@beamzer
Last active April 9, 2020 14:06
Zoom Info
[Zoom best practice secure configuration]
https://www.eff.org/deeplinks/2020/04/harden-your-zoom-settings-protect-your-privacy-and-avoid-trolls
https://www.uio.no/tjenester/it/telefoni-sanntid/videokonf/zoom/endringslogg/uio-zoom-configuration-status.html
https://www.forbes.com/sites/kateoflahertyuk/2020/04/03/use-zoom-here-are-7-essential-steps-you-can-take-to-secure-it/
https://www.telegraph.co.uk/technology/2020/04/09/set-zoom-meeting-safely/
[Zoom security whitepaper]
https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf
[Zoom Privacy Policy]
https://zoom.us/privacy
[Zoom recordings on public Amazon S3 buckets]
https://www-washingtonpost-com.cdn.ampproject.org/c/s/www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/
[Zoom overview security and privacy issues]
https://tidbits.com/2020/04/03/every-zoom-security-and-privacy-flaw-so-far-and-what-you-can-do-to-protect-yourself/
https://www.cvedetails.com/vulnerability-list/vendor_id-2159/Zoom.html
[Bruce Schneier on Zoom]
https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html
[Zoom bombing]
https://www.bleepingcomputer.com/news/software/how-to-secure-your-zoom-meetings-from-zoom-bombing-attacks/
https://fortune.com/2020/04/02/zoom-bombing-what-is-meeting-hacked-how-to-prevent-vulnerability-is-zoom-safe-video-chats/
[Zoom enables waiting rooms by default to avoid Zoom bombing]
https://techcrunch.com/2020/04/03/zoom-waiting-rooms-default
https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic
[Zoom leaking e-mail addresses]
https://www.vice.com/en_us/article/k7e95m/zoom-leaking-email-addresses-photos
https://twitter.com/xs4all/status/1244217058868572163
[Zoom sharing data with Facebook]
https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account
https://www.vice.com/en_uk/article/z3b745/zoom-removes-code-that-sends-data-to-facebook
https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebook-sdk-in-ios-client/
[Zoom exposing LinkedIn profiles]
https://www.nytimes.com/2020/04/02/technology/zoom-linkedin-data.html
https://www.theverge.com/2020/4/2/21205853/zoom-linkedin-feature-disabled-privacy-security-video-calling
[Zoom Encryption, End-to-End or not]
https://theintercept.com/2020/03/31/zoom-meeting-encryption/
https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/
https://support.zoom.us/hc/en-us/articles/207599823-End-To-End-Encryption-for-Chat
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
[Zoom UNC path hack: Windows credentials leaked via chat links]
https://www.pcworld.com/article/3535373/report-hackers-can-steal-windows-credentials-via-links-in-zoom-chat.html
https://www.bleepingcomputer.com/news/security/hackers-take-advantage-of-zooms-popularity-to-push-malware/
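The UNC issue came from the Windows client turning any `\\host\share` path posted in chat into a clickable link; clicking it made Windows open an SMB connection to the attacker's host and send the user's NTLM credentials (hash) to it. The fix on Zoom's side was to stop converting UNC paths into links. The following is an added example of that defensive pattern, written for this page and not taken from Zoom's code: a chat-message linkifier with a strict scheme allow-list, so UNC paths, `file://` and `smb://` targets stay plain text and everything is HTML-escaped. The function names, regex and sample messages are my own.

```python
import html
import re
from urllib.parse import urlsplit

# Only these schemes are ever rendered as clickable links (assumption for this example).
ALLOWED_SCHEMES = {"http", "https"}

# Candidate tokens: UNC paths (\\host\share\...) and scheme://rest URLs.
_TOKEN_RE = re.compile(
    r"""(?P<unc>\\\\[^\s\\]+(?:\\[^\s\\]*)*)            # UNC path: \\host\share\file
      | (?P<url>[A-Za-z][A-Za-z0-9+.\-]*://[^\s<>"']+)   # scheme://...
    """,
    re.VERBOSE,
)


def is_unc_path(token: str) -> bool:
    """A token starting with two backslashes is a UNC path, never a link."""
    return token.startswith("\\\\")


def safe_link_target(token: str):
    """Return the href to use for token, or None if it must stay plain text."""
    if is_unc_path(token):
        return None
    parts = urlsplit(token)
    # file:///etc/passwd has an empty netloc; smb:// and ftp:// are not allow-listed.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return token


def linkify(message: str) -> str:
    """Render a chat message as HTML, linkifying only allow-listed URLs."""
    out = []
    pos = 0
    for m in _TOKEN_RE.finditer(message):
        out.append(html.escape(message[pos : m.start()]))
        token = m.group(0)
        href = safe_link_target(token)
        if href is None:
            out.append(html.escape(token))  # UNC / disallowed scheme: plain text
        else:
            out.append(
                f'<a href="{html.escape(href, quote=True)}">{html.escape(token)}</a>'
            )
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample messages, including the credential-leak bait.
    for msg in (
        r"notes are on \\10.0.0.5\share\notes.txt",
        "join https://zoom.us/j/123",
        "open file:///etc/passwd or smb://attacker/share",
    ):
        print(linkify(msg))
```

Client-side linkification is only half the story: the coverage above also recommends blocking outbound TCP/445 at the network edge and setting the Windows policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers", so a stray click cannot leak a hash to an Internet host even if some other application still renders UNC links.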
[EPIC (Electronic Privacy Information Center) privacy complaint against Zoom, 2019-07-11]
https://www.epic.org/privacy/ftc/zoom/EPIC-FTC-Complaint-In-re-Zoom-7-19.pdf
& follow-up https://epic.org/privacy/ftc/EPIC-FTC-Zoom-Apr2020.pdf
[Zoom predictable meeting IDs]
https://blog.checkpoint.com/2020/01/28/check-point-research-finds-vulnerabilities-in-zoom-video-communications-inc/
[130k zoom.us subdomains]
https://twitter.com/TwelveSecurity/status/1245409899133222913?s=20
[Zoom connections to China]
https://blog.12security.com/zoom-and-some-china-stuff/
[Zoom under investigation]
https://www.cnbc.com/2020/04/03/zoom-probed-by-three-states-for-potential-privacy-violations.html
[Zoom is still fine to use, but probably not to share sensitive information]
https://www.vice.com/en_us/article/n7jg7m/zoom-has-security-flaws-its-still-fine-to-use
Recently publicized findings, several of which have been fixed since they were disclosed, include:
* Zoom shared data with Facebook without noting that in its privacy policy
* Zoom allows anyone to join video calls if they have the meeting ID, which has led to the phenomenon of targeted (and random) "Zoom bombing"
* Automated "war dialer" tools have been written to brute-force valid meeting IDs, allowing for more Zoom bombing
* Zoom allows your boss / teacher / the person administering the call to determine whether you've been paying attention
* Forums have popped up to enable coordinated Zoom bombing
* Zoom's calls are not actually end-to-end encrypted, even though it says they are
* Researchers have found vulnerabilities that could allow attackers to take over a user's webcam
* People who use less popular email services (e.g. not Gmail, Hotmail, etc.) are sometimes put into a list as though they all work at the same company, allowing strangers to call them and see their email addresses and photos
* A certain data-harvesting feature allowed some Zoom users to match a meeting participant with their LinkedIn profile
* "Private" text messages sent during a call can be read by the call's host
[Hidden Zoom web server on Macs]
https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/
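The 2019 write-up describes a helper (ZoomOpener) that the Mac client installed as a local web server on 127.0.0.1:19421, which any web page could call to launch Zoom and join a meeting with the camera on; it survived uninstalling the app, and Apple eventually removed it with a silent Malware Removal Tool update. The script below is an added example for this page, not Zoom's or the researcher's code: it checks whether anything still accepts connections on that port and parses `lsof` output to name the listening process. The sample `lsof` text is constructed; the function names and port constant are my own, the port number is the one from the write-up.

```python
import re
import socket
import subprocess

# Port the ZoomOpener helper listened on, per the linked write-up.
ZOOM_OPENER_PORT = 19421

# Matches lsof lines such as:
#   ZoomOpener 4242 alice 5u IPv4 0x... 0t0 TCP 127.0.0.1:19421 (LISTEN)
_LSOF_LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+).*?"
    r"TCP\s+(?P<addr>\S+?):(?P<port>\d+)\s+\(LISTEN\)\s*$"
)


def parse_lsof_listeners(lsof_output: str, port: int):
    """Return [(command, pid, bind_address)] for processes LISTENing on port."""
    found = []
    for line in lsof_output.splitlines():
        m = _LSOF_LISTEN_RE.match(line)
        if m and int(m.group("port")) == port:
            found.append((m.group("cmd"), int(m.group("pid")), m.group("addr")))
    return found


def port_accepts_connections(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """True if a TCP connect to host:port succeeds (something is listening)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def list_listeners(port: int):
    """Run lsof (macOS/Linux) for the port and parse it; [] if lsof is missing.

    +c 0 keeps the full command name; by default lsof truncates it to 9 chars.
    """
    try:
        proc = subprocess.run(
            ["lsof", "-nP", "+c", "0", "-i", f"TCP:{port}"],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return []
    return parse_lsof_listeners(proc.stdout, port)


# Constructed sample output in lsof's format (not captured from a real machine).
SAMPLE_LSOF = """COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpener 4242 alice    5u  IPv4 0x1b2c3d4e5f60718      0t0  TCP 127.0.0.1:19421 (LISTEN)
Safari     3131 alice   23u  IPv4 0x1b2c3d4e5f60999      0t0  TCP 10.0.0.7:52101->93.184.216.34:443 (ESTABLISHED)
"""

if __name__ == "__main__":
    print("sample parse:", parse_lsof_listeners(SAMPLE_LSOF, ZOOM_OPENER_PORT))
    if port_accepts_connections(ZOOM_OPENER_PORT):
        print(f"port {ZOOM_OPENER_PORT} is open; listeners:", list_listeners(ZOOM_OPENER_PORT))
    else:
        print(f"nothing is listening on 127.0.0.1:{ZOOM_OPENER_PORT}")
```

If the port is open, the write-up's own cleanup was to kill the helper (`pkill "ZoomOpener"`), delete `~/.zoomus`, and then recreate it as an empty file with mode 000 so the client cannot reinstall the helper there; the TechCrunch link covers Apple's update that removed it for users who had not done this themselves.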
[Zoom & AVG/GDPR]
https://www.ictrecht.nl/blog/hoe-maak-je-avg-proof-gebruik-van-zoom-voor-je-webinar-of-videoconferentie
[LVMP, COVID-19: Video calling and online treatment]
https://www.lvmp.nl/e-health/
[Which meeting tools can you use safely? © Charlotte's Law]
https://www.charlotteslaw.nl/welke-meeting-tools-kun-je-veilig-gebruiken
[NCSC, Video calling and online meetings]
https://www.ncsc.nl/onderwerpen/veilig-thuiswerken/videobellen-en-online-vergaderen
[KNMG, Video calling during the coronavirus crisis]
https://www.knmg.nl/actualiteit-opinie/nieuws/nieuwsbericht-corona/beeldbellen-tijdens-de-coronacrisis.htm