Zoom Seriously Needs To Up Their Security Game And Do So Quickly And Publicly

Posted in Commentary with tags on April 1, 2020 by itnerd

Zoom is the app de jour. Companies, individuals, and even the UK Government are using it to keep in touch, conduct meetings, and conduct business. However as Zoom’s profile has increased, so has the scrutiny of the app. And that scrutiny has revealed some troubling flaws within the app:

  • The Windows client has a flaw that has the potential to leak domain credentials if you put UNC paths (\\Server\folder for example) in a Zoom chat window. We would ask you not to use UNC paths in Zoom chats to ensure that domain credentials do not get leaked. You can find out more details here.
  • The Mac client has two issues: 
    • By taking advantage of the installation process, which is done without user interaction, a user or piece of malware with low-level privileges can gain root access to a computer — the highest level of privilege.
    • The second issue allows a local user or piece of malware to piggyback on Zoom’s camera and microphone permissions. An attacker can inject malicious code into Zoom’s process space and “inherit” camera and microphone permissions, allowing them to hijack them without a user’s knowledge.

The Mac related issues can only be exploited if you lose physical access to the Mac. So your best mitigation strategy is to maintain physical control of your Mac and lock the Mac so that nobody can access it. More details can be found here. It is a bit nerdy. Thus for a less nerdy explanation, click here.

Then there’s the fact that Zoom advertises itself as being “end to end encrypted.” Except that it isn’t according to security researchers, which in this day and age is really bad. And what’s worse is that Zoom continues to pedal what I consider to be “fake news” insisting that it is end to end encrypted.

And finally, all of that is on top of a phenomena called “Zoom Bombing” which can be best described as this. An uninvited guest join your meeting and then starts displaying offensive content. It’s become a bit of an unfortunate trend as Zoom has become more popular. You can find out more about this here. But my recommendation is that you enable the Zoom waiting room functionality. It can be best described as this via this document that Zoom has on the topic:

Attendees cannot join a meeting until a host admits them individually from the waiting room. If Waiting room is enabled, the option for attendees to join the meeting before the host arrives is automatically disabled.

All of these issues have the same root cause. Zoom is a company that has more marketing sense than security sense. This is the same company that got caught with a serious flaw that enabled video calls with zero interaction on the Mac, which they sort of fixed. But it wasn’t good enough for Apple as the lack of a fix that they liked forced them to get involved to take action against Zoom in a manner that was and still is unprecedented. Thus it’s hardly surprising that Zoom finds itself in a situation where their shoddy security practices are on full display.

Zoom can fix this, but they need to take decisive action immediately. Here’s what I would look for

  1. Zoom needs to come clean about end to end encryption and commit to making their service end to end encryption. In 2020 this is not optional. Thus Zoom needs to address this.
  2. Zoom needs to fix all the issues outlined by pushing out software updates that address these issues fully and completely.
  3. Zoom needs to open itself up to third party security auditing. Because Zoom has had a lot of chances to get this right. And they have failed miserably to get it right. Thus they need a third party to come in and set them straight.
  4. Everything Zoom does going forward needs to be done in public.

I will be interested if Zoom does all of the above. Because if they don’t, I can easily see a scenario where Zoom’s success may be very short lived.

Guest Post: Surfshark Discusses Research About The Most Privacy-Invasive COVID-19 Apps

Posted in Commentary with tags on April 1, 2020 by itnerd

With the COVID-19 wreaking havoc worldwide, the last thing people think about is their digital privacy. Unfortunately, in some countries, measures taken to tame the outbreak infringe people’s digital privacy. The analysis conducted by the privacy protection company Surfshark covers 12 applications in 12 different countries across the globe and aims to report what these apps are doing, what information they collect, and what consequences they could bring to the society.

Main findings:

  • At least 7 out of 10 apps* track GPS location
  • At least 6 out of 10 apps are unclear about what they track, don’t provide Terms and Conditions upfront, or use intrusive methods such as surveillance camera footage to track their users
  • At least 2 out of 10 apps clearly state that they share this information with third parties
  • At least 4 out of 10 apps were developed by or with the help of non-government bodies, such as private companies

*10 apps that are already released, as the UK and Belgium ones are not yet available

“Many crisis-management measures might become a fixture of life. Therefore, we must consider how our life after COVID-19 will be impacted permanently. Governments worldwide are introducing invasive, privacy-ignoring measures that people adapt to because they are afraid,” says Naomi Hodges, cybersecurity advisor at Surfshark. 

“Such Orwellian security measures, driven by the seemingly noble goal of public health safety, can be critiqued for a lot of reasons. The first of which is the fact that the majority of people lack cybersecurity education to evaluate the potential consequences of sharing their data,” explains Naomi Hodges.

Collecting an incredible amount of user data is increasingly recognized as a bad thing. It can fuel discrimination, especially since innocent-looking data may reveal sensitive information such as political views or sexuality.

