13 April 2020

Hackers Are Homing In On Finding Flaws In Video Teleconferencing Service Zoom To Cash In On Bug Bounties; And Selling Exploits On The Black Market; A Worrisome Connection To China — Makes This App A Reason For Concern


With the stay-at-home movement and video teleconferencing boom underway due to the coronavirus pandemic, it is little wonder that cyber thieves and the darker digital angels of our nature are seeking to exploit this target-rich environment. James Pero posted an April 8, 2020 article to the DailyMail.com noting that “hackers are trying to cash in on a spate of security flaws with the increasingly popular video teleconferencing service Zoom.”

“According to a report from Motherboard, hackers both ethical and not, have begun trawling the service for [digital] vulnerabilities/flaws that they can sell to either governments or Zoom itself, both of which pay ‘bug bounties’ for disclosing gaps in their security protocols,” Mr. Pero wrote. “In some cases, those flaws — which may compromise everything from webcam to microphone security, to sensitive data like passwords, emails, or device information — are sold on the black market [Dark Web] to other hackers looking to use them on victims.”

“One hacker, interviewed by Motherboard, who claims to have traded exploits found in Zoom on the black market, said that Zoom flaws typically sell for between $5,000-$30,000 — a relatively low sum compared to other [similar] bugs that compromise web browsers like Chrome, or operating systems like iOS or Android,” the DailyMail noted.


“Other hackers interviewed by Motherboard who contract for the Department of Defense said there hasn’t been a noticeable increase in finding Zoom flaws, despite the increase in popularity,” Mr. Pero wrote. Whoever said that needs to be more careful with their words. More on that later. “One source told Motherboard that contractors are still unsure if Zoom is a big enough player to warrant looking into — given its relatively new position on the world stage.” Poppycock to that statement as well.

The rapid shift to remote working is significantly expanding the attack surface available to hackers, and they are taking advantage of this target-rich environment. I am a bit troubled by the one source’s remark that they “haven’t seen a noticeable increase in finding Zoom flaws.” Remember, the best cyber thieves haven’t been caught yet. And, as my old boss, Secretary Rumsfeld, used to say, “The absence of evidence does not constitute evidence of absence.” Just because you haven’t seen or noticed hackers taking advantage of said flaws DOES NOT MEAN THEY AREN’T. A whole new genre of artificially enhanced malware is empowering even novice hackers to masquerade as a legitimate employee or senior company official in what appears to be a legitimate email. With everyone working from home, there are no quick trips down the hall to verify that the email was indeed sent by a colleague or boss. AI-enhanced malware, which is easily obtainable on the Dark Web, is greatly aiding malicious hackers in practicing the art of denial and deception, with malware that hides when it senses it is under surveillance, as well as malware that changes its character and signature patterns.

I am not singling out Zoom, but the idea that they have strong enough cyber security protocols and procedures just doesn’t pass muster. As noted cyber security guru Bruce Schneier wrote on his blog, SchneierOnSecurity, “Zoom’s security is at best sloppy, and malicious at worst.” In an April 3, 2020 blog post, “Security And Privacy Implications Of Zoom,” Mr. Schneier noted, citing the Motherboard report: “Zoom’s iPhone app was sending user data to Facebook, even if the user didn’t have a Facebook account. Zoom subsequently removed the feature; but, its response should worry you about its sloppy coding practices in general. This wasn’t the first time Zoom was sloppy with security,” Mr. Schneier warns. “Last year, a researcher discovered that a vulnerability in the Mac Zoom client allowed any malicious website to enable the [victim’s] digital camera without permission.” Then earlier this year, it was discovered that Zoom for Windows can be used to steal a user’s Windows credentials, Mr. Schneier added.

And perhaps even more worrisome, “Zoom’s encryption is awful,” Mr. Schneier warns. “First, the company claims to provide end-to-end encryption; but, it doesn’t. It only provides link encryption, which means everything is unencrypted on the company’s servers.” When confronted about the issue, a Zoom spokesperson wrote: “Currently, it’s not possible to offer/enable end-to-end (E2E) encryption for Zoom video meetings.” And the type of encryption the company utilizes is weak and leaves a lot to be desired. Zoom documentation claims that the app uses “AES 256” encryption where possible. But as Mr. Schneier notes, citing Citizen Lab’s findings, “we found that in each Zoom meeting, a single AES 128 key is used in the ECB mode by all participants to encrypt and decrypt audio and video. The use of the ECB is not recommended, because patterns in the plaintext are preserved during encryption. The AES 128 keys, which Citizen Lab verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting — through servers in China — even when all meeting participants, and the Zoom subscriber’s company, are outside of China.”

Mr. Schneier wrote: “I am okay with AES 128, but using ECB (electronic codebook) mode indicates that there is no one at the company that knows anything about cryptography. And, that China connection is worrisome.” You bet it is. There is little doubt that China has slipped some backdoors into the Zoom network or its linkages.
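To see concretely what “patterns in the plaintext are preserved” means for a single shared AES 128 key in ECB mode, here is an added example in Go (not code from this post, from Zoom, or from Citizen Lab): it encrypts a constructed 64-byte “frame” made of four identical 16-byte blocks with ECB and counts repeated ciphertext blocks, then does the same with AES-GCM under a fresh nonce for comparison. The key and plaintext are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt runs the raw block function over each 16-byte block on its own (that is all ECB is).
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt)) // pt must be a whole number of blocks; no padding is added
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// gcmEncrypt is the comparison: AES-GCM with a fresh random nonce, so equal plaintext
// blocks give unrelated ciphertext and the tag rejects modified packets.
func gcmEncrypt(block cipher.Block, pt []byte) []byte {
	aead, _ := cipher.NewGCM(block) // only errors for non-16-byte block sizes, never for AES
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, pt, nil) // nonce || ciphertext || tag
}

// repeatedBlocks counts 16-byte ciphertext blocks that already appeared earlier in ct;
// a non-zero count under ECB shows an eavesdropper where the plaintext repeats.
func repeatedBlocks(ct []byte) int {
	seen, n := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			n++
		}
		seen[b] = true
	}
	return n
}

func main() {
	block, _ := aes.NewCipher([]byte("constructed-key!")) // constructed 16-byte AES-128 key; cannot fail
	pt := []byte("same-tile-again!same-tile-again!same-tile-again!same-tile-again!") // 4 equal blocks
	fmt.Println("ECB repeated blocks:", repeatedBlocks(ecbEncrypt(block, pt))) // 3
	fmt.Println("GCM repeated blocks:", repeatedBlocks(gcmEncrypt(block, pt))) // 0
}
```

Under ECB every repeated plaintext block shows up as a repeated ciphertext block, and because all participants share the one key, anyone holding it can decrypt every captured packet; a nonce-based AEAD mode removes the repetition and adds integrity.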

If you add the enormous OPM breach of a few years ago — which exposed the personal information of millions of Federal employees, especially those who held Top Secret clearances — then Zoom becomes even more worrisome. My personal doctor’s office called yesterday to set up a Zoom appointment with me to go over any medications or medical issues I needed to discuss that were not COVID-19 related, and suggested we conduct this conversation via Zoom — and that I needed to download the app in advance. I declined and opted instead for a phone call. The point is, if China already has the personal information of Federal employees who hold Top Secret clearances, they can use technology like Zoom to gather additional personal medical information that could be embarrassing or place the individual in a compromising position. RCP, fortunascorner.com
