SSI VISIO – US Senate tells members not to use Zoom

ft.com

US Senate tells members not to use Zoom

Kiran Stacey in Washington DC and Hannah Murphy in San Francisco

The US Senate has become the latest organisation to tell its members not to use Zoom because of concerns about data security on the video conferencing platform that has boomed in popularity during the coronavirus crisis. The Senate sergeant at arms has warned all senators against using the service, according to three people briefed on the advice. One person who had seen the Senate warning said it told each senator’s office to find an alternative platform to use for remote working while many parts of the US remain in lockdown. But the person added it had stopped short of officially banning the company’s products.

Zoom is battling to stem a public and regulatory backlash over lax privacy practices and rising harassment on the platform that has sent its stock plummeting. The company’s shares have fallen more than 25 per cent from highs just two weeks ago, to trade at $118.91.

Zoom was forced to apologise publicly last week for making misleading statements about the strength of its encryption technology, which is intended to stop outside parties from seeing users’ data. The company also admitted to “mistakenly” routing user data through China over the past month to cope with a dramatic rise in traffic – an issue it says it has now fixed. Zoom has two servers and a 700-strong research and development arm in China. It had previously stated that users’ meeting information would stay in the country in which it originated.

The revelations triggered complaints from US senators, several of whom urged the Federal Trade Commission to investigate whether the company had broken consumer protection laws. It also prompted the Taiwanese government to ban Zoom for official business. The FBI warned last month that it had received reports that teleconferences were being hacked by people sharing pornographic messages or using abusive language — a practice that has become known as “Zoombombing”.
A spokesperson for the company said: “Zoom is working around-the-clock to ensure that universities, schools, and other businesses around the world can stay connected and operational during this pandemic, and we take user privacy, security and trust extremely seriously. “We appreciate the outreach we have received on these issues from various elected officials and look forward to engaging with them.”

However, the US Department of Homeland Security said in a memo to government cyber security officials that the company was actively responding to concerns and understood how grave they were, according to Reuters. The Pentagon told the Financial Times it would continue to allow its personnel to use Zoom.

The Senate move follows similar decisions by companies including Google, which last week decided to stop employees from downloading the app for work. “Recently, our security team informed employees using Zoom Desktop Client that it will no longer run on corporate computers as it does not meet our security standards for apps used by our employees,” Jose Castaneda, a Google spokesperson, said. However, he added that employees wanting to use Zoom to stay in touch with family and friends on their mobiles or via a web browser could do so. The Google decision was first reported by BuzzFeed.

Zoom has tried to stem the tide of criticism in recent days. The company said on Wednesday it had hired Alex Stamos, the former Facebook security chief, as an outside security consultant, days after saying it would redirect its engineering resources to tackle security and privacy issues.

Additional reporting by Katrina Manson

SSI PDT VISIO – Zoom’s Encryption Is “Not Suited for Secrets”

Zoom’s Encryption Is “Not Suited for Secrets” and Has Surprising Links to China, Researchers Discover

Micah Lee

micah.lee@theintercept.com

@micahflee

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.

The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom’s “waiting room” feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university’s Citizen Lab — widely followed in information security circles — that Zoom’s service is “not suited for secrets” and that it may be legally obligated to disclose encryption keys to Chinese authorities and “responsive to pressure” from them.

Zoom could not be reached for comment.

https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/

SSI RH – 1-2-3-Cyber: an awareness-raising serious game

1,2,3 Cyber is a board game on the theme of cybersecurity, designed to raise awareness among 11- to 14-year-olds, in a playful way, of the risks of the Internet and of the right reflexes and good practices to adopt.

The game is the result of a collaboration between the association CCJ and the consulting firm Wavestone, with the participation of the Cybermalveillance scheme.

https://github.com/wavestone-cdt/1-2-3-Cyber

SSI VEILLE – Who controls the Internet?

By Damien Leloup. Published on 1 September 2011 at 19:46, updated on 14 March 2012 at 18:47

After the publication of our article on the Commotion project, which makes it possible to create uncensored computer networks that are easy to deploy in dictatorial countries, many readers asked us who controls the Internet today. Because of its decentralised nature, the Internet is not “controlled” by any single organisation, state or company. Contrary to a widespread belief, the network is not a totally free “jungle” either: at every level, numerous bodies exercise, or can exercise, control or censorship over the information that flows through it.

https://www.lemonde.fr/technologies/article/2011/09/01/qui-controle-internet_1566544_651865.html#CP6LihRev4d6LPbl.99

SSI PDT – Operation Poisoned News – Mobile Malware via Local News Links

From Trend Micro

By Elliot Cao, Joseph C. Chen, William Gamazo Sanchez, Lilang Wu, and Ecular Xu

A recently discovered watering hole attack has been targeting iOS users in Hong Kong. The campaign uses links posted on multiple forums that supposedly lead to various news stories. While these links lead users to the actual news sites, they also use a hidden iframe to load and execute malicious code. The malicious code contains exploits that target vulnerabilities present in iOS 12.1 and 12.2. Users that click on these links with at-risk devices will download a new iOS malware variant, which we have called lightSpy (detected as IOS_LightSpy.A).
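As an added defensive example (not Trend Micro’s code and not part of the original post): a small Python checker that parses an already-fetched page and flags iframes that are hidden by inline style or zero dimensions and that load content from a host other than the page’s own, which is the injection pattern described above. It uses only the standard library; the sample HTML and the hostnames in it are constructed placeholders, and the hiding heuristics are an assumption about common hiding styles rather than an exhaustive list.

```python
"""Flag hidden <iframe> elements that pull content from a third-party host.

Added example, not code from Trend Micro or the original page. It assumes
the page HTML has already been fetched (the constructed SAMPLE_HTML below
stands in for that) and uses only the Python standard library.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that commonly make an iframe invisible to the reader
# (assumed heuristic list; compared after whitespace is removed).
HIDING_STYLE_HINTS = ("display:none", "visibility:hidden", "width:0", "height:0")


def _is_zero(value):
    """True for attribute values like "0", "0px" or "0%"."""
    if value is None:
        return False
    v = value.strip().lower().rstrip("px%").strip()
    return v == "0"


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes as a plain dict."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Bare attributes arrive with value None; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Heuristic: the iframe is hidden via inline style or zero width/height."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(hint in style for hint in HIDING_STYLE_HINTS):
        return True
    return _is_zero(attrs.get("width")) or _is_zero(attrs.get("height"))


def find_suspicious_iframes(page_url, html):
    """Return (src, reason) pairs for hidden iframes loading from another host.

    Same-site iframes (relative src or the page's own host) are not reported,
    so a hidden comments widget on the site itself does not trigger a finding.
    """
    page_host = urlparse(page_url).hostname or ""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname or ""
        off_site = src_host != "" and src_host != page_host
        if is_hidden(attrs) and off_site:
            findings.append((src, "hidden iframe loading from %s" % src_host))
    return findings


# Constructed sample: a fake news page with one legitimate visible embed,
# one invisible iframe pointing at a placeholder third-party host, and one
# hidden same-site iframe that should not be flagged.
SAMPLE_HTML = """
<html><body>
<h1>Local news story</h1>
<iframe src="https://news.example/embed/video" width="640" height="360"></iframe>
<iframe src="https://attacker-placeholder.example/loader.html"
        style="display: none; width: 0; height: 0"></iframe>
<iframe src="/comments" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reason in find_suspicious_iframes("https://news.example/story/1", SAMPLE_HTML):
        print(reason, "->", src)
```

The host comparison is what keeps the noise down: sites routinely embed hidden iframes of their own (analytics, comment widgets), so only the combination of “hidden” and “off-site” is worth a human look. Run it over a crawl of the forum-linked pages and review the flagged `src` values by hand rather than blocking automatically.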

https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/