Blog Layout
Video Conferencing Showdown, Part 1: Zoom
Chelsea Sauder • April 30, 2020
Given the recent explosion of remote work and social distancing practices, it’s likely you or someone you know has turned to a video conferencing solution like Zoom, Microsoft Teams, Cisco WebEx, Lifesize, Skype, Bluejeans, Google’s Meet & Hangouts, and others. How do you know which one is the safest, let alone the best one? Someone inviting you to a meeting may have a de facto standard which you’re required to use if you want to attend their meeting, and each has its own software and things you should be aware of.
In the news lately, most of us have heard about the privacy and security issues affecting Zoom, a very popular choice. That said, though, other video conferencing platforms have issues as well, and Zoom is
dealing with the fact that the entire world started working remotely, and very quickly – Zoom reported 200 million monthly active users in March 2020 compared to 10 million in December 2019.
The points I want to make are these: first, hackers tend toward actions with widespread effects, and second: flaws and vulnerabilities exist in every digital product and tool, and no app or software is un-hackable. Convincing yourself otherwise is foolish because there’s absolutely no way to render 100% cybersecurity (unless you’re still using the original
hardened system: stone tablets…and you know who you are). Switching from one platform to another doesn’t erase those issues, it just rearranges which ones you need to pay most attention to.
As usual the best defense is to arm yourself with some knowledge. In this series of blog posts, we’ll break down the usual suspects for video chat and analyze each with an emphasis on privacy and security.
How Does Zoom Stack Up?
Privacy
"Does Zoom sell Personal Data? Depends what you mean by "sell." We do not allow marketing companies, or anyone else to access Personal Data in exchange for payment. Except as described above, we do not allow any third parties to access any Personal Data we collect in the course of providing services to users. We do not allow third parties to use any Personal Data obtained from us for their own purposes, unless it is with your consent (e.g. when you download an app from the Marketplace. So in our humble opinion, we don't think most of our users would see us as selling their information, as that practice is commonly understood."
This appears carefully written by lawyers to permit them to do pretty much whatever they want with your information, while pretending otherwise, and it’s a really good thing they changed it. Zoom put out a significant revision their privacy policy on March 29 th
which clarified the difference between Zoom services (things you use to conference with other people) and its website, zoom.us. As it stands now, your Zoom services and your personal information are clearly walled off from use for advertising and trackers. However, they specifically exempt their own zoom.us site and so conceivably Zoom itself can use your data for their own marketing purposes.
Vulnerabilities
Zoom's security is somewhat dubious. Motherboard wrote in late March that Zoom's iPhone app was sending user data to Facebook, even if the user didn't have a Facebook account. Zoom killed that off, but their response leaves me worried about sloppy software development with unintended consequences:
"We originally implemented the 'Login with Facebook' feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data," Zoom told Motherboard in a statement on March 20.
Last year, a researcher discovered a problem
with the Zoom software for Mac which allowed any malicious website to enable the camera without permission. What this means is that Zoom designed its service to bypass browser security
settings and remotely enable a user's web camera without the user's knowledge or consent. Zoom has since patched this vulnerability.
On April 1 st
, we learned that Zoom for Windows can be exploited in an attempt to grab Windows usernames and passwords. This particular problem stems from two things working together to create insecurity:
1. A default setting in Windows automatically sends your credentials (username and password hash) when you click on a UNC link of the format \\server_name\share_name.2. Zoom made clickable links out of text determined to be a UNC path but it’s hardly the only application that does this – common applications in Microsoft Office like Outlook, Word, and Excel have the same behavior. Zoom removed this behavior in a software update. This is a case of “old problem, new route of trying to get people to click malicious links”.
There are configuration settings you can change within Windows to prevent this undesirable spewing of your credentials even if you click on a link; contact us
if you’d like more information.
On April 2 nd
, it was reported that Zoom showed users information from other participants’ LinkedIn profiles, with no indication to the latter party. Like above, Zoom has fixed this.
