"These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are compiled into lists that are sold to other hackers."
This feels like ridiculous piling on to Zoom. This comes down to the same old password reuse issue. You could almost certainly replace any other service provider with Zoom in that article and not reduce its accuracy. Pounds for pennies, other services have hundreds of thousands of accounts being sold courtesy of credential stuffing.
There are defenses against credential stuffing - you can get lists of pwned passwords (e.g. from haveibeenpwned) and force users who use one to change it.
You can run risk analysis on login and add CAPTCHAs to slow down attackers trying credentials, notify account owners on suspicious logins, possibly require confirmation via a link to an e-mail account if the login looks really phisy, make a different risk-convenience tradeoff (e.g. by enforcing 2FA), ...
They won't prevent it completely, but you can make it harder. So I don't think (also) blaming the service for successful large-scale credential stuffing attacks is unreasonable.
Except that at this moment Zoom is being used for all sorts of things. Guidelines or not, government and even military entities are hosting meetings via Zoom. Such leaks present a real risk of direct espionage, be it international or corporate.
How many US senators are holding calls on Zoom? How many of those calls are about new spending? How useful might it be to be ahead of that curve?
You could make a counterargument that any official that is reusing passwords should be fired for gross incompetence and not following basic security protocols. I've seen people in the private sector get fired for less and they aren't working with sensitive data.
Can you call a practice "gross incompetence" if everyone is doing it? The number of people using password managers is pretty close to zero. (I've recommended it to everybody for about a decade, and so far I think I managed to convince exactly one person.)
Cred stuffing can often be done with 5 or less "known" passwords used by the victim. When the attackers have enough IPs (via proxies or cloud providers - remember that most cloud providers give out multiple ipv6 /64s no questions asked), It'll end up looking like any other login attempt from a consumer VPN where the user forgot their password and is trying 3 or 4 different ones.
I would think you alarm when login failure rate spikes. Realize what is going on, list the probably affected accounts, and lock those accounts until they change their passwords. Doesn't seem like an impossible to mitigate problem.
Not that easily. A sophisticated attacker is going to be using a lot of different throwaway IP addresses. One of the common ways to (try to) prevent this are often how you end up with stuff like "all IPs we think are AWS or data centers or [...] are blocked from our service."
How many logins/second from how many different IP addresses and browsers would you have to try in order to achieve this in a way that is hard to detect? How hard is it to rent a botnet that would mean IP-based filtering would have too large a blast radius?
As an example: "At the 2020 RSA Conference, Microsoft reported that in January 2020 480,000 Microsoft accounts were compromised because those customers had reused passwords that had leaked from somewhere else." [0]
Each service provider needs to balance security and convenience based on the market they serve. Forced MFA for a product designed to be an easy to use video conferencing tool feels incorrect.
I disagree. Even the weakest form of MFA (click this link sent to your email to set an authorization cookie) prevents stuffing attacks, and is still available to anyone.
According to NIST's memorized secret (aka password) guidelines [1]:
> When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.
If Zoom had enforced that passwords can't be from a list of already compromised passwords as this guidance suggests, this attack wouldn't have been nearly as successful. This is just what happens when you don't have a decent security policy, and everyone that doesn't follow basic security best-practices should be called out for it.
It does not name specific sources, but it is not hard to find some. For example, in my programs I check passwords against the API provided by haveibeenpwned.com.
> When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
- Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.
A minimal compliant implementation could likely be ["passw0rd"]. Hopefully most compliant systems try a little harder, but with time and budget pressures...
Ideally a modern system should use haveibeenpwned or atleast one of the various lists you can find in password cracking forums.
I think our internet behavior and metrics makes certain topics trendy for outlets. Most news outlets metric the crap out of their stories (journalists performance is often judged at least partially by clicks) and if pieces on Zoom get lots of clicks, they’re gonna keep writing them.
I think this is the most likely reason with their explosion in usage due to COVID. Anecdotally, around 25-30% of news articles shared in my company Slack channels recently have been about Zoom. We saw the exact same phenomenon during the 2016 election.
There's also press and Zoom is a hot topic. You don't have to care about Zoom itself to write something that's technically true and brings ad views / money.
That's actually a good thing. Zoom is a great tool, but mainly because it exposes how important video conferencing is, and if it's done well, there's a market for it. Still, it's not $40B great.
MS, Facebook, Apple and Alphabet now has to think about improving their video conferencing protocol, and not just the next iteration of material design.
So they paid $1000 for 530k accounts. What's the use case of a stolen zoom account? To impersonate an institution this doesn't seem quite enough, so is it just lulz?
