Cisco Webex vulnerabilities may enable attackers to covertly join meetings


Cisco has fixed three bugs in its Cisco Webex video conferencing offering that may allow attackers to:

  • Join Webex meetings without appearing in the participant list (CVE-2020-3419)
  • Covertly maintain an audio connection to a Webex meeting after being expelled from it (CVE-2020-3471)
  • Gain access to information (name, email, IP address, device info) on meeting attendees without being admitted to the meeting (CVE-2020-3441)

About the Cisco Webex vulnerabilities

The three flaws were discovered by IBM researchers, after the company’s research department and the Office of the CISO decided to analyze their primary tool for remote meetings (i.e., Cisco Webex).

“These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants,” the researchers shared.

“These flaws affect both scheduled meetings with unique meeting URLs and Webex Personal Rooms. Personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner’s name and organization name. These technical vulnerabilities could be further exploited with a combination of social engineering, open source intelligence (OSINT) and cognitive overloading techniques.”

The vulnerabilities can all be exploited by unauthenticated, remote attackers, either by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site or by browsing the Webex roster.

More details about the possible attacks are available in this blog post, though details about the flaws will be limited until more users are able to implement the provided updates/patches.

Patches and security updates

The bugs affect both Cisco Webex Meetings sites (cloud-based) and Cisco Webex Meetings Server (on-premises).

Cisco addressed them in Cisco Webex Meetings sites a few days ago and no user action is required.

Users of Cisco Webex Meetings Server are advised to upgrade to 3.0MR3 Security Patch 5 or 4.0MR3 Security Patch 4, which contain the needed fixes.

CVE-2020-3419 also affects all Cisco Webex Meetings apps releases 40.10.9 and earlier for iOS and Android, so users are urged to implement the provided updates.

FTC orders Zoom to enhance security practices

Zoom Video Communications, the maker of the popular Zoom video conferencing solution, has agreed to settle allegations made by the US Federal Trade Commission (FTC) that it “engaged in a series of deceptive and unfair practices that undermined the security of its users.”


The settlement requires Zoom to – among other things – establish and implement a comprehensive security program and to not engage in further privacy and security misrepresentations.

The conditions put forth by the settlement

The FTC complaint said that:

  • Since at least 2016, the company misled users by touting that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security, i.e., it encrypted communications but stored the encryption keys on its servers
  • The company misled users by saying that recorded meetings that were stored on the company’s cloud storage were encrypted immediately after the meeting ended, which was untrue in some cases
  • In July 2018, the company compromised the security of some users when it secretly installed a hidden web server on Macs that helped with frictionless installation of the Zoom application

The settlement does not oblige Zoom to admit fault or pay a fine, but obligates it to:

  • Refrain from misrepresenting privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information
  • Implement a comprehensive information security program and obtain biennial assessments of its security program by an independent third party and notify the FTC if it experiences a data breach
  • Implement a vulnerability management program
  • Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks
  • Deploy safeguards such as MFA to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials
  • Review any software updates for security flaws and ensure the updates will not hamper third-party security features

Two of the FTC commissioners disagreed with the settlement

FTC commissioner Rohit Chopra pointed out that it provides no help for affected users, does nothing for small businesses that relied on Zoom’s data protection claims, and does not require Zoom to pay a fine. He also argued that Zoom’s misrepresentation of its security practices allowed it to steal users from competing players in the video conferencing market, and to “cash in” on the pandemic.

“Zoom stands ready to emerge as a tech titan. But we should all be questioning whether Zoom and other tech titans expanded their empires through deception,” he added.

FTC Commissioner Rebecca Kelly Slaughter also stressed that many Zoom customers were left stranded.

“Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false. This failure of the proposed settlement does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case,” she said.

She also noted that Zoom should have been ordered to regularly “engage in a review of the risks to consumer privacy presented by its products and services, to implement procedures to routinely review such risks, and to build in privacy-risk mitigation before implementing any new or modified product, service, or practice.”

It remains to be seen if Zoom will fulfill and continue to fulfill the conditions of the settlement. Each violation of an FTC order may result in a civil penalty of up to $43,280, which is a negligible sum for a company that’s worth $35 billion.

UPDATE (November 10, 2020, 4:10 a.m. PT):

“The security of our users is a top priority for Zoom. We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs,” a Zoom spokesperson told Help Net Security.

“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”

All Zoom users get end-to-end encryption (E2EE) option next week

Starting next week, Zoom users – both those who are on one of the paid plans and those who use it for free – will be able to try out the solution’s new end-to-end encryption (E2EE) option.

In this first rollout phase, all meeting participants:

  • Must join from the Zoom desktop client, mobile app, or Zoom Rooms
  • Must enable the E2EE option at the account level and then for each meeting they want to use E2EE for


How does Zoom E2EE work?

“Zoom’s E2EE uses the same powerful GCM encryption you get now in a Zoom meeting. The only difference is where those encryption keys live,” the company explained.

“In typical meetings, Zoom’s cloud generates encryption keys and distributes them to meeting participants using Zoom apps as they join. With Zoom’s E2EE, the meeting’s host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants. Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents.”

The option will be available as a technical preview and will work for meetings with up to 200 participants. In order to join such a meeting, every participant must have the E2EE setting enabled.

For the moment, though, enabling E2EE for a meeting means giving up on certain features: “join before host”, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions.

“Participants will also see the meeting leader’s security code that they can use to verify the secure connection. The host can read this code out loud, and all participants can check that their clients display the same code,” the company added.
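The key-distribution model described above (a host-generated meeting key, wrapped for each participant with public-key cryptography, a relay that only forwards bytes, and a security code that everyone compares) as an added Go example written for this page; it is an illustrative sketch, not Zoom’s own code or published design, and the X25519 key agreement, the AES-256-GCM wrapping and the security-code construction are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Participant owns an X25519 key pair; the private half never leaves the device.
type Participant struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewParticipant(name string) (*Participant, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Participant{Name: name, priv: priv}, nil
}

func (p *Participant) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// KeyEnvelope is all the relay ever sees: the meeting key wrapped for one recipient.
type KeyEnvelope struct {
	Recipient  string
	HostPub    []byte
	Nonce      []byte
	WrappedKey []byte
}

// pairwiseGCM turns the X25519 shared secret between own and peerPub into an
// AES-256-GCM instance. (A real design would run a proper KDF; SHA-256 keeps this short.)
func pairwiseGCM(own *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := own.ECDH(pub)
	if err != nil {
		return nil, err
	}
	wk := sha256.Sum256(shared)
	block, err := aes.NewCipher(wk[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapFor is run by the host: seal the meeting key for one participant, binding the
// recipient's name as associated data so an envelope cannot be redirected to someone else.
func (host *Participant) WrapFor(recipient string, recipientPub, meetingKey []byte) (KeyEnvelope, error) {
	aead, err := pairwiseGCM(host.priv, recipientPub)
	if err != nil {
		return KeyEnvelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return KeyEnvelope{}, err
	}
	ct := aead.Seal(nil, nonce, meetingKey, []byte(recipient))
	return KeyEnvelope{Recipient: recipient, HostPub: host.PublicKey(), Nonce: nonce, WrappedKey: ct}, nil
}

// Unwrap is run by the participant: derive the same pairwise key and open the envelope.
func (p *Participant) Unwrap(env KeyEnvelope) ([]byte, error) {
	aead, err := pairwiseGCM(p.priv, env.HostPub)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.WrappedKey, []byte(p.Name))
}

// RelayCanRead models the server: it holds no participant private key, so the best it can
// do is try a key of its own (even under the recipient's name), and GCM rejects the result.
func RelayCanRead(env KeyEnvelope) bool {
	relay, err := NewParticipant(env.Recipient)
	if err != nil {
		return false
	}
	_, err = relay.Unwrap(env)
	return err == nil
}

// SecurityCode is the short string the host reads aloud and everyone compares (assumed
// construction: SHA-256 over host public key and meeting key, truncated to 20 hex chars).
func SecurityCode(hostPub, meetingKey []byte) string {
	h := sha256.New()
	h.Write(hostPub)
	h.Write(meetingKey)
	return hex.EncodeToString(h.Sum(nil))[:20]
}
```

To run a meeting, the host draws a 32-byte key from crypto/rand, calls WrapFor once per participant public key, hands each envelope to the relay for forwarding, and each participant calls Unwrap; the relay is left with envelopes it cannot open.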


E2EE for everybody

In June 2020, Zoom CEO Eric Yuan announced the company’s intention to offer E2EE only to paying customers, but after a public outcry they decided to extend its benefits to customers with free accounts as well.

“Free/Basic users seeking access to E2EE will participate in a one-time verification process that will prompt the user for additional pieces of information, such as verifying a phone number via text message. Many leading companies perform similar steps to reduce the mass creation of abusive accounts,” the company reiterated with this latest announcement.

Telehealth is the future of healthcare, but how secure is it?

54 percent of Americans have opted for virtual visits during the pandemic, a CynergisTek survey reveals. Of those, more than 70 percent of respondents plan to continue to use telemedicine post-pandemic.


However, healthcare providers should note that privacy and protection of sensitive health data was a major concern for telemedicine users and breaches could prompt patients to switch doctors.

“The rapid growth of telehealth has accelerated to a level we wouldn’t have expected to see over a 10-year timeframe,” said Caleb Barlow, president and CEO of CynergisTek.

“However, major vulnerabilities are emerging around privacy and security standards for video conferencing and messaging apps when used for telehealth (such as consumer technologies like Zoom), which can be easily infiltrated – providing hackers with additional opportunities to breach highly-sensitive information.”

Delaying in-person visits, spurring rise of telehealth

During the pandemic, 56 percent of Americans have considered postponing non-emergency medical appointments until the COVID-19 pandemic ends. When put in a hypothetical situation where they would need medical care during the pandemic, the types of appointments Americans are postponing include:

  • Vaccines: 25 percent of Americans would postpone annual vaccines such as a flu shot until the pandemic was resolved.
  • Annual physicals: Nearly 40 percent are considering postponing physical exams for adults and child wellness exams.
  • Dental and vision exams: 45 percent of consumers said they would postpone their dental/orthodontics check-up amid the COVID-19 pandemic, followed by 43 percent postponing an eye exam.
  • Elective cosmetic procedures: More than 40 percent report considering putting off elective cosmetic services and surgeries (e.g., Botox, breast augmentation).
  • Elective surgery: 35 percent report considering pushing out surgeries like hip and knee replacements until after the pandemic.

As Americans weigh their comfort level on what medical services require in-person visits with a physician or healthcare provider, telehealth options have skyrocketed as a popular alternative, providing convenience and access at a time when many are canceling appointments out of an abundance of caution.

According to the survey, while 39 percent of Americans opted for in-person visits, more than 54 percent of respondents opted for telehealth options, with phone consultations and video visits being the two most popular. When examining consumers’ willingness to use telehealth post COVID-19, the survey found:

  • Of those who have used telehealth options during the COVID-19 pandemic, 73 percent report they will continue virtual visits after the pandemic passes.
  • 79 percent of male respondents who have used a telehealth solution during the COVID-19 pandemic will continue using them post-COVID, compared to 67 percent of females.
  • Millennials are statistically more likely than any other generation to continue using telehealth options after the pandemic has passed (81 percent), followed by Gen X (79 percent).
  • In a hypothetical situation where they needed medical care, 25 percent of Americans would not consider using a telehealth solution for any of the appointments or procedures types presented – this number is significantly higher among Baby Boomers (41 percent) and the Silent Generation (59 percent).

Embracing telehealth and balancing security needs to protect patients

While urgent visits require in-person consultation, Americans are looking to telehealth to fill in the gap for more routine types of care.

In a hypothetical situation where they’d need medical care or advice, nearly 30 percent of respondents would also look to telehealth for chronic care check-ups (29 percent) or annual physical and children’s wellness exams (27 percent).

While patients are embracing telehealth, providers must prioritize security when rolling out phone and virtual services or else they risk potential breaches of sensitive patient data.

A recent report found an increase in nefarious attacks targeting video conferencing tools like Zoom, reinforcing the need for healthcare providers to reassess their security posture and fortify their defenses to reflect this new reality, or risk losing their patients’ trust and business.

48 percent of respondents said they would be unlikely to use telehealth solutions again if their personal health data was hacked due to a telemedicine-related breach.

  • Women are more likely than men to say they would not use telehealth solutions again if their health information was involved in a telemedicine-related breach (54 percent of women vs. 41 percent of men).
  • Baby Boomers and the Silent Generation are the two groups most unlikely to return to telehealth solutions if their data was involved in a telehealth-related breach (62 and 65 percent respectively).

“We find ourselves in a very unique scenario, where consumers had to almost accept telehealth overnight,” said Russ Branzell, CEO of the College of Healthcare Information Management Executives.

“The progress has been amazing to see in creating easier access to care while reducing the burden on both providers and patients. However, we must remain vigilant in our efforts to protect and secure telehealth and other digital health technologies.

“With the opportunities of digital health also come inherent security risks – but digital health’s risks are manageable. It is important for healthcare providers to take data privacy and security seriously in order to ensure that digital health platforms like telehealth remain an essential part of the future of patient care.”

“We appreciate that this is a new development and healthcare providers are balancing all the new demands the pandemic has created,” said David Finn, Executive Vice President of Strategic Innovation of CynergisTek.

“However, the first step is to assess how the data is encrypted and who is authorized to access this data. From there, IT teams should work closely with leadership to fill in the security gaps on telehealth solutions that protect patients while also providing the convenience.”

Businesses prioritize security and collaboration tools to manage sustained remote work environments

77 percent of IT professionals believe they were prepared to manage the rapid shift to remote work during the COVID-19 outbreak, according to TeamViewer.


Among those surveyed, the percentage working from home had abruptly jumped from 28 percent prior to the pandemic to 71 percent during the outbreak. The survey included more than 200 IT executives in the U.S. across various industries.

Manage remote work: High productivity, effectiveness and morale

IT professionals identified many challenges in their response to COVID-19, but felt that their productivity, effectiveness and morale remained high. Eighty-four percent of respondents believed that the “survival” of their companies depended on “providing a stable work environment” during and after the pandemic.

Seventy-eight percent said that technical support requests had also increased. Even so, 49 percent indicated that their volume of work “stayed the same” with another 32 percent noting that it was “higher than usual.”

Most IT professionals surveyed believe they were “very effective” (57 percent) or “somewhat effective” (40 percent) at solving urgent problems that arose during the pandemic. Only 3 percent believed their response was “not effective.”

Seventy-nine percent said it took up to 3 weeks to establish a stable work environment, but only 41 percent were confident they had sufficient VPN capacity.

Video conferencing as the most effective tool

As part of the initial “work from home” response, video conferencing topped the list as the most effective tool (66 percent), followed by cloud storage (59 percent), device management (49 percent) and collaboration (47 percent), according to respondents.

“Businesses capably managed the rapid transition to remote work in response to the COVID-19 pandemic,” said Gautam Goswami, CMO at TeamViewer. “But it’s critical that IT professionals remain focused on strengthening their infrastructure to guarantee business continuity by putting a range of secure remote connectivity solutions in place.”

“Work from home” concerns

Respondents also identified other concerns as they continue to manage through the pandemic’s extended “work from home” arrangements.

  • Planning for a new normal: On average, IT executives expect that it will take more than seven months to return to “business as usual.” As businesses fortify their infrastructure, 85 percent “agree” or “strongly agree” that their organization will be prepared to manage a future coronavirus outbreak.
  • Security is a top priority: Security remains a top priority for 57 percent of the IT executives surveyed, particularly in response to employees using their own devices and moving from private company networks to the public internet with more access points and increased vulnerabilities.
  • Remote work will continue to trend: Eighty percent of IT leaders say they expect more employees to permanently work remotely, but only 38 percent are sure they have the training needed to handle the rise in remote work.
  • Budget increases: Sixty-nine percent of organizations channelled new funds to IT in the wake of the pandemic, and 80 percent say they expect to need additional budget during the next year.

Researchers extract personal data from video conference screenshots

Video conference users should not post screen images of Zoom and other video conference sessions on social media, according to Ben-Gurion University of the Negev researchers, who easily identified people from public screenshots of video meetings on Zoom, Microsoft Teams and Google Meet.


Zoom image collage with detected information, along with extracted features of gender, age, face, and username

With the worldwide pandemic, millions of people of all ages have replaced face-to-face contact with video conferencing platforms to collaborate, educate and celebrate with co-workers, family and friends. In April 2020, nearly 500 million people were using these online systems. While there have been many privacy issues associated with video conferencing, the BGU researchers looked at what types of information they could extract from video collage images that were posted online or via social media.

“The findings in our paper indicate that it is relatively easy to collect thousands of publicly available images of video conference meetings and extract personal information about the participants, including their face images, age, gender, and full names,” says Dr. Michael Fire, BGU Department of Software and Information Systems Engineering (SISE). “This type of extracted data can vastly and easily jeopardize people’s security and privacy, affecting adults as well as young children and the elderly.”

The researchers report that it is possible to extract private information from collage images of meeting participants posted on Instagram and Twitter. They used image-processing and text-recognition tools as well as social network analysis to explore a dataset of more than 15,700 collage images and more than 142,000 face images of meeting participants.

Artificial intelligence-based image-processing algorithms helped identify the same individual’s participation at different meetings by simply using either face recognition or other extracted user features like the image background.

The researchers were able to spot faces 80% of the time as well as detect gender and estimate age. Free web-based text recognition libraries allowed the BGU researchers to correctly determine nearly two-thirds of usernames from screenshots.

The researchers identified 1,153 people who likely appeared in more than one meeting, as well as networks of Zoom users in which all the participants were coworkers. “This proves that the privacy and security of individuals and companies are at risk from data exposed on video conference meetings,” according to the research team, which also includes BGU SISE researchers Dima Kagan and Dr. Galit Fuhrmann Alpert.

Cross-referencing facial image data with social network data may cause greater privacy risk as it is possible to identify a user that appears in several video conference meetings and maliciously aggregate different information sources about the targeted individual.


Data extraction process

The research team offers a number of recommendations to prevent privacy and security intrusions. These include not posting video conference images online or sharing videos; using generic pseudonyms like “iZoom” or “iPhone” rather than a unique username or real name; and using a virtual background rather than a real one, since a real background can help fingerprint a user account across several meetings.

Additionally, the team advises video conferencing operators to augment their platforms with a privacy mode, such as applying filters or Gaussian noise to an image, which can disrupt facial recognition while keeping the face still recognizable.

“Since organizations are relying on video conferencing to enable their employees to work from home and conduct meetings, they need to better educate and monitor a new set of security and privacy threats,” Fire says. “Parents and children of the elderly also need to be vigilant, as video conferencing is no different than other online activity.”

End-to-end encryption will be offered to all Zoom users

Zoom Video Communications has decided to extend the benefits of end-to-end encryption (E2EE) not only to paying Zoom customers, but to those who create free accounts, as well.


The decision was reached after much public outcry by privacy-minded users and privacy advocates. As famed cryptographer and privacy specialist Bruce Schneier noted, “we are learning – in so many areas – the power of continued public pressure to change corporate behavior.”

Zoom does an about-face on E2EE

Zoom CEO Eric Yuan announced their decision to bring E2EE to paid users only in early June. He explained that they want to be able to help law enforcement in investigations and that people who use Zoom to disrupt online meetings and to engage in criminal acts and facilitate horrible abuse generally use free (quasi-anonymous) accounts.

In the meantime, though, they’ve found a solution that will allow them to offer E2EE as an advanced add-on feature for all users while maintaining the ability to prevent and fight abuse.

“To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message,” Yuan explained this Wednesday.

“Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.”

E2EE for everyone

The decision was welcomed by the Electronic Frontier Foundation, though they pointed out that phone numbers were never designed to be persistent all-purpose individual identifiers, and using them as such creates new risks for users.

“In different contexts, Signal, Facebook, and Twitter have all encountered disclosure and abuse problems with user phone numbers. At the very least, the phone numbers that users give Zoom should be used only for authentication, and only by Zoom. Zoom should not use these phone numbers for any other purpose, and should never require users to reveal them to other parties,” they noted.

An early beta of the E2EE feature is scheduled to be introduced by Zoom in July 2020. The feature will be optional because it limits some meeting functionality, and account administrators will be able to switch it on or off at the account and group level.

“Companies have a prerogative to charge more money for an advanced product, but best-practice privacy and security features should not be restricted to users who can afford to pay a premium,” they added.

The EFF has called on other companies that provide communication tools to offer E2EE to both users who pay for their services and those who don’t.

Zoom to offer end-to-end encryption only to paying customers

As Zoom continues on its path to bring end-to-end encryption (E2EE) to users, the big news is that only paid users will have access to the option.


“Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Zoom CEO Eric Yuan said on a company earnings call on Tuesday.

Zoom encryption and end-to-end encryption

According to the last few updates of Zoom’s 90-Day Security Plan, started in early April to work on the solution’s trust, safety, and privacy issues:

  • All users – whether using free or paid accounts – now have the option of using AES 256-bit GCM encryption for their Zoom meetings and webinars. To take advantage of it, they have to upgrade their Zoom client (mobile or desktop app) to v5.0 or any of the later ones
  • The company has released a draft design of their end-to-end encryption capability on GitHub and is hosting discussions with cryptographic experts, nonprofits, advocacy groups, customers, and others to solicit feedback for the final design.
  • The company plans to add multi-factor authentication options for free and Pro users in the future (near or far, they didn’t specify).

“Our top priority is to focus on building effective end-to-end encryption for our meeting product first, where it will be most useful. We are considering end-to-end encryption options for Zoom Chat, Zoom Phone, and Zoom Video Webinars down the road,” the company stated.

E2EE just for those who pay for an account

Encrypted communications can be decrypted by the service provider if law enforcement demands it because they have the encryption key. With E2EE, the encryption keys are created and remain on the devices of the people involved in the communication.

Yuan’s explanation of why end-to-end encryption would not be available to free accounts has been fleshed out by Alex Stamos, former Facebook CISO and current adjunct professor at Stanford University’s Center for International Security and Cooperation, who’s now also a security and privacy adviser to Zoom.

In short, Zoom’s decision is motivated by the need to find a way to deal, in conjunction with law enforcement, with people who disrupt meetings (often repeat offenders).

“The other safety issue is related to hosts creating meetings that are meant to facilitate really horrible abuse. These hosts mostly come in from VPNs, using throwaway email addresses, create self-service orgs and host a handful of meetings before creating a new identity,” Stamos explained.

He concedes that not offering E2EE to free tier users will not eliminate all abuse, but that “since the vast majority of harm comes from self-service users with fake identities this will create friction and reduce harm.”

Privacy and digital rights advocates have argued that this decision will also ultimately hurt vulnerable groups such as activists, journalists, nonprofits, domestic violence victims – groups that desperately need E2EE but might not have the resources to splurge for a paid plan.

Zoom’s decision comes at a time when a new piece of legislation (the EARN IT Act) is being pushed through the US Congress that is expected to ultimately force/incentivize tech and internet companies to abandon plans to offer end-to-end encryption to users.

Fake Microsoft Teams notification emails are hitting inboxes

Phishers are using fake Microsoft Teams notification emails to trick users into sharing their Microsoft Teams and Office 365 login credentials.

“Should the recipient fall victim to this attack, this user’s credentials would be compromised. Additionally, since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user’s Microsoft credentials via single-sign on,” Abnormal Security warns.

The email phishing campaigns

The company has spotted two slightly different campaigns, both consisting of fake Microsoft Teams notification emails.


“Given the current situation, people have become accustomed to notifications and invitations from collaboration software providers. Because of this, recipients might not look further to investigate the message,” they noted.

The imagery in the emails is copied from actual Microsoft Teams notifications and emails, and the phishing pages to which the emails direct potential victims look identical to the legitimate Microsoft Office 365 and Microsoft Teams login pages.

Those lucky enough to notice that the pages’ URLs have nothing to do with Microsoft Teams or Office might think twice about providing their login credentials.

A massive user base makes for a great target

In March 2020, Microsoft Teams had hit 44 million daily users. In April 2020, during the company’s earnings conference call, Microsoft CEO Satya Nadella said that the number has surpassed 75 million, fueled by companies’ need to keep in (video) touch with their employees who are working from home due to the COVID-19 pandemic.

Just as criminals go where the money is, phishers go where the majority of users are – and a user base of 75+ million active users is a very big pond for them to go phishing in.

Google Meet: Video meetings built on a secure foundation, soon free for everyone

Google Cloud today announced it’s making Google Meet, Google’s premium video-conferencing solution, free for everyone with availability rolling out over the coming weeks.


Starting in early May, anyone with an email address can sign up for Meet and enjoy many of the same features available to G Suite’s business and education users, such as simple scheduling and screen sharing, real-time captions, and layouts that adapt to your preference, including the expanded tiled view.

“With the lines blurred between work and home, Google Meet can offer the polish needed for a work meeting, a tiled view for your online birthday party and the security needed for a video call with your doctor,” said Javier Soltero, VP of G Suite. “We’re in the middle of a significant worldwide shift impacting communication from the workplace to schools to the home. People want familiar, secure tools that they can use across all facets of their lives.”

Google has invested years in making Meet a secure and reliable video conferencing solution that’s trusted by schools, governments and enterprises around the world, and in recent months has accelerated the release of top-requested features to make it even more helpful.

Whether it’s hospitals supporting patients via telehealth, banks working with loan applicants, retailers assisting customers remotely, or manufacturers interacting safely with warehouse technicians, businesses across every industry are using Meet to stay connected.

Google Meet: Built on a secure foundation

Meet is designed, built and operated to be secure at scale. Meet is hosting 3 billion minutes of video meetings and adding roughly 3 million new users every day. And as of last week, Meet’s daily meeting participants surpassed 100 million.

Privacy and security are paramount, no matter if it’s a doctor sharing confidential health information with a patient, a financial advisor hosting a client meeting, or people virtually connecting with each other for graduations, holidays, and happy hours.

Google’s approach to security is simple: make products safe by default. Meet was designed to operate on a secure foundation, providing the protections needed to keep users safe, their data secure, and their information private.

Safety measures

Here are just a few of the default-on safety measures:

  • A strong set of host controls such as the ability to admit or deny entry to a meeting, and mute or remove participants, if needed.
  • Anonymous users are not allowed to join meetings created by individual accounts.
  • Meet meeting codes are complex by default and therefore resilient to brute-force “guessing.”
  • Meet video meetings are encrypted in transit, and all recordings stored in Google Drive are encrypted in transit and at rest.
  • The service does not require plugins to use Meet on the web. It works entirely in Chrome and other modern browsers, so it’s less vulnerable to security threats.
  • Meet users can enroll their account in Google’s Advanced Protection Program.
  • Google Cloud undergoes regular rigorous security and privacy audits for all its services.
  • Your Meet data is not used for advertising, and Google doesn’t sell your data to third parties.
  • Google operates a highly secure and resilient private network that encircles the globe and connects their data centers to each other—ensuring that your data stays safe.

Which video call apps should you use if you care about privacy?

To help individuals and organizations choose video call apps that suit their needs and their risk appetite, Mozilla has released a new “Privacy Not Included” report that focuses on video call apps.


The report includes the following popular offerings:

  • Zoom’s Zoom app
  • Google’s Duo, Hangouts, and Meet
  • Apple’s FaceTime
  • Microsoft’s Skype and Teams
  • Facebook’s Messenger, Messenger Kids, and WhatsApp
  • Epic Games’ Houseparty
  • Discord’s Discord app
  • 8×8’s Jitsi Meet
  • Signal Technology Foundation’s Signal
  • Verizon’s BlueJeans
  • LogMeIn’s GoToMeeting
  • Cisco’s WebEx
  • Doxy.me’s Doxy.me telemedicine app

Report findings

The report is based on Mozilla’s researchers reviewing each app’s privacy policy and specifications, the user controls it offers, and so on.

Each app is given an overall security rating, based on five things:

  • Whether it has a clear privacy policy
  • Whether it uses encryption (and what kind of encryption)
  • Whether it requires the use of strong passwords
  • Whether it provides automatic security updates
  • Whether the developers manage security vulnerabilities using tools like bug bounty programs and clear points of contact for reporting vulnerabilities.

Three of the evaluated apps have failed to meet Mozilla’s Minimum Security Standards, but that doesn’t mean that they should not be used. Different users have different needs and wants, and that includes those related to security and privacy.

For example: Discord collects information on the user’s contacts if they link their social media accounts, and that’s something that might not bother some users. Another example: Houseparty collects a lot of personal data and its privacy policy clearly explains that. Again, some users might be ok with that.

Mozilla noted that many of the apps provide admirable privacy and security features and that all apps use some form of encryption (though not all encryption is end-to-end). Still, some apps – like Doxy.me – offer inadequate protection, especially when you consider the extremely sensitive health information that is usually shared through it.

Making a choice

Consumers and organizations should review Mozilla’s findings and decide for themselves which solution is right for them. I would also advise checking similar research reports and mentions, which may include additional offerings and point out other qualities that one may search for in a solution (e.g., whether it supports self-hosting) or traits one may avoid.

Mozilla’s researchers also pointed out that different apps have very different sets of video chat features, making some more fitting for enterprise use and others a more natural choice for consumers. Business users who want a fuller set of features and a higher level of security, and have the money to pay for them, should look to business-focused apps, they noted.

Ashley Boyd, Mozilla’s Vice President, Advocacy, pointed out that, with a record number of people using video call apps to conduct business, teach classes, and catch up with friends, it’s more important than ever that this technology be trustworthy.

We have witnessed how Zoom moved to quickly patch security flaws reported by researchers and how the addition of new, helpful features has been copied by competitors (e.g., Zoom and Google Hangouts offered one-click links to get into meetings, and Skype recently followed suit).

“The good news is that the boom in usage has put pressure on these companies to improve their privacy and security for all users, which should be a wake-up call for the rest of the tech industry,” Boyd concluded.

Phishers exploit Zoom, WebEx brands to target businesses

Proofpoint researchers have spotted and documented email phishing campaigns targeting US companies in a variety of industries with emails impersonating Zoom and Cisco (WebEx).


Phishing emails impersonating Zoom and WebEx

“Video conferencing has become very popular very quickly. Attackers have noticed and moved to capitalize on that popularity and brand strength,” noted Sherrod DeGrippo, Senior Director of Threat Research at Proofpoint.

“Not only are attackers using video conferencing brands as a lure for malware, but they’re using it for credential phishing, in particular to steal Zoom and WebEx credentials.”

Some of the lures are not particularly original, but will surely fool some of the targets. For example, an email that welcomes users to their new Zoom account and requests them to activate their account, or an email that claims that the user has missed a scheduled Zoom conference meeting (see above).

In both cases, the attackers are after account credentials, either for Zoom or for the target’s email account.

The fake emails purportedly coming from Cisco are a mishmash of unconnected visual elements and subject lines that command attention (e.g., “Critical Update!” or “Alert!”).

Many targets will spot the malicious nature of the email almost immediately, as it warns about an old vulnerability in a piece of software that has nothing to do with Cisco WebEx (apart from the fact that both are developed by Cisco). But there are always some recipients who panic, or are inattentive enough at the moment of reading, and will end up entering their login credentials.

The value of compromised video conferencing accounts is obvious. “Stolen account credentials could be used to login to corporate video conferencing accounts and violate confidentiality. They also could likely be sold on the black market or used to gain further information about potential targets for launching additional attacks,” DeGrippo noted.
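The common thread in the Teams lookalike login pages described earlier and the Zoom/WebEx credential lures here is that the page’s host is not the brand’s. The added example below (not Proofpoint’s code or from the article) shows the triage a mail gateway or a careful user performs on such a URL; the allowlist and the two-label domain heuristic are constructed assumptions.

```python
"""Triage a login-page URL against the brand it claims to belong to.

Added example, not from Proofpoint or the article. The allowlist is a
constructed, illustrative set of registrable domains, and the "last two
labels" heuristic is an assumption that breaks on suffixes like co.uk;
use a public-suffix-aware library in production.
"""
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains a user should expect per brand.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "zoom": {"zoom.us"},
    "webex": {"webex.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (heuristic, see module docstring)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_login_url(url: str, brand: str) -> Tuple[str, str]:
    """Return ("ok", domain) when the host is a known domain for `brand`,
    otherwise ("suspicious", reason) naming the first red flag found."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return "suspicious", "login page not served over https"
    if "@" in parts.netloc:
        # user@host trick: the browser connects to the part after '@'
        return "suspicious", f"userinfo trick, real host is {host}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "internationalized (punycode) label in host"
    dom = registrable_domain(host)
    if dom in BRAND_DOMAINS[brand]:
        return "ok", dom
    if brand in host and brand not in dom:
        # e.g. login.microsoftonline.com.evil.example
        return "suspicious", f"brand name in subdomain, registrable domain is {dom}"
    if brand not in host and brand in host.translate(str.maketrans("01", "ol")):
        return "suspicious", "digit-for-letter lookalike of the brand name"
    return "suspicious", f"host {host} is not a {brand} domain"
```

The verdict reasons are meant for a quarantine log or a user-facing warning; the ordering matters, since the userinfo and punycode checks must run before the domain is compared.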

Malware delivery campaign

The researchers have also spotted an email malware delivery campaign that does not impersonate the aforementioned developers of video conferencing solutions, but does exploit their widespread use.

The emails are made to look like they come from a potential client who has asked for a quote and says they are available for a call via Zoom; attached is a booby-trapped Excel file that supposedly contains the sender’s schedule.

To view the contents, the recipient is asked to enable macros. If they do, the macros execute a script that, unbeknownst to the victim, installs a legitimate remote control application, which the attackers then use to access files and information on the compromised system.

Users are warned to be on the lookout for these and similar lures, and to keep in mind that phishers love nothing more than (ab)using popular brands as social engineering lures. These specific campaigns were directed at employees in US companies in the technology, accounting, aerospace, energy, healthcare, telecommunications, transportation, government, and manufacturing sectors.

Will Zoom manage to retain security-conscious customers?

While Zoom Video Communications is trying to change the public’s rightful perception that, at least until a few weeks ago, Zoom security and privacy were low on their list of priorities, some users are already abandoning the ship.

Working on the security and privacy issues

The company initially concentrated their efforts on breaking into the enterprise market and, I believe, Zoom’s recent popularity explosion took even them by surprise.

While they are trying to quickly scale their offering to meet the rising demand, the fact that they’ve concentrated their efforts on usability and made unsavoury trade-offs that affect the product’s security and users’ privacy is coming back to bite them.

To their credit, the company and its CEO threw themselves into full and meaningful crisis management, announcing a temporary moratorium on new features and a shift of all their engineering resources to focus on trust, safety, and privacy issues.

They also quickly fixed most of the issues discovered by users and security researchers and exploited by attackers, announced concrete measures, added more to the list, and continue to add more still.

For example, they say that they are working on implementing more privacy-friendly encryption and that, later this week, every paid Zoom customer will have the option to opt in or out of a specific data center region (except the default), in order to prevent the unneeded (and questionable) routing of their meeting traffic through servers in China.

The company is also working with Luta Security, a consultancy founded and headed by vulnerability disclosure / bug bounty program pioneer Katie Moussouris, on reexamining their bug bounty program.

Some users are done with Zoom

In the meantime, several governments and prominent companies (Tesla, Google) have prohibited staff and employees from using Zoom for work.

According to Blind, who polled 4,392 professionals from various big US companies, 12% of professionals have completely stopped using Zoom due to security issues, and 9% are using Zoom less.


Another thing that can end up pushing some consumers off the Zoom wagon is the fact that criminals are actively phishing for Zoom user credentials and compromising them via credential stuffing attacks, then selling the accounts on hacker forums.

Finally, the fact that Zoom now presents a big target for hackers who are aiming to sell bugs they discover to the highest bidder might cool many a user’s love for the popular video conferencing solution.

Video conferencing for teams and consumers: What is the right choice for you?

Though some claim that this forced “work from home” situation has shown that many of the discussions that previously required office meetings can actually be expedited simply by exchanging a few emails, there’s no doubt that, for some tasks, face-to-face meetings – even if over the internet – are a must.


Which video conferencing solution should teams (organizations) use, and which consumers?

Zoom

Zoom Video Communications, the creators of the Zoom remote conferencing service, have benefited the most from this sudden surge of demand for video conferencing solutions. The number of Zoom users has exploded and the name became a synonym for face-to-face online chatting seemingly overnight.

Though the sudden popularity shone a harsh light on the solution’s many privacy and security issues, the company recently pledged to do better and outlined their plan. The most recent developments of that plan include the official formation of a CISO Council and Advisory Board and welcoming former Facebook CSO Alex Stamos as an outside advisor.

The company is also making a point of quickly fixing security and privacy vulnerabilities reported to them.

Nevertheless, the jury is still out on whether or not the service is secure enough for enterprise use (i.e., use where confidentiality is paramount). In fact, many say it’s not, particularly after Citizen Lab researchers revealed that “Zoom uses non-industry-standard encryption for securing meetings, and that there are discrepancies between security claims in Zoom documentation and how the platform actually works.”

For all of those reasons, Google has banned Zoom from corporate computers, though employees can continue to use it through a web browser or via mobile.

Microsoft’s offerings

A few days ago, Microsoft-owned Skype pointed out again that it now offers Meet Now, “a simple, hassle-free way to connect with the important people in your life on Skype.”

The feature was introduced late last year, but is now being touted as the perfect videoconferencing solution for consumers, who don’t have to have a Skype account or download an application to use it. They can simply create a link and send it to friends and family as an invitation to participate in the video call. The participants open the link in Microsoft Edge or Google Chrome, and they are “in” the call.

Microsoft Teams, the company’s unified communication and collaboration platform aimed at enterprise users, offers video conferencing inside the client software.

Google’s offerings

Not to be outshone, Google explained again on Tuesday that its Google Hangouts Meet video communication service is a secure option for enterprises.

“Google Meet’s security controls are turned on by default, so that in most cases, organizations and users won’t have to do a thing to ensure the right protections are in place,” the company noted.

The solution employs anti-hijacking measures for both web meetings and dial-ins and makes it difficult to brute force meeting IDs (a problem Zoom has).

“We limit the ability of external participants to join a meeting more than 15 minutes in advance, reducing the window in which a brute force attack can even be attempted. External participants cannot join meetings unless they’re on the calendar invite or have been invited by in-domain participants. Otherwise, they must request to join the meeting, and their request must be accepted by a member of the host organization,” the company added.
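The “complex by default” meeting codes listed in the Google Meet safety measures above and the 15-minute join window quoted here both work by shrinking an attacker’s odds of landing on a live meeting. The added example below, which is not Google’s code or analysis, puts rough numbers on that with a small risk model; the code formats, guess rates and live-meeting counts are assumptions chosen for illustration.

```python
"""A small risk model for blind guessing of meeting codes.

Added example, not Google's code or analysis. Code formats, guess rates and
the number of simultaneously live meetings are constructed assumptions; the
10-lowercase-letter shape for Meet codes is an assumption, and the 9-digit
numeric ID is a hypothetical short scheme used for contrast.
"""
import math


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes the scheme can produce."""
    return alphabet_size ** length


def attempts_in_window(rate_per_second: float, window_seconds: float) -> int:
    """Guesses possible at a fixed rate while a meeting is joinable."""
    return int(rate_per_second * window_seconds)


def hit_probability(space: int, live_meetings: int, attempts: int) -> float:
    """Probability that random guesses land on at least one of the currently
    valid codes (guesses independent, live codes uniformly spread)."""
    return 1.0 - (1.0 - live_meetings / space) ** attempts


def max_rate_for_budget(space: int, live_meetings: int,
                        window_seconds: float, p_budget: float) -> float:
    """Defender's lever: the highest per-second guess rate (across all
    sources) that keeps the hit probability under p_budget for one window."""
    attempts = math.log(1.0 - p_budget) / math.log(1.0 - live_meetings / space)
    return attempts / window_seconds


if __name__ == "__main__":
    window = 15 * 60                            # the 15-minute early-join window
    guesses = attempts_in_window(10, window)    # assumed 10 guesses per second
    for name, space, live in [
        ("9-digit numeric ID (hypothetical)", keyspace(10, 9), 100_000),
        ("10-letter Meet-style code (assumed)", keyspace(26, 10), 1_000_000),
    ]:
        p = hit_probability(space, live, guesses)
        cap = max_rate_for_budget(space, live, window, 0.01)
        print(f"{name}: P(hit a live meeting) = {p:.2e}, "
              f"rate cap for a 1% budget = {cap:.3g}/s")
```

The last function answers the defender’s question directly: what aggregate guess rate a join endpoint must be limited to so that a chosen probability budget holds for the whole window.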

Several new features make it impossible for participants to remove or mute meeting creators or allow external (not officially invited) participants to join via video.


Additional security advantages of using Google Meet include:

  • It works with Google accounts (which can be secured with 2FA)
  • All data is encrypted in transit by default. “For every person and for every meeting, Meet generates a unique encryption key, which only lives as long as the meeting, is never stored to disk, and is transmitted in an encrypted and secured RPC (remote procedure call) during the meeting setup,” Google says.
  • A secure-by-design infrastructure
  • Compliance controls, and more

There are other options

The solutions outlined here are not the only options for one-on-one video conferencing or video conferencing for teams, just those most widely used at the moment. There’s also GoToMeeting, Adobe Connect, Jitsi Meet (an open source solution), Samepage, TeamViewer, join.me, and many others.

We are, by no means, advising the use of one solution instead of another. It’s on users and enterprises to evaluate which solution is right for them based on their requirements and risk model/appetite.