{"id":113700,"date":"2020-04-06T11:48:23","date_gmt":"2020-04-06T15:48:23","guid":{"rendered":"http:\/\/rbach.net\/?p=113700"},"modified":"2024-05-22T19:54:03","modified_gmt":"2024-05-22T23:54:03","slug":"what-you-need-to-know-about-zoom","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/what-you-need-to-know-about-zoom\/","title":{"rendered":"What You Need to Know About Zoom"},"content":{"rendered":"\r\n<p><strong>Updated 12\/01\/2020<\/strong> &#8211; Zoom has <strong>agreed to settle<\/strong> <a href=\"https:\/\/www.ftc.gov\/system\/files\/documents\/cases\/1923167zoomacco2.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">allegations<\/a> (PDF) made by the US Federal Trade Commission (FTC) that it \u201cengaged in a series of deceptive and unfair practices that undermined the security of its users.\u201d Among the charges was that <strong>Zoom misled users<\/strong> by:<\/p>\r\n<ul>\r\n<li>Touting that it offered \u201cend-to-end, 256-bit encryption\u201d to secure users\u2019 communications, when in fact <a href=\"https:\/\/blog.zoom.us\/facts-around-zoom-encryption-for-meetings-webinars\/\" target=\"_blank\" rel=\"noopener noreferrer\">it provided a lower level of security<\/a>.<\/li>\r\n<li>Saying that recorded meetings stored on the company\u2019s cloud storage were encrypted immediately after the meeting ended, which was untrue in some cases.<\/li>\r\n<li>Compromising the security of some users when it <a href=\"https:\/\/techcrunch.com\/2019\/07\/10\/apple-silent-update-zoom-app\/\" target=\"_blank\" rel=\"noopener noreferrer\">secretly installed a hidden web server on Macs<\/a>.<\/li>\r\n<\/ul>\r\n<p>The settlement does not require Zoom to admit fault or pay a fine &#8211; so <strong>they got away with it.<\/strong><\/p>\r\n<p style=\"text-align: center;\">&#8212;<\/p>\r\n<p><strong>Updated 05\/01\/2020<\/strong> &#8211; Zoom made a big splash when <strong>CEO Eric Yuan<\/strong> <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2020-04-30\/zoom-clarifies-it-has-300-million-participants-not-users\" target=\"_blank\" rel=\"noopener noreferrer\">claimed<\/a> the video conferencing firm had surpassed 300 million daily Zoom meeting users last week. That&#8217;s impressive growth in the face of the security and privacy holes documented on the <em><a href=\"https:\/\/wp.me\/p2wgaW-tzS\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a><\/em> and around the <a href=\"https:\/\/citizenlab.ca\/2020\/04\/faq-on-zoom-security-issues\/\" target=\"_blank\" rel=\"noopener noreferrer\">Intertubes<\/a>.<\/p>\r\n<p>Well, in a Zoom tradition, they &#8220;<strong><a href=\"https:\/\/web.archive.org\/web\/20200618173827\/https:\/\/blog.zoom.us\/wordpress\/2020\/04\/22\/90-day-security-plan-progress-report-april-22\/\" target=\"_blank\" rel=\"noopener noreferrer\">back-tracked<\/a><\/strong>&#8221; that announcement, just like they back-tracked their definition of &#8220;<a href=\"https:\/\/theintercept.com\/2020\/03\/31\/zoom-meeting-encryption\/\" target=\"_blank\" rel=\"noopener noreferrer\">end-to-end encryption<\/a>.&#8221; <strong>Zoom artificially inflated the number of users<\/strong> by counting <em>meeting participants as \u201cusers\u201d and \u201cpeople.\u201d<\/em><\/p>\r\n<p>Daily <strong>meeting participants can be counted multiple times<\/strong> &#8211; if you have four Zoom meetings in a day, you\u2019re counted four times. <em><a href=\"https:\/\/www.svconline.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">SVCOnline<\/a><\/em> <a href=\"https:\/\/www.svconline.com\/needtoknow\/zoom-doesnt-really-have-300-million-daily-active-users\" target=\"_blank\" rel=\"noopener noreferrer\">explains<\/a> that calling meeting participants \u201cdaily users\u201d <strong>makes Zoom usage seem larger than it is<\/strong>. The term most companies use to measure service usage is the daily active user (DAU). 
