Follow Mark on LinkedIn Follow @marknca on Twitter Follow marknca on GitHub Follow marknca on YouTube

imgs/hero.jpg

Zoom Us and Practical Cybersecurity

13 minute read |An icon depicting a retail tag with a heart for 'favourite'LivestreamSecurityPrivacy

Video conferencing platform Zoom has been in the news almost constantly over the past few weeks. At first it was hailed as a tool to help reduce this isolated feeling all of us are experiencing, then it was a pile on for security and privacy issues, and finally the last two weeks have started a redemption story.

In this stream, we look at this story arc, how it relates to your privacy and the practice of practical cybersecurity.

References

Transcript

Mark: Hey everybody, how are you doing today? It’s been a while since I’ve done a live stream here on YouTube. My name’s Mark Nunnikhoven. I am an information security and privacy professional. I feel it’s, my mission, my goal, what I’m trying to accomplish is [crosstalk 00:00:19] not to have that audio going. these [inaudible 00:00:22] [laughs] streams that work great.

Let me restart that. My name’s Mark Nunnikhoven. I am an information security and privacy professional. My goal is to help you understand, that security and privacy are, do not have to be difficult, but of course they are, so I’m here to help you, you know, walk that bridge.

What I want to talk to you today in this live, stream, What I wanted to talk to you about was Zoom, the video conferencing platform.

[00:00:44] Now, Zoom has taken a lot of hits since the pandemic started in that we all started isolating at home, and I wanted to walk through why that is. I wanted to walk through, the realities of that, because now that that initial sort of freak out wherever we we this, and I’ll walk you, and walk you through the security and privacy angles of why that is, so let me just share out, my screen here.

Get me a little, there we go. That’s the view I want. All right, so there’s this great video, and I’m going to put the links in the description after the po- after the stream here, by the, verge, I think this one is on, How The Rise of Zoom? Like, why is it so popular? Why are you hearing it everywhere?

[00:01:29] And, the long story short is that you’re hearing about Zoom all the time, because it was a very popular video conferencing platform. It actually, you know, isn’t revolutionary.

It does a lot of the stuff that you expect from things like Skype, or GoToMeeting or WebEx, or a bunch of the platforms out there. There’s a ton of stuff that does this. You may be using FaceTime, anything and everything.

The reason why Zoom was pretty popular is because, quite a few corporations have adopted it after the, last, couple of years. so that it was just sort of n- something new, so they could talk about, and it made it pretty straightforward to join.

They have clients on all your devices, on all your PCs, that kind of stuff, so you could jump into a Zoom video conferencing call, and it works pretty well, okay? So, that’s why I was hearing it everywhere.

[00:02:09] And then, as soon as we all got these quarantine, and stay home orders, we needed a way to connect, so businesses, where we can ex- expand our video conferencing, and we can start having virtual meetings, and virtual events, and then people are starting to explore, other things beyond live streaming, and things like that, and it was really interesting, so Zoom came into our popular, opinion, or our popular, consciousness based on this need, sort of right place, right time, right?

Good enough solution, and, and it hit that sort of mainstream consciousness. It was talked about on all the, sort of news channels, and news networks, but, and I apologize for the [inaudible 00:02:53] it’s atrocious. I need to go back and fix it.

**[00:02:42]**Zoom had a long history of having some security challenges. This is a video that, I had published in, July of 2019 talking about a previous security issue, and actually this was the impetus for this, stream was somebody commented this, and said, “Great info, but it’s out of date.

You should really delete this.” And, I don’t believe in deleting the digital trail here, but mainly, mainly updating it, so I’ll add a description, or I’ll add a link to this video in that video, but essentially they had, privacy issues, they had security issues, they had a long history of these problems and after that initial wave of, “Hey, you should use Zoom to stay, in touch with people.”

All of this stuff started to come to light again and people said, “Wait a minute, there are, it has a horrible privacy policy.”

