[Coco] Virtual CoCoFEST! On CoCoTALK! Saturday April 18th @ 2:00 PM EDT

RETRO Innovations go4retro at go4retro.com
Wed Apr 15 19:29:31 EDT 2020


On 4/15/2020 5:46 PM, neil at neilscomputerservice.com wrote:
>     I don't blame you for not wanting to use the Zoom service. News like
>     this article is scary stuff. I'd recommend anyone who has ever used
>     Zoom or is thinking of using Zoom in the near future to make sure their
>     password is changed and *not* the same on other web services.
>     -Neil
>     CoCo Crew Podcast
>     www.cococrew.org
>     https://www.nbcnews.com/tech/security/passwords-email-addresses-thousands-zoom-accounts-are-sale-dark-web-n1183796

This is getting off topic a bit, and I'm not helping here, but:

As the article explains, this is not necessarily a Zoom account 
compromise, but a technique called "credential stuffing", where hackers 
get lists of credentials that have been compromised from other sources, 
and replay those into systems like Zoom to see if the people used the 
same credentials on multiple sites.  So, this article could easily be 
written about any service you use that does not require (or you have not 
enabled) 2 factor authentication (userid+password+the second factor 
item).  Teams, GotoMeeting, BlueJeans, Jabber, Skype, etc. are all just 
as susceptible to "credential stuffing", unless the provider has forced 
2FA or you have enabled it (which most people don't do, because it takes 
more setup time and periodically slows down the login process).  And, 
beyond services like this, any service can be the target of this attack 
(DropBox, Box, Wordpress.com, etc.)

Neil's guidance, generalized, is spot on though.  Don't re-use 
credentials across services on the Internet and seriously consider 
enabling 2FA if available.

I understand the general concerns and so don't want to under-represent 
them, but folks should remember this is a "conference call" that will be 
publicly simulcast on Youtube and Facebook and immediately released for 
online replay as they assess the risk involved.  Philosophical issues 
with the company's operation, dealing with other countries, etc., are of 
course, a different matter.

Above all, it's a shame the Internet is so much less innocent than in 
1985-1993 (NSFNet Era), where we all shared our email addresses with as 
many people as we could, had digital "pen pals" available almost every 
minute of the day, read about the machines we loved in the USENET 
comp.sys.* hierarchy of newsgroups, played on multiplayer underground 
dungeons (MUDs), and chose passwords primarily as an afterthought.

Jim
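As an added example (not part of Jim's message or anything in this thread), a small Python detector for the credential-stuffing pattern he describes: one source replaying leaked credentials across many different accounts, mostly failing, with the occasional success landing on someone who reused a password. The log format, addresses and account names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample auth log (hypothetical format: time, source IP, account, result).
# 203.0.113.7 tries six different accounts within seconds and mostly fails: stuffing.
# 198.51.100.9 retries one account a few times: an ordinary forgotten password.
SAMPLE_LOG = """\
2020-04-15T19:01:02Z 203.0.113.7 alice FAIL
2020-04-15T19:01:03Z 203.0.113.7 bob FAIL
2020-04-15T19:01:03Z 203.0.113.7 carol OK
2020-04-15T19:01:04Z 203.0.113.7 dave FAIL
2020-04-15T19:01:05Z 203.0.113.7 erin FAIL
2020-04-15T19:01:06Z 203.0.113.7 frank FAIL
2020-04-15T19:02:10Z 198.51.100.9 gina FAIL
2020-04-15T19:02:15Z 198.51.100.9 gina FAIL
2020-04-15T19:02:20Z 198.51.100.9 gina OK
"""

def per_source_stats(log_text):
    """Aggregate attempts per source IP: distinct accounts, total, successful accounts."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok_users": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        _ts, src, user, result = parts
        s = stats[src]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "OK":
            s["ok_users"].add(user)
    return stats

def find_stuffing_sources(log_text, min_users=5, max_success_rate=0.5):
    """Return {source_ip: (distinct_accounts, successful_logins)} for sources that
    fan out across many accounts with a low success rate; one retried account is not flagged."""
    flagged = {}
    for src, s in per_source_stats(log_text).items():
        rate = len(s["ok_users"]) / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[src] = (len(s["users"]), len(s["ok_users"]))
    return flagged

def accounts_to_reset(log_text):
    """Accounts that logged in successfully from a flagged source: their password
    very likely came from another site's breach and should be reset (and 2FA enabled)."""
    stats = per_source_stats(log_text)
    hits = set()
    for src in find_stuffing_sources(log_text):
        hits |= stats[src]["ok_users"]
    return hits
```

The thresholds are assumptions for the constructed sample; on a real service they would be tuned against normal login volume so that a typo-prone user retrying one account is never flagged.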