Encryption
Before they got popular, Zoom claimed that it offers end-to-end encryption, but it this has been proven untrue. Zoom published a security guide whitepaper
touting End-to-end encryption as an option for the meeting host:
In Zoom's white paper, there is a list of "pre-meeting security capabilities" that are available to the meeting host that starts with "Enable an end-to-end (E2E) encrypted meeting." Later in the white paper, it lists "Secure a meeting with E2E encryption" as an "in-meeting security capability" that's available to meeting hosts. When a host starts a meeting with the "Require Encryption for 3rd Party Endpoints" setting enabled, participants see a green padlock that says, "Zoom is using an end to end encrypted connection" when they mouse over it.
When pressed, Zoom admitted: "Currently, it is not possible to enable E2E encryption for Zoom video meetings”. As of this writing, the whitepaper still exists on Zoom’s site, but has been updated to remove any mention of end to end encryption.
The problem isn’t so much that Zoom is using transport encryption over the public Internet – after all, this is the same technology used between your browser and your secure websites like online banking. When it’s properly implemented, TLS is reasonably good at its job of protecting your data from digital eavesdropping as it goes across the public Internet.
A Citizen Lab pointed out, that very same security guide whitepaper claims that the Zoom app uses AES-256 encryption for meetings where possible. They discovered, though, that in reality, each Zoom meeting only uses a single AES-128 key (in ECB mode) shared by all meeting participants for crypto of the audio and video data. to encrypt and decrypt audio and video.
The use of electronic codebook (ECB) mode for AES-128 is disturbing. Without descent too far into the cryptography rabbit hole, ECB is the simplest block cipher mode applicable to AES-128, with the primary disadvantage is how it handles patterns in data, such as identical blocks of text or uniform areas of color.
Here’s an example:
Our logo, normal and unencrypted
The same logo, encrypted with AES-128 and ECB
The same logo, encrypted with AES-128 and CBC
See the problem with ECB?
User Settings
"Zoombombing" is problem that everybody’s heard about. Bad actors would find open Zoom meetings, join, and start sharing all sorts of offensive content with everyone. That said, if you don’t have effective access control on your meetings and by default allow every attendee to screen share, it was bound to happen.
Zoom meeting IDs consist of a 9 to 11-digit number; many hosts use their phone number as a Personal Meeting ID. This is trivial to guessing and brute force attacks, and a Zoom meeting is vulnerable if it’s not using the newly rolled out Zoom Waiting Room feature for a host to approve each attendee, or setting a meeting password – again, not historically the defaults. Our recommendation is that you use a password versus a Waiting Room
– assigning a password makes your meeting undetectable to common tools which search for meetings, and Zoom now embeds the password in the invitation, so legitimate attendees to whom you send it will be able to join easily. The Waiting Room feature can be disruptive to meeting hosts, especially when they’re speaking or presenting.
Zoom now offers guidance on securing your meetings. In short:
Summary
Contact TexasPGB
To their credit, Zoom announced they are suspending all development not focused on security, safety, and privacy issues. In addition, Zoom has released version 5.0 of their software which (among other improvements) does away with AES-128-ECB and replaces it with AES-256-GCM, which is much more appropriate from the standpoint of crypto -- but then again, it's also the crypto Zoom was claiming all along, when in reality what was in use to protect your confidentiality was significantly weaker. Combine that with other proven mis-steps (such as Zoom allowing users to save ostensibly private recordings of their meetings to the Zoom Cloud, but having no authentication to retrieve these, making all of these recordings entirely publicly accessible) and the security world is wary of Zoom.
Only time will tell, but the company does
appear to be listening and hearing concerns being raised, and moving relatively quickly to improve and fix things. These are overall positive steps, and the fact is that Zoom is easy to adopt and quickly get started with video conferences. The “It Just Works” factor is high, and that makes a difference in the number of non-technical people that ultimately adopt a given solution.