A <strong>DAU is counted once per day.<\/strong><\/p>\r\n<p style=\"text-align: center;\">&#8212;<\/p>\r\n<p><strong>Updated 04\/08\/2020<\/strong> &#8211; Zoom now faces <a href=\"https:\/\/www.cnet.com\/news\/zoom-sued-by-shareholder-over-security-issues\/\" target=\"_blank\" rel=\"noopener noreferrer\">four<\/a> <a href=\"https:\/\/drive.google.com\/file\/d\/1Xdfisiu2XETY6nVvMyY--cdJ6QVQcZTq\/view\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>lawsuits<\/strong><\/a> <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2020-03-31\/zoom-sued-for-allegedly-illegally-disclosing-personal-data\" target=\"_blank\" rel=\"noopener noreferrer\">over its<\/a> <a href=\"https:\/\/www.dropbox.com\/s\/h078rfxsq4x22um\/TZ_TaylorVZoom_Complaint_Final.pdf?dl=0\" target=\"_blank\" rel=\"noopener noreferrer\">security and privacy<\/a> practices. Today, <a href=\"https:\/\/www.buzzfeednews.com\/article\/pranavdixit\/google-bans-zoom\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Google<\/strong> has <strong>banned<\/strong> employees<\/a> from using Zoom, joining <a href=\"https:\/\/www.reuters.com\/article\/us-spacex-zoom-video-commn\/elon-musks-spacex-bans-zoom-over-privacy-concerns-memo-idUSKBN21J71H\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>NASA<\/strong><\/a>, <a href=\"https:\/\/www.fastcompany.com\/90485551\/elon-musks-spacex-bans-employees-from-using-zoom-over-significant-privacy-and-security-concerns\" target=\"_blank\" rel=\"noopener noreferrer\">SpaceX<\/a>, <a href=\"https:\/\/www.washingtonpost.com\/education\/2020\/04\/04\/school-districts-including-new-york-citys-start-banning-zoom-because-online-security-issues\/\" target=\"_blank\" rel=\"noopener noreferrer\">NYC schools<\/a>, <a href=\"https:\/\/www.ktnv.com\/news\/zoom-ban-causing-headaches-in-online-teaching-for-ccsd-teachers\" target=\"_blank\" rel=\"noopener noreferrer\">Clark County<\/a> (Las Vegas) schools, the governments of <a href=\"https:\/\/www.techradar.com\/news\/zoom-banned-for-official-use-in-taiwan\" target=\"_blank\" rel=\"noopener noreferrer\">Germany<\/a> and <a href=\"https:\/\/www.techradar.com\/news\/zoom-banned-for-official-use-in-taiwan\" target=\"_blank\" rel=\"noopener noreferrer\">Taiwan<\/a>, as well as <a href=\"https:\/\/www.reuters.com\/article\/us-spacex-zoom-video-commn\/elon-musks-spacex-bans-zoom-over-privacy-concerns-memo-idUSKBN21J71H\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Apple<\/strong><\/a>.<\/p>\r\n<p style=\"text-align: center;\">&#8212;<\/p>\r\n<p><strong>Updated 04\/07\/2020<\/strong> &#8211; <a href=\"https:\/\/web.archive.org\/web\/20210227165846\/https:\/\/bgr.com\/2020\/04\/04\/zoom-security-private-video-chats-online\/\" target=\"_blank\" rel=\"noopener noreferrer\">Reports<\/a> of a new <a href=\"https:\/\/www.forbes.com\/sites\/kateoflahertyuk\/2020\/04\/04\/new-zoom-user-blow-this-is-how-thousands-of-video-chats-are-available-for-anyone-to-view-online\/\" target=\"_blank\" rel=\"noopener noreferrer\">blow<\/a> to Zoom\u2019s security creds: researchers have discovered up to <strong><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/zoom-blow-thousands-user-videos\/\" target=\"_blank\" rel=\"noopener noreferrer\">15,000<\/a> private Zoom recordings exposed online<\/strong>. 
