News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Patch Lady – should we be concerned about Zoom?

    Posted on Susan Bradley Comment on the AskWoody Lounge

    Home Forums AskWoody blog Patch Lady – should we be concerned about Zoom?

    Viewing 29 reply threads
    • Author
      Posts
      • #2213574 Reply
        Susan Bradley
        AskWoody MVP

        I’ve seen several comments on various venues about the risk of Zoom meetings.  Some of them are valid, others are….. hang on … who in their RIGHT
        [See the full post at: Patch Lady – should we be concerned about Zoom?]

        Susan Bradley Patch Lady

        5 users thanked author for this post.
      • #2213618 Reply
        Alex5723
        AskWoody Plus

        Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links

        The Zoom Windows client is vulnerable to UNC path injection in the client’s chat feature that could allow attackers to steal the Windows credentials of users who click on the link.

        When using the Zoom client, meeting participants can communicate with each other by sending text messages through a chat interface.

        When sending a chat message, any URLs that are sent are converted into hyperlinks so that other members can click on them to open a web page in their default browser.

        The problem is that security researcher @_g0dmode discovered that the Zoom client will convert Windows networking UNC paths into a clickable link in the chat messages as well..

        https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-run-programs-via-unc-links/

        1 user thanked author for this post.
      • #2213633 Reply
        Alex5723
        AskWoody Plus

        Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers

        ..Popular video-conferencing Zoom is leaking personal information of at least thousands of users, including their email address and photo, and giving strangers the ability to attempt to start a video call with them through Zoom.

        The issue lies in Zoom’s “Company Directory” setting, which automatically adds other people to a user’s lists of contacts if they signed up with an email address that shares the same domain. This can make it easier to find a specific colleague to call when the domain belongs to an individual company. But multiple Zoom users say they signed up with personal email addresses, and Zoom pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another…

        https://www.vice.com/en_us/article/k7e95m/zoom-leaking-email-addresses-photos

        3 users thanked author for this post.
        • #2213744 Reply
          Susan Bradley
          AskWoody MVP

          I think that’s only in the paid version.  As that’s the only one I see where there’s a contact list.

          Susan Bradley Patch Lady

          2 users thanked author for this post.
      • #2213653 Reply
        Michael Austin
        AskWoody Plus

        The problem is that security researcher @_g0dmode discovered that the Zoom client will convert Windows networking UNC paths into a clickable link in the chat messages as well..

        As sometimes happens with any company, Zoom’s code got vulnerable. The challenge I see with this Zoom bug (to me) is that Zoom’s worse-than-abysmal support and this bug together show that they’re careless.

        Finance, social and tech founder. My new, planet-wide talk show, Casual Saints, is being readied for a May-ish 2020 😉 debut.

        1 user thanked author for this post.
      • #2213724 Reply
        Chris B
        AskWoody Plus

        Interesting. However, I have my own domain, but my wife and son, who both have Zoom accounts, emails on my domain, and have had meetings with me, have not shown up in this manner. i.e. they are not in my contacts on Zoom. Nor do I see a Company Directory setting anywhere.

        I am on the free version. Perhaps this is not an issue for the social, basic service, user?

        Chris
        Win 10 Pro x64 Group A

      • #2213749 Reply
        howardagoldberg
        AskWoody Plus

        Zoom released client version 4.6.9 early this afternoon, addressing the UNC issue.

        Also, and especially now with so many people using Zoom, I find it problematic that these issues are reported publicly (no one at fault here were everyone is just responding to the public reports – but in other media) before the vendor even has a chance to confirm and address the issue. Tech publications need to be part of the solution, not the problem.

        Ars Technica published an article at about the UNC bug at 12:40 p.m. yesterday. Zoom pushed out a patch within 24 hours. Report on the bug after adequate time has been allowed for the vendor to address it!

        Enough with the click bait that gives ‘bad actors’ a heads up. We need to be in this together :-).

        Again, this is not addressed to this forum or Susan – just a general rant because I am guessing we are going to see lots of ‘white hat hackers’ trying to make a name for themselves now, with certain websites only-too-happy to assist.

        2 users thanked author for this post.
      • #2213763 Reply
        Alex5723
        AskWoody Plus

        A Message from Zoom CEO :

        ….What we’re going to do
        Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust. This includes:

        Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
        Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
        Preparing a transparency report that details information related to requests for data, records, or content.
        Enhancing our current bug bounty program.
        Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
        Engaging a series of simultaneous white box penetration tests to further identify and address issues.
        Starting next week, I will host a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates to our community…

        https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

        2 users thanked author for this post.
      • #2213767 Reply
        Susan Bradley
        AskWoody MVP

        https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

        Susan Bradley Patch Lady

        1 user thanked author for this post.
      • #2213769 Reply
        Cybertooth
        AskWoody Plus

        Heimdal Security provides some technical details of how this exploit is happening here.

