leaflet改变zoom
Recent research shows the sloppy security architecture of Zoom. After a former NSA employee has uncovered massive security holes and researchers from the Canadian CitizenLab found problems with Zoom’s encryption, a German security researcher has detected additional potential vulnerabilities. Our computers with Zoom on them may not be as private and secure as we think.
最近的研究显示了Zoom的草率安全体系结构。 NSA的一名前雇员发现了巨大的安全漏洞,而加拿大CitizenLab的研究人员发现Zoom的加密问题后,德国的安全研究人员发现了其他潜在的漏洞。 装有Zoom的我们的计算机可能没有我们想象的那么私密和安全。
The first thing that sparked suspicion in Thorsten Schröder was Zoom’s FAQs on data protection. The answer to the question “Does Zoom sell my data?” started with “Depends what you mean by sell.” (Zoom has changed the wording now — but I kept a screenshot as a souvenir). As he read on, Schröder realized: “Zoom, of course, gives away your data.” The second thing was that Zoom did not work with the security tools that Schröder had installed on his computer. These expert tools help him to detect malware or other problems in software. The third thing that made him nervous was a quick look into the code.
在ThorstenSchröder中引起怀疑的第一件事是Zoom的数据保护常见问题解答。 “ Zoom是否出售我的数据?”问题的答案 开始于“取决于您的意思是卖出。” (Zoom现在更改了措辞-但我保留了截图作为纪念品)。 在他继续阅读时,Schröder意识到:“缩放当然会释放您的数据。” 第二件事是Zoom无法使用Schröder在其计算机上安装的安全工具。 这些专家工具可帮助他检测恶意软件或软件中的其他问题。 让他紧张的第三件事是快速浏览代码。
Friends had invited Schröder for an after-work beer via Zoom, just like everybody is doing these days. But as an IT security researcher, Schröder has seen too much to simply use an app he was unfamiliar with without at least a rudimentary check. “If this app also wants to install software on my computer, I’ll look closely.” Unfortunately, this close look did not exactly calm Schröder down. According to him, Zoom probably has serious security holes on top of the ones that the company closed after other security researchers had made them public.
朋友们都邀请Zoom参加Schröder的下班后啤酒,就像如今每个人一样。 但是作为一名IT安全研究人员,Schröder看到了太多的东西,无法简单地使用他不熟悉的应用程序,而至少没有经过初步检查。 “如果这个应用程序还想在我的计算机上安装软件,我会仔细观察。” 不幸的是,这种仔细的观察并没有使Schröder完全平静下来。 据他介绍,在其他安全研究人员将它们公开之后,Zoom可能在公司关闭的安全漏洞之上还有严重的安全漏洞。
When Schröder sees something he thinks is insecure, he starts to hack in, to see just how bad it is. Normally he would carry out the attack to the end — exploiting security holes as if he were a hacker with bad intentions — before he goes public. That’s the reason for the word “probably” in the paragraph above: An attack takes time, and because these potential security holes are very dangerous, we agreed that I would write down the state of affairs here after our interview instead of waiting, until Schröder — who does not get paid for this work — finds time to finish the attack.
当Schröder看到他认为不安全的东西时,他开始入侵,以了解它有多糟糕。 通常,他会在公开之前将攻击进行到最后-利用安全漏洞,就好像他是一个恶意的黑客一样。 这就是上段中“可能”一词的原因:攻击需要时间,并且由于这些潜在的安全漏洞非常危险,我们同意在采访后我将在这里写下事态,而不是等到Schröder -谁没有为此工作获得报酬-找到时间完成攻击。
Zoom is the new normal: CEO Eric Yuan said the company saw a huge spike in users: up to 200 million people per day in March, from about 10 million in December. Half the world is using zoom right now — and of course this is the point where weaknesses become visible to a big audience. A few weeks ago nobody had heard about a phenomenon called “Zoom bombing”, where strangers conquer Zoom meetings they are not invited to and show (for example) pornographic images via the screen sharing tool. Now people are familiar with Zoom bombing, which can be offensive and disruptive — but there are way more dangerous potential things out there.
