SANS NewsBites

Zoom Security Problems; Critical Unpatched Microsoft Exchange Servers; NASA's "Exponential" Increase in Malware Attacks as Employees Work from Home

April 7, 2020  |  Volume XXII – Issue #28

Top of the News


2021-01-27

Zoom Acknowledges Encryption Problems

The University of Toronto's Citizen Lab has examined Zoom's encryption and concluded that the teleconferencing app is "not suitable for secrets." Zoom initially claimed it offered "end-to-end encryption" for meetings, but last week published a blog saying that it "recognize[s] that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it." Citizen Lab also found a security issue with Zoom's Waiting Room feature and recommends that Zoom meetings use passwords.

Editor's Note

On 5 April, Zoom changed defaults to enable passwords and start with the waiting room feature. I'll pretty much repeat what I said last Friday in NewsBites: "The easy answer is there are more secure alternatives to Zoom and companies should be providing and recommending those. The real answer is that many employees working at home and their families will be using Zoom for the next few months." On the end-to-end crypto issue - a term that is thrown around a lot - many issues arise across many products. The bigger issue with Zoom has been user-stored sessions being easily findable and accessible on the Internet - another issue Zoom is working on. Great webcast on how to mitigate many Zoom issues by SANS instructor Mick Davis is available at https://www.sans.org/webcasts/zomg-zoom-114670 (ZOMG it's ZOOM)

John Pescatore

Great work by Citizen Lab analyzing the Zoom encryption issues. The part I find most concerning is the fact that simple statements, like the length of the key used, were obviously wrong in Zoom's description of the encryption protocol. This shows, yet again, a common tech startup problem: a leadership group that is over-confident in the capabilities of their product but has little connection to the reality of what their product is actually capable of doing. This is not uniquely a Zoom issue; it is pervasive among startups including security startups. Always double check the vendor's claims.

Johannes Ullrich

It is important to understand the security of any video teleconferencing system used. The Zoom Blog below explains the encryption options for Zoom, including noting they have an option for customers to use their own key management systems. Understanding and accepting the risk of where the encryption keys are and how they are managed is important for any outsourced service. User guides need to be clear regarding the differences in security of room meeting systems, telephone and using the native meeting client. Irrespective of the software used, using the native client for all functions by all participants is the most secure option for meeting participation.

Lee Neely

2020-04-06

Some US School Districts Will Stop Using Zoom

New York City public schools and other US school districts have said that security and privacy concerns about Zoom have prompted them to stop using the teleconferencing platform for distance learning. New York City Schools Chancellor Richard Carranza says they are aiming to "get more classrooms videoconferencing on a safe and secure platform." Other school districts have decided to stop using Zoom or have mandated stricter security measures for its use.

Editor's Note

See more detailed comments on the "Zoom Acknowledges Encryption Problems" item, but with some basic security hygiene instruction for users and admins, Zoom can be used safely for many purposes, like education. One reality: just as all businesses learned they needed emergency backup power and had to periodically test switchover in advance of need, the same will be true for remote work/remote education etc. Businesses, schools, government will need to turn these emergency remote measures into safer and managed backup capabilities. Just like schools have fire drills, the future should have "remote education" drills.

John Pescatore

For schools, configuration issues that lead to issues like "Zoom Bombing" are a real problem. Other collaboration platforms may have similar problems, and these problems are fixable in Zoom (and Zoom has addressed them with better default configurations).

Johannes Ullrich

Rather than a wholesale switch to another teleconferencing platform, look first at securing what you have. Simple changes may provide sufficient security without incurring the expense of replacement. Mick Douglas has an excellent analysis on Zoom security and associated risks: https://www.sans.org/webcasts/zomg-zoom-114670 (ZOMG it's ZOOM)

Lee Neely

Zoom is not the only video conferencing game in town. It has more mature, if more expensive, competitors. The decision not to use it should include the allocation of funds to pay for the more expensive options. If the schools pay as little attention to the secure use of the more mature systems as they have to that of Zoom, a simple change in platform will not help much. Properly configured and setup, Zoom remains a good choice for primary and secondary schools, if somewhat less so for college class sizes. (Simply by altering the default settings, Zoom has become more resistant to the more notorious abuses.)

William Hugh Murray

2021-01-27

Critical Unpatched Microsoft Exchange Servers

More than 350,000 Internet-facing Microsoft Exchange servers have still not been patched against a known vulnerability, according to data gathered by Rapid7. Microsoft released a fix for the remote code execution flaw in February.

Editor's Note

This vulnerability has been overlooked by many organizations because it can be exploited without requiring user credentials. Any user will do. If you are concerned about users re-using credentials, or being subject to phishing, then you should be concerned about this vulnerability. Exploitation will lead to a full compromise of the Exchange server.

Johannes Ullrich

2020-04-06

NASA Experiencing "Exponential" Increase in Malware Attacks as Employees Work from Home

A memo from NASA's Chief Information Officer (CIO) says that the agency has experienced an "exponential increase in malware attacks on NASA systems" since employees started working from home due to the COVID-19 outbreak. NASA has also noted that the numbers of phishing attempts and of agency devices trying to access malicious websites are twice what they regularly are.

Editor's Note

When working remotely, the user has an added responsibility as their system is not protected by the enterprise perimeter and network security systems. Consider leveraging information in the SANS Security Awareness Work at Home Deployment toolkit (https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit) to help users be secure and make good choices.

