{"id":791,"date":"2020-04-12T13:35:04","date_gmt":"2020-04-12T12:35:04","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=791"},"modified":"2020-04-18T07:32:33","modified_gmt":"2020-04-18T06:32:33","slug":"zoom-caught-cybersecurity-need-know","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/zoom-caught-cybersecurity-need-know\/","title":{"rendered":"Zoom Caught in Cybersecurity Debate: Here&#8217;s Everything You Need To Know"},"content":{"rendered":"<div dir=\"ltr\">\n<p>Over the past few weeks, the use of Zoom video conferencing software has exploded ever since it emerged as the platform of choice to host everything from cabinet meetings to yoga classes amidst the ongoing coronavirus outbreak, and working from home became the new normal.<\/p>\n<p>The app has skyrocketed to 200 million daily users from an average of 10 million in December, along with a 535 percent increase in daily traffic to its download page in the last month. But it has also seen a massive uptick in reports of Zoom&#8217;s problems, all of which stem from sloppy design practices and security implementations.<\/p>\n<p>Zoom may never have designed its product for anything beyond enterprise chat initially, but with the app now being used in a myriad of ways and by regular consumers, the full scope of the company&#8217;s gaffes has come into sharp focus, something it was able to avoid all this time. But if this public scrutiny makes it a more secure product, that can only be a good thing in the long run.<\/p>\n<h5>A Laundry List of Issues<\/h5>\n<p>Zoom&#8217;s sudden ascendance as a critical communications service has left it drowning in a sea of privacy and security flaws.<\/p>\n<h5>But is Zoom malware?<\/h5>\n<p>As the Guardian <a href=\"https:\/\/www.theguardian.com\/technology\/2020\/apr\/02\/zoom-technology-security-coronavirus-video-conferencing\" target=\"_blank\" rel=\"noopener noreferrer\">reported<\/a>, some experts believe so. But no, Zoom is not malware. Rather, it&#8217;s a piece of legitimate software that is, unfortunately, full of security vulnerabilities, and we are only now learning about them because the app was never scrutinized this thoroughly before:<\/p>\n<ul>\n<li>Zoom&#8217;s <a href=\"https:\/\/blogs.harvard.edu\/doc\/2020\/03\/27\/zoom\/\" target=\"_blank\" rel=\"noopener noreferrer\">privacy policy<\/a> came under criticism for making it possible to collect extensive data about its users, such as videos, transcripts, and shared notes, and to share it with third parties for profit. On March 29, Zoom tightened its privacy policy to state that it doesn&#8217;t use data from meetings for any advertising. It does, however, still use data collected when people visit its marketing websites, including its home pages zoom.us and zoom.com.<\/li>\n<li>Security researcher Felix Seele found that Zoom uses a &#8220;shady&#8221; technique to install its Mac app without user interaction. On April 2, Zoom issued a fix to resolve the issue.<\/li>\n<li>Researchers discovered a UNC path injection flaw in Zoom&#8217;s Windows app that could allow remote attackers to steal victims&#8217; Windows login credentials and even execute arbitrary commands on their systems. (UNC paths of the form \\\\server\\share pasted into the meeting chat were rendered as clickable links, and opening one makes Windows try to authenticate to the named server.)<\/li>\n<li>Other flaws in the macOS app could be exploited to gain root privileges and to access the mic and camera, thereby providing a way to record Zoom meetings.<\/li>\n<li>A feature in the app let some users access the LinkedIn profiles of other participants in their Zoom meetings without those users&#8217; knowledge or consent. In response, Zoom has disabled the feature.<\/li>\n<li>Vice revealed that Zoom was leaking thousands of users&#8217; email addresses and photos, and letting strangers try to initiate calls with each other, because users with the same domain name in their email address were treated as if they belonged to the same company. Zoom has since blacklisted these domains.<\/li>\n<li>On April 3, 2020, the Washington Post reported that it was trivial to find video recordings made in Zoom by searching for the common file-naming pattern that Zoom applies automatically. These videos were found on publicly accessible Amazon storage buckets.<\/li>\n<li>Researchers created a new tool called &#8220;zWarDial&#8221; that searches for open Zoom meeting IDs.