Over 500,000 Zoom Accounts Sold on the Dark Web and Hacker Forums

[jlc1978]

Take Zoom's retail pricing: $15/month. Nobody is going to pay that when you get Teams with Office 365 with dial-in conferencing for $5+4=$9/month, ignoring the other cloud services that come with it.

The problem with Teams, from my perspective, is the end user expereince is not that good. For example:

1. Teams doesn't integrate with many contact apps so you have to manually enter emails and since it doesn't integrate the groups you setup in a contact app aren't available as shortcuts.
2. It wants you to join MS teams, instead of sending a URL and list of dial in numbers; making it more difficult to do one off meetings
3. It wants you to d/l Teams and some orgs doesn't let you install unauthorized software so they may not be able to join unless the use a browser, except;
4. Some browser, such as Safari, are not supported.
5. I haven't figured out how to create an .ics file so I can email an invite to a last second addition to the call

I have clients whose internet is not that reliable, and the lack of dial in numbers on an invite means I'd have to find them and forward them separately, which means they may or may not have them handy when the meeting starts. In the end, using team si enough of a hassle that it is worth paying for a different solution, even if it costs more.

Zoom is far from perfect and its security issues makes it a no go for many users. Its ease of use, however, makes it a compelling solution for others. I showed a teacher how to use Zoom and had her up and running in 15 minutes on a free account. It meets her needs and she understands the security issues and how to avoid them. The district has Teams, but of course never taught anyone how to use it and so teachers struggle with tyrying to get oit to work, and can't tell parents what to do when something doesn't work as expected.

Will my company dump Zoom? Maybe, but for now it simply works and is reasonably priced.
We arr monitoring the securioty issues and so far have no real problems; if we go more into video conferencing to provide services then we will reassesses to ensure our work is secure when using a service.

[automerge]1586944423[/automerge]

When has Apple have that big a drop recently? I don’t think they had a drop like that even with the FaceTime issues last year (or the year before?).
You 1st wanted a list of companies who ban Zoom, I Gave you it. You said their stock was up, it’s not. Now you give excuse... ok cool, you like them and probably own stock in them.

Apple is fortunate in that issues no one product will bring down the company as they have diverse revenue streams, thus problems such as Antennagate, while impacting the price temporarily, are not seen as threatening the long term viability of the company. Zoom, OTOH, is a one trick pony.

 

[jtaylor673]

Zoom admits calls got 'mistakenly' routed through China

Zoom's security woes are compounding.

www.businessinsider.com

Zoom admits some calls were 'mistakenly' routed through China

The company said it's fixed the issue, but won't say how many users are affected.

techcrunch.com

I have used some for meetings for the last year. (Don't have an account though.)
So, like most apps, one needs to balance their needs for privacy, security, functionality, ease of use, etc.
For example, if you are FBI, CIA, Senator, Congressman, etc., then Zoom is probably not the best choice for your meetings. At least that is what I gather from the above. Routing of info through China is never secure. Even if Zoom 'fixes' the geofencing, these groups just can't take that chance.
However, for most of us, probably not as big a deal.

 

[konqerror]

I showed a teacher how to use Zoom and had her up and running in 15 minutes on a free account. It meets her needs and she understands the security issues and how to avoid them.

No, the problem is people think they know how to add "security", then bored kids and Internet trolls, who are much smarter with technology than the average teacher, administrator, and especially person who needs "help" setting up teleconferences blow holes right through their security.

Everybody says to use waiting rooms. While that lasted a few days because nobody is going to interview 30 kids individually to make sure they're legit, and it doesn't solve the issue of people putting somebody else's name on their account.

Now they're saying to require signed-in accounts, which I envision lasting a few days until trolls realize signing up a free account with a disposable address is trivial. Meanwhile, I spent probably 2 hours so far waiting delayed while people who were uninformed about the new practice signed up their own account. Plus, Billy forgets to sign out his dad's account, so teacher sees "John Doe" instead of "Billy Doe". Going kick Billy out of class for that?

