Welcome to Absolutely Clickable for November. It's been an interesting year for tech. Just when we thought we were getting a handle on devices within our networks—boom—we have most employees working from home and we have to worry about their networks too. Not to mention keeping devices up to date and working.
Who would have guessed an FTC ruling about Zoom would be a big deal today? "Zoom meeting" has the brand recognition of "Kleenex" or "Xerox" today, and any news they make is big news. Let's kick off Absolutely Clickable with the news about Zoom, the FTC, and E2EE.
As schools adapt to more distance learning and remote staff, we’re in a wholly different security space than we were at the beginning of this year. Digital Resiliency is a core part of protecting schools and students. In two posts from the Absolute Blog we get a look into how Absolute enables you to both secure and understand your devices and why resiliency needs to be seen as a critical KPI.
As you’ll learn below, Zoom ran into trouble with the FTC because it said their solution was HIPAA compliant, when it wasn’t. Absolute makes sure your health care facility stays HIPAA compliant with robust endpoint security. Sound Physicians medical clinics protect their endpoints and PHI with help from Absolute Resilience. Be sure to check out that post, too.
The US Federal Trade Commission recently went after Zoom for two big security issues. While the company said that they offered 256-bit end-to-end encryption (E2EE) in 2016, it turns out that they didn't really get E2EE working until this year. They also failed to mention their servers in China had the encryption keys stored on them, meaning anyone could listen in on customer meetings, even though they were "encrypted."
Zoom has worked out these issues, but falsely claiming to be HIPAA compliant—that's a no-no.
Zoom also slipped a piece of software into a July 2018 update for Mac users (ZoomOpener) that bypassed Safari's malware protections. The idea was to make it seamless for people to launch meetings… but it opened a security hole big enough to drive a truck through.
How does all of this end? Zoom settles with the FTC.
If you haven't updated Chrome in the past couple of days, you should go and do it now. No, it's okay, I'll wait…
Back? Great. The issue is a slew of zero-day flaws in Chrome that researchers found—which also have active exploits live in the wild. It isn't often that CISA and Homeland Security make a strong public announcement to update an app or OS right away. This is one of those times. Just go do it.
Over 23,000 databases from years of hacks were leaked online from an old hacker breach site. The databases were leaked on one site, which was taken down fast. They then spread to Telegram and other sharing sites. This is one of the biggest leaks of its kind and could have repercussions for a long time.
ZDNet got a copy of the leaked files before they slithered back into the dark web. As you'd expect, the databases are full of the usual trove of usernames, passwords, and such. A good reminder to change and update your passwords often. Oh, and 123456 is still the most popular password – in case you might be using it.
Speaking of passwords and security, we know using two-factor authentication (2FA) is a proven way to protect your accounts. A lot of us use SMS-based 2FA because it's easy and convenient. We're all glued to our phones, so why not use them for 2FA? Because it is vulnerable to SS7 and SIM jacking attacks, SMS is not the most secure 2FA option. Microsoft is pushing for us to leave SMS behind and use app-based tools instead.
It's been a while since we've had to worry about DNS cache poisoning attacks sending us to scam sites. A dozen years, in fact. The original flaw was based on sending tons of transaction IDs to DNS servers to see if a hacker would get the right one and be able to poison the DNS cache. The problem was fixed by a clever trick: port randomization combined with the transaction ID. Unfortunately, researchers found a way to spoof things by tricking ICMP rate limiting. Nothing is in the wild, but this is another threat to keep our eyes on.
If the Chrome flaws and DNS poisoning weren't bad enough, news came out through Vice that a large number of zero-day bugs that were being exploited were reported by Google. Sure, happens all the time… but this time, how the bugs were being exploited and who was exploiting them isn't being revealed. Essentially Google released information on these bugs—some of which may have existed for years—as the tech equivalent of having an envelope with the Watergate tapes in it land on your desk. No names. No other information. Just "here, you should know about these." On the one hand, we should be happy the bugs are patched. On the other hand, we have no idea how much damage may have been done until they were.
In the "one for the good guys" column, there has been a release of a new feature in Firefox 83 called HTTPS-Only Mode. When you turn it on, Firefox will default to HTTPS for all the sites you visit. Most sites have HTTPS available, but sometimes it isn't the default (or someone uses a non-HTTPS link). Firefox will make sure you're browsing securely with HTTPS. If you come to a site without HTTPS, Firefox will put up a big warning before it lets you continue. For the few sites that don't have HTTPS, don't expect many visits from Firefox users. The warning is enough to scare off most people, even though you can still continue insecurely. If your sites aren't using HTTPS, that's all the more reason to start. Firefox isn't going to be the last browser to have this feature. Expect more browsers to follow suit soon.
That's all for this month. Hope you enjoyed this crop of links. We'll wrap the year next month. And hope 2021 starts off with no new tech surprises.