まるちゃんの情報セキュリティ気まぐれ日記

こんにちは、丸山満彦です。

Zoomのセキュリティ、プライバシーの問題が話題となっていますが、ツールを使って1日かければ、2,400のZom IDを見つけられるという報告がありますね。。。

● Krebs on Security

・ 2020.04.02 ‘War Dialing’ Tool Exposes Zoom’s Password Problems

丁寧にいろいろと情報を書いていますね。。。

-----

zWarDial, an automated tool for finding non-password protected Zoom meetings. According to its makers, zWarDial can find on average 110 meetings per hour, and has a success rate of around 14 percent.

-----

● The VERGE

・2020.04.02 Automated tool can find 100 Zoom meeting IDs per hour

なお、ZoomのFounder and CEOの"Eric S. Yuan"がブログで、今後90日間は機能開発は止めてセキュリティ、プライバシーの問題の解決を優先するとのことです。。。対応が早いですね！！！

● Zoom Blog

・2020.04.01 A Message to Our Users

-----

What we’re going to do 

Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust. This includes: 

• Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
• Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
• Preparing a transparency report that details information related to requests for data, records, or content.
• Enhancing our current bug bounty program.
• Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
• Engaging a series of simultaneous white box penetration tests to further identify and address issues.
• Starting next week, I will host a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates to our community.

-----

【参考】

● まるちゃんの情報セキュリティ気まぐれ日記

・2020.04.02 Zoom関連の脆弱性など。。。

・2020.03.31 FBIが、COVID-19で在宅勤務や在宅学習が増えることによるZoomを使ったサイバー犯罪についての注意喚起をしていますね。。。