vulnerabilities and vectors


On the other hand....
Washington Post said:
Researchers praise Zoom’s quick pledge to fix a slew of security and privacy problems

... “It’s a rare case of a company acknowledging their problems, admitting they made mistakes and misleading statements, and laying out concrete steps to fix it,” Gennie Gebhart, associate director of research at the Electronic Frontier Foundation digital rights group, told me.

Researchers say this kind of response is a refreshing change from previous security and privacy scandals at other companies, including Facebook and Uber, where it's common to see months or years of guarded responses before any meaningful change.

Gebhart warned, however, that Zoom's promise to increase its security and privacy protections will mean little if it doesn’t follow through and ensure those problems are fully fixed over the next several months.

“There’s not much more you can ask, but they need to actually follow through. They’re not out of the woods yet,” she said.

Thanks for these resources. Don't know 'bout you all, but I and just one other in the room, so to speak, are the lone dissenters to those revelling on the bandwagon of Zoom in my workplace... Also, to be honest, I don't quite see that Zoom is so much more elegant than our other platform that I keep hearing in meetings. Frustrating.

Following up on Zoom, Tidbits' Glenn Fleishman has a very detailed article about Zoom security and privacy (Every Zoom Security and Privacy Flaw So Far, and What You Can Do to Protect Yourself) that points out clearly the many flaws in Zoom and how to mitigate most of them. I haven't used Zoom myself, but the grandsons are using it for school, and daughter is teaching using it. I am always wary of any software developed in China, especially when security is involved.

And here's another good one, an extensive analysis of Zoom's security issues via TidBITS:
Some rather non-trivial tidbits, in that piece.
So... how delusional am I being by thinking that an isolated install can be achieved by Zoom's option to install for a single user in the Change Location feature?
(Somehow I want to believe that its install behavior will be localized in the User Library as opposed to system library ... which could be deleted when colleagues come to their senses.)

Ric Ford

On the other hand....
But then on the other hand...
John Gruber said:
TechCrunch: ‘Zoom Admits Some Calls Were Routed Through China by Mistake’
This is really one hell of a “mistake”. It’s China. Considering everything we know about China — human rights violations, untrustworthy track record, unaccountable totalitarian leadership, vast resources, and their technical expertise to act, at scale, on access to potentially sensitive poorly-encrypted video calls — China is quite literally and obviously the last country on the face of the earth where you’d want video calls routed.

I am always wary of any software developed in China, especially when security is involved.
I know a lot of people, including my spouse, who are involved with software development. Unfortunately, companies of every size, from startups to the largest multinationals, all use a globalized development process now. Even if the firm releasing some software is officially based in, say, the US or Canada, it's pretty unusual for a final product to not be touched in some way by developers in countries with governments commonly regarded as hostile to privacy and security.

I don't think this is an easy problem to solve because there are multiple, unrelated causes. For example, the extreme geographic concentration of US tech firms, the widespread use of open source components, and the reliance of most IoT, gadget, and Wi-Fi gear manufacturers on a very small set of firmware and software suppliers all contribute to the widespread presence of code written in, say, Belarus, in our daily lives.

Ric Ford

Here's a discussion of security in collaboration/conferencing software other than Zoom:
ThreatPost said:
Beyond Zoom: How Safe Are Slack and Other Collaboration Apps?
As the coronavirus pandemic continues to worsen, remote-collaboration platforms – now fixtures in many workers’ “new normal” – are facing more scrutiny. Popular video-conferencing app Zoom may currently be in the cybersecurity hot seat, but other collaboration tools, such as Slack, Trello, WebEx and Microsoft Teams, are certainly not immune from cybercriminal attention.

For organizations leaning on these platforms, security should be top of mind. A failure to lock down Slack et al could lead to data breaches, brand damage, malware infestations and more. Researchers say that attackers are hard at work looking for new weaknesses to achieve all of the latter.

It seems to me that the security on the Internet is simply hitting a wall of absurdity.

• professional/commercial video conferencing applications that mimic (co-opt?) malware installation processes, and other, seemingly very loose app protocols
• Adobe and fake Flash installers, resplendently still prominent after all these years
• Google needing to issue weekly (or shorter) security flaw updates for its browsers
• ATT login/captcha protocols that are so secure that it is impossible to actually log in with its own, provided, captcha sequence, in any browser (I would expect Safari might have problems) - not to mention the icing on that cake: the ATT Listen To Code feature actually recites a different code than the one displayed, and entering either one is a faulty credential. Now that's protection.
Is it just me, or does there seem to be some sort of new level of disorder happening?

Regardless of whether this was direct or indirect compromise, should not Zoom have emailed all its clients and even low level registrants of this issue?
Yes, but that almost always takes a fair amount of time to gather and sort through things to make sure what they say is factual and make every attempt to only notify those who were actually compromised, if possible, to let them know exactly what was revealed while not getting unaffected users unnecessarily anxious. There have, of course, been examples of companies that will sit on it for whatever reason and hope it goes away. The folks at Zoom are clearly consumed by all these issues right now, so I think it’s understandable that there may be a delay in [responding to] yet another crisis.

Unbiased security review of Zoom:
Unbiased? I disagree. The writer glossed over Zoom's public reactions to several problems, as comments on that page point out. He didn't at all mention the hidden web server that Zoom's installer deposited on many computers last year, nor some excuses Zoom's CEO has issued which, oddly, fall back upon a combination of "whoops" and "we never expected this much consumer attention." Neither did he mention Zoom's use of Chinese servers.

As one commenter said: "Zoom’s insecurity is rooted in their culture. They’ve been pushing hyper-growth at the expense of security throughout their existence." That fits Zoom's pattern of behavior over the past year far better than these attempts to placate.

The article suggests that Zoom has learned its lessons. I suggest that hasn't been proven yet.

Ric Ford

Half a million Zoom account credentials, less than a penny apiece (or free)...
BleepingComputer said:
Over 500,000 Zoom accounts sold on hacker forums, the dark web
Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.

These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are compiled into lists that are sold to other hackers.

Ric Ford

Beware of these exceedingly nasty and dangerous attacks, here targeting Github users...
BleepingComputer said:
GitHub accounts stolen in ongoing phishing attacks
GitHub users are currently being targeted by a phishing campaign specifically designed to collect and steal their credentials via landing pages mimicking GitHub's login page.

Besides taking over their accounts, the attackers are also immediately downloading the contents of private repositories, including but not limited to "those owned by organization accounts and other collaborators."

"If the attacker successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens or authorize OAuth applications on the account in order to preserve access in the event that the user changes their password," GitHub's Security Incident Response Team (SIRT) says.

Ric Ford

Here are some Intel vulnerabilities affecting NUC computers, servers, etc.
ThreatPost said:
Intel Fixes High-Severity Flaws in NUC, Discontinues Buggy Compute Module
... Meanwhile, a high-severity flaw in Intel’s NUC (CVE-2020-0600) could enable users to access escalated privileges – if they have local access and are authenticated.

... Intel also fixed medium-severity flaws in its PROSet/Wireless Wi-Fi software...
BleepingComputer said:
Intel April Platform Update fixes high severity security issues
... Today's Intel security advisories are listed in the table embedded below, with information on their CVSS range severity rating to help users with patch deployment prioritization.

Ric Ford

For what it's worth, Zoom 5.0 has now been released, with a load of security and privacy improvements, including the facility to opt out of the use of Chinese servers (making that the default would, of course, have been better, but hey-ho). Full details available from their blog...
Meanwhile, Zoom (and other web conferencing) credentials are apparently available for a penny a pop:
ThreatPost said:
Troves of Zoom Credentials Shared on Hacker Forums
Hackers have a new favorite topic of conversation on underground forums: How to obtain – and leverage – valuable credentials for Zoom, Skype, Webex and other web conferencing platforms increasingly used by remote workers.

... Maor’s discoveries are similar to those of other researchers, who have previously found as many as 500,000 credentials being sold (for less than a penny each) by cybercriminals. Beyond the trade-off of credentials, underground forums are also abuzz with discussion around launching credential stuffing attacks, phishing campaigns, DDoS attacks and data exfiltration attacks against remote workers – painting a grim picture for users of web conference platforms who don’t stay up to date with the best security practices.

Meanwhile, Zoom (and other web conferencing) credentials are apparently available for a penny a pop:
This reinforces the need for different credentials for different uses. Always use different passwords for different sites. Using, for example, Facebook login for non-Facebook uses may be convenient but then acts as a master key to your entire digital world with only one disclosure error.
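The BleepingComputer and ThreatPost pieces quoted above both describe the same mechanism: attackers replay username/password pairs from older breaches against Zoom's login, and the pairs that still work get compiled into lists for sale. That activity has a recognisable shape in an authentication log, and the script below is an added example (not code from the thread or from any of the quoted articles) that detects it. It flags a source address that tries many distinct accounts in a short window with a low success rate, which separates stuffing from one user mistyping their password or an office NAT address carrying many correct logins, and then lists the accounts that did succeed from that source so they can be force-reset. The log line format, the thresholds, the sample lines and the example.com addresses are all assumptions constructed for this example.

```python
"""Credential-stuffing detection over authentication log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (not from the thread): one attempt per line,
#   <ISO-8601 UTC time> ip=<source address> user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)\s*$"
)


def parse_line(line):
    """Parse one line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "ip": m["ip"], "user": m["user"].lower(), "ok": m["result"] == "OK"}


def parse_auth_log(lines):
    """Parse every recognisable line, silently skipping anything else."""
    return [e for e in map(parse_line, lines) if e is not None]


def detect_stuffing(events, window_s=600, min_distinct_users=10, max_success_rate=0.25):
    """Flag source IPs that, within some window_s-second window, try at least
    min_distinct_users different accounts with a success rate at or below
    max_success_rate. One user failing repeatedly has distinct_users == 1 and
    is never flagged; a NAT gateway carrying correct logins has a high success
    rate and is not flagged either. Returns
    {ip: {"distinct_users": n, "attempts": m, "successes": k}} for the largest
    qualifying window seen per IP."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            successes = sum(1 for e in window if e["ok"])
            if len(users) >= min_distinct_users and successes / len(window) <= max_success_rate:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(window), "successes": successes}
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that authenticated successfully from a flagged source: these are
    the 'successful logins compiled into lists' and need a forced reset."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged})


# Constructed sample: one source replays 12 leaked pairs (2 still work), a
# legitimate user mistypes twice, and an office NAT address carries three
# correct logins. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    f"2020-04-13T08:00:{i:02d}Z ip=203.0.113.5 user=user{i}@example.com "
    f"result={'OK' if i in (3, 9) else 'FAIL'}"
    for i in range(12)
] + [
    "2020-04-13T08:00:05Z ip=198.51.100.7 user=alice@example.com result=FAIL",
    "2020-04-13T08:00:20Z ip=198.51.100.7 user=alice@example.com result=FAIL",
    "2020-04-13T08:00:41Z ip=198.51.100.7 user=alice@example.com result=OK",
    "2020-04-13T08:01:00Z ip=192.0.2.10 user=bob@example.com result=OK",
    "2020-04-13T08:01:10Z ip=192.0.2.10 user=carol@example.com result=OK",
    "2020-04-13T08:01:20Z ip=192.0.2.10 user=dave@example.com result=OK",
    "this line is not an auth record and is skipped",
]

if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    flagged = detect_stuffing(events)
    for ip, stats in flagged.items():
        print(f"{ip}: {stats['distinct_users']} accounts in {stats['attempts']} attempts, "
              f"{stats['successes']} succeeded")
    print("force password reset for:", compromised_accounts(events, flagged))
```

The thresholds are deliberately conservative so that a shared office address is not blocked; in practice they are tuned per service, and a flagged source is a reason to rate-limit and to reset the accounts that succeeded, not only to block the IP, because the working pairs are what gets resold.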

Ric Ford

Here's a newly announced Thunderbolt vulnerability, called "Thunderspy":
Björn Ruytenberg said:
All Apple Macs released from 2011 onward, except for Retina MacBooks, provide Thunderbolt connectivity and are therefore vulnerable to Thunderspy. You may wish to learn more about Thunderbolt-equipped Macs on Apple's website. For more information on Apple's position regarding Thunderspy, please refer to why has Apple not fixed Thunderspy.

If you are running MacOS, your system is partially affected by Thunderspy. For recommendations on how to help protect your system, please refer to protections against Thunderspy.

Windows and Linux (Boot Camp)
Running Windows or Linux using the Boot Camp utility disables all Thunderbolt security. Therefore, your system is trivially affected by Thunderspy.
Bleeping Computer said:
New Thunderbolt security flaws affect systems shipped before 2019
Attackers who gain physical access to Windows, Linux, or macOS devices can access and steal data from their hard drives by exploiting 7 vulnerabilities found in Intel's Thunderbolt hardware interface and collectively known as Thunderspy.
Wired said:
Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking
... A collection of flaws in Thunderbolt components known as Thunderclap revealed by a group of researchers last year, for instance, showed that plugging a malicious device into a computer's Thunderbolt port can quickly bypass all of its security measures.

... "Intel created a fortress around this," says Tanja Lange, a cryptography professor at the Eindhoven University of Technology and Ruytenberg's adviser on the Thunderspy research. "Björn has gotten through all their barriers."

Here's a newly announced Thunderbolt vulnerability, called "Thunderspy"...
All three of those links you provided do a poor job of explaining exactly how vulnerable Macs are to the Thunderspy group of exploits (and Bleeping Computer just outright gets it wrong).

The truth is, if you have a Mac running macOS, there doesn't seem to be much exposure. If you read the actual vulnerability report, and go to Section 2.2.2 (and Table 2), you'll see that most of the vulnerabilities do not affect macOS, and the remaining two that do are much reduced in effect.

The one thing to note is that if you have your Mac booted into Windows or Linux, Apple set the Security Level on Thunderbolt to "none", making it vulnerable to most exploits (Section 2.1.7). You should not run Windows or Linux on your Mac as a regular matter, of course.

This AppleInsider article gives more insight on the limited impact on Macs by the Thunderbolt vulnerability. First of all, the attacker must have physical access to your computer and actually open it to make the computer vulnerable:
The process involves unscrewing the backplate of the laptop, interfacing with the Thunderbolt controller with a single-board computer, rewriting the controller firmware and disabling security features.
In practical terms, attackers won't be able to disable the macOS lock screen or perform other attacks like they could if they had physical access to the device, as long as a user is running macOS instead of Windows or Linux via Boot Camp. Macs running Windows or Linux on Boot Camp, however, are just as vulnerable as other PCs.

If you read the actual vulnerability report, and go to Section 2.2.2 (and Table 2), you'll see that most of the vulnerabilities do not affect macOS, and the remaining two that do are much reduced in effect.
Furthermore, if you read through the details of the exploits, every one of them requires the attacker to open your computer's case in order to program an SPI-attached flash memory device (the "DROM").

In other words, you can protect yourself by simply exercising common sense and never leaving your computer unattended. When in a hotel room, don't leave it out when you leave the room - lock it in the room's safe when you leave the room. (I realize that some large laptops may be too big to fit in some safes - this is one reason I love traveling with my 11" MacBook Air.) I've been doing this for over 20 years, out of concern that someone might steal my computer, but it will also protect you against any kind of attack like this that requires physical access to the computer.

Additionally, it appears that the computer must be powered on (but can be asleep) for the exploit to work. So power it off before leaving it in your hotel room, whether or not you can lock it in the safe. It won't prevent an attacker from installing a compromised DROM, but he won't be able to exfiltrate data if the drive is encrypted (and if it isn't, there's no need for this elaborate exploit).

If you need to be extra-cautious (e.g. you've got sensitive data), you might want to get a roll of tamper-evident security seals. Put one or two across the seams of your computer's case. If you return to your hotel room and find that the seal indicates tampering, then it is safe to assume that someone attempted to open it, and you should take steps to see if your DROM has been compromised. (Of course, if you need to open the computer, it will also trigger the label, but you can always apply new ones afterward.)

Also, don't turn your back on it in a public place either. I doubt anybody's going to pull out a toolkit and start hacking into your hardware while your back is turned, but they could just steal the computer during that time, which isn't any better.
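The posts above turn on one setting, the Thunderbolt Security Level, which Section 2.1.7 of the paper says Apple leaves at "none" under Boot Camp. On Linux (including a Mac booted into Linux) the kernel's thunderbolt driver exposes that level and the authorization state of every attached device under /sys/bus/thunderbolt/devices, so the state the thread describes can be read directly rather than inferred. The script below is an added example, not code from the thread or from the Thunderspy researchers. It reads domainN/security (none, user, secure, dponly, usbonly or nopcie) and each device directory's authorized, vendor_name, device_name and unique_id attributes, and reports a controller left at "none", a device attached under that level, or a device under "secure" that was authorized without the key challenge. The wording of the findings and the make_fake_sysfs helper (a throwaway directory imitating the sysfs layout, with made-up vendor and device names, so the script can be exercised without hardware) are this example's own. Caveat: the script reports the level the controller advertises to the OS and cannot verify the controller firmware itself, so it is a configuration baseline check, not a Thunderspy detector; macOS does not expose these files, where the equivalent view is the Thunderbolt section of System Information.

```python
"""Thunderbolt Security Level audit over Linux sysfs (added example)."""
import re
import sys
import tempfile
from pathlib import Path

SYSFS = "/sys/bus/thunderbolt/devices"
DEVICE_DIR = re.compile(r"^\d+-\d+$")   # "0-1", "1-2", ...; "N-0" is the host router itself
# Meaning of each domainN/security value, per the kernel's thunderbolt admin guide.
LEVELS = {
    "none":    "any device gets PCIe (DMA) access as soon as it is plugged in",
    "user":    "the OS must authorize each device (authorized=1)",
    "secure":  "authorization plus a per-device key challenge (authorized=2)",
    "dponly":  "only DisplayPort tunnels, no PCIe",
    "usbonly": "only USB and DisplayPort tunnels, no PCIe",
    "nopcie":  "PCIe tunnelling disabled in firmware",
}


def _read(path, default=""):
    """Read one sysfs attribute, returning default if it is absent or unreadable."""
    try:
        return Path(path).read_text().strip()
    except OSError:
        return default


def audit_thunderbolt(root=SYSFS):
    """Return {"domains": {name: level}, "devices": [...], "findings": [...]}."""
    root = Path(root)
    report = {"domains": {}, "devices": [], "findings": []}
    if not root.is_dir():
        report["findings"].append(f"{root}: no Thunderbolt bus (no controller, or driver not loaded)")
        return report
    for entry in sorted(p for p in root.iterdir() if p.name.startswith("domain")):
        level = _read(entry / "security", "unknown")
        report["domains"][entry.name] = level
        if level == "none":
            report["findings"].append(f"{entry.name}: security level 'none': {LEVELS['none']}")
        elif level not in LEVELS:
            report["findings"].append(f"{entry.name}: unrecognised security level {level!r}")
    for entry in sorted(p for p in root.iterdir() if DEVICE_DIR.match(p.name)):
        if entry.name.endswith("-0"):
            continue                      # host router, not an attached device
        level = report["domains"].get("domain" + entry.name.split("-")[0], "unknown")
        dev = {
            "id": entry.name,
            "vendor": _read(entry / "vendor_name"),
            "device": _read(entry / "device_name"),
            "unique_id": _read(entry / "unique_id"),
            "authorized": int(_read(entry / "authorized", "0") or 0),
            "level": level,
        }
        report["devices"].append(dev)
        label = f"{dev['id']} ({dev['vendor']} {dev['device']})"
        if level == "none":
            report["findings"].append(f"{label}: connected with no authorization step")
        elif level == "secure" and dev["authorized"] == 1:
            report["findings"].append(f"{label}: authorized without the key challenge")
    return report


def make_fake_sysfs(level, devices):
    """Build a temporary directory imitating the sysfs layout (constructed test
    data, not a real bus). devices is a list of (vendor, name, authorized)."""
    root = Path(tempfile.mkdtemp(prefix="tb-"))
    (root / "domain0").mkdir()
    (root / "domain0" / "security").write_text(level + "\n")
    (root / "0-0").mkdir()                # host router
    for i, (vendor, name, authorized) in enumerate(devices, start=1):
        d = root / f"0-{i}"
        d.mkdir()
        (d / "vendor_name").write_text(vendor + "\n")
        (d / "device_name").write_text(name + "\n")
        (d / "unique_id").write_text(f"00000000-0000-0000-0000-0000000000{i:02d}\n")
        (d / "authorized").write_text(f"{authorized}\n")
    return str(root)


if __name__ == "__main__":
    # Run against the live bus, or against a path given on the command line.
    rep = audit_thunderbolt(sys.argv[1] if len(sys.argv) > 1 else SYSFS)
    for name, level in rep["domains"].items():
        print(f"{name}: {level} ({LEVELS.get(level, '?')})")
    for d in rep["devices"]:
        print(f"  {d['id']} {d['vendor']} {d['device']} authorized={d['authorized']}")
    for f in rep["findings"]:
        print("FINDING:", f)
```

Running it on a Boot Camp Linux install is the quickest way to confirm the "none" level the paper describes; the level itself is set by firmware, so the fix is in the machine's Thunderbolt firmware settings rather than anything this script can change.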