[00:03:20] It did, there have been changes, but Zoom had a standard Silicon Valley sort of privacy policy. Basically, if you’re going to use this for free, we’re going to vacuum up your data, and use it to sell ads, and use it to sell, as behavioural profiles to other people who are interested in selling you stuff. Pretty standard, also pretty horrible.

There was also a number of security issues around like the macOS installer. It used some very interesting tricks, not in a malicious way, but they are malicious tricks to get to the point where it could do updates without prompting you all the time, and that was the goal, was to have a better user experience, but unfortunately, they made that sacrifice in the name of security, and of course, when you start to really kind of peel back the layers, everybody gets really worried and goes, wait a minute, this thing is a steaming pile.

You know what? Why are we all jumping on board the Zoom train?

[00:04:03] Bruce Schneier had a blog post, which was pretty solid, and basically, he analyzed the implications for privacy and security, and came up with three big things. It’s got bad, bad, bad privacy practice, which we already covered, bad security practices, and bad default user configurations.

Now bad is a matter of perspective from the security perspective. It’s bad from the user experience perspective. Most of these things were pretty good privacy policy accepted, so that was sort of the challenge here is that you had, you have, you know, the security community having known about this platform for a long time, but in the, in one month in, I think it was February to March, because it was in a span of four weeks, Zoom went from 10 million users to 200 million users, so a lot more light being shined on these known issues.

[00:04:48] Tom’s guide has a great article up and again, I’ll, I’ll post the links in the description here, that essentially walks through all of these issues over time, and so, it was a, you know, a dozen or more privacy and security issues.

Some of them we’ve covered, some of them we haven’t, you don’t need to go on it, but basically this was the nitpicky phase. one of the big things here was that, I liked this article because it called it the practical side said, so you know what? Zoom is still safe to use in most cases. which is why I haven’t made anything, earlier than this on, an updated Zoom topic, because I thought, you know, it’s best just to let this kind of work itself out a little bit, but I love this, quote at the bottom, by Kim Zetter, which is [inaudible 00:05:42] view “Zoom will soon be the most secure conferencing platform out there.”

[00:05:27] Yeah, and Kim’s right? Because the more eyes, and the more scrutiny that are on a platform, the more they’re going to solve these problems, because if you think the problems that we see iterated in these, en- enumerated in these Zoom articles are unique to Zoom, they’re not, and this is why I didn’t come out earlier and say, “Hey, you guys really need to get off the platform.”

Because the practical matter of it is that we needed a tool to solve the problem, which was to keep people connected, and Zoom was filling that nicely with an adequate level of security, and that’s really the key to adequate level of security, so one of the big problems, upfront early with Zoom bombing, which is basically the practice of where somebody uninvited were coming to your meeting rooms, and this highlighted that exchange of usability versus security and privacy.

[00:06:08] Zoom meetings by default used to never have passwords, so if you knew the URL, or the meeting ID, you could simply join, and of course, being the enterprising, people that they are cyber criminals and, miscreants, and people just wanted to, to mess with people realized very quickly that you could write a script that just iterated through the meeting IDs because they were just numbers.

And if you found one that responded, you can then jump in, and there’s some pretty horrible things that happened. you can see, you know, there was one, a couple of examples where classes were interfered with, by people spewing out hate, and racist stuff, which was totally unacceptable, and not something you want when you’re trying to really solve a problem with people, keeping people connected. Having somebody from the outside come in and interfere with your meeting is not at all what you’re going for.

[00:06:49] So, that was a major issue that brought people, [inaudible 00:07:15] up into the sort of mainstream audience of like, oh, this is something serious. so much so that former CSO from Facebook, Alex Stamos who’s, at, Stanford, I think now he’s at one of the high, prestigious universities, practicing and researching there now. he was invited by Zoom because he was, talking to them on Twitter, and he was invited by them to, be a consultant.

