[TriLUG] Zoom - conferencing

Mike Viscount via TriLUG trilug at trilug.org
Sat Apr 25 12:10:43 EDT 2020


Before saying anything else ... I'm not a huge Zoom guy, never hosted my
own Zoom meeting, and am not saying anyone else should or should not.  Just
offering up some info I've come across so others can evaluate for
themselves in the interest of info sharing.

Many concerns with Zoom for sure and I've been watching with interest over
the past couple weeks as I've been invited to a couple zoom meetings.  Most
of the concerns that I've seen have been default settings that are contrary
to what anyone concerned about privacy would expect.  Of course, others
being able to join your meetings is not a good thing... but they can't if
you don't let them by using passwords or only allowing those who you let in
during the meeting.

Another big gripe I **think** that I read along the way was that they said
it was encrypted but that it's not actually end-to-end encrypted.  If I
remember correctly it's encrypted from you to them, then unencrypted on
their servers, then encrypted to the final endpoint but I may be wrong
about that.  Additionally the encryption was not of the highest standards.
A concern for some for sure.

As far as having to install another app on your box ... which I'm not a
huge fan of for something that I'm only going to use occasionally when I
have to vs. want to ... as I understand it you can "join from your browser"
and do not have to install the app.  I didn't know this when I joined my
first Zoom meeting as it wasn't obvious to me.  I plan to uninstall the app
and give the browser version a try next time someone invites me to a
meeting.

My understanding is that given the beating they've taken they are
addressing all of these issues.

To add to the discussion and info sharing ... following from SANS newsbites
this week ... and for those with a desire to slap a little google foo on
the subject I'm sure there's more than you care to read about it ... and
repeated ad nauseam.

Hope this is helpful ...

From: SANS Newsbites   April 24, 2020   Vol. 22, Num. 033

Zoom 5.0 Includes Security and Privacy Improvements
(April 22, 2020)

Zoom has released a new version of its teleconferencing software. New
features in Zoom 5.0 include controlled data routing, and passwords on by
default for all meetings; administrators can now establish password
complexity requirements. Zoom is also implementing stronger encryption,
which is expected to be enabled system-wide by the end of May. The newest
version of Zoom will be rolled out to users over the next week.

Editor's Note

[Pescatore]
Zoom continues to live up to its promise to enhance security, but there is
a predictable trajectory when IT platforms retroactively add security
features. Security management capabilities tend to lag, providing limited
visibility into and tracking of critical security policies/events. The
Business version of Zoom has an admin dashboard that is mostly performance
oriented and relies on exporting .CSV files for any deeper analysis – never
a scalable approach. Third-party partner vendors can fill the gap, but the
Zoom App Marketplace has a very limited choice of small vendors. Zoom may
add more security management capabilities, but training will be required
for admins and security analysts on how to properly configure and monitor
security relevant features, how to integrate to SIEM, etc. Many will
require direct vendor support until these capabilities mature. At the
Enterprise pricing level of Zoom ($1999/month minimum) you get a dedicated
“Customer Success Manager” which many may need to buy.

[Neely]
The update is not available yet; yes, I tried to update before reading
that, too. The plan is to push out client updates next week. They are
updating to AES 265 GCM encryption, and allowing your account admin to
control meeting routing. They are also grouping the security settings
together under a new security icon. The Zoom blog explains the new
features: blog.zoom.us: Zoom Hits Milestone on 90-Day Security Plan,
Releases Zoom 5.0

Read more in:
- www.theregister.co.uk: After intense scrutiny, Zoom tightens up security
  with version 5. New features include not, er, spilling video calls to
  network snoops
  https://www.theregister.co.uk/2020/04/22/zoom_5/
- www.zdnet.com: Zoom adds data center routing, security updates
  https://www.zdnet.com/article/zoom-adds-data-center-routing-security-updates/
- www.cyberscoop.com: Zoom bolsters software security in latest move to
  reassure users
  https://www.cyberscoop.com/zoom-software-update-security-coronavirus/
- siliconangle.com: Zoom update addresses security issues with enhanced
  encryption and new features
  https://siliconangle.com/2020/04/22/zoom-update-addresses-security-issues-enhanced-encryption-new-features/


On Fri, Apr 24, 2020 at 3:33 PM Michael Rulison via TriLUG <trilug at trilug.org> wrote:

> Dear TriLUGers,
>
> I will stick my neck out and let you correct my understandings:
>
> Zoom insecurity and privacy issues have been overblown, IMO.
>
> Yes, some sessions were hacked into (AFAIK, using emails garnered/stolen
> outside of Zoom).
> Some of those sessions involved school kids and perhaps 'inappropriate'
> visual and audio content; that was not nice or kind, but that is the
> world we live in. Protections from crazies ARE needed.
>
> So, AFAIK Zoom allows
>
>   * meeting invitations to persons I select
>       o along with a password specific to that meeting
>   * a 'waiting room' from which the host may admit to the conference
>     only those persons recognized as properly invited persons.
>   * the host may mute all persons accepted into the meeting
>   * the host may unmute/mute only those he/she chooses.
>   * the host may enable/disable screen sharing for him/her self and any
>     participant
>
> To me this seems to give adequate security for most
> meetings/conferences. What have I missed?
>
> I have been in a score of Zoom meetings in the past several weeks, using
> Firefox as my browser. There have been frequent problems of participants
> unable to unmute themselves, or use their webcam, or share their screen,
> but these have been lack of knowledge, not software problems.
>
> Some meetings have been from my free account with a limit of 40 minutes
> a session, which Zoom has often graciously not enforced.
>
> I find it very satisfactory, though I want to check Discord and
> BigBlueButton.
>
> --
> >> N.B.: Email <> SMS Txt <> voice mail <> Phone Call
> >> You choose the one you want; I choose how my phone treats it.
> >> N.B.2: Please do not confuse, a short, pointed email with an epic novel.
> ====================
> Michael v.E. Rulison
> 3256 LEWIS FARM RD, RALEIGH NC 27607-6723
> ☎ 919 205 9168
>