Zoom是新常态:首席执行官Eric Yuan说,该公司的用户数量激增:3月每天有2亿人,而12月只有1000万。 目前,世界上有一半的人正在使用缩放-当然,这是弱点对于大多数观众来说显而易见的地方。 几周前,没有人听说过称为“缩放爆炸”的现象,陌生人征服了他们不被邀请参加的缩放会议,并通过屏幕共享工具显示(例如)色情图片。 现在,人们已经熟悉了Zoom轰炸,它具有攻击性和破坏性,但还有更多的潜在危险之地。
“In my opinion, politicians and journalists should not use zoom,” said Thorsten Schröder after his first short dive into the depths of the software. But they do. Some even publicly announce their zoom meetings with the meeting ID, virtually inviting the bad guys to take advantage of this and interfere or eavesdrop on future video conferences. British Prime Minister Boris Johnson, for example, carelessly sent a screenshot of a Zoom cabinet meeting via Twitter recently, which included the meeting ID. We don’t want to speculate here about who might be interested to listen to the British government. Zoom quickly removed the ID from the screen with the following update.
“在我看来,政客和新闻记者不应该使用缩放功能,” ThorstenSchröder在第一次深入研究软件深度之后说道。 但是他们做到了。 一些甚至使用会议ID公开宣布其缩放会议,实际上是邀请坏人利用此优势并干扰或窃听未来的视频会议。 例如,英国首相鲍里斯·约翰逊(Boris Johnson)最近不小心通过Twitter发送了缩放内阁会议的屏幕截图,其中包括会议ID。 我们不想在这里推测谁可能有兴趣听英国政府的讲话。 Zoom进行了以下更新,Swift从屏幕上删除了ID。
Schröder is not alone in his warnings. “Though Zoom is incredibly popular it has a rather dismal security and privacy track record” wrote former NSA (US National Security Agency) employee Patrick Wardle a few days ago in his blog, where he published two new worrying security holes in Zoom, which he had found and which Zoom claims to have now closed.
施罗德并非只有他一个人警告。 前国家安全局(NSA)员工帕特里克·沃德尔(Patrick Wardle)几天前在博客中写道:“尽管Zoom非常受欢迎,但其安全和隐私记录却相当糟糕。”他在Zoom中发布了两个令人担忧的新安全漏洞,已经找到了,Zoom 声称已经关闭了 。
These were so-called “Zero-Day Vulnerabilities”, which means that for these bugs in a computer program there is no so-called “patch” yet, no “repair”, no update, which closes the security hole. This means that anyone who was using Zoom at the time — in this case with the Mac app — was de facto vulnerable. And not only in a way in that attackers can eavesdrop on and record zoom meetings unnoticed, they could also gain access to the computer itself, read out Windows passwords and obtain administrator rights for the computer system. Among other things, such attackers could switch on the camera and microphone at any time and spy on the affected person.
这些就是所谓的“零日漏洞”,这意味着对于计算机程序中的这些错误,尚无所谓的“补丁”,没有“修复”,没有更新,从而消除了安全漏洞。 这意味着当时使用Zoom的任何人(在本例中为Mac应用程序)实际上都是脆弱的。 而且,攻击者不仅可以偷听和记录缩放会议,而且还可以访问计算机本身, 读取Windows密码并获得计算机系统的管理员权限。 除其他外,此类攻击者可以随时打开摄像机和麦克风,并监视受影响的人。
However, even the official way the data travel is not as secure as Zoom claims. Security researcher Micah Lee and journalist Yael Grauer from “The intercept” recently found out that video chats are not end-to-end encrypted — what Zoom had claimed. This would mean that the data is encrypted from one participant to another in the video conference — so that Zoom itself, for example, cannot access the data. According to the Intercept, this isn’t what’s happening: Instead Zoom offers what is usually called transport encryption, which means that random listeners on the way between the conference participants and Zoom servers only see encrypted material, whereas Zoom itself can access the unencrypted video and audio content of Zoom meetings. End-to-end encryption would mean that really only the participants of a video call are able to unencrypt their data (in reality of course the software does that for them) This practice of only transport-encryption instead of end-to-end-encryption leads to further problems: For example, if the FBI demanded access, Zoom would have to hand over this data under American law. If they were encrypted, this would not be possible (or the FBI would not be able to make sense of the encrypted data).