         

      • #2213771 Reply
        Alex5723
        AskWoody Plus

        should we be concerned about Zoom?

        There are some who are, like Elon Musk, NASA.. :

        Elon Musk’s SpaceX bans Zoom over privacy concerns -memo

        Elon Musk’s rocket company SpaceX has banned its employees from using video conferencing app Zoom, citing “significant privacy and security concerns,” according to a memo seen by Reuters, days after U.S. law enforcement warned users about the security of the popular app.

        NASA, one of SpaceX’s biggest customers, also prohibits its employees from using Zoom, said Stephanie Schierholz, a spokeswoman for the U.S. space agency…

        https://www.reuters.com/article/us-spacex-zoom-video-commn/elon-musks-spacex-bans-zoom-over-privacy-concerns-memo-idUSKBN21J71H

        2 users thanked author for this post.
      • #2214157 Reply
        Michael Austin
        AskWoody Plus

        Zoom’s e-mail of just today:

        We’re always striving to continue to deliver you a secure virtual meeting environment. Based on feedback from our community, we’ve chosen to enable passwords on your meetings and turn on Waiting Rooms by default starting April 5th,  as additional security enhancements to protect your privacy.

        Dear Valued Customer,

        We’re always striving to deliver you a secure virtual meeting environment. Starting April 5th, we’ve chosen to enable passwords on your meetings and turn on Waiting Rooms by default as additional security enhancements to protect your privacy.

        Meeting Passwords Enabled “On”
        Going forward, your previously scheduled meetings (including those scheduled via your Personal Meeting ID) will have passwords enabled. If your attendees are joining via a meeting link, there will be no change to their joining experience. For attendees who join meetings by manually entering a Meeting ID, they will need to enter a password to access the meeting.

        For attendees joining manually, we highly recommend re-sharing the updated meeting invitation before your workweek begins. Here’s how you can do that:

        Log in to your account, visit your Meetings tab, select your upcoming meeting by name, and copy the new meeting invitation to share with your attendees. For step-by-step instructions, please watch this 2-minute video or read this FAQ.

        For meetings scheduled moving forward, the meeting password can be found in the invitation. For instant meetings, the password will be displayed in the Zoom client. The password can also be found in the meeting join URL.

        Virtual Waiting Room Turned on by Default
        Going forward, the virtual waiting room feature will be automatically turned on by default. The Waiting Room is just like it sounds: It’s a virtual staging area that prevents people from joining a meeting until the host is ready.

        How do I admit participants into my meeting?
        It’s simple. As the host, once you’ve joined, you’ll begin to see the number of participants in your waiting room within the Manage Participants icon. Select Manage Participants to view the full list of participants, then, you’ll have the option to admit individually by selecting the blue Admit button or all at once with the Admit All option on the top right-hand side of your screen.  For step-by-step instructions, please watch this 2-minute video.

        Check out these resources to learn How to Manage Your Waiting Room and Secure Your Meetings with Virtual Waiting Rooms.

        For more information on how to leverage passwords and Waiting Rooms to secure your meetings, please visit our Knowledge Center, attend a daily live demo, or visit our Blog.

        Please reach out to our Support Team if you have any questions at support@zoom.us.

        Thank You!
        Team Zoom

        Moderator note: Edit to remove HTML. Please use the “Text” tab in the entry box when you copy/paste.

        Finance, social and tech founder. My new, planet-wide talk show, Casual Saints, is being readied for a May-ish 2020 😉 debut.

        2 users thanked author for this post.
      • #2223249 Reply
        MWmC
        AskWoody Plus

        Good morning. There’s an interesting article in the FT (only for subscribers i’m afraid), but the gist of it is that Zoom has been routing data through Chinese servers … after specifically having denied such routing.

        I think this goes beyond the details of how and under what circumstances intrusions can happen. I have blocked access to Zoom on our platforms and told our partners they need to find another way to communicate with us … if they want our business.

        Trust is trust, and Zoom has proven they don’t deserve it.

      • #2223250 Reply
        anonymous
        Guest

        I don’t have the Zoom app installed on my computer. When my classes require it, I only use the browser version. Should I still be concerned?

