Zoom: Ex-Dropbox employees say Zoom stalled on a security fix – CNET


Sarah Tew/CNET

As the coronavirus pandemic forced millions of people to stay home over the past months, Zoom suddenly became the video-meeting service of choice: the number of daily meeting participants on the platform grew from 10 million in December to 200 million in March.

With that popularity came Zoom's privacy risks, which rapidly expanded to reach a large number of people. From built-in attention-tracking features to recent upticks in "Zoombombing" (in which uninvited participants break into a meeting and disrupt it with hateful or pornographic content), Zoom's security practices have drawn growing scrutiny, along with at least three lawsuits against the company.

Here's everything we know about the Zoom security saga, and when it happened. If you aren't familiar with Zoom's security issues, start from the bottom and work your way up to the most recent information. We'll keep updating this story as more flaws and fixes come to light.

Read more: Using Zoom for work? Here are the privacy risks to watch out for



April 21

British Parliament continues on Zoom

The Washington Post reported Tuesday that the British Parliament will continue to meet on Zoom in order to comply with social-distancing guidelines. Although votes will also be taken remotely, the government said that because of the threat of glitches or hackers, only legislation that would pass by overwhelming consent will be introduced on the platform. Instead of paper ballots, a virtual shout of "yes" or "no" will be accepted.

Holocaust memorial Zoombombed with Hitler images

A virtual Holocaust memorial ceremony held by the Israeli Embassy in Germany was Zoombombed with anti-Semitic slogans and pictures of Adolf Hitler, leading to a temporary suspension of the online event, The Hill reported Tuesday. In a tweet, Israel's ambassador to Germany, Jeremy Issacharoff, called the attack a disgrace.

Read more: Zoombombing: What it is and how you can prevent it in Zoom video chat

April 20

Former Dropbox engineers say Zoom knew about security vulnerabilities

Former engineers at Dropbox, a Zoom partner, said both companies knew about a major security vulnerability that allowed an attacker to take control of some users' Mac computers for months before the problem was fixed, according to a New York Times report. According to the Times, after hackers discovered the exploits and Dropbox presented the findings to Zoom, Zoom took several more months to fix the problem, and did so only after a further vulnerability exploiting the same underlying flaw was found. In a July 2019 blog post, Zoom founder and CEO Eric Yuan apologized. "We misjudged the situation and did not respond quickly enough, and that's on us," he wrote.

"Report a user" button coming to Zoom

PC Magazine reported Monday that Zoom's April 26 update will add a button that lets meeting participants report an abusive user. The new button is meant to reduce Zoombombing incidents by helping Zoom collect data on the users who infiltrate affected meetings. The button will be added to the Security menu and, according to the report, will help capture a Zoombomber's IP address even if they are using a proxy or virtual private network to disguise that information.

April 16

Two new, massive Zoom exploits uncovered

A security researcher has discovered two new major privacy vulnerabilities in Zoom. With one exploit, the researcher found a way to access, and download, a company's previously recorded videos from the cloud through an unsecured link. The researcher also discovered that previously recorded user videos can live on in the cloud for hours, even after being deleted by the user. Zoom has rolled out updates to prevent malicious actors from exploiting the vulnerabilities en masse. The company also changed its default cloud-recording setting so that users are prompted to add a password to uploaded video files.

"To further strengthen security, we have also implemented complex password rules for all future cloud recordings, and the password protection setting is now turned on by default," Zoom told CNET.

Previously uploaded videos, however, remain vulnerable to unauthorized viewing via shared links. The company is advising users to check and, if necessary, update the privacy settings on any videos uploaded before Tuesday's Zoom update.

Zoom to overhaul bug bounty

As part of its long-term security improvements, Zoom revealed Thursday that it has hired Luta Security to revamp its bug bounty program so that white-hat hackers can help it find security holes. As reported by CNET sister site ZDNet, Luta Security CEO Katie Moussouris is best known for setting up bug bounty programs for Microsoft, Symantec and the Pentagon. Moussouris said in a tweet that more high-profile names will be joining Zoom soon.

April 15

$500,000 price tag for new exploit

Hackers have two critical exploits, one for Windows and one for MacOS, that could allow someone to spy on Zoom calls, according to a Wednesday report by Motherboard. The Windows-specific vulnerability is a type of exploit reportedly suited to industrial espionage and is being offered for sale on the underground market for $500,000. The MacOS exploit is considered less dangerous. In a statement to Motherboard, Zoom said it "takes user security very seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them."

April 14

Lawsuit filed against Facebook and LinkedIn

A new lawsuit in California accuses Facebook and LinkedIn of "eavesdropping" on Zoom users' personal data. In a statement to Bloomberg Law's Dan Stoller, Facebook denied the accusations, saying, "Zoom's use of the Facebook SDK did not enable Facebook to 'eavesdrop' on Zoom calls; the SDK is not designed to and did not share such content. The lawsuit has no merit and we will defend ourselves vigorously."

New privacy option for paid accounts

In a blog post Tuesday, Zoom said that as of April 18, all paying subscribers will be able to choose which regional servers they want to use or avoid. The move follows a Citizen Lab investigation that found Zoom call traffic was being routed through Chinese servers, prompting privacy concerns based on the Chinese government's ability to retrieve encryption keys.

April 13

500,000 Zoom accounts sold on hacker forums

Cybersecurity intelligence company Cyble discovered that more than 500,000 Zoom accounts are being sold on the dark web and on hacker forums, according to a Monday report from Bleeping Computer. The accounts are being sold for less than a penny each, with some given away for free. Zoom users should change their passwords and check the data breach notification site Have I Been Pwned to determine whether their email addresses were among those leaked.
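The email-address lookup the article points to is one half of Have I Been Pwned; the other half, its Pwned Passwords service, answers the question users actually need answered after a credential dump like this one: has the password I reuse on Zoom already appeared in a breach? The following is an added example written for this page, not code from CNET, Zoom or Have I Been Pwned. It uses the real range-API protocol (only the first five hex characters of the SHA-1 hash leave the client, and the server returns every matching suffix with a count, so the service never learns the password), but the SAMPLE_RESPONSE is constructed so the check runs offline; the suffixes in it other than the one for the word "password" are made up.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords corpus using
the k-anonymity range API: send a 5-char SHA-1 prefix, get back 'SUFFIX:COUNT'
lines, compare the remaining 35 chars locally.

Added example for this page, not CNET's, Zoom's or HIBP's own code.
SAMPLE_RESPONSE is constructed so the example runs offline.
"""
import hashlib
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.
    Only the prefix is ever sent to the server; that is the k-anonymity property."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Tolerates blank lines and CRLF,
    and keeps count-0 entries (the API returns those when padding is requested)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password was seen in breaches (0 if never).
    fetch_range maps a 5-char prefix to the response body, so the network
    layer is pluggable and the logic can be tested without a connection."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample of what the range endpoint for prefix "5BAA6" could return.
# The second line is the real suffix for "password"; the count and the other
# two lines are made up for the example.
SAMPLE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call; returns the constructed sample for any prefix."""
    return SAMPLE_RESPONSE


def live_fetch(prefix: str) -> str:
    """Real lookup against HIBP (needs network). Add-Padding asks the server to
    pad the response so its size does not reveal which prefix was queried."""
    import urllib.request
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "zoom-credential-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_fetch)
        verdict = f"seen {n} times in breaches, change it" if n else "not in the sample set"
        print(f"{pw!r}: {verdict}")
```

Swap `offline_fetch` for `live_fetch` to query the real service. The important design point is in `sha1_split`: the full hash is never transmitted, and a lookup that returns zero still tells you nothing about other users' passwords, which is what makes it acceptable to run from a corporate password-reset flow.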

April 10

Pentagon restricts Zoom use

The Department of Defense has issued new guidelines for the use of Zoom, Voice of America reported Friday. While the Pentagon's new rule allows the use of Zoom for Government, a paid tier of the software, a spokesperson told VOA that "DOD users cannot host meetings with Zoom's free or commercial offerings."

April 9

Senate told to avoid Zoom

The U.S. Senate told members to avoid using Zoom for remote work during the coronavirus lockdown because of security concerns surrounding the video conferencing app, the Financial Times reported Thursday. It is not an official ban, like the one Google reportedly issued for its employees, but senators were reportedly urged to use an alternative platform.

Singapore teachers banned from Zoom

Singapore's Ministry of Education said it has suspended the use of Zoom by teachers after receiving reports of obscene Zoombombing incidents targeting students learning remotely. Channel News Asia reported that the ministry is currently investigating the incidents.

German government warns against using Zoom

According to the German newspaper Handelsblatt, the Federal Foreign Office told staff in a letter this week to stop using Zoom because of security concerns. "Because of the associated risks for our IT system as a whole, we have decided, as other departments and industrial companies have, not to allow the use of Zoom on (Foreign Office) devices for business purposes," the ministry said in a statement.

April 8

Fourth lawsuit

In a lawsuit filed Tuesday in federal court, Zoom shareholder Michael Drieu accused the company of having "inadequate data privacy and security measures" and of falsely claiming that the service was end-to-end encrypted. Drieu also said that media reports and the company's public admissions about security problems have caused Zoom's stock price to fall.

Google bans Zoom

In an email to staff, Google banned the use of Zoom on company-owned employee devices, citing security holes, and warned that the software would stop working on those devices this week. Zoom competes with Google's Hangouts app.

In an email to BuzzFeed, a Google spokesperson said employees who had been using Zoom while working remotely would need to look elsewhere, because Zoom "does not meet our security standards for apps used by our employees."

Bug bounty hunters emerge

Hackers around the world have begun turning to bug bounty hunting, looking for possible weaknesses in Zoom's technology to sell to the highest bidder. A Motherboard report detailed a rise in the payouts for vulnerabilities known as zero-day exploits, with one source estimating that hackers are selling the exploits for $5,000 to $30,000.

New security adviser and council

Zoom has brought on former Facebook and Yahoo chief security officer Alex Stamos after he defended the company on Twitter. As previously reported by CNET sister site ZDNet, Stamos said he joined the company as a security adviser after a phone call with Yuan last week, and that he will work with Zoom's engineering team.

In a statement, Zoom announced the formation of a chief information security officer council and advisory board. The board's goal will be to conduct a full security review of the company's technology, and it will include, Yuan said, "a subset of CISOs who will act as advisers to me personally."

Classroom security

In an email, a Zoom spokesperson told CNET that the company is continuing to push for broader user education on its existing security features, and explained its move to secure classroom use of the product.

"We recently changed the default settings for education users enrolled in our K-12 program to enable virtual waiting rooms and to ensure that teachers are the only ones who can share content in class," the spokesperson said.

"Effective April 5, we are enabling passwords and virtual waiting rooms by default for our Free Basic and Single Pro users. We are also continuing to proactively educate users on how they can protect their meetings from unwanted intruders, including through our range of training sessions, tutorials and webinars, to help users understand their own account features and how to best use the platform."

Usability versus security

In an interview with NPR, Yuan said the balance between security and user-friendliness had shifted for him.

"If there is a conflict between usability and privacy and security, privacy and security are more important, even at the cost of several clicks," he said. "We are going to transform our business to a privacy-and-security-first mentality."

Meeting IDs hidden

The company released a software update to improve security that removes the meeting ID from the title bar while a meeting is in progress. As reported by Bleeping Computer, the move should slow down attackers who circulate screenshots of meeting IDs on the open internet.

Weekly webinars

Yuan hosted the first of Zoom's promised weekly webinars, available on the company's YouTube channel, emphasizing that the surge in users working from home because of the COVID-19 pandemic "far exceeded what we expected."

Yuan said that before the surge, daily peak usage of the product was around 10 million users, but that it is now more than 200 million. Yuan also detailed the company's mistakes during the surge: Zoom's user-facing security features were not friendly enough for the average user, and enterprise-focused tools such as its attention-tracking feature made no sense for privacy-minded average consumers.

Yuan also denied selling user data, and he recommended that users take advantage of the software's security features as often as possible. He said the company is working on waiting-room improvements for the Zoom webinar tool that would let a meeting organizer approve users before they join a meeting, but he had no timeline for completion. Other security features in the works over the next 45 days are an improved encryption standard and a renewed focus on protecting health-related data, he said.

AI Zoombomb

Zoombombing took a surreal turn when a Samsung engineer Zoombombed a colleague with an AI-generated version of Elon Musk.

April 7

Taiwan bans government use of Zoom

Taiwanese government agencies were told not to use Zoom because of security concerns, with Taiwan's Department of Cyber Security approving the use of alternatives such as products from Google and Microsoft, according to a statement released Tuesday.

April 6

Some school districts ban Zoom

School districts began banning teachers from using Zoom to teach remotely during the coronavirus outbreak, citing security and privacy concerns about the video conferencing app. The New York City Department of Education urged schools to switch to Microsoft Teams "as soon as possible," Chalkbeat reported.

Zoom accounts on the dark web

Cybersecurity company Sixgill revealed that it had discovered an actor on a popular dark web forum posting a link to a collection of 352 compromised Zoom accounts. Sixgill told Yahoo Finance that the links included email addresses, passwords, meeting IDs, host keys and names, and the type of Zoom account. Most of the accounts were personal, but not all of them.

Sixgill told Yahoo Finance that one account "belonged to a major U.S. health care provider, seven more to various educational institutions, and one to a small business."

Read more: Zoombombing: What it is and how you can prevent it

Zoom looks to grow its lobbying presence in Washington

Zoom's response to the security concerns has reached Washington, DC. The company told Politico it was looking to grow its lobbying presence in Washington and had hired Bruce Mehlman, a former assistant secretary of commerce for technology policy under President George W. Bush.

Push for an FTC investigation

In an open letter, the Electronic Privacy Information Center called on the Federal Trade Commission to investigate Zoom and to issue privacy guidelines for video conferencing platforms.

Sen. Richard Blumenthal, a Democrat from Connecticut, recently known for spearheading legislation that critics say would cripple state-of-the-art encryption standards, called on the FTC to investigate Zoom over what he described as "a pattern of security failures and privacy violations."

Third class-action lawsuit filed

A third class-action lawsuit was filed against Zoom in California, citing the three most significant security issues uncovered by researchers: the Facebook data sharing, the company's admittedly incomplete end-to-end encryption, and the security flaw that allowed malicious actors to access users' webcams.

Read more: 10 free Zoom alternative apps for video chatting

April 5

Calls accidentally routed through Chinese whitelisted servers

In a statement, Zoom admitted that some video calls were "accidentally" routed through two Chinese whitelisted servers when they should not have been. Certain meetings were allowed "to connect to systems in China, where they should not have been able to connect," the company said.

April 4

More Zoom apologies

"I really messed up as CEO, and we have to win back their confidence. This kind of thing shouldn't have happened," Yuan told The Wall Street Journal in a lengthy interview.

Surveying the damage to the company's reputation, Yuan described how Zoom pushed for expansion in an effort to accommodate workforce changes during the early stages of the COVID-19 outbreak in China.

April 3

Zoom video call recordings left viewable on the web

An investigation by The Washington Post found that thousands of recordings of Zoom video calls were left unprotected and viewable on the open web. A large number of the unprotected calls included discussion of personally identifiable information, such as private therapy sessions, telemedicine training calls, small business meetings in which private company financial statements were discussed, and elementary school classes with students' information exposed, the newspaper found.

Attackers planning "Zoom raids"

Reporting from both CNET and The New York Times showed that social media platforms like Twitter and Instagram were being used by anonymous attackers to organize "Zoom raids," the term for coordinated mass Zoombombings in which intruders harass and abuse private meeting participants. Abuse reported during Zoom raids has

Zoom apologizes again

Zoom acknowledged that its custom encryption is substandard after a Citizen Lab report found that the company had rolled its own encryption scheme, using a less secure AES-128 key instead of the AES-256 encryption it had previously claimed. In a direct response, Yuan publicly stated, "We recognize that we can do better with our encryption technology."

Second class-action lawsuit filed

Tycko & Zavareei LLP filed a class-action lawsuit against Zoom, the second lawsuit against the company, for sharing users' personal data with Facebook.

Congress requests information

Democratic Rep. Jerry McNerney of California and 18 of his Democratic colleagues on the House Committee on Energy and Commerce sent Yuan a letter raising concerns and questions about the company's privacy practices. The letter requested a response from Zoom by April 10.



April 2

Automated tool finds Zoom sessions

Security researchers revealed that an automated tool was able to find around 100 Zoom meeting IDs in an hour, gathering information on nearly 2,400 Zoom sessions in a single day, security expert Brian Krebs reported.

The visible meetings were those not protected with passwords, but the tool was able to successfully generate valid meeting IDs up to 14% of the time, according to reporting by The Verge.
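A 14% hit rate means a scanner guessing numeric meeting IDs lands on a live meeting roughly every seven attempts, so from the server side this kind of tool is not subtle: one source touches many different meeting IDs in a short window, most of them invalid, and occasionally one comes back open and unpassworded. The following detection is an added example written for this page, not code from CNET, Krebs, The Verge or Zoom. Its log format is constructed and hypothetical (one line per join attempt with a timestamp, client IP, meeting ID and outcome); real conferencing platforms expose different fields, but the signal is the same, and the logic deliberately ignores a normal user reconnecting to the same meeting many times.

```python
"""Flag meeting-ID enumeration ('war-dialing') in join-attempt logs.

Added example for this page, not CNET's or Zoom's code. SAMPLE_LOG and its
format are constructed for the example: one join attempt per line.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed sample: an enumerator (203.0.113.7) walking consecutive IDs, a
# legitimate user (198.51.100.20) reconnecting to one meeting, and a user who
# mistyped an ID once (192.0.2.44).
SAMPLE_LOG = """\
2020-04-02T10:00:01Z ip=203.0.113.7 meeting=51234567890 result=invalid
2020-04-02T10:00:01Z ip=203.0.113.7 meeting=51234567891 result=invalid
2020-04-02T10:00:02Z ip=203.0.113.7 meeting=51234567892 result=open
2020-04-02T10:00:02Z ip=203.0.113.7 meeting=51234567893 result=invalid
2020-04-02T10:00:03Z ip=203.0.113.7 meeting=51234567894 result=invalid
2020-04-02T10:00:03Z ip=203.0.113.7 meeting=51234567895 result=password_required
2020-04-02T10:00:04Z ip=203.0.113.7 meeting=51234567896 result=invalid
2020-04-02T10:00:04Z ip=203.0.113.7 meeting=51234567897 result=invalid
2020-04-02T10:00:05Z ip=198.51.100.20 meeting=51234567892 result=open
2020-04-02T10:00:09Z ip=198.51.100.20 meeting=51234567892 result=open
2020-04-02T10:01:00Z ip=192.0.2.44 meeting=77700011122 result=invalid
2020-04-02T10:01:30Z ip=192.0.2.44 meeting=77700011123 result=password_required
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) meeting=(?P<meeting>\d{9,11}) result=(?P<result>\S+)$"
)

Event = Tuple[datetime, str, str]  # (timestamp, meeting_id, result)


def parse_log(text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, ip, meeting_id, result); silently skip malformed lines."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["meeting"], m["result"]


def find_enumerators(
    text: str,
    window: timedelta = timedelta(minutes=1),
    min_distinct: int = 5,
    min_invalid_ratio: float = 0.5,
) -> Dict[str, Tuple[int, float, List[str]]]:
    """Return {ip: (distinct_ids, invalid_ratio, open_meetings_hit)} for each
    source that, within some sliding window, tried at least min_distinct
    different meeting IDs with at least min_invalid_ratio of attempts invalid.
    The widest qualifying window per IP is reported. Repeated joins to a single
    meeting never qualify, so reconnecting users are not flagged."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ts, ip, meeting, result in parse_log(text):
        by_ip[ip].append((ts, meeting, result))

    flagged: Dict[str, Tuple[int, float, List[str]]] = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            distinct = {mid for _, mid, _ in span}
            if len(distinct) < min_distinct:
                continue
            ratio = sum(1 for _, _, r in span if r == "invalid") / len(span)
            if ratio < min_invalid_ratio:
                continue
            if ip not in flagged or len(distinct) > flagged[ip][0]:
                hits = sorted({mid for _, mid, r in span if r == "open"})
                flagged[ip] = (len(distinct), round(ratio, 2), hits)
    return flagged


if __name__ == "__main__":
    for ip, (n, ratio, hits) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct meeting IDs, {ratio:.0%} invalid, "
              f"unprotected meetings reached: {hits}")
```

The thresholds are the tunable part: `min_distinct` separates a scanner from a user who fat-fingers an ID, and `min_invalid_ratio` separates it from a help desk that legitimately joins many real meetings. The `open` hits the function returns are the meetings an operator should treat as exposed, which is the operational counterpart of the advice elsewhere on this page to put a password on every meeting.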

More Zoombombing plans

Motherboard discovered that users of the 8chan forum had planned to hijack Zoom classes at a Jewish school in Philadelphia in an anti-Semitic Zoombombing campaign.

Data mining feature discovered

The New York Times reported that a data-mining feature in Zoom allowed some participants to secretly access LinkedIn profile data about other users.

April 1

SpaceX bans Zoom

Elon Musk's rocket company SpaceX banned employees from using Zoom, citing "significant privacy and security concerns," Reuters reported.

More security vulnerabilities

Reporting from Motherboard uncovered another damaging vulnerability: Zoom was leaking users' email addresses and photos to strangers through a feature loosely designed to serve as a company directory.

Yuan's apology

Yuan issued a public apology in a blog post and vowed to improve security. That included enabling waiting rooms and password protection for all calls. Yuan also said the company would freeze feature updates for the next 90 days to address security problems.

March 30

The Intercept investigation: Zoom doesn't use end-to-end encryption as promised

An investigation by The Intercept found that Zoom call data was being sent back to the company without the end-to-end encryption promised in its marketing materials.

"Currently, it is not possible to enable E2E encryption for Zoom video meetings," a Zoom spokesperson told The Intercept.

More bugs discovered

After the discovery of a Windows-related Zoom bug that exposed people to password theft, two more bugs were discovered by a former NSA hacker, one of which could allow malicious actors to take control of a Zoom user's microphone or webcam. Another Zoom flaw allowed root access to MacOS desktops, a risky level of access at best.

First class-action lawsuit

A class-action lawsuit was filed against the company, claiming that Zoom violated California's new data protection law by not obtaining prior consent from users for the transfer of their Zoom data to Facebook.

Letter from New York attorney general

The office of New York State Attorney General Letitia James sent Zoom a letter outlining privacy vulnerability concerns and asking what steps, if any, the company had put in place to protect its users, given the increased traffic on its network.

Classroom Zoombombings

Reports of classroom Zoombombings, including a reported incident in which hackers broke into a class meeting and displayed a swastika on students' screens, led the FBI to issue a public warning about Zoom's security vulnerabilities. The agency advised educators to protect video calls with passwords and to lock down meeting security with the privacy features currently available in the software.

March 27

Zoom removes Facebook data collection feature

Responding to concerns raised by Motherboard's investigation, Zoom removed the Facebook data collection feature from its iOS app and apologized in a statement.

"The data collected by the Facebook SDK did not include any personal user information, but rather included data about users' devices, such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores and disk space," Zoom told Motherboard.

March 26

Motherboard investigation: Zoom iOS app sending user data to Facebook

A Motherboard investigation found that Zoom's iOS app was sending user analytics data to Facebook, even for Zoom users without a Facebook account, through the app's interaction with Facebook's Graph API.



Released on Tue, 21 Apr 2020 20:33:35 +0000