但是,即使是正式的数据传输方式也没有Zoom声称的安全。 安全研究员Micah Lee和记者“拦截”中的记者Yael Grauer 最近发现 ,视频聊天未进行端到端加密-Zoom声称。 这意味着将数据从视频会议中的一个参与者加密到另一个参与者,例如,Zoom本身无法访问该数据。 根据Intercept的说法,这不是发生的事情: Zoom提供了通常称为传输加密的内容,这意味着在会议参与者和Zoom服务器之间途中的随机收听者只能看到加密的内容,而Zoom本身可以访问未加密的视频。和Zoom会议的音频内容。 端到端加密意味着实际上只有视频通话的参与者才能够解密其数据(实际上,软件当然会为他们加密)。这种做法仅是传输加密,而不是端到端。加密会导致更多问题:例如,如果FBI要求访问,则Zoom必须根据美国法律移交这些数据。 如果将其加密,则将不可能(否则FBI将无法理解加密的数据)。
In a blog post Zoom apologized for the misleading use of the term end-to-end encryption: “We recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.” (https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/) A few days later researchers from the Citizen Lab, a research group within the University of Toronto, found out that Zoom does not use the industry encryption standard for this case, but used a weaker version: Using this mode “is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input”, said the researchers. In addition they observed that keys for encrypting and decrypting meetings were transmitted to servers in China — where by Chinese law Zoom might be legally obligated to disclose these keys to authorities in China.
Zoom在博客文章中对端到端加密一词的误导性表示歉意:“我们认识到,普遍接受的端到端加密定义与我们的使用方式之间存在差异。” ( https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/ )几天后,大学实验室的一个研究小组公民实验室的研究人员多伦多的研究人员发现Zoom在这种情况下并未使用行业加密标准,但使用了较弱的版本:使用这种模式“很容易被理解为一个坏主意,因为这种加密模式会保留输入中的模式”,研究人员说。 此外,他们观察到用于加密和解密会议的密钥已传输到中国的服务器-根据中国法律,Zoom在法律上有义务向中国当局披露这些密钥。
“具有易于识别的密码,安全问题和位于中国的可处理会议密钥的离岸服务器的应用程序为资源合理的民族国家攻击者(包括中华人民共和国)提出了明确的目标” (“An app with easily-identifiable limitations in cryptography, security issues, and offshore servers located in China which handle meeting keys presents a clear target to reasonably well-resourced nation state attackers, including the People’s Republic of China”)
“An app with easily-identifiable limitations in cryptography, security issues, and offshore servers located in China which handle meeting keys presents a clear target to reasonably well-resourced nation state attackers, including the People’s Republic of China”, conclude the Citizen Lab researchers. As a result, the government of Taiwan, Google, SpaceX and New York City Schools among others banned Zoom. (Google, of course, has its own solution, NYC schools will be using Microsoft Teams. Others decide to use FaceTime, which is end-to-end encrypted. But it is hard to tell how secure other solutions are. What most experts recommended in my research is Jitsi.)
市民实验室研究人员总结道:“在中国,密码,安全问题和离岸服务器上具有易于识别的限制的应用程序可以处理会议密钥,这是资源合理的民族国家(包括中华人民共和国)的明确目标,” 。 结果,台湾,谷歌,SpaceX和纽约市学校等政府禁止了Zoom。 (当然,Google有其自己的解决方案,纽约市的学校将使用Microsoft Teams。其他人则决定使用端到端加密的FaceTime。但是很难说出其他解决方案的安全性。大多数专家建议在我的研究中是Jitsi。)
Zoom again apologized for this “oversight” and promised to work on the problem. The apology was similar to Zoom’s reaction to a critique a few days earlier, where researchers had found out that Zoom passed data to Facebook without communicating this to users, as Motherboard magazine reported. As a result, Zoom deleted this feature from the code. But again only after someone else had found out about it.
