One Article Review

Home - The article:
Source Errata Security
Identifier 1633464
Publication date 2020-04-02 01:23:55 (viewed: 2020-04-02 06:08:21)
Title About them Zoom vulns...
Text Today a couple vulnerabilities were announced in Zoom, the popular work-from-home conferencing app. Hackers can possibly exploit these to do evil things to you, such as steal your password. Because of COVID-19, these vulns have hit the mainstream media. This means my non-techy friends and relatives have been asking about it. I thought I'd write up a blogpost answering their questions.

The short answer is that you don't need to worry about it. Unless you do bad things, like using the same password everywhere, it's unlikely to affect you. You should worry more about wearing pants on your Zoom video conferences in case you forget and stand up.

Now is a good time to remind people to stop using the same password everywhere and to visit https://haveibeenpwned.com to view all the accounts where they've had their password stolen. Using the same password everywhere is the #1 vulnerability the average person is exposed to, and is a possible problem here. For critical accounts (Windows login, bank, email), use a different password for each. (Sure, for accounts you don't care about, use the same password everywhere; I use 'Foobar1234'.) Write these passwords down on paper and put that paper in a secure location. Don't print them, don't store them in a file on your computer. Writing it on a Post-It note taped under your keyboard is adequate security if you trust everyone in your household.

If hackers use this Zoom method to steal your Windows password, then you aren't in much danger. They can't log into your computer because it's almost certainly behind a firewall. And they can't use the password on your other accounts, because it's not the same.

Why you shouldn't worry

The reason you shouldn't worry about this password stealing problem is because it's everywhere, not just Zoom. It's also here in this browser you are using.

If you click on file://hackme.robertgraham.com/foo/bar.html, then I can grab your password in exactly the same way as if you clicked on that vulnerable link in Zoom chat. That's how the Zoom bug works: hackers post these evil links in the chat window during a Zoom conference. It's hard to say Zoom has a vulnerability when so many other applications have the same issue.

Many home ISPs block such connections to the Internet, such as Comcast, AT&T, Cox, Verizon Wireless, and others. If this is the case, when you click on the above link, nothing will happen. Your computer will try to contact hackme.robertgraham.com, and fail. You may be protected from clicking on the above link without doing anything. If your ISP doesn't block such connections, you can configure your home router to do this. Go into the firewall settings and block "TCP port 445 outbound". Alternatively, you can configure Windows to only follow such links internal to your home network, but not to the Internet.

If hackers (like me if you click on the above link) get your password, then they probably can't use it. That's because while your home Internet router allows outbound connections, it (almost always) blocks inbound connections. Thus, if I steal your Windows password, I can't use it to log into your home computer unless I also break physically into your house. But if I can break into your computer physically, I can hack it without knowing your password.

The same arguments apply to corporate desktops. Corporations should block such outbound connections. They
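For readers who want to apply the mitigation the post describes (block outbound TCP 445 to the Internet, while still letting file:// links work inside the home network) on a Windows machine, here is an added example script; it is not from the original post, and it assumes an elevated PowerShell session on a Windows version that ships the built-in NetSecurity cmdlets.

```powershell
# Added example (not from the Errata Security post): implements the
# "block TCP port 445 outbound, except inside the home network"
# mitigation with built-in Windows Firewall cmdlets.
# Assumes an elevated (Administrator) PowerShell session.

# 1. Block outbound SMB (TCP 445) to Internet addresses only. The
#    "Internet" address keyword excludes the local subnet, so UNC and
#    file:// links to machines on your own network keep working, while
#    a link pointing at an outside host gets no connection at all.
$ruleName = 'Block outbound SMB to Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 2. Confirm the rule exists and is enabled.
Get-NetFirewallRule -DisplayName $ruleName |
    Format-Table DisplayName, Enabled, Direction, Action

# 3. Check the effect: an outbound SMB connection to an Internet host
#    should now fail. hackme.robertgraham.com is the demo host named in
#    the post; TcpTestSucceeded should be False once this rule (or your
#    ISP or router) blocks port 445.
Test-NetConnection -ComputerName hackme.robertgraham.com -Port 445 `
    -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

The "Internet" keyword depends on Windows' own notion of which addresses are local, so on a machine with unusual subnets you may prefer an explicit RFC 1918 exception list in -RemoteAddress instead.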
Sent Yes
Tags Hack Vulnerability Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from a previous one.