Many of them were apparently stored in Amazon Web Services (AWS) S3 buckets without passwords.<\/p>\r\n<p style=\"text-align: center;\">&#8212;<\/p>\r\n<p style=\"font-size: 16px;\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-113757\" style=\"font-size: 16px;\" title=\"What You Need to Know About Zoom\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/arrow_up.png?resize=110%2C46&#038;ssl=1\" alt=\"What You Need to Know About Zoom\" width=\"110\" height=\"46\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/arrow_up.png?resize=150%2C63&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/arrow_up.png?resize=75%2C31&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/arrow_up.png?w=468&amp;ssl=1 468w\" sizes=\"auto, (max-width: 110px) 100vw, 110px\" \/><\/p>\r\n<p>Zoom has <a href=\"https:\/\/www.statista.com\/chart\/21323\/top-apps-in-the-us-android-apple\/\" target=\"_blank\" rel=\"noopener noreferrer\">taken off<\/a>. Thanks to the global <a href=\"https:\/\/www.svconline.com\/needtoknow\/ihme-release-state-by-state-prediction-of-arc-and-peak-timing-of-covid-19\" target=\"_blank\" rel=\"noopener sponsored noreferrer\">COVID-19<\/a> lock-down <a href=\"https:\/\/zoom.us\/\" target=\"_blank\" rel=\"noopener noreferrer\">Zoom<\/a>\u2019s (<a href=\"https:\/\/www.tradingview.com\/symbols\/NASDAQ-ZM\/\" target=\"_blank\" rel=\"noopener noreferrer\">ZM<\/a>) stock has surged over 250% on the <a href=\"https:\/\/www.nasdaq.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">NASDAQ<\/a> since October 2019. 
Daily usage of Zoom&#8217;s video conferencing platform has <a href=\"https:\/\/web.archive.org\/web\/20200619103906\/https:\/\/blog.zoom.us\/wordpress\/2020\/04\/01\/a-message-to-our-users\/\" target=\"_blank\" rel=\"noopener noreferrer\">exploded<\/a> from 10 million in December 2019 to more than 200 million in March 2020.<\/p>\r\n<p><a href=\"https:\/\/zoom.us\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-113738\" style=\"font-size: 16px;\" title=\"Zoom logo\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Zoom-logo-e1585966246563-150x141.jpg?resize=95%2C89&#038;ssl=1\" alt=\"Zoom logo\" width=\"95\" height=\"89\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Zoom-logo-e1585966246563.jpg?resize=150%2C141&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Zoom-logo-e1585966246563.jpg?resize=75%2C70&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Zoom-logo-e1585966246563.jpg?w=381&amp;ssl=1 381w\" sizes=\"auto, (max-width: 95px) 100vw, 95px\" \/><\/a><\/p>\r\n<p>After its stock price run-up and exploitation of the COVID-19 pandemic, Zoom has come under intense scrutiny. <strong>The FBI<\/strong> issued a <a href=\"https:\/\/www.fbi.gov\/contact-us\/field-offices\/boston\/news\/press-releases\/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic\" target=\"_blank\" rel=\"noopener noreferrer\">warning<\/a> about using Zoom. The <strong>New York Attorney General<\/strong>\u2019s office sent a <a href=\"https:\/\/www.nytimes.com\/2020\/03\/30\/technology\/new-york-attorney-general-zoom-privacy.html\" target=\"_blank\" rel=\"noopener noreferrer\">letter to Zoom<\/a> about its practices. Security professionals have found a disturbing list of flaws in Zoom. Here is a brief list of the risks you take when using Zoom.<\/p>\r\n<h3>Zoom Risks<\/h3>\r\n<p><strong>Phishing<\/strong> &#8211; Security firm <strong><a href=\"https:\/\/www.checkpoint.