With the coronavirus pandemic forcing millions of people to stay at home, Zoom has become the first choice for remote video conferencing. Its user base has grown accordingly, from 10 million daily meeting participants in December to 200 million in March and more than 300 million in April.
While users flock to Zoom, a string of privacy and security concerns has also come into the spotlight, from the built-in attention-tracking feature to the recent wave of "Zoombombing," in which intruders join meetings uninvited and share inappropriate content, forcing hosts to end the meeting. The company now faces at least three lawsuits.
CNET has collected the news reports on Zoom's security incidents and arranged them by date, most recent first. If you are new to Zoom's security issues, start at the bottom and read upward to catch up. We will continue to update this article as more issues and fixes emerge.
To build out end-to-end encryption, Zoom announced in a blog post on Thursday that it had acquired Keybase, a secure messaging and file-sharing service. Zoom said Keybase will make an important contribution to its 90-day plan to improve security and privacy on the platform. Keybase co-founder Max Krohn will lead Zoom's security engineering team, reporting directly to Zoom founder and CEO Eric Yuan.
Founded in 2014, Keybase specializes in end-to-end encryption and currently employs 25 people. Zoom's recently released version 5.0 encrypts meeting content with the industry-standard AES-256 cipher, but that is transport encryption with keys held by Zoom's servers, not end-to-end encryption; the post says the company will offer an end-to-end encrypted meeting mode for all paid accounts in the future. Zoom also said details of the new encryption design would be published on May 22.
"We will then host discussion sections with civil society, encryption experts and customers to share more details and solicit feedback," Zoom wrote in the post. "Once we have assessed this feedback for integration into a final design, we will announce our engineering milestones and goals for deploying to Zoom users."
In response to the ongoing Zoombombing incidents, the company said it would strengthen the reporting mechanisms available to meeting hosts and attendees and use automated tools to look for evidence of abusive users. Zoom said it would not build any tool that law enforcement could use to decrypt meeting content, nor would it create any encryption backdoor that allows covert monitoring of meetings.
According to a federal intelligence analysis obtained by ABC News, Zoom is vulnerable to foreign government intelligence services. The analysis, reportedly produced by the U.S. Department of Homeland Security's Cyber Mission and Counterintelligence Mission Center, was distributed to government and law enforcement agencies across the country.
The report says security updates to the software may not be effective, because malicious actors can exploit the delay between a patch being released and users installing it, and can reverse-engineer the published patches to find the vulnerabilities they fix. A Zoom spokesman said the report contained serious misinformation.
The Zoombombing incidents continue, and now include child abuse material.
Recent reports describe explicit pornography appearing in academic and government meetings, which witnesses said included racist language and child sexual abuse images.
Students at Fresno State University and Bakersfield College were exposed to child sexual abuse images in two incidents reported on Monday. Both incidents prompted law enforcement investigations.
Earlier in April, a Zoombomber broke into a Berkeley high school class, exposed himself to students and shouted obscenities, prompting school officials to suspend all videoconferencing classes.
In late March, pornography was shown in an online classroom at a Georgia high school, and the same happened in a Utah elementary school classroom in early April. On April 23, a Zoom meeting of the Oklahoma State Board of Education was interrupted when Zoombombers flooded the meeting's chat channel with racial slurs.
Zoom launches security updates
In a blog post on Wednesday, Zoom said it would release new security updates, with a focus on improving encryption. The company said Zoom 5.0 will use AES 256-bit encryption to strengthen privacy protection and will be rolled out to all accounts by May 30.
Other improvements include user interface updates, moving security controls to a more prominent location, broader control over which regional data centers your meeting traffic is routed through, and stronger password requirements for cloud recordings.
The Washington Post reported on Tuesday that the British Parliament will continue to sit under social distancing guidelines by using the Zoom platform. Although votes will also be held remotely, the government said only legislation guaranteed to pass with broad consensus will be put through the platform, because of the risk of a technical failure or a hacker.
Former Dropbox engineer says Zoom knew there was a security vulnerability
According to the New York Times, a former engineer at Dropbox, a Zoom partner, said both companies knew for months about a major security vulnerability that allowed attackers to take control of some users' Mac computers before it was fixed.
After Dropbox reported the vulnerability to Zoom, it took months for the problem to be fixed.
Zoom, whose popularity has surged during the pandemic, has hired dozens of outside security advisers in the past two weeks. Among them are former security and privacy experts from companies such as Facebook, Microsoft and Google, brought in to resolve the security problems quickly, according to people familiar with the matter.
Alex Stamos, Facebook's former chief security officer, said Zoom's move mirrors Microsoft's effort to restore the image of Windows nearly two decades ago. Microsoft's reputation had been damaged by years of security problems that left Windows users exposed to Internet worms and other malware before the company launched its Trustworthy Computing initiative in 2002.
The security firms Zoom has brought in include NCC Group PLC, a British security provider, Trail of Bits, based in New York, Bishop Fox in Tempe, Arizona, and Praetorian Security in Austin, Texas. Zoom is also using security intelligence services from CrowdStrike and from DarkTower, the security intelligence arm of Queen Associates.
A hacker is offering a zero-day remote code execution exploit for the Zoom Windows client for $500,000. An exploit for the Zoom macOS client is reportedly being sold alongside it.
Such exploits have no fixed price. The exploit broker Zerodium pays from a few thousand dollars up to $2.5 million, depending on how widely the affected software or system is used, how well it is hardened, and the quality of the submitted exploit.
The exploits and their source code have not been made public. People familiar with the zero-day market said exploit brokers have already been approached about buying them. Adriel Desautels, founder of the exploit broker Netragard, said two zero-days are on sale, one affecting macOS and the other Windows.
Lawsuit against Facebook and LinkedIn
A new lawsuit has been filed in California against Facebook and LinkedIn, accusing the companies of "eavesdropping" on the personal data of Zoom users.
In a statement to Bloomberg Law's Dan Stoller, Facebook denied the allegations, saying: "Zoom's use of the Facebook SDK did not enable Facebook to 'eavesdrop' on Zoom call content; the SDK was not designed to and did not share it. This lawsuit has no legal basis and we will vigorously defend it."
New privacy options for paid accounts
In a blog post on Tuesday, Zoom said that from April 18, all paying customers will be able to opt in to or out of specific regional data centers for routing their meeting traffic.
More than half a million Zoom accounts are being sold on the dark web for less than a cent each, or simply given away. According to Business Today, the cyber security intelligence firm Cyble found more than 500,000 Zoom accounts on offer on the dark web and hacking forums, including email addresses, passwords, personal meeting URLs and host keys. The seller's asking price is only $0.002 per account, and some lots are free: for example, 290 accounts belonging to colleges including the University of Vermont, the University of Colorado, Dartmouth, Lafayette and the University of Florida were given away at no charge.
According to Cyble, the seller's goal is not to make money but to build a "reputation" in the hacking community. The technique is credential stuffing: the attackers gather username and password pairs leaked in earlier breaches of other sites, try them against Zoom's login in bulk, and compile the successful logins into a list for sale. It works because many users reuse the same email address and password across different services.
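Credential stuffing of the kind described above leaves a distinctive trace in an authentication log: one source tries many different accounts in a short time, and most of those attempts fail. The following is an added example, not Zoom's or Cyble's code, of the detection logic a defender would run over such a log. The log format (timestamp, source IP, account, outcome) and the thresholds are assumptions, and the log lines are constructed for the example.

```python
"""Detect credential-stuffing runs in an authentication log.

Added example; not code from Zoom or Cyble.  The log format, the
thresholds and the sample lines below are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <account> <OK|FAIL>".
# 203.0.113.7 tries ten different accounts in five seconds and two succeed
# (a stuffing run); 198.51.100.4 is a single user mistyping their password.
SAMPLE_LOG = """\
2020-04-13T10:00:01Z 203.0.113.7 user01@example.edu FAIL
2020-04-13T10:00:01Z 203.0.113.7 user02@example.edu FAIL
2020-04-13T10:00:02Z 203.0.113.7 user03@example.edu OK
2020-04-13T10:00:02Z 203.0.113.7 user04@example.edu FAIL
2020-04-13T10:00:03Z 203.0.113.7 user05@example.edu FAIL
2020-04-13T10:00:03Z 203.0.113.7 user06@example.edu FAIL
2020-04-13T10:00:04Z 203.0.113.7 user07@example.edu FAIL
2020-04-13T10:00:04Z 203.0.113.7 user08@example.edu FAIL
2020-04-13T10:00:05Z 203.0.113.7 user09@example.edu OK
2020-04-13T10:00:05Z 203.0.113.7 user10@example.edu FAIL
2020-04-13T10:05:00Z 198.51.100.4 alice@example.edu FAIL
2020-04-13T10:05:10Z 198.51.100.4 alice@example.edu FAIL
2020-04-13T10:05:30Z 198.51.100.4 alice@example.edu OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, succeeded)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=8, max_success_rate=0.5):
    """Return {ip: report} for every source IP that, inside any `window`,
    attempted at least `min_accounts` distinct accounts with a success rate
    no higher than `max_success_rate`.

    A normal user hits one or two accounts; a stuffer hits many, and most
    of the stolen passwords no longer work.  The report's "compromised" list
    holds the accounts that DID succeed from that source: exactly the list a
    seller would resell, and the accounts to force-reset.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, ok = parse_line(line)
            by_ip[ip].append((ts, account, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        recent = deque()  # sliding window of events from this IP
        for ts, account, ok in events:
            recent.append((ts, account, ok))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            accounts = {a for _, a, _ in recent}
            successes = sum(1 for _, _, s in recent if s)
            if len(accounts) < min_accounts:
                continue
            if successes / len(recent) > max_success_rate:
                continue
            report = {
                "attempts": len(recent),
                "distinct_accounts": len(accounts),
                "successes": successes,
                "compromised": sorted({a for _, a, s in recent if s}),
            }
            # Keep the widest window seen for this source.
            if ip not in flagged or report["distinct_accounts"] > flagged[ip]["distinct_accounts"]:
                flagged[ip] = report
    return flagged


if __name__ == "__main__":
    for ip, report in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, report)
```

In production the same logic runs continuously over the identity provider's sign-in events, and the "compromised" accounts get a forced password reset and session revocation; the per-IP success rate, not the raw failure count, is what separates a stuffing run from a user who has forgotten their password, and attackers spreading attempts over many IPs will need the same grouping keyed on other attributes (user agent, ASN) as well.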
Pentagon restricts use of Zoom
According to VOA, the U.S. Department of Defense has issued new guidance on the use of Zoom. The new Pentagon rules allow Zoom for Government, a separate paid tier of the service, but a spokesman told VOA that "Defense Department users are not allowed to use Zoom's free or commercial products to conduct meetings."
U.S. Senate bans use
The U.S. Senate has “warned all senators not to use the service,” the Financial Times reported Thursday. One person familiar with the matter said the warning suggested that offices should find an alternative for the remote meeting. The person also said the warning “did not formally ban the company’s products”.
Singapore bars teachers from using Zoom
Singapore's Ministry of Education said it had suspended teachers' use of Zoom after receiving reports of obscene Zoombombing incidents targeting students in home-based learning. The ministry is investigating the incidents, Channel NewsAsia reported.
German foreign ministry bans Zoom on work devices
Germany's foreign ministry told staff in a notice this week to stop using Zoom for security reasons, the German newspaper Handelsblatt reported. "Because of the associated risks to our IT system as a whole, we, like other departments and industrial companies, have decided that the use of Zoom on devices used for business purposes is not permitted by the Federal Foreign Office," the ministry said.
In a lawsuit filed in federal court on Tuesday, Zoom shareholder Michael Drieu accused the company of "inadequate data privacy and security measures" and of falsely claiming that the service was end-to-end encrypted. Drieu also said media reports and the security problems the company has publicly acknowledged had caused Zoom's share price to plummet.
Google bans Zoom
Google has banned its employees from using the Zoom software on company-provided computers and smartphones because of security concerns, media reported.
"We have long had a policy of not allowing employees to use unapproved apps for work that are outside of our corporate network," Google spokesman Jose Castaneda told the media. "Recently, our security team informed employees using the Zoom desktop client that it will no longer run on corporate computers, as it does not meet our security standards for apps used by our employees."
Zoom CEO Eric S. Yuan told CNN in an interview on Sunday that the company's intentions were good despite the recent security concerns. "We moved too fast ... we had some missteps. We've learned our lessons and we've taken a step back to focus on privacy and security."
In an interview with the Wall Street Journal, Yuan said that as CEO he had done a poor job and that he felt a "responsibility to win back the trust of users."
Yuan's admission came as the videoconferencing platform was in turmoil over its security problems while its use skyrocketed because of the coronavirus pandemic. In an April 1 blog post, Yuan wrote that the company had 200 million daily meeting participants in March, up from 10 million in December.