        1 user thanked author for this post.
        • #2223768 Reply
          rc primak
          AskWoody_MVP

          Yes. Many of these concerns have to do with how Zoom does and does not encrypt sessions. (They do not use end to end encryption in either version.) Zoom has also never said they would stop using personal information and selling it to advertisers.

          But the worst unaddressed issues have to do with Zoom’s overall security issues. Outside security auditing has been done. And Zoom has failed these audits. The Company gives replies like the ones linked in this thread. Frankly, it’s mostly Bafflegab with no actual promises to make meaningful changes. The Company’s responses so far show a flagrant disregard for user security and especially privacy.

          For a Company which provides telemedicine services to health care providers, I don’t see how Zoom can possibly justify saying their services are HIPAA compliant. My own Doctor used Zoom for a telemed visit with me before I found out the full extent of Zoom’s issues. I now regret accepting that invitation.

          -- rc primak

          • This reply was modified 1 month, 4 weeks ago by rc primak.
          3 users thanked author for this post.
      • #2223256 Reply
        Chris B
        AskWoody Plus

        @MWmC thanks – I’ll pick the article up in the newspaper on Monday.

        However, perhaps we should be segmenting this discussion. There are many who are using Zoom for business purposes and have confidential content. For them, all these points are probably valid concerns.

        But my usage is different. I have just joined Zoom and moved my social club over to the platform, so far as we can. It is  a new platform for me and for all the rest of us. We are all older guys, pretty much all over 70 (aka old gits) and are using the platform to carry on some of our social activities, albeit not the lunches, when we are all confined to our homes and getting pretty bored. For us, I can see no reason to get concerned by these issues. We don’t discuss state secrets, because we don’t know any, nor anything more inflammatory than personal opinions.

        So, while I am watching the developments, I see no reason to get concerned for our usage, and I suspect that is the case for a vast number of the new users of Zoom. Susan – if there is anything I am missing, please put me right.

        Chris
        Win 10 Pro x64 Group A

        • #2223770 Reply
          rc primak
          AskWoody_MVP

          I guess it depends on how much club members value their privacy. I belong to two computer user groups. One says they can live with the risks, but has incorporated password security into future sessions. The other, which is open-source oriented, refuses to deal with Zoom. They had a hard time finding alternatives, but ultimately went with jit.si meet, an open-source service which is limited to 16 live participants, plus live-streaming capabilities.

          -- rc primak

          1 user thanked author for this post.
          • #2223772 Reply
            Chris B
            AskWoody Plus

            I was going to ask you who you would use, but you have just answered that! We have taken the first option – always use passwords. I’ll have a look at you alternative, though. Thanks

            Chris
            Win 10 Pro x64 Group A

            1 user thanked author for this post.
      • #2223263 Reply
        Paul T
        AskWoody MVP

        article in the FT

        You could give us a 3 line precis and a link – I’m sure the FT won’t mind.

        cheers, Paul

      • #2223309 Reply
        Alex5723
        AskWoody Plus

        Zoom route some calls and encryption decryption keys through China

        A US Company with a Chinese Heart?

        This report examines the encryption that protects meetings in the popular Zoom teleconference app. We find that Zoom has “rolled their own” encryption scheme, which has significant weaknesses. In addition, we identify potential areas of concern in Zoom’s infrastructure, including observing the transmission of meeting encryption keys through China…

        Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings

        4 users thanked author for this post.
      • #2223430 Reply
        Alex5723
        AskWoody Plus

        Zoom Self Help Center by WalkMe

        A walk-through for newbies with Zoom

        Make Zoom simple and easy to use in seconds.
        Need assistance setting up Zoom? WalkMe’s world renowned guidance solution will help you through any process on Zoom and will guide you step by step exactly with the instructions you need, when you need them…..

        https://chrome.google.com/webstore/detail/zoom-self-help-center-by/jgbogkmcdglemabaihcffddgimmpoiha

        1 user thanked author for this post.
      • #2223518 Reply
        Alex5723
        AskWoody Plus

        NYC forbids schools from using Zoom for remote learning due to privacy and security concerns

        New York City has banned the video conferencing platform Zoom in city schools weeks after thousands of teachers and students began using it for remote learning.

        The education department received reports of issues that impact the security and privacy of the platform during the credentialing process, according to a document shared with principals that was obtained by Chalkbeat. “Based on the DOE’s review of those documented concerns, the DOE will no longer permit the use of Zoom at this time,” the memo said.

        Instead, the guidance says, schools should switch to Microsoft Teams “as soon as possible,” which the education department suggests has similar functionality and is more secure. ..