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Check Point Software<\/a><\/strong> <a href=\"https:\/\/blog.checkpoint.com\/2020\/03\/30\/covid-19-impact-cyber-criminals-target-zoom-domains\/\" target=\"_blank\" rel=\"noopener noreferrer\">says<\/a> criminals are waging phishing campaigns with Zoom-related themes as a lure. The <strong>phishing emails<\/strong> that Check Point has observed <strong>spoof Zoom login<\/strong> pages and attempt to get victims to <strong>input their credentials.<\/strong> The Zoom credentials are then <strong>harvested by the attackers<\/strong>. Check Point has also uncovered malicious files with names that include &#8220;zoom&#8221; in the title.<\/p>\r\n<p style=\"font-size: 16px;\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-113449\" style=\"font-size: 16px;\" title=\"Encryption\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Data_Encryption-2-e1586095330974-150x67.gif?resize=125%2C56&#038;ssl=1\" alt=\"Encryption\" width=\"125\" height=\"56\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Data_Encryption-2-e1586095330974.gif?resize=150%2C67&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Data_Encryption-2-e1586095330974.gif?resize=75%2C33&amp;ssl=1 75w\" sizes=\"auto, (max-width: 125px) 100vw, 125px\" \/><\/p>\r\n<p><strong>Phony end-to-end encryption<\/strong> &#8211; Zoom uses misleading advertising to claim that its meetings use &#8220;end-to-end encryption,&#8221; <a href=\"https:\/\/theintercept.com\/2020\/03\/31\/zoom-meeting-encryption\/\" target=\"_blank\" rel=\"noopener noreferrer\">according<\/a> to <em><a href=\"https:\/\/theintercept.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">The Intercept<\/a><\/em>. Zoom uses the term &#8220;end-to-end encryption&#8221; incorrectly. Zoom admitted its definitions of &#8220;<strong>end-to-end<\/strong>&#8221; and of &#8220;<strong>endpoint<\/strong>&#8221; are different from everyone else&#8217;s. A spokesperson told <em>The Intercept<\/em>, &#8220;<em>When we use the phrase &#8216;End to End&#8217; &#8230; it is in reference to the connection being encrypted from Zoom endpoint to Zoom endpoint.<\/em>&#8221;<\/p>\r\n<p>Unlike Apple&#8217;s, Zoom&#8217;s data is only encrypted while it travels between an end user and a Zoom server. Your data is decrypted at the Zoom server. Zoom (or a three-letter agency) can see and hear whatever is going on in its meetings. Zoom Chief Product Officer Oded Gal <a href=\"https:\/\/web.archive.org\/web\/20200619103816\/https:\/\/blog.zoom.us\/wordpress\/2020\/04\/01\/facts-around-zoom-encryption-for-meetings-webinars\/\" target=\"_blank\" rel=\"noopener sponsored noreferrer\">wrote<\/a>:<\/p>\r\n<p style=\"text-align: justify; padding-left: 30px;\"><em>We recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.<\/em><\/p>\r\n<p><em>The Intercept<\/em> concludes that Zoom doesn&#8217;t decrypt user transmissions &#8212; but it could.<\/p>\r\n<p style=\"font-size: 16px;\"><a href=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/zoombomb.png?ssl=1\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-113744\" title=\"What You Need to Know About Zoom\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/zoombomb.png?resize=109%2C62&#038;ssl=1\" alt=\"What You Need to Know About Zoom\" width=\"109\" height=\"62\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/zoombomb.png?resize=150%2C85&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/zoombomb.png?resize=75%2C43&amp;ssl=1 75w, 
