Caute_cautim
Community Champion

Is Zoom conferencing safe to use or not?

Hi All

 

According to "The Intercept", Zoom has some issues which can result in data leakage and privacy problems, and it apparently has encryption issues.

 

Does it have issues, during this crisis, as it is being actively used even by New Zealand Government agencies too for updates: 

 

https://theintercept.com/2020/03/31/zoom-meeting-encryption/

 

https://www.businessinsider.com.au/zoom-privacy-issues-fbi-facebook-data-sharing-2020-3?r=US&IR=T

 

https://arstechnica.com/tech-policy/2020/03/zooms-privacy-problems-are-growing-as-platform-explodes-...

 

Or does someone have an agenda against the company?

 

Regards

 

Caute_cautim

49 Replies
rslade
Influencer II

Apparently Zoom is safe.  Or it will be. If you pay ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Caute_cautim
Community Champion

@rslade    Most of the world looks like the Muppets at the present time....

 

 

Regards

 

Caute_Cautim

Shannon
Community Champion

 


@Caute_cautim wrote:

@rslade    Most of the world looks like the Muppets at the present time....

 


 

This is probably one of the muppets recovering from COVID-19 --- after the quarantine of Sesame Street.

 

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Baechle
Advocate I

I’ve always looked like a muppet. Mnamna.
CraginS
Defender I

Bruce Schneier is now a lot less happy with Zoom, due to the pay for privacy feature.

See his new (6/4/20, or for our EU patrons 4/6/20) blog post, 

Zoom's Commitment to User Security Depends on Whether you Pay It or Not

In that post he does call them out for the subtle double-talk of how they describe e2e or not and other aspects of marketing language to fool the average potential customer.

Subsequent comments on Schneier's post are worth revising, too.

 

Craig

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
rslade
Influencer II

Right.  Although, as a security person, I may hate to admit it, the Vancouver Chapter is using Zoom for its June 12th virtual/remote meeting.  As part of the testing for holding it, we tried to figure out whether you actually need a Zoom account or have Zoom installed to "attend."  The answer seems to be "no," but with some caveats.

 

Right, this is complicated. And I'm not sure that I am able to test a complete "no-install" situation, since my machines all appear to be contaminated with Zoom.  (More on that later.) (I'm pulling up the old Android tablet right now to try and remove Zoom from it (it was a pre-5 version anyway: 4.4.5391.0520) and see if I can test that.)  (But it never did cooperate.)

 

On my main desktop, I have never installed Zoom (since I don't have a Webcam on it), but I have done some work on my rslade@gmail.com account (via the Avast browser), and have used the Chrome browser with a Zoom install on the same account. I seldom use Edge, so I don't think I have anything installed on the Edge browser, but the install via Chrome seems to have "contaminated" my desktop Win10 machine in its entirety.

 

So, Fred set up a test meeting, and, on the Edge browser, I entered the URL and got the screen that shows as

 

Figure: zoom no install reg 6.PNG
I registered using my rmslade@shaw.ca address, which I have never before used for a Zoom meeting. This resulted in

 

Figure: zoom no install reg 5.PNG
I clicked on the link (the lo-o-o-ng URL) provided, and got

 

Figure: zoom no install reg 4.PNG

 

Now, at this point, I have to strongly note that I did not click on the "download & run Zoom" link. I did click on the "join from your browser" link. This, unfortunately, brought up

 

Figure: zoom no install reg 3.PNG
which was definitely not in my browser. Any of them. It was Zoom.

 

At this point, looking back at my browser, I took a screenshot of

 

Figure: zoom no install reg 1.PNG


There are two things to note. The first is that I definitely did not click on the "download Zoom" link. The second is to note the bottom message on the screen about Zoom_[hex numbers].exe. I did not either run or save it. As previously noted, the fact that Zoom came up was from a previous install via a different browser. At this point, I probably don't have any machines in the house that are uncontaminated by Zoom.

 

So, Zoom is very "helpful" about getting onto your machine. As a malware researcher, I'm not sure how I feel about that. On the one hand, we can probably offer the meeting to anyone with a browser, regardless of whether they have a Zoom account or have ever used Zoom. On the other hand, as a drive-by download, it works great, and I'm not really thrilled about having stuff installed on my machine with lots of access that I never gave it.

 

Anyone is welcome to join our meeting, of course, but anyone who has not used Zoom is particularly welcome, and we'd love to hear about your experiences.  The registration for the meeting is here.  It starts at 2 pm, Pacific time, but Fred and I will be on from 1:30 pm, and, if you want to do some testing from a "cold" machine and see how easy or hard it is to get on, we'd be grateful.


luriep
Viewer III

As a long time employee in the voice & video collab space, I was going to write a nice long response on this thread.  Only to find out a blog post just dropped that hit on many of my key themes: 

 

Ease of Use vs. Security: The Zoom Conundrum  by Phil Edholm

https://www.nojitter.com/video-collaboration-av/ease-use-vs-security-zoom-conundrum

... "As part of making that experience easier, Zoom calibrated the settings knobs to simplicity, often eschewing potential security considerations in the process." 

[...]

"As the initial market for Zoom wasn’t the Fortune 100 IT departments, but rather SMBs and individual users ... Users didn’t need to learn complex controls to have the customer share something; it just worked. In fact, that has been the biggest compliment to Zoom — it just works." 

 

 

It's worth the 4 minute read, no installation of self-downloading tools required.

kpinkham
Newcomer II

How did the Chinese government even know that this call was taking place and what "local laws" were complied with?

 

https://www.bbc.com/news/world-asia-53003688