Zoom Video Communications, the maker of the popular Zoom video conferencing solution, has agreed to settle allegations made by the US Federal Trade Commission (FTC) that it “engaged in a series of deceptive and unfair practices that undermined the security of its users.”
The settlement requires Zoom to – among other things – establish and implement a comprehensive security program and to not engage in further privacy and security misrepresentations.
The conditions put forth by the settlement
The FTC complaint said that:
- Since at least 2016, the company misled users by touting that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security, i.e., it encrypted communications but stored the encryption keys on its servers
- The company misled users by saying that recorded meetings that were stored on the company’s cloud storage were encrypted immediately after the meeting ended, which was untrue in some cases
- In July 2018, the company compromised the security of some users when it secretly installed a hidden web server on Macs that helped with frictionless installation of the Zoom application
The settlement does not oblige Zoom to admit fault or pay a fine, but obligates it to:
- Refrain from misrepresenting privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information
- Implement a comprehensive information security program and obtain biennial assessments of its security program by an independent third party and notify the FTC if it experiences a data breach
- Implement a vulnerability management program
- Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks
- Deploy safeguards such as MFA to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials
- Review any software updates for security flaws and ensure the updates will not hamper third-party security features
Two of the FTC commissioners disagreed with the settlement
FTC commissioner Rohit Chopra pointed out that it provides no help for affected users, does nothing for small businesses that relied on Zoom’s data protection claims, and does not require Zoom to pay a fine. He also argued that Zoom’s misrepresentation of its security practices allowed it to steal users from competing players in the video conferencing market and to “cash in” on the pandemic.
“Zoom stands ready to emerge as a tech titan. But we should all be questioning whether Zoom and other tech titans expanded their empires through deception,” he added.
FTC Commissioner Rebecca Kelly Slaughter also stressed that many Zoom customers were left stranded.
“Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false. This failure of the proposed settlement does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case,” she said.
She also noted that Zoom should have been ordered to regularly “engage in a review of the risks to consumer privacy presented by its products and services, to implement procedures to routinely review such risks, and to build in privacy-risk mitigation before implementing any new or modified product, service, or practice.”
It remains to be seen whether Zoom will fulfill, and continue to fulfill, the conditions of the settlement. Each violation of an FTC order may result in a civil penalty of up to $43,280, which is a negligible sum for a company that’s worth $35 billion.
UPDATE (November 10, 2020, 4:10 a.m. PT):
“The security of our users is a top priority for Zoom. We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs,” a Zoom spokesperson told Help Net Security.
“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”
Zoom has agreed to upgrade its security practices in a tentative settlement with the Federal Trade Commission, which alleges that Zoom lied to users for years by claiming it offered end-to-end encryption.
“[S]ince at least 2016, Zoom misled users by touting that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications, when in fact it provided a lower level of security,” the FTC said today in the announcement of its complaint against Zoom and the tentative settlement. Despite promising end-to-end encryption, the FTC said that “Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised.”
The FTC complaint says that Zoom claimed it offers end-to-end encryption in its June 2016 and July 2017 HIPAA compliance guides, which were intended for health-care industry users of the video conferencing service. Zoom also claimed it offered end-to-end encryption in a January 2019 white paper, in an April 2017 blog post, and in direct responses to inquiries from customers and potential customers, the complaint said.
“In fact, Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom’s ‘Connecter’ product (which are hosted on a customer’s own servers), because Zoom’s servers—including some located in China—maintain the cryptographic keys that would allow Zoom to access the content of its customers’ Zoom Meetings,” the FTC complaint said.
The FTC announcement said that Zoom also “misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.”
To settle the allegations, “Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic,” the FTC said. (The 10 million and 300 million figures refer to the number of daily participants in Zoom meetings.)
No compensation for affected users
The settlement is supported by the FTC’s Republican majority, but Democrats on the commission objected because the agreement doesn’t provide compensation to users.
“Today, the Federal Trade Commission has voted to propose a settlement with Zoom that follows an unfortunate FTC formula,” FTC Democratic Commissioner Rohit Chopra said. “The settlement provides no help for affected users. It does nothing for small businesses that relied on Zoom’s data protection claims. And it does not require Zoom to pay a dime. The Commission must change course.”
Under the settlement, “Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false,” Democratic Commissioner Rebecca Kelly Slaughter said. “This failure of the proposed settlement does a disservice to Zoom’s customers, and substantially limits the deterrence value of the case.” While the settlement imposes security obligations, Slaughter said it includes no requirements that directly protect user privacy.
The Zoom/FTC settlement doesn’t actually mandate end-to-end encryption, but Zoom last month announced it is rolling out end-to-end encryption in a technical preview to get feedback from users. The settlement does require Zoom to implement measures “(a) requiring Users to secure their accounts with strong, unique passwords; (b) using automated tools to identify non-human login attempts; (c) rate-limiting login attempts to minimize the risk of a brute force attack; and (d) implementing password resets for known compromised Credentials.”
FTC calls ZoomOpener unfair and deceptive
The FTC complaint and settlement also cover Zoom’s controversial deployment of the ZoomOpener Web server that bypassed Apple security protocols on Mac computers. Zoom “secretly installed” the software as part of an update to Zoom for Mac in July 2018, the FTC said.
“The ZoomOpener Web server allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware,” the FTC said. “Without the ZoomOpener Web server, the Safari browser would have provided users with a warning box, prior to launching the Zoom app, that asked users if they wanted to launch the app.”
The software “increased users’ risk of remote video surveillance by strangers” and “remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app—without any user action—in certain circumstances,” the FTC said. The FTC alleged that Zoom’s deployment of the software without adequate notice or user consent violated US law banning unfair and deceptive business practices.
Amid controversy in July 2019, Zoom issued an update to completely remove the Web server from its Mac application, as we reported at the time.
Zoom agrees to security monitoring
The proposed settlement is subject to public comment for 30 days, after which the FTC will vote on whether to make it final. The 30-day comment period will begin once the settlement is published in the Federal Register. The FTC case and the relevant documents can be viewed here.
The FTC announcement said Zoom agreed to take the following steps:
- Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
- Implement a vulnerability management program; and
- Deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.
The data deletion part of the settlement requires that all copies of data identified for deletion be deleted within 31 days.
Zoom will have to notify the FTC of any data breaches and will be prohibited “from making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information,” the FTC announcement said.
Zoom will have to review all software updates for security flaws and make sure that updates don’t hamper third-party security features. The company will also have to get third-party assessments of its security program once the settlement is finalized and once every two years after that. That requirement lasts for 20 years.
Zoom issued the following statement about today’s settlement:
The security of our users is a top priority for Zoom. We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs. We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.
Qualys announced Container Runtime Security, which provides runtime defense capabilities for containerized applications. This new approach instruments an extremely lightweight snippet of Qualys code into the container image, enabling policy-driven monitoring, detection and blocking of container behavior at runtime. This capability eliminates the need for cumbersome management of sidecar and privileged containers by security solutions that are difficult to manage and administer on host nodes and don’t work in container-as-a-service environments.
Starting next week, Zoom users – both those who are on one of the paid plans and those who use it for free – will be able to try out the solution’s new end-to-end encryption (E2EE) option.
In this first rollout phase, all meeting participants:
- Must join from the Zoom desktop client, mobile app, or Zoom Rooms
- Must enable the E2EE option at the account level and then for each meeting they want to use E2EE for
How does Zoom E2EE work?
“Zoom’s E2EE uses the same powerful GCM encryption you get now in a Zoom meeting. The only difference is where those encryption keys live,” the company explained.
“In typical meetings, Zoom’s cloud generates encryption keys and distributes them to meeting participants using Zoom apps as they join. With Zoom’s E2EE, the meeting’s host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants. Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents.”
The option will be available as a technical preview and will work for meetings with up to 200 participants. To join such a meeting, every participant must have the E2EE setting enabled.
For the moment, though, enabling E2EE for a meeting means giving up on certain features: “join before host”, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions.
“Participants will also see the meeting leader’s security code that they can use to verify the secure connection. The host can read this code out loud, and all participants can check that their clients display the same code,” the company added.
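The key flow described above, as an added illustration that is not Zoom’s code or its published design: the host generates the meeting key, wraps it for each participant with public-key cryptography so the relay only forwards envelopes it cannot open, and every client derives a security code from the set of participant public keys for the host to read aloud. The X25519/AES-GCM choices, the SHA-256 key derivation, the label string and all names are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"sort"
)

// Participant is one meeting client with its own X25519 key pair. Only the
// public key ever leaves the device; the relay never holds a private key.
type Participant struct{ priv *ecdh.PrivateKey }

func NewParticipant() (*Participant, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Participant{priv: priv}, nil
}

func (p *Participant) Public() *ecdh.PublicKey { return p.priv.PublicKey() }

// WrappedKey is the message the relay forwards: the host's public key plus
// the meeting key sealed under a pairwise wrapping key the relay cannot derive.
type WrappedKey struct{ HostPub, Nonce, Ciphertext []byte }

// aeadFor derives a 256-bit wrapping key from the X25519 shared secret and
// returns AES-GCM over it (SHA-256 of a constructed label stands in for a KDF).
func aeadFor(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := mine.ECDH(theirs)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("example-meeting-key-wrap")) // constructed label, not Zoom's
	h.Write(shared)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewMeetingKey runs on the host only: a fresh 256-bit key for the meeting's
// AES-GCM content encryption. It is never sent to the server in the clear.
func NewMeetingKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// WrapFor seals the meeting key for one participant. The recipient's public
// key is bound in as associated data, so an envelope cannot be redirected.
func (host *Participant) WrapFor(meetingKey []byte, recipient *ecdh.PublicKey) (*WrappedKey, error) {
	aead, err := aeadFor(host.priv, recipient)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, meetingKey, recipient.Bytes())
	return &WrappedKey{HostPub: host.Public().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// Unwrap recovers the meeting key on the recipient's own device; any other
// device (the relay included) fails the GCM authentication check.
func (p *Participant) Unwrap(w *WrappedKey) ([]byte, error) {
	hostPub, err := ecdh.X25519().NewPublicKey(w.HostPub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(p.priv, hostPub)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, w.Nonce, w.Ciphertext, p.Public().Bytes())
}

// SecurityCode is what every client displays for the host to read aloud: a
// digest over the sorted public keys, so a substituted key changes every screen.
func SecurityCode(pubs ...*ecdh.PublicKey) string {
	raw := make([][]byte, 0, len(pubs))
	for _, p := range pubs {
		raw = append(raw, p.Bytes())
	}
	sort.Slice(raw, func(i, j int) bool { return bytes.Compare(raw[i], raw[j]) < 0 })
	h := sha256.New()
	for _, r := range raw {
		h.Write(r)
	}
	return hex.EncodeToString(h.Sum(nil)[:10])
}
```

The relay in this model only ever handles `WrappedKey` values and public keys, which is what makes it "oblivious" in the sense the announcement uses.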
E2EE for everybody
In June 2020, Zoom CEO Eric Yuan announced the company’s intention to offer E2EE only to paying customers, but after a public outcry they decided to extend its benefits to customers with free accounts as well.
“Free/Basic users seeking access to E2EE will participate in a one-time verification process that will prompt the user for additional pieces of information, such as verifying a phone number via text message. Many leading companies perform similar steps to reduce the mass creation of abusive accounts,” the company reiterated with this latest announcement.
Video conferencing platform Zoom is finally offering all users the option to enable two-factor authentication (2FA) to secure their accounts against credential stuffing attacks and attacks leveraging phished login credentials.
How to enable Zoom 2FA on a Pro, Business, Education, or Enterprise account
Zoom gives the choice between two modes of delivery of the second authentication factor (a 6-digit code):
- Via a 2FA app that supports the Time-based One-Time Password (TOTP) protocol – e.g., Google Authenticator, Microsoft Authenticator, or FreeOTP
- Via SMS (text message)
Account owners/admins can enable the option at the account-level by:
1. Signing in to the Zoom Dashboard.
2. In the navigation menu, clicking Advanced, then Security.
3. Enabling the Sign in with Two-Factor Authentication option.
4. Specifying users to enable 2FA for:
- All users in the account
- Users with specific roles
- Users belonging to specific groups
5. Clicking Save.
Once that’s done, they can inform the users about the option and provide instructions on how to take advantage of it.
As is usual with these things, once users set up the option, they are also provided with backup codes to use in case they misplace their phone, uninstall their 2FA app or remove Zoom from the 2FA app by mistake. If they lose those, there’s always the option to ask their admin to reset their 2FA setup.
How to enable Zoom 2FA on a (free) Basic account
Users who have opted for a Basic account can set up 2FA by:
- Signing in to their account via the Zoom web portal
- In the navigation menu, clicking Profile, then enabling Two-Factor Authentication by clicking Turn on
- Entering their password into the pop-up box
- Opting for one of the delivery options and setting it up.
Once they’ve set up 2FA, they can make changes in the same “place” (the Profile tab).
Zoom and security
Since its popularity and user base skyrocketed in the wake of the Covid-19 pandemic, Zoom has been working on fixing many security and privacy issues.
More recently, Zoom Video Communications announced that it is working on providing end-to-end encryption (E2EE) to both paying Zoom customers and those with free (Basic) accounts.
Zoom Video Communications announced Zoom for Home, a new category of software experiences and hardware devices to support remote work use cases. In a time where employers are grappling with what the new normal of work will look like, Zoom for Home elevates employee experiences to connect remotely and be productive.
The future of knowledge work will be a hybrid of virtual and in-person experience. In a recent study by IBM, 81% of respondents—up from 75% in April—indicated they want to continue working remotely at least some of the time. 61% would like this to become their primary way of working.
Major corporations around the globe have already indicated that they do not foresee a return to pre-COVID ways of working. Additionally, according to a recent study by Morning Consult, almost half of adults who are able to work remotely believe that virtual meetings are at least as effective as in-person meetings.
Zoom partnered with DTEN to create an immersive and productive workspace. Features for the all-in-one 27-inch device include: three built-in wide-angle cameras for high-resolution video; an 8-microphone array for crystal-clear audio in meetings and phone calls; and, an ultra-responsive touch display for interactive screen sharing, whiteboarding, annotating, and ideation.
Zoom for Home is also compatible with all Zoom Rooms Appliances, including other hardware solutions from Neat and Poly, allowing users to select the hardware they need to create the perfect work-from-home communications experience across spaces such as living rooms and mounted displays.
Zoom for Home top features:
- Enhances the Zoom experience – Log in to a Zoom for Home compatible device with a Zoom user account to create immersive office experiences without additional licenses (Zoom for Home is available with all Zoom Meeting licenses, including Basic.)
- Always ready – Easily start ad-hoc or scheduled meetings, take and receive phone calls, and virtually collaborate with content sharing and annotation.
- Personalization – Syncs with the user’s calendar, status, meeting settings and phone for an integrated video-first unified communications experience.
- Flexible management options – Zoom for Home devices can be set up to be IT-managed remotely through the Admin Portal or self-managed by the end-user.
- Zoom for Home design – Ensures hardware is a purpose-built solution and is accessibly priced for a home office setup.
“After experiencing remote work ourselves for the past several months, it was clear that we needed to innovate a new category dedicated to remote workers,” said Eric S. Yuan, Zoom CEO. “I’m so proud of the team for continuing to think outside the box and prove why Zoom is the best unified communications platform that can meet the needs of all types of users.”
“With employers and employees working through what the future of work will look like, it is important that people feel set up for success,” said Rich Costello, Senior Research Analyst, IDC. “Three months ago, it was making sure employees had the right ergonomic setup.
“We’ve now moved to the phase of making sure employees have the right devices to enable productivity. The Zoom from Home category is a powerful way for the company to reach a work-from-home audience that craves tools to help with engagement, connection and collaboration.”
Video conference users should not post screen images of Zoom and other video conference sessions on social media, according to Ben-Gurion University of the Negev researchers, who easily identified people from public screenshots of video meetings on Zoom, Microsoft Teams and Google Meet.
Zoom image collage with detected information, along with extracted features of gender, age, face, and username
With the worldwide pandemic, millions of people of all ages have replaced face-to-face contact with video conferencing platforms to collaborate, educate and celebrate with co-workers, family and friends. In April 2020, nearly 500 million people were using these online systems. While there have been many privacy issues associated with video conferencing, the BGU researchers looked at what types of information they could extract from video collage images that were posted online or via social media.
“The findings in our paper indicate that it is relatively easy to collect thousands of publicly available images of video conference meetings and extract personal information about the participants, including their face images, age, gender, and full names,” says Dr. Michael Fire, BGU Department of Software and Information Systems Engineering (SISE). “This type of extracted data can vastly and easily jeopardize people’s security and privacy, affecting adults as well as young children and the elderly.”
The researchers report that it is possible to extract private information from collage images of meeting participants posted on Instagram and Twitter. They used image processing and text recognition tools as well as social network analysis to explore a dataset of more than 15,700 collage images and more than 142,000 face images of meeting participants.
Artificial intelligence-based image-processing algorithms helped identify the same individual’s participation at different meetings by simply using either face recognition or other extracted user features like the image background.
The researchers were able to spot faces 80% of the time as well as detect gender and estimate age. Free web-based text recognition libraries allowed the BGU researchers to correctly determine nearly two-thirds of usernames from screenshots.
The researchers identified 1,153 people who likely appeared in more than one meeting, as well as networks of Zoom users in which all the participants were coworkers. “This proves that the privacy and security of individuals and companies are at risk from data exposed on video conference meetings,” according to the research team, which also includes BGU SISE researchers Dima Kagan and Dr. Galit Fuhrmann Alpert.
Cross-referencing facial image data with social network data may cause greater privacy risk as it is possible to identify a user that appears in several video conference meetings and maliciously aggregate different information sources about the targeted individual.
Data extraction process
The research team offers a number of recommendations to prevent privacy and security intrusions. These include not posting video conference images or videos online; using generic pseudonyms like “iZoom” or “iPhone” rather than a unique username or real name; and using a virtual background instead of a real one, since a real background can help fingerprint a user account across several meetings.
Additionally, the team advises video conferencing operators to augment their platforms with a privacy mode that applies filters or Gaussian noise to an image, which can disrupt facial recognition while keeping the face still recognizable to humans.
“Since organizations are relying on video conferencing to enable their employees to work from home and conduct meetings, they need to better educate and monitor a new set of security and privacy threats,” Fire says. “Parents and children of the elderly also need to be vigilant, as video conferencing is no different than other online activity.”
A zero-day vulnerability in Zoom for Windows may be exploited by an attacker to execute arbitrary code on a victim’s computer. The attack doesn’t trigger a security warning and can be pulled off by getting the victim to perform a typical action such as opening a received document file.
Acros Security, the creators of 0patch, have pushed out a micropatch that will close the security hole until Zoom Video Communications delivers a fix.
About the vulnerability
The vulnerability was discovered by an unnamed researcher and reported to Acros Security, who reported it to Zoom earlier today.
It is present in all supported versions of the Zoom client for Windows, and the 0patch team created a micropatch for all of them (from v5.0.3 up to the latest one, v5.1.2).
The flaw is only exploitable if the client is installed on Windows 7 and older Windows systems, due to a specific system property.
“The flaw is likely also exploitable on Windows Server 2008 R2 and earlier though we didn’t test that; either way, our micropatch will protect you wherever you’re using the Zoom client,” Acros Security CEO Mitja Kolsek told Help Net Security.
“While Microsoft’s official support for Windows 7 has ended this January, there are still millions of home and corporate users out there prolonging its life with Microsoft’s Extended Security Updates or with 0patch,” he noted.
He also says that the flaw can be exploited through several attack scenarios, but that they will refrain from publishing more detailed information and the PoC exploit until Zoom fixes the issue or decides not to fix it.
Options available to users
Until Zoom pushes out a fix, the options for users who wish to stay safe are as follows:
- Temporarily stop using Zoom
- Update Windows to a newer version
- Implement the micropatch.
“We were able to quickly create a micropatch that removes the vulnerability in four different places in the [software’s] code,” Kolsek noted. The micropatches are available for free to all 0patch users until a fix is released.
“0patch is designed such that when a vulnerable executable module is replaced by a new version, any micropatches that were made for that vulnerable module automatically stop applying (because the cryptographic hash of the module changes). When Zoom issues an updated Client for Windows and you install it on your computer, our micropatch will become obsolete,” he explained.
“In case this updated Zoom Client does not fix this vulnerability, we’ll port the micropatch and make it available for free as quickly as possible.”
Zoom Video Communications has decided to extend the benefits of end-to-end encryption (E2EE) not only to paying Zoom customers, but to those who create free accounts, as well.
The decision was reached after much public outcry by privacy-minded users and privacy advocates. As famed cryptographer and privacy specialist Bruce Schneier noted, “we are learning – in so many areas – the power of continued public pressure to change corporate behavior.”
Zoom does an about-face on E2EE
Zoom CEO Eric Yuan announced their decision to bring E2EE to paid users only in early June. He explained that they want to be able to help law enforcement in investigations and that people who use Zoom to disrupt online meetings and to engage in criminal acts and facilitate horrible abuse generally use free (quasi-anonymous) accounts.
In the meantime, though, they’ve found a solution that will allow them to offer E2EE as an advanced add-on feature for all users while maintaining the ability to prevent and fight abuse.
“To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message,” Yuan explained this Wednesday.
“Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.”
E2EE for everyone
The decision was welcomed by the Electronic Frontier Foundation, though they pointed out that phone numbers were never designed to be persistent all-purpose individual identifiers, and using them as such creates new risks for users.
“In different contexts, Signal, Facebook, and Twitter have all encountered disclosure and abuse problems with user phone numbers. At the very least, the phone numbers that users give Zoom should be used only for authentication, and only by Zoom. Zoom should not use these phone numbers for any other purpose, and should never require users to reveal them to other parties,” they noted.
An early beta of the E2EE feature is scheduled to be introduced by Zoom in July 2020. The feature will be optional because it limits some meeting functionality, and account administrators will be able to switch it on or off at the account and group level.
“Companies have a prerogative to charge more money for an advanced product, but best-practice privacy and security features should not be restricted to users who can afford to pay a premium,” they added.
The EFF has called on other companies that provide communication tools to provide E2EE encryption to both users who pay for their services and those who don’t.
As Zoom continues on its path to bring end-to-end encryption (E2EE) to users, the big news is that only paid users will have access to the option.
“Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Zoom CEO Eric Yuan said on a company earnings call on Tuesday.
Zoom encryption and end-to-end encryption
- All users – whether using free or paid accounts – now have the option of using AES 256-bit GCM encryption for their Zoom meetings and webinars. To take advantage of it, they have to upgrade their Zoom client (mobile or desktop app) to v5.0 or any of the later ones
- The company has released a draft design of their end-to-end encryption capability on GitHub and is hosting discussions with cryptographic experts, nonprofits, advocacy groups, customers, and others to solicit feedback for the final design.
- The company plans to add multi-factor authentication options for free and Pro users in the future (near or far, they didn’t specify).
“Our top priority is to focus on building effective end-to-end encryption for our meeting product first, where it will be most useful. We are considering end-to-end encryption options for Zoom Chat, Zoom Phone, and Zoom Video Webinars down the road,” the company stated.
E2EE just for those who pay for an account
Encrypted communications can be decrypted by the service provider if law enforcement demands it because they have the encryption key. With E2EE, the encryption keys are created and remain on the devices of the people involved in the communication.
Yuan’s explanation of why end-to-end encryption would not be available to free accounts has been fleshed out by Alex Stamos, former Facebook CISO and current adjunct professor at Stanford University’s Center for International Security and Cooperation, who’s now also a security and privacy adviser to Zoom.
Some facts on Zoom’s current plans for E2E encryption, which are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues.
The E2E design is available here: https://t.co/beLdeAwMSM
— Alex Stamos (@alexstamos) June 3, 2020
In short, Zoom’s decision is motivated by the need to find a way to deal, in conjunction with law enforcement, with people who disrupt meetings (often repeat offenders).
“The other safety issue is related to hosts creating meetings that are meant to facilitate really horrible abuse. These hosts mostly come in from VPNs, using throwaway email addresses, create self-service orgs and host a handful of meetings before creating a new identity,” Stamos explained.
He concedes that not offering E2EE to free tier users will not eliminate all abuse, but that “since the vast majority of harm comes from self-service users with fake identities this will create friction and reduce harm.”
Privacy and digital rights advocates have argued that this decision will also ultimately hurt vulnerable groups such as activists, journalists, nonprofits, domestic violence victims – groups that desperately need E2EE but might not have the resources to splurge for a paid plan.
Zoom’s decision comes at a time when a new piece of legislation (the EARN IT Act) is being pushed through the US Congress that is expected to ultimately force/incentivize tech and internet companies to abandon plans to offer end-to-end encryption to users.
Zoom has acquired Keybase, a secure messaging and file-sharing service. The acquisition of this exceptional team of security and encryption engineers will accelerate Zoom’s plan to build end-to-end encryption that can reach current Zoom scalability. The terms of the transaction were not disclosed.
“There are end-to-end encrypted communications platforms. There are communications platforms with easily deployable security. There are enterprise-scale communications platforms. We believe that no current platform offers all of these. This is what Zoom plans to build, giving our users security, ease of use, and scale, all at once,” said Eric S. Yuan, CEO of Zoom.
“The first step is getting the right team together. Keybase brings deep encryption and security expertise to Zoom, and we’re thrilled to welcome Max and his team. Bringing on a cohesive group of security engineers like this significantly advances our 90-day plan to enhance our security efforts.”
“Keybase is thrilled to join Team Zoom!” said Max Krohn, Keybase.io co-founder and developer. “Our team is passionate about security and privacy, and it is an honor to be able to bring our encryption expertise to a platform used by hundreds of millions of participants a day.”
As members of Zoom’s security engineering function, the Keybase team will provide important contributions to Zoom’s 90-day plan to proactively identify, address, and enhance the security and privacy capabilities of its platform. Krohn will lead the Zoom security engineering team, reporting directly to Yuan. Leaders from Zoom and Keybase will work together to determine the future of the Keybase product.
Obsidian Security announced protection for Zoom, enabling organizations to safely embrace the leading video communications service as a business-critical application.
Using Obsidian, Zoom customers have enterprise-level monitoring, detection, and response capabilities from a security, compliance, and risk perspective. This is the latest addition to a set of rich integrations that Obsidian has built with SaaS-based collaboration products such as G Suite, Office 365, Salesforce, Slack, Box, Dropbox, and GitHub to enable secure collaboration in a cloud-first world.
“Board meetings, medical appointments, and critical customer calls are all occurring over Zoom. Security teams are grappling with how to prevent account misuse and ensure that only the right people are in these meetings,” said Glenn Chisholm, CEO of Obsidian. “Understanding who joined the meeting, from where and when, as well as whether they recorded the meeting is critical. Obsidian helps customers tackle this challenge with continuous monitoring and automated detection.”
The Obsidian cloud detection and response platform aggregates, normalizes, and enriches data around user access and activity from an organization’s SaaS applications. Obsidian has built deep integrations with leading SaaS-based communication and collaboration platforms that organizations are increasingly relying on to get remote work done.
Security teams can monitor user activity and get timely alerts to protect against accidental oversharing and insider threat, and to detect and respond to account compromise and data breaches.
Obsidian’s Zoom integration lets security teams not only monitor who is using the service, but how they are using it. Obsidian generates insights and alerts related to a variety of risks and threats:
- Application misconfigurations that violate security best practices
- Risky user behavior that exposes accounts to takeover and misuse
- Account compromise, data breaches, and insider threat
Support for Zoom in the Obsidian platform is available today to customers. Zoom customers can get started in minutes by connecting their organization’s Zoom account to the Obsidian service. Obsidian offers a free, no-obligation two-week trial.
A few days ago, we outlined several phishing campaigns going after Zoom and WebEx credentials of employees. Two new ones are trying to exploit their (at the moment very rational) fears by delivering fake “Zoom meeting about termination” emails and fake notifications about COVID-19 stimulus/payroll processing.
Phishing for Zoom credentials
Spotted by Abnormal Security, one phishing campaign comes in the form of emails seemingly coming from the organization’s Human Resources department, urging the recipient to attend a Zoom meeting scheduled to start in a few minutes:
The purported topic of the meeting? The employee’s termination.
The provided link takes the victim to a spoofed Zoom login page hosted on zoom-emergency.myftp.org.
“The email looks and is formatted like a legitimate meeting reminder commonly used by Zoom. The landing page is also a carbon copy of the Zoom login page; except the only functionality on the phishing page are the login fields used to steal credentials. Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credentials,” the company notes.
“Frequent Zoom users would look at the login page, think their session has expired, and attempt to sign in again. They would be more likely to input their login credentials without checking the abnormalities in the phishing page such as the URL or non-functioning links.”
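The URL abnormality is the one signal a mail gateway or a link-rewriting proxy can check automatically. The Go program below is an added example, not Abnormal Security’s tooling: it parses a link, decides whether the host really sits under zoom.us (an assumed allowlist), and flags brand lookalikes such as zoom-emergency.myftp.org, links with userinfo before the “@”, and anchors whose visible text disagrees with their destination.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed example, not Abnormal Security's detection logic. The allowlist of
// legitimate Zoom domains is an assumption made for the illustration.
var legitimateZoomDomains = []string{"zoom.us"}

// Verdict records the host a link really points at and why it was, or was not, flagged.
type Verdict struct {
	Host   string
	Flag   bool
	Reason string
}

// underDomain is true for the domain itself and its subdomains, but not for
// lookalikes such as "zoom.us.example.test" or "notzoom.us".
func underDomain(host, domain string) bool {
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// CheckZoomLink flags links that borrow the Zoom brand without being served from a
// legitimate Zoom domain. Userinfo before "@" is flagged because the part a reader
// sees first is then not the host the browser connects to.
func CheckZoomLink(raw string) Verdict {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Hostname() == "" {
		return Verdict{"", true, "no host to verify; treat as suspicious"}
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if u.User != nil {
		return Verdict{host, true, fmt.Sprintf("userinfo %q precedes the real host %s", u.User.Username(), host)}
	}
	for _, d := range legitimateZoomDomains {
		if underDomain(host, d) {
			return Verdict{host, false, "served from legitimate Zoom domain " + d}
		}
	}
	if strings.Contains(host, "zoom") {
		return Verdict{host, true, "Zoom brand in hostname outside legitimate domains"}
	}
	return Verdict{host, false, "no Zoom brand claim in hostname"}
}

// CheckAnchor compares a link's visible text with its real destination: a lure can
// display a zoom.us address while the href points somewhere else entirely.
func CheckAnchor(text, href string) Verdict {
	dest := CheckZoomLink(href)
	shown := CheckZoomLink(text) // Host is empty when the text is not a URL
	if shown.Host != "" && shown.Host != dest.Host {
		return Verdict{dest.Host, true,
			fmt.Sprintf("link text shows %s but destination is %s", shown.Host, dest.Host)}
	}
	return dest
}

func main() {
	// Constructed sample links; the first host is the one named in the campaign above.
	for _, link := range []string{
		"https://zoom-emergency.myftp.org/signin",
		"https://zoom.us/j/123456789",
		"https://zoom.us@zoom-emergency.myftp.org/signin",
		"https://zoom.us.example.test/signin",
	} {
		v := CheckZoomLink(link)
		fmt.Printf("flag=%-5v host=%-32s %s\n", v.Flag, v.Host, v.Reason)
	}
	a := CheckAnchor("https://zoom.us/j/123456789", "https://zoom-emergency.myftp.org/signin")
	fmt.Printf("flag=%-5v host=%-32s %s\n", a.Flag, a.Host, a.Reason)
}
```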
Phishing to deliver malware
The second phishing campaign is made to look like an email from an outsourced HR contractor informing employees of additional stimulus being provided to them and asking recipients to view the latest Payroll Report:
The email contains a link to a fake payroll report hosted on Google Docs, which contains another link inside it.
“The document claims that the report cannot be viewed on mobile devices, and that it can only be viewed via corporation desktop computers. However, this second link leads to a malware download,” the company shared.
“This attack utilizes growing concerns regarding employee payroll during the COVID-19 pandemic. Users are likely to read this message, and rush to claim their supposed stimulus while ignoring obvious red flags along the way. Whether this is a result of greed or desperation, attackers are able to manipulate users into downloading harmful files.”
Opening a single email with a malicious URL or attachment can threaten your organization. In this interview, Liron Barak, CEO at BitDam, discusses the cybersecurity issue related to remote work, the inadequate security of collaboration tools, and more.
Working remotely is now a reality for most global organizations. What cybersecurity issues do you expect companies to encounter in the months ahead due to this change?
There are many security issues in working remotely. In addition to the technical risks associated with working from a location other than the organization’s facilities (perhaps not using their corporate computer or not using a proper VPN), organizations nowadays face a new challenge – the enormous increase in the use of IM and collaboration tools such as MS Teams, Zoom, Google Hangouts and others as well as cloud drives like Box, Google Drive or OneDrive which are not as secure as one may think.
This dramatic growth in the usage of such tools in general is a fertile ground for cyberattacks. Bad actors use these platforms to send malicious files or links and use this for phishing too. Employees are not always deeply familiar with all business collaboration tools and may be fooled, especially since these tools are typically not secured by Advanced Threat Protection (ATP).
In addition to that, we see a general increase in hackers’ activity around the COVID-19 crisis. Attackers take advantage of the fact that people are less focused, and mainly scared about anything related to this new reality that all of us experience. They send malicious or phishing emails, impersonating official bodies or someone who is trying to help, get the victims’ trust and thus lure them to click something or provide their personal details.
How can the inadequate security of some collaboration tools impact an organization? What can they do about it?
This can have a devastating effect on organizations. The data breaches that we occasionally hear about, huge ransomware incidents, phishing attacks and other types of cyberattacks usually start with some kind of content-based malware. Or in other words, a malicious file or a link, sent to an innocent employee who opens it. It doesn’t really matter how this malware is sent. It could be through email, in a file shared on Google Drive, sent as a link on Zoom or delivered as an attachment using MS Teams. For the attacker, this really doesn’t make any difference.
As someone who used to be at “the other side of the fence”, I can spend hours talking about hackers’ strategies in how to deliver malware. To make it short, I will just say that they normally choose either the weakest link in the chain as the delivery method, or attack vector, if you will. Or, they will select the most common channel, and spray the attack assuming that if they send it to a large number of people, someone will be fooled. The latter is the reason that 92% of malware is sent via email.
However, attackers are agile and they are likely to take advantage of the current situation (in fact, they already started doing so). Since suddenly, a much larger number of people use VC and IM platforms, and since these tools are known for their lack of security (and for sure being less secure than email), it’s just a matter of time until we all hear about the cyberattacks that started in platforms like Zoom or Teams.
Organizations should be proactive about this and deploy security solutions that are dedicated to these collaboration platforms. It was ok not to focus the organization’s security strategy on these channels in the past, but now, things are different. As traffic on these channels grows – and we see it every day at our customers’ environments – security leaders should refer to these platforms as potential penetration points and secure them accordingly.
What advice would you give to the security team of an organization that finds hundreds of its employees suddenly working remotely?
In a normal situation, I would say “combine training and education with technological tools to protect the business as well as your employees”. But let’s be fair. In this crazy crisis and level of uncertainty, we can’t really expect employees who struggle to keep working as expected to focus on IT security training. Therefore, I would advise security teams to act quickly, and adopt a security solution that would protect against malware across the collaboration tools used by their organization.
This doesn’t have to be a hassle and doesn’t necessarily involve a long deployment or overhead to IT teams. There are cloud-based solutions that can be deployed within a few clicks. Some of them are even offered for a discount or free these days, as vendors are trying to support the global problem.
Email is still widely used in the corporate environment. Unfortunately, we see malicious files regularly bypass leading email security products. What can explain the shortcoming of these products?
As I mentioned, email is still the preferred attack vector by hackers. Why? Because it is working for them. It is true that most organizations have some kind of Secure Email Gateway, and many of them even have advanced security layers for their emails such as Office ATP or Proofpoint TAP. Unfortunately, a recent study shows that some attacks penetrate even those advanced security solutions. In fact, on average, between 25% and 35% of the unknown threats that emerge every day bypass them. The reason is quite simple. All these solutions are data-driven, meaning that they rely on knowledge of cyberattacks that they’ve encountered in the past in order to detect new attacks, which are similar to the old ones in one way or another.
The problem is that cyber attackers are sophisticated and they found ways to bypass this mechanism easily. They do so by using automation to generate large numbers of variants of the same attacks very quickly. The variants are slightly different from each other. Different enough to go below the radar of the security solutions. By the time the email security solution identifies a new variant as a threat (which takes hours or even days), there is a newer variant in place.
As long as email security continues to be based on data, this problem will remain. A different approach is needed in order to detect attacks at first encounter.
BitDam’s Advanced Threat Protection (ATP) is threat-agnostic. Can you tell us more about its features and how it integrates with an existing security infrastructure?
BitDam is focused on protecting organizations from content-borne attacks, or in other words, ensuring that every piece of content – file or link – that reaches the employees will be safe. BitDam’s ATP solution is not data driven and thus is threat-agnostic. We don’t collect data about threats. Therefore we are able to automatically protect against new variants of known threats when we first encounter them.
Instead of focusing on the malicious behavior and our familiarity with the threat, we focus on the legitimate behavior of business applications such as MS Word, PowerPoint, Safari and Adobe Reader, which attackers use to deliver their attack to end-users. We use a whitelisting approach on these applications, allowing us to detect malicious activities of any type.
This scanning is done before the end-user gets the file or link, no matter which collaboration tool they use. BitDam ATP is cloud-based and available for O365 and G-Suite users, allowing security teams to secure enterprise email as well as other collaboration channels such as cloud drives (OneDrive, Google Drive, Dropbox, Box), IM (Teams, Slack) and VC (Zoom, Teams, Skype) within a few clicks.
Phishing emails impersonating Zoom and WebEx
“Video conferencing has become very popular very quickly. Attackers have noticed and moved to capitalize on that popularity and brand strength,” noted Sherrod DeGrippo, Senior Director of Threat Research at Proofpoint.
“Not only are attackers using video conferencing brands as a lure for malware, but they’re using it for credential phishing, in particular to steal Zoom and WebEx credentials.”
Some of the lures are not particularly original, but will surely fool some of the targets. For example, an email that welcomes users to their new Zoom account and requests them to activate their account, or an email that claims that the user has missed a scheduled Zoom conference meeting (see above).
In both cases, the attackers are after account credentials, either for Zoom or for the target’s email account.
The fake emails purportedly coming from Cisco are a mishmash of unconnected visual elements and subject lines that command attention (e.g., “Critical Update!” or “Alert!”):
Many targets will spot the malicious nature of the email almost immediately, as it warns about an old vulnerability in software that has nothing to do with Cisco WebEx (apart from the fact that both are developed by Cisco). But there are always some recipients who panic or are inattentive enough at the moment of perusal and will end up entering their login credentials.
The value of compromised video conferencing accounts is obvious. “Stolen account credentials could be used to login to corporate video conferencing accounts and violate confidentiality. They also could likely be sold on the black market or used to gain further information about potential targets for launching additional attacks,” DeGrippo noted.
Malware delivery campaign
The researchers have also spotted an email malware delivery campaign that does not impersonate the aforementioned developers of video conferencing solutions, but does exploit their widespread use.
The emails are made to look like they are coming from a potential client who asked for a quote, say the sender is available for a call via Zoom, and carry a booby-trapped Excel file as an attachment, supposedly containing the sender’s schedule.
To view the contents, the recipient is asked to enable macros. If they do, the macros execute a script that, unbeknownst to the victim, installs a legitimate remote control application, which the attackers then use to access files and information on the compromised system.
Users are warned to be on the lookout for these and similar lures, and to keep in mind that phishers love nothing more than (ab)using popular brands as social engineering lures. These specific campaigns were directed at employees in US companies in the technology, accounting, aerospace, energy, healthcare, telecommunications, transportation, government, and manufacturing sectors.
ZeroFOX has extended its artificial intelligence (AI) powered platform to now include advanced cyberattack protection capabilities for business collaboration platforms.
As adoption of these remote work platforms has exploded, emerging threats have developed to capitalize on that adoption. Zoom, in particular, has been the target of many such attacks. The ZeroFOX Alpha Team uncovered thousands of cracked Zoom accounts for sale on a single hacking forum and entire websites dedicated to sharing insecure Zoom call IDs.
Although Zoom has recently released updates focused on security and privacy, attackers are still able to easily target organizations and their employees through a variety of attacks that abuse the platform. It is critical to safeguard private information and users that leverage these collaboration platforms to do their jobs on a daily basis.
Remote work and business collaboration platforms like Zoom and Slack are rapidly expanding the publicly accessible attack surface of every organization. Organizations using these digital platforms require visibility and protection to identify risks like sensitive information leakage, malicious links and file sharing, and compliance violations.
To help organizations immediately address these issues, ZeroFOX is offering complimentary Zoom and Slack protection during this unprecedented time.
“Continuing a quick pace of innovation and maintaining world-class protection during this pandemic for the benefit of our customers is our priority,” said James C. Foster, CEO of ZeroFOX.
“We have seen a 189% increase in phishing-related attacks over the past six months and unsuspecting employees are the number one target of phishing attacks. We know that modern organizations rely heavily on Zoom and Slack to support operations while most employees are working from home today due to COVID-19. We are proud to offer our customers complimentary access to our advanced security protection for Zoom and Slack.”
The ZeroFOX Enterprise Remote Workforce Protection solution provides customers the ability to secure and gain visibility into threats targeting collaboration platforms that traditional cybersecurity tools miss.
- Advanced Security for Zoom ensures the organization has secure video conferencing and collaboration, free from Zoombombing and other security issues recently experienced by many organizations. The solution will ensure secure password-enabled meetings, identify malicious and fraudulent Zoom links, and protect credentials on Zoom. In addition, the solution enables organizations to identify and take down fraudulent Zoom meetings and links pretending to be your brand or people to interact with customers, partners, or employees.
- Advanced Security for Slack automates how organizations establish compliance and inline protection within the team collaboration application. With turnkey set-up, the organization will receive real-time notifications and automated remediation for inappropriate content, malicious links and files, and sensitive data shared on Slack channels. Advanced threat protection is the cornerstone for establishing good work from home (WFH) compliance policies and protecting companies from potential exposures.
ZeroFOX is offering a 15-day trial to help organizations protect their employees, customers and partners on Zoom and Slack. Organizations that rely on these business collaboration platforms to enable employees to complete work in a WFH world can activate and immediately secure these channels.
Zoom is in crisis mode, facing grave and very public concerns regarding the trust in management’s commitment for secure products, the respect for user privacy, the honesty of its marketing, and the design decisions that preserve a positive user experience. Managing the crisis will be a major factor in determining Zoom’s future.
The company has recently skyrocketed to new heights and plummeted to new lows. It is one of the few communications applications that is perfectly suited to a world beset by quarantine actions, yet has fallen from grace because of poor security, privacy, and transparency issues. Governments, major companies, and throngs of users have either publicly criticized or completely abandoned the product.
No company wants to be in this position: faced with dealing with mistakes publicly at a time when they are experiencing unimaginable growth. Zoom is sputtering to stay relevant, fend off competition, and emerge intact.
Knowing how to respond and manage product security incidents is becoming more important for digital companies. Zoom is an excellent test-case to explore the lessons in crisis management. These lessons are valuable to every product and service organization which could face a loss of customer confidence. It would be wise for business leadership in every industry to take an introspective look and understand how they can effectively respond during such a crisis. Preparation provides an advantage and gives insights that may help avoid catastrophe.
Cybersecurity is a discipline in managing the risks to security, privacy, and safety. It does not eliminate them, but rather seeks to find an optimal balance between the risks, costs, and usability. That means there will always be a chance for undesired impacts. If managed properly from the onset, the minimization of those residual risks can also be handled in ways that reduce the negative effects.
Crisis response is a specialty that benefits from forethought, experience, leadership, and skills.
I have led crisis response teams over the years and been fortunate to be part of strong teams that handled events with speed, efficiency, and professionalism. I have also witnessed complete train-wrecks where the wrong people were attempting to lead, focus was misplaced, valuable time and resources were squandered, legal instruments were applied to hide the truth, communication was confusing, and feeble attempts leveraging marketing to “spin messages” were preferred over actually addressing issues head-on. Poor leadership is caustic, and can result in more problems and a prolonged recovery.
Crisis response is a complex dance. It requires a clearly defined objective to pursue and an understanding of the opposition, obstacles, and resources. Executive support is required, but not necessarily welcome in all decisions. Time is a crucial resource as is the morale and commitment of employees. It is normally a thankless job, as the best-case scenario is the situation is resolved and quickly fades from memory.
But enough with the platitudes. Let’s dive into some specifics with an interesting use-case which is currently unfolding.
Zoom crisis: The test-case
Zoom has a number of technical, behavioral, and process issues to address, in order to dig themselves out of the hole in which they currently find themselves. The goal of their response should be to restore the confidence in the Zoom products and its organization. To do this, the company must evolve to better proactively manage the risks of product vulnerabilities, avoid design decisions that weaken privacy and allow for abuse, and foster trust by being accurate and transparent with users, regulators, and stockholders. Every crisis that is comprehensively managed is painful, as it requires accountability, commitment, and disruptive change.
Let’s go down the list of challenges and best-practices.
First and foremost, it takes executive management support for an organization to rally together to address a significant crisis. Time, resources, and even goodwill must be applied from across the company. There are opportunities that must be sacrificed and trade-offs made. Fortunately, Zoom’s CEO has aggressively come forward to recognize the issues, personally taken responsibility, and committed to restoring trust.
Although falling on one’s sword is not necessary for a CEO, it does eliminate much of the wasted time normally allotted to the blame-game, finding a scapegoat, or being lured by the attractiveness of trying to use marketing tricks to spin or change the narrative. Quickly and openly taking responsibility for shortcomings is a shortcut to align focus toward resolution and shows seriousness in ensuring processes will be in place to protect from future issues.
A strong and capable leader is required to oversee a crisis. It is a specific discipline and not one recommended to be led by the inexperienced. Assigning the wrong person to lead a crisis is the single greatest mistake I have seen in the past.
Marketing and legal people should be part of the team but never lead the crisis response. They look at crisis events through the lens of what they know and the capabilities they can bring into play. They immediately move to conceal, deny, ignore, find blame elsewhere, or focus on spinning the media messages rather than addressing the root problems. This can work to distract for a time and delay some pain, but is not the best path to an expedited, comprehensive, and sustainable solution. In fact, their actions can cause considerable deterioration of the already weakened trust by consumers.
CEOs should initiate, support, define the goals, approve major changes, deliver sweeping announcements, and identify a crisis leader, but not take charge. Again, a specific set of skills is required. Can a CEO get the job done? Potentially, but as most executives are not savvy in this area it would be a major struggle; they need to leave it to professionals. A good crisis leader will work closely with the C-suite every step of the way and make sure the right path is illuminated and understood so management can confidently support progress forward.
Although it may seem counterintuitive, engineering should not lead either. Engineers are an integral part of the resolution for design and coding issues, but they should not be leading. They know the technical aspect of the product or service and will be the mighty tool to fix many of the vulnerabilities. However, what Zoom and most other companies face in situations like this includes a combination of technical, behavioral, and process issues. Looking solely through the goggles of an engineer, one only sees part of the problem set and mistakes it for the entire picture.
An experienced crisis manager who understands risks will develop more comprehensive plans that align with the long-term capabilities to prevent recurrence and support the short-term acts necessary to restore trust. They will engage engineers and developers with a prioritized list for them to resolve the technical issues in concert with other efforts necessary to achieve the overall objectives.
Identifying and addressing the root cause is crucial. Analysis will provide insights into what problems have arisen and also highlight what may be next. If the origins are unknown then the chances for another crisis remain high. Proper crisis response is not just about putting out the immediate fire, but also making sure that when things are rebuilt, they aren’t vulnerable to the same issues.
For Zoom the likely root cause was the over-prioritization of rapid go-to-market efforts, which fueled a de-prioritization of product security and an overzealous marketing that didn’t put enough weight on being clear and truthful when it comes to privacy and security. This means there are probably many other vulnerabilities lurking in the product, possibly some sensitive customer data has been gathered at some point, inaccurate marketing materials may be floating about, and the developers are likely not savvy when it comes to security and privacy as part of the Development and Operations (DevOps) lifecycle. The good news is that all these issues can be addressed and, if done correctly, will result in the organization and products becoming stronger and more competitive.
Stop the bleeding. Aligning resources and resolving the most relevant immediate issues of the customers is the top priority. The first step is to freeze all work on new features and reallocate those technical folks to understand and address the known vulnerabilities. This requires time and engineering resources across development, testing, and validation domains. As part of this effort, the underlying configuration issues causing severe user-experience friction (e.g., Zoombombing, session hijacking) or regulatory non-compliance (e.g., privacy) must also be resolved.
In parallel, work must be initiated to address what is not publicly known, which may likely erupt and significantly add to the chaos. What other related issues exist that may have been ignored? With a root cause being people choosing to not invest in security, there are likely advocates in the organization who have been trying to raise issues. It is time for their vindication. These insights, reports, and champions can give great insights to other areas requiring immediate attention.
Setting clear and realistic expectations with customers is very important, as these steps can take some time to complete and may need to be done in stages. This is not the time for marketing spin. Honesty and transparency, mixed with a touch of humility, and presented in a professional manner will lay a foundation for trust. Select executives must be prepared to engage with the customers, resellers, suppliers, vendors, etc. in an open, consistent, and well-informed way. It is okay to not have all the answers and instead communicate how the organization will get there.
For Zoom I would recommend the following:
- Scan the corporate, vendor, and partner environments for customer data that falls outside of the policy and move to delete. If required by law, notify users.
- Proactively engage privacy regulators and customers to outline what steps are being taken to respect their privacy, both in the short and long term, and the processes that will be instituted to provide transparent oversight for their benefit.
- Conduct a vulnerability scan of code, dependencies, and libraries. Professional tools and services should be used. Do not rely upon the knowledge base of the developers. Resolve or mitigate the detected issues and be prepared to provide the audit and supporting proof.
- As part of a security assessment, form an internal blue team to identify technical, configuration, and usage issues that could undermine security, privacy, and trust. This should be a cross-discipline team, not just engineers. Pull from marketing, management, sales, etc. to get the widest possible perspectives. This activity can happen quickly and provide important user-facing issues.
- For a deep-dive assessment, a professional external red team is required. Hire a reputable team and make it a priority for in-house product engineering to help the red team begin their work. This takes time but will find a much more in-depth set of vulnerabilities. No product team initially likes this process, but they will come to respect it and become better engineers because of it.
- Adopt an industry-proven end-to-end encryption technology. For Zoom this is foundational to the restoration of trust and continued patronage by security-conscious customers. Encryption is not easy. Seldom does a product organization get it right, and even getting part of it wrong undermines the whole structure. Do NOT attempt to build or configure this internally. Trust factors are at play here. There are solutions in the industry that are vetted and solid for comprehensive and sustainable data security across untrusted networks and devices. Implement one and be prepared to announce what is being adopted. Good encryption does not require algorithm or configuration secrecy. There will be questions, many of which will need to go to that vendor, so choose wisely.
- Ensure all code changes go through rigorous tests and validation before being rushed into a patch. A poor update can cause major outages, unanticipated issues, and be the cause of even more problems. Now is not the time to take shortcuts. Move as quickly as possible, but adhere to quality control standards.
Marketing will have the challenge of expressing the proactive changes without overselling the credibility. The Advisor role, DPO, and CISO must be competent, experienced, and willing to work with marketing to engage industry experts and the media in pragmatic ways but not contribute to unnecessary news cycles that prolong negative sentiment.
Zoom should adopt all the leadership recommendations, as they overlap and support each other. Understanding and accountability must originate from the top and be established for data privacy, infrastructure security, and the processes incorporated into product development.
In addition to a Security DevOps champion, products require intense and varied testing to detect vulnerabilities. Some of this can and should be done internally for known vulnerabilities, but a professional community is required for a deeper scan to detect unpublished weaknesses. The use of bug bounties, penetration testing, and red teams is an industry best practice. Vulnerability management is a continuous process that begins in development but must persist well after product release and throughout the lifecycle as new vulnerabilities are discovered. This process must be put in place to embed this new way of thinking and operating.
Product vulnerability lifecycle
Recommendations for Zoom to better manage their product vulnerability lifecycle:
- Work with an established bug bounty vendor to set up a continuous program, offering in aggregate ~$1 million in bounties. This economic incentive will draw a global community of security researchers and ethical hackers to thoroughly scrutinize your product in ways you cannot. They will provide you with the data before malicious hackers can take advantage. It is an incredibly powerful decentralized resource.
- Incorporate a code vulnerability scanner into the DevOps processes. Commercial tools and services are available that scan code, or match third-party libraries and dependencies against known vulnerabilities. This becomes a learning tool for your developers as much as it is a security assurance control. DevOps will get better at security over time, thus being less of a productivity sink while accelerating release times for secure products and features.
- Red teams and penetration testing services are expensive, but return a methodical set of results that provide very strong assurance. Incorporate such capabilities for major releases and to prove that critical security holes are actually patched.
- Blue teams are less expensive but still provide value that other controls may overlook. They will find many of the misconfiguration, misuse, and oddball feature settings which can cause user stress by undermining security and privacy. Incorporate a lightweight blue team review for every update that touches the user interface (UI) or any administration function.
- Establish a process for researchers to confidentially engage the product security team to disclose new vulnerabilities. Respect, recognize, and reward those who do.
- Make sure that, by design, the product can be effectively patched. It seems basic, but the details can be tricky. There should also be a way of verifying the patch was successfully installed. Metrics for compliance are important, especially during crisis events, as it will be one of the determining factors for when the crisis can be closed.
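The last point, verifying that a patch actually landed and turning that into a compliance metric, is the kind of check that sounds basic but needs care with version strings. The following is an added example, not Zoom's tooling: it takes a constructed inventory of reported client version strings (hostnames and versions are made up), compares each against the minimum version that carries the fix, and counts anything unparseable as non-compliant, since an unverifiable patch is not a verified one.

```python
"""Patch-compliance metric over a constructed endpoint inventory.

Hypothetical example (not Zoom's own tooling): given the minimum client
version that carries a fix and an inventory of reported client versions,
compute what fraction of endpoints are verifiably patched and list the rest.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory; hostnames and version strings are invented.
# Some clients report a build suffix, one reports nothing usable.
SAMPLE_INVENTORY: Dict[str, str] = {
    "host-a": "4.6.10 (20033.0407)",
    "host-b": "4.6.9 (19253.0401)",
    "host-c": "5.0.0",
    "host-d": "4.6.10",
    "host-e": "unknown",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor.patch as integers; ignore any build suffix.

    Returns None when the string does not start with a dotted triple, so the
    caller can treat the host as unverified rather than guessing.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(reported: str, minimum: str) -> Optional[bool]:
    """True if reported >= minimum, False if older, None if undeterminable."""
    r = parse_version(reported)
    m = parse_version(minimum)
    if r is None or m is None:
        return None
    # Tuple comparison is numeric per component, so 4.6.10 > 4.6.9 as intended
    # (a plain string compare would get this wrong).
    return r >= m


def compliance_report(inventory: Dict[str, str], minimum: str) -> Dict[str, object]:
    """Bucket hosts into patched / unpatched / unknown and compute the ratio."""
    patched: List[str] = []
    unpatched: List[str] = []
    unknown: List[str] = []
    for host, version in sorted(inventory.items()):
        state = is_patched(version, minimum)
        if state is None:
            unknown.append(host)
        elif state:
            patched.append(host)
        else:
            unpatched.append(host)
    total = len(inventory)
    # Unknown hosts count against compliance: only positively verified hosts count.
    ratio = len(patched) / total if total else 0.0
    return {
        "patched": patched,
        "unpatched": unpatched,
        "unknown": unknown,
        "compliance": round(ratio, 3),
    }


if __name__ == "__main__":
    print(compliance_report(SAMPLE_INVENTORY, "4.6.10"))
```

Run against the constructed inventory with a minimum of 4.6.10, three of five hosts verify as patched, one is behind, one cannot be assessed, so compliance is 0.6 and the crisis cannot yet be closed on this metric.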
Incorporating these process enhancements will effectively establish an aggressive and proactive capability to find new vulnerabilities and maintain product security. Over time the organization's capability to produce and sustain secure products will continuously improve. It can be a significant competitive advantage on several fronts.
Privacy and the protection of data are also important. It is a responsibility shared among data owners, the DPO, and the CISO. Process improvement and accountability are expected when crisis situations highlight a lack of confidence in the current system and controls. When trust has been undermined, an independent third party must conduct regular audits. These audits confirm compliance with the policies. They are valuable as a tool to strengthen customer confidence and for discussions with regulators. Zoom should establish a SAS 70 Type 2 type of recurring audit for data acquisition, security, and sharing. For the greatest level of trust, craft the audits so the results can be made public every year.
Establishing a DPO, updating data policies, instituting proper governance and oversight, and acting with transparency with regards to the checks and balances will set the organization on an admirable path that will build credibility as an asset. Privacy and data security continue to grow as important aspects of business. Zoom has an opportunity to showcase respect and responsibility if they maneuver correctly to embrace industry best practices.
I have covered some of the fundamentals for product security crisis response and done a walkthrough of what I would do, beginning Day 1 of leading a crisis response for a Zoom-type incident.
This is just a taste and not a comprehensive compendium. Cybersecurity crisis management is very complex and difficult. Being in the jaws of hourly crisis meetings and making tough decisions about ambiguous situations is grueling work that I don’t wish upon anyone. But if done correctly it can move rapidly and deliver results that benefit users and strengthen the organization.
Responding well to a crisis can highlight the professional, ethical, and adaptive qualities of an organization’s leadership. Optimally, it will enhance customers’ trust in management’s commitment for secure products, respect for user privacy, honesty of its marketing, and designs that preserve a positive user experience. If done poorly, it becomes a protracted blight on an organization, its products, and leadership. Often careers and businesses don’t survive for long.
Zoom has numerous challenges to face. It has already done many things right (you can read the details in its blog and watch a video of CEO Eric Yuan openly discussing the issues and efforts), but it has a long way to go before it restores trust and makes its products secure. Every organization should take a moment to understand what Zoom is going through as a learning opportunity and introspectively explore how they want to avoid or address the risks. Confidence in products and an organization is at stake.
While Zoom Video Communications is trying to change the public’s rightful perception that, at least until a few weeks ago, Zoom security and privacy were low on their list of priorities, some users are already abandoning the ship.
Working on the security and privacy issues
The company initially concentrated their efforts into breaking into the enterprise market and, I believe, Zoom’s recent popularity explosion took even them by surprise.
While they are trying to quickly scale their offering to meet the rising demand, the fact that they’ve concentrated their efforts on usability and made unsavoury trade-offs that affect the product’s security and users’ privacy is coming back to bite them.
To their credit, the company and its CEO threw themselves into full and meaningful crisis management, announcing a temporary moratorium on new features and a shift of all their engineering resources to focus on trust, safety, and privacy issues.
They also quickly fixed most of the issues discovered by users and security researchers and exploited by attackers, announced concrete measures, added more to the list, and continue to add more still.
For example, they say that they are working on implementing more privacy-friendly encryption and that, later this week, every paid Zoom customer will have the option to opt in or out of a specific data center region (except the default), in order to prevent the unneeded (and questionable) routing of their meeting traffic through servers in China.
The company is also working with Luta Security, a consultancy founded and headed by vulnerability disclosure / bug bounty program pioneer Katie Moussouris, on reexamining their bug bounty program.
Some users are done with Zoom
In the meantime, several governments and prominent companies (Tesla, Google) have prohibited staff and employees from using Zoom for work.
According to Blind, who polled 4,392 professionals from various big US companies, 12% of professionals have completely stopped using Zoom due to security issues, and 9% are using Zoom less.
Another thing that can end up pushing some consumers off the Zoom wagon is the fact that criminals are actively phishing for Zoom user credentials and compromising them via credential stuffing attacks, then selling the accounts on hacker forums.
Finally, the fact that Zoom now presents a big target for hackers who are aiming to sell bugs they discover to the highest bidder might cool many a user’s love for the popular video conferencing solution.
The US Senate has become the latest organization to tell its members not to use Zoom because of concerns about data security on the video conferencing platform that has boomed in popularity during the coronavirus crisis.
The Senate sergeant at arms has warned all senators against using the service, according to three people briefed on the advice.
One person who had seen the Senate warning said it told each senator’s office to find an alternative platform to use for remote working while many parts of the US remain in lockdown. But the person added it had stopped short of officially banning the company’s products.
Zoom is battling to stem a public and regulatory backlash over lax privacy practices and rising harassment on the platform that has sent its stock plummeting. The company’s shares have fallen more than 25 per cent from highs just two weeks ago, to trade at $118.91.
Zoom was forced to apologize publicly last week for making misleading statements about the strength of its encryption technology, which is intended to stop outside parties from seeing users’ data.
The company also admitted to “mistakenly” routing user data through China over the past month to cope with a dramatic rise in traffic. Zoom has two servers and a 700-strong research and development arm in China. It had stated that users’ meeting information would stay in the country in which it originated.
The revelations triggered complaints from US senators, several of whom urged the Federal Trade Commission to investigate whether the company had broken consumer protection laws. It also prompted the Taiwanese government to ban Zoom for official business.
The FBI warned last month that it had received reports that teleconferences were being hacked by people sharing pornographic messages or using abusive language — a practice that has become known as “Zoombombing.”
A spokesperson for the company said: “Zoom is working around-the-clock to ensure that universities, schools, and other businesses around the world can stay connected and operational during this pandemic, and we take user privacy, security and trust extremely seriously.
“We appreciate the outreach we have received on these issues from various elected officials and look forward to engaging with them.”
However, the US Department of Homeland Security said in a memo to government cyber security officials that the company was actively responding to concerns and understood how grave they were, according to Reuters. The Pentagon told the Financial Times it would continue to allow its personnel to use Zoom.
The Senate move follows similar decisions by companies including Google, which last week decided to stop employees from downloading the app for work.
“Recently, our security team informed employees using Zoom Desktop Client that it will no longer run on corporate computers as it does not meet our security standards for apps used by our employees,” Jose Castaneda, a Google spokesperson, said. However, he added that employees wanting to use Zoom to stay in touch with family and friends on their mobiles or via a web browser could do so.
The Google decision was first reported by BuzzFeed.
Zoom has tried to stem the tide of criticism in recent days. The company said on Wednesday it had hired Alex Stamos, the former Facebook security chief, as an outside security consultant, days after saying it would redirect its engineering resources to tackle security and privacy issues.
Though some claim that this forced “work from home” situation has shown that many of the discussions that previously required office meetings can actually be expedited simply by exchanging a few emails, there’s no doubt that, for some tasks, face-to-face meetings – even if over the internet – are a must.
Which video conferencing solution should teams (organizations) use, and which consumers?
Zoom Video Communications, the creators of the Zoom remote conferencing service, have benefited the most from this sudden surge of demand for video conferencing solutions. The number of Zoom users has exploded and the name became a synonym for face-to-face online chatting seemingly overnight.
Though the sudden popularity shone a harsh light on the solution's many privacy and security issues, the company recently pledged to do better and outlined their plan. The most recent developments of that plan include the official formation of a CISO Council and Advisory Board and welcoming former Facebook CSO Alex Stamos as an outside advisor.
Nevertheless, the jury is still out on whether or not the service is secure enough for enterprise use (i.e., use where confidentiality is paramount). In fact, many say it’s not, particularly after Citizen Lab researchers revealed that “Zoom uses non-industry-standard encryption for securing meetings, and that there are discrepancies between security claims in Zoom documentation and how the platform actually works.”
For all of those reasons, Google has banned Zoom from corporate computers, though employees can continue to use it through a web browser or via mobile.
The feature was introduced late last year, but is now being touted as the perfect videoconferencing solution for consumers, who don’t have to have a Skype account or download an application to use it. They can simply create a link and send it to friends and family as an invitation to participate in the video call. The participants open the link in Microsoft Edge or Google Chrome, and they are “in” the call.
Microsoft Teams, the company’s unified communication and collaboration platform aimed at enterprise users, offers video conferencing inside the client software.
“Google Meet’s security controls are turned on by default, so that in most cases, organizations and users won’t have to do a thing to ensure the right protections are in place,” the company noted.
The solution employs anti-hijacking measures for both web meetings and dial-ins and makes it difficult to brute force meeting IDs (a problem Zoom has).
“We limit the ability of external participants to join a meeting more than 15 minutes in advance, reducing the window in which a brute force attack can even be attempted. External participants cannot join meetings unless they’re on the calendar invite or have been invited by in-domain participants. Otherwise, they must request to join the meeting, and their request must be accepted by a member of the host organization,” the company added.
Several new features make it impossible for participants to remove or mute meeting creators or allow external (not officially invited) participants to join via video.
Additional security advantages of using Google Meet include:
- It works with Google accounts (which can be secured with 2FA)
- All data is encrypted in transit by default. “For every person and for every meeting, Meet generates a unique encryption key, which only lives as long as the meeting, is never stored to disk, and is transmitted in an encrypted and secured RPC (remote procedure call) during the meeting setup,” Google says.
- A secure-by-design infrastructure
- Compliance controls, and more
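The anti-hijacking controls quoted above combine three decisions: in-domain participants are admitted, external participants are processed only inside a short window before the scheduled start, and external participants not on the invite must knock and be accepted by someone in the host organization. The block below is an added example (not Google's or Zoom's code) that models that join policy as a single decision function over a constructed meeting; the 15-minute window is taken from the text, while the domain check, the invite list and the approval rule are assumptions about how such a policy would be expressed.

```python
"""Join-policy guard modelling the meeting-admission controls described above.

Hypothetical example (not Google's or Zoom's code). A join request is either
admitted outright, must knock and wait for approval, or is rejected, based on
domain membership, the calendar invite list and how far ahead of the scheduled
start the request arrives. Shrinking the window in which external join
requests are processed at all is what limits meeting-ID guessing.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Set

# External participants may join at most this long before the start (from the text).
EARLY_JOIN_WINDOW = timedelta(minutes=15)


@dataclass
class Meeting:
    host_domain: str                        # organization that owns the meeting
    start: datetime                         # scheduled start time
    invitees: Set[str] = field(default_factory=set)  # addresses on the calendar invite


def _domain(email: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return email.rsplit("@", 1)[-1].lower()


def join_decision(meeting: Meeting, email: str, now: datetime) -> str:
    """Return 'admit', 'knock' (needs host-org approval) or 'reject'."""
    if _domain(email) == meeting.host_domain.lower():
        # In-domain participants are trusted by the host organization.
        return "admit"
    if now < meeting.start - EARLY_JOIN_WINDOW:
        # Outside the window, external requests are not processed at all, which
        # caps how many join attempts against a meeting ID are even possible.
        return "reject"
    if email.lower() in {i.lower() for i in meeting.invitees}:
        # On the invite: admitted without a knock.
        return "admit"
    # Not invited: must request entry and be accepted by a host-org member.
    return "knock"


def approve_knock(meeting: Meeting, requester: str, approver: str, now: datetime) -> bool:
    """Only a host-organization member may accept a knock, and only for a
    request the policy would actually have put into the knock state."""
    if join_decision(meeting, requester, now) != "knock":
        return False
    return _domain(approver) == meeting.host_domain.lower()


# Constructed sample meeting; the domains and addresses are invented.
SAMPLE_MEETING = Meeting(
    host_domain="example.com",
    start=datetime(2020, 4, 10, 10, 0),
    invitees={"pat@partner.example"},
)

if __name__ == "__main__":
    t = datetime(2020, 4, 10, 9, 50)
    for who in ("alice@example.com", "pat@partner.example", "mallory@other.example"):
        print(who, "->", join_decision(SAMPLE_MEETING, who, t))
```

At 09:50 for a 10:00 meeting the internal user is admitted, the invited external user is admitted, and an uninvited external address is put in the knock state; the same invited external user asking at 09:30 is rejected outright because the window has not opened yet.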
There are other options
The solutions outlined here are not the only options for one-on-one video conferencing or video conferencing for teams, just those most widely used at the moment. There's also GoToMeeting, Adobe Connect, Jitsi Meet (an open source solution), Samepage, TeamViewer, join.me, and many others.
We are, by no means, advising for the use of one solution instead of another. It's on users and enterprises to evaluate which solution is the right one for them based on their requirements and risk model/appetite.
Since the advent of Covid-19, remote conferencing tools have been a lifesaver for all those stuck at home, forced to work and socialize online. Zoom, in particular, has witnessed a massive influx of new users, which led to increased scrutiny from information security researchers.
In the last few weeks, many of Zoom’s privacy and security issues have been pinpointed and publicized, including:
- The attendee attention tracker feature
- The incorrect claim that Zoom meetings/webinars were capable of using end-to-end encryption
- The iOS client sending user device information to Facebook (because of the Facebook SDK used)
- A UNC link issue that could result in attackers stealing users' passwords and running malware
- Two vulnerabilities that could be used by attackers with local access to take over a Zoom user's Mac, as well as tap into the device's webcam and microphone. Exploitation of one of these is possible because Zoom uses a shady installation technique also used by some macOS malware. (In a similar vein, last year Zoom stopped installing a hidden web server on Macs that helped with frictionless installation of the tool)
- A feature that provided info on Zoom meeting participants (pulled from LinkedIn)
- Zoombombing (i.e., trolls crashing and disrupting Zoom meetings), additionally exacerbated by lax privacy and security choices made by users and vulnerabilities that allow for the creation of tools like zWarDial, which automates Zoom meeting discovery (The tool hasn’t been publicly released.)
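The UNC link item in the list above is, from a defender's side, a message-rendering problem: a chat client that turns any `\\host\share` string into a clickable link hands the operating system a network path to resolve. The block below is an added example, not Zoom's code, showing a naive linkifier that exhibits that behaviour next to a hardened renderer that HTML-escapes the message, links only http(s) URLs, and reports any UNC paths it saw so they can be logged or flagged. The regular expressions and the sample message are constructed for the example.

```python
"""Chat-message rendering: naive linkifier versus a UNC-aware hardened one.

Hypothetical example (not Zoom's code). The naive version links anything that
looks like a URL or a UNC path, which is the behaviour the article describes.
The hardened version links only http(s) URLs, escapes everything else, and
returns the UNC paths it found so the caller can log or block the message.
"""
import html
import re
from typing import List, Tuple

# UNC path: two leading backslashes, a host, then one or more \segment parts.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+(?:\\[^\s\\<>\"']+)+")
# Only http(s) URLs are ever turned into anchors by the hardened renderer.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# What the naive renderer treats as a link: any token starting with a scheme or \\.
NAIVE_LINK_RE = re.compile(r"(?:https?://|\\\\)\S+")


def naive_linkify(text: str) -> str:
    """The flawed 'before': UNC paths become clickable just like URLs."""
    return NAIVE_LINK_RE.sub(
        lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>',
        html.escape(text),
    )


def find_unc_paths(text: str) -> List[str]:
    """Return every UNC path present in the raw message text."""
    return UNC_RE.findall(text)


def render_message(text: str) -> Tuple[str, List[str]]:
    """Hardened renderer: escape text, link http(s) only, keep UNC paths inert.

    Returns (html_fragment, unc_paths_found). UNC paths stay plain text, so
    clicking the message can never cause a network path lookup.
    """
    unc_paths = find_unc_paths(text)
    parts: List[str] = []
    pos = 0
    for m in URL_RE.finditer(text):
        parts.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        parts.append(f'<a href="{html.escape(url, quote=True)}">{html.escape(url)}</a>')
        pos = m.end()
    parts.append(html.escape(text[pos:]))
    return "".join(parts), unc_paths


if __name__ == "__main__":
    # Constructed sample message; the server name is invented.
    sample = r"minutes are at \\fileserver\share\notes.txt and https://example.com/agenda"
    print("naive   :", naive_linkify(sample))
    print("hardened:", render_message(sample))
```

For the constructed message, the naive renderer emits an anchor whose href is the UNC path, while the hardened renderer leaves the path as text, links only the https URL, and returns the path in its second result for logging.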
Promised Zoom security and privacy improvements
Most importantly, Zoom Video Communications' CEO Eric Yuan publicly pledged that, for the next 90 days, the company will temporarily stop working on new features and shift all their engineering resources to focus on trust, safety, and privacy issues.
He apologized for the company falling short of the community's privacy and security expectations, and said that many of the issues were due to the fact that Zoom was built primarily for enterprise customers (large institutions with full IT support).
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived. These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform,” he noted on Thursday, and promised to “make Zoom better.”
Aside from fixing many of the discovered issues and providing resources for users to use Zoom effectively and safely, Yuan said that they will:
- Engage third-party experts and users to review new consumer use cases to discover possible security and privacy problems arising from them, as well as engage experts to perform a series of simultaneous white box penetration tests for the same reason/goal
- Prepare a transparency report and enhance their bug bounty program
- Consult with various CISOs to stay on top of security and privacy best practices
- Regularly share information about privacy and security improvements they’ve implemented.
Should you use Zoom?
Yuan’s announcement was welcomed by many infosec practitioners, who praised the company’s intention to finally put more effort into the security and privacy of the popular solution.
The issues unearthed the last couple of weeks may have stopped some users from using the app but, in general, it should be relatively safe for personal use – just avoid sharing extremely sensitive data, for a variety of reasons.
Zoom – has bugs like all other software.
Zoom – fixing bugs and being responsible.
Zoom – software I easily taught my dad to use for remote classes over email and WhatsApp.
Zoom – not rated for sensitive data: natsec, confidential sources, etc.
Zoom – use it, it’s fine.
— thaddeus e. grugq (@thegrugq) April 2, 2020