Zoom再次为这种“疏忽”道歉,并承诺将解决该问题。 道歉与Zoom几天前对评论的React相似,研究人员发现, 正如Motherboard杂志报道的那样,研究人员发现Zoom将数据传递给Facebook却没有与用户进行交流。 结果,Zoom从代码中删除了此功能。 但是只有在其他人找到答案之后才再次出现。
This data will no longer be passed on to Facebook — but what should be more worrying is Zoom’s reaction to the recent problems. Words like “oversight” and “was brought to our attention” dominate the blog posts after every new reported security problem. After all, it means that Zoom itself doesn’t really know what its program does. In the case of data going to Facebook it’s not so much an intentional data trade as sloppy handling of its own and other people’s code. Privacy becomes collateral damage.
这些数据将不再传递到Facebook上-但更令人担忧的是Zoom对近期问题的React。 在每个新报告的安全问题之后,博客文章中都使用诸如“监督”和“引起我们注意”之类的词。 毕竟,这意味着Zoom本身并不真正知道其程序做什么。 就数据流向Facebook而言,它不是故意的数据交易,而是对自己和他人代码的草率处理。 隐私成为附带损害。
由于Zoom的草率安全架构,隐私成为附带损害 (Privacy becomes collateral damage due to Zoom’s sloppy security architecture)
And this sloppiness possibly runs through the entire code of the application and forms the basis for massive security holes. At least, this is what Thorsten Schröder’s findings indicate. Together with other security researchers from the German Chaos Computer Club (CCC), he had previously uncovered a Trojan (malware) used by the Bavarian state and discovered weaknesses in the election software for the 2017 federal elections in Germany. Schröder, who has been working in the field of IT security for 20 years, says: “I have a gut feeling where to look when it comes to confidentiality.”
这种草率可能贯穿应用程序的整个代码,并构成大量安全漏洞的基础。 至少,这就是ThorstenSchröder的发现所表明的。 他曾与来自德国混沌计算机俱乐部(CCC)的其他安全研究人员一起,发现巴伐利亚州使用的特洛伊木马(恶意软件),并发现了2017年德国联邦选举的选举软件中的弱点。 Schröder在IT安全领域已经工作了20年,他说:“对于机密性,我感到直言不讳。”
This feeling led him, among other things, to a freely available software library in Zoom’s code that Zoom uses to encrypt connections. In itself, using preexisting free software is a good thing, but Zoom has not updated this toolkit called OpenSSL for years. “Zoom delivers its current software with a completely outdated version of SSL that contains known security holes.” This old version of SSL is no longer updated to close security holes, which means that this vulnerable SSL toolkit is on Zoom — and thus on each person’s computer. And this in times when Zoom is predestined for attack. “Das wird vielen Leuten den Nacken brechen”, he said, using an idiom in German that translates roughly to “it will hurt a lot of people’s bottom line.”
这种感觉使他除其他外,进入了Zoom的代码中免费使用的软件库,Zoom用来加密连接。 就其本身而言,使用预先存在的自由软件是一件好事,但是Zoom多年来一直没有更新名为OpenSSL的工具包。 “ Zoom为其当前软件提供了完全过时的SSL版本,其中包含已知的安全漏洞。” 不再更新此旧版本的SSL以消除安全漏洞,这意味着此易受攻击的SSL工具包位于Zoom上,因此位于每个人的计算机上。 而这正是Zoom注定要攻击的时候。 他说:“ Das wird vielen Leuten den Nacken brechen”,用德语的成语大致翻译为“这会伤害很多人的底线。”
Schröder has found another possible vulnerability in the use of another library called SQLite. “When using an SQL database you can do a lot of things wrong — and Zoom uses techniques that are predestined to introduce exploitable security holes.” These are among the first things hackers look into, because companies often make these mistakes when using SQL databases. They can, for example, read out user data of all kinds. I accompanied hackers a few years ago while they did this as their first step to overtake a big European company — and it only took them a few minutes to capture thousands of names, addresses and passwords thanks to an incorrect SQL database use. (German article here)
Schröder在使用另一个名为SQLite的库时发现了另一个可能的漏洞。 “在使用SQL数据库时,您可能会做很多事情-而Zoom使用的技术注定会引入可利用的安全漏洞。” 这些是黑客首先要研究的内容,因为公司在使用SQL数据库时经常犯这些错误。 他们可以例如读取各种用户数据。 几年前,我伴随着黑客,这是他们接管一家欧洲大公司的第一步-由于使用了不正确SQL数据库,他们只花了几分钟就捕获了数千个名称,地址和密码。 (德国的文章在这里)
“But you can also execute malicious code via SQL,” explained Schröder, such as Trojans or ransomware. Attackers can therefore possibly exploit the installed Zoom app to delete, steal or encrypt data on the user’s computer, and then demand large sums of money so that the user can access it again. (This is what happened to many people and companies with “Wannacry” in May 2017) Zoom does not mention these possible vulnerabilities in the current blog posts — so these holes are probably not closed.