Remember, this post is part 1 of a series. Come back next week and each week in May,
where we’ll examine Teams, WebEx, Lifesize, Skype, Bluejeans, and Hangouts in similar fashion. Contact our team
if you need help configuring the right applications for your remote workforce.
Share this post with others:
When it comes to automating processes around your business, it can simultaneously seem like everything can be automated, and absolutely nothing can be automated. As with many other things, the real answer is somewhere in the middle but can be a bit challenging to put your finger on. These projects usually start when someone at the strategic level of the organization has decreed that “we are going to automate!” and either they personally go on the hunt for what to automate or they hand it off to someone on their team to go do the leg work and come back with “automation” (maybe in a nice box with a bow on it). Sound familiar?
Data is everywhere. You’ve got a lot to focus on and it can be hard to stay on top of what’s going on with your business. Report creation in Excel is often time-consuming and can quickly become a nightmare. Modernizing your reports and streamlining your process with PowerBI to get more reliable and consistent reporting across all of your systems can be a game changer for your business. Read on to learn about three key acceleration tactics that our team uses on every implementation that we facilitate.
83% of knowledge workers require technology to work together. Microsoft Teams is a cloud-based collaboration and communication tool that lets workers share the right information to the right people all through one integrated platform. According to a Forrester report, The Total Economic Impact of Microsoft Teams, there are a variety of ways using Teams saves organizations time and money. Read and download the infographic to share here .
How to Get Started with the Power Automate app for Teams You can get started with Power Automate app in just 3 quick steps: Click on the … in the left-hand corner of your teams browser Search for “Power Automate” Click on the Power Automate app icon and pin it to your left-hand Teams navigation panel
As mentioned, there are several options available for automating your business. One of our favorite low-code/no-code options is the Microsoft Power Platform. As a suite of 4 different tools, the Power Platform can automate routine tasks, customer support, data visualization, and more. A few highlights on the effectiveness of the Power Platform are:
It is no secret that 2020 and the coronavirus pandemic altered the reality of doing business. These changes are showing little signs of letting up and a lot of the adjustments made to respond to a remote workforce may very well become a permanent feature in daily business operations. As business decision makers (BDMs) and IT decision makers (ITDMs) head into a new year it is important to keep an eye out for technology solutions that can further support these operational changes while increasing efficiency. This post briefly highlights the top 3 digital solutions we have our eyes on for 2021 and our Microsoft-based clients.
In our latest video series, Patrick Boren, Principal Consultant at TexasPGB, introduces the newest addition to the Microsoft Project family, Microsoft Project Operations. In this video Patrick discusses: What challenges Project Operations aims to solve What is Project Operations and common use cases for the tool Who uses Project Operations Upcoming "Day in the Life" Sessions Watch the video or read the condensed transcript below.
Having a wealth of data at your fingertips is great, but what happens when your data is so vast that it takes you years to make a key discovery? A friend of mine told me a story recently about an experience he had. His first company conducted a VP meeting every quarter – everyone scrambling to put together their presentations and make their case based on the data from Excel spreadsheets. Departments and information tended to be segmented into silos. While much of the data could be shared across the company, rarely was it compiled in a way to show how one area of the business could affect another.
If you are looking to migrate your data to Microsoft 365 there are two common methods to funnel your data - SharePoint or Common Data Service (CDS). SharePoint solutions take advantage of lists and libraries. Data is housed, originated, and manipulated entirely within the SharePoint platform. CDS solutions use both standard and custom entities to collect and house data that is then integrated across the Microsoft 365 platform. Below we will review a few ways each method is different and what you should look for before making a final decision for your data migration plan.
When it comes to technology, do you have a one-size-fits-all vendor? In today’s world of cost cutting, we see more and more organizations that end up missing out on huge technology opportunities by assuming a single vendor can and will do it all. As a technology consulting firm, we’re frequently asked “aren’t you the same as my managed service provider (MSP)?” Fortunately, for those that ask, we’re able to shed light on how a Technology Consulting Firm varies from an MSP.
