Zoom Boosts Security With Pick-Your-Route Feature

Zoom’s paying customers will be able to choose the region they want to use for their virtual meetings, the company announced Monday.

Starting Saturday, paying customers can opt in or out of a specific data center region, although they won’t be able to change their default region, which for most customers is the United States.

Zoom has data centers in the U.S., Canada, Europe, India, Australia, China, Latin America, and Japan/Hong Kong.

The move comes after the University of Toronto’s Citizen Lab earlier this month released a report that found Zoom generated encryption keys on servers in China, even though all the people on a call were located outside of the country.

Although free service users won’t have the opt-in or -out options of paying customers, Zoom said it would not route data of any users located outside of China through the country.

Avoiding Unsafe Servers
“The data routing changes are a positive,” observed Colin Bastable, CEO of Lucy Security, a security awareness and training company located in Zug, Switzerland.

“All those free users should be happy that no data is routed through China, and paid users will be happy with the choices being offered,” he told TechNewsWorld.

Allowing customized routing will appeal to some companies that must meet compliance requirements for their industries.

“There are certain government and cybersecurity standards that require traffic remain within the U.S.,” explained James McQuiggan, security awareness advocate at KnowBe4, a security awareness training provider located in Clearwater, Florida.

“For organizations who do not wish to accept the risk of traffic leaving the U.S., this will mitigate and resolve that risk,” he told TechNewsWorld.

Managing a call path lets a meeting planner avoid potentially unsafe servers, said Justin Kezer, managing consultant at nVisium, a Falls Church, Virginia.-based application security provider.

“That limits the risk of someone listening to an active call through a missing application security feature, like a lack of password and access controls, or siphoning the data directly from a vulnerable server,” he told TechNewsWorld.

However, customized routing doesn’t address another flaw Citizen Lab found with Zoom, noted Charles Ragland, security engineer at San Francisco-based Digital Shadows, a provider of digital risk protection solutions.

“This does not mitigate the risk posed by the lack of true end-to-end encryption or weak encryption that was discovered by Citizen Lab,” he told TechNewsWorld.

Passwords for Sale
Zoom’s popularity skyrocketed with the spread of the COVID-19 virus and resulting increase of home workers. It appears its newfound popularity attracted more attention from hackers.

Information on more than 500,000 Zoom accounts has shown up for sale on the Dark Web and in hacker forums, priced at a penny for each, or less, Bleeping Computer reported Monday.

The data was compiled through credential stuffing attacks. Logins from prior data breaches were tried on Zoom, and the ones that worked were bundled together and sold to other hackers, BC explained.

“Criminals will always seize an opportunity to raise their profile or stay relevant. This would be more of the same,” Digital Shadows’ Ragland observed.

“Zoom is the current focus of the security industry, and plenty of in-depth discussions have been done around it, making it a prime target for criminals,” he explained.

“There are billions of credentials being hawked on the Dark Web — 500,000 makes no difference,” said Lucy Security’s Bastable. “Of course, the danger is that users are using the same passwords for other logins, which we know they do.”

The sale of the Zoom accounts on the Dark Web demonstrates how bad password hygiene is, observed Joseph Carson, chief security scientist at Thycotic, a Washington D.C.-based provider of privileged account management solutions.

“Once someone is of age and able to connect to the Internet, they should be educated on how to use a password manager — or, to be honest, it should be the default settings in our browsers,” he told TechNewsWorld.

The sale of the Zoom accounts “raises questions for some solutions on whether or not users should even be allowed to choose their own passwords,” Carson said.

Security-Minded Management
Although Zoom has found itself under the security magnifying glass, it hasn’t dropped the ball, maintained nVisium’s Kezer.

“Zoom is doing an excellent job reacting to the security issues. However, like most companies, proactive security measures and testing would have prevented these issues,” he said.

“They are quick to accept the vulnerability and promptly issue a patch — that is the most we can ask of any company,” Kezer continued. “Frankly, I am impressed that they have put all their development efforts towards security. That is a sign of a solid security-minded management team. They are now being proactive.”

Despite those security efforts, there are signs of anxiety in the Zoom community.

Twelve percent of the 4,000 professionals who responded to a recent survey had stopped using Zoom, including 100 percent of Tesla professionals. Blind, an anonymous workplace network of professionals based in San Francisco, released the results last week.

More than a third of the professionals surveyed (35.2 percent) said they were worried their information may have been compromised.

“Although Zoom had great intentions, they were attempting to accommodate the workforce during a pandemic quickly,” wrote Fiorella Riccobono, author at Blind Workplace Insights. “That rapid growth left the platform’s vulnerabilities exposed.”

Yet some companies are comfortable with Zoom.

“As a security company, we use Zoom every day,” said Ameesh Divatia, CEO of Baffle, a data protection company in San Francisco.

“We’re comfortable with it because we make sure that our users are educated about how to set up meetings and make sure they know who is participating,” he told TechNewsWorld.

One feature Baffle doesn’t use is passwords for meeting participants. It uses the “waiting room” feature. Meeting participants remain in a virtual waiting room until the meeting organizer clears them. That way the organizer need not worry about a participant’s password being compromised and an unwanted party crashing the meeting.

That feature has its problems, too.

“During our analysis, we also identified a security issue with Zoom’s Waiting Room feature,” states the Citizen Lab report on Zoom. “Assessing that the issue presented a risk to users, we have initiated a responsible vulnerability disclosure process with Zoom. We are not currently providing public information about the issue to prevent it from being abused. We intend to publish details of the vulnerability once Zoom has had a chance to address the issue.”

Written by