A zooming week at Zoom
Tricky times at the video conferencing giant
A week is a long time when public perception is negative and the press doesn’t help you, especially when many organisations are relying upon the stability of your service. Zoom is a company experiencing this ecstasy and agony right now, and while some reports claim the company is in crisis, its service still seems to be trundling along nicely.
Obviously the exceptional circumstances we are living through at the moment, with the Coronavirus pandemic, have forced many organisations to adopt technologies that would normally be used fairly sparsely. Some have turned to old favourites, like Google Hangouts or Talk, Skype and Microsoft Teams. But Zoom is the platform that seems to have attracted the most users, and also come under the most fire.
Let’s take a look at the reports and sort the wheat from the chaff…
So, Zoom-bombing, as it’s been called, is still prevalent. Malwarebytes dropped an in-depth blog post on the situation on Monday, 13th April. Neatly covered in the piece is all the detail you’ll need about why this happens. Zoom have produced best practice guidance to secure meetings and keep the unwanted baddies out.
However, despite the warnings, the message isn’t being received. This is likely due to overworked and underpaid infosec and compliance dudes not being able to respond, or having higher priorities right now. As communication is key, it’d be useful for governance types to send out clear guidance, but we still hear about the bad news.
Dark Web Bonanza!
Tuesday saw reports of large numbers of compromised Zoom accounts on sale at dark web bazaars. Hackread picked up this baton, expanding the bloat with tales of verified login details that could be used for Zoom-bombing. Let’s try to set this straight: regardless of whether you have a verified account, you still can’t invade another person’s meeting if they configure the security settings correctly.
The real danger of this type of sale is potential sharing of credential details across various sites. As a user, I would always recommend two things here:
- Never use the same password for multiple sites or services;
- Where possible, utilise an MFA token or service, like Microsoft Authenticator, Google Authenticator or Authy, but many others exist.
As an infosec bod working for a product-based company I know the importance of both security-by-design and privacy-by-design; however, I also feel the pain, because both of these things are secondary or even tertiary thoughts to many developers. How many security managers have been here:
“We’re ready to release our new product… Can you approve it for security and privacy?” (any product manager anywhere)
So, I feel no sadness at all when I see Zoom feeling the pain of a problem of their own making. Why? Because they neglected security as an afterthought for so long. What!? People actually want secure software services! People want to keep control of their own private and personal data! Where’s Tim Berners-Lee when you need him?
On Wednesday Help Net Security chimed in on this subject, claiming Zoom are in crisis and are piling all available resources into bolstering up those forgotten and dusty security and privacy features.
This obviously stirred Zoom into action, because the very next day Security Week reported about the new raft of security and privacy features that Zoom have rolled out. These features include:
- The ability to route your data through one of Zoom’s many regional datacentres – That’ll probably help with GDPR concerns, right?
- The introduction of a new bug bounty. They also managed to conjure up an entire article on this one.
- A feature to detect credential stuffing attempts, which sounds like they may be implementing a system similar to Fail2Ban.
- Additional security features on a new toolbar, for the “Security Conscious” Zoom host, if such a thing exists. [I’m talking to you BoJo!]
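The credential stuffing detection mentioned above is worth a closer look, because a Fail2Ban-style "N failures from one IP in a window" rule on its own cannot tell a stuffing run (one source trying leaked username/password pairs against many different accounts) from a user mistyping their own password. The following is an added example, not code from Zoom or from any of the articles cited here; the log format, the IP addresses and the account names are all constructed for illustration. It keeps the Fail2Ban idea of a threshold over a sliding time window, adds a distinct-accounts criterion so only many-account failure bursts trigger, and then records any successful login from a flagged source, since that is the account whose reused password the attacker probably had and which should get a reset and an MFA enrolment nudge.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not a real service's format):
# <ISO-8601 timestamp> <source IP> <account> <FAIL|OK>
SAMPLE_LOG = """\
2020-04-16T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-04-16T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-04-16T10:00:03Z 203.0.113.7 carol@example.com FAIL
2020-04-16T10:00:04Z 203.0.113.7 dave@example.com FAIL
2020-04-16T10:00:05Z 203.0.113.7 erin@example.com FAIL
2020-04-16T10:00:06Z 203.0.113.7 frank@example.com OK
2020-04-16T10:00:07Z 198.51.100.4 alice@example.com FAIL
2020-04-16T10:00:20Z 198.51.100.4 alice@example.com FAIL
2020-04-16T10:00:40Z 198.51.100.4 alice@example.com OK
2020-04-16T10:05:00Z 192.0.2.9 grace@example.com OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def analyse(log_text, window=timedelta(minutes=1), min_failures=5, min_accounts=4):
    """Flag credential-stuffing sources and the logins that followed them.

    Returns (flagged, suspect_logins):
      flagged        -> {ip: {"failures": n, "accounts": m, "at": timestamp}}
                        for sources with >= min_failures failed logins spread
                        over >= min_accounts distinct accounts within `window`.
      suspect_logins -> [(account, ip, timestamp)] for every successful login
                        from an already-flagged source; these accounts most
                        likely reused a password leaked elsewhere.
    """
    events = sorted(parse_line(l) for l in log_text.strip().splitlines() if l.strip())
    recent = defaultdict(deque)  # ip -> deque of (timestamp, account) failures in window
    flagged = {}
    suspect_logins = []

    for ts, ip, account, result in events:
        if result == "FAIL":
            q = recent[ip]
            q.append((ts, account))
            # Drop failures that have aged out of the sliding window.
            while ts - q[0][0] > window:
                q.popleft()
            distinct = {a for _, a in q}
            # Fail2Ban counts failures; the distinct-account test is what
            # separates stuffing from a single user fumbling their password.
            if ip not in flagged and len(q) >= min_failures and len(distinct) >= min_accounts:
                flagged[ip] = {"failures": len(q), "accounts": len(distinct), "at": ts}
        elif result == "OK" and ip in flagged:
            suspect_logins.append((account, ip, ts))

    return flagged, suspect_logins


if __name__ == "__main__":
    flagged, suspects = analyse(SAMPLE_LOG)
    for ip, info in flagged.items():
        print(f"stuffing source {ip}: {info['failures']} failures over "
              f"{info['accounts']} accounts by {info['at'].isoformat()}")
    for account, ip, ts in suspects:
        print(f"successful login from flagged source: {account} via {ip} at {ts.isoformat()}")
```

With the constructed data, 203.0.113.7 trips the rule (five failures across five accounts in five seconds) and frank@example.com is reported as the likely reused credential, while 198.51.100.4, which fails three times against a single account and then succeeds, is left alone. The thresholds are deliberately parameters: a service the size of Zoom would tune the window and counts against its own baseline, and would also want to aggregate per account across sources, since a distributed run from many IPs evades a per-source rule.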
Obviously Zoom has a target on it now and this has led to the price for an alleged zero-day RCE being plumped up to a cool half million smackers, according to Graham Cluley. I’m sure Zerodium probably have a few in their back catalogue.
The trouble is: if you had a zero-day, would you want to use it at a time like this? Zoom is now so heavily used that utilising a zero-day could render it useless very quickly, because the vulnerability would likely be detected and patched. Zero-days like this are probably going to be used by nation-state actors, and they will have their own ways to get into that infrastructure.
This leads on to the last report of the week:
Zoom – for the bods only.
Many governments are ditching Zoom so fast that the exit door is about to fall off its hinges. This week Security Week rocked up with a story about the Indian Government abandoning ship.
But you’ll really know it’s going down when the rats start deserting! Keep safe out there!