https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/zoombomb.png?w=768&amp;ssl=1 768w\" sizes=\"auto, (max-width: 109px) 100vw, 109px\" \/><\/a><\/p>\r\n<p><strong>Zoom bombing<\/strong> &#8211; Zoom bombing occurs when a <strong>third party interrupts or takes over<\/strong> a video conference. <strong>Anyone can &#8220;bomb&#8221; a public Zoom meeting.<\/strong> All they need is the meeting number. Attackers can use the file-share to post shocking images or make annoying sounds in the audio. The host of the Zoom meeting can kick out troublemakers, but they can come right back with new user IDs. <strong>The FBI issued a <a href=\"https:\/\/www.fbi.gov\/contact-us\/field-offices\/boston\/news\/press-releases\/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic\" target=\"_blank\" rel=\"noopener noreferrer\">warning<\/a> about Zoom bombing<\/strong>.<\/p>\r\n<p>To prevent Zoom bombing, <strong>do not share Zoom meeting numbers<\/strong> with anyone but the intended participants. Also require participants to <strong>use a password to log into<\/strong> the meeting.<\/p>\r\n<p><strong>Windows password stealing<\/strong> \u2013 <a href=\"https:\/\/www.bleepingcomputer.com\/\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Bleeping Computer<\/em><\/a> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/zoom-lets-attackers-steal-windows-credentials-run-programs-via-unc-links\/\" target=\"_blank\" rel=\"noopener noreferrer\">reports<\/a> that malicious users can use the <strong>Zoom side chats<\/strong> to post a <strong>Universal Naming Convention<\/strong> (UNC) link that points to a remote server. If the victim follows the link, their Windows computer will try to <strong>reach out to the hacker&#8217;s remote server<\/strong> specified in the path, and the PC will automatically try to log in with the <strong>user&#8217;s Windows username and password<\/strong>. The attacker could capture the password &#8220;hash&#8221; and crack it, giving them <strong>access to the Zoom user&#8217;s Windows account<\/strong>.<\/p>\r\n<p><strong><a href=\"https:\/\/www.allstatescomputers.com\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-111585\" title=\"Windows malware injection\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/malware-28.jpg?resize=90%2C90&#038;ssl=1\" alt=\"Windows malware injection\" width=\"90\" height=\"90\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/malware-28.jpg?w=116&amp;ssl=1 116w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/malware-28.jpg?resize=75%2C75&amp;ssl=1 75w\" sizes=\"auto, (max-width: 90px) 100vw, 90px\" \/><\/a>Windows malware injection<\/strong> \u2013 The same flaw allows a hacker to insert a <strong>UNC path to a malicious remote executable<\/strong> into a Zoom meeting. If a Zoom user running Windows clicks on it, the computer will try to load and <strong>run the malicious software<\/strong>. The victim will be prompted to authorize the software to run, which will stop some hacking attempts but not all.<\/p>\r\n<p><strong>Apple iOS profile sharing<\/strong> &#8211; Zoom sends iOS <strong>user profiles to Facebook.<\/strong> This is done with the &#8220;log in with Facebook&#8221; feature in the <strong>iPhone and iPad Zoom apps<\/strong>. 
