Hard to say, although this article talks about the
Post# of 32969
(Total Views: 437)
Posted On: 04/02/2020 1:10:24 PM
Re: Jumperfish #19044
Hard to say, although this article talks about the latest Zoom security issues (as it notes, there have been issues in the past): https://www.theverge.com/2020/4/1/21202584/zo...d-response .
In the past it could hijack MacOS cameras.
Now the latest vulnerabililty is:
"Each Zoom call has a randomly generated ID number between 9 and 11 digits long that’s used by participants to gain access to a meeting. Researchers have found that these meeting IDs are easy to guess and even brute forceable, allowing anyone to get into meetings.
Part of this ease of use has led to the “Zoombombing” phenomenon, where pranksters join Zoom calls and broadcast porn or shock videos. At fault here are Zoom’s default settings which don’t encourage a password to be set for meetings, and allow any participants to share their screen. Zoom adjusted these default settings for education accounts last week, “in an effort to increase security and privacy for meetings.” For everyone else, you’ll need to tweak your Zoom settings to ensure this never happens."
So I'm sure Verb has their own method of generating meeting ID's. Usually one generates a very long id which is called a UUID which is 128 binary digits, therefore it would take a long time to brute force it, and also one would hope that repeated attempts would lock a user out (easily done by locking out that mac address).
I would guess Verb is smart enough to know a 9 to 11 digit meeting id is easily hackable even by brute force running through all the numbers. Using a UUID is easy - the definition of a UUID is at https://en.wikipedia.org/wiki/Universally_unique_identifier .
Also, again I am surprised Zoom does not lock someone out after several attempts (3 should be enough), and that would be easily done by preventing that MAC address (tied to the computer hardware) from connecting to that meeting after 3 invalid attempts. It is a stunning security lapse for sure!
The definition of MAC address is https://en.wikipedia.org/wiki/MAC_address . By the way, MAC address has nothing to do with an Apple iMac or other MacOS device. MAC is short for Media Access Control and utilizes a very long unique number that each hardware device has (no two computers or other devices will have the same number). MAC addresses are represented in a series of hexadecimal digits - so each digit can have 16 values. An example MAC address is 86:64:40:3E:C7:7D . So that is 14 hexadecimal digits, which makes the number of possible MAC addresses equal to 16 to the power of 14 which is such a huge number it has to be represented as 7.2057594e+16 . That means roughly 7 followed by 16 more zeroes!
So I'm sure Verb Live does not have the issue for these reasons:
1. Unlike Zoom it doesn't use 9 to 11 digit meeting ID's, more likely just uses a randomly generated UUID
2. Most likely doesn't allow unlimited attempts to access a meeting id by brute force (just running through all the combinations) which shockingly, Zoom apparently does.
3. Unlike zoom, doesn't have default settings that don't require a meeting to require a password!!! Hopefully Verb Live requires all meetings to have passwords. Seems silly not to, and I kind of think Verb would make having a password for a meeting mandatory!
So Zoom opened up a fairly simple security exploit, which is shocking when one thinks about it.
I have to think the folks at Verb are much smarter than that!
In the past it could hijack MacOS cameras.
Now the latest vulnerabililty is:
"Each Zoom call has a randomly generated ID number between 9 and 11 digits long that’s used by participants to gain access to a meeting. Researchers have found that these meeting IDs are easy to guess and even brute forceable, allowing anyone to get into meetings.
Part of this ease of use has led to the “Zoombombing” phenomenon, where pranksters join Zoom calls and broadcast porn or shock videos. At fault here are Zoom’s default settings which don’t encourage a password to be set for meetings, and allow any participants to share their screen. Zoom adjusted these default settings for education accounts last week, “in an effort to increase security and privacy for meetings.” For everyone else, you’ll need to tweak your Zoom settings to ensure this never happens."
So I'm sure Verb has their own method of generating meeting ID's. Usually one generates a very long id which is called a UUID which is 128 binary digits, therefore it would take a long time to brute force it, and also one would hope that repeated attempts would lock a user out (easily done by locking out that mac address).
I would guess Verb is smart enough to know a 9 to 11 digit meeting id is easily hackable even by brute force running through all the numbers. Using a UUID is easy - the definition of a UUID is at https://en.wikipedia.org/wiki/Universally_unique_identifier .
Also, again I am surprised Zoom does not lock someone out after several attempts (3 should be enough), and that would be easily done by preventing that MAC address (tied to the computer hardware) from connecting to that meeting after 3 invalid attempts. It is a stunning security lapse for sure!
The definition of MAC address is https://en.wikipedia.org/wiki/MAC_address . By the way, MAC address has nothing to do with an Apple iMac or other MacOS device. MAC is short for Media Access Control and utilizes a very long unique number that each hardware device has (no two computers or other devices will have the same number). MAC addresses are represented in a series of hexadecimal digits - so each digit can have 16 values. An example MAC address is 86:64:40:3E:C7:7D . So that is 14 hexadecimal digits, which makes the number of possible MAC addresses equal to 16 to the power of 14 which is such a huge number it has to be represented as 7.2057594e+16 . That means roughly 7 followed by 16 more zeroes!
So I'm sure Verb Live does not have the issue for these reasons:
1. Unlike Zoom it doesn't use 9 to 11 digit meeting ID's, more likely just uses a randomly generated UUID
2. Most likely doesn't allow unlimited attempts to access a meeting id by brute force (just running through all the combinations) which shockingly, Zoom apparently does.
3. Unlike zoom, doesn't have default settings that don't require a meeting to require a password!!! Hopefully Verb Live requires all meetings to have passwords. Seems silly not to, and I kind of think Verb would make having a password for a meeting mandatory!
So Zoom opened up a fairly simple security exploit, which is shocking when one thinks about it.
I have to think the folks at Verb are much smarter than that!
(12)
(0)