topic Re: Is Zoom conferencing safe to use or not? in Industry News

Is Zoom conferencing safe to use or not?

Caute_cautim — Mon, 09 Oct 2023 09:29:10 GMT

Hi All

According to "The Intercept" Zoom has some issues, which can result in data leakage, privacy and apparently has encryption issues.

Does it have issues, during this crisis, as it is being actively used even by New Zealand Government agencies too for updates:

https://theintercept.com/2020/03/31/zoom-meeting-encryption/

https://www.businessinsider.com.au/zoom-privacy-issues-fbi-facebook-data-sharing-2020-3?r=US&IR=T

https://arstechnica.com/tech-policy/2020/03/zooms-privacy-problems-are-growing-as-platform-explodes-in-popularity/

Or does someone have an agenda against the company?

Regards

Caute_cautim

Re: Is Zoom conferencing safe to use or not?

AppDefects — Wed, 01 Apr 2020 02:20:37 GMT

There's always room for a good conspiracy theory isn't there? But, the IPO has passed and we are living with a deflated stock. Zoom software has always had some serious software defects that have been discussed in public for years. Did they ever fix them? No. Did anyone have the need to use their software? No. Times have changed. Now, they need to go back and re-engineer their product if they care about their reputation and stock price. Want more conspiracy? Just look at the 49 CVEs on record here. Btw those are just the published ones...

Re: Is Zoom conferencing safe to use or not?

Caute_cautim — Wed, 01 Apr 2020 03:13:38 GMT

@AppDefects Thanks for the information - interesting that lots of new Zoom domains are being created actively every day: https://securityaffairs.co/wordpress/100752/cyber-crime/coronavirus-zoom-campaign.html

During this current worldwide situation. Seems they need to do a lot of work.

Regards

Caute_cautim

Re: Is Zoom conferencing safe to use or not?

Caute_cautim — Wed, 01 Apr 2020 03:30:16 GMT

How long is this story going to run? https://www.theverge.com/2020/3/31/21201234/zoom-end-to-end-encryption-video-chats-meetings

Regards

Caute_cautim

Re: Is Zoom conferencing safe to use or not?

Caute_cautim — Wed, 01 Apr 2020 03:32:43 GMT

@AppDefectsYes, add another CVE against Zoom: They have some work to do:

https://www.itnews.com.au/news/zoom-for-windows-leaks-network-credentials-runs-code-remotely-545883?eid=3&edate=20200401&utm_source=20200401_PM&utm_medium=newsletter&utm_campaign=daily_newsletter

Regards

Caute_cautim

Re: Is Zoom conferencing safe to use or not?

mgorman — Wed, 01 Apr 2020 11:55:40 GMT

We use it, and I don't think it is a big problem. Like a lot of companies, they have been thrust into the limelight due to Corona, and some issues are showing up. The privacy policy thing I'd like to understand, did they make changes to practices, or just clarify their policy language? That is, were they selling a bunch of information, then stopped when they got caught, or did they have very permissive language originally, but better practices, then trued up to the practices. I see a lot of complaints about people being able to crash meetings. OK, so enable your meeting passwords, which they have recently changed to as a default because of this. Maybe they should have had that as default for a while, but they offered it, for users to use to protect their meetings, and if they weren't used, are they to blame? Lastly, the encryption thing. To me it depends on what you consider and end. In a one on one call, the ends could be seen as the users. However, in a group conference call, the ends include the conferencing server, as they have to. You couldn't scale to a 100 users with 99^2 encrypted streams between them. Slightly overzealous marketing? Sure. That said, heavy on the slightly. Their definition of E2E encryption is far less concerning to me than a lot of things I see every day.

The iOS SDK thing, I'll give them poor monitoring practice marks, but the fact that it was only iOS to Facebook seems to indicate that is what it was, poor development practices that allowed something to be enabled. If they were serious about monetizing that information, they would have done it with a lot more client types.

In the end, I think they are generally a good company and product. There are certainly risks associated, as always, but one can minimize them, and in the balance of what they provide, I think it is a net gain.

Re: Is Zoom conferencing safe to use or not?

mgorman — Wed, 01 Apr 2020 14:14:04 GMT

I just saw this one, and have to update my comments to say that I think they have more quality issues than I thought. Some of the articles seem to be piling on, but things like this one show that they have poor practices from a security standpoint, so the balance is tipping in risk/reward.

Re: Is Zoom conferencing safe to use or not?

rslade — Wed, 01 Apr 2020 17:55:54 GMT

There are a significant number of security issues with Zoom, but, overall, it seems to be a possible tool, if you know, and accept, the specific risks.

At the moment, the major one seems to be the popularity. As previously noted, at the moment everyone wants to get on the Zoom/teleconferencing bandwagon, and everyone is trying to download the app. (The fact that the Apple App Store, the Google/Android Play Store, and the Microsoft Store all have apps called zoom that have nothing to do with teleconferencing doesn't make things any easier.) Just to be clear, we are talking about zoom.us, and if you download something from some other zoom domain you may be in (malware) trouble.

A lot of hackers seem to be having fun with the conference number guessing. Since conferences are identified and managed via a nine digit number, hackers can "join" your conference if they guess the right number. At the moment, this seems to be more of a game where they "share" pr0n (drat you, dreaded "community" pr0n filter) in the middle of family calls, and other such annoyances (and sometimes more than annoyances). At the moment there doesn't seem to be too much in the way of targetted attacks. You can use a "password" to "protect" you call, but, since it is only a (six digit?) number, I'm not sure how much protection there is against automated password sequencing.

