Author Topic: Zoom Client Leaks Windows Login (Read 20200 times)

polonus · « **on:** April 01, 2020, 03:13:19 PM »

Lectori Salutem,

The privacy dangers using a tool like Zoom. FBI warns users.

Read: https://www.bleepingcomputer.com/news/security/zoom-client-leaks-windows-login-credentials-to-attackers/
The developers thereof even thought of a new definition to what E2E encryption means as they see it:
https://www.theregister.co.uk/2020/04/01/zoom_spotlight/

Certainly not a tool when you wanna keep information from others, again perfect tool when you wanna leak info to the world.
Re: https://support.zoom.us/hc/en-us/articles/115004055706-Managing-Contacts
and recently this:
https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account

FBI warning against Zoom-bombing: https://techcrunch.com/2020/03/17/zoombombing/
Security advice: https://www.csuci.edu/news/releases/zoom-bombers-2020.htm

Privacy friendly alternatives working from your home used by Tor Project developers?

1. Riseup Pads notifier: https://pad.riseup.net/
2. Productivity Platform NextCloud: https://nextcloud.com/
3. One-on-one chat-app Signal: https://www.signal.org/
4. Zoom alternative: JitsiMeet: http://meet.jit.si/
5. Sharing app = OnionShare: http://onionshare.org/
6. Sharing app for non-critical data: http://share.riseup.net/
1-6 all courtesy of Tor Project developers mentioned as tools they use at home to communicate (more) safely and securely.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Asyn · « **Reply #1 on:** April 02, 2020, 11:20:22 AM »

Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing
https://theintercept.com/2020/03/31/zoom-meeting-encryption/

PS: More here https://www.heise.de/security/meldung/Videokonferenz-Software-Ist-Zoom-ein-Sicherheitsalptraum-4695000.html (German)

polonus · « **Reply #2 on:** April 02, 2020, 02:23:41 PM »

Nasa & SpaceX ban the use of zoom over security concerns.
https://www.jpost.com/International/Elon-Musks-SpaceX-bans-Zoom-over-privacy-concerns-623307

All of a sudden they wanna work on these issues: https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/ But can we trust them as they apologize? https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

See it happen first to really believe it, every corporation online is out there to grab your data
an make a sell-out to the highest bidder.

polonus

bob3160 · « **Reply #3 on:** April 02, 2020, 04:56:27 PM »

Update to the latest version.

polonus · « **Reply #4 on:** April 03, 2020, 05:40:41 PM »

New problems found: https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

polonus

bob3160 · « **Reply #5 on:** April 03, 2020, 06:36:53 PM »

Quote from: polonus on April 03, 2020, 05:40:41 PM

New problems found: https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

polonus

ZOOM should not be used if the meeting discusses any kind of secrets until they fix their security issues.
There certainly isn't any reason not to use this product for anything that isn't of a confidential mature.

polonus · « **Reply #6 on:** April 04, 2020, 03:17:26 PM »

Hi bob3160,

Agree with that, but "zoom bombing" is going on around us and your FBI warns you that to do so is an offence:
https://www.justice.gov/usao-edmi/pr/federal-state-and-local-law-enforcement-warn-against-teleconferencing-hacking-during

So be aware you should never share such links (zoom-ids) to any third party and/or do not share on social media.
Put a password to secure the waiting room is a good advice.

On a side-line, remember Zoom's CEO had links to Shandong in Mainland China (he was born there in 1969/70),
and he had his USA-visa refused eight times in the past.

polonus

bob3160 · « **Reply #7 on:** April 04, 2020, 06:00:57 PM »

Quote from: polonus on April 04, 2020, 03:17:26 PM

Hi bob3160,

Agree with that, but "zoom bombing" is going on around us and your FBI warns you that to do so is an offence:
https://www.justice.gov/usao-edmi/pr/federal-state-and-local-law-enforcement-warn-against-teleconferencing-hacking-during

So be aware you should never share such links (zoom-ids) to any third party and/or do not share on social media.
Put a password to secure the waiting room is a good advice.

On a side-line, remember Zoom's CEO had links to Shandong in Mainland China (he was born there in 1969/70),
and he had his USA-visa refused eight times in the past.

polonus

ZOOM Booming has already been addressed and they are working on the other items.

Asyn · « **Reply #8 on:** April 05, 2020, 05:59:29 AM »

Zoom will enable waiting rooms by default to stop Zoombombing
https://techcrunch.com/2020/04/03/zoom-waiting-rooms-default/

polonus · « **Reply #9 on:** April 05, 2020, 01:36:00 PM »

Hi Asyn,

New York bans zoom for use by city-schools. All pupils now have a Microsoft Team account:
https://www.nbcnewyork.com/news/local/new-york-city-schools-call-for-end-to-zoom-calls-amid-security-concerns/2360279/

polonus

polonus · « **Reply #10 on:** April 06, 2020, 01:45:23 PM »

EFF instructs how to better make use of Zoom.
Disable chat auto saving; also disable "Attention Tracking".
Keep your meeting IDs to yourself and install a password.

Zoom should not be used where any confidentiality comes involved.
Read: https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/:

1) The claimed AES-256 encryption seems only to be AES-128. Not to big of a problem.
However using AES in ECB mode (see figure 5 in mentioned link);
2) All participants make use of one and the same key, occasionally also shared with some server in Mainland China.

Read https://www.theregister.co.uk/2020/04/03/dont_use_zoom_if_privacy/ & https://www.metzdowd.com/pipermail/cryptography/2020-April/035887.html.

All updates are not being installed automatically,
re: https://www.metzdowd.com/pipermail/cryptography/2020-April/035890.html.

Info credits go out to Erik van Straten.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

bob3160 · « **Reply #11 on:** April 06, 2020, 01:52:46 PM »

polonus · « **Reply #12 on:** April 06, 2020, 06:23:24 PM »

https://tidbits.com/2020/04/03/every-zoom-security-and-privacy-flaw-so-far-and-what-you-can-do-to-protect-yourself/

polonus

Asyn · « **Reply #13 on:** April 09, 2020, 09:45:32 AM »

Google Told Its Workers That They Can’t Use Zoom On Their Laptops Anymore
https://www.buzzfeednews.com/article/pranavdixit/google-bans-zoom

bob3160 · « **Reply #14 on:** April 09, 2020, 02:50:17 PM »

Quote from: Asyn on April 09, 2020, 09:45:32 AM

Google Told Its Workers That They Can’t Use Zoom On Their Laptops Anymore
https://www.buzzfeednews.com/article/pranavdixit/google-bans-zoom

Considering that Google wants you to use their own product, this was expected.

For those using ZOOM, there was another update yesterday.