Archive for Zoom

A Bug In The Zoom Mac Client Makes It Appear That Zoom Is Spying On Mac Users

Posted in Commentary with tags on January 14, 2022 by itnerd

A couple of my clients have called me to troubleshoot an issue that I want to bring to light. And it’s one that I have been able to reproduce rather easily.

Here’s the rundown.

If you have Zoom 5.91 or earlier installed on your Mac, and you’re running macOS Monterey 12.1 or earlier, and the Zoom app is running but not in a meeting of any sort, you’ll eventually notice that the orange dot that denotes when your microphone is in use appears in the top right corner on the menu bar. It will look like this:

One of the things that was added to macOS Monterey was a notification that lets you know when the microphone is in use. And that notification is the orange dot that you see above. It indicates that the Zoom app is apparently using the microphone, which I confirmed by checking Control Center.

I tested this after reboots and in one case a reinstall of macOS and always got this result. Now to be clear, my guess is that Zoom are not spying on their users. But this isn’t a good look for Zoom regardless as many people are going to assume that they are. And in the process of researching this, I found out two things:

  • First, this was supposedly fixed in version 5.91 of Zoom as per these release notes. But that does not seem to be true, as I was able to reproduce this numerous times on numerous Macs running version 5.91. This takes away Zoom’s ability to say that users should simply update to the latest version.
  • Second, I am not alone in seeing this. This thread in the Zoom community along with this thread on Stackexchange detail people seeing this as well. So clearly this is a pervasive problem that hasn’t been addressed by Zoom.

My advice is that you should only run the Zoom client when you actually need it until this gets addressed. Or if you’re really paranoid, use another conferencing product. As for Zoom, they’ve had their issues with security over the years. If you search my blog you will find those stories with ease. They need to step up and put this to bed quickly if they want to avoid going back to the days where trust in their product was questionable at best.

Zoom To Pay Up To Make A Lawsuit Go Away

Posted in Commentary with tags on August 4, 2021 by itnerd

Zoom will have to cut a rather big cheque, to the tune of $85 million, to make a lawsuit go away. The lawsuit relates to lying about offering end-to-end encryption on its services, as well as providing user data to Facebook and Google without permission. Here are the details:

Zoom has agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and gave user data to Facebook and Google without the consent of users. The settlement between Zoom and the filers of a class-action lawsuit also covers security problems that led to rampant “Zoombombings.”

The proposed settlement would generally give Zoom users $15 or $25 each and was filed Saturday at US District Court for the Northern District of California. It came nine months after Zoom agreed to security improvements and a “prohibition on privacy and security misrepresentations” in a settlement with the Federal Trade Commission, but the FTC settlement didn’t include compensation for users.

I should note that Zoom has addressed a lot of these issues. And Zoom is making craploads of money. So does this really punish Zoom for their behavior? I don’t think so.

Zoom Suspended The Accounts Of Hong Kong Activists At The Request Of China… Now Congress Wants To Know More

Posted in Commentary with tags on June 12, 2020 by itnerd

It seems that Zoom cannot stay out of the news for all the wrong reasons. This time Zoom is in hot water after issuing a statement on Thursday acknowledging that the Chinese government requested that it suspend the accounts of several U.S.- and Hong Kong-based Chinese activists for holding events commemorating the anniversary of the 1989 Tiananmen Square massacre:

Recent articles in the media about adverse actions we took toward Lee Cheuk-yan, Wang Dan, and Zhou Fengsuo have some calling into question our commitment to being a platform for an open exchange of ideas and conversations. To be clear, their accounts have been reinstated, and going forward, we will have a new process for handling similar situations. 

We will do better as we strive to make Zoom the most secure and trusted way to bring people together. 

Now if you read the rest of the blog post, Zoom acknowledges that they screwed up here. And that they are going to take corrective actions:

  • Going forward Zoom will not allow requests from the Chinese government to impact anyone outside of mainland China.
  • Zoom is developing technology over the next several days that will enable us to remove or block at the participant level based on geography. This will enable us to comply with requests from local authorities when they determine activity on our platform is illegal within their borders; however, we will also be able to protect these conversations for participants outside of those borders where the activity is allowed.
  • We are improving our global policy to respond to these types of requests. We will outline this policy as part of our transparency report, to be published by June 30, 2020.

Now that isn’t good enough for some. Three U.S. lawmakers asked Zoom to clarify its data-collection practices and relationship with the Chinese government:

Representatives Greg Walden, the top Republican on the House Energy and Commerce Committee, and Cathy McMorris Rodgers, the ranking member of a consumer subcommittee, sent a letter to Zoom CEO Eric Yuan on Thursday asking him to clarify the company’s data practices, whether any was shared with Beijing and whether it encrypted users’ communications. 

Republican Senator Josh Hawley also wrote to Yuan asking him to “pick a side” between the United States and China. 

The three politicians have previously expressed concerns about TikTok’s owner, Chinese firm ByteDance, which is being scrutinized by U.S. regulators over the personal data the short video app handles.

Seeing as this is an election year, I would not be at all surprised if Congressional Hearings were called and Zoom CEO Eric Yuan was called onto the carpet. Because if Yuan thought his blog post would put out the fire related to this latest scandal, he’d be wrong.

Zoom May Only Enable End To End Encryption For Paying Customers… My Take

Posted in Commentary with tags on June 1, 2020 by itnerd

Zoom has been working hard to overcome their security issues over the last few months. One of the things that they needed to address is the fact that communications were not end to end encrypted, even though the company claimed that they were. The company finally admitted that this was something that needed to be addressed. And it looks like end to end encryption is about to be lit up, assuming that you have the latest version of the Zoom app, and you happen to be a paying customer:

The company, whose business has boomed with the coronavirus pandemic, discussed the move on a call with civil liberties groups and child-sex abuse fighters on Thursday, and Zoom security consultant Alex Stamos confirmed it on Friday. 

In an interview, Stamos said the plan was subject to change and it was not yet clear which, if any, nonprofits or other users, such as political dissidents, might qualify for accounts allowing more secure video meetings. 

He added that a combination of technological, safety and business factors went into the plan, which drew mixed reactions from privacy advocates.

Now I can look at this two ways:

  • It makes sense that Zoom would focus this on paying customers. After all, that is what keeps the lights on. It also gets rid of the people who are hogging resources related to the free tier of the app which likely costs Zoom money.
  • Other apps like iMessage, WhatsApp, and Signal offer end to end encryption for free.

You’ll note that the plan is subject to change. I suspect that it may change based on either the blowback that they get, or if people on the free tier abandon the platform for another video chat solution en masse.

My take is that I think that Zoom is doing the right thing. Yes there’s going to be blowback from some who think Zoom should enable end to end encryption for all. But that’s really not viable in my opinion. Zoom is a business and not a charity. At some point they have to pay for all the security improvements that are going into the app. And if you want those security improvements, you need to pay up. So I would suggest that users who are on the free tier of Zoom who want these improvements should put their money where their mouths are.

Zoom Provides A List Of Best Practices For Teachers Using Online Classrooms

Posted in Commentary with tags on May 27, 2020 by itnerd

With the closure of Canadian schools over the last 10 weeks and with many not scheduled to reopen this school year, video communication technology has become an essential tool for many educators as they look to maintain the feeling of in-person classes and lessons. To help teachers, students and parents get the most out of their virtual classrooms, Zoom has put together a number of resources and best practices designed to facilitate a smooth and secure transition to online learning.

Best practices for securing online classrooms

With security as a paramount concern for educators, parents and students alike, it’s important that teachers know exactly how to control the virtual meeting environment. Zoom has developed an online resource guide to help facilitate secure online learning sessions. Some of the top tips include:

  • Lock your virtual classroom: Teachers can lock a Zoom session that’s already started so no one else can join. Give students time to join and then lock the meeting (kind of like closing the classroom after the bell!).
  • Use the Waiting Room: The Waiting Room feature is one of the best ways to protect your Zoom virtual classroom and keep out those who aren’t supposed to be there. There are two options to choose from when this is in use: either all participants will be sent to the virtual waiting area, where the teacher can admit them individually or all at once; or the host can opt to have known students skip the Waiting Room and join, but have anyone not signed in/part of your school sent to the virtual waiting area. (As of March 31, the Waiting Room feature is automatically turned on by default.)
  • Control screen sharing: Zoom has recently updated its settings for educational users to allow only the host (typically the teacher) to share his or her screen by default. If students need to share their screens, teachers can still give that privilege to students on a case-by-case basis.
  • Lock down the chat: Much like a hawk-eyed teacher might stop a note being passed in class, teachers can restrict the chat function of Zoom so students cannot privately message others during class time.
  • Other important security functions such as removing participants and securely scheduling a class are also available to teachers using Zoom to facilitate online learning. Please see all the tips on Zoom’s official blog.

Frequently asked questions – answered!

From hosting a webinar or a meeting, to properly setting up a virtual classroom for students, there are many questions teachers are looking to have answered — even if they have already started using Zoom for online teaching. Zoom has compiled a list of its top 10 virtual classroom most frequently asked questions for educational users to help teachers make the best of their online classrooms. Some of the top tips include:

  • How do I share my screen? Screen sharing lets teachers present slides, videos and other content to students.
  • Should I use a Zoom meeting or Zoom webinar? Webinars allow teachers to better present information in a one-to-many setting, similar to a lecture style, whereas meetings allow for more two-way flow of conversation. Whichever type of Zoom session teachers choose, they should consult the best practices for securing their online classroom.
  • How do I take classroom attendance? Zoom can mimic a classroom attendance sheet by allowing teachers to review the registration report to see which students registered and attended a given class.

Be sure to review all the questions including how to see all your students on video, and how to host a meeting using a mobile device on the official Zoom blog and on this resource page for educators. Zoom regularly posts updates about product features and resources for users to its official blog.

Zoom Acquires Keybase

Posted in Commentary with tags on May 7, 2020 by itnerd

Zoom and Keybase today announced that Zoom has acquired Keybase, a secure messaging and file-sharing service. The acquisition of this exceptional team of security and encryption engineers will accelerate Zoom’s plan to build end-to-end encryption that can reach current Zoom scalability. 

As members of Zoom’s security engineering function, the Keybase team will provide important contributions to Zoom’s 90-day plan to proactively identify, address, and enhance the security and privacy capabilities of its platform. Max Krohn, co-founder and developer will lead the Zoom security engineering team, reporting directly to Eric S. Yuan, CEO of Zoom. Leaders from Zoom and Keybase will work together to determine the future of the Keybase product. The terms of the transaction were not disclosed. 

Visit the Zoom blog for more details on the plans for building the end-to-end encryption offering. 

Zoom Lets The World Know That It Is Making Progress On Being More Secure

Posted in Commentary with tags on April 22, 2020 by itnerd

A blog post went up in the last 24 hours where Zoom has updated the public on its progress to improve their security. Which, as you are likely aware, has been found to be lacking as the popularity of the conferencing app has skyrocketed.

Besides announcing Zoom version 5.0, the company has also announced the following:

  • AES 256-bit GCM encryption: Zoom is upgrading to the AES 256-bit GCM encryption standard, which offers increased protection of your meeting data in transit and resistance against tampering. This provides confidentiality and integrity assurances on your Zoom Meeting, Zoom Video Webinar, and Zoom Phone data. Zoom 5.0, which is slated for release within the week, supports GCM encryption, and this standard will take effect once all accounts are enabled with GCM. System-wide account enablement will take place on May 30.
  • Security icon: Zoom’s security features, which had previously been accessed throughout the meeting menus, are now grouped together and found by clicking the Security icon in the meeting menu bar on the host’s interface.
  • Robust host controls: Hosts will be able to “Report a User” to Zoom via the Security icon. They may also disable the ability for participants to rename themselves. For education customers, screen sharing now defaults to the host only.
  • Waiting Room default-on: Waiting Room, an existing feature that allows a host to keep participants in individual virtual waiting rooms before they are admitted to a meeting, is now on by default for education, Basic, and single-license Pro accounts. All hosts may now also turn on the Waiting Room while their meeting is already in progress.
  • Meeting password complexity and default-on: Meeting passwords, an existing Zoom feature, are now on by default for most customers, including all Basic, single-license Pro, and K-12 customers. For administered accounts, account admins now have the ability to define password complexity (such as length, alphanumeric, and special character requirements). Additionally, Zoom Phone admins may now adjust the length of the pin required for accessing voicemail.
  • Cloud recording passwords: Passwords are now set by default to all those accessing cloud recordings aside from the meeting host and require a complex password. For administered accounts, account admins now have the ability to define password complexity.
  • Secure account contact sharing: Zoom 5.0 will support a new data structure for larger organizations, allowing them to link contacts across multiple accounts so people can easily and securely search and find meetings, chat, and phone contacts.
  • Dashboard enhancement: Admins on business, enterprise, and education plans can view how their meetings are connecting to Zoom data centers in their Zoom Dashboard. This includes any data centers connected to HTTP Tunnel servers, as well as Zoom Conference Room Connectors and gateways.
  • Additional: Users may now opt to have their Zoom Chat notifications not show a snippet of their chat; new non-PMI meetings now have 11-digit IDs for added complexity; and during a meeting, the meeting ID and Invite option have been moved from the main Zoom interface to the Participants menu, making it harder for a user to accidentally share their meeting ID.

This all seems positive. But I would wait to see what security researchers have to say about all of this. After all, it’s those same security researchers who raised the alarm about the security issues with Zoom. Thus their opinions will really tell you if Zoom has really stepped up to the plate to fix their issues.

A Concise Guide To Securing Your Zoom Meetings

Posted in Commentary with tags on April 3, 2020 by itnerd

I’ve received a few emails over the last 48 hours asking for a concise guide on how to secure their Zoom sessions seeing as Zoom’s app security is dodgy at best. Though to be fair to Zoom, they are trying to address this. So here are my top tips to secure your Zoom meetings:

  1. Keep your Zoom apps up to date: With so many security researchers looking at Zoom right now, new issues are being discovered at an almost daily rate. And to Zoom’s credit, they are fixing these issues quickly. Thus you want to make sure that those updates are applied as quickly as possible. I recommend checking for updates on a daily basis inside the Zoom app, or via the App Store or the Google Play Store.
  2. Password protect your meetings: “Zoom Bombings”, or uninvited people crashing your meeting, can only happen if your meeting isn’t password protected. Thus you should enable passwords on your meetings ASAP. The options “Require a password when scheduling new meetings” and “Require a password for instant meetings” should be set. At the same time, disable the option “Embed password in meeting link for one-click join” and enable “Require password for participants joining by phone.”
  3. Do not share your meetings on social media: Another way that “Zoom Bombings” happen is that the meeting details are freely available online. Which means that miscreants simply have to get the details, dial in, and do their worst. So you can take this off the table by simply not posting your meetings in public.
  4. Enable waiting rooms: Zoom has a waiting room function that allows a host to see meeting attendees arrive, and it allows you to admit them one by one. That way miscreants can’t get into your meetings. This document that Zoom has on the topic can help you to enable this feature.

Now one thing that I should point out is that this is a very fluid situation. So I will say that if additional threats pop up, which they likely will based on what has gone on this week, and mitigations exist, I will publish them. Related to that, if you have any tips that can help Zoom users, please pass them along.

Zoom Responds Quickly To Contain The Fallout From Their Security Issues

Posted in Commentary with tags on April 2, 2020 by itnerd

Yesterday, I wrote a story about Zoom’s security issues and what they needed to do to fix them. In the last few hours a lot has happened. For starters, a memo from Elon Musk of Tesla and Space-X was leaked to Reuters. The memo stated that Zoom was banned due to security and privacy issues. Related to that, Zoom posted a blog post from its CEO. In it he says this:

For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.

At least he recognizes that he has a problem. This is what he has done to fix things:

We have also worked hard to actively and quickly address specific issues and questions that have been raised.

  • On March 20th, we published a blog post to help users address incidents of harassment (or so-called “Zoombombing”) on our platform by clarifying the protective features that can help prevent this, such as waiting rooms, passwords, muting controls, and limiting screen sharing. (We’ve also changed the name and content of that blog post, which originally referred to uninvited participants as “party crashers.” Given the more serious and hateful types of attacks that have since emerged, that terminology clearly doesn’t suffice. We absolutely condemn these types of attacks and deeply feel for anyone whose meeting has been interrupted in this way.)  
  • On March 27th, we took action to remove the Facebook SDK in our iOS client and have reconfigured it to prevent it from collecting unnecessary device information from our users. 
  • On March 29th, we updated our privacy policy to be more clear and transparent around what data we collect and how it is used – explicitly clarifying that we do not sell our users’ data, we have never sold user data in the past, and have no intention of selling users’ data going forward.
  • For education users we:
  • On April 1, we:
    • Published a blog to clarify the facts around encryption on our platform – acknowledging and apologizing for the confusion.
    • Removed the attendee attention tracker feature.
    • Released fixes for both Mac-related issues raised by Patrick Wardle.
    • Released a fix for the UNC link issue.
    • Removed the LinkedIn Sales Navigator after identifying unnecessary data disclosure by the feature.

He then outlines these steps to fix this situation going forward:

  • Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
  • Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
  • Preparing a transparency report that details information related to requests for data, records, or content.
  • Enhancing our current bug bounty program.
  • Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
  • Engaging a series of simultaneous white box penetration tests to further identify and address issues.
  • Starting next week, I will host a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates to our community.

These are very good steps and fit within the things that I suggested in the story that I wrote yesterday. But if you’re a Zoom user, you need concrete things that you can do right now to ensure your security. Here is what I would suggest:

  • Update your macOS and Windows clients now. As in RIGHT NOW. The macOS client (Version 4.6.9 (19273.0402)) can be found here, and the Windows client (Version 4.6.9 (19253.0401)) can be found here. Now I tested both versions and I can confirm that the issues that I raised yesterday are fixed.
  • Enable the waiting room functionality. This document that Zoom has on the topic can help you with that.

I have to applaud Zoom on taking action quickly and transparently. And you can bet that lots of people will be watching to make sure that they follow through on their promises. Because it’s a safe bet that if they don’t I among many others will not hesitate to call them on it.

Zoom Seriously Needs To Up Their Security Game And Do So Quickly And Publicly

Posted in Commentary with tags on April 1, 2020 by itnerd

Zoom is the app du jour. Companies, individuals, and even the UK Government are using it to keep in touch, conduct meetings, and conduct business. However, as Zoom’s profile has increased, so has the scrutiny of the app. And that scrutiny has revealed some troubling flaws within the app:

  • The Windows client has a flaw that has the potential to leak domain credentials if you put UNC paths (\\Server\folder for example) in a Zoom chat window. We would ask you not to use UNC paths in Zoom chats to ensure that domain credentials do not get leaked. You can find out more details here.
  • The Mac client has two issues: 
    • By taking advantage of the installation process, which is done without user interaction, a user or piece of malware with low-level privileges can gain root access to a computer — the highest level of privilege.
    • The second issue allows a local user or piece of malware to piggyback on Zoom’s camera and microphone permissions. An attacker can inject malicious code into Zoom’s process space and “inherit” camera and microphone permissions, allowing them to hijack them without a user’s knowledge.

The Mac-related issues can only be exploited if someone else gets physical access to your Mac. So your best mitigation strategy is to maintain physical control of your Mac and lock the Mac so that nobody can access it. More details can be found here. It is a bit nerdy. Thus for a less nerdy explanation, click here.
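The UNC path issue above is, from the defender’s side, a chat hygiene problem: a message carrying something like \\Server\share is an invitation for a Windows client to reach out and authenticate to that server. The following is an added example, not Zoom’s code and not from the original post, of the kind of check that a review of a chat export or an outbound-message filter could run: it finds UNC paths in chat text, reports which host the client would have tried to authenticate to, and can redact them before the message is relayed. The sample chat lines, sender names and host names are constructed for the illustration.

```python
import re

# Constructed sample chat log as (sender, message) pairs; not real Zoom data.
SAMPLE_CHAT = [
    ("alice", "the slides are at \\\\fileserver01\\shared\\q1-deck.pptx"),
    ("bob",   "thanks, agenda is at https://example.com/agenda"),
    ("carol", "or grab //nas.corp.example/backups and \\\\10.0.0.5\\c$"),
    ("dave",  "plain message, nothing to see here"),
]

# A UNC path is \\host (or //host, which Windows also resolves) followed by at
# least one share/path component. The lookbehind stops the pattern from
# matching the authority part of a URL such as https://example.com/agenda,
# and from matching inside a longer token.
UNC_RE = re.compile(
    r'(?<![\w\\/:])'                  # not glued to a word, a path, or a URL scheme
    r'(?:\\\\|//)'                    # leading \\ or //
    r'(?P<host>[A-Za-z0-9._-]+)'      # server name or IP address
    r'(?:[\\/][^\s\\/"\'<>|?*]+)+'    # one or more share/path components
)


def find_unc_paths(message):
    """Return every UNC path found in a single chat message."""
    return [m.group(0) for m in UNC_RE.finditer(message)]


def unc_host(path):
    """Return the host part of a UNC path: the server a Windows client
    would try to connect to (and authenticate against) when the link is followed."""
    return UNC_RE.match(path).group("host")


def scan_chat(chat):
    """Return (sender, path, host) for every UNC path posted to the chat,
    in the order the messages appear."""
    findings = []
    for sender, message in chat:
        for path in find_unc_paths(message):
            findings.append((sender, path, unc_host(path)))
    return findings


def redact_unc_paths(message, placeholder="[UNC path removed]"):
    """Replace UNC paths so a relayed message no longer carries a clickable SMB target."""
    return UNC_RE.sub(placeholder, message)


if __name__ == "__main__":
    for sender, path, host in scan_chat(SAMPLE_CHAT):
        print(f"{sender} posted {path}: client would authenticate to {host}")
    for sender, message in SAMPLE_CHAT:
        print(f"{sender}: {redact_unc_paths(message)}")
```

Ordinary drive paths such as C:\Users\bob\file.txt and web URLs are deliberately left alone; only the double-separator form that names a remote server is flagged, since that is the form the Windows client turns into an outbound SMB connection.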

Then there’s the fact that Zoom advertises itself as being “end to end encrypted.” Except that it isn’t, according to security researchers, which in this day and age is really bad. And what’s worse is that Zoom continues to peddle what I consider to be “fake news” insisting that it is end to end encrypted.

And finally, all of that is on top of a phenomenon called “Zoom Bombing” which can be best described as this: an uninvited guest joins your meeting and then starts displaying offensive content. It’s become a bit of an unfortunate trend as Zoom has become more popular. You can find out more about this here. But my recommendation is that you enable the Zoom waiting room functionality. It can be best described as this via this document that Zoom has on the topic:

Attendees cannot join a meeting until a host admits them individually from the waiting room. If Waiting room is enabled, the option for attendees to join the meeting before the host arrives is automatically disabled.

All of these issues have the same root cause. Zoom is a company that has more marketing sense than security sense. This is the same company that got caught with a serious flaw that enabled video calls with zero interaction on the Mac, which they sort of fixed. But it wasn’t good enough for Apple as the lack of a fix that they liked forced them to get involved to take action against Zoom in a manner that was and still is unprecedented. Thus it’s hardly surprising that Zoom finds itself in a situation where their shoddy security practices are on full display.

Zoom can fix this, but they need to take decisive action immediately. Here’s what I would look for:

  1. Zoom needs to come clean about end to end encryption and commit to making their service end to end encrypted. In 2020 this is not optional. Thus Zoom needs to address this.
  2. Zoom needs to fix all the issues outlined by pushing out software updates that address these issues fully and completely.
  3. Zoom needs to open itself up to third party security auditing. Because Zoom has had a lot of chances to get this right. And they have failed miserably to get it right. Thus they need a third party to come in and set them straight.
  4. Everything Zoom does going forward needs to be done in public.

I will be interested if Zoom does all of the above. Because if they don’t, I can easily see a scenario where Zoom’s success may be very short lived.