ARTECULATE
      You might want to think twice about Zoom

Neville Lahiru · April 3, 2020 · 9 mins read

Following lockdowns and work-from-home protocols across the world, there’s one piece of software that has seen a boom in the past month. After all, it was hard to avoid people posting screenshots of their Zoom conversations all over social media. Zoom’s daily video conferencing numbers have grown from 10 million in December 2019 to over 200 million. As such, it should come as no surprise that it’s raising some serious security questions.


      More users translate to vital security infrastructure

Shortly after the video conferencing software started gaining traction, so did the scrutiny of its security. Currently, it appears Zoom poses some significant security concerns, so much so that “Zoombombing” is an actual term. According to The Telegraph, a vulnerability in the software, particularly in the Windows version of the Zoom client, could potentially allow hackers to gain access to users’ email account passwords.

      Automated Zoom conference meeting finder 'zWarDial' discovers ~100 meetings per hour that aren't protected by passwords. The tool also has prompted Zoom to investigate whether its password-by-default approach might be malfunctioning https://t.co/dXNq6KUYb3 pic.twitter.com/h0vB1Cp9Tb

      — briankrebs (@briankrebs) April 2, 2020
An automated tool was able to find 100 Zoom IDs in an hour. This included information for almost 2,400 meetings.

This vulnerability could be exploited by simply clicking a link sent over webchat. For example, if a Universal Naming Convention (UNC) path is sent in the chat, Zoom converts it into a clickable link. If this link is clicked, Windows will attempt to connect to the remote host via the Server Message Block (SMB) network file-sharing protocol. In doing so, your sign-in name and NT LAN Manager (NTLM) credential hash are sent to that host. The credential hash could then be used to recover the username and password.

      How you can work around the security flaw

      The Local Group Policy Editor fix

One way to work around the vulnerability is to use the ‘Local Group Policy Editor’ on Windows. Here’s how:

      1. Open Start
      2. Search and select gpedit.msc
3. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
      4. Double-click Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
      5. Select Deny All
      6. Click Apply
      7. Click Ok
      8. Click Yes to confirm

The above will prevent your system from sending your Windows 10 sign-in NTLM credentials to a remote host. However, it should be noted that this method only works on Windows 10 Pro or Windows 10 Enterprise. Furthermore, it should be treated as a temporary measure. If you apply this configuration on a Windows 10 device that’s connected to a domain or a file-sharing server, you’ll have problems accessing files on the remote device.

      Fixing via Registry

Alternatively, if you’re running Windows 10 Home, this vulnerability can be worked around via the Registry. Do note that editing the registry could have serious repercussions if not done properly, so remember to take a full backup of your computer should you choose to pursue this method.

      1. Open Start
      2. Search for regedit and select top result
3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
      4. Right-click MSV1_0, select New, click DWORD (32-bit) Value
      5. Name it RestrictSendingNTLMTraffic and press Enter
      6. Double-click it and set value to 2
      7. Click Ok

Of course, as with the previous method, this is only a temporary measure.
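Both the Group Policy procedure and the registry procedure above end up setting the same value, RestrictSendingNTLMTraffic under the MSV1_0 key (0 = Allow all, 1 = Audit all, 2 = Deny all). The following PowerShell is an added example, not from the article or from Zoom: it reports the current setting, backs up the key, applies the change, and warns on domain-joined machines where the article notes Deny All will break access to file shares.

```powershell
# Added example (not the article's own steps): inspect and apply the
# outgoing-NTLM "Deny All" mitigation from an elevated PowerShell session.
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic
#   0 = Allow all, 1 = Audit all, 2 = Deny all

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Name    = 'RestrictSendingNTLMTraffic'

function Get-OutgoingNtlmPolicy {
    # Returns the human-readable meaning of the current setting.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured (NTLM allowed)' }
    switch ($item.$Name) {
        0       { 'Allow all' }
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { "Unknown value $($item.$Name)" }
    }
}

function Set-OutgoingNtlmPolicy {
    param(
        [ValidateSet(0, 1, 2)]
        [int]$Value = 2   # 2 = Deny all, the setting the article's steps apply
    )

    # The article warns that Deny All breaks access to domain file shares,
    # so flag domain-joined machines before changing anything.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain -and $Value -eq 2) {
        Write-Warning "$($cs.Name) is joined to domain $($cs.Domain); Deny All will block NTLM to its file servers. Consider 1 (Audit all) first."
    }

    # Back up the key first, as the article advises for registry edits.
    $backup = Join-Path $env:TEMP 'MSV1_0-backup.reg'
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' $backup /y | Out-Null

    # Create or overwrite the DWORD value (the equivalent of steps 4 to 6 above).
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    "Outgoing NTLM policy is now: $(Get-OutgoingNtlmPolicy) (backup at $backup)"
}

# Usage:
#   Get-OutgoingNtlmPolicy            # inspect before changing
#   Set-OutgoingNtlmPolicy -Value 2   # Deny all (the article's fix)
#   Set-OutgoingNtlmPolicy -Value 0   # revert once the temporary measure is no longer needed
```

Audit all (1) logs outgoing NTLM authentication attempts without blocking them, which is a useful first step to see what a machine would lose before choosing Deny All.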

      Is Zoom leaking personal data?

According to a report by Motherboard, Zoom may be leaking personal information. As a result, strangers would have the ability to start a video call with random users. The issue stems from its “Company Directory” setting, which automatically adds people to a user’s contact list if they share the same email domain. However, users allege that it had pooled them together with other users on the assumption that they all worked for the same company, despite these users signing up with personal email addresses.

      Zoom’s Company Directory setting may be leaking users’ personal data

Following the Motherboard report, Zoom claimed that the company maintains a blacklist of domains, and went on to state that it has blacklisted the specific domains highlighted in the Motherboard article.

      The LinkedIn Sales Navigator problem

Thanks to a service called LinkedIn Sales Navigator, Zoom has been secretly displaying people’s LinkedIn data to other participants. Zoom users that signed up for LinkedIn Sales Navigator were able to access LinkedIn profile data about other users during meetings. Furthermore, this happened without prior permission from those users, and without notifying them when other participants were viewing their LinkedIn data.

      According to The New York Times, when users sign up for a meeting, Zoom automatically sends names and email addresses to a company system. This company system matches the data with relevant LinkedIn profiles.

Neither the company’s Terms of Service nor its Privacy statement explicitly state how users’ LinkedIn data was displayed to other participants.

Enabling the LinkedIn Sales Navigator meant that users were able to access LinkedIn-specific data such as employer names, locations, job titles, etc. The New York Times further states that users were able to access this LinkedIn data even when signing up for meetings anonymously.

As of 2 April, Zoom has permanently removed the LinkedIn Sales Navigator app. The company stated that this was done “after identifying unnecessary data disclosure by the feature”.

      Privacy concerns

Additionally, Zoom also raises privacy concerns for users. Recently, it was found that its iOS app sends analytics data to Facebook, specifically to the Facebook Graph API, regardless of whether users have Facebook accounts. The primary issue is that Zoom users may not be aware of this at all. Users might be signing up for one service, but end up inadvertently providing data to two services.

      The transferred data included OS type and version, iOS Advertiser ID, IP address, device time zone and language, device model, carrier, disk space and screen size. According to Zoom, this data didn’t include meeting-related information.

By 27 March, Zoom had released an update to its iOS app addressing the above issue. The update removed the Facebook SDK that was used to implement the “Login with Facebook” feature. This is the feature that sent device data to the Facebook Graph API.

      The company has since removed Facebook SDK access from its native iOS app

Unfortunately, iOS problems don’t end there. On 31 March, concerns were also raised regarding how Zoom’s iOS installer works around Apple’s OS restrictions. Fortunately, this was fixed 3 days after the issue was raised.

      This isn’t the first time for Zoom

However, this isn’t the first time Zoom has had a serious vulnerability in its systems. Back in August 2019, a vulnerability allowed hackers to eavesdrop on private business meetings. The vulnerability was discovered by researchers at Check Point, a cybersecurity company.

The vulnerability was exploited via automated tools that generated random meeting room IDs. These tools could produce genuine Zoom links to meetings that had no password set. “The additional member would be visible by others in the meeting if they look at the ‘participants’ window in Zoom. But in many cases, Zoom conferences can have 10 or more participants, so the hacker may not be noticed in a large list,” noted Alexander Chailytko, cybersecurity research and innovation manager at Check Point.

      Thankfully, this vulnerability was patched back in January 2020.

      It’s not end-to-end encryption

Adding to the list of problems for Zoom is how its encryption works. The Intercept reported that Zoom doesn’t use end-to-end encryption, despite company claims. According to the report, the encryption on Zoom communications isn’t end-to-end, but rather TLS, the same transport encryption used to secure HTTPS websites. Essentially, your Zoom meeting video/audio content will likely be safe from hackers on the network, but this won’t stop the company itself from accessing your content. End-to-end encryption would normally prevent this from happening.

      Responding to the encryption issue, Zoom stated that the company doesn’t directly access users’ data

Right now, only its in-meeting chat feature appears to have end-to-end encryption. As mentioned in the security white paper, “Zoom uses public and private key to encrypt the chat session with Advanced Encryption Standard (AES-256). Session keys are generated with a device-unique hardware ID to avoid data being read from other devices.”

      What is Zoom doing about this?

Following the many questions raised, Zoom CEO Eric S. Yuan addressed the concerns in a company blog post. In it, he states that the company will be freezing all feature updates. Instead, Zoom’s engineering team will focus on upgrading its security over the next 90 days. This includes conducting a series of white-box penetration tests and enhancing the current bug bounty program.

As per the blog post, Zoom will also look to be more transparent. Eric goes on to mention that his company is “committed to being transparent throughout this process. We want to do what it takes to maintain your trust.” Notably, the company will be releasing a transparency report that covers requests for data, records and content. Furthermore, Eric will be hosting a weekly webinar to provide privacy and security updates.

      “Transparency has always been a core part of our culture. I am committed to being open and honest with you about areas where we are strengthening our platform and areas where users can take steps of their own to best use and protect themselves on the platform.”

      – Eric S. Yuan, CEO of Zoom

So far, Zoom has already taken steps to patch existing vulnerabilities. The company has removed the Facebook SDK from its iOS client, updated its privacy policy, and patched the UNC link issue, to name a few. Zoom has also published a blog post addressing the encryption matter.

      Should we use Zoom?

Authorities are already questioning the viability of using Zoom. The UK is debating whether its government should use Zoom for its communications. Elon Musk has already banned it for SpaceX meetings. NASA also prevents its employees from using the software for work.

      Boris Johnson using Zoom for one of his cabinet meetings
      Despite the questions raised, the UK government has defended using Zoom for cabinet meetings

By now, you’re probably asking yourself whether you should even use the software. Yes, the software does have several security concerns. But on the bright side, the company appears to be proactively working to fix its list of security vulnerabilities and privacy concerns. Obviously, this won’t be something that can be fixed with updates over a few days. Until then, it would probably be wise to use alternatives. Apps like Skype’s ‘Meet Now’, Cisco Webex, Slack, Microsoft Teams, and even Google Hangouts may be better options for the time being.

      Regardless, hopefully the company will iron out its security lapses soon. Time will tell whether the company’s efforts will come to fruition.
