Zoom can’t seem to catch a break. The latest bad press for the videoconference service is about reused username/password pairs. It seems hackers have discovered half a million compromised, reused credentials matching Zoom accounts.
This comes hot on the heels of recent previous “scandals”—selling PII to Facebook, being a conduit for malware, using a secret pseudo sudo, lying about using E2EE, and routing calls through China. Yikes.
But is this merely a pile-on situation? In this week’s Security Blogwatch, we examine the case for the defense.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: lockdown penguins.
Stop enabling credential reuse
What’s the craic? Lawrence Abrams reports—Over 500,000 Zoom accounts sold on hacker forums, the dark web:
These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.
…
The [lists] include a victim's email address, password, personal meeting URL, and their HostKey [a PIN used to claim host control in a meeting]. … In a statement … Zoom stated:
…
"It is common for web services that serve consumers to be targeted by this type of activity. … We have already hired multiple intelligence firms to find these password dumps and the tools used to create them. … We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords.”
And Lee Mathews adds—500,000 Hacked Zoom Accounts Given Away For Free:
New users have flocked to the Zoom video conferencing platform as … organizations look for ways to meet safely during the Coronavirus pandemic. Unfortunately many of those brand new accounts appear to have been secured with old passwords.
…
It’s likely that most — if not all — of the half-million-plus passwords on offer are old. They might be new to the Zoom accounts in question but may well have been used elsewhere by the same individuals.
…
Password re-use remains a huge security issue. … Fatigued users feel like they can’t remember yet another password so they set up new accounts using an old stand-by.
But what was Zoom supposed to do? Heed the advice of PureParadigm:
According to NIST's memorized secret (aka password) guidelines: “When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.”
If Zoom had enforced that passwords can't be from a list of already compromised passwords … this attack wouldn't have been nearly as successful. This is just what happens when you don't have a decent security policy.
…
For example, in my programs I check passwords against the API provided by haveibeenpwned.com. … More context from the guidance: “If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.”
Seems a bit mealy-mouthed? Way Smarter Than You puts it more swearily:
This was not rocket science. … 99% of users can barely follow Corporate IT instructions to install an app or start it up … and frankly it is not the job of the average user to have to know this stuff.
It is the year ****ing 2020 already. … We know this has to be done, so why the **** are [they not]?
…
It is ****ing mind boggling this is even still a thing today. … ****ing ridiculous.
Is it time for a “get off my lawn” outburst? MrNigel has a “WTF?” moment:
As someone who first started video calling/conferencing when it was in B&W running over a private wire (or ISDN 2B+D) … I am wondering how Zoom has suddenly become a [verb] in the same manner as Google and Hoover. … I can only guess it is from social notworking video calling users who have been forced to use video conferencing for WFH reasons for the first time in their short working lives.
…
And watching Microsoft trying to turn Teams into a consumer product is not a pretty sight. … I am currently working on a contract with a project team from India, UAE, Europe and USA and have daily Teams conf calls with 10-50 users. The only video we need is the mandatory PowerPoint and Excel screen sharing.
…
Never mind, the world will return to a new normal next year when Zoom usage will go the same way as hand sanitizer and facemask sales and social VC users go back to TikTok and Snapchat on their mobile as they return to physical schooling.
Wait. Pause. Is Zoom merely the target du jour? Here’s Twirrim:
This feels like ridiculous piling onto Zoom. This comes down to the same old password reuse issue.
You could almost certainly replace any other service provider with Zoom in that article and not reduce its accuracy. Pounds for pennies, other services have hundreds of thousands of accounts being sold courtesy of credential stuffing.
And TXJD sees the SNAFU:
While researchers have found 500K Zoom accounts, in reality what they found is credentials for many different services where users use the same userid/password combo. So Zoom was never hacked but rather since these 500K users use the same credentials for Zoom as other services, the credentials can be used.
In other words they went searching for Zoom accounts. Now, it would be interesting to see what other services they have userid/password combos for, but are not as popular at the moment with COVID-19.
Perhaps Matt Hanson is also piling on? Zoom finally gets a much-needed security feature – but there’s a catch:
Zoom … will finally introduce an important security feature that many users have been asking for – the ability to choose what countries their virtual meetings are routed through. While this is welcome news … there is a fairly major catch, as only Zoom users who pay a subscription will be able to use the feature.
…
Previously, Zoom came under a lot of criticism when it emerged that its calls are … being routed through countries – such as China – that could demand access to calls going through Zoom servers based in the country. [But] people using the free version will not be able to choose which countries their calls are going through. … Users of the free version of Zoom may feel disappointed to be left out.
Meanwhile, noisejoy has this interesting thought:
The top dog usually gets the most scrutiny. And so they should. I’d be more worried if that wasn’t the case.
The moral of the story?
Are you checking credentials against lists of common passwords and compromised accounts?
And finally
Bored Penguins Endure Lockdown
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: PDPics (Pixabay)
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