Yes, Zoom seems to have a pretty cavalier attitude towards security and privacy. It may become the "Facebook" of teleconferencing. Be aware of the various threats, attacks, and vulnerabilities, but, particularly in the midst of this crisis, it may be an acceptable risk for the communications benefit. We, in the Vancouver Chapter, are trying to set up a virtual meeting and presentation, likely around April 17th. (In fact, I'm running a practice test, for those interested in Zoom meetings, in less than an hour:

Topic: Security SIG test meeting
Time: Apr 1, 2020 11:00 AM Vancouver

Join Zoom Meeting
https://us04web.zoom.us/j/679324276

Meeting ID: 679 324 276 )

Re: Is Zoom conferencing safe to use or not?

Caute_cautim — Wed, 01 Apr 2020 19:43:25 GMT

HI All

Apologies if this upsets anyone: https://www.theregister.co.uk/2020/04/01/zoom_spotlight/

It's just a headline from the Register UK source.

Even the Prime Minister of UK was caught using Zoom - crazy people.

Regards

Caute_cautim

Re: Is Zoom conferencing safe to use or not?

kpinkham — Wed, 01 Apr 2020 20:51:36 GMT

Tech Crunch created a summary page of recent concerns.

https://techcrunch.com/2020/03/31/zoom-at-your-own-risk/

Re: Is Zoom conferencing safe to use or not?

Caute_cautim — Wed, 01 Apr 2020 21:39:55 GMT

And more comes out of the woodwork: Apparently NZ Government stated one could use Zoom up to the level of RESTRICTED - given the circumstances, I think there is a case for the Privacy Commissioner to step in purely on the protection of PII given the current circumstances. They should stop using it immediately.

https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/

Regards

Caute_cautim

Re: Is Zoom conferencing safe to use or not?

Caute_cautim — Wed, 01 Apr 2020 23:24:23 GMT

@kpinkhamThere an item called Zoom Bombing as well. Found this piece on how to protect yourselves, should you wish to carry on using Zoom. https://www.linkedin.com/pulse/3-ways-protect-your-zoom-meetings-jason-little/?trackingId=wiZMBiHJSv2NxRGbQiTWvA%3D%3D

Regards

Caute_cautim

Re: Is Zoom conferencing safe to use or not?

kpinkham — Thu, 02 Apr 2020 16:51:00 GMT

90 day feature freeze to "clean up security and privacy".

https://www.theverge.com/2020/4/2/21204018/zoom-security-privacy-feature-freeze-200-million-daily-users

Re: Is Zoom conferencing safe to use or not?

Caute_cautim — Thu, 02 Apr 2020 21:58:29 GMT

Interesting: https://www.securityweek.com/zooms-security-and-privacy-woes-violated-gdpr-expert-says

Could be a case of GDPR issues as well. I wonder what CCPA would make of this too?

Regards

Caute_cautim

Re: Is Zoom conferencing safe to use or not?

rslade — Fri, 03 Apr 2020 18:46:00 GMT

Well, a few more issues with encryption. Plus some interesting points about Zoom's relationship with China.

https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/

And the quick (really quick!) and dirty attitude to development. Particularly in regard to crypto.

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

But, also, some advice on making Zoom safer. (OK, I said "safer." Not completely safe. And China is probably still going to be able to listen in on every conversation. If they want to ...)

(The advice to update is probably important. Zoom does seem to be making some effort here: Yesterday the client I have on a Windows machine asked me to update, and today, at the end of a call/meeting, the Mac client asked me to update. An old (really old) Android device tells me to update, but won't install the update. My newer Android phone hasn't said anything, but I suspect it's updated by itself.)

Re: Is Zoom conferencing safe to use or not?

rslade — Fri, 03 Apr 2020 18:48:17 GMT

If you want to avoid Zoom, there's always Jitsi Meet. I have zero experience with it, but I'm dying to try it out ...

Re: Is Zoom conferencing safe to use or not?

Caute_cautim — Fri, 03 Apr 2020 22:52:39 GMT

@rsladeand all: Here is a very good report on Zoom, which many should find very useful in determining their best course of action: https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

And the best thing is - it is Canadian......

Regards

Caute_cautim

Re: Is Zoom conferencing safe to use or not?

AppDefects — Sat, 04 Apr 2020 02:17:09 GMT

The founder and CEO of Zoom has apologized to the video conferencing app's millions of users after coming under fire for a host of privacy issues at a time when it has emerged as a vital social and professional lifeline for many.

"We recognize that we have fallen short of the community's -- and our own -- privacy and security expectations," Eric Yuan said in a blog post on Wednesday. "For that, I am deeply sorry."

Zoom will stop adding new features for the next 90 days and instead focus solely on addressing privacy issues, Yuan said. The company will also release a transparency report, similar to the ones periodically shared by tech giants, which details requests for data or content from government authorities.

Re: Is Zoom conferencing safe to use or not?

Caute_cautim — Sat, 04 Apr 2020 03:08:05 GMT

@AppDefectsThe founder may have apologies and promised updates, but when they send the encryption keys to a server in China - I certainly will not be using them for hosting conferences.

https://www.securityweek.com/keys-used-encrypt-zoom-meetings-sent-china-researchers

And certainly not for discussions involving PII or Government discussions like the Prime Ministers of UK and Nw Zealand recently did on numerous occasions.

Regards

Caute_Cautim

Re: Is Zoom conferencing safe to use or not?

kpinkham — Sat, 04 Apr 2020 16:00:34 GMT

Wondering how Zoom was Fedramp approved by the US government after reading all this.

https://marketplace.fedramp.gov/#/product/zoom-for-government?sort=productName&productNameSearch=zoom