        NYC forbids schools from using Zoom for remote learning due to privacy and security concerns

        4 users thanked author for this post.
      • #2223550 Reply
        Alex5723
        AskWoody Plus

        Thousands of Zoom video calls left exposed on open Web

        Many of the videos include personally identifiable information and deeply intimate conversations, recorded in people’s homes.

        Thousands of personal Zoom videos have been left viewable on the open Web, highlighting the privacy risks to millions of Americans as they shift many of their personal interactions to video calls in an age of social distancing.

        Videos viewed by The Washington Post included one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people’s names and phone numbers; small-business meetings that included private company financial statements; and elementary school classes, in which children’s faces, voices and personal details were exposed…

        https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/

        5 users thanked author for this post.
      • #2223708 Reply
        Chris B
        AskWoody Plus

        The FT article @MWmC pointed us to is a report of the Citizenlab report that @Alex5723 helpfully linked to.

        I look at this from the point of view of the social user, of which there are a couple or three new ones where I live (the UK). Those of you who use video for commercial reasons may have different views for very good reasons.

        The Citizenlab report makes clear that its concerns are for those who have confidential matters to protect, as quoted below:

        “As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality, including:

        • Governments worried about espionage
        • Businesses concerned about cybercrime and industrial espionage
        • Healthcare providers handling sensitive patient information
        • Activists, lawyers, and journalists working on sensitive topics

        For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning.”

        It is also the case that, if you use the default settings in Zoom, some of the issues, such as no passwords and Waiting Room, go away – indeed Zoom have disabled password free meetings in the update released over the weekend.

        For social uses in this Covid-19 dominated world there is a real need for a cheap videolink tool, and there are very few options. While Microsoft Team may be an attractive and better tool for business, it costs £60/seat per year. My club has 72 members, which is 4,320 mouth-watering pounds of revenue to Microsoft per year. That is never going to happen.

        Furthermore, it seems to me that Zoom have been responding pretty quickly to the issues being raised, and the responsible commentators have been raising them first with Zoom and not in the press. I think Zoom deserve credit for that.

        My club did quite a bit of research to find the right tool to keep in touch and came to the conclusion Zoom is the best – just as did Lincoln Spectre in today’s newsletter. I still think that is the right decision, but I stress that I am talking only for the social user. The rest of you can make your own decisions, as I am sure you will!

         

        Chris
        Win 10 Pro x64 Group A

        3 users thanked author for this post.
        • #2223773 Reply
          rc primak
          AskWoody_MVP

          The use of Zoom or the choice of an alternative is up to each user’s risk tolerance and desire for privacy. In healthcare settings, this is not a choice. I would never trust Zoom for telemedicine, including therapy sessions (if anyone does those via video conferencing, not revealing any personal info about myself). Some companies might be concerned about espionage as well.

          -- rc primak

          1 user thanked author for this post.
      • #2223780 Reply
        rc primak
        AskWoody_MVP

        If looking into alternatives, or if unfamiliar with Zoom, it is a good idea to set up with group leaders a few limited test sessions, just to make sure at least presenters and key participants know how to use the controls and the basic features. And to sort out any connection issues in advance. Also, be prepared to walk participants through first-time user issues, so start the meeting early if at all possible.

        -- rc primak

        • #2223781 Reply
          Chris B
          AskWoody Plus

          Yes -that is exactly what we have done.

          Chris
          Win 10 Pro x64 Group A

      • #2223790 Reply
        Michael Austin
        AskWoody Plus

        Frankly, it’s mostly Bafflegab with no actual promises to make meaningful changes. The Company’s responses so far show a flagrant disregard for user security and especially privacy.

        Yup. And I dig the word bafflegab 😉

        From just a little while I ago I offer this:

        “Zoom CEO: ‘I really messed up’
        By Jake Perez, Editor at LinkedIn
        Updated 21 hours ago

        Zoom, the video-conferencing platform that’s seen a surge in usage during the coronavirus pandemic, has become the target of organized trolling. The New York Times found 153 Instagram accounts, dozens of Twitter accounts and private chats, and 4Chan message boards where so-called ‘Zoom raiders’ were sharing meeting passwords and planning harassment. In response, Zoom now defaults to passwords and ​waiting rooms for basic users and CEO Eric Yuan admits he ‘really messed up’ on the platform’s security. He told The Wall Street Journal an end-to-end encryption option should be available in several months.”