For instance, the app developed in Colombia asks people if they have participated in any mass events in the previous eight days. Due to the recent protests all over the country, it is controversial and may have life-threatening consequences.

In countries that hold laws against such invasion of privacy – Belgium and its app-in-development being one of the examples – changes may be made to accommodate for intrusive apps. 

On top of that, some app developers may have other interests – especially in cases such as Alibaba group helping develop the Chinese app, or Google being involved in the development of the CoronaMadrid app. Ultimately, people would have to trust every company involved not to exploit the crisis. 

“There is no argument against the fact that the COVID-19 pandemic is threatening to change our lives as we know them. It has already impacted millions of people who got sick, lost their jobs, and will impact so many more. Mass surveillance is quickly spreading along with the advancing technology – and this pandemic crisis is allowing them to both set a precedent and normalize it,” says Naomi Hodges.

The full analysis can be found here: https://surfshark.com/blog/privacy-invasive-covid-19-apps

Taskade: Real-Time Collaboration Platform Launches

Posted in Commentary with tags on April 1, 2020 by itnerd

Taskade, a Y-Combinator backed startup, launches a real-time organization and collaboration platform for distributed teams. This week, it announced it will be offering a 6-month free upgrade to its Pro version to support businesses and individuals adopting remote work amidst the COVID-19 situation.

Taskade is a real-time workspace for remote teams to manage tasks, write notes, and video chat together, on the same page.

In the past few weeks, the world has witnessed an unprecedented transition to work-from-home as businesses and organizations try to keep staff safe. But the overnight pivot to remote work has left many employees who haven’t previously worked off-site struggling with productivity and without access to adequate tools.

And these problems are all too familiar for the Taskade founding team.

Employees need a quick and easy way to dive into the work without the need for extensive training or high-level technical support. That’s why Taskade provides a user-friendly solution that lets fully distributed teams organize work, communicate via chat and video, share documents, manage tasks and collaborate in real-time.

If you have used tools like Asana, Trello, Todoist, Zoom, Microsoft Teams or Slack, you will feel at home as Taskade combines all the essential ingredients needed for remote collaboration into one simple tool. Another good news is that it’s available on all popular operating systems, including Windows, Mac, iOS, Android, and as a browser extension and syncs in real-time.

If you’re interested in taking the app for a spin, head over to https://www.taskade.com/ to create a free account. You can also download Taskade’s mobile and desktop apps for all your devices at https://www.taskade.com/downloads/.

Marriott Pwned Again… Over 5 Million Affected This Time

Posted in Commentary with tags on March 31, 2020 by itnerd

It seems that Marriott is unable to keep itself out of the news for all the wrong reasons. CNET among others is reporting that they’ve been hacked again. This hack affects at least 5 million guests. This follows a hack of Marriott property MGM Resorts back in February which leaked the details of 10.8 million guests. And that was on top of this absolutely epic hack from 2018. Here’s what happened this time around:

At the end of February, Marriott international said that it spotted an “unexpected amount” of guest information may have been accessed with the login credentials of two employees at a franchise property. The exposed information may include names, addresses, emails, phone numbers and birthdays.  Loyalty account details and information like room preferences may also have been breached. This is the second major incident to impact the hotel over a two year period. 

Clearly Marriott can’t get its act together when it comes to cybersecurity. It’s time that this hotel chain get slapped silly so that they get the point that they have to take cybersecurity seriously. Because they clearly don’t based on how often they get hacked.

Terranova Security Offers Tips And Resources To Protect Yourself From COVID-Related Scams

Posted in Commentary on March 31, 2020 by itnerd

Canadian-based Terranova Security, the global leader in cybersecurity awareness and education, is conducting a free live webinar on Thursday at 11:30am EST that is specifically focused on COVID-related scams.

With millions of Canadians suddenly thrusted from their comfortable office confines to hectic home environments, cyber criminals are taking full advantage of COVID-19 confusion to trick employees with online phishing e-mails and text messages.   

In fact, the Canadian Anti-Fraud Centre has received 43 reports of pandemic-related scams in the past two weeks alone. According to the FBI new, cyber attackers are creating phishing scenarios around charitable contributions, financial relief, airline carrier refunds, and fake cures, vaccines, and testing kits. In January 2020, over 4,000 coronavirus-related web domains have been registered of which 3% are malicious and 5% are suspicious.

To help protect Canadians (and their employers) from phishing attacks, which account for more than 80% of reported security incidents and cost the nation’s businesses an average of $12.4 million a year, Terranova Security has also created a 100% free and downloadable Protect Yourself from COVID-19 Cyber Scams Kit that includes tips and insights.

