Newsletter

11.16.2021 | 6 min read

Let’s talk about security at Zoom

by Ryan Naraine

~~ Presented by Symmetry Systems, ProcessUnity and SecurityWeek ~~

* The most clicked link from the last newsletter was Patrick Howell O’Neill’s piece on data from Atlantic Council that claims to paint a detailed picture of the ways Western companies are selling cyber weapons and surveillance technology to NATO’s enemies.

Note.

  • I’ll be moderating an exciting roundtable discussion on threat intelligence, nation-state malware attacks, and the use of IOCs and data to combat ransomware at SecurityWeek’s Threat Hunting Summit. November 17, 2021. Register here.

Monday blues.

Let’s talk about Zoom for a minute.  In every corner of the world, Zoom is a mandatory piece of software to get any work done.  It’s installed on billions of Windows and macOS machines, tightly integrated with calendars to provide the communications plumbing for all our virtual meetings and events.

About 19 months ago, Zoom enlisted a visible section of the security research community — including cyber super-influencer Alex Stamos — as part of a very public 90-day plan to shore up its security, privacy and safety posture.  Immediately after, Zoom bought Keybase (yeah, I scratched my head at that one too) and talked about building enterprise E2E capabilities at scale.

The Zoom software is also riddled with security vulnerabilities.  Some of these flaws are devastatingly bad.  Zoom has been rolling out high-risk patches on what appears to be a monthly cadence but, inexplicably, Zoom users are never given this information.

Zoom does not have a self-patching, auto-updating mechanism.  This is considered a minimum requirement for internet-connected software but, in 2021, Zoom does not offer this.  Instead, Zoom users must manually check for updates (that’s also a bit of an adventure) and, even when one is available, there’s zero documentation on the vulnerabilities being patched.  If you scroll down the release notes long enough, you’ll eventually find a line about “security enhancements” on offer.
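Since the client will not update itself, the practical fallback is to verify installed versions from your own endpoint inventory. The script below is an added example (not Zoom’s code or any tool mentioned here); the inventory rows are constructed, the “major.minor.patch (build)” version format and the baseline version are assumptions, and anything that fails to parse is reported rather than silently treated as compliant.

```python
import re
from typing import Optional

# Assumed Zoom-style version string, e.g. "5.8.4 (1736)"; build is optional.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*\((\d+)\))?\s*$")


def parse_version(text: str) -> Optional[tuple]:
    """Return (major, minor, patch, build) or None if the string is malformed."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, build = m.groups()
    # Numeric tuple so that 5.10.0 sorts after 5.8.4 (string compare would not).
    return (int(major), int(minor), int(patch), int(build or 0))


def find_outdated(inventory: list, baseline: str) -> dict:
    """Bucket hosts into 'outdated', 'current' and 'unknown' versus a baseline.

    'unknown' holds hosts whose version could not be parsed, so a missing or
    garbled inventory entry never counts as patched.
    """
    base = parse_version(baseline)
    if base is None:
        raise ValueError(f"bad baseline version: {baseline!r}")
    result = {"outdated": [], "current": [], "unknown": []}
    for row in inventory:
        ver = parse_version(row.get("zoom_version", ""))
        if ver is None:
            result["unknown"].append(row["host"])
        elif ver < base:
            result["outdated"].append(row["host"])
        else:
            result["current"].append(row["host"])
    return result


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    {"host": "laptop-01", "zoom_version": "5.8.4 (1736)"},
    {"host": "laptop-02", "zoom_version": "5.8.1 (1435)"},
    {"host": "laptop-03", "zoom_version": "5.10.0 (4306)"},
    {"host": "laptop-04", "zoom_version": "n/a"},
]
MIN_PATCHED_VERSION = "5.8.4 (1736)"  # placeholder; take from the vendor advisory

if __name__ == "__main__":
    print(find_outdated(SAMPLE_INVENTORY, MIN_PATCHED_VERSION))
```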

This is disgraceful.  At minimum, Zoom and its influencers should insist on automatic updates for everyone. Proper disclosures about the severity of fixes should also be standard.  This isn’t asking for much.

In the same vein, weren’t you expecting all those threat-intel/darkweb monitoring badass vendors to claim the multi-million dollar rewards for tracking down the DarkSide/REvil ransomware gang leaders?  Me neither.

_ryan

On to the newsletter…


Breaking stuff.

Ransomware.

JD Work on cyber weaponry.

This op-ed by JD Work takes an interesting look at how China is using hacking contests to serve as a type of military parade showcasing skills and capabilities.  In China Flaunts Its Offensive Cyber Power – War on the Rocks, Work argues that the Tianfu Cup competition in Chengdu is a remarkable display of cyber-weaponry that conveys several key messages to an international audience.

Key quote: “The Tianfu competition demonstrated the continued ability to hold key Western systems and networks at risk, highlighted the substantial depth of China’s offensive cyber inventories, and showed off a talent base of aggressive hackers undeterred by blowback from international exposure of its activities. Taken in total, this signaling also seems to suggest a trajectory towards a surprising future in which China’s offensive cyber power surpasses that of the West.”

This is another nuance to the .gov 0day ecosystem worth your attention.

Security essays.

Research papers.

Tangentially.

Wanna check an iPhone for traces of the Pegasus .gov spyware?  Here are the instructions from Amnesty International’s Claudio Guarnieri.

P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.