After <a href=\"https:\/\/www.vice.com\/\" target=\"_blank\" rel=\"noopener sponsored noreferrer\"><em>Motherboard<\/em><\/a> <a href=\"https:\/\/web.archive.org\/web\/20200929085936\/https:\/\/www.vice.com\/en_us\/article\/k7e599\/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account\" target=\"_blank\" rel=\"noopener noreferrer\">exposed<\/a> the practice, Zoom said it <a href=\"https:\/\/blog.zoom.us\/wordpress\/2020\/03\/27\/zoom-use-of-facebook-sdk-in-ios-client\/\" target=\"_blank\" rel=\"noopener noreferrer\">hadn&#8217;t been aware<\/a> of the profile-sharing. Zoom\u2019s initial response was to blame the social network&#8217;s software development kit used in the Zoom software. <em>CNet<\/em> <a href=\"https:\/\/www.cnet.com\/news\/using-zoom-while-working-from-home-here-are-the-privacy-risks-to-watch-out-for\/\" target=\"_blank\" rel=\"noopener noreferrer\">concludes<\/a> that Zoom shares enough personal data that it qualifies as <strong>selling your data<\/strong>.\u00a0<\/p>\r\n<p><strong><a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/new-malware-threatens-mac-users\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-113749\" title=\"Mac malware\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/mac-malware-e1586095676302-112x150.jpg?resize=71%2C95&#038;ssl=1\" alt=\"Mac malware\" width=\"71\" height=\"95\" \/><\/a>Malware-like behavior on Macs<\/strong> &#8211; Zoom was caught using hacker-like methods to <strong>bypass normal macOS security.<\/strong> It was thought this <a href=\"https:\/\/www.engadget.com\/2019-07-10-apple-mac-update-removes-zoom-exploit.html\" target=\"_blank\" rel=\"noopener noreferrer\">flaw had been fixed<\/a>. 
But security researcher Felix Seele <a href=\"https:\/\/twitter.com\/c1truz_\/status\/1244737676990976001\" target=\"_blank\" rel=\"noopener sponsored noreferrer\">noticed<\/a> that Zoom installed itself on his Mac without the usual user authorization.<\/p>\r\n<p style=\"text-align: justify; padding-left: 30px;\"><em>The application is installed without the user giving his final consent and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware.<\/em><\/p>\r\n<p><strong>A backdoor for Mac malware<\/strong> &#8211; Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, said in a <a href=\"https:\/\/objective-see.com\/blog\/blog_0x56.html\" target=\"_blank\" rel=\"noopener sponsored noreferrer\">blog post<\/a> that Zoom used a discontinued installation process. The deprecated process could allow malware to add malicious code to &#8220;<strong>escalate privileges.<\/strong>&#8221; This would allow an attacker to gain total control over the machine <strong>without knowing the administrator&#8217;s password<\/strong>.<\/p>\r\n<p><em><a href=\"https:\/\/www.csoonline.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">CSO Online<\/a><\/em> <a href=\"https:\/\/www.csoonline.com\/article\/3535789\/weakness-in-zoom-for-macos-allows-local-attackers-to-hijack-camera-and-microphone.html\" target=\"_blank\" rel=\"noopener noreferrer\">reports<\/a> that Wardle demonstrated the backdoor. He installed a malicious script into the <strong>Zoom Mac client.<\/strong> This could give any piece of malware access to the Mac&#8217;s webcam and microphone. It would turn any Mac with Zoom into a <strong>spying device<\/strong>.<\/p>\r\n<h3>Zoom privacy issues<\/h3>\r\n<p><strong>Leaks of email addresses and profile photos<\/strong> &#8211; Zoom automatically puts everyone sharing the same email domain into a &#8220;company&#8221; folder where they can <strong>see each other&#8217;s information<\/strong>. If you are not a user of a large webmail service like Gmail, Yahoo, Hotmail, or Outlook.com, you could end up in a &#8220;company&#8221; with dozens of strangers.