Ten Ways To Protect Yourself While Working From Home

  1. If you don’t recognize the email sender, don’t open the email.
  2. If the email or text message sounds too good to be true – it is.
  3. Be aware of cyber scams about COVID-19 treatments, vaccines, quarantine measures, and information from government officials.
  4. Pay attention to the spelling of email addresses, subject lines, and email content.
  5. Be wary of emails using urgent language or that ask you to share your confidential information.
  6. No health agency or government department will email you asking for your health details or sell you a COVID-19 vaccine or test.
  7. Do not click on links in unsolicited emails or text messages.
  8. Never send confidential information in an email – The Red Cross, World Health Organization, and your government health department will never ask for your confidential information in an email. 
  9. Do not accept social media followers or friends from accounts you do not recognize. If an account that you do not trust follows or friends you, block the account.
  10. Do not trust social media posts promising COVID-19 cures, tests, vaccines, or selling masks and gloves.

Bottom line, when in doubt, do not click. This includes downloading attachments, clicking links, and filling out web forms. Contact your IT department whenever you have doubts about an email. And if you receive a phone call from a health official, colleague, or government employee about COVID-19 – do not interact with the caller – hang up immediately and if possible, block the number.

Gartner Says Growth Companies Are More Actively Collecting Customer Experience Data Than Nongrowth Companies

Posted in Commentary with tags on March 31, 2020 by itnerd

Companies that have seen a positive revenue growth collect more customer experience (CX) data than nongrowth companies, according to a recent survey by Gartner, Inc. The survey found that nearly 80% of growth organizations use customer surveys to collect CX data, compared with just 58% of nongrowth organizations.

A growth organization is defined as one that had positive revenue growth from 2018 to 2019 and is expected to have positive revenue growth from 2019 to 2020. A nongrowth organization had reportedly unchanged or declining revenue from 2018 to 2019, with the same expected for 2019 to 2020.

Customer Surveys Used by Majority of Growth Organizations

Customer surveys remain the most popular medium among both growth and nongrowth organizations for collecting CX data, according to the Gartner survey. While surveys can provide product managers with a baseline understanding of customer experiences and sentiment, they do have some limitations.

Consumers are increasingly experiencing “survey fatigue,” with research showing declining response rates for each subsequent survey that a customer receives. Further, survey responses are often written in haste or provide ambiguous information, lowering the quality of the data collected. Surveys are also unable to surface real-time information.

Real-Time Analytics Accelerate and Deepen CX Insights

The use of near- and real-time analytics to collect CX data is a rising trend among growth companies, with 43% of product managers at growth companies using analytics to collect and analyze customer perception and sentiment data. This is compared with just 22% of product managers at nongrowth companies.

Artificial intelligence (AI) technologies can help organizations gather real-time data about customers’ current issues and experiences. This data can then be used to predict the customer’s next move, proactively recommending features, solutions or actions that improve the customer journey.

The Gartner Changing Approaches to Product Development survey was conducted online between July and September 2019, among participants with the title of manager or equivalent and above at organizations in high-tech industries with anticipated 2019 revenue of more than US$100 million. In total, 214 respondents were interviewed across the U.S., China, India, Canada, the U.K., France and Germany.

Gartner clients can read more in the report “Growing Companies Are More Actively Collecting CX Data Than Nongrowth Companies.”

Roku Announces Roku OS 9.3

Posted in Commentary with tags on March 31, 2020 by itnerd

Roku today announced Roku® OS 9.3 will start rolling out to Roku devices in Canada in the coming weeks. The free, automatic software update focuses on helping consumers get to content quickly and improving overall performance.

What’s new in Roku OS 9.3:

  • Increased Performance – A reduction in device boot times, faster launch times for a select number of channels (with more supported channels coming soon) and a more responsive Home Screen. 
  • Roku Voice – Roku Voice™ is enhanced to give users the ability to speak more natural phrases like “Show me …” or “I want to watch …” and also allows users to find movies using a selection of popular movie quotes. Roku Voice now also supports a greater variety of voice commands including media playback controls such as “Fast forward” or “Pause,” device control such as “Turn on closed captions,”.. Roku Voice is available on the remote of the Roku Streaming Stick™+ and through the Roku Mobile App for all Roku streaming devices.
  • Works with Amazon Alexa and Works with Google Assistant – Control Roku players and Roku TV models by speaking commands to Amazon Alexa and/or Google Assistant devices. Through Amazon Alexa and Google Assistant devices users can now control media playback and search for entertainment. Roku TV™ users additionally can tune into channels or inputs, control volume and switch their TV on/off.
  • Redesigned Roku Mobile App – The free mobile app features a new navigation bar at the top of the mobile screen providing access to Roku Search, the ability to switch between Roku devices and a shortcut to the remote control screen. The redesign includes quick access icons so users can launch useful mobile app features without the need to exit the remote control screen including the ability to browse and/or launch their recently viewed channels directly from the remote screen and more.

Availability

Roku OS 9.3 will begin rolling out to select Roku players in April and is expected to roll out to all supported streaming players in the coming weeks. Roku TV models are expected to receive the update in phases over the coming months.