Meanwhile, Teams integrates into LMS, automatically creating classes and restricting entry to exactly who you need. Teams has federation which allows your authentication to come over from other companies you specify.

All these people are trying to find a magic bullet against disruption with no setup at all, and that doesn't exist.

 

[jlc1978]

No, the problem is people think they know how to add "security", then bored kids and Internet trolls, who are much smarter with technology than the average teacher, administrator, and especially person who needs "help" setting up teleconferences blow holes right through their security.

Not really. Once someone understands what to do, and is familiar with how to deal with disruptions they can use Zoom, or Webex or whatever without problems. Quite frankly, with all the accounts out there, security by obscurity iis pretty effective overall.

Everybody says to use waiting rooms. While that lasted a few days because nobody is going to interview 30 kids individually to make sure they're legit, and it doesn't solve the issue of people putting somebody else's name on their account.

Except you don't have to do that; you quickly recognize their login and admit them. As for using someone else
s name, no system will stop a concerted effort to bypass security. Of course, if they use an unsupported browser you don't have the problem of hving to admit them.

Meanwhile, Teams integrates into LMS, automatically creating classes and restricting entry to exactly who you need. Teams has federation which allows your authentication to come over from other companies you specify.

And if they try to use a different account you have the same problem with teams and no easy fix. As for lMS integration, many public schools don't have an LMS; and even if they did don't bother to train teachers how to use it let alone integrate it with Teams.

All these people are trying to find a magic bullet against disruption with no setup at all, and that doesn't exist.

True, no product is perfect. It comes down to balancing security and ease of us; and for many putting up with Team's great big bag of hurt ain't worth it for what little added sense of security you get.

End then end it's about delievring a solution that the users can actually use effectively with a reasonable amoount of security.

 

[konqerror]

Quite frankly, with all the accounts out there, security by obscurity iis pretty effective overall.

False assumption. The attacks we see today are essentially insider attacks. Kids with authorized access use the credentials or give them to somebody else to disrupt the class. Totally different threat model.

Other conferencing apps allow issuance of per-invite credentials, but Zoom does not, thus making leaked credentials untraceable. Further, no other conferencing app allows anybody with a 6 digit PIN to take control of the entire meeting.

Except you don't have to do that; you quickly recognize their login and admit them. As for using someone elses name, no system will stop a concerted effort to bypass security.

Wrong. Kids and other participants don't have login credentials because A) it's not expected to have to sign up, and B) Zoom charges money for them, even today, because the model is credentials entitle you to hold meetings. In the Zoom model, only meeting organizers are expected to have credentials.

This is why students aren't issued Zoom credentials.

The second problem is Zoom has no easy way of separating authenticated in-domain users (name managed via SSO) vs authenticated users with a different domain (including random free accounts). Even determining which users were not signed in (guests) was not possible unless you set an optional checkbox buried literally in 10+ pages of settings.

Now you can lock down meetings so that you must use SSO to join, but now you're back up to the first issue.

And if they try to use a different account you have the same problem with teams and no easy fix.

No, Teams has a fundamentally different model because it was, and still is, built as an IM app. In the Teams model, everybody is expected to have an account, and students are issued accounts as part of their school's suite of services (e-mail, OneDrive, etc.).

 

[jlc1978]

Wrong. Kids and other participants don't have login credentials because A) it's not expected to have to sign up, and B) Zoom charges money for them, even today, because the model is credentials entitle you to hold meetings. In the Zoom model, only meeting organizers are expected to have credentials.

This is why students aren't issued Zoom credentials.

The second problem is Zoom has no easy way of separating authenticated in-domain users (name managed via SSO) vs authenticated users with a different domain (including random free accounts). Even determining which users were not signed in (guests) was not possible unless you set an optional checkbox buried literally in 10+ pages of settings.

Now you can lock down meetings so that you must use SSO to join, but now you're back up to the first issue.

Fair enough. Zoom and other similarly setup apps trade an easier end user experience for less security; which it is why you need to understand the tradeoffs and risks. We use Zoom with clients because it best fits our needs, but we are careful to keep confidential documents and discussions off the platform.

