Hacked - News Update - Zoombombs ahoy
Episode Date: April 7, 2020
Jordan & Scott discuss zoombombing.
Transcript
As a heads up, the audio I'm about to play you goes from real quiet to real loud, really fast.
Also, someone might be using a racial epithet.
It's kind of hard to tell.
But to be safe, discretion is advised.
Remember, now how many hydrogens do I have?
That was really unnecessary.
Whoever did that, that's your warning.
Don't do that again.
weeks ago. A significant chunk of the working population, office workers, educators, basically
most white-collar jobs, started working remote.
So Kyle, you can leave the session now. I think your behavior is very inappropriate.
And with that transition, millions of people found themselves in need of a video conferencing
solution. Hundreds of millions of them flooded onto the app Zoom.
You can either turn off your video and audio and remain in the Zoom session, or
you may leave the Zoom session.
And it sure as any technology company isn't going to love that kind of newfound scrutiny.
It was scary, to be honest with you.
Just you didn't know what was going to pop up next.
Any new technology is going to flex under the weight of that many new users.
First, they said stuff like, we're just here to talk about racism.
Within a few days, people had figured out that the meeting ID system
Zoom used was vulnerable.
And then the screen started flashing things like swastikas,
and pornography.
That it was very easy
to join random calls
between other groups of people.
Within a week,
someone had built a dedicated tool to do it.
If we were able to get in on your call,
we can find out where you live.
Which is when the troll showed up.
This is Zoom bombing
on this hacked update.
So I guess my first question is
Are you on Zoom?
Yeah, aren't we all now?
I think we're all on Zoom.
I'm pretty sure we are all on Zoom.
I'm on it professionally and socially.
I think for about a month now, it's basically a utility.
Yeah, like I probably spend more time on Zoom these days, at work especially, than not on Zoom these days.
So what is Zoom bombing?
Well, Zoom bombing is essentially just joining
someone else's Zoom. So you're kind of raiding into their Zoom call.
Is that, it's like I FaceTime people somewhat regularly. I've never dealt with someone
crashing into my FaceTime. Yeah, it's showing up. Yeah, just popping in. I make phone calls
sometimes because I'm old. I've never had someone burst onto my phone call.
Well, I'm older, so I've had a party line, so I have.
This feels like, Zoom feels like it's doing, I mean Skype for heaven's sake. Like, I've never
had someone burst onto a Skype call.
I've never really heard of this particular problem,
of people bursting their way into private conversations.
Yeah, I just think that Zoom existed in a space for a long time,
and people used it as kind of a solution primarily for technology companies
to do primarily work-based meetings.
And then all of a sudden one day it was like,
this is just how we all connect.
And I think, you know, with that increased, you know, business, truthfully, has come increased scrutiny and attention.
I think it went from 10 million users as of the end of last year.
I think at the last tally, it's about 200 million.
Yeah, it's probably more still.
I assume it's just constantly going up.
Like my fiancé works out on Zoom.
You know, I'd use it for work.
We have, we play board games with friends on Zoom.
Like literally everything in Lowe.
Every social aspect of our life revolves around Zoom, or lots of them,
and lots of professional aspects of work revolve around Zoom these days.
So Zoom has 10 million primarily enterprise clients.
This happens.
What happens to that meeting ID system?
How does it flex under the weight of this?
Well, it's like any kind of, you know, addressing system
because really all the meeting ID is is the address inside of the Zoom system.
So imagine it's like an IP address for a computer on the internet.
If you know the address, you could reach out to that computer.
And the Zoom ID system is just a nine-digit code.
And if you know the nine-digit code, you can reach out to that meeting.
So what makes it vulnerable?
Well, the fact is that because Zoom, you know, kind of was this more esoteric product
and hadn't received this technological scrutiny and been such a target,
they'd managed to get by with pretty, you know, open
security options. So like passwords aren't by default required or set for meetings. So like we have
Slack and we have the ability to kick a Zoom meeting off in any Slack channel with relative ease.
And those Zoom meetings are by default non-password secured. So they've since changed all of that
in rapid fashion because yeah, that's what makes it insecure.
You know, you essentially just have to know the nine-digit code and you can jump into someone's call.
Is this just kind of a case of a product being as secure as it needed to be back when its user base was considerably smaller?
Yeah. And like that the reality is, too, is that this is, you know, we've talked about this a bunch of times in the last little while.
This probably isn't intentional. This is just a byproduct of what's happening. It was probably secure enough for most corporate and enterprise users because those corporate and enterprise users aren't looking
to cause mayhem. But once you start spilling it out to hundreds of millions of everyday people,
you're kind of incentivizing a little bit of mayhem.
I mean, this has now become the way that so many teachers are like teaching students.
Educators need a platform on which to get 30-some kids in the same space.
30-some kids in the same space online seems like a recipe for trolling.
Yeah. Well, and especially, you know, you've got to imagine that's just one
classroom. Imagine when you get all of those students. And if they're not actively in a class,
they know their friends are. All they need is the nine digit code to blop in and disrupt it and leave.
