#AxisOfEasy 140: Let’s Make This Simple: Zoom is Malware

Weekly Axis Of Easy #140


Last Week’s Quote was “If you are going through hell, keep going.” by Winston Churchill. The winner was Tim Hillson.

This Week’s Quote: “The final outcome of credit expansion is general impoverishment” …by ????

THE RULES: No searching up the answer; it must be posted to the blog.

The Prize:   First person to post the correct answer gets their next domain or hosting renewal on us.


We are so close to launching AxisOfEasy.com that by the time you receive this edition we may actually be publishing it there.


Listen to the podcast here:

#AxisOfEasy 140: Let’s Make This Simple: Zoom is Malware from Mark Jeftovic on Vimeo.


  • Big Tech jumping into red hot Coronavirus surveillance market 
  • Let’s Make This Simple: Zoom is Malware
  • A caution to governments about cell phone tracking during pandemic
  • Hacker finds seven 0-day exploits in iPhone camera
  • Facebook tried to use NSO spyware to surveil users
  • VPNs *SITES* are notorious for tracking your browsing habits
  • Update on the easyDNS Fold@Home team
  • A Warm Welcome to our new ArcticNames clients
  • The Jackpot Chronicles Scenario 1: Force Majeure 
  • Russian telco hijacks the internet

Big Tech jumping into red hot Coronavirus surveillance market 

There’s an old cliché that the Chinese sinograph for “crisis” is the characters for “danger” and “opportunity” combined.  That’s actually a myth, btw, but it doesn’t change the reality that in every crisis there are always a few big winners and then a lot of big losers.

Similarly, politicians like to say, “Never let a good crisis go to waste”, a sentiment followed by Big Tech, especially the ones in the surveillance business.

Peter Thiel’s secretive, privately held Palantir (written about previously in #AxisOfEasy 46) is now furnishing the US CDC with Coronavirus tracking data.  Palantir has developed an app that CDC officials started using to tell them where Coronavirus is spreading the most and how hospitals in those areas are dealing with the load.

Google is also in on the trend. They are now releasing Community Mobility Reports for each country and region, which break down the aggregated movement patterns of the populations there.  For example, I downloaded the report for Canada, which tells me that overall, visits to retail and recreation are down -59%, grocery and pharmacy -35%, parks only -16%, movement to workplaces -44%, and that people are (quizzically) staying home only +14% more.

How does Google know?  Because people carry a Google tracking beacon with them wherever they go, they’re called Android phones (the Apple tracking beacons are called “iPhones”).

Among the other Big Tech companies piling into Corona snooping are Oracle and Amazon.  Recall in last week’s #AoE we reported on how Toronto was working with the big telcos to monitor cell phones as part of an effort to measure social distancing edicts.

Read:  https://www.google.com/covid19/mobility/

A caution to governments about cell phone tracking during pandemic

This one didn’t get published in time for last week’s edition where we discussed government initiatives to track mobile devices to monitor social distancing compliance.

The Internet Society Canada Chapter published a report on the privacy implications of doing that.  While recognizing the exigencies a global pandemic presents, and acknowledging that it forces governments into the unenviable task of choosing between citizen privacy and public health, the article lays out 5 recommendations to governments for navigating this dilemma.

I am a director of the ISCC, but I didn’t write this piece; Phillip Palmer did.

Let’s Make This Simple: Zoom is Malware

We’ve covered Zoom in these pages before.  Back in #AxisOfEasy 104 it turned out that the Zoom installer was installing mini-web servers on your computer, and it wasn’t even taking them off when you uninstalled Zoom, leaving your device open to all manner of vulnerability.  It took Apple acting on its own to push out an unscheduled update to fix Zoom’s problem before they got to it.

Last week we outlined how Zoom was sending telemetry data about you to Facebook, even if you don’t have a Facebook account.

In the intervening week, all sorts of data points and news items came out about the (lack of) privacy issues with Zoom:

  • On April 1st, a (former NSA) hacker released two new Zoom 0-days that let an attacker with local access to a Zoom session take over the software and install malware.
  • The next day Krebs on Security reported on the fast-spreading “Zoom Bombing” phenomenon, where pranksters and miscreants were war-dialing Zoom rooms, looking for ones without password protection and crashing the meetings, hurling insults and profanities at the participants.
  • It gets worse: Zoom Bombing has become a thing now, so the perpetrators are recording videos of their antics and releasing them on TikTok and who knows where else.
  • On the very next day (the cat came back….) it emerged that, because of the naming scheme Zoom uses for the files of video recordings participants make of their sessions, those recordings were easy to find and access on the web.
  • Toronto’s Citizen Lab reverse engineered the Zoom client and found that Zoom had “rolled their own encryption scheme” and that it’s pretty lousy encryption. Their report is here.
  • Arvind Narayanan, a professor of Computer Science at Princeton, distilled it down thusly: “Let’s make this simple: Zoom is Malware”

All of which has culminated in at least two US state Attorneys General (so far) launching investigations into Zoom’s privacy protections (or lack thereof).

Here at easyDNS we are working to facilitate video conferencing and remote collaboration tools for you and your teams and families.  We’re relying on open source tools like Matrix and Jitsi that use peer reviewed, publicly accepted encryption techniques and will seek to put the data under your control and nobody else’s.  Watch this space.

Hacker finds seven 0-day exploits in iPhone camera

Remembering nostalgically the Zoom 0-day (the one from last year, not the two from last week), it was an RCE in the iPhone camera that brought me to this find.  Security researcher Ryan Pickren found seven 0-days in Safari which can be used to hack the iPhone camera.  Some can be used on the laptop version as well.

Pickren reported the bugs in December.  Three of them were fixed in the Safari 13.0.5 update in January and the remainder in 13.1 (March).  Apple paid Pickren $75,000 as part of their bug bounty program.

Facebook tried to use NSO spyware to surveil users

Israeli-based NSO Security has come up here before (here) and (here). They are a spyware-as-a-service company that caters primarily to government intelligence agencies who are endeavouring to spy on meddlesome journalists, foreign diplomats and more.

Now it appears as though Facebook (among the first tech platforms that thinks it is a nation state IMHO, Google being the other) also attempted to hire NSO in order to spy on and monitor its own users.

VPNs are notorious for tracking your browsing habits

[CORRECTION/UPDATE]
It’s been pointed out in the comments (by Sean) that the research in this article refers to the VPN providers’ websites themselves, and not to the tunnel services they are providing. Thanks Sean – this was a fundamental misread of the article on my part. I blame cabin fever.

Security researcher Jan Youngren analyzed 120 VPN services.  He found that VPN companies undertake comprehensive monitoring of their users’ online travels and browsing habits, with a significant number going so far as to use “Session Replay Scripts”, effectively taking screen recordings of user sessions as they browse the web.

The key takeaways are, out of 120 VPN services tested:

  • 102 have at least 1 tracker
  • 26 websites have at least 10 trackers
  • 32 have session replay scripts
  • 45 websites have Facebook trackers
  • 39 have multiple Facebook trackers
  • 17 websites have trackers from risky third parties

Only 17 sites had no trackers at all.

Update on the easyDNS Fold@Home team

A couple of weeks ago we started up a Fold@Home team.  Fold@Home is a distributed computing platform similar to SETI@Home or even a blockchain.  In this case the computing power is dedicated to molecular folding calculations, which for the moment Fold@Home is directing toward Coronavirus computation.

I’m happy to report that some big guns have added some CPU power to the easyDNS team, propelling us into the top 5,000 teams thus far.

Thanks to:  brujack, TIMF, Bill Pye, Blitherman and everybody else pitching in on the Fold@Home effort.

To join Team easyDNS use team id 248458

A Warm Welcome to our new ArcticNames clients

Last week we completed the first and largest phase of the acquisition of the ArcticNames family of domain registrars.  ArcticNames is exiting the naming space to concentrate on their core business and needed to find a good home for their customers.

Hopefully they’ll agree that they’ve found one.  We had an initial screw up where we misplaced a bunch of domains into the wrong accounts (sorry!) but it was quickly rectified and if you were affected, you should have also received a notification about what happened.

If you’re new here, welcome aboard and you can learn more about the system here, including a short explainer video about our control panel at the link below:


The Jackpot Chronicles Scenario 1: Force Majeure 

Over on Guerrilla Capitalism I managed to write the second installment of “The Jackpot Chronicles” which examines four possible post-Coronavirus scenarios:

  1. Force Majeure:  where traditional institutions and social contracts break down
  2. Tin Foil Hat:  examines what if we really are living in a crazy conspiracy theory
  3. Mandatory Pollyanna:  would be if central banks and governments undertake an LBO of the entire economy and legislate that we all have to be happy about it
  4. Deglobalization: is where we all realize that buffers and savings are a good thing and that maybe relying on a just-in-time supply chain for everything might not be so smart


Russian Telco Hijacks the Internet 

Just as I was finishing up this week’s edition a reader sent me an article about a pretty big BGP hijack that occurred last week which I missed completely.

Turns out that Rostelecom, out of Russia, a repeat offender when it comes to BGP hijacks, pulled one of their biggest incidents yet, announcing their own routes for nearly 200 CDN and cloud providers worldwide including Amazon, Google, Cloudflare et al.

“The incident affected more than 8,800 internet traffic routes from 200+ networks, and lasted for about an hour.”

I lamented in Why you must learn to love DNSSEC that the layers below DNS, where the internet routing tables are maintained, are basically held together with spit and twist-ties.  There is no security protocol there, and it’s easy to advertise bogus routing announcements.

There is no easy answer for dealing with this other than the magic bullet of hoping it doesn’t happen to you… and maybe enabling DNSSEC.
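As an added illustration of the detection side of this (not code from the newsletter or from easyDNS), the script below shows the simplest monitoring check a network operator can run against a feed of BGP announcements: compare the origin AS of every announcement touching your prefixes against the origin you expect, and flag both a straight origin mismatch and a more-specific sub-prefix announced by someone else, which is the pattern that actually diverts traffic because longer prefixes win route selection. The prefixes, ASNs and announcements are constructed sample data using documentation ranges and private ASNs; no real network is referenced.

```python
"""Toy BGP origin-change monitor (added example, not the newsletter's own code).

Flags two hijack-shaped conditions in a batch of observed announcements:
  * origin-mismatch: one of our exact prefixes announced from an unexpected origin AS
  * more-specific:   a sub-prefix of ours announced from a different origin AS
All prefixes, ASNs and announcements below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: prefixes we operate and the AS that legitimately originates each.
EXPECTED_ORIGINS: Dict[str, int] = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]  # leftmost = neighbour we heard it from, rightmost = origin

    @property
    def origin(self) -> int:
        return self.as_path[-1]


def check_announcement(ann: Announcement,
                       expected: Dict[str, int] = EXPECTED_ORIGINS) -> List[Tuple[str, str, int]]:
    """Return (kind, prefix, origin_as) findings for one announcement; empty if consistent."""
    net = ipaddress.ip_network(ann.prefix)
    findings = []
    for owned_str, owner in expected.items():
        owned = ipaddress.ip_network(owned_str)
        if net.version != owned.version:
            continue  # subnet_of() refuses mixed IPv4/IPv6 comparisons
        if net == owned:
            if ann.origin != owner:
                findings.append(("origin-mismatch", ann.prefix, ann.origin))
        elif net.subnet_of(owned) and ann.origin != owner:
            # A longer prefix beats ours in best-path selection, so this diverts traffic.
            findings.append(("more-specific", ann.prefix, ann.origin))
    return findings


def scan(announcements: List[Announcement],
         expected: Dict[str, int] = EXPECTED_ORIGINS) -> List[Tuple[str, str, int]]:
    """Run check_announcement over a whole batch and concatenate the findings."""
    return [f for ann in announcements for f in check_announcement(ann, expected)]


def summarize(findings: List[Tuple[str, str, int]]) -> Tuple[int, int]:
    """(distinct prefixes affected, distinct unexpected origin ASNs), mirroring the
    'N routes from M networks' figures an incident report quotes."""
    prefixes = {prefix for _, prefix, _ in findings}
    origins = {origin for _, _, origin in findings}
    return len(prefixes), len(origins)


# Constructed sample feed: two clean announcements and two hijack-shaped ones.
SAMPLE_FEED = [
    Announcement("192.0.2.0/24", (64510, 64500)),            # legitimate origin
    Announcement("198.51.100.0/24", (64510, 64520, 64599)),  # wrong origin AS
    Announcement("203.0.113.128/25", (64510, 64599)),        # more-specific by a stranger
    Announcement("203.0.113.0/24", (64511, 64502)),          # legitimate origin
]

if __name__ == "__main__":
    results = scan(SAMPLE_FEED)
    for kind, prefix, origin in results:
        print(f"{kind:16} {prefix:20} origin AS{origin}")
    print("affected prefixes / unexpected origins:", summarize(results))
```

In practice the feed would come from a route collector or your own routers rather than a constructed list, and an alert would also want the AS path and the time first seen so an operator can tell a momentary leak from a sustained hijack like the one described above.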
