IT Security Guru

In Defense of Zoom

Edgescan’s Senior Security Consultant, Guram Javakhishvili, gives his take on the Zoom debacle

by Sabina
April 17, 2020
in Featured, News

Guram stresses that he is not ‘sponsored by Zoom’ 😊

First of all, nothing is bulletproof and anything can be hacked. We all make mistakes and learn from them. That’s how and why we improve and update software on a regular basis.

The question is: on what basis are other blog posters or researchers assuming that there is RCE, UNC path injection, weak or no E2E encryption and the many other vulnerabilities that have been mentioned over the past few weeks? If they have been testing or targeting Zoom systems in the production environment without penetration testing authorisation, then that is illegal and unethical. I believe most of these blog posts are just repeating unethical researchers’ unauthorised publications.

A brief clarification on a few of the vulnerabilities recently posted and my personal thoughts on them:

  1. Zoom video recordings accessible to the public

This is a user issue. There is an option within the Zoom admin panel where you can set video recordings to be private, public or accessible only to call participants. If you are not aware of the current settings, check them before recording. If recording is set to ‘Public’, then anyone with access to the link will be able to see the video content.

By default, users tend to leave ‘Public’ enabled. If they then post the link somewhere, or even open it in a shared browser (since the encrypted key for the recording is contained in the URL), it will stay in the browser history and whoever has access to the machine will be able to view it.

  2. Zoom bombing (attackers can brute force ID and Password)

Even if you had a valid password and ID, you would still start the call in a ‘waiting room’ until the host admits you. You can do essentially nothing in the waiting room, and there is no way to bypass it until the host admits you to the meeting.

Also, I’m not too sure about brute-forcing, since Zoom uses Cloudflare WAF protection. This needs a little tuning (I would have thought Zoom allowed multiple failed login attempts without blocking joiners, since participants might get the password or ID wrong), but again this can be tightened from the admin panel if one is familiar with the settings.

Again, user awareness: choose complex passwords. You can always set this yourself if you want to be safe.

  3. UNC Path Injection

UNC path injection is possible with other modern applications too, not just Zoom. MS Outlook also allows a UNC path as a hyperlink. So what? We have never abandoned Outlook for this. Nevertheless, Zoom has already addressed this and the latest release no longer allows UNC paths.
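As an added illustration of the kind of fix described above (example code, not Zoom’s or the author’s): a chat renderer that only turns absolute http/https URLs into clickable links and leaves UNC paths and file: URLs as plain text. It assumes messages are tokenised on whitespace and uses only the Go standard library.

```go
package main

import (
	"html"
	"net/url"
	"strings"
)

// linkTarget reports whether a chat token may be rendered as a clickable link.
// Only absolute http/https URLs with a host qualify. A UNC path such as
// \\server\share (or its //server/share form) and file: URLs stay plain text,
// so a click can never make the client open an outbound SMB connection.
func linkTarget(token string) (string, bool) {
	if strings.HasPrefix(token, `\\`) || strings.HasPrefix(token, "//") {
		return "", false
	}
	u, err := url.Parse(token)
	if err != nil || u.Host == "" {
		return "", false
	}
	switch u.Scheme { // url.Parse lower-cases the scheme
	case "http", "https":
		return u.String(), true
	}
	return "", false
}

// renderChat turns a message into HTML: every token is escaped, and only the
// tokens accepted by linkTarget are wrapped in an anchor.
func renderChat(message string) string {
	var parts []string
	for _, tok := range strings.Fields(message) {
		escaped := html.EscapeString(tok)
		if href, ok := linkTarget(tok); ok {
			escaped = `<a href="` + html.EscapeString(href) + `">` + escaped + `</a>`
		}
		parts = append(parts, escaped)
	}
	return strings.Join(parts, " ")
}
```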

  4. Zoom does not support E2E Encryption

Zoom acknowledged the encryption problems and proactively worked to address the E2E encryption issues. Zoom has indeed always supported TLSv1.2 for all its communications, but there was a weak cryptographic cipher: a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved in the ciphertext.

It should be mentioned that even if a third party deliberately disables E2E encryption and initiates a meeting, if a guest then joins with E2E encryption enabled, the feature is enforced and communication for both parties becomes encrypted.
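To make the ECB point concrete, this added example (not Zoom’s or the author’s code) encrypts eight identical 16-byte rows, a constructed stand-in for a video frame, with raw AES-128 in ECB mode and with AES-GCM, then counts distinct ciphertext blocks: ECB yields one repeated block, GCM yields eight. The key and frame data are constructed for the demo; only the Go standard library is used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ecbEncrypt: raw AES per block (ECB), so equal plaintext blocks give equal ciphertext.
func ecbEncrypt(block cipher.Block, plaintext []byte) ([]byte, error) {
	if len(plaintext)%block.BlockSize() != 0 {
		return nil, errors.New("plaintext must be a whole number of blocks")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += block.BlockSize() {
		block.Encrypt(out[i:i+block.BlockSize()], plaintext[i:i+block.BlockSize()])
	}
	return out, nil
}

// gcmEncrypt uses AES-GCM with a fresh random nonce: every block is masked by a
// different keystream block, so plaintext repeats are hidden. Returns nonce||ct||tag.
func gcmEncrypt(block cipher.Block, plaintext []byte) ([]byte, error) {
	aead, _ := cipher.NewGCM(block) // only fails for non-16-byte blocks; AES is 16
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// distinctBlocks counts distinct 16-byte blocks; a low count on ciphertext is the ECB symptom.
func distinctBlocks(data []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		seen[string(data[i:i+aes.BlockSize])] = true
	}
	return len(seen)
}

// demo encrypts eight identical rows (constructed stand-in for a video frame) both ways.
func demo() (ecbDistinct, gcmDistinct int) {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key
	frame := bytes.Repeat([]byte("SAME-PIXEL-ROW!!"), 8)
	ecb, _ := ecbEncrypt(block, frame)
	sealed, _ := gcmEncrypt(block, frame)
	return distinctBlocks(ecb), distinctBlocks(sealed[12 : 12+len(frame)]) // 1, 8
}
```

The same counting check can be run over any captured ciphertext: if repeated blocks show up, the mode in use is leaking plaintext structure.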

  5. Inconsistent Application of Security Policy

Advice to the Zoom team and Zoom users on anomalies with file sharing, recording, screen sharing and remote control:

  • File Sharing

File sharing can be disabled from the Zoom admin panel, and people from your organisation will then not be able to transfer files during Zoom chats/meetings. However, if a third-party host has this function enabled, it is possible to send files to all participants (guests). If participants have file sharing disabled by their admin and cannot send files, they will still be able to receive and download files from the third-party host, which increases the risk of being sent malware or other malicious files.

  • Recording

If the recording feature is disabled by your organisation’s Zoom admin, and someone from your organisation is hosting a meeting, recording will not be available to any party, including third parties. However, if a third-party host has this function enabled, then it is available to all meeting participants (your organisation and the third party).

  • Screenshare + Remote Controlling

I would recommend reviewing the use of this function and disabling it if not required.

By default, the ‘Remote Control’ feature is not disabled and locked by administrators. Enabling the Remote Control function for your organisation’s participants or host users increases the risk of your members permitting third parties to take remote control of an internal host system and potentially access unintended information or your organisation’s network resources.

It should be noted that an end user must still grant permission to allow remote control of their system.

In summary

Most importantly, testing or using third-party software unethically is illegal, and authorisation should be sought prior to any activity. EternalBlue targeted thousands of Windows systems and more than 200K organisations suffered as a result of the EternalBlue vulnerability, but no one abandoned Windows systems, and they are still in use. WhatsApp also suffered from some serious vulnerabilities, but we still use it. As long as Zoom is taking action on all security concerns and tries to resolve issues as soon as possible, that’s the main thing.

The Zoom free version comes with limited administrative access and might not give you full control over security controls and settings. If you choose to use a free licence, you accept that it will not have the full range of features of the paid version. If you want those features, pay for them.

Review your Zoom admin panel settings thoroughly and ensure you understand what each setting is and what it does.

You can read more about the security of collaboration apps here.