Having 530k unique accounts on any growing platform seems like a great investment even if it's not clear how to utilize them right now. Whatever someone could ever want to do with a bot army, they now have 530k fewer accounts to create. Mass-creating accounts will only get more difficult as Zoom's platform matures. There are plenty of ways utilize bot accounts for indirect financial gain on platforms like Reddit and Twitter.
Espionage - apparently there are entire darknet channels for trading insider information (presumably for trading purposes). Nefarious actors could easily tap into a pre-earnings call Zoom meeting and extract valuable information.
Huh? It's not like Zoom offers an SSO solution. The value of the accounts is two-fold:
1) Looking for Zoom premium accounts, there is actually a pretty good trade in stolen accounts on the dark web. Folks will pay a dollar for example for one of these accounts.
2) This is the more likely one—looking for people who use one shared password across multiple valuable logins.
SSO is offered at the "Business" plan level. So I guess the question would be how many of the stolen accounts were for users at a lower plan level but were also controlled by espionage-worthy companies.
You can authenticate with Zoom using your existing SSO solution, not the other way around. When using SSO the Zoom account wouldn't have a password at all.
Exactly. I'm surprised there are accounts from large companies that must have some sort of SSO with MFA solution. Are they not using it with Zoom? That's a no brainer
This is particularly concerning for those in China. Keep in mind over 1,000 Chinese hospitals now use Zoom, as detailed in the Feb 26th blog post by CEO Eric Yuan[1].
If anything, I suspect this has less to do with hacking and more with insiders abusing their access to the system. Chinese hackers are very often extremely competent day time programmers, and have been known to sell their internal access to the highest bidder[2].
Accounts were exposed in previous hacks, the accounts are now being exploited if the user didn't change the pw credentials and used the same email address.
Nothing in this suggests this is Zoom's fault (except that they might be able to check haveibeenpwned and warn users)
The report is technically true but also misleading by omission / its very existence: how many Microsoft accounts are sold on the darkweb? Tons, because accounts being sold on the darkweb is the default state of basically any online service. Credential-stuffing your way to a big list of accounts is not a new phenomenon, but reporting breathlessly on Zoom's latest fuckup without providing context is likely to give non-technical readers the wrong impression.
This isn't a reason to not want actual problems in Zoom fixed, but misrepresenting their posture relative to the rest of the industry benefits nobody besides incumbents.
How many MSFT keys, FB accounts, etc. do you think are being traded on tor right now? This isn't even news except for the fact that the media has their sight on Zoom right now.
It passes the FUD test: A lurker who only reads the headline and doesn't click through to the article would leave with a
worsened impression of Zoom; i.e. that they cannot manage the security of their accounts.
It's accounts that were found by testing user/passwords that were found in other hacks to see if people had used same password on zoom. It's nothing zoom did wrong. And, it's something that happens to basically every company.
Arguably in 2020 it is something Zoom did wrong in allowing people to re-use known passwords.
"Reject Pwned Passwords" is a very cheap security improvement during sign-up processes. Of course the problem for Zoom is that they've focused very hard on reducing "Bounce" where people decide they'd rather not sign up, which has led to a lot of the other complaints about Zoom we're also reading.
If you run a service that has an email + password type sign-in, the top TWO items I'd tell you are must haves for that service today - as in if you aren't live they need to be requirements for go-live and if you're already live they should be top of your pile are:
1. Sign-in-with-X services that out-source authentication entirely to somebody else, it doesn't much matter if it's Facebook, Google, Apple, almost anything is better than creating yet another service with yet more credentials. These services are relatively low friction. Zoom does offer this, and if you must have Zoom (as many of us must in this period) then this is the least worst option.
2. Blocking known passwords with something like PwnedPasswords. If you must build your own account authentication either out of hubris or with some genuine rationale for why it's necessary, use PwnedPasswords or a similar service to reject these passwords. Don't have stupid "policies" that sounded good to some idiot who still thinks regular expressions are a pretty neat idea, just reject these known bad passwords.
There are lots of more expensive things I think companies should do if they take security seriously, like implementing WebAuthn (ie FIDO security keys) but the above two are low hanging fruit. If you haven't done them it is something you did wrong.
Competitors to Zoom, for example, WebEx, have even more vulnerabilities than Zoom. Count the CVEs on cve.mitre.org. The small players haven't been poked as hard.
This feels like ridiculous piling on to Zoom. This comes down to the same old password reuse issue. You could almost certainly replace any other service provider with Zoom in that article and not reduce its accuracy. Pounds for pennies, other services have hundreds of thousands of accounts being sold courtesy of credential stuffing.