        Finance, social and tech founder. My new, planet-wide talk show, Casual Saints, is being readied for a May-ish 2020 😉 debut.

        1 user thanked author for this post.
      • #2232057 Reply
        Alex5723
        AskWoody Plus

        Taiwan government blocked the usage of Zoom

        ..In response to changing developments surrounding the COVID-19 outbreak, many organizations have the option to use remote video conferencing technology to coordinate with separate or distant offices as a means of minimizing business disruptions. The Executive Yuan’s Department of Cyber Security (DCS) today formally issued an advisory to all government organizations and specific non-government agencies that should it become operationally necessary to engage in video conferencing, the underlying video software to be used should not have associated security or privacy concerns, such as the Zoom video communication service

        https://english.ey.gov.tw/Page/61BF20C3E89B856/849887da-0aa7-4b84-8fba-1b6b1183843f

        2 users thanked author for this post.
      • #2232058 Reply
        Alex5723
        AskWoody Plus

        Google Told Its Workers That They Can’t Use Zoom On Their Laptops Anymore

        ..Google has banned the popular videoconferencing software Zoom from its employees’ devices, BuzzFeed News has learned. Zoom, a competitor to Google’s own Meet app, has seen an explosion of people using it to work and socialize from home and has become a cultural touchstone during the coronavirus pandemic.

        Last week, Google sent an email to employees whose work laptops had the Zoom app installed that cited its “security vulnerabilities” and warned that the videoconferencing software on employee laptops would stop working starting this week…

        https://www.buzzfeednews.com/article/pranavdixit/google-bans-zoom

        1 user thanked author for this post.
      • #2232060 Reply
        Alex5723
        AskWoody Plus

        Stolen Zoom passwords and meeting IDs are already being shared on the dark web

        As Zoom confronts numerous security issues amid a spike in use of the service during the coronavirus pandemic, yet another problem for the video conferencing platform has entered the stage, thanks to the dark web.

        Cybersecurity firm Sixgill recently discovered a collection of 352 Zoom accounts that had been compromised. The accounts were shared by a user on a popular dark web forum; information included each account’s connected email address, password, meeting ID, host key, and host name. ..

        https://mashable.com/article/stolen-zoom-passwords-dark-web/

        1 user thanked author for this post.
        • #2232442 Reply
          Paul T
          AskWoody MVP

          352 Zoom accounts

          Such a low number suggests they are just guessed from credential re-use.

          cheers, Paul

      • #2232159 Reply
        Alex5723
        AskWoody Plus

        US Senate tells members not to use Zoom

        https://www.ft.com/content/dac7d60b-54fa-402b-8469-70f85aaace76

        2 users thanked author for this post.
      • #2232448 Reply
        Alex5723
        AskWoody Plus

        352 Zoom accounts

        Such a low number suggests they are just guessed from credential re-use.

        cheers, Paul

        Or they can be 352 Zoom accounts of the biggest world’s enterprises 🙂

        1 user thanked author for this post.
      • #2232811 Reply
        Alex5723
        AskWoody Plus

        Singapore stops teachers using Zoom app after ‘very serious incidents’

        Singapore has suspended the use of video-conferencing tool Zoom by teachers, its education ministry said on Friday, after “very serious incidents” occurred in the first week of a coronavirus lockdown that has seen schools move to home-based learning…

        https://www.reuters.com/article/us-zoom-video-comm-privacy-singapore/singapore-stops-teachers-using-zoom-app-after-very-serious-incidents-idUSKCN21S0AH?feedType=RSS&feedName=technologyNews&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+reuters%2FtechnologyNews+%28Reuters+Technology+News%29

        1 user thanked author for this post.
      • #2241744 Reply
        Alex5723
        AskWoody Plus

        352 Zoom accounts

        Such a low number suggests they are just guessed from credential re-use.

        cheers, Paul

        Here is your answer

        Over 500,000 Zoom accounts sold on hacker forums, the dark web

        Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.

        These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.

        Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each…

        • #2241785 Reply
          Paul T
          AskWoody MVP

          “Guessed from credential reuse” is not “Zoom being insecure”, no matter how many there are.

          cheers, Paul

          • This reply was modified 1 month, 2 weeks ago by Paul T.
          1 user thanked author for this post.
      • #2241752 Reply
        Pierre77
        AskWoody Plus

        This taken from MalwareBytes Labs.

        Keep Zoombombing cybercriminals from dropping a load on your meetings

        May be of some use to some.

        1 user thanked author for this post.
    Viewing 29 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Patch Lady – should we be concerned about Zoom?

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.