
Zoom apologies for security issues, promises fixes


Zoom is to pause the development of any new features to concentrate on safety and privacy issues, in the wake of criticism from users of the app.
In a blog, the chief executive of the video conferencing app apologized for “falling short” on security issues and promised to address concerns.
He said that the use of Zoom had soared in ways he could never have foreseen prior to the coronavirus pandemic.
One security expert said he hoped the company culture would change.
Zoom is now being used by millions of people for work and leisure, as lockdowns are imposed in many countries.
Eric Yuan spoke candidly about how “usage of Zoom ballooned overnight”.
“As of the end of December last year, the maximum number of daily meeting participants, both free and paid, was approximately 10 million. In March this year, we reached more than 200 million,” he said.
He admitted that despite “working around the clock” to support the influx of new users, the service had “fallen short of the community’s — and our own — privacy and security expectations”.
“For that, I am deeply sorry,” he wrote.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” he wrote.
“We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways presenting us with challenges we did not anticipate when the platform was conceived.”
Zoom has been criticized for a range of privacy issues, including sending user data to Facebook, wrongly claiming the app had end-to-end encryption, and allowing meeting hosts to track attendees.
Ex-NSA (National Security Agency) hacker Patrick Wardle identified a series of issues, including a flaw which left Mac users vulnerable to having webcams and microphones hijacked.
Security consultant Graham Cluley said that Zoom faced “a crisis”.
“It risked losing a large amount of goodwill it had received because of revelations about its less-than-perfect attitude towards security and privacy.”
The fact that it was addressing some of the “alarming vulnerabilities” and had recognized the need to focus on security rather than “adding bells and whistles” was good news, he said.
“Let’s hope that the company’s culture will change from its previous ‘fast and loose’ attitude when it comes to such concerns,” he added.

Zoombombing

The huge uptake of Zoom has created the new phenomenon of ‘zoombombing’ which sees uninvited guests join video conferences, usually to shout abuse, share pornography or make racist remarks.
The mischief-makers find out the details of the meetings either via links that have been shared publicly on social media platforms or websites or, in some cases, by simply guessing the nine-digit ID code. Such attacks are reasonably easy to prevent by password-protecting meetings and by not allowing anyone other than the host to screen-share.
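Publicly shared invitations are the easiest route in, so a practical check is to scan text before it is posted for Zoom join links that expose a meeting ID without an embedded passcode. The script below is an added example, not code from the article or from Zoom; it assumes join links take the form https://<subdomain>.zoom.us/j/<meeting id> with an optional pwd query parameter carrying the passcode, and that meeting IDs are between nine and eleven digits long. The sample post it scans is constructed for the example.

```python
"""
Added example (not from the BBC article or from Zoom): find Zoom join links
in text that is about to be shared publicly and flag the ones that expose a
meeting ID without an embedded passcode.

Assumptions (not stated in the article):
  - join links look like https://<subdomain>.zoom.us/j/<meeting id>?pwd=<token>
  - meeting IDs are 9 to 11 digits long
"""
import re
from urllib.parse import urlparse, parse_qs

# Capture the numeric meeting ID and keep the rest of the URL (query string
# included) so the passcode parameter, if any, can be inspected.
JOIN_LINK = re.compile(r"https?://[\w.-]*zoom\.us/j/(\d+)[^\s\"'<>]*", re.IGNORECASE)

# Assumed ID length range; anything outside it is treated as not a real ID.
MIN_ID_DIGITS, MAX_ID_DIGITS = 9, 11


def find_join_links(text):
    """Return one record per join link found in ``text``."""
    findings = []
    for match in JOIN_LINK.finditer(text):
        url = match.group(0)
        meeting_id = match.group(1)
        query = parse_qs(urlparse(url).query)
        findings.append({
            "url": url,
            "meeting_id": meeting_id,
            "plausible_id": MIN_ID_DIGITS <= len(meeting_id) <= MAX_ID_DIGITS,
            # Assumed: Zoom embeds the meeting passcode as the pwd parameter.
            "has_passcode": bool(query.get("pwd")),
        })
    return findings


def risky_links(text):
    """Links that reveal a plausible meeting ID and carry no passcode."""
    return [f for f in find_join_links(text)
            if f["plausible_id"] and not f["has_passcode"]]


# Constructed sample post: one protected link, one bare link, one non-ID link.
SAMPLE_POST = (
    "Join us at https://us02web.zoom.us/j/9876543210?pwd=abcDEF123 "
    "or the overflow room https://zoom.us/j/123456789 "
    "(not a meeting: https://zoom.us/j/42)"
)

if __name__ == "__main__":
    for finding in risky_links(SAMPLE_POST):
        print("exposed meeting ID without passcode:", finding["url"])
```

Run it over the text of a tweet or a web page before publishing; anything it reports should be reissued with a passcode, or the meeting should be given a new ID. The check is deliberately narrow: it cannot see IDs leaked in screenshots, which is why the host-side controls in the article (passwords, host-only screen-sharing) remain the real defence.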
Mr Yuan, who founded Zoom in 2011, said steps the firm had taken to address concerns included:
  • clarifying its encryption practices
  • removing code that meant information was shared from its iOS app to Facebook
  • releasing fixes for Mac-related issues
  • removing a LinkedIn feature to prevent unnecessary data disclosure
  • issuing guidelines about how to avoid becoming a victim of zoombombing
And over the next 90 days it plans to:
  • freeze development of new features to focus on safety and privacy
  • conduct a review with independent experts to understand new security features needed for new customers
  • prepare a transparency report on data requests
  • enhance its bug bounty program
  • hold a weekly webinar to provide privacy and security updates
Rik Ferguson, vice president of security research at Trend Micro, welcomed the changes.
“These issues run the full gamut: from configuration and lax default settings, software vulnerabilities, corporate policy and product roadmap decisions, and that is painfully clear from the blog post.”
“One has to feel some sympathy for an organisation that was one of the first to offer free services during the pandemic and found itself not just a victim of poor decision-making, but also a victim of its own success.”

‘High-risk’

There has been debate in the UK about whether the government should be using Zoom for cabinet meetings.
The government justified its use during “unprecedented times” when some members of the government were self-isolating and did not have access to more secure technology at home.
But the debate intensified when prime minister Boris Johnson tweeted a picture which included the ID number of the latest meeting.
It is also reported that Elon Musk has banned the use of Zoom for SpaceX meetings, citing security concerns. Nasa, which is one of SpaceX’s biggest customers, also prevents employees from using it.
Mr Cluley said anyone using it for sensitive conversations needed to be careful.
“Fixing these problems will take time. And those particularly high-risk users of Zoom, having highly sensitive discussions on the service, who might potentially be the target of state-sponsored attacks (for instance the UK cabinet), might be wise to find alternative, more secure methods of communication in the meantime.”

Originally published at https://www.bbc.com on April 2, 2020.