Lee Neely

Criminals will take advantage of any crisis and will target your company and employees. Revise your detection and response capabilities and processes to see how you can manage an incident when your response team is working from home.

Brian Honan

Note that the "increase in malware attacks" results in part from users visiting unsafe sites from home or from their own computers that they cannot or do not visit from work. Some will result from the use of home or family use computers that may already have been contaminated. Prefer enterprise owned and managed computers for all enterprise use without regard to the location where it is used. Recognize the need for user direction, compensating controls, or intentional risk acceptance.

William Hugh Murray

The Rest of the Week's News


2020-04-06

FireEye Report on Zero-Day Exploits

In a blog post published on Monday, April 6, FireEye observes that while exploiting zero-day vulnerabilities used to be a sign of a sophisticated malware actor, it now means that the attackers have the funds to purchase zero-day exploits from companies that sell offensive cyber tools. FireEye tracked exploited zero-day vulnerabilities in 2019; more zero-day vulnerabilities were exploited in 2019 than in any of the three previous years. FireEye also noted an increase in the use of zero-day exploits by governments and law enforcement agencies.
2021-01-27

Jupiter, Florida Recovering From Ransomware

Computers belonging to the town of Jupiter, Florida, were hit with ransomware on March 23. As a result of the attack, the town's email and utility payment systems were still not available, nor was the system for submitting plans. Jupiter does not plan to pay the ransom demand.

Editor's Note

Unlike the recovery for Lake City and Riviera Beach, Florida last year, there are two new variables in this incident. First, that REvil/Sodinokibi are now promising to publish exfiltrated data from victims and second, that COVID-19 introduces health-safety challenges to the tasks of recovery and response. I have not seen a COOP/DR plan that includes provisions for preventing infection, and including best practices from this pandemic in them is prudent.

Lee Neely

2020-04-06

DarkHotel APT Group Allegedly Targeting Chinese Government Agencies

Hackers allegedly working on behalf of an unnamed government used an unpatched vulnerability in virtual private networks (VPNs) to launch cyberattacks against Chinese government agencies around the world. The perpetrators are believed to be the advanced persistent threat (APT) group known as DarkHotel.
Editor's Note

This provides an opportunity to verify your software update capability when the majority of the workforce is remote. Can your management systems provide updates when the VPN is disconnected? Consider communication to leave systems running or self-service update options. With the duration of current events unknown, waiting for systems to return for updates is unwise.

Lee Neely

2020-04-06

Firefox Updates Fix Two Actively Exploited Flaws

Mozilla has released an update for Firefox that addresses two critical vulnerabilities that are being actively exploited. Both of the vulnerabilities, a use-after-free while running the nsDocShell destructor and a use-after-free when handling a ReadableStream, can be exploited to execute arbitrary code or cause machines to crash. The most current versions of the browser are Firefox 74.0.1 and Firefox ESR 68.6.1.
2020-04-05

Border Gateway Protocol Hijacking Sends Traffic Through Russian Telecom

A border gateway protocol (BGP) hijacking incident caused traffic intended for more than 200 content delivery networks and cloud hosting providers to be rerouted through Russia's telecommunications provider, Rostelecom. The situation lasted for approximately one hour.

Editor's Note

It is incidents like this, and the ever increasing concerns raised over vulnerabilities in the networking and communications hardware we deploy on the Internet, that we should be using to highlight why strong encryption is so important to secure our data and inserting backdoors or golden keys only weakens that security.

Brian Honan

2020-04-06

Microsoft DART Case Report: Emotet Caused Full Operational Shutdown

Microsoft's Detection and Response Team (DART) has published a case report that describes an incident in which the Emotet malware shut down an entire operational network. The attack began with a malicious attachment to a phishing email. Once the attackers gained purchase within the system, they proceeded to spread Emotet throughout the system. Emotet updated with new definitions every few days, enabling it to evade detection by antivirus programs. The malware maxed out computers' CPUs and consumed the network's bandwidth, shutting down the company's core services.

Editor's Note

"Phishing" and other attacks designed to dupe and exploit users will continue to be the Achilles heel of the enterprise unless and until we isolate e-mail and browsing from other enterprise applications.

William Hugh Murray

Internet Storm Center Tech Corner

New Bypass Technique or Corrupt Word Document

https://isc.sans.edu/forums/diary/New+Bypass+Technique+or+Corrupt+Word+Document/25984/


CitizenLab Analyzes Zoom Encryption

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

https://www.sans.org/webcasts/zomg-its-zoom-114670


Microsoft Exchange Server Vulnerability Still Not Patched

https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/


Mozilla Patches Critical Firefox Flaws

https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/


Malicious JavaScript Injected Into Discord

https://www.bleepingcomputer.com/news/security/discord-turned-into-an-account-stealer-by-updated-malware/


Vuln Cost Security Scanner for VS Code

https://snyk.io/security-scanner-vuln-cost/


ROSTELECOM Reroutes Traffic for Multiple Cloud Providers

https://twitter.com/bgpmon/status/1246842916502302723

https://bgpstream.com/event/230837


Fake Zoom Installer

https://blog.trendmicro.com/trendlabs-security-intelligence/zoomed-in-a-look-into-a-coinminer-bundled-with-zoom-installer/