What’s This About Zoom?


Zoom has seen a massive increase in use since the COVID-19 outbreak. Figures show that it climbed from 10 to 200 million users around March (Reuters).

Zoom has helped millions stay connected during these hard times, and you can see why it was the preferred option. Other services such as Webex or Skype are just too clunky and, in my opinion, the simplicity of Zoom was the thing that brought customers in. The problem is, the more popular you become, the more questions start to arise. As a service provider you have a basic responsibility to protect your users and their data, and it was apparent quite early on that Zoom had some flaws.

One of the early stories that broke was about Zoom sending data to Facebook. After Netflix's ‘The Great Hack’, you don't really want to be seen sharing data with Facebook, especially if it can be seen as unnecessary. This was quickly fixed; however, the story then broke that they sent data through China. This again is a hot topic, especially for the US after the Huawei fallout. In fact, for most people, hearing that your data “accidentally” routed through China raises an immediate concern.

Around the same time, further news stories broke, such as people hijacking meetings, sharing explicit content, UNC paths being passed as clickable links, and a sudden rise in fake Zoom apps. Not to mention people investing in the wrong Zoom company…

With all this going on, companies such as Google have now banned the service altogether, whilst others such as the US Senate urge users not to use it (ZDNet).

With all this going on, I should probably stop using it, right?

It's entirely up to you. Millions are still using the service and, now that the privacy concerns are “fixed”, what is left is really up to the user… until the next exploit. Companies such as Google have a lot more to lose, so they will always play it safe whilst security concerns are being raised or the service is getting attention from malicious parties.

Most of these issues could have been prevented though, and I will show you what I mean. With things like this, I always try to keep both sides of the argument in mind. On one side, the provider wants to make the service easy to use. On the other, the users want it to be simple and secure. The tighter the restrictions you set, the more complex the service can come across.

A simple example would be Microsoft Azure. In Azure, if you build a Windows VM, RDP is open to the internet by default. From a security point of view you would think ARE YOU INSANE! but from a user's point of view, it makes it easier for me to connect to my machine. Remember, they may not know about NSGs/ASGs and how exposed RDP can be used against them. Microsoft do this a lot with defaults, and it's about balance. You can't go too far, however, as it puts your users at risk. This is perhaps what happened with Zoom.

Let's start with hijacking…

A bunch of random people were joining random meetings. How was this possible?
It really comes down to how the meeting organiser had set up the meeting. Before now, you didn't have to set a password for your meeting. This let anyone join, provided they had the link. How would they get the link, though?

A simple technique would be using Google dorks. Google indexes the internet, so it can be used to find things such as published Zoom meeting links. More on Google Dorks

A few other settings probably weren't set either, such as the waiting room. This lets you see who is attempting to join the meeting before they get in. If this had been set, it could have helped prevent these events. On the flip side, why wasn't a password enforced? We live in a world of passwords, so it wouldn't have been too much of a burden.

Another piece of advice would be not to use your personal meeting ID for your meetings. It is static and linked to your account. Instead, you should follow the advice here… Zoom

Sharing explicit content….

Here is an example of how bad it can get… BBC
This may have been caused by the above, but also by how the screen-sharing settings were configured. For most incidents, the cause was most likely that sharing was set to allow anyone to openly share content.

Unless it's a tightly closed meeting for collaboration, there shouldn't really be a need for this to be set to All Participants, especially if it's set to that for both sharing settings. What this allows is for anyone to share whenever they want. In many cases, what they shared was explicit content. If you do want to be open, make sure that only the host can take back control.

People can scan for these open meetings, and they are doing so. Here is an example of a tool called zWarDial:

https://krebsonsecurity.com/tag/zoom/

This will identify open meetings and is really a POC, given the friendly warning. This is just one example; just like the exploits, I imagine more are out there and are being sold to malicious parties. Here is a simple script I created in PowerShell, just as a POC, that randomly searches for meetings (unreleased):

@securethelogs Zoomroller

Stealing Passwords…

Using DOS device paths to execute commands (BleepingComputer)

This was done by using UNC paths. Normally, a chat window does not render UNC paths as actionable links; it renders them as plain text. This is for security reasons, as a UNC link pointing at an attacker-controlled host can be used for SMB relay attacks, which in turn can harvest credentials. See more here…

Can they force you to click the link? Well, no. It's a bit like any phishing attack: the user must actually click on the link for this to work. If you use Zoom or any other service, you shouldn't click on links that look like \\…..\ unless you are certain of what they are. Web links will start with https:// (or http://), which is the protocol being used. Again, why is this allowed, when many other providers don't allow it? I did hear, however, that Skype had this problem at one point.
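To make the point above concrete, here is an added example (my own code, not Zoom's client or anything from the post) of how a chat renderer should decide what becomes a clickable link: only http and https URLs with a real host are made actionable, while UNC paths, DOS device paths, file:// and other schemes are left as plain text. The sample messages are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Only these schemes are ever rendered as clickable links.
ALLOWED_SCHEMES = {"http", "https"}

# Candidate tokens: "scheme://..." or anything starting with a double
# backslash (UNC share paths and \\?\ DOS device paths).
CANDIDATE = re.compile(r"(?P<url>[A-Za-z][A-Za-z0-9+.-]*://\S+)|(?P<unc>\\\\\S+)")

# Constructed sample chat lines (not taken from any real incident).
SAMPLE_MESSAGES = [
    "Slides are at https://example.com/deck.pdf",
    "grab it from \\\\files.example.internal\\share\\notes.docx",
    "try file://files.example.internal/share/notes.docx",
    "http://example.com/agenda",
    "\\\\?\\C:\\Windows\\System32",
    "ftp://example.com/x",
]


def is_actionable(candidate: str) -> bool:
    """Return True only for http(s) URLs that name a host.

    UNC paths, DOS device paths, file:// and any other scheme are never
    turned into links, so a click can never trigger an SMB connection.
    """
    if candidate.startswith("\\\\"):
        return False
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # "https:///path" has no host; treat it as text rather than a link.
    return bool(parts.netloc)


def render_chat_line(text: str):
    """Split a chat line into ("text", s) and ("link", s) segments."""
    segments = []
    pos = 0
    for match in CANDIDATE.finditer(text):
        if match.start() > pos:
            segments.append(("text", text[pos:match.start()]))
        token = match.group(0)
        kind = "link" if is_actionable(token) else "text"
        segments.append((kind, token))
        pos = match.end()
    if pos < len(text):
        segments.append(("text", text[pos:]))
    return _merge_text(segments)


def _merge_text(segments):
    """Join adjacent text segments so demoted links blend into the text."""
    merged = []
    for kind, value in segments:
        if merged and kind == "text" and merged[-1][0] == "text":
            merged[-1] = ("text", merged[-1][1] + value)
        else:
            merged.append((kind, value))
    return merged


def links_in(text: str):
    """Convenience: the clickable links a line would render with."""
    return [value for kind, value in render_chat_line(text) if kind == "link"]


if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print(f"{line!r:60} -> links: {links_in(line)}")
```

Running the block prints one line per sample message; only the two http(s) messages produce a link, and the UNC share, the DOS device path, the file:// URL and the ftp:// URL all stay as inert text. The same allow-list approach (decide what may become a link, rather than trying to block known-bad patterns) is what you want in any chat or comment renderer.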

The final bit is the increase in fake Zoom applications, which comes with any popular app. When malicious parties see a trend, they go for it. Think of how many fake COVID-19 domains exist today, or how many fakes were created when Flappy Bird was first released. If you are in the news, or hot right now, people will use it against you. It's the nature of phishing.

I don't want this to sound like I'm on Zoom's side, as they have done wrong here and they know it. The good news is that this attention, and their recent revenue, should drive them towards better standards. The damage may be done for some, but if not, make sure you configure the meeting as you wish and take the time to review the settings. This goes for any service. Often, when something is easy to use, the security settings are, let's say, more flexible…

Here are points to remember if you are using Zoom:

  • Always set a password, which I believe is now the default.
  • Avoid using your personal meeting ID for meetings.
  • Instant and scheduled meetings can have different settings, especially on mobile.
  • Enable Waiting Rooms to see who wants to join.
  • Don't allow everyone to share content in your meetings.
  • Don't share your meeting links on Facebook or other public sites if you don't want random people joining. There will always be those wanting to have a go.
  • Take the time to double-check the settings if the meeting is sensitive or personal.
  • Understand that Zoom is a target at the minute.
  • Update the client when prompted in order to fix bugs.
  • Only download the app from the link on their official website: https://zoom.us/download

For help on configuring these, check here: https://support.zoom.us/hc/en-us/sections/201740116-Settings-Controls

One final point: this isn't going away. More exploits and vulnerabilities are sure to be released as people probe the service. The main point here is that most can be avoided with a little care, and those that can't will be patched in time, so do update.

Remember, it's not just Zoom. January was filled with holes in services such as the Netscalers, Juniper (2019 continued), Windows, Webex and Exchange (ECP). This should act as a reminder that we really need to take better care when using these services, and of the importance of keeping them updated.