<\/p>\r\n<p><strong><a href=\"https:\/\/www.clearswift.com\/blog\/2014\/09\/22\/australian-federal-police-department-sensitive-data-leak-scandal\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-113164\" title=\"Data leak\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/data_leak-2-e1582929770533-150x98.png?resize=110%2C72&#038;ssl=1\" alt=\"Data leak\" width=\"110\" height=\"72\" \/><\/a>Sharing of personal data with advertisers<\/strong> &#8211; Privacy experts for <em><a href=\"https:\/\/www.consumerreports.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">Consumer Reports<\/a><\/em> reviewed <strong>Zoom&#8217;s privacy policy<\/strong> and <a href=\"https:\/\/www.consumerreports.org\/privacy\/at-zoom-new-privacy-and-security-problems-keep-emerging\/\" target=\"_blank\" rel=\"noopener noreferrer\">found<\/a> that it gave Zoom the right to use Zoom <strong>users&#8217; personal data and to share it with third-party marketers.<\/strong> In a <a href=\"https:\/\/web.archive.org\/web\/20200618151633\/https:\/\/blog.zoom.us\/wordpress\/2020\/03\/29\/zoom-privacy-policy\/\" target=\"_blank\" rel=\"noopener noreferrer\">blog<\/a>, Aparna Bawa, Zoom\u2019s chief legal officer, claimed &#8220;<em>we do not sell your personal data.<\/em>&#8221; The lawyer concluded definitively, \u201c<em><strong>We are not changing any of our practices<\/strong>.<\/em>\u201d But we don&#8217;t know the details of Zoom&#8217;s business dealings with third-party advertisers.<\/p>\r\n<p><strong>Cloud snitching<\/strong> &#8211; For <strong>paid subscribers<\/strong>, Zoom&#8217;s <strong>cloud recording<\/strong> feature can be a problem waiting to happen. <a href=\"https:\/\/mashable.com\/\" target=\"_blank\" rel=\"noopener sponsored noreferrer\"><em>Mashable<\/em><\/a> <a href=\"https:\/\/mashable.com\/article\/zoom-conference-call-work-from-home-privacy-concerns\/\" target=\"_blank\" rel=\"noopener sponsored noreferrer\">points out<\/a> that any time Zoom is used, your person-to-person chat messages are saved and could be sent to your boss by any authorized user. <em><a href=\"https:\/\/www.cnet.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">CNet<\/a><\/em> <a href=\"https:\/\/www.cnet.com\/news\/using-zoom-while-working-from-home-here-are-the-privacy-risks-to-watch-out-for\/\" target=\"_blank\" rel=\"noopener noreferrer\">notes<\/a> that Zoom administrators can restrict access to recordings by IP address \u2013 but this is not enabled by default.<\/p>\r\n<p><strong>Tattle-tale attention-tracking feature<\/strong> &#8211; Zoom&#8217;s attention-tracking feature allows the meeting host to monitor whether you are paying attention to their PowerPoint deck. 
The Zoom desktop client or mobile app alerts the host if any attendee goes more than 30 seconds without Zoom being in focus on their screen.<\/p>\r\n<p><strong><em>rb-<\/em><\/strong><\/p>\r\n<p><em>I agree with those who are calling Zoom&#8217;s <a href=\"https:\/\/www.circleid.com\/posts\/20200403-zoom-security-the-good-the-bad-and-the-business-model\" target=\"_blank\" rel=\"noopener sponsored noreferrer\">development<\/a> processes <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2020\/04\/security_and_pr_1.html\" target=\"_blank\" rel=\"noopener noreferrer\">lazy<\/a>. As you can see, Zoom&#8217;s software development process creates a <strong>huge <a href=\"https:\/\/web.archive.org\/web\/20220111214800\/https:\/\/whatis.techtarget.com\/definition\/attack-surface\" target=\"_blank\" rel=\"noopener noreferrer\">attack surface<\/a><\/strong>.<\/em><\/p>\r\n<p><a href=\"https:\/\/www.tomsguide.com\/\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Tom&#8217;s Guide<\/em><\/a> is <a href=\"https:\/\/www.tomsguide.com\/news\/zoom-security-privacy-woes\" target=\"_blank\" rel=\"noopener noreferrer\">tracking<\/a> the status of Zoom&#8217;s problems. <em>So is Zoom safe to use? That is your call &#8211; you need to <strong>make an informed decision and patch your Zoom software.