be used should not have associated security or privacy concerns, such as the Zoom video communication service

      https://english.ey.gov.tw/Page/61BF20C3E89B856/849887da-0aa7-4b84-8fba-1b6b1183843f

      2 users thanked author for this post.
    • #2232058

      Google Told Its Workers That They Can’t Use Zoom On Their Laptops Anymore

      ..Google has banned the popular videoconferencing software Zoom from its employees’ devices, BuzzFeed News has learned. Zoom, a competitor to Google’s own Meet app, has seen an explosion of people using it to work and socialize from home and has become a cultural touchstone during the coronavirus pandemic.

      Last week, Google sent an email to employees whose work laptops had the Zoom app installed that cited its “security vulnerabilities” and warned that the videoconferencing software on employee laptops would stop working starting this week…

      https://www.buzzfeednews.com/article/pranavdixit/google-bans-zoom

      1 user thanked author for this post.
    • #2232060

      Stolen Zoom passwords and meeting IDs are already being shared on the dark web

      As Zoom confronts numerous security issues amid a spike in use of the service during the coronavirus pandemic, yet another problem for the video conferencing platform has entered the stage, thanks to the dark web.

      Cybersecurity firm Sixgill recently discovered a collection of 352 Zoom accounts that had been compromised. The accounts were shared by a user on a popular dark web forum; information included each account’s connected email address, password, meeting ID, host key, and host name. ..

      https://mashable.com/article/stolen-zoom-passwords-dark-web/

      1 user thanked author for this post.
    • #2232448

      352 Zoom accounts

      Such a low number suggests they are just guessed from credential re-use.

      cheers, Paul

Or they can be 352 Zoom accounts of the world’s biggest enterprises 🙂

      1 user thanked author for this post.
    • #2232811

      Singapore stops teachers using Zoom app after ‘very serious incidents’

      Singapore has suspended the use of video-conferencing tool Zoom by teachers, its education ministry said on Friday, after “very serious incidents” occurred in the first week of a coronavirus lockdown that has seen schools move to home-based learning…

      https://www.reuters.com/article/us-zoom-video-comm-privacy-singapore/singapore-stops-teachers-using-zoom-app-after-very-serious-incidents-idUSKCN21S0AH?feedType=RSS&feedName=technologyNews&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+reuters%2FtechnologyNews+%28Reuters+Technology+News%29

      1 user thanked author for this post.
    • #2241744

      352 Zoom accounts

      Such a low number suggests they are just guessed from credential re-use.

      cheers, Paul

      Here is your answer

      Over 500,000 Zoom accounts sold on hacker forums, the dark web

      Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.

      These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.

      Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each…

      • #2241785

        “Guessed from credential reuse” is not “Zoom being insecure”, no matter how many there are.

        cheers, Paul

        • This reply was modified 5 years ago by Paul T.
        1 user thanked author for this post.