<\/li>\n<li>The keys used to encrypt meeting content (video, audio, screen sharing, and chat) are generated and held by Zoom, which currently maintains them in the cloud. This also makes it easy for &#8220;hackers or a government intelligence agency to obtain access to those keys,&#8221; security expert Matthew Green said.<\/li>\n<li>Subsequent research by Citizen Lab found that Zoom was also vague about the type of encryption used, with the keys generated for cryptographic operations &#8220;delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber&#8217;s company, are outside of China.&#8221; Zoom CEO Eric S. Yuan responded to Citizen Lab&#8217;s findings, stating that &#8220;given the period of high traffic, we mistakenly added our two Chinese datacenters to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to \u2014 under extremely limited circumstances \u2014 connect to them.&#8221;<\/li>\n<li>Then there&#8217;s Zoombombing, where trolls take advantage of open or unprotected meetings and poor default configurations to take over screen sharing and broadcast porn or other explicit material. The FBI issued a warning, urging users to adjust their settings to avoid hijacking of video calls. Effective April 4, Zoom began enabling the Waiting Room feature (which allows the host to control when a participant joins the meeting) and requiring a meeting password to join, to prevent rampant abuse.<\/li>\n<\/ul>\n<h3>Should You Use Zoom or Not?<\/h3>\n<p>The company has announced a <a href=\"https:\/\/blog.zoom.us\/wordpress\/2020\/04\/01\/a-message-to-our-users\/\" target=\"_blank\" rel=\"noopener noreferrer\">90-day freeze<\/a> on releasing new features to &#8220;better identify, address, and fix issues proactively.&#8221; It also aims to conduct a comprehensive review with third-party experts and to release a transparency report detailing law enforcement requests for data, records, or content.<\/p>\n<p>Ultimately, it all boils down to this: should you keep using Zoom? It would be easy to look at all of these flaws and say that people should simply stay away from Zoom. But it&#8217;s not that simple.<\/p>\n<p>Interestingly, experts in the security community are divided. Some say it&#8217;s wrong to <a href=\"https:\/\/twitter.com\/wbm312\/status\/1245902315111903234\" target=\"_blank\" rel=\"noopener noreferrer\">criticize Zoom<\/a> at a critical time when the software is helping people do their work remotely, while others believe it&#8217;s best to abandon the platform for <a href=\"https:\/\/twitter.com\/kennwhite\/status\/1245133977654104073\" target=\"_blank\" rel=\"noopener noreferrer\">other alternatives<\/a>. Some have taken a neutral stance, concluding that whether to use Zoom depends entirely on an individual&#8217;s <a href=\"https:\/\/twitter.com\/ErrataRob\/status\/1246541188255154177\" target=\"_blank\" rel=\"noopener noreferrer\">threat model<\/a>.<\/p>\n<p>&#8220;The most prominent security issues with Zoom surround deliberate features designed to reduce friction in meetings, which also, by design, reduce privacy or security,&#8221; Citizen Lab wrote in its report.<\/p>\n<p>The most important takeaway for regular users is simply to think carefully about their security and privacy needs for each call they make. Zoom&#8217;s security is likely sufficient for casual conversations, social events, and lectures. For calls whose content must stay confidential against a well-resourced adversary, the key-handling findings above are the reason to look elsewhere.<\/p>\n<p>Citizen Lab, which identified a severe security issue with Zoom&#8217;s Waiting Room feature, has encouraged users to use the password feature for a &#8220;higher level of confidentiality than waiting rooms.&#8221;<\/p>\n<p>EFF has published a guide with more tips on how to make Zoom calls secure.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Over the past few weeks, the use of Zoom video conferencing software has exploded ever since it emerged as the<\/p>\n","protected":false},"author":1,"featured_media":792,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[],"yst_prominent_words":[495,1039,1021,865,171,1032,1022,1031,1037,1023,1028,260,170,1036,1027,1018,1017,1019,1024,1030],"class_list":["post-791","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/791","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=791"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/791\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\
/792"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=791"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=791"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}