|
|
(Posting here as the Security forum seems to be almost moribund and this looks important)
A few days ago I read on a mainstream news site that the Cabinet was having virtual meetings using this software, yet the software is far from secure. Now we have further worrying information about it.
For instance it appears that data may be routed through China, including encryption and decryption keys, and 700 of the development team are in three companies in mainland China.
I did a quick search on these forums and see it is in use by some members, so posting to warn them and anybody else considering it in case they aren't aware of this.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - Three 4G, tbb tests normally 35-45Mbps down, 65Mbps off-peak, 9-24 up.
==================================================
"Democracy means simply the bludgeoning of the people by the people for the people." Oscar Wilde
|
|
|
I've been invited to join a group of friends on it for drinks but have refused because I'm deeply security paranoid.
That's as well as being deeply antisocial.
By default all traffic to and from China is blocked by my firewall. I wonder if it would even work. It probably would if Zoom's explanation is correct.
Zoom has recently disabled web client access so users must now install an app to use the service - something which opens up even more potential security problems.
Edited by caffn8me (Sat 04-Apr-20 08:32:51)
|
|
|
|
I wonder how Zoom security compares to Cisco Jabber or Webex
|
|
|
|
|
I wonder how Zoom security compares to Cisco Jabber or Webex
You might find this interesting:
https://www.schneier.com/blog/archives/2020/04/secur...
20 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
Zoom has recently disabled web client access so users must now install an app to use the service - something which opens up even more potential security problems.
I've used the Zoom web client a few times and indeed clicking on it now throws up "403 Forbidden".
Perhaps this is because the data sent via a browser was not secured sufficiently relative to the app (I'm giving Zoom the benefit of the doubt...).
Oliver.
|
|
|
A few days ago there was a picture on the BBC news of the cabinet using it!
AIUI the security depends on how you use it. You can configure it so that only the originator of a session can allow others to join. Even then the joiners have to know a 10 digit meeting ID.
Michael Chare
|
|
|
By default all traffic to and from China is blocked by my firewall. I wonder if it would even work. It probably would if Zoom's explanation is correct.
I suppose you refuse to order a Chinese take away as well.
---
Andrue Cope
Brackley, UK
|
|
|
You might find this interesting:
https://www.schneier.com/blog/archives/2020/04/secur...
Many thanks, it's an interesting article.
I have used the Cisco products many times over many years but don't think I will be wanting to use Zoom anytime soon.
Edited by deleted (Sat 04-Apr-20 11:30:50)
|
|
|
I have used the Cisco products many times over many years but don't think I will be wanting to use Zoom anytime soon.
My employer uses Cisco Webex (they bought them) exclusively, it seems to work very well. I am thankful I have good upstream bandwidth and VM in this area is not oversubscribed.
20 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
By default all traffic to and from China is blocked by my firewall. I wonder if it would even work. It probably would if Zoom's explanation is correct.
I suppose you refuse to order a Chinese take away as well.
Well, I wouldn't order one from China (it'd be cold by the time it arrived).
The other difference is I don't have Chinese restaurants trying to break in all the time whereas with Chinese computers it's a constant and coordinated onslaught.
|
|
|
|
I really cannot comprehend how Johnson was allowed to use Zoom for a cabinet meeting - I would have expected GCHQ to be all over it.
|
|
|
This makes interesting reading https://www.theregister.co.uk/2020/04/03/dont_use_zo...
Our teams have been told not to use it at all now. Our local school wants to use it because they're only talking about kids... what could possibly go wrong!
|
|
|
I have to say I'm amazed that they don't seem to have a proper secure system for such purposes within the Cabinet Office. It's just ludicrous.
I know government IT contracts usually end as expensive disasters but writing such a system securely from scratch isn't exactly rocket science.
|
|
|
I have to say I'm amazed that they don't seem to have a proper secure system for such purposes within the Cabinet Office. It's just ludicrous.
The BBC article confirmed they did have a system for classified. Maybe this was only a "how well are you" conversation where some members only had their home PC.
It may have been used as a PR prop to show the country that "we can work from home, so can you".
We only have the press reports to go on!
20 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
The competition from Zoom prompted Webex to offer a free plan, so there's always that I suppose.
Oliver.
|
|
|
|
|
|
|
Interesting.
Without wishing to don my tinfoil hat, Schneier's blog referred to Zoom's use of coders and servers situated in the Chinese republic:
However, this arrangement may make Zoom responsive to pressure from Chinese authorities. Now if you had an authoritarian State that was heavy on surveillance with a big emphasis on face recognition, you would want to train your algorithms on the largest possible database of subjects. A suitable database might consist of large groups of people talking directly to camera.......
|
|
|
I understand that Zoom has hidden features that allow a user to be added to a call, without their knowledge... so no worries then!
https://www.theguardian.com/technology/2020/apr/02/z...
|
|
|
I think for the average home user it is not going to be a problem. Government departments using it etc - absolute madness.
It goes to show you how disorganised government departments (central or non central) are which is why they're taking the easy route of using Zoom, because they probably lack any sort of ability to provision a more secure service.
Nothing new there then though.
Andrews & Arnold Home ::1 on Draytek 2862ac - Why settle for inferior?
|
|
|
|
I thought I had read on the Register but cannot now find, that the Cabinet Office had earlier sent out a message to all departments that Zoom wasn't to be used.
|
|
|
I thought I had read on the Register but cannot now find, that the Cabinet Office had earlier sent out a message to all departments that Zoom wasn't to be used.
It isn't to be used.
My question would be, why would that message need to be sent in the first place?
All government hardware should be locked down as a matter of course, that in itself should make it impossible for anyone using a government computer to install anything on it.
|
|
|
It isn't to be used.
My question would be, why would that message need to be sent in the first place?
All government hardware should be locked down as a matter of course, that in itself should make it impossible for anyone using a government computer to install anything on it.
You don't need to install anything to use the Zoom web client so then you're looking at a different way of blocking it. A quick way (which is relatively easy to circumvent if someone has technical knowledge) is just to block requests for zoom.us DNS lookups.
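To make the resolver-level block described in the reply above concrete, here is an added example (not code from the forum post or from any product) that applies a domain suffix block-list to DNS resolver log lines and reports which lookups the block would have stopped. The log lines, the log format and the block-list are all constructed for the example; the matching is done on whole labels so that look-alike names such as notzoom.us or zoom.us.example.com are not caught by accident, which a naive substring check would get wrong.

```python
# Added example, not from the forum post: suffix-based DNS blocking audit.
# Log format and sample lines are constructed for this example.
from dataclasses import dataclass

# Constructed block-list; zoom.us is the domain named in the post.
BLOCKED_SUFFIXES = ("zoom.us",)


def is_blocked(qname: str, suffixes=BLOCKED_SUFFIXES) -> bool:
    """True if qname is a blocked domain or any subdomain of one.

    Compares whole DNS labels, so 'notzoom.us' and 'zoom.us.example.com'
    are NOT matched by a block on 'zoom.us'.
    """
    labels = qname.rstrip(".").lower().split(".")
    for suffix in suffixes:
        s = suffix.lower().split(".")
        if len(labels) >= len(s) and labels[-len(s):] == s:
            return True
    return False


# Constructed resolver log; format assumed as: <ts> resolver query[TYPE] <qname> from <client>
SAMPLE_LOG = """\
Apr 04 09:00:01 resolver query[A] zoom.us from 10.0.0.12
Apr 04 09:00:02 resolver query[A] us04web.zoom.us from 10.0.0.12
Apr 04 09:00:03 resolver query[A] notzoom.us from 10.0.0.15
Apr 04 09:00:04 resolver query[A] zoom.us.example.com from 10.0.0.15
Apr 04 09:00:05 resolver query[AAAA] www.bbc.co.uk from 10.0.0.20
"""


@dataclass
class QueryRecord:
    client: str
    qname: str
    blocked: bool


def parse_line(line: str):
    """Return (qname, client) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) < 8 or not parts[4].startswith("query[") or parts[6] != "from":
        return None
    return parts[5], parts[7]


def audit(log_text: str, suffixes=BLOCKED_SUFFIXES):
    """Classify every parseable query in the log as blocked or allowed."""
    records = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        qname, client = parsed
        records.append(QueryRecord(client, qname, is_blocked(qname, suffixes)))
    return records


def summarise(records):
    """Per-client count of blocked lookups; repeated hits point at a device
    that keeps trying and may be worth a closer look."""
    counts = {}
    for r in records:
        if r.blocked:
            counts[r.client] = counts.get(r.client, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        print(("BLOCKED " if rec.blocked else "allowed ") + rec.qname + " <- " + rec.client)
    print(summarise(audit(SAMPLE_LOG)))
```

The audit only sees queries that reach the organisation's own resolver, which is exactly the limitation the reply points at: a block of this kind is a convenience control, not a boundary, so the per-client summary is most useful as a signal to follow up with the endpoint policy discussed later in the thread.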
|
|
|
|
|
|
|
|
Post deleted by MrSaffron
|
|
|
You don't need to install anything to use the Zoom web client so then you're looking at a different way of blocking it. A quick way (which is relatively easy to circumvent if someone has technical knowledge) is just to block requests for zoom.us DNS lookups.
You'd hope that there's substantial, mandatory endpoint security running on the machines government employees, MPs, etc, are using to conduct their business and that they are expressly forbidden from using anything not provided by uk.gov for these purposes and comply with this.
Wishful thinking on my part, isn't it?
Building better networks, not just faster ones.
|
|
|
Finding an alternative to Zoom is the utmost solution for enterprises to run their businesses. Without end-to-end collaboration, meetings in businesses, there is no productivity or efficiency from your employees.
Welcome to the forum, Richard
If I didn't know better I would think this is a sales pitch.
|
|
|
Spam I believe it is and dealt with accordingly.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
Wishful thinking on my part, isn't it?
Shouldn't be, Windows has execution control tools built in, and prior to that we've been using tools from providers such as Lumension (now Ivanti) to whitelist applications.
It's not rocket science!
20 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
You don't need to install anything to use the Zoom web client so then you're looking at a different way of blocking it. A quick way (which is relatively easy to circumvent if someone has technical knowledge) is just to block requests for zoom.us DNS lookups.
You'd hope that there's substantial, mandatory endpoint security running on the machines government employees, MPs, etc, are using to conduct their business and that they are expressly forbidden from using anything not provided by uk.gov for these purposes and comply with this.
Wishful thinking on my part, isn't it?
Considering the billions of pounds the government spends on software and computers I would be shocked if all government computers are not fully locked down. Not only with access but BIOS locked, hardware locked and software locked. If they are not, I would very much love to know what idiot made that decision and why.
|
|
|
You'd hope that there's substantial, mandatory endpoint security running on the machines government employees, MPs, etc, are using to conduct their business and that they are expressly forbidden from using anything not provided by uk.gov for these purposes and comply with this.
Wishful thinking on my part, isn't it?
I think BYOD is the trendy thing these days and it's a nightmare. Having said that, I was recently chatting to someone who works for one of the large consulting firms. Their internal systems are supposed to be pretty locked down so sending dodgy files to their internal systems should be difficult. Except it's still possible to do it via WhatsApp.
|
|
|
Wishful thinking on my part, isn't it?
Shouldn't be, Windows has execution control tools built in, and prior to that we've been using tools from providers such as Lumension (now Ivanti) to whitelist applications.
It's not rocket science!
No, it's not impossible, but the problem is that it's not being done where it needs to be. I bet there are still Government owned laptops without hard drive encryption even though it's mandatory [PDF].
|
|
|
No, it's not impossible, but the problem is that it's not being done where it needs to be. I bet there are still Government owned laptops without hard drive encryption even though it's mandatory [PDF].
Sure, and I bet many are still Windows 7.
20 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
I think BYOD is the trendy thing these days and it's a nightmare. Having said that, I was recently chatting to someone who works for one of the large consulting firms. Their internal systems are supposed to be pretty locked down so sending dodgy files to their internal systems should be difficult. Except it's still possible to do it via WhatsApp.
It certainly is, however endpoint security is the cool thing alongside. You want to connect to the internal network, you accept the endpoint software and policies.
That's certainly what I'm seeing. Next generation firewalls are looking like obsolescence is coming for them sooner rather than later in favour of endpoint security for pretty much everything besides some use of NGFW for limited amounts of backhauled traffic.
Working from home + cloud + encrypted everything + SD-WAN/SDN isn't great for bits of tin sitting in offices doing firewall duty.
Building better networks, not just faster ones.
|
|
|
|
And they can get 3 years extended support for Win 7 - government price for extended support this year is pretty low cost.
|
|
|
Working from home + cloud + encrypted everything + SD-WAN/SDN isn't great for bits of tin sitting in offices doing firewall duty.
The islands of security model, which my company seems to be moving to with heavily managed endpoints over the internet. VPN only required for legacy internal systems.
20 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
Sure, and I bet many are still Windows 7.
Relatively recently I saw a Windows 2000 system being used by the RAF.
|
|
|
Hmmmm! Plans to allow MPs to take part in some parliamentary business virtually have been approved by the body responsible for administration in the Commons.
The House of Commons Commission said ministers will be quizzed via Zoom for the first time in the House's 700-year history.
This "unprecedented step" will "keep democracy going" during the coronavirus crisis, it said.
MPs will have to approve the plan next week when they return on 21 April.
It means that up to 120 MPs will be able to take part in proceedings virtually at any one time, while 50 could remain in the chamber under social distancing rules.
…
The National Cyber Security Centre has advised the Commission that for public Parliamentary proceedings it considers the use of Zoom appropriate, if the installation and the use of the service is carefully managed. "If".
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - Three 4G, tbb tests normally 35-45Mbps down, 65Mbps off-peak, 9-24 up.
==================================================
"Democracy means simply the bludgeoning of the people by the people for the people." Oscar Wilde
|
|
|
I note that is for public proceedings, surely those that are documented in Hansard anyway, so were public on paper?
20 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
Hansard is available online too. As are full live television coverage of the House of Commons and some recorded Committee hearings plus some House of Lards sessions. (Freeview 232).
Typo is good, so left in.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - Three 4G, tbb tests normally 35-45Mbps down, 65Mbps off-peak, 9-24 up.
==================================================
"Democracy means simply the bludgeoning of the people by the people for the people." Oscar Wilde
|
|
|
Typo is good, so left in.
20 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
And they can get 3 years extended support for Win 7 - government price for extended support this year is pretty low cost.
That is news to me. Maybe government departments who have opted for all the sucky Office365 E5 licensing and Azure add-on stuff have a discount, that's because they've already been proverbially bent over.
And with or without the extended support, the security of the older operating systems is still poor compared to the newer versions, so just because it is getting patched doesn't mean it is an acceptable state to be in.
It is quite possible for an organisation to be free of outdated and unsupported operating systems and the like if they are organised and have the right investment. There's very little excuse with the Win7 -> 10 argument because the majority of stuff that works on 7 works fine on 10. XP to 7 was a different matter so just because it might have been acceptable then doesn't mean it is now.
Andrews & Arnold Home ::1 on Draytek 2862ac - Why settle for inferior?
|
|
|
Basically what they are saying is that once again another government department is stuck in the stone age and doesn't have a competent IT department which can get some more appropriate software installed (like Microsoft Teams - not great but more secure than Zoom).
In the absence of competent IT that can manoeuvre quickly, pressures have forced them to start using Zoom because it is easier for the staff to install and get up and running first. IT can wash their hands of the matter then for a couple of months until Zoom has actually fixed the security issues. At that point IT can get involved and rubber stamp it and make it approved etc etc.
As for the NCSC - not the first time they have come out with some questionable advice.
Andrews & Arnold Home ::1 on Draytek 2862ac - Why settle for inferior?
|
|
|
Good news is that Zoom have taken the criticism seriously and are making changes fast. If you use Zoom, then keep updating it, on any platform.
1) They have removed the meeting ID from the screen, you now have to click to see it. This means when people take screen shots and post to social media they aren't sharing the ID.
2) Many changes around the waiting room, it has been automatically enabled. The option to find it is now more obvious, and you can change it on/off during a meeting.
3) Paid accounts can now choose which data centre they are served by. The free accounts are limited to the data centre they signed up near.
Quite impressive for a company with explosive growth, more so than any Microsoft or Google or Cisco competitor.
20 years of broadband connectivity since 1999 trial - Live BQM
|