So I know you're seeing a lot of people and students kind of disrupting their like, you know,
cohorts' classes because it's like, why not? Yeah, there's dedicated Discord servers now for
organizing Zoom raids. Yeah. See, it's like they've gamified it.
So like what are the immediate solutions? Because Zoom did have different
security options that existed, they just weren't default. You did have the meeting room system,
you did have passwords. What has Zoom since done in response to this? Because this story
popped off faster than most stories I see in the tech world. People went from not knowing
that this was possible, to knowing that it was plausible, to knowing that it was endemic in, like,
one news cycle. So what has Zoom done as a response to that? I think the big change that'll
kind of stem this is they've just made passwords default. If I click new meeting, it immediately
has a password. Because the big thing is, is the URLs that they send out. So like if I create a
meeting and then invite, you know, you to it, it'll send you a click to join Zoom button. That
button has the password embedded in the URL. So it doesn't affect your user experience. It just
affects whether the door is left unlocked.
So in the intro story, I use this one clip from a CBS piece on a CNAHO school district
Zoom bombing.
I'll just run the clip.
If we were able to get in on your call, we can find out where you live.
Is that real?
Is that an actual danger that if you get Zoom bombed, that people doing it could
theoretically figure out who you are, where you live, your personal information?
You're asking me a question that I don't know the answer to because I don't exactly know how the
Zoom back end makes the connections, because if you have an independent connection to everybody
else in the Zoom call, assuming you're not routing through a universal hub or a server,
if you actually end up building a connection to each person,
then you will have access to their remote IP address.
And remote IP addresses are actually connected to location data.
It wouldn't be like this exact house.
But you'd be able to generally figure out where they are, yeah.
Generally speaking, a teenager is zoom bombing you, though.
Probably not.
Cool.
Yeah, probably not super interested in getting to know the person
whom they've just been super inappropriate to.
Right.
They've also gotten their wrist slapped for their privacy
in regards to Facebook
and how they encrypt their calls.
Yeah, they've definitely had a spotlight
kind of turned and pointed at them.
A couple small things.
Like, I think they got their wrist slapped
or getting currently in the process
of getting their wrist slapped for disclosing some data,
user data to Facebook.
It wasn't explicitly expressed in their privacy policy.
and, you know, because all of us spend days reading those things, I'm sure it would have made a huge difference.
What else they get in trouble for recently? It seems like they've had a constant stream of stuff.
I know they have an encryption issue. They use an AES-based encryption tool algorithm, and I don't think their implementation of it is, you know, the best version of itself.
Or is the encryption algorithm that they've chosen the best version for the task?
So I know that there's a little bit of gripe about that.
Talk to me about war dialers.
Yeah, so you mentioned in the intro.
Somebody has built essentially a custom tool to check meeting IDs and find open meetings.
They did that with such speed because that tool essentially already existed.
Because war dialing, which is something I'm old enough to remember,
back when you had to dial onto the internet and dial into computers.
So instead of having VPNs and stuff,
like we do today, your corporation would have a modem bank and you would dial into the corporation
and literally connect to the corporation's network via dial-in. So that was called war dialing.
It was essentially calling all of the numbers in a certain prefix trying to find a computer
that would pick up. So they essentially took that same, you know, kind of algorithm and piece of
software. But instead of war dialing, instead of dialing phones, they're literally just reaching out
to Zoom meeting IDs until they find ones that respond saying, yeah, I'm open. Do you want to join?
Is this why most modern security isn't based on a single key?
Yeah, yeah, yeah, yeah. Like with enough of the instances of that war dialer, you can cover pretty
much, I think, every possible Zoom ID almost concurrently. So the second a meeting spins up, you could
know about it if you had enough power.
Do you think that the community that reworked those war dialers to work for Zoom is going to
try and keep digging?
And do you think that they're going to keep pursuing Zoom or do you think this was just sort
of a crime of opportunity?
We have software that's good at guessing numbers.
They have software that is vulnerable to number guessing.
Put it together.
This is going to be a controversial statement, but I think Zoom is getting a ton of security
analysis for free right now.
The community is showing them where their
flaws are and making their product better.
And the fact that they're responding so timely shows that they're taking it seriously.
Like the fact that they, I think, hot patched the default password thing like a week after
it kind of became a big deal.
Like that's pretty quick for a big software company.
And I think, you know, instead of paying bug bounties to tell them what's wrong with their
software, they're just literally getting the voice of the community who's doing it for them now.
Hey, everybody.
Thanks for listening.
A slight update on this story.
On April 6th, the day before this launches, New York mayor, Bill de Blasio, has banned Zoom in public classrooms.
We want to hear from you about this.
If you're still using Zoom, if you're using something else for your teleconferencing,
talk to us on Twitter at Hacked Podcast, or support the show on Patreon.
Patreon.com slash hacked podcast.
Thanks for listening.