“但是您也可以通过SQL执行恶意代码,”Schröder解释说,例如Trojans或勒索软件。 因此,攻击者可能会利用已安装的Zoom应用程序删除,窃取或加密用户计算机上的数据,然后索要大量资金,以便用户可以再次访问它。 (这是许多人和公司在2017年5月发生“ Wannacry”事件时发生的情况。)Zoom在当前博客文章中未提及这些可能的漏洞-因此这些漏洞可能没有解决。
犯罪分子和民族黑客等恶意行为者的行动速度将比严肃的安全研究人员更快,这是一个时间问题 (It is a question of time when malicious actors such as criminals and nation-state hackers will act faster than serious security researchers)
Presumably, all of this is not Zoom’s intention, it’s rather sloppiness and a clear sign that security has been sacrificed for quick market success. This happens often when it comes to software: Whoever is first on the market in these areas can secure large market shares and is well positioned. But this leads to software in general becoming increasingly insecure on average. The fact that Zoom is currently lagging behind and only ever solves those problems that users or security researchers uncover does not speak well of the company.
据推测,所有这些都不是Zoom的意图,它只是草率而已,这清楚地表明为了快速取得市场成功而牺牲了安全性。 在软件方面,这种情况经常发生:在这些领域中首先进入市场的人可以赢得大量的市场份额,并且处于有利地位。 但是,这通常导致软件平均而言变得越来越不安全。 Zoom当前滞后,只能解决用户或安全研究人员发现的那些问题,这一事实并不能很好地说明该公司。
Almost certainly there are other security problems lurking beneath the surface due to the sloppy security architecture. So it is a question of time when malicious actors such as criminals and hackers will act faster than serious security researchers — and that could be dangerous. One can already observe the first corresponding activities: there is a program that automatically searches for zoom sessions that are not password protected. According to its makers, zWarDial can find on average 110 meetings per hour without passwords — all of them are vulnerable to “Zoom-Bombing.” And there are already more than 100,000 Zoom accounts, passwords and personal meeting IDs are for sale on the dark web. This happens because people reuse their passwords from other accounts — and because hackers think Zoom is an interesting target. And this is why Zoom should be extra secure instead of less secure. But unfortunately it isn’t.
由于草率的安全体系结构,几乎可以肯定还有其他安全隐患。 因此,犯罪分子和黑客之类的恶意行为者的行为速度将比严肃的安全研究人员快,这是一个时间问题,这可能很危险。 一个人已经可以观察到第一个相应的活动:有一个程序可以自动搜索没有密码保护的缩放会话。 根据其制造商的说法, zWarDial每小时平均可以找到110次会议,而无需输入密码-所有这些会议都容易受到“缩放爆炸”的攻击。 黑暗网络上已经有超过100,000个Zoom帐户,密码和个人会议ID 可供出售 。 发生这种情况是因为人们从其他帐户重用了他们的密码,并且因为黑客认为Zoom是一个有趣的目标。 这就是为什么Zoom应该特别安全而不是不太安全。 但不幸的是,事实并非如此。
In my research I heard many experts complaining that software is now hardly ever tested before it is released on the market. Security is complex and expensive, that’s what researchers have told me time and again, for example the German security researcher Christian Rossow for a story about attacks on critical infrastructures (German article here): “There are two competing motives: making software secure and bringing it to market as quickly and cheaply as possible.” Schröder also observed the same effect: “It is one of the bad habits of the last ten years that start-up companies publish their tools in an unfinished state and turn customers into testers.”
