[PLUG] Question on Zoombombin

Ben Koenig techkoenig at gmail.com
Thu Apr 9 19:50:46 UTC 2020


Man, I need to stop reading the tech news today, it's just too stupid :)

Supposedly they found one of the more obvious sources of the zoombombing
problem:
https://www.zdnet.com/article/zoom-removes-meeting-ids-from-app-title-bar-to-improve-privacy/


PEBKAC. Social engineering is always the most effective weapon in a
hacker's arsenal.
-Ben

On Mon, Apr 6, 2020 at 12:22 AM Mark Allyn <allyn at well.com> wrote:

> Thank you, Ben. I was only a guest at the meeting yesterday, not the host,
> so I don't think I can initiate any action.
>
> However, it did spur me into doing research on how I can batten down my
> own meetings as a host to try to prevent this from happening to me.
>
> Mark
>
> ----- Original Message -----
> From: "Ben Koenig" <techkoenig at gmail.com>
> To: "Portland Linux/Unix Group" <plug at pdxlinux.org>
> Sent: Sunday, April 5, 2020 8:58:54 PM
> Subject: Re: [PLUG] Question on Zoombombin
>
> My assumption here is that you are correct. I am not a Zoom employee or
> legal authority on this matter so there are other factors I may not be
> aware of. If I were considering taking legal action against individuals who
> "zoombombed" my meeting, I would start by contacting their Support team to
> see what resources they offer for this situation. The answer you get from
> them would determine what your next steps would be, if needed.
>
> https://support.zoom.us/hc/en-us/articles/201362003
> You've got some excellent questions, and they do appear to have a support
> team ready to receive them. As a support tech at a data security company,
> I'm curious to know how willing they are to resolve these types of
> problems.
>
> -Ben
>
> On Sun, Apr 5, 2020 at 7:31 PM Mark Allyn <allyn at well.com> wrote:
>
> > Ben:
> >
> > Thanks. I was wondering about this. So if the server (zoom.com) were to
> > field the IP addresses, then would it be Zoom who would have to trace
> > Zoombombers and take action?
> >
> > I have been reading reports that the FBI is starting to take interest in
> > this, as apparently Zoombombing is a violation of the CFAA, Computer
> > Fraud and Abuse Act, and it would not be myself as a meeting host to try
> > to turn over IP addresses to the authorities.
> >
> > Or does Zoom even care?
> >
> > Mark
> >
> > ----- Original Message -----
> > From: "Ben Koenig" <techkoenig at gmail.com>
> > To: "Portland Linux/Unix Group" <plug at pdxlinux.org>
> > Sent: Sunday, April 5, 2020 7:17:06 PM
> > Subject: Re: [PLUG] Question on Zoombombin
> >
> > Short answer: no.
> >
> > Long answer: My understanding is that services like Zoom provide a
> > central server that allows clients to talk to each other. The only IP
> > address you need is that of the server, the others are abstracted away
> > from the client.
> >
> > Instead,
> > - each user sends their data to the server.
> > - the server aggregates the incoming connections
> > - server distributes data to clients as required
> >
> > Normally one or more of these clients would be dedicated as the "host" or
> > moderator, who is able to change how the server functions on-the-fly.
> > This includes things like kicking individual clients, and other
> > functions. In order to get the IP address of each client in a meeting,
> > the service must expose that data to each client. This is normally
> > considered a security flaw, however it would not be unheard of for a
> > given piece of software to accidentally leak that kind of data.
> >
> > That said, if there are bugs in the software that allow unauthorized
> > users to join meetings at will, then it's possible that a bug may exist
> > that allows you to identify the IP address of your peers in a given
> > meeting. This would be an interesting question for Zoom's customer
> > service team, since allowing other users to see your IP opens up some
> > severe privacy concerns. Personally I'd be interested just to know how
> > they respond to such a question.
> > -Ben
> >
> > On Sun, Apr 5, 2020 at 6:09 PM Mark Allyn <allyn at well.com> wrote:
> >
> > > Folks:
> > >
> > > I don't know if this is the right forum or not to ask this, but I am
> > > curious about this so-called Zoombombing that's been creeping up.
> > >
> > > I was at a Zoom meeting that did get bombed with porn on Saturday.
> > > Luckily, the host was able to kick them off very quickly.
> > >
> > > However, this leads me to a question.
> > >
> > > If I happen to have had another machine on my network running a
> > > sniffer, something like Snort, would I have got the IP address of
> > > whoever Zoombombed the meeting I was on?
> > >
> > > In a system like Zoom, do all of the videos come together to my desktop
> > > or do they go to the host first and then out to the guests? Who would
> > > see the source IP addresses of those who connect (including the
> > > zoombomber) if they had a Snort or other sniffer running on their
> > > network?
> > >
> > > If this is not a good forum for something like this, would anyone know
> > > what forum I could take this to? Would it be DorkbotPDX?
> > >
> > > Thank you
> > >
> > > Mark
> > >
> > > --
> > > Mark Allyn
> > > Bellingham, Washington
> > > www.allyn.com
> > > _______________________________________________
> > > PLUG mailing list
> > > PLUG at pdxlinux.org
> > > http://lists.pdxlinux.org/mailman/listinfo/plug
> > >
>
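
The relay model described in the thread (each client talks only to a central server, which fans the data out), as an added example that is not part of the original messages: a loopback TCP relay showing that each client's socket, and so a sniffer sitting beside it, sees only the relay's address, while the relay sees every source address. The name run_relay_demo, the message format and the use of loopback ports as stand-ins for distinct IP addresses are assumptions of this sketch; it does not model Zoom's actual protocol.

```python
import socket
import threading

# Added illustration (assumption: loopback ports stand in for distinct hosts).
def run_relay_demo(n_clients=3):
    """Relay one line from each client to the others over loopback TCP.

    Returns (relay_addr, client_views, relay_view, inbox). client_views holds
    (local_addr, remote_addr) per client socket: the only endpoints a sniffer
    next to that client could observe.
    """
    listener = socket.create_server(("127.0.0.1", 0))  # port 0: any free port
    relay_addr = listener.getsockname()
    relay_view = []  # source addresses as seen by the central server

    def serve():
        conns = []
        for _ in range(n_clients):
            conn, addr = listener.accept()
            conn.settimeout(5)
            relay_view.append(addr)
            conns.append(conn)
        # Read one line per sender, then fan it out to every other client.
        lines = [c.makefile("rb").readline() for c in conns]
        for i, line in enumerate(lines):
            for j, dst in enumerate(conns):
                if i != j:
                    dst.sendall(line)
        for c in conns:
            c.close()

    worker = threading.Thread(target=serve)
    worker.start()
    clients = [socket.create_connection(relay_addr, timeout=5) for _ in range(n_clients)]
    for i, c in enumerate(clients):
        c.sendall(b"frame from client %d\n" % i)
    # What each client (or a sniffer on its network) can see of the session.
    client_views = [(c.getsockname(), c.getpeername()) for c in clients]
    inbox = []
    for c in clients:
        reader = c.makefile("rb")
        inbox.append(sorted(reader.readline() for _ in range(n_clients - 1)))
        c.close()
    worker.join()
    listener.close()
    return relay_addr, client_views, relay_view, inbox

if __name__ == "__main__":
    for local, remote in run_relay_demo()[1]:
        print("client", local, "talks only to", remote)
```

Every client receives the other participants' data, yet the only remote endpoint in its traffic is the relay; the per-participant source addresses exist only in the relay's own view.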