And he had, really good tweets to kind of kick this off, and basically you can see in this article one, so the Zoom is going to de- need to demonstrate more transparency, including putting a security face on all these responses.

[00:07:20] Well, guess who the security face ended up being? But, that’s a really positive thing ‘cause back to Kim’s comment earlier was that the more people shining a light on this, the better the security is going to be, and the quicker for Zoom to the point where zoom CEO came out, and said, “Hey, we’ve asked Alex to come in and help us, but also we are not going to be building any more features for the time being. We’re going to focus purely on security, improvements and privacy improvements to the product.”

Which is a fantastic thing. That’s what we as users want. so first thing they did was they removed meeting IDs from the title bar, because people, especially politicians, were tweeting out screenshots, and saying like, “Look at how good we are doing. We’ve moved from a physical event to an online event, here’s proof.”

[00:07:57] And unfortunately, the proof was a meeting ID, not necessarily with a password, or had a very simple password that let people join, so the most famous example of this is Boris Johnson in the UK, tweeted out a virtual cabinet meeting with the ID, not horrific, but just one of those things where you go, oh, come on.

He could have just not included that, so Zoom started to remove that. Really simple feature update, but something that was really nice, and we’ve seen progressive improvements.

They’ve improved their privacy policy, they’ve updated the way they install software on macOS, so it’s a little more cumbersome for us, but it’s far more secure. and I noticed this over the weekend, which I was really impressed about, is they added actually a security button for hosts in the meeting, and you can lock the room, you can enable a waiting room, you can share, turn off various features for participants, which is absolutely a strong, strong move.

[00:08:43] So, the point of this was just to recap the Zoom story, but also, to give you the perspective from a security practitioner. There’s always trade offs. There’s always problems. a- early on in this pandemic, in the lockdown, we needed tools that can help us get together, and tools that would reduce that, overhead that, make a smoother user experience, because troubleshooting these tools is a huge burden on IT infrastructure.

Everybody was scrambling to get things in place so that companies could continue to operate, schools can continue to teach, people and friends could continue to communicate. I know here, in our neighborhood we’ve had a neighborhood trivia nights over Zoom. you need these tools for people to stay afloat, and Zoom was not horrible in its security.

It made some very common security mistakes where they had traded off in favor of usability, at the sacrifice of, of security. and of course they have the standard Silicon Valley privacy policy.

[00:09:33] The good news, because they went from 10 million to 200 million users, they’ve taken steps to fix it all, and they continue to take those steps. Nothing’s perfect.

The idea is being transparent about where your flaws are, and working to improve them in a, in an open manner in response to the situation. That’s what security is all about, so there’s no need to freak out and panic. even that example you saw earlier in this, in the stream where the New York school board had shut down the use of Zoom, everyone had freaked out and said, hey, they’re overreacting.

For the use case they actually work, because one of the things that school boards need is the assurance that they can, protect the students, which is why a lot of the time you’ll see, G suite for education is ironic, is that ends up being, interesting Google.

[00:10:09] They allow all the students to authenticate, and lock them down as opposed to being Zoom bombed, or share links outside of that domain, so a school board has a very different [inaudible 00:10:53] very different risk appetite than companies, or friends, or other groups, so again, security is never, you know, black or white it’s never a binary decision.

You really need to apply that practical gradient, and Zoom is a great example of where there are issues, but the issues are getting addressed in a reasonable manner, in quite a, expedient manner, which is great, because there are so many people, looking at them now.

[00:10:40] Let me know what you think. Hit me up in the comments below. As always, I’m Mark, Nunnikhoven. We’ll be way more active and streaming here on YouTube and posting again.

Like everybody else, everything’s been up in the air for me for the last, couple months trying to deal with this situation, but if you want to hear more about different security and privacy topics, please let me know in the comments below.

Hit me up on social @marknca, or as always by email [email protected].

Thanks for tuning in. We’ll talk to you soon.