Zeroing in on Zoom’s Threat to Financial Services – Traders Magazine

Ray Hillen, Managing Director of Cybersecurity at Agio

COVID-19 has induced a significant shift in the way we work. Remote is the new reality. As large swathes of the financial services economy acclimate to working from home, its workers are finding new methods for cross-enterprise communication.

For many, Zoom has been the answer to staying connected in the workplace. The video conferencing tool's growth has exploded since virtual meetups became the new norm, with many organizations embracing the platform to exchange sensitive data, discuss proprietary information and conduct high-stakes business negotiations.

The app's customer base surged from 10 million users pre-outbreak to 200 million, including 600,000 new clients onboarded on March 15 alone, the same day social distancing orders were first put in place across the country. The US government stands out here, having signed enterprise contracts with Zoom valued at $1.3m as part of its pandemic response.

There may be, however, a tremendous cost to Zoom's convenience.

Simply put, the widespread adoption of Zoom amid a global pandemic might be the security vulnerability of the decade. In fact, any financial services organization using the service should immediately assume its user credentials are under malicious parties' control. In recent weeks, New York Attorney General Letitia James has probed Zoom's data security strategy, and whether the company's security protections can keep up with the spike in users. It is also our understanding that the FBI, among other federal government agencies, has prohibited the use of Zoom and WebEx due to security concerns.

At Agio, we have discontinued the use of Zoom. This piece explains why the platform's use poses a significant risk to organizations and what actions leaders should take to mitigate that risk.

Privacy Policy

Zoom has already set a precedent for lax privacy and security. Until recently, the platform created a local web server on users' devices allowing it to turn on the device's camera. This server was not mentioned in any official documentation, and the Electronic Privacy Information Center filed an FTC complaint against Zoom, alleging intent to bypass browser security settings without the knowledge or consent of the user. This, in turn, introduced risks including remote surveillance, unwanted video calls, and denial-of-service attacks. Arvind Narayanan, associate professor of computer science at Princeton University and digital privacy expert, has even referred to Zoom as malware.

The platform's privacy policy is another cause for concern. While it claims not to sell user data for money, this does not preclude sharing information with third parties such as Google or Facebook for targeted advertising or other undisclosed business purposes. Although that exchange takes place, it is not bound by any privacy agreement. The process for rejecting data collection is also notoriously complicated, with experts reporting that users must opt out of more than 85 separate cookies.

Encryption

Another area of concern is Zoom's claims around its encryption capabilities. After initially stating that its platform used end-to-end encryption to protect virtual meetings, the firm recently admitted in a blog post that this was not the case. Instead, calls are encrypted using transport layer security (TLS), which is less secure because it protects traffic only between each client and Zoom's servers rather than end to end. The company also claims that audio and video meeting data is protected by 256-bit Advanced Encryption Standard (AES) keys. Several sources, however, have revealed that the keys are actually 128-bit. They are also run in electronic code book (ECB) mode, which leaks patterns in the underlying data because identical plaintext blocks always produce identical ciphertext blocks. This runs counter to the professional recommendation that the keys be used in Segmented Integer Counter or f8 mode. Crucially, Zoom's lack of end-to-end encryption extends to its Company Directory, opening the door to thousands of email addresses and photos being leaked to strangers. With this information, a bad actor can conduct Zoom video calls with the owners of those emails.
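To make the ECB point concrete, here is an added example (not from this article, and not Zoom's code) that encrypts a constructed "video frame" with a repeated background region in ECB mode and in counter mode, then counts repeated ciphertext blocks. It substitutes a keyed-hash stand-in for AES-128 so it runs with the Python standard library alone; the block-mode logic is the part that matters.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128: a keyed pseudorandom function truncated to one block.
    Constructed for this example only; it is NOT AES and is not invertible, but it
    is enough to show which ciphertext patterns each mode of operation produces."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Electronic code book: every block is encrypted independently, so equal
    plaintext blocks yield equal ciphertext blocks."""
    assert len(plaintext) % BLOCK == 0
    return b"".join(block_encrypt(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))

def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Counter mode (the SRTP 'Segmented Integer Counter' family): encrypt
    nonce || block index to get a keystream block, then XOR it into the data.
    Each block sees a different keystream, so repeats in the plaintext vanish."""
    assert len(nonce) == BLOCK - 4
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(4, "big"))
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + BLOCK], keystream))
    return bytes(out)

def duplicate_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that repeat an earlier block (0 is the goal)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

# Constructed sample frame: flat background, one distinct block, flat background.
FRAME = b"A" * BLOCK * 6 + b"edge-of-object!!" + b"A" * BLOCK * 6
KEY = b"k" * 16    # constructed fixed key so the result is reproducible
NONCE = b"n" * 12  # constructed fixed nonce (12 bytes + 4-byte counter)

if __name__ == "__main__":
    print("ECB repeated blocks:", duplicate_blocks(ecb_encrypt(KEY, FRAME)))
    print("CTR repeated blocks:", duplicate_blocks(ctr_encrypt(KEY, NONCE, FRAME)))
```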

Zoom now states that it has implemented robust and validated internal controls to prevent unauthorized access to any content users share during meetings, and that an on-premises solution exists today to give users direct control of the key management process. To date, however, Zoom has not addressed criticisms of its encryption key length, the mode discrepancies or its lack of true end-to-end encryption.

An added vulnerability, which is particularly prevalent on Windows operating systems, is Zoom's conversion of universal naming convention (UNC) paths into clickable hyperlinks. If a meeting participant is duped into clicking on one of these links pasted into Zoom's chat section, Windows can unknowingly send the computer's username and password hash to a bad actor's server. After recovering the password from that hash with password-cracking software, the bad actor can then breach users by joining calls as an uninvited guest (Zoombombing); accessing the user's desktop remotely; browsing through any shared network folders; breaching local network devices; and conducting SMB relay attacks (where the attacker can alter communications being exchanged between two other parties).
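A simple defensive check for the UNC-path problem, added here as an example that is not part of the article: a scanner that flags UNC paths in chat text before it is rendered as links, and a filter that rewrites them so a client will not linkify them. The chat lines and hostnames are constructed for the example.

```python
import re

# A UNC path: two backslashes, a host, then one or more backslash-separated
# segments containing no whitespace or backslashes (e.g. \\host\share\file.txt).
UNC_PATH_RE = re.compile(r"\\\\[^\\\s]+(?:\\[^\\\s]+)+")

def find_unc_paths(text: str) -> list:
    """Return every UNC path found in one chat message."""
    return UNC_PATH_RE.findall(text)

def neutralize_unc_paths(text: str) -> str:
    """Rewrite UNC paths so they are still readable but no longer linkifiable:
    backslashes become forward slashes and the path is wrapped in a marker."""
    return UNC_PATH_RE.sub(
        lambda m: "[blocked UNC path: " + m.group(0).replace("\\", "/") + "]", text)

def scan_chat(lines):
    """Return (line_index, [paths]) for each chat line that carries a UNC path,
    which is what a monitoring hook would log or alert on."""
    hits = []
    for i, line in enumerate(lines):
        paths = find_unc_paths(line)
        if paths:
            hits.append((i, paths))
    return hits

# Constructed sample chat transcript; .invalid hosts never resolve.
SAMPLE_CHAT = [
    "Agenda for today is in the shared folder.",
    "Quick, open \\\\files.example.invalid\\q2\\deck.pptx before the call",
    "Also see https://intranet.example.invalid/minutes",
]

if __name__ == "__main__":
    for idx, paths in scan_chat(SAMPLE_CHAT):
        print(f"line {idx}: UNC path(s) {paths}")
        print("  rewritten:", neutralize_unc_paths(SAMPLE_CHAT[idx]))
```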

Server Hosting

A geopolitical dimension to our concerns around Zoom is the company's ties to China. The AES 128-bit keys used to encrypt Zoom meetings come from the company's cloud infrastructure, which consists of servers situated all around the world, including China. Servers in China may be engaged even when all of a virtual meeting's participants are domiciled outside the country.

Zoom's recent filing with the SEC reveals that the company owns three China-based subsidiaries employing more than 700 R&D employees to create Zoom's app. Keep in mind that more than 80% of Zoom's revenue comes from North America. An application used by financial services businesses to exchange high-value information, especially one with limited security, is a ripe target for nation-state attackers conducting electronic espionage.

Against the backdrop of a trade war and claims that 5G equipment manufactured by Chinese telecom companies might threaten US national security, one should consider whether Zoom could be pressured, or legally obligated, to share servers or encryption keys with Chinese authorities on request, and what the state would do with that information. Compared with other technology companies, Zoom has provided little information about how many government requests for data it receives, or whether it complies with them.

Conclusion

So, what protective, retroactive steps can an organization take to secure itself, and its devices, when conducting virtual meetings? Here are some suggestions:

If an organization opts to use Zoom, the consequences can range from breached employee privacy and corporate sabotage to reputational damage and theft of intellectual property. Regardless of Zoom's retroactive measures, which allegedly include new patch fixes, enhanced bug bounty programs and third-party security expert review, this platform is not fit for commercial use.

In Zoom's case, the convenience is simply not worth the cost.

The views represented in this commentary are those of its author and do not reflect the opinion of Traders Magazine, Markets Media Group or its staff. Traders Magazine welcomes reader feedback on this column and on all issues relevant to the institutional trading community.