<\/strong><\/em><\/p>\r\n<p><a href=\"https:\/\/www.cnbc.com\/2020\/03\/21\/why-zoom-has-become-darling-of-remote-workers-amid-covid-19-outbreak.html\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-113746 size-medium\" title=\"Zoom CEO Eric Yuan\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Yuan_eric.jpeg?resize=100%2C150&#038;ssl=1\" alt=\"Zoom CEO Eric Yuan\" width=\"100\" height=\"150\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Yuan_eric.jpeg?resize=100%2C150&amp;ssl=1 100w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Yuan_eric.jpeg?resize=50%2C75&amp;ssl=1 50w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Yuan_eric.jpeg?w=262&amp;ssl=1 262w\" sizes=\"auto, (max-width: 100px) 100vw, 100px\" \/><\/a><\/p>\r\n<p><em><strong>You should be suspicious of \u201cfree\u201d products<\/strong>. As in the case of Google and <strong>Facebook<\/strong>, you are the product for Zoom. They are <strong>monetizing you<\/strong>. Follow the money.<\/em><\/p>\r\n<p><em>Eric Yuan, the founder and <strong>CEO of Zoom, is profiting<\/strong> by using your info. His personal wealth has increased <a href=\"https:\/\/www.bloomberg.com\/billionaires\/profiles\/eric-s-yuan\/\" target=\"_blank\" rel=\"noopener noreferrer\" data-analytics-module=\"summary_bullets\" data-analytics-post-depth=\"0\">112% to <strong>$7.57 billion<\/strong><\/a> <strong>in the past three months<\/strong>, as the use of Zoom skyrockets amid the pandemic, while the other 99% of the world braces for a <strong>global recession<\/strong>.<\/em><\/p>\r\n<p><strong><em>How does he get all of that money on free software?<\/em><\/strong><\/p>\r\n<p style=\"text-align: center;\"><em><strong><a href=\"https:\/\/web.archive.org\/web\/20240728154520\/https:\/\/www.cdc.gov\/coronavirus\/2019-ncov\/prevent-getting-sick\/prevention.html?CDC_AA_refVal=https%3A%2F%2Fwww.cdc.gov%2Fcoronavirus%2F2019-ncov%2Fprepare%2Fprevention.html\" target=\"_blank\" rel=\"noopener noreferrer\">Stay safe out there!<\/a><\/strong><\/em><\/p>\r\n<p><strong>Related article<\/strong><\/p>\r\n<ul>\r\n<li><a href=\"https:\/\/www.theguardian.com\/technology\/2020\/apr\/03\/youtube-coronavirus-treatments-profit-misinformation\" target=\"_blank\" rel=\"noopener noreferrer\">YouTube profits from videos promoting unproven Covid-19 treatments<\/a> (<a href=\"https:\/\/www.theguardian.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">The Guardian<\/a>)<\/li>\r\n<\/ul>\r\n<p><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a> has been in IT long enough to know better and has blogged from his <a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on <a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>, <a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>, and <a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. 
Email the Bach Seat <a href=\"mailto:bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>Zoom has taken off as the COVID lockdown continues, but Zoom security and privacy issues may be a problem for many users of the video conferencing platform<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[2697,3397,3419,824,3435,2162,37,4,3490,3430,3436,3433,3434],"class_list":["post-113700","post","type-post","status-publish","format-standard","hentry","category-security","tag-2697","tag-3397","tag-covid-19","tag-encryption","tag-eric-yuan","tag-hacking","tag-recession","tag-security","tag-video-conference","tag-work-from-home","tag-zm","tag-zoom","tag-zoombonb"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/113700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=113700"}],"version-history":[{"count":50,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/113700\/revisions"}],"predecessor-version":[{"id":132002,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/113700\/revisions\/132002"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=113700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=113700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=113700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}