Zoom Caught in Cybersecurity Debate — Here’s Everything You Need To Know

April 6, 2020
in Internet Privacy

Over the past few weeks, use of Zoom's video conferencing software has exploded as it emerged as the platform of choice for everything from cabinet meetings to yoga classes during the coronavirus outbreak, with working from home the new normal.

The app has skyrocketed to 200 million daily users from an average of 10 million in December, with a 535 percent increase in daily traffic to its download page over the last month. The same period has brought a massive uptick in scrutiny of Zoom's problems, most of which stem from design choices that traded security for convenience and from sloppy implementation.


Zoom originally designed its product for enterprise use, but now that it is used in myriad ways by ordinary consumers, the full scope of the company's gaffes has come into sharp focus, scrutiny it had managed to avoid until now.

But if this public scrutiny can make it a more secure product, it can only be a good thing in the long run.

A Laundry List of Issues

Zoom's sudden rise as a critical communications service has left it drowning in a sea of privacy and security flaws.

But is Zoom malware?

As the Guardian reported, some experts believe so. But no, Zoom is not malware. It is a piece of legitimate software that is, unfortunately, riddled with security vulnerabilities, and we are only now learning about them because the app has never been scrutinized this thoroughly before:

  • Zoom's privacy policy came under criticism for making it possible to collect extensive data about its users, such as videos, transcripts, and shared notes, and share it with third parties for profit. On March 29, Zoom tightened its privacy policy to state that it does not use data from meetings for any advertising. It does, however, still use data collected when people visit its marketing websites, including its home pages zoom.us and zoom.com.
  • Zoom's iOS app, like many apps that bundle the Facebook SDK, was found sending analytics data to the social network even when the user had no Facebook account. Zoom has since removed the SDK from the app.
  • Zoom came under the lens for its "attendee attention tracking" feature, which, when enabled, lets a host see whether participants have clicked away from the Zoom window during a call. On April 2, Zoom permanently removed the attention tracker. Likewise, the host of a Zoom meeting can read private text messages sent during the call if the meeting is recorded locally.
  • Security researcher Felix Seele found that Zoom's Mac installer uses a "shady" technique, running the actual installation from the package's preinstall script, "the same tricks that are being used by macOS malware," so the app lands on disk before the user has given final consent. On April 2, Zoom issued a fix.
  • Researchers discovered a UNC path injection flaw in Zoom's Windows client: the chat automatically turned Windows network paths (\\host\share) into clickable links, and clicking one made Windows attempt an SMB connection to the named host, leaking the user's NTLM credential hash to a remote attacker and, if the link pointed at an executable, potentially launching it. A patch was issued on April 2 for this flaw and for two bugs reported by Patrick Wardle that let an attacker with local access gain root privileges and access the mic and camera on macOS, which would allow Zoom meetings to be recorded.
  • Zoom was found to be using an undisclosed data-mining feature that automatically matched users' names and email addresses to their LinkedIn profiles when they signed in, even if they were anonymous or using a pseudonym on the call. If another user in the meeting subscribed to LinkedIn Sales Navigator, they could view the LinkedIn profiles of other participants without those users' knowledge or consent. In response, Zoom disabled the feature.
  • Vice revealed that Zoom was leaking thousands of users' email addresses and photos and letting strangers initiate calls with one another. The cause: users with the same domain in their email address were grouped together as if they worked for the same company, with only a handful of consumer providers (Gmail, Outlook, Hotmail, Yahoo) excluded, so customers of smaller email providers were lumped into one "organisation." Zoom added the reported domains to its exclusion list, a denylist that, by its nature, can never be complete.
  • On April 3, 2020, the Washington Post reported that it was trivial to find video recordings made in Zoom by searching the common file-naming pattern that Zoom applies automatically. These videos were found on publicly accessible Amazon storage buckets.
  • Researchers created a new tool called “zWarDial” that searches for open Zoom meeting IDs, finding around 100 meetings per hour that aren’t protected by any password.
  • Zoom's claims that it uses end-to-end encryption to secure communications were shown to be misleading. The company stated that in a meeting where every participant uses a Zoom client and which is not being recorded, all content (video, audio, screen sharing, and chat) is encrypted on the client and is never decrypted until it reaches the other participants. But if a value-add service such as cloud recording or dial-in telephony is enabled, Zoom itself has access to the decryption keys, which it currently keeps in the cloud. That also makes it easier for "hackers or a government intelligence agency to obtain access to those keys," as security expert Matthew Green noted. Genuine end-to-end encryption means the service provider never holds the keys at all.
  • Subsequent research by Citizen Lab found that Zoom's documentation was also vague, and in places inaccurate, about the encryption used: it advertised AES-256, but the audio and video in each meeting were in fact encrypted with a single AES-128 key, shared among all participants and used in ECB mode. Those keys were "delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber's company, are outside of China." ECB mode is not recommended because each block is encrypted independently under the same key, so identical plaintext blocks yield identical ciphertext blocks and patterns in the plaintext survive encryption.
  • Zoom CEO Eric S. Yuan responded to Citizen Lab's findings, stating that during the period of high traffic the company was forced to add server capacity quickly and "in our haste, we mistakenly added our two Chinese datacenters to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to — under extremely limited circumstances — connect to them."
  • Then there is Zoombombing, where trolls take advantage of open or unprotected meetings and weak default settings to take over screen sharing and broadcast porn or other explicit material. The FBI issued a warning urging users to adjust their settings to prevent hijacking of video calls. Effective April 4, Zoom began enabling the Waiting Room feature (which lets the host control when a participant joins) by default and requiring a meeting password, to curb the rampant abuse.
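The UNC path injection item above is, at bottom, a linkification problem: the chat turned anything that looked like a path into a clickable link. The Go program below is an added example, not Zoom's code, that models the pre-patch behaviour beside a hardened version and a detection helper; the regular expressions, function names and sample chat lines are constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample chat messages for this example (not real Zoom traffic).
var sampleMessages = []string{
	`Slides are here: https://example.com/deck.pdf`,
	`Also on the file server: \\fileserver\share\deck.pdf`,
	`Meeting notes: \\203.0.113.10\notes\today.docx and https://example.com/notes`,
}

// Windows UNC path: \\host\share[\more segments]. Pattern constructed for this example.
var uncPath = regexp.MustCompile(`\\\\[A-Za-z0-9._-]+\\[^\s\\]+(?:\\[^\s\\]*)*`)

// The only schemes we are willing to turn into clickable links.
var webURL = regexp.MustCompile(`https?://[^\s]+`)

// linkifyNaive models the pre-patch behaviour the article describes: anything
// that looks like a web URL *or* a UNC path becomes a clickable link. Clicking
// a UNC link makes Windows open an SMB connection to the named host and, by
// default, send the user's NTLM credentials to it.
func linkifyNaive(msg string) []string {
	links := webURL.FindAllString(msg, -1)
	links = append(links, uncPath.FindAllString(msg, -1)...)
	return links
}

// findUNCPaths is the detection half: it reports UNC paths in a message so a
// chat gateway or moderation bot can flag or strip them.
func findUNCPaths(msg string) []string {
	return uncPath.FindAllString(msg, -1)
}

// linkifyHardened is the fix: allowlist the schemes that may become links
// (http/https) and never promote a UNC path. Everything else stays plain text.
func linkifyHardened(msg string) []string {
	return webURL.FindAllString(msg, -1)
}

func main() {
	for _, m := range sampleMessages {
		fmt.Printf("message:  %s\n", m)
		fmt.Printf("  naive:    %v\n", linkifyNaive(m))
		fmt.Printf("  hardened: %v\n", linkifyHardened(m))
		if unc := findUNCPaths(m); len(unc) > 0 {
			fmt.Printf("  WARNING: UNC path(s) in chat: %v\n", unc)
		}
	}
}
```

The fix is an allowlist of schemes rather than a denylist of bad patterns: only http and https become links, so another way of spelling a network path (a file:// URL, for instance) cannot sneak back in. On the endpoint side, blocking outbound SMB (TCP 445) at the network perimeter stops the credential leak even when a user does click.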

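The email-domain grouping above is a design lesson in its own right: a denylist of known consumer providers can never be complete. The Go program below is an added example, not Zoom's code: it contrasts the denylist rule the article describes with grouping only on domains an organisation has verified. The provider list, the verified-domain table and the addresses are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// publicProviders models the denylist approach the article describes: users on
// any domain *not* listed here are treated as colleagues. Constructed list.
var publicProviders = map[string]bool{
	"gmail.com":   true,
	"outlook.com": true,
	"hotmail.com": true,
	"yahoo.com":   true,
}

// verifiedOrgDomains stands in for domains whose owning organisation has proven
// control (for example via a DNS record set by its admin). Hypothetical data.
var verifiedOrgDomains = map[string]bool{
	"corp.example": true,
}

// mailDomain extracts the lower-cased domain of an address, or false if the
// address has no usable domain part.
func mailDomain(addr string) (string, bool) {
	at := strings.LastIndex(addr, "@")
	if at < 1 || at == len(addr)-1 {
		return "", false
	}
	return strings.ToLower(addr[at+1:]), true
}

// sameOrgDenylist groups two users whenever they share a domain that is not a
// known public provider. Any provider missing from the list (an ISP, a
// university, a small privacy-focused mail service) groups strangers together.
func sameOrgDenylist(a, b string) bool {
	da, okA := mailDomain(a)
	db, okB := mailDomain(b)
	if !okA || !okB || da != db {
		return false
	}
	return !publicProviders[da]
}

// sameOrgVerified groups two users only when their shared domain has been
// explicitly verified as belonging to one organisation. Unknown domains, however
// corporate they look, yield no grouping and therefore no directory exposure.
func sameOrgVerified(a, b string) bool {
	da, okA := mailDomain(a)
	db, okB := mailDomain(b)
	if !okA || !okB || da != db {
		return false
	}
	return verifiedOrgDomains[da]
}

func main() {
	pairs := [][2]string{
		{"alice@corp.example", "bob@corp.example"},
		{"carol@gmail.com", "dave@gmail.com"},
		{"erin@mail.example-isp.net", "frank@mail.example-isp.net"}, // two strangers
	}
	for _, p := range pairs {
		fmt.Printf("%-28s %-28s denylist=%-5v verified=%v\n",
			p[0], p[1], sameOrgDenylist(p[0], p[1]), sameOrgVerified(p[0], p[1]))
	}
}
```

The third pair is the failure mode from the article: two unrelated customers of an ISP's mail service look like colleagues to the denylist rule, and any directory feature keyed on that rule exposes one to the other. The verified-domain rule fails closed instead.
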
Should You Use Zoom or Not?

To give credit where it’s due, Zoom largely responded to these disclosures swiftly and transparently, and it has already patched a number of issues highlighted by the security community.

In addition, the company has announced a 90-day freeze on releasing new features to “better identify, address, and fix issues proactively.” It also aims to conduct a comprehensive review with third-party experts and release a transparency report that details information related to law enforcement requests for data, records, or content.

Ultimately, it all boils down to this: should you be continuing to use Zoom? It would be easy to look at all of these flaws and say that people should simply stay away from Zoom. But it’s not that simple.

Interestingly, opinions within the cybersecurity community are divided. Some say it is wrong to criticize Zoom at a critical time when the software is helping people work remotely, while others believe it is best to abandon the platform for alternatives.

However, some also took a neutral stance, concluding that choosing Zoom totally depends upon an individual’s threat model.

The fact that Zoom designed and implemented its own encryption scheme, rather than building on established, reviewed protocols, is a major red flag: custom schemes do not undergo the scrutiny and peer review that the standards we all rely on today have been subjected to.
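The Citizen Lab finding above (one AES-128 key in ECB mode shared by every participant) and the red flag just described can be made concrete. The following Go program is an added example, not Zoom's code or Citizen Lab's: it encrypts a constructed stand-in for a video frame under AES-128-ECB and under AES-128-GCM using Go's standard library and counts how many ciphertext blocks repeat. The key, the sample frame and the function names are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// sampleFrame is a constructed stand-in for one video frame: a large flat
// region (the same 16-byte block repeated 32 times) followed by four blocks
// that differ. Real frames are far larger, but the structure is the point.
func sampleFrame() []byte {
	flat := bytes.Repeat([]byte("SAMEBLOCK-SAMEBL"), 32)
	varying := make([]byte, 4*aes.BlockSize)
	for i := range varying {
		varying[i] = byte(i)
	}
	return append(flat, varying...)
}

// encryptECB applies AES to each 16-byte block independently under one key,
// which is all ECB mode is. Same key + same plaintext block = same ciphertext block.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptGCM encrypts the same data with AES-GCM under a fresh random nonce.
// Every block is masked by a different keystream block, so repeats vanish, and
// the authentication tag detects tampering, which ECB cannot. Returns the nonce
// and ciphertext||tag.
func encryptGCM(key, plaintext []byte) (nonce, sealed []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// countRepeatedBlocks reports how many 16-byte blocks are exact copies of an
// earlier block. For ECB ciphertext this equals the count for the plaintext,
// which is exactly the structure leak Citizen Lab warned about.
func countRepeatedBlocks(data []byte) int {
	seen := make(map[string]bool)
	repeats := 0
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		b := string(data[i : i+aes.BlockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

func main() {
	key := []byte("0123456789abcdef") // 16 bytes = AES-128; demonstration key only
	frame := sampleFrame()
	ecb, err := encryptECB(key, frame)
	if err != nil {
		panic(err)
	}
	_, sealed, err := encryptGCM(key, frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext: %d repeated blocks\n", countRepeatedBlocks(frame))
	fmt.Printf("AES-ECB:   %d repeated blocks (first two: %s %s)\n",
		countRepeatedBlocks(ecb), hex.EncodeToString(ecb[:16]), hex.EncodeToString(ecb[16:32]))
	fmt.Printf("AES-GCM:   %d repeated blocks\n", countRepeatedBlocks(sealed))
}
```

ECB reproduces the plaintext's repeat structure exactly (31 of the 36 blocks are duplicates, before and after encryption), while GCM shows none and additionally authenticates the data. An observer of an ECB-encrypted stream therefore learns where frames are flat and where they change without ever holding the key, and a single key shared by every participant means no one's traffic is protected from anyone else in the meeting.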

“The most prominent security issues with Zoom surround deliberate features designed to reduce friction in meetings, which also, by design, reduce privacy or security,” Citizen Lab wrote in its report.

The most important takeaway for regular users is simply to think carefully about their security and privacy needs for each call they make. Zoom’s security is likely sufficient if it’s just for casual conversations or to hold social events and organize lectures.

For everything else that requires sharing sensitive information, there are more secure options like Jitsi Meet and Signal.

Citizen Lab, which has identified a severe security issue with Zoom's Waiting Room feature (details withheld until Zoom fixes it), has encouraged users to use the password feature for a "higher level of confidentiality than waiting rooms."

So if you are worried about being Zoombombed, set a meeting password, keep the Waiting Room on, and lock the meeting once everyone who needs to join has joined. For more tips on securing Zoom calls, see EFF's guide.


Credit: The Hacker News By: noreply@blogger.com (Ravie Lakshmanan)
