Archive for April 1, 2020

Zoom Seriously Needs To Up Their Security Game And Do So Quickly And Publicly

Posted in Commentary with tags on April 1, 2020 by itnerd

Zoom is the app du jour. Companies, individuals, and even the UK Government are using it to keep in touch, conduct meetings, and conduct business. However, as Zoom’s profile has increased, so has the scrutiny of the app. And that scrutiny has revealed some troubling flaws within the app:

  • The Windows client has a flaw that has the potential to leak domain credentials if you put UNC paths (\\Server\folder for example) in a Zoom chat window. We would ask you not to use UNC paths in Zoom chats to ensure that domain credentials do not get leaked. You can find out more details here.
  • The Mac client has two issues: 
    • By taking advantage of the installation process, which is done without user interaction, a user or piece of malware with low-level privileges can gain root access to a computer — the highest level of privilege.
    • The second issue allows a local user or piece of malware to piggyback on Zoom’s camera and microphone permissions. An attacker can inject malicious code into Zoom’s process space and “inherit” camera and microphone permissions, allowing them to hijack them without a user’s knowledge.
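For the Windows UNC-path issue in the first bullet, the following is an added example (not code from the original post or from Zoom) of a host-side mitigation: when a user clicks a UNC link, Windows tries to authenticate to that host with NTLM, and the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy stops that for any server not on an allow list. The server name in the allow list is a constructed placeholder.

```powershell
# Added example, not from the original post: restrict outgoing NTLM so that
# a UNC link pasted into a chat cannot make this machine send domain
# credentials to an arbitrary host. Run from an elevated PowerShell session.
param(
    # 0 = allow all, 1 = audit all (log but do not block), 2 = deny all.
    # Start in audit mode, review the log, then move to deny.
    [ValidateSet(0, 1, 2)]
    [int] $Mode = 1,
    # Servers that legitimately need NTLM from this host, such as an internal
    # file server. 'FILESRV01.corp.example' is a constructed placeholder.
    [string[]] $AllowedServers = @('FILESRV01.corp.example')
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# The group policy setting is backed by these two registry values under MSV1_0:
# RestrictSendingNTLMTraffic (DWORD) and ClientAllowedNTLMServers (MULTI_SZ).
Set-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' -Value $Mode -Type DWord
Set-ItemProperty -Path $lsaKey -Name 'ClientAllowedNTLMServers' -Value $AllowedServers -Type MultiString

# Confirm what is now configured.
Get-ItemProperty -Path $lsaKey |
    Select-Object RestrictSendingNTLMTraffic, ClientAllowedNTLMServers |
    Format-List

# In audit mode the NTLM operational log records outgoing NTLM authentication
# attempts, which shows which servers users actually rely on before you switch
# to deny mode. Review the most recent entries here.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Pushing the same two values through Group Policy (Security Options, “Network security: Restrict NTLM”) is the equivalent for a domain fleet; this script is the single-host form.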

The Mac-related issues can only be exploited if you lose physical access to the Mac. So your best mitigation strategy is to maintain physical control of your Mac and lock the Mac so that nobody can access it. More details can be found here. It is a bit nerdy. Thus, for a less nerdy explanation, click here.

Then there’s the fact that Zoom advertises itself as being “end to end encrypted.” Except that, according to security researchers, it isn’t, which in this day and age is really bad. And what’s worse is that Zoom continues to peddle what I consider to be “fake news” by insisting that it is end to end encrypted.

And finally, all of that is on top of a phenomenon called “Zoom Bombing,” which can best be described as this: an uninvited guest joins your meeting and then starts displaying offensive content. It’s become a bit of an unfortunate trend as Zoom has become more popular. You can find out more about this here. But my recommendation is that you enable the Zoom waiting room functionality. Zoom’s own document on the topic describes it as follows:

Attendees cannot join a meeting until a host admits them individually from the waiting room. If Waiting room is enabled, the option for attendees to join the meeting before the host arrives is automatically disabled.

All of these issues have the same root cause. Zoom is a company that has more marketing sense than security sense. This is the same company that got caught with a serious flaw that enabled video calls with zero interaction on the Mac, which they sort of fixed. But that wasn’t good enough for Apple, which, in the absence of a fix it was satisfied with, was forced to get involved and take action against Zoom in a manner that was and still is unprecedented. Thus it’s hardly surprising that Zoom finds itself in a situation where their shoddy security practices are on full display.

Zoom can fix this, but they need to take decisive action immediately. Here’s what I would look for:

  1. Zoom needs to come clean about end to end encryption and commit to making their service end to end encrypted. In 2020 this is not optional. Thus Zoom needs to address this.
  2. Zoom needs to fix all the issues outlined by pushing out software updates that address these issues fully and completely.
  3. Zoom needs to open itself up to third party security auditing. Because Zoom has had a lot of chances to get this right. And they have failed miserably to get it right. Thus they need a third party to come in and set them straight.
  4. Everything Zoom does going forward needs to be done in public.

I will be interested to see if Zoom does all of the above. Because if they don’t, I can easily see a scenario where Zoom’s success may be very short lived.

Guest Post: Surfshark Discusses Research About The Most Privacy-Invasive COVID-19 Apps

Posted in Commentary with tags on April 1, 2020 by itnerd

With COVID-19 wreaking havoc worldwide, the last thing people think about is their digital privacy. Unfortunately, in some countries, measures taken to tame the outbreak infringe on people’s digital privacy. The analysis conducted by the privacy protection company Surfshark covers 12 applications in 12 different countries across the globe and aims to report what these apps are doing, what information they collect, and what consequences they could bring to society.

Main findings:

  • At least 7 out of 10 apps* track GPS location
  • At least 6 out of 10 apps are unclear about what they track, don’t provide Terms and Conditions upfront, or use intrusive methods such as surveillance camera footage to track their users
  • At least 2 out of 10 apps clearly state that they share this information with third parties
  • At least 4 out of 10 apps were developed by or with the help of non-government bodies, such as private companies

*10 apps that are already released, as the UK and Belgium ones are not yet available

“Many crisis-management measures might become a fixture of life. Therefore, we must consider how our life after COVID-19 will be impacted permanently. Governments worldwide are introducing invasive, privacy-ignoring measures that people adapt to because they are afraid,” says Naomi Hodges, cybersecurity advisor at Surfshark.

“Such Orwellian security measures, driven by the seemingly noble goal of public health safety, can be critiqued for a lot of reasons. The first of which is the fact that the majority of people lack cybersecurity education to evaluate the potential consequences of sharing their data,” explains Naomi Hodges.

Collecting an incredible amount of user data is increasingly recognized as a bad thing. It can fuel discrimination, especially since innocent-looking data may reveal sensitive information such as political views or sexuality.

For instance, the app developed in Colombia asks people if they have participated in any mass events in the previous eight days. Due to the recent protests all over the country, it is controversial and may have life-threatening consequences.

In countries that have laws against such invasions of privacy – Belgium and its app-in-development being one example – changes may be made to accommodate intrusive apps.

On top of that, some app developers may have other interests – especially in cases such as the Alibaba group helping develop the Chinese app, or Google being involved in the development of the CoronaMadrid app. Ultimately, people would have to trust every company involved not to exploit the crisis.

“There is no argument against the fact that the COVID-19 pandemic is threatening to change our lives as we know them. It has already impacted millions of people who got sick, lost their jobs, and will impact so many more. Mass surveillance is quickly spreading along with the advancing technology – and this pandemic crisis is allowing them to both set a precedent and normalize it,” says Naomi Hodges.

The full analysis can be found here: https://surfshark.com/blog/privacy-invasive-covid-19-apps

Taskade: Real-Time Collaboration Platform Launches

Posted in Commentary with tags on April 1, 2020 by itnerd

Taskade, a Y-Combinator-backed startup, has launched a real-time organization and collaboration platform for distributed teams. This week, it announced it will be offering a 6-month free upgrade to its Pro version to support businesses and individuals adopting remote work amidst the COVID-19 situation.

Taskade is a real-time workspace for remote teams to manage tasks, write notes, and video chat together, on the same page.

In the past few weeks, the world has witnessed an unprecedented transition to work-from-home as businesses and organizations try to keep staff safe. But the overnight pivot to remote work has left many employees who haven’t previously worked off-site struggling with productivity and without access to adequate tools.

And these problems are all too familiar for the Taskade founding team.

Employees need a quick and easy way to dive into the work without the need for extensive training or high-level technical support. That’s why Taskade provides a user-friendly solution that lets fully distributed teams organize work, communicate via chat and video, share documents, manage tasks and collaborate in real-time.

If you have used tools like Asana, Trello, Todoist, Zoom, Microsoft Teams or Slack, you will feel at home, as Taskade combines all the essential ingredients needed for remote collaboration into one simple tool. Another piece of good news is that it’s available on all popular operating systems, including Windows, Mac, iOS, Android, and as a browser extension, and it syncs in real time.

If you’re interested in taking the app for a spin, head over to https://www.taskade.com/ to create a free account. You can also download Taskade’s mobile and desktop apps for all your devices at https://www.taskade.com/downloads/.