Tag Archives: Zoom

Zoom Panic – Steps You Should Take to Reduce your ‘Zoom-Risk’

This is really a ‘dogpile’ event.  As Zoom usage has grown from 10 million users a day in January to 200 million users a day now, they are just trying to keep the wheels on the bus.  And everyone says that they found some new problem.

In fairness, they didn’t seem to be as security conscious as some of the other paid conferencing vendors until recently, but equally fairly, much of it is user error.  Many of their accounts were and are free accounts and it is not fair to expect the same level of confidentiality as you get from a paid corporate account.

Here are some tips to make your Zoom world safer.

1. If you care who joins your Zoom call, do not post the Zoom conference information on social media.  Apparently people do that and are surprised when uninvited guests show up.

2. Do not post screen shots of Zoom meetings on the Internet.  The meeting ID (until this week’s patch is installed) shows up in the screen shot, allowing anyone who sees it to try and join your meeting.

3. Don’t create meetings without passwords.  That is really hard now that Zoom is forcing meeting passwords, but forcing passwords is recent (like two weeks ago).  Don’t delete the password either.  Don’t use a password of 123456 either.

4. Use the Zoom waiting room feature – again, I think they turned it on by default this week, but up until then it was turned off by default.  With this feature on, the host has to individually let people into the meeting.  Don’t turn the feature off.  This feature makes it virtually impossible for someone to luck out into a meeting.

5. Use the Zoom room lock feature – this stops anyone from joining the meeting after the meeting has been going on for 10 minutes.

6. Make sure that you install Zoom updates.  When a meeting ends, it gives you the CHOICE to install updates.  If you don’t do the install, you are vulnerable.  Lately, every time I use the app it says there is an update.

7. Don’t use a personal meeting ID.  This is a feature that allows you to reuse the same meeting ID over and over.  It is convenient.  For you AND ALSO FOR ANYONE WHO EVER HAD THAT ID information.
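A small policy check, added here as an example and not part of the original post, that applies tips 1 through 4 and 7 to a meeting definition before it is created or announced. The field names (id, password, join_url, settings.waiting_room, settings.use_pmi) are an assumption patterned on the shape of a Zoom meeting object; the passcode list, sample meetings and join URL are constructed.

```python
import re

# Constructed list of passcodes the policy rejects outright (tip 3).
WEAK_PASSCODES = {"123456", "111111", "000000", "password", "zoom"}

def audit_meeting(meeting: dict) -> list:
    """Return findings for one meeting definition (tips 3, 4 and 7). The field
    names (password, settings.waiting_room, settings.use_pmi) are assumed to
    mirror a Zoom meeting object; treat them as an assumption."""
    findings = []
    settings = meeting.get("settings", {})
    pw = meeting.get("password") or ""
    if not pw:
        findings.append("no passcode set")
    elif pw.lower() in WEAK_PASSCODES or len(pw) < 6:
        findings.append("weak passcode")
    if not settings.get("waiting_room", False):
        findings.append("waiting room disabled")
    if settings.get("use_pmi", False):
        findings.append("reuses personal meeting ID")
    return findings

def announcement_leaks_id(text: str, meeting: dict) -> bool:
    """True if text meant for a public post (tips 1 and 2) contains the meeting
    ID, with or without the spaces Zoom displays, or the join URL."""
    mid = str(meeting.get("id", ""))
    url = meeting.get("join_url", "")
    squashed = re.sub(r"[\s-]", "", text)   # "123 456 7890" -> "1234567890"
    return bool(mid and mid in squashed) or bool(url and url in text)

# Constructed sample: a weak meeting definition and its hardened counterpart.
WEAK = {
    "id": 1234567890, "topic": "Board sync", "password": "123456",
    "join_url": "https://example.invalid/j/1234567890",   # placeholder URL
    "settings": {"waiting_room": False, "use_pmi": True},
}
HARDENED = dict(WEAK, password="Tq7!pX9v",
                settings={"waiting_room": True, "use_pmi": False})

if __name__ == "__main__":
    print("weak:", audit_meeting(WEAK))          # three findings
    print("hardened:", audit_meeting(HARDENED))  # []
    print(announcement_leaks_id("Join us Tue: 123 456 7890", WEAK))  # True
```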

For more information, see this article at CNet.

None of the above items are Zoom’s fault.

But there are issues which are Zoom’s fault —

a. They were routing some traffic (and encryption keys) through China.  That happened as they tried to deal with a 2000% usage increase.  Once that was pointed out, it was fixed in days.

b. Allow people to pick what countries your call can be processed in – this is a new feature for all paid accounts – implemented within a week of discovering (a) above.

c. Do better security testing.  This really was a weakness on their part.  They have very rapidly enhanced this and hired some very well known security people such as Alex Stamos (formerly CISO of Facebook and currently a professor at Stanford).

d. They have about 700 developers in China.  **IF** they have good code review procedures in place, this is not a problem.  If they did not, Alex will absolutely fix this one.

e. Implement a better bug bounty program.  They have had one, but it wasn’t very good.  They just announced a new one today and new firm to manage it.  Fund it aggressively.

f. End to end encryption – I give them a pile of poop for saying that they had end to end encryption.  They don’t.  They prefer to say that they don’t have end to end encryption in the generally understood definition of that word.  The generally understood definition of end to end is, well, end to end.  It’s not hard to understand.  It’s not confusing.  DON’T LIE.  You are likely to get caught at it.  Tell the truth.  ANY CLOUD BASED VIDEO CONFERENCING SERVICE THAT OFFERS TO RECORD YOUR CALLS (LIKE GO TO MEETING AND WEBEX, FOR EXAMPLE) DOES NOT OFFER END TO END ENCRYPTION.  What is important is to tell the truth.

So, while people are making a big deal out of this, in large part the problem resides between the keyboard and the chair, so to speak.

Security News for the Week Ending April 3, 2020

DoD Concerned Covid Will Cause US IP Loss

In an interesting analysis, Ellen Lord, DoD’s top acquisition official, is concerned that foreign interests (including unfriendly foreign interests) will buy or invest in small U.S. defense subcontractors and steal our tech.  In theory CFIUS and FIRRMA should make that harder as the government has the right to nix buyouts if they think they will hurt us, but first they have to know about it.  With Covid potentially impacting the stability of these small companies, the government has its work cut out for it.  Source: Defense Systems

Violating a Web Site’s Terms of Service: Hacking or Not?

The Computer Fraud and Abuse Act (CFAA) was written long before the Internet, but leave it to aggressive prosecutors and companies to use it in a way that was never intended.  But the various federal courts can’t seem to figure out how to interpret it.  The DC federal court has just ruled that using a web site with a legally obtained user account in a way that may violate the web site owner’s terms of service is not hacking and cannot be prosecuted under the CFAA.  Since about half of the federal courts have ruled in each direction on this issue, it is likely to make it up to the Supremes.  This is important both for web site operators and security researchers. Source: Ars Technica

Zoom Does Not Support End to End Encryption, Despite Claims that it Does

In some of Zoom’s documentation, as well as in the client, Zoom says that it supports end to end encryption, but in fact, it does not, at least when video is involved.  I am sure now that it has come out that they lied on their web site, they will likely get sued.  If you think about it, given that they have the ability to record your call, there is no way that it can be end to end encrypted.  The video is encrypted between their data center and you, which is probably good enough for 99% of the planet.  This also means that the fuzz can listen in on your call.  Moral of the story: if you are doing something illegal, or classified, don’t discuss it on a public video conference (or audio) service.  There are ways to really do end to end encryption and I have set them up before, but they are neither cheap nor simple.  Source: The Intercept
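The argument made here, and in item f of the Zoom Panic post above, is that a service which can record your call must hold the keys, so it cannot be end to end. The following is an added example (not code from Zoom or from the original posts) that models both designs side by side: a transport-encrypted call where the server decrypts to route and record, and an end-to-end call where the server only relays. The stream cipher and the Diffie-Hellman group are deliberately toy constructions for illustration.

```python
import hashlib, hmac, os, secrets

# Toy stream cipher: HMAC-SHA256 in counter mode XORed over the message.
# Illustration only; a real client would use an AEAD such as AES-GCM.
def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def transport_encrypted_call(msg: bytes):
    """Recordable-cloud model: Alice and Bob each share a transport key with the
    server (what TLS provides). To route or record, the server must decrypt, so
    its copy of the call is plaintext. Returns (what Bob reads, what server kept)."""
    k_alice, k_bob, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    wire_in = xor_crypt(k_alice, nonce, msg)              # Alice -> server
    server_plain = xor_crypt(k_alice, nonce, wire_in)     # server decrypts
    recording = server_plain                              # the recording feature
    wire_out = xor_crypt(k_bob, nonce, server_plain)      # server -> Bob
    return xor_crypt(k_bob, nonce, wire_out), recording

def end_to_end_call(msg: bytes):
    """End-to-end model: Alice and Bob agree a key with a toy Diffie-Hellman
    exchange the server only relays; the server never holds a key, so the only
    thing it can store is ciphertext. Returns (what Bob reads, what server kept)."""
    p, g = 2**127 - 1, 5                                  # toy group, not for real use
    a, b = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
    pub_a, pub_b = pow(g, a, p), pow(g, b, p)             # public values relayed via server
    k_alice = hashlib.sha256(pow(pub_b, a, p).to_bytes(16, "big")).digest()
    k_bob = hashlib.sha256(pow(pub_a, b, p).to_bytes(16, "big")).digest()
    nonce = os.urandom(12)
    wire = xor_crypt(k_alice, nonce, msg)                 # Alice -> server -> Bob, untouched
    recording = wire                                      # all the server can keep
    return xor_crypt(k_bob, nonce, wire), recording

if __name__ == "__main__":
    msg = b"the unreleased quarterly numbers"             # constructed sample
    for name, call in (("transport", transport_encrypted_call), ("end-to-end", end_to_end_call)):
        bob, rec = call(msg)
        print(f"{name}: Bob reads plaintext={bob == msg}, server kept plaintext={rec == msg}")
```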

DoJ Inspector General Says FISA Court Requests Are Suspect

The Department of Justice’s Inspector General says that the FBI has not followed the rules when applying for secret FISA warrants over the last five years.  Given that the whole process is secret, it is not surprising that it is flawed.  Any time the government operates outside the light of day, the opportunity for abuse is there and now, the DoJ IG is questioning 700 warrant requests made over the last 5 years.  The court is basically a rubber stamp since there is no “other side” to any request.  This came to light when Carter Page, a Trump campaign advisor, was the subject of a FISA court wiretap.  This is also at the core of the fight between the House and Senate over the renewal of certain parts of FISA that expired last month.  Source: The Register

California AG Revises CCPA Regulations Again

As the deadline set by the legislature for the enforcement of CCPA lurches closer (July 1), the AG has revised the proposed regulations again.  Among the changes are a re-expansion of the definition of personal information, privacy notice guidance, instructions on responding to data subject requests, clarification/restriction of service provider use of information and a minor clarification of the definition of financial incentives.   See the assessment from law firm ReedSmith here and a copy of the again revised regs here.