The Truth About Zoom

April 06, 2020

Did we think TikTok was bad?  Man, oh man, it only gets worse from there.  Enter stage left and we welcome Zoom onto the stage.  If you hadn't heard of Zoom as of two weeks ago, I'm sure you have now.  Schools are using it for distance learning, employees have started using Zoom for work and for new-found virtual happy hours, friends are using it to introduce game night or trivia night, and families are using it to stay connected.

To put it bluntly, it is a security and privacy disaster.  I first heard of Zoom about two years ago when I did a security assessment on it for work.  Even at that time, I did not feel like Zoom had a place with the workforce.  I received a lot of frustrated comments on that one by the way.  But I continued on and didn't use it in my personal life either.  Now the FBI has come out to warn us of potential vulnerabilities and concerns for Zoom.

Fast forward and the majority of people I know are now using it, whether it be for work, for school, or for catching up with family.  There have been reports of Zoombombing, where uninvited attendees break into and disrupt meetings.  Then Zoom got called out for sharing user data with Facebook and on April 1, The Verge posted an article claiming Zoom was leaking personal information of "at least thousands of users, including their email address and photo, and giving strangers the ability to attempt to start a video call with them through Zoom."  That wasn't an April Fools' joke.  Then Zoom told everyone that the platform was encrypted "end-to-end", but had decided to redefine the way they defined the encryption.  All this in addition to reports of attackers stealing users' passwords and running malware, of attackers with local access being able to take over a Zoom user's Mac and tap into the device's webcam and microphone, and a generally sketchy privacy policy.  Oh and it tended to turn on video by default.

But yet, Zoom is flourishing.  It has gone from an average of 10 million daily users to 200 million daily users.  As of early morning April 3, Zoom has become a top performing stock on the NASDAQ, showing up to 130% gains. 

Who knows how long that will last with the latest string of troubles coming their way.  Sure, they have taken steps to beef up their security and educate users, so maybe they are beginning to take this seriously. 

Until then, there are still some seriously sloppy security practices to be aware of.  This topic is constantly evolving, so what is in the news today is probably going to be outdated come mid-week.  But if we don't have people talking about these concerns now, they have no reason to change. 

Let's talk about the primary concerns.

  1. Security
  2. Privacy

These are very general buckets, I know.  Let's get specific.

Security - Zoom claimed to implement end-to-end encryption, which is exactly as it sounds - communication is encrypted on both sides so it cannot be read or modified except by the intended sender and recipients.  Unfortunately, Zoom seemed to be using its own definition of that term.  A definition that allowed Zoom itself to access the unencrypted video and audio from meetings.  Basically what happened is Zoom actually only offered transport encryption.  Zoom uses TLS to protect its meetings, which is what web servers use to secure HTTPS websites.  So the connection between the Zoom app on someone's computer or phone and Zoom's servers is encrypted in the same way as the connection between a web browser and a website, for instance, an article you are reading.  What does this actually mean?  The information will be protected from someone sniffing your WiFi network, but it won't stay private from the company.  More on that below.  True end-to-end encryption would mean that the data would be encrypted so that only the participants in the meeting have the ability to decrypt it.  Zoom would only have access to the encrypted data, but would have no method of decrypting it.  For example, secure messaging services like Signal or Wire

I hate to say it again, but it gets worse.  Citizen Lab reported that while Zoom claimed to use "AES-256" encryption, in reality it is only a single AES-128 key used in ECB mode by all participants to encrypt and decrypt audio and video.  These keys appear to be generated by Zoom servers, and in many cases, through servers in China (even if there are no meeting participants in China).  This Silicon Valley based company also owns three companies in China to do development work for Zoom's software.  So, we have a company that has risen to the top very quickly, with strong Chinese ties.  Could they potentially insert backdoors?  Could they potentially intercept and decrypt traffic?  Well…..
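To see why the ECB detail in the Citizen Lab finding matters, here is an added example (not code from the original post or from Zoom) that encrypts one constructed frame with AES-128 in ECB mode and with AES-GCM, then counts ciphertext blocks that repeat. The key, the frame contents and all function names are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

var demoKey = []byte("constructed-key!") // constructed 16-byte AES-128 key
// Constructed frame: eight identical 16-byte blocks, then one distinct block.
var sampleFrame = append(bytes.Repeat([]byte{0}, 8*aes.BlockSize), "distinct payload"...)

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// ECB: every full 16-byte block is encrypted on its own (no padding; Go ships no ECB mode).
func ecbEncrypt(key, pt []byte) []byte {
	block := mustAES(key)
	ct := make([]byte, len(pt))
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// AES-GCM: the 12-byte nonce must be unique per message under a given key.
func gcmEncrypt(key, nonce, pt []byte) []byte {
	aead, _ := cipher.NewGCM(mustAES(key)) // cannot fail for an AES block
	return aead.Seal(nil, nonce, pt, nil)
}

// repeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier one.
func repeatedBlocks(ct []byte) int {
	seen, total := map[string]bool{}, len(ct)/aes.BlockSize
	for i := 0; i < total; i++ {
		seen[string(ct[i*aes.BlockSize:(i+1)*aes.BlockSize])] = true
	}
	return total - len(seen)
}

func main() {
	fmt.Println("ECB repeats:", repeatedBlocks(ecbEncrypt(demoKey, sampleFrame)))
	fmt.Println("GCM repeats:", repeatedBlocks(gcmEncrypt(demoKey, make([]byte, 12), sampleFrame)))
}
```

Under ECB the eight identical plaintext blocks come out as eight identical ciphertext blocks, so the structure of the data is visible without the key; the nonce-based mode hides it.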

Last summer, security researchers found that there was a vulnerability in Zoom that would allow any website to forcibly join a user to a Zoom call, with the video camera activated, and without the user's permission.  This has since been fixed, thankfully.  But then, just a few days ago, we got more news that Zoom for Windows could be used to steal users' Windows credentials.  In response, Zoom has frozen feature development for the next 90 days so it can focus on securing the features that are already in place.

Phew.  That was a doozy.  And that's only surface level.  Encrypting data is actually somewhat difficult for a group video conference service to do, but it's another thing for it to claim to do one thing and actually do another.  And on top of that to have such strong Chinese ties?  And all the bugs from the past?  That is kind of sketchy when you put it all together.  Now let's deal with the privacy issues.

Privacy - I think this is where Zoom has been in the news more often.  Let's talk about the most visible problem first - Zoombombing, which would also be considered a security issue at the same time.  It has been in the news lately for people hijacking video conferences and sharing pornographic images, doxxing participants, or taunting people with threats.  It was as easy as looking for URLs that included "Zoom.us", or finding links plastered all over social media channels, like your friend's trivia night(?!).  Clearly the dangers of this could be terrible for children if someone were to hijack a classroom or join in on a family update.  What if it were a sensitive work meeting?  To be fair, Zoom is working on this issue.  Starting April 5, Zoom will require passwords to enter calls and it will enable virtual waiting rooms by default so the host has to manually admit attendees.

Zoom collects a significant amount of personal data about its users - username, email address, phone number, job information, Facebook profile information, computer/phone specs, IP address, and anything the user would create or upload.  It went from going with a "depends what you mean by 'sell'" mindset to then rewriting their privacy policy on March 29th, saying "we do not sell your personal data".  The problem here is that Zoom considers its home pages a "marketing website", meaning it is still using third-party trackers and surveillance-based advertising.  You know, the thing where you are talking about buying something one second and the next time you log on to Facebook you're seeing ads for it?

Then there was the sharing of data with Facebook and we all know Facebook has its own issues.  It was recently reported that Zoom's iPhone application was sending its user data to Facebook, even if the user didn't have a Facebook account.  Zoom's excuse was they use the Facebook SDK in order to provide their users with a convenient way to access the platform.  So Facebook would get notified when a user opened the app, what kind of device they were using, the city and time zone they were in, the phone carrier, and a unique ID created by the user's device, which companies are able to use to target users with advertisements.

Got all that?

I'm struggling to keep this on the shorter side, too. 

So let's talk about what we can do.  Just this last week, Zoom implemented a feature freeze so they can focus on their current security issues.  They say they are committed to fixing their issues, though I have a feeling this isn't the last we are going to hear. 

Starting simple, make sure your systems are patched and updated.  Use the waiting room feature, use random meeting IDs and set meeting passwords.  Prevent screen sharing during the call, only allowing the host to control these features.  Disable your video by default and turn it on only when you want it.  Use a camera cover just in case another bug pops up that automatically turns video on. 

I know a lot of us are using it to stay connected during this time.  I can't, in good faith, recommend people not to use it; it is doing great things for people who live far away from friends and family, and I appreciate the connection that it provides.  I just say be careful.  Understand the potential downfalls of it, secure the settings you're able to secure, and be cognizant of the things you say when you are on a Zoom call or conference.  

Originally posted at http://www.allymarie.net/the-truth-about-zoom/


