FOXTROT/ALFA: Zoom Security Promise, New iPhone SE, Firefox Leaked Twitter Data

Welcome to issue 93 of FOXTROT/ALFA for Friday, 3 April 2020. Let’s see what has been happening in the world of technology today…

Zoom Trying to Deal with Increased Media Scrutiny, Shoddy Security

The videoconferencing tool Zoom, as far as I can tell, has always had security and privacy issues. But with a huge influx in users recently, these have become more relevant and were reported more widely. The company now vows to fix everything. Of course they do.

Video-conferencing app maker Zoom has promised to do better at security after a bruising week in which it was found to be unpleasantly leaky in several ways. The pledge came in a memo to customers from CEO Eric S. Yuan, in which he said: “Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust.”

The company said it has, amid the coronavirus pandemic forcing people around the world to work from home, seen its daily user numbers soar from 10 million in December to now 200 million. And with that increase, it’s experienced a shed load of scrutiny from the media and information security types.

The engineers now focused on security clearly have their work cut out. Last year, Check Point documented how it was easy to brute-force guess Zoom meeting ID numbers, which could be used to gatecrash non-password-protected conferences. In response, Zoom made creating a password a default setting, thwarting ID brute-forcing.

Unfortunately, miscreants keep Zoombombing virtual meetings, pasting in porno and other nonsense. So much so, Zoom published advice on how to keep uninvited morons out of private conferences. This week, the biz admitted to infosec journo Brian Krebs that this password-protected-by-default feature may not be working as intended, leaving people’s meetings exposed. In short, follow the advice to set a password, and don’t publicly share those credentials, and do set limits on individual participants.

The problem is that Zoombombing has become the new cool thing to do for hacker kids who got tired of hacking people’s Ring cameras. Only a matter of time before we get Zoombombing podcasts.

Krebs has been in touch with someone who has automated that meeting ID brute-forcing process. That someone is Trent Lo, a security professional and co-founder of Kansas City security meetup SecKC. “Lo and fellow SecKC members recently created zWarDial, which borrows part of its name from the old phone-based war dialing programs that called random or sequential numbers in a given telephone number prefix to search for computer modems,” Krebs explained. And zWarDial found about 100 open meetings each hour.

Which shouldn’t be possible, because Zoom is supposed to apply a password by default, indicating perhaps there’s a scenario in which passwords aren’t created by default. Or perhaps Zoom has so many meetings now, some are bound to have their passwords switched off by hosts to make life easier.

And like everything in corona-lockdown-panicland, this story has more than one level of madness to it.

At least Zoom has a share price that’s above its early 2020 level, something not many listed companies can boast right now. It’s standing at $121.93 apiece versus $68.72 on January 1. A Chinese company called Zoom Technologies also enjoyed a surge in investment after buyers mistook its $ZOOM ticker symbol for Zoom’s $ZM. America’s financial watchdog, the SEC, suspended trading of the Chinese company’s stock to stop that silliness.

Apple “Leaks” New iPhone SE

Apple must be getting hit as hard by the current situation as anyone, as they decided to “leak” a hint at a new iPhone that, presumably, will be released soon. Most likely they’re trying to drum up some excitement.

Apple’s upcoming 4.7-inch iPhone is likely to be announced imminently and looks set to be called the iPhone SE. A Belkin screen protector is currently live on the Apple Store and listed for the iPhone SE as well as the 8 and 7, matching reports that the new phone would feature a similar design to those models.

Earlier today 9to5Mac reported the iPhone SE name, as well as details including that it’ll come in white, black, and red color options with storage tiers of 64GB, 128GB, and 256GB. The device is expected to come with an A13 processor, though pricing information is still unknown. 9to5Mac’s previous reporting has suggested a new 5.5-inch iPhone is also on the way.

Tesla Stock Soars Amid Good Delivery Numbers

Well, at least Tesla is doing well:

Tesla produced 102,672 vehicles in the first quarter of 2020 and delivered 88,400 vehicles to customers, the company announced to investors on Thursday. While the delivery number is down from the previous quarter, the overall results were better than analysts had expected, sending Tesla’s stock up more than 10 percent in after-hours trading.

And notably, Tesla’s latest results are a big increase over its results a year earlier; the company produced 77,100 vehicles in Q1 2019 and delivered 63,000. The growth partly reflects improved productivity at Tesla’s flagship factory in Fremont, California. It also represents Tesla’s new manufacturing facility in Shanghai, which began operations in late 2019.

Philippines Latest Country to Consider Tracking Coronavirus Patients

The government in the Philippines is already locking people in their homes and threatening violence against any who break the coronavirus curfew. Now, they also want to trace infected people with an app.

The Philippines has imposed a strict lockdown and is distributing food to residents. President Rodrigo Duterte’s speech to the nation on Wednesday even suggested that those who cause trouble or impede government agents during the lockdown could face a violent response from local authorities. “My orders were to the police and the military, as well as the barangays [local goverments – ed] when they were disrupted and there was an opportunity to fight and your life was in danger, shoot them dead,” he said.

The Department of Information and Communications Technology (DICT) is “exploring and drafting protocols for [a] digital solution to track the steps of COVID-19 positive patients and augment the [Department of Health] Epidemiology Bureau’s data gathering and disease surveillance and response functions compliant with cybersecurity and privacy laws, rules and regulations.”

Western countries have also jumped on board. The UK is reportedly preparing to release an app which alerts people if they come too close to somebody who has tested positive for COVID-19. The government plans to release the app just before or just after lockdown is lifted, as people return slowly to normal life. Germany is also heading up the development of a similar app for European countries called, painfully, the Pan-European Privacy Preserving Proximity Tracing initiative.

The World Health Organisation recently said that tracking and limiting moveemtns of overseas travelers and other suspected COVID-19 coronavirus carriers has proven an essential tool in controlling the pandemic. But privacy advocates warn that any extraordinary measures implemented for the current crisis might have lasting effects in the future.

If you are interested in the privacy implications of the COVID-19 epidemic, I’ve recorded several podcast episodes on this topic in the last few weeks.

Firefox Leaked Private Twitter Data

Twitter has warned its users of a bug in Firefox that might have exposed personal information. But this only happens if you use several accounts on one computer. It probably mostly applies on public terminals or shared office computers.

Twitter on Thursday warned of an esoteric bug that, in limited circumstances, allowed users' non-public profile information to potentially fall into the hands of other users. If you used Firefox on a shared PC to, for example, send or receive media in private Twitter messages, or download an archive of your profile that contained non-public information, be aware this data was inadvertently cached on the computer.

Twitter did not specify what exactly caused private data to collect in the browser cache, though it appears a HTTP header was not used as expected, causing Firefox to retain media files and downloaded data for up to seven days.

Mozilla, meanwhile, noted that this is not something that would be remotely accessible to miscreants, for what that is worth. “When you use Firefox, cached data stays local on that device.” The social network also seems convinced it can fix the problem at its end, presumably by changing the HTTP header in question, meaning no Firefox updates will be needed.

Also Noteworthy

Some other things I’ve been reading:

Before I say goodbye, wishing you a good weekend, I’d like to recommend a TV show that has just been released by Amazon: Tales from the Loop. It is based on the breathtaking drawings by my favourite artist, Simon Stålenhag from Sweden. If you have never seen any of his work, I can only recommend that too!

Anyway, I hope you’ll have a relaxing weekend during these Days of Insanity. See you on Monday!


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.