No, Teams has a fundamentally different model because it was, and still is, built as an IM app. In the Teams model, everybody is expected to have an account, and students are issued accounts as part of their school's suite of services (e-mail, OneDrive, etc.).

That's the one of the big problems I have with teams; not all our participants have MS accounts, and we often have one off attendees so getting them to setup an account is a non-starter.

Teams, in my experience, is fine if you have well defined teams where everyone has an MS account. If that is not the case it is a PITA. In the end, each solution needs to be matched to user needs.

 

[I7guy]

False assumption. The attacks we see today are essentially insider attacks. Kids with authorized access use the credentials or give them to somebody else to disrupt the class. Totally different threat model.

Other conferencing apps allow issuance of per-invite credentials, but Zoom does not, thus making leaked credentials untraceable. Further, no other conferencing app allows anybody with a 6 digit PIN to take control of the entire meeting.



Wrong. Kids and other participants don't have login credentials because A) it's not expected to have to sign up, and B) Zoom charges money for them, even today, because the model is credentials entitle you to hold meetings. In the Zoom model, only meeting organizers are expected to have credentials.

This is why students aren't issued Zoom credentials.

The second problem is Zoom has no easy way of separating authenticated in-domain users (name managed via SSO) vs authenticated users with a different domain (including random free accounts). Even determining which users were not signed in (guests) was not possible unless you set an optional checkbox buried literally in 10+ pages of settings.

Now you can lock down meetings so that you must use SSO to join, but now you're back up to the first issue.



No, Teams has a fundamentally different model because it was, and still is, built as an IM app. In the Teams model, everybody is expected to have an account, and students are issued accounts as part of their school's suite of services (e-mail, OneDrive, etc.).

Basically for companies where zoom users use domain sso, there is no security issue for zoom users. If an insider gives an outsider their credential information, it's tough to stop it, and would probably be against company policy for the insider. An insider could also give an outsider the information needed to log in to the domain, so there is that. The option for authentication is not really buried, but like other software one has to know the options and configure the options.

 

[konqerror]

Basically for companies where zoom users use domain sso, there is no security issue for zoom users.

For internal collaboration (ignoring all the unintentional security bugs that have popped up). A problem is collaboration tools need to work across organizations to be effective; that's why Microsoft has federation across it's platform and why schemes like InCommon are important in the education world.

And as I mentioned, this is an issue where your company has a large number of employees that don't need to host meetings, similar to students. Microsoft calls these "frontline workers" and they have solutions for that, but Zoom is firmly stuck in the Silicon Valley belief that only middle-class desk workers exist, or at least are the only ones worth selling stuff to.

 

[I7guy]

For internal collaboration (ignoring all the unintentional security bugs that have popped up). A problem is collaboration tools need to work across organizations to be effective; that's why Microsoft has federation across it's platform and why schemes like InCommon are important in the education world.

And as I mentioned, this is an issue where your company has a large number of employees that don't need to host meetings, similar to students. Microsoft calls these "frontline workers" and they have solutions for that, but Zoom is firmly stuck in the Silicon Valley belief that only middle-class desk workers exist, or at least are the only ones worth selling stuff to.

All well and good, but it (zoom) still works and works well for our needs. (ignoring the hubris of the last couple of days). Personally I've never liked webex. And Teams justs looks like a pain. Can't see how to setup someone (or 300 different someones) to join a meeting that is outside your domain, that may not be affiliated with a domain.

 

[Tech198]

Well, Zoom may be popular and the security breachers should be on top rather than subverted as 'popular app'

For me though.... this is one time i thank myself i have no recorders in the cloud.

How can you keep calling an app 'popular' when it has security breaches BTW? It just means that no-none takes it seriously.

 

[Teach4]

The two sites the article cites to check your email, want money to give you information so of course it tells you that you have been hacked.

 

[Abazigal]

The two sites the article cites to check your email, want money to give you information so of course it tells you that you have been hacked.

Not to mention they basically require you to key in your email addresses, which are sure to be legitimate. It may well be an honest service, but I will still take my chances elsewhere.