Cisco has fixed three bugs in its Cisco Webex video conferencing offering that may allow attackers to:
- Join Webex meetings without appearing in the participant list (CVE-2020-3419)
- Covertly maintain an audio connection to a Webex meeting after being expelled from it (CVE-2020-3471)
- Gain access to information (name, email, IP address, device info) on meeting attendees without being admitted to the meeting (CVE-2020-3441)
About the Cisco Webex vulnerabilities
The three flaws were discovered by IBM researchers, after the company’s research department and the Office of the CISO decided to analyze their primary tool for remote meetings (i.e., Cisco Webex).
“These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants,” the researchers shared.
“These flaws affect both scheduled meetings with unique meeting URLs and Webex Personal Rooms. Personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner’s name and organization name. These technical vulnerabilities could be further exploited with a combination of social engineering, open source intelligence (OSINT) and cognitive overloading techniques.”
The vulnerabilities can all be exploited by unauthenticated, remote attackers, either by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site or by browsing the Webex roster.
More details about the possible attacks are available in this blog post, though details about the flaws will be limited until more users are able to implement the provided updates/patches.
Patches and security updates
The bugs affect both Cisco Webex Meetings sites (cloud-based) and Cisco Webex Meetings Server (on-premises).
Cisco addressed them in Cisco Webex Meetings sites a few days ago and no user action is required.
Users of Cisco Webex Meetings Server are advised to upgrade to 3.0MR3 Security Patch 5 or 4.0MR3 Security Patch 4, which contain the needed fixes.
CVE-2020-3419 also affects all Cisco Webex Meetings app releases 40.10.9 and earlier for iOS and Android, so users are urged to implement the provided updates.
Zoom Video Communications, the maker of the popular Zoom video conferencing solution, has agreed to settle allegations made by the US Federal Trade Commission (FTC) that it “engaged in a series of deceptive and unfair practices that undermined the security of its users.”
The settlement requires Zoom to – among other things – establish and implement a comprehensive security program and to not engage in further privacy and security misrepresentations.
The conditions put forth by the settlement
The FTC complaint said that:
- Since at least 2016, the company misled users by touting that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security, i.e., it encrypted communications but stored the encryption keys on its servers
- The company misled users by saying that recorded meetings that were stored on the company’s cloud storage were encrypted immediately after the meeting ended, which was untrue in some cases
- In July 2018, the company compromised the security of some users when it secretly installed a hidden web server on Macs that helped with frictionless installation of the Zoom application
The settlement does not oblige Zoom to admit fault or pay a fine, but obligates it to:
- Refrain from misrepresenting privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information
- Implement a comprehensive information security program and obtain biennial assessments of its security program by an independent third party and notify the FTC if it experiences a data breach
- Implement a vulnerability management program
- Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks
- Deploy safeguards such as MFA to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials
- Review any software updates for security flaws and ensure the updates will not hamper third-party security features
Two of the FTC commissioners disagreed with the settlement
FTC commissioner Rohit Chopra pointed out that it provides no help for affected users, does nothing for small businesses that relied on Zoom’s data protection claims, and does not require Zoom to pay a fine. He also argued that Zoom’s misrepresentation of its security practices allowed it to steal users from competing players in the video conferencing market and to “cash in” on the pandemic.
“Zoom stands ready to emerge as a tech titan. But we should all be questioning whether Zoom and other tech titans expanded their empires through deception,” he added.
FTC Commissioner Rebecca Kelly Slaughter also stressed that many Zoom customers were left stranded.
“Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false. This failure of the proposed settlement does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case,” she said.
She also noted that Zoom should have been ordered to regularly “engage in a review of the risks to consumer privacy presented by its products and services, to implement procedures to routinely review such risks, and to build in privacy-risk mitigation before implementing any new or modified product, service, or practice.”
It remains to be seen if Zoom will fulfill and continue to fulfill the conditions of the settlement. Each violation of an FTC order may result in a civil penalty of up to $43,280, which is a negligible sum for a company that’s worth $35 billion.
UPDATE (November 10, 2020, 4:10 a.m. PT):
“The security of our users is a top priority for Zoom. We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs,” a Zoom spokesperson told Help Net Security.
“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”
Starting next week, Zoom users – both those who are on one of the paid plans and those who use it for free – will be able to try out the solution’s new end-to-end encryption (E2EE) option.
In this first rollout phase, all meeting participants:
- Must join from the Zoom desktop client, mobile app, or Zoom Rooms
- Must enable the E2EE option at the account level and then for each meeting they want to use E2EE for
How does Zoom E2EE work?
“Zoom’s E2EE uses the same powerful GCM encryption you get now in a Zoom meeting. The only difference is where those encryption keys live,” the company explained.
“In typical meetings, Zoom’s cloud generates encryption keys and distributes them to meeting participants using Zoom apps as they join. With Zoom’s E2EE, the meeting’s host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants. Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents.”
The option will be available as a technical preview and will work for meetings with up to 200 participants. To join such a meeting, every participant must have the E2EE setting enabled.
For the moment, though, enabling E2EE for a meeting means giving up on certain features: “join before host”, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions.
“Participants will also see the meeting leader’s security code that they can use to verify the secure connection. The host can read this code out loud, and all participants can check that their clients display the same code,” the company added.
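The model described above (host-generated meeting key, public-key distribution, a relay that never sees the key, and a security code all participants compare), as an added Go example that is not Zoom’s code or its published design: X25519 agreement between the host and each attendee, AES-256-GCM wrapping of the meeting key, and a hash-derived code. All names, the SHA-256 derivation standing in for HKDF, and the code format are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// Participant is one client holding an X25519 key pair (assumed model).
type Participant struct{ priv *ecdh.PrivateKey }

func NewParticipant() (*Participant, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Participant{priv: priv}, nil
}

func (p *Participant) PublicKey() *ecdh.PublicKey { return p.priv.PublicKey() }

// WrappedKey is all the relay ever carries: the meeting key sealed to one attendee.
type WrappedKey struct {
	HostPub    []byte
	Nonce      []byte
	Ciphertext []byte
}

// pairAEAD runs the X25519 agreement and derives the per-attendee AES-256-GCM
// wrapping key. Simplification: SHA-256 over secret and both public keys stands in for HKDF.
func pairAEAD(own *ecdh.PrivateKey, peer *ecdh.PublicKey, hostPub, attendeePub []byte) (cipher.AEAD, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("meeting-key-wrap"))
	h.Write(shared)
	h.Write(hostPub)
	h.Write(attendeePub)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// HostDistribute: the host generates a fresh 256-bit meeting key and wraps it once per attendee.
func HostDistribute(host *Participant, attendees []*Participant) ([]byte, []WrappedKey, error) {
	meetingKey := make([]byte, 32)
	if _, err := rand.Read(meetingKey); err != nil {
		return nil, nil, err
	}
	hostPub := host.PublicKey().Bytes()
	var msgs []WrappedKey
	for _, a := range attendees { // only each attendee's public key is used
		gcm, err := pairAEAD(host.priv, a.PublicKey(), hostPub, a.PublicKey().Bytes())
		if err != nil {
			return nil, nil, err
		}
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, nil, err
		}
		msgs = append(msgs, WrappedKey{HostPub: hostPub, Nonce: nonce,
			Ciphertext: gcm.Seal(nil, nonce, meetingKey, nil)})
	}
	return meetingKey, msgs, nil
}

// Unwrap recovers the meeting key; a relay, another attendee, or a tampered copy yields an error.
func (p *Participant) Unwrap(w WrappedKey) ([]byte, error) {
	hostPub, err := ecdh.X25519().NewPublicKey(w.HostPub)
	if err != nil {
		return nil, err
	}
	gcm, err := pairAEAD(p.priv, hostPub, w.HostPub, p.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, w.Nonce, w.Ciphertext, nil)
}

// SecurityCode is the digit string the host reads aloud. It commits to the host's public
// key and the meeting key, so a relay substituting either changes the code attendees see.
func SecurityCode(hostPub, meetingKey []byte) string {
	h := sha256.Sum256(append(append([]byte("security-code"), hostPub...), meetingKey...))
	groups := make([]string, 6)
	for i := range groups {
		groups[i] = fmt.Sprintf("%05d", binary.BigEndian.Uint32(h[i*4:])%100000)
	}
	return strings.Join(groups, " ")
}
```

The relay in this model only forwards WrappedKey values; the test below checks that a party without the matching private key, or a tampered copy, cannot yield the meeting key.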
E2EE for everybody
In June 2020, Zoom CEO Eric Yuan announced the company’s intention to offer E2EE only to paying customers, but after a public outcry they decided to extend its benefits to customers with free accounts as well.
“Free/Basic users seeking access to E2EE will participate in a one-time verification process that will prompt the user for additional pieces of information, such as verifying a phone number via text message. Many leading companies perform similar steps to reduce the mass creation of abusive accounts,” the company reiterated with this latest announcement.
Video conferencing platform Zoom is finally offering all users the option to enable two-factor authentication (2FA) to secure their accounts against credential stuffing attacks and attacks leveraging phished login credentials.
How to enable Zoom 2FA on a Pro, Business, Education, or Enterprise account
Zoom gives the choice between two modes of delivery of the second authentication factor (a 6-digit code):
- Via a 2FA app that supports the Time-based One-Time Password (TOTP) protocol – e.g., Google Authenticator, Microsoft Authenticator, or FreeOTP
- Via SMS (text message)
Account owners/admins can enable the option at the account-level by:
1. Signing in to the Zoom Dashboard.
2. In the navigation menu, clicking Advanced, then Security.
3. Enabling the Sign in with Two-Factor Authentication option.
4. Specifying users to enable 2FA for:
- All users in the account
- Users with specific roles
- Users belonging to specific groups
5. Clicking Save.
Once that’s done, they can inform the users about the option and provide instructions on how to take advantage of it.
As it’s usual with these things, once users set up the option, they are also provided with backup codes to use in case they misplace their phone, uninstall their 2FA app or remove Zoom from the 2FA app by mistake. If they lose those, there’s always the option to ask their admin to reset their 2FA setup.
How to enable Zoom 2FA on a (free) Basic account
Users who have opted for a Basic account can set up 2FA by:
- Signing in to their account via the Zoom web portal
- In the navigation menu, clicking Profile, then enabling Two-Factor Authentication by clicking Turn on
- Entering their password into the pop-up box
- Opting for one of the two delivery options (authenticator app or SMS) and setting it up.
Once they’ve set up 2FA, they can make changes in the same place (the Profile tab).
Zoom and security
Since its popularity and user base skyrocketed in the wake of the Covid-19 pandemic, Zoom has been working on fixing many security and privacy issues.
More recently, Zoom Video Communications announced that it is working on providing end-to-end encryption (E2EE) to both paying Zoom customers and those with free (Basic) accounts.
54 percent of Americans have opted for virtual visits during pandemic, a CynergisTek survey reveals. Of those, more than 70 percent of respondents plan to continue to use telemedicine post-pandemic.
However, healthcare providers should note that privacy and protection of sensitive health data was a major concern for telemedicine users and breaches could prompt patients to switch doctors.
“The rapid growth of telehealth has accelerated to a level we wouldn’t have expected to see over a 10-year timeframe,” said Caleb Barlow, president and CEO of CynergisTek.
“However, major vulnerabilities are emerging around privacy and security standards for video conferencing and messaging apps when used for telehealth (such as consumer technologies like Zoom), which can be easily infiltrated – providing hackers with additional opportunities to breach highly-sensitive information.”
Delaying in-person visits, spurring rise of telehealth
During the pandemic, 56 percent of Americans have considered postponing non-emergency medical appointments until the COVID-19 pandemic ends. When put in a hypothetical situation where they would need medical care during the pandemic, the types of appointments Americans are postponing include:
- Vaccines: 25 percent of Americans would postpone annual vaccines such as a flu shot until the pandemic was resolved.
- Annual physicals: Nearly 40 percent are considering postponing physical exams for adults and child wellness exams.
- Dental and vision exams: 45 percent of consumers said they would postpone their dental/orthodontics check-up amid the COVID-19 pandemic, followed by 43 percent postponing an eye exam.
- Elective cosmetic procedures: More than 40 percent report considering putting off elective cosmetic services and surgeries (i.e. Botox, breast augmentation, etc).
- Elective surgery: 35 percent report considering pushing out surgeries like hip and knee replacements until after the pandemic.
As Americans weigh their comfort level on what medical services require in-person visits with a physician or healthcare provider, telehealth options have skyrocketed as a popular alternative, providing convenience and access at a time when many are canceling appointments out of an abundance of caution.
According to the survey, while 39 percent of Americans opted for in-person visits, more than 54 percent of respondents opted for telehealth options with phone consultations and video visits being the two most popular. When examining consumers’ willingness to using telehealth post COVID-19, the survey found:
- Of those who have used telehealth options during the COVID-19 pandemic, 73 percent report they will continue virtual visits after the pandemic passes.
- 79 percent of male respondents who have used a telehealth solution during the COVID-19 pandemic will continue using them post-COVID, compared to 67 percent of females.
- Millennials are statistically more likely than any other generation to continue using telehealth options after the pandemic has passed (81 percent), followed by Gen X (79 percent).
- In a hypothetical situation where they needed medical care, 25 percent of Americans would not consider using a telehealth solution for any of the appointments or procedures types presented – this number is significantly higher among Baby Boomers (41 percent) and the Silent Generation (59 percent).
Embracing telehealth and balancing security needs to protect patients
While urgent visits require in-person consultation, Americans are looking to telehealth to fill in the gap for more routine types of care.
In a hypothetical situation where they’d need medical care or advice, nearly 30 percent of respondents would also look to telehealth for chronic care check-ups (29 percent) or annual physical and children’s wellness exams (27 percent).
While patients are embracing telehealth, providers must prioritize security when rolling out phone and virtual services or else they risk potential breaches of sensitive patient data.
A recent report found an increase in nefarious attacks targeting video conferencing tools like Zoom, reinforcing the need for healthcare providers to reassess their security posture and fortify their defenses to reflect this new reality, or risk losing their patients’ trust and business.
48 percent of respondents said they would be unlikely to use telehealth solutions again if their personal health data was hacked due to a telemedicine-related breach.
- Women are less likely than men to use telehealth solutions again if their health information was involved in a telemedicine-related breach (54 percent of women vs. 41 percent of men would be unlikely to return).
- Baby Boomers and the Silent Generation are the two groups most unlikely to return to telehealth solutions if their data was involved in a telehealth-related breach (62 and 65 percent respectively).
“We find ourselves in a very unique scenario, where consumers had to almost accept telehealth overnight,” said Russ Branzell, CEO of the College of Healthcare Information Management Executives.
“The progress has been amazing to see in creating easier access to care while reducing the burden on both providers and patients. However, we must remain vigilant in our efforts to protect and secure telehealth and other digital health technologies.
“With the opportunities of digital health also come inherent security risks – but digital health’s risks are manageable. It is important for healthcare providers to take data privacy and security seriously in order to ensure that digital health platforms like telehealth remain an essential part of the future of patient care.”
“We appreciate that this is a new development and healthcare providers are balancing all the new demands the pandemic has created,” said David Finn, Executive Vice President of Strategic Innovation of CynergisTek.
“However, the first step is to assess how the data is encrypted and who is authorized to access this data. From there, IT teams should work closely with leadership to fill in the security gaps on telehealth solutions that protect patients while also providing the convenience.”
Among those surveyed, the percentage working from home had abruptly jumped from 28 percent prior to the pandemic to 71 percent during the outbreak. The survey included more than 200 IT executives in the U.S. across various industries.
Manage remote work: High productivity, effectiveness and morale
IT professionals identified many challenges in their response to COVID-19, but felt that their productivity, effectiveness and morale remained high. Eighty-four percent of respondents believed that the “survival” of their companies depended on “providing a stable work environment” during and after the pandemic.
Seventy-eight percent said that technical support requests had also increased. Even so, 49 percent indicated that their volume of work “stayed the same” with another 32 percent noting that it was “higher than usual.”
Most IT professionals surveyed believe they were “very effective” (57 percent) or “somewhat effective” (40 percent) at solving urgent problems that arose during the pandemic. Only 3 percent believed their response was “not effective.”
Seventy-nine percent said it took up to 3 weeks to establish a stable work environment, but only 41 percent were confident they had sufficient VPN capacity.
Video conferencing as the most effective tool
As part of the initial “work from home” response, video conferencing topped the list as the most effective tool (66 percent), followed by cloud storage (59 percent), device management (49 percent) and collaboration (47 percent), according to respondents.
“Businesses capably managed the rapid transition to remote work in response to the COVID-19 pandemic,” said Gautam Goswami, CMO at TeamViewer. “But it’s critical that IT professionals remain focused on strengthening their infrastructure to guarantee business continuity by putting a range of secure remote connectivity solutions in place.”
“Work from home” concerns
Respondents also identified other concerns as they continue to manage through the pandemic’s extended “work from home” arrangements.
- Planning for a new normal: On average, IT executives expect that it will take more than seven months to return to “business as usual.” As businesses fortify their infrastructure, 85 percent “agree” or “strongly agree” that their organization will be prepared to manage a future coronavirus outbreak.
- Security is a top priority: Security remains a top priority for 57 percent of the IT executives surveyed, particularly in response to employees using their own devices and moving from private company networks to the public internet with more access points and increased vulnerabilities.
- Remote work will continue to trend: Eighty percent of IT leaders say they expect more employees to permanently work remotely, but only 38 percent are sure they have the training needed to handle the rise in remote work.
- Budget increases: Sixty-nine percent of organizations channelled new funds to IT in the wake of the pandemic, and 80 percent say they expect to need additional budget during the next year.
Video conference users should not post screen images of Zoom and other video conference sessions on social media, according to Ben-Gurion University of the Negev researchers, who easily identified people from public screenshots of video meetings on Zoom, Microsoft Teams and Google Meet.
Zoom image collage with detected information, along with extracted features of gender, age, face, and username
With the worldwide pandemic, millions of people of all ages have replaced face-to-face contact with video conferencing platforms to collaborate, educate and celebrate with co-workers, family and friends. In April 2020, nearly 500 million people were using these online systems. While there have been many privacy issues associated with video conferencing, the BGU researchers looked at what types of information they could extract from video collage images that were posted online or via social media.
“The findings in our paper indicate that it is relatively easy to collect thousands of publicly available images of video conference meetings and extract personal information about the participants, including their face images, age, gender, and full names,” says Dr. Michael Fire, BGU Department of Software and Information Systems Engineering (SISE). “This type of extracted data can vastly and easily jeopardize people’s security and privacy, affecting adults as well as young children and the elderly.”
The researchers report that it is possible to extract private information from collage images of meeting participants posted on Instagram and Twitter. They used image-processing and text-recognition tools as well as social network analysis to explore a dataset of more than 15,700 collage images and more than 142,000 face images of meeting participants.
Artificial intelligence-based image-processing algorithms helped identify the same individual’s participation at different meetings by simply using either face recognition or other extracted user features like the image background.
The researchers were able to spot faces 80% of the time as well as detect gender and estimate age. Free web-based text recognition libraries allowed the BGU researchers to correctly determine nearly two-thirds of usernames from screenshots.
The researchers identified 1,153 people who likely appeared in more than one meeting, as well as networks of Zoom users in which all the participants were coworkers. “This proves that the privacy and security of individuals and companies are at risk from data exposed on video conference meetings,” according to the research team, which also includes BGU SISE researchers Dima Kagan and Dr. Galit Fuhrmann Alpert.
Cross-referencing facial image data with social network data may cause greater privacy risk as it is possible to identify a user that appears in several video conference meetings and maliciously aggregate different information sources about the targeted individual.
Data extraction process
The research team offers a number of recommendations to prevent privacy and security intrusions. These include not posting video conference images or videos online; using generic pseudonyms like “iZoom” or “iPhone” rather than a unique username or real name; and using a virtual background rather than a real one, since a real background can help fingerprint a user account across several meetings.
Additionally, the team advises video conferencing operators to augment their platforms with a privacy mode such as filters or Gaussian noise to an image, which can disrupt facial recognition while keeping the face still recognizable.
“Since organizations are relying on video conferencing to enable their employees to work from home and conduct meetings, they need to better educate and monitor a new set of security and privacy threats,” Fire says. “Parents and children of the elderly also need to be vigilant, as video conferencing is no different than other online activity.”
Zoom Video Communications has decided to extend the benefits of end-to-end encryption (E2EE) not only to paying Zoom customers, but to those who create free accounts, as well.
The decision was reached after much public outcry by privacy-minded users and privacy advocates. As famed cryptographer and privacy specialist Bruce Schneier noted, “we are learning – in so many areas – the power of continued public pressure to change corporate behavior.”
Zoom does an about-face on E2EE
Zoom CEO Eric Yuan announced their decision to bring E2EE to paid users only in early June. He explained that they want to be able to help law enforcement in investigations and that people who use Zoom to disrupt online meetings and to engage in criminal acts and facilitate horrible abuse generally use free (quasi-anonymous) accounts.
In the meantime, though, they’ve found a solution that will allow them to offer E2EE as an advanced add-on feature for all users while maintaining the ability to prevent and fight abuse.
“To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message,” Yuan explained this Wednesday.
“Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.”
E2EE for everyone
The decision was welcomed by the Electronic Frontier Foundation, though they pointed out that phone numbers were never designed to be persistent all-purpose individual identifiers, and using them as such creates new risks for users.
“In different contexts, Signal, Facebook, and Twitter have all encountered disclosure and abuse problems with user phone numbers. At the very least, the phone numbers that users give Zoom should be used only for authentication, and only by Zoom. Zoom should not use these phone numbers for any other purpose, and should never require users to reveal them to other parties,” they noted.
An early beta of the E2EE feature is scheduled to be introduced by Zoom in July 2020. The feature will be optional because it limits some meeting functionality, and account administrators will be able to switch it on or off at the account and group level.
“Companies have a prerogative to charge more money for an advanced product, but best-practice privacy and security features should not be restricted to users who can afford to pay a premium,” they added.
The EFF has called on other companies that provide communication tools to provide E2EE encryption to both users who pay for their services and those who don’t.
As Zoom continues on its path to bring end-to-end encryption (E2EE) to users, the big news is that only paid users will have access to the option.
“Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Zoom CEO Eric Yuan said on a company earnings call on Tuesday.
Zoom encryption and end-to-end encryption
- All users – whether using free or paid accounts – now have the option of using AES 256-bit GCM encryption for their Zoom meetings and webinars. To take advantage of it, they have to upgrade their Zoom client (mobile or desktop app) to v5.0 or later
- The company has released a draft design of their end-to-end encryption capability on GitHub and is hosting discussions with cryptographic experts, nonprofits, advocacy groups, customers, and others to solicit feedback for the final design.
- The company plans to add multi-factor authentication options for free and Pro users in the future (near or far, they didn’t specify).
“Our top priority is to focus on building effective end-to-end encryption for our meeting product first, where it will be most useful. We are considering end-to-end encryption options for Zoom Chat, Zoom Phone, and Zoom Video Webinars down the road,” the company stated.
E2EE just for those who pay for an account
With ordinary (server-side) encryption, the service provider holds the encryption keys and can therefore decrypt communications if law enforcement demands it. With E2EE, the encryption keys are created on, and remain on, the devices of the people involved in the communication.
Yuan’s explanation of why end-to-end encryption would not be available to free accounts has been fleshed out by Alex Stamos, former Facebook CISO and current adjunct professor at Stanford University’s Center for International Security and Cooperation, who’s now also a security and privacy adviser to Zoom.
Some facts on Zoom’s current plans for E2E encryption, which are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues.
The E2E design is available here: https://t.co/beLdeAwMSM
— Alex Stamos (@alexstamos) June 3, 2020
In short, Zoom’s decision is motivated by the need to find a way to deal, in conjunction with law enforcement, with people who disrupt meetings (often repeat offenders).
“The other safety issue is related to hosts creating meetings that are meant to facilitate really horrible abuse. These hosts mostly come in from VPNs, using throwaway email addresses, create self-service orgs and host a handful of meetings before creating a new identity,” Stamos explained.
He concedes that not offering E2EE to free tier users will not eliminate all abuse, but that “since the vast majority of harm comes from self-service users with fake identities this will create friction and reduce harm.”
Privacy and digital rights advocates have argued that this decision will also ultimately hurt vulnerable groups such as activists, journalists, nonprofits, domestic violence victims – groups that desperately need E2EE but might not have the resources to splurge for a paid plan.
Zoom’s decision comes at a time when a new piece of legislation (the EARN IT Act) is being pushed through the US Congress that is expected to ultimately force/incentivize tech and internet companies to abandon plans to offer end-to-end encryption to users.
Phishers are using fake Microsoft Teams notification emails to trick users into sharing their Microsoft Teams and Office 365 login credentials.
“Should the recipient fall victim to this attack, this user’s credentials would be compromised. Additionally, since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user’s Microsoft credentials via single-sign on,” Abnormal Security warns.
The email phishing campaigns
The company has spotted two slightly different campaigns, both consisting of fake Microsoft Teams notification emails.
“Given the current situation, people have become accustomed to notifications and invitations from collaboration software providers. Because of this, recipients might not look further to investigate the message,” they noted.
The imagery in the emails is copied from actual Microsoft Teams notifications and emails, and the phishing pages to which the emails direct potential victims look identical to the legitimate Microsoft Office 365 and Microsoft Teams login pages.
Those lucky enough to notice that the pages’ URLs have nothing to do with Microsoft Teams or Office might think twice about providing their login credentials.
A massive user base makes for a great target
In March 2020, Microsoft Teams had hit 44 million daily users. In April 2020, during the company’s earnings conference call, Microsoft CEO Satya Nadella said that the number has surpassed 75 million, fueled by companies’ need to keep in (video) touch with their employees who are working from home due to the COVID-19 pandemic.
Just as criminals go where the money is, phishers go where the majority of users are – and a user base of 75+ million active users is a very big pond for them to go phishing in.
Google Cloud today announced it’s making Google Meet, Google’s premium video-conferencing solution, free for everyone with availability rolling out over the coming weeks.
Starting in early May, anyone with an email address can sign up for Meet and enjoy many of the same features available to G Suite’s business and education users, such as simple scheduling and screen sharing, real-time captions, and layouts that adapt to your preference, including the expanded tiled view.
“With the lines blurred between work and home, Google Meet can offer the polish needed for a work meeting, a tiled view for your online birthday party and the security needed for a video call with your doctor,” said Javier Soltero, VP of G Suite. “We’re in the middle of a significant worldwide shift impacting communication from the workplace to schools to the home. People want familiar, secure tools that they can use across all facets of their lives.”
Google has invested years in making Meet a secure and reliable video conferencing solution that’s trusted by schools, governments and enterprises around the world, and in recent months has accelerated the release of top-requested features to make it even more helpful.
Whether it’s hospitals supporting patients via telehealth, banks working with loan applicants, retailers assisting customers remotely, or manufacturers interacting safely with warehouse technicians, businesses across every industry are using Meet to stay connected.
Google Meet: Built on a secure foundation
Meet is designed, built and operated to be secure at scale. Meet is hosting 3 billion minutes of video meetings and adding roughly 3 million new users every day. And as of last week, Meet’s daily meeting participants surpassed 100 million.
Privacy and security are paramount, no matter if it’s a doctor sharing confidential health information with a patient, a financial advisor hosting a client meeting, or people virtually connecting with each other for graduations, holidays, and happy hours.
Google’s approach to security is simple: make products safe by default. Meet was designed to operate on a secure foundation, providing the protections needed to keep users safe, their data secure, and their information private.
Here are just a few of the default-on safety measures:
- A strong set of host controls such as the ability to admit or deny entry to a meeting, and mute or remove participants, if needed.
- Anonymous users are not allowed to join meetings created by individual accounts.
- Meet meeting codes are complex by default and therefore resilient to brute-force “guessing.”
- Meet video meetings are encrypted in transit, and all recordings stored in Google Drive are encrypted in transit and at rest.
- The service does not require plugins to use Meet on the web. It works entirely in Chrome and other modern browsers, so it’s less vulnerable to security threats.
- Meet users can enroll their account in Google’s Advanced Protection Program.
- Google Cloud undergoes regular rigorous security and privacy audits for all its services.
- Your Meet data is not used for advertising, and Google doesn’t sell your data to third parties.
- Google operates a highly secure and resilient private network that encircles the globe and connects their data centers to each other—ensuring that your data stays safe.
To help individuals and organizations choose video call apps that suit their needs and their risk appetite, Mozilla has released a new “Privacy Not Included” report that focuses on video call apps.
The report includes the following popular offerings:
- Zoom’s Zoom app
- Google’s Duo, Hangouts, and Meet
- Apple’s FaceTime
- Microsoft’s Skype and Teams
- Facebook’s Messenger, Messenger Kids, and WhatsApp
- Epic Games’ Houseparty
- Discord’s Discord app
- 8x8’s Jitsi Meet
- Signal Technology Foundation’s Signal
- Verizon’s BlueJeans
- LogMeIn’s GoToMeeting
- Cisco’s WebEx
- Doxy.me’s Doxy.me telemedicine app
The report is based on Mozilla’s researchers reviewing each app’s privacy policy and specifications, the user controls it offers, and similar criteria.
Each app is given an overall security rating, based on five things:
- Whether it uses encryption (and what kind of encryption)
- Whether it requires the use of strong passwords
- Whether it provides automatic security updates
- Whether the developers manage security vulnerabilities using tools like bug bounty programs and clear points of contact for reporting vulnerabilities.
Three of the evaluated apps have failed to meet Mozilla’s Minimum Security Standards, but that doesn’t mean that they should not be used. Different users have different needs and wants, and that includes those related to security and privacy.
Mozilla noted that many of the apps provide admirable privacy and security features and that all apps use some form of encryption (though not all encryption is end-to-end). Still, some apps – like Doxy.me – offer inadequate protection, especially when you consider the extremely sensitive health information that is usually shared through it.
Making a choice
Consumers and organizations should review Mozilla’s findings and decide for themselves which solution is right for them. I would also advise checking similar research reports and mentions, which may include additional offerings and point out other qualities that one may search for in a solution (e.g., whether it supports self-hosting) or traits one may avoid.
Mozilla’s researchers also pointed out that different apps have very different sets of video chat features, making some more fitting for enterprise use and others a more natural choice for consumers. Business users who want a fuller set of features and a higher level of security and have money to pay should look to business-focused apps, they noted.
Ashley Boyd, Mozilla’s Vice President, Advocacy, pointed out that, with a record number of people using video call apps to conduct business, teach classes, and catch up with friends, it’s more important than ever that this technology be trustworthy.
We have witnessed how Zoom moved to quickly patch security flaws reported by researchers and how the addition of new, helpful features has been copied by competitors (e.g., Zoom and Google Hangouts offered one-click links to get into meetings, and Skype recently followed suit).
“The good news is that the boom in usage has put pressure on these companies to improve their privacy and security for all users, which should be a wake-up call for the rest of the tech industry,” Boyd concluded.
Phishing emails impersonating Zoom and WebEx
“Video conferencing has become very popular very quickly. Attackers have noticed and moved to capitalize on that popularity and brand strength,” noted Sherrod DeGrippo, Senior Director of Threat Research at Proofpoint.
“Not only are attackers using video conferencing brands as a lure for malware, but they’re using it for credential phishing, in particular to steal Zoom and WebEx credentials.”
Some of the lures are not particularly original, but will surely fool some of the targets. For example, an email that welcomes users to their new Zoom account and requests them to activate their account, or an email that claims that the user has missed a scheduled Zoom conference meeting (see above).
In both cases, the attackers are after account credentials, either for Zoom or for the target’s email account.
The fake emails purportedly coming from Cisco are a mishmash of unconnected visual elements and subject lines that command attention (e.g., “Critical Update!” or “Alert!”):
Many targets will spot the malicious nature of the email almost immediately, as it warns about an old vulnerability in a piece of software that has nothing to do with Cisco WebEx (apart from the fact that both are developed by Cisco). But there are always some recipients who panic or are inattentive enough at the moment of perusal and will end up entering their login credentials.
The value of compromised video conferencing accounts is obvious. “Stolen account credentials could be used to login to corporate video conferencing accounts and violate confidentiality. They also could likely be sold on the black market or used to gain further information about potential targets for launching additional attacks,” DeGrippo noted.
Malware delivery campaign
The researchers have also spotted an email malware delivery campaign that does not impersonate the aforementioned developers of video conferencing solutions, but does exploit their widespread use.
The emails are made to look like they are coming from a potential client who asked for a quote, say that the sender is available for a call via Zoom, and carry a booby-trapped Excel file as an attachment, supposedly containing the sender’s schedule.
To view the contents, the recipient is asked to enable macros. If they do, the macros execute a script that, unbeknownst to the victim, installs a legitimate remote control application, which the attackers then use to access files and information on the compromised system.
Users are warned to be on the lookout for these and similar lures, and to keep in mind that phishers love nothing more than (ab)using popular brands as social engineering lures. These specific campaigns were directed at employees in US companies in the technology, accounting, aerospace, energy, healthcare, telecommunications, transportation, government, and manufacturing sectors.
While Zoom Video Communications is trying to change the public’s rightful perception that, at least until a few weeks ago, Zoom security and privacy were low on their list of priorities, some users are already abandoning the ship.
Working on the security and privacy issues
The company initially concentrated their efforts on breaking into the enterprise market and, I believe, Zoom’s recent popularity explosion took even them by surprise.
While they are trying to quickly scale their offering to meet the rising demand, the fact that they’ve concentrated their efforts on usability and made unsavoury trade-offs that affect the product’s security and users’ privacy is coming back to bite them.
To their credit, the company and its CEO threw themselves into full and meaningful crisis management, announcing a temporary moratorium on new features and a shift of all their engineering resources to focus on trust, safety, and privacy issues.
They also quickly fixed most of the issues discovered by users and security researchers and exploited by attackers, announced concrete measures, added more to the list, and continue to add more still.
For example, they say that they are working on implementing more privacy-friendly encryption and that, later this week, every paid Zoom customer will have the option to opt in or out of a specific data center region (except the default), in order to prevent the unneeded (and questionable) routing of their meeting traffic through servers in China.
The company is also working with Luta Security, a consultancy founded and headed by vulnerability disclosure / bug bounty program pioneer Katie Moussouris, on reexamining their bug bounty program.
Some users are done with Zoom
In the meantime, several governments and prominent companies (Tesla, Google) have prohibited staff and employees from using Zoom for work.
According to Blind, who polled 4,392 professionals from various big US companies, 12% of professionals have completely stopped using Zoom due to security issues, and 9% are using Zoom less.
Another thing that can end up pushing some consumers off the Zoom wagon is the fact that criminals are actively phishing for Zoom user credentials and compromising them via credential stuffing attacks, then selling the accounts on hacker forums.
Finally, the fact that Zoom now presents a big target for hackers who are aiming to sell bugs they discover to the highest bidder might cool many a user’s love for the popular video conferencing solution.
Though some claim that this forced “work from home” situation has shown that many of the discussions that previously required office meetings can actually be expedited simply by exchanging a few emails, there’s no doubt that, for some tasks, face-to-face meetings – even if over the internet – are a must.
Which video conferencing solution should teams (organizations) use, and which consumers?
Zoom Video Communications, the creators of the Zoom remote conferencing service, have benefited the most from this sudden surge of demand for video conferencing solutions. The number of Zoom users has exploded and the name became a synonym of face-to-face online chatting seemingly overnight.
Though the sudden popularity shone a harsh light on the solution’s many privacy and security issues, the company recently pledged to do better and outlined their plan. The most recent developments of that plan include the official formation of a CISO Council and Advisory Board and welcoming former Facebook CSO Alex Stamos as an outside advisor.
Nevertheless, the jury is still out on whether or not the service is secure enough for enterprise use (i.e., use where confidentiality is paramount). In fact, many say it’s not, particularly after Citizen Lab researchers revealed that “Zoom uses non-industry-standard encryption for securing meetings, and that there are discrepancies between security claims in Zoom documentation and how the platform actually works.”
For all of those reasons, Google has banned Zoom from corporate computers, though employees can continue to use it through a web browser or via mobile.
The feature was introduced late last year, but is now being touted as the perfect videoconferencing solution for consumers, who don’t have to have a Skype account or download an application to use it. They can simply create a link and send it to friends and family as an invitation to participate in the video call. The participants open the link in Microsoft Edge or Google Chrome, and they are “in” the call.
Microsoft Teams, the company’s unified communication and collaboration platform aimed at enterprise users, offers video conferencing inside the client software.
“Google Meet’s security controls are turned on by default, so that in most cases, organizations and users won’t have to do a thing to ensure the right protections are in place,” the company noted.
The solution employs anti-hijacking measures for both web meetings and dial-ins and makes it difficult to brute force meeting IDs (a problem Zoom has).
“We limit the ability of external participants to join a meeting more than 15 minutes in advance, reducing the window in which a brute force attack can even be attempted. External participants cannot join meetings unless they’re on the calendar invite or have been invited by in-domain participants. Otherwise, they must request to join the meeting, and their request must be accepted by a member of the host organization,” the company added.
Several new features make it impossible for participants to remove or mute meeting creators or allow external (not officially invited) participants to join via video.
Additional security advantages of using Google Meet include:
- It works with Google accounts (which can be secured with 2FA)
- All data is encrypted in transit by default. “For every person and for every meeting, Meet generates a unique encryption key, which only lives as long as the meeting, is never stored to disk, and is transmitted in an encrypted and secured RPC (remote procedure call) during the meeting setup,” Google says.
- A secure-by-design infrastructure
- Compliance controls, and more
There are other options
The solutions outlined here are not the only options for one-on-one video conferencing or video conferencing for teams, just those most widely used at the moment. There’s also GoToMeeting, Adobe Connect, Jitsi Meet (an open source solution), Samepage, TeamViewer, join.me, and many others.
We are, by no means, advising for the use of one solution instead of another. It’s on users and enterprises to evaluate which solution is right for them based on their requirements and risk model/appetite.