在我的研究中,我听到许多专家抱怨说,软件在投放市场之前几乎没有经过测试。 安全性既复杂又昂贵,这是研究人员一次又一次告诉我的。例如,德国安全研究员克里斯蒂安·罗索(Christian Rossow)讲述了有关关键基础设施遭受攻击的故事( 此处为德国文章 ):“有两个相互竞争的动机:使软件安全并带来尽快将其推向市场。” Schröder还观察到了相同的效果:“这是过去十年的不良习惯之一,这是初创公司以未完成的状态发布其工具并将客户变成测试人员的情况。”
“不再只是视频聊天是否正在被窃听的问题。 关键是个人可以成为攻击的目标,而与视频聊天无关。” (索尔斯滕·施罗德) (“It is no longer only the question of whether a video chat is being eavesdropped. The point is that individuals can become targets of attacks, independent of the video chat.” (Thorsten Schröder))
Schröder emphasizes that, in contrast to the ex-NSA hacker Wardle, he did not investigate these potential security holes to the end. It is theoretically possible that hackers will encounter other obstacles when they do. But what he has seen indicates a unprofessional approach to security — and that produces the potential for devastating attacks.
Schröder强调,与前NSA黑客Wardle相比,他没有调查这些潜在的安全漏洞。 从理论上讲,黑客有可能遇到其他障碍。 但是他所看到的表明,这是一种非专业的安全方法,并且产生了毁灭性攻击的可能性。
“It is no longer only the question of whether a video chat is being eavesdropped,” Schröder emphasizes. “The point is that individuals can become targets of attacks, independent of the video chat.” What particularly annoys him: these days you can’t get around Zoom anymore. Companies use Zoom, universities, even Schröder’s friends use it for the aforementioned after-work beer. “The group decides for the individual” — who may then have to bear the consequences that malware causes on their computer. Schröder has found his own workaround: For Zoom he uses a computer that he does not use otherwise and on which no important and personal data is stored. “I don’t install Zoom on my normal computer, which I also use for other things.”
Schröder强调说:“不再只是偷听视频聊天的问题了。” “关键是个人可以成为攻击的目标,而与视频聊天无关。” 令他特别烦恼的是:这些天您再也无法绕过Zoom。 公司使用Zoom,大学,甚至Schröder的朋友都将其用于上述的下班后啤酒。 “团队为个人决定”,然后他们可能不得不承担恶意软件在其计算机上造成的后果。 Schröder找到了自己的解决方法:对于Zoom,他使用的计算机以前没有使用,并且没有存储任何重要的个人数据。 “我没有在普通计算机上安装Zoom,我也将其用于其他用途。”
There have been many examples in the past, where hackers spend a lot of time and money to gain access to the systems of others and to disrupt them. Nation-state hackers, among others, invest a lot in order to either spy on other states, undermine them by means of hacker attacks, influence elections or steal ideas. For these hackers — as well as for “normal” criminals — golden times have come when politicians, journalists and companies now use Zoom on a grand scale. “So, what to do?”, Ex-NSA hacker Werdle concludes his blog post: “Honestly, if you care about your security and/or privacy, perhaps stop using Zoom.”
过去有很多例子,黑客花费大量时间和金钱来访问他人的系统并破坏它们。 民族国家的黑客等进行了大量投资,以监视其他国家,通过黑客攻击破坏它们,影响选举或窃取思想。 对于这些黑客以及“正常”罪犯而言,当政客,记者和公司现在大规模使用Zoom时,黄金时代已经来临。 “因此,该怎么办?”,前美国国家安全局黑客Werdle在其博客文章中总结道:“老实说,如果您关心自己的安全和/或隐私,也许就停止使用Zoom。”
— —
— —
Update 04/16: Because more and more people were asking for details, Thorsten Schröder provided his findings in detail here.
更新04/16:由于越来越多的人要求提供详细信息,因此 ThorstenSchröder在此处详细介绍了他的发现。
leaflet改变zoom
174
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
