Zoom Zero-Day

Zoom Zero-Day, GDPR Fines, Google Assistant Recordings

Play episode

This is your Shared Security Weekly Blaze for July 15th 2019 with your host, Tom Eston. In this week’s episode: Zoom video conferencing zero-day, massive fines being issued for violating GDPR, and who might be listening when you talk to your Google Assistant.

Looking to protect your laptop, smartphone, and key fobs this summer? Well this week I’m excited to announce that you could win one of two Silent Pocket vacation prize packages which includes a passport wallet, medium faraday sleeve, and 5 liter drybag! Check out our post on Twitter @sharedsec or on Instagram @sharedsecurity for contest rules and how to enter. And don’t forget, listeners of this podcast receive 15%  off at checkout using discount code “sharedsecurity”. Visit slientpocket.com to see the latest Silent Pocket products built to protect your digital privacy.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

Do you or your organization use Zoom for video conferencing? If so, and you happen to be using it on a Mac, you’ll want to pay close attention to this story. The problem? Well a security researcher last Monday disclosed that a vulnerable web server is automatically installed on Apple Mac computers during the installation of the Zoom client. What this means is that any website could be used to forcibly join a user to a Zoom call, with their video camera activated, and without the user’s permission. On top of that the researcher also discovered that the vulnerability would allow any webpage to conduct a Denial of Service attack on a victim’s Mac by constantly joining a user to an invalid call. And if that wasn’t enough when you uninstall the Zoom client, the web server continues to be installed and active. The researcher disclosed the vulnerability to Zoom back in March but after many meetings (and fixes that didn’t work) the researcher decided to disclose the vulnerability to the public. The next day Zoom issued a patch to remove the web server and to allow users to uninstall the Zoom client which will now fully remove the web server. Zoom’s CEO posted a blog post apologizing to customers and noting that they will be improving their bug bounty program as well as issuing another update that took place over the weekend of July 13th to further lock-down the “video on” by default setting. Also, Apple made a surprising move on Wednesday by issuing a silent update to all Macs automatically uninstalling the Zoom web server. Many people don’t realize that Apple has the power to issue patches and updates to Macs connected to the Internet at any time and while this seems creepy, it’s actually a good thing when Apple can take immediate and swift action to patch a critical vulnerability without user interaction. Check out our social media feeds for the latest updates on this developing story.

The General Data Protection Regulation, or also known as GDPR, is now starting to penalize organizations which are found to have violated these now enforced consumer privacy protections in the European Union. Last week the Information Commissioner’s Office in the UK has issued British Airways a staggering fine of 183.4 million pounds (which is about $230 million dollars) because of the data breach affecting 500,000 customers last year. This $230 million dollar fine is roughly 1.5% of British Airways revenue and is the largest fine issued to date for violating GDPR regulations. And that’s not all, the global hotel giant Marriot was also issued a fine of $125 million for their data breach which impacted 339 million customers across the world. Of course both companies can contest the fines to make their case but this is the first time we’ve seen a large financial impact due to a GDPR violation.

But does issuing fines for violating regulations actually help prevent data breaches? If we use PCI DSS compliance fines as an example, not much will probably change. PCI DSS (which stands for the Payment Card Industry Data Security Standards) is what US merchants who process and store credit card data need to comply with. Fines from the card brands can vary between $5,000 – $100,000 per month depending on lots of things like the size of your business and the type of non-compliance you happen to be violating. And in some extreme cases, violations can prevent a company from taking credit card payments. Now PCI has been around for a long time, and have we seen the amount of data breaches related to credit cards go down? Not reallly. In fact as I talk about on this podcast all the time, data breaches seem to be increasing. So is that the game that’s being played? The more data breaches that happen, the more money the regulators make? Look, I’m sure fines are a pretty severe penalty for most businesses, but when it comes to giant companies like Marriott and British Airways, will this just be another accounting write off or will GDPR really set the stage to force more organizations to take data privacy seriously.

And now a word from our sponsor, Edgewise Networks.

The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.

But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.

But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”

Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.

At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.

Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.

Visit edgewise.net to find out more about how Edgewise can help stop data breaches.

These days, it’s rarely a case of “if” you’ll be hacked and more a question of “when.” Once a hacker gets past your defenses, they cover their tracks and systematically infiltrate your network to steal information or shut your business down. And, more often than not, they do it quietly and methodically.

There is one single source of truth that can expose the hacker — the packets on the network. They contain the information necessary to understand where a hacker may be, what they’re stealing, and where they’re going next.

That’s where NETSCOUT comes in.

Their Smart Data approach gives you high resolution, consistent, and continuous monitoring everywhere in the IT infrastructure and in any workload. NETSCOUT gives you Visibility Without Borders. Their solutions detect the most comprehensive array of threats and provide visibility any place a hacker travels, even in the public cloud.

With NETSCOUT’s Visibility Without Borders you’ll get the visibility you need to see across any network, data center, Cloud, 5G and more. Rethink the way security is delivered for your digitally transformed business. Get a clearer view at www. NETSCOUT.com.

If you think Amazon is the only company that is taking heat about privacy issues with their popular voice assistants, think again as Google is also in the hot seat as they admitted last week that Google contractors can access voice recordings from Google Assistant. This all started with a Belgian journalist who obtained audio files which contained voice recordings of about 1,000 users. The recordings were found to have had personal data like names and addresses disclosed as well as conversations that would be deemed extremely private. Google hires contractors to assist with making translations as well as making the technology better by having humans review thousands of voice recordings. The Google Assistant works just like Amazon and Apple’s voice assistants by saying a wake word or key phrase like “OK, Google”. But like all of these voice assistants they will sometimes record unintentionally if you happen to say a word similar to a key phrase or when recordings for some reason continue when you’re finished asking a question.  Google issued a statement noting that the contractor who disclosed these recordings violated their data security policies and that they do hire language experts to do transcriptions on about .2 percent of all recordings, which are not associated with user accounts.  So what do you think? If your personal information was disclosed in a Google Assistant or other Amazon Alexa recording would you be concerned? Or are you OK with giving up a little bit of your privacy for the convenience of using a voice assistant.

That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe where ever you like to listen to podcasts and if you like this episode please it share with friends and colleagues.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

More from this show

Leave us a Review

Signup for our Newsletter

Follow Us