When Zoom Fails, Google Meet to the rescue

This morning, I had set up The Hourlings on Zoom early, before I went to bed, hoping, if I ran late, the meetup would already be set up, Marty would be early, and I could make him co-host in case I still needed time to read before we began at 10:00.

Instead, to my delight, my friend Cynthia was the first to log in around 09:30 and we had a few minutes to chat about life and her adorable Clove. I really admire Cynthia, or Max as she’s sometimes called. She writes some great LGBTQ literature and is a great guide of conscious for me. She’s also an ex-Marine. Sempre Fi, my friend!

Unfortunately, we couldn’t get her video working, so, thinking that it would be as simple as restarting the meeting, I did just that. She promptly requested to rejoin and I accepted, looking forward to continuing our conversation.

It failed.

We tried again. No dice. I created a new Zoom event. That didn’t work. I asked the account owner to try. Still no success. It was already 10:00 and almost everyone was waiting to get in. I accepted them all, but none of them could connect.

Finally, our unofficial moderator, Evan Friedman brought up an instance of Microsoft Teams. He, Marty, and I verified its feasibility a while ago, so I knew it could work and joined the Teams meeting. The nice thing is now Teams allows virtual backgrounds, which was cool. But, unfortunately, Teams was as wickedly hard to invite people into as before.

Meanwhile, Marty set up a Google Meet account. Back when we tried Google Meet before when I created a Google Apps account. Back then, you had to pay for a Google Meet account by having a Google Apps account, and the Google Meet didn’t have a grid view, however, it already accommodated a lot of people.

In the end, we went with Google Meet and decided to make that Meet event out official backup for whenever Zoom misbehaves again, though we shall still default to Zoom. Unfortunately, my nightmare hair isn’t hidden by Google Meet’s cameras like it is in Zoom, so I must have looked atrocious today. I wish the Hypochondriac would let me use my hair trimmer.

Google Meet
Google Meet

We found out during the meeting that we weren’t the only ones straining for Zoom capacity. Fortunately, there is a Zoom Status we can check the next time this happens, so we’re not left trying so hard to beat a dead TimeHorse. And the Zoom system was back up, just in time for us to finish our meeting.

Unfortunately, because of all the kerfuffle and notifications, I missed a 13:30 Zoom I was planning to attend. But at least I got to hang out with my fellow writers. Thank you for reading, and I should now get back to writing.

Microsoft Teams is not quite the Team Player we thought

The folks at CyberArk uncovered a new vulnerability in Microsoft Teams. In Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams, they investigate a serious security hole in Teams that could threaten your organization and provide access to confidential information. Fortunately, Microsoft has, in theory, patched this vulnerability thanks to locking down any vulnerable Microsoft Teams servers.

This is a startling development considering how I’ve had to defend Zoom with respect to its long-ago patched UNC Path vulnerability. Now, we find out that by intercepting the traffic during the sending of images like a Gif, an attacker can subvert a computer’s security, intercept a victims access tokens, and impersonate the victim to begin a social engineering attack.

The basic process is the attacker can use Fiddler to intercept a benign image being transmitted. Since the image is transmitted via its URI, the attacker can modify the packet that transmits the benign URI and change the source domain to come from a compromised Microsoft Teams server.

Next, the attacker needs to intercept traffic to the compromised Microsoft Teams servers. Once the victim loads the image in his Teams viewer, the victim’s computer transmits his authentication tokens to the compromised server and thus the attacker has the users credentials.

The main solution is to lock down any vulnerable servers in the Microsoft Teams subnet. However, it is interesting that Teams uses a REST API with JWT. This is a very common authentication method and one used by OAuth Authentication. I have developed a number of software components that use JWT from OAuth and use those tokens to make connections to various web services I typically use, like meetup and Google Drive.

Microsoft Teams uses two JWT. First, the user gets an authentication token, and with that, the user can get the session token called skypetoken_asm. Both tokens are required by the Microsoft REST API to communicate with the server. The interesting thing, though, is that the second token is called Skype Token. A few years ago Microsoft bought Skype. At the time, people speculated why and of course with Microsoft Teams, I thought it might be leverage Microsoft with its own video conferencing platform. The question was, was Microsoft Teams based on Skype? It looks like at least in part, the answer is yes.

Below, you can watch a video of how this attack might actually work.

Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams | CyberArk

So, be careful what video conferencing system you use. Clearly, Zoom isn’t perfect, but neither is Microsoft, and neither is Google likely to be. There is no reason to pick on any of them. All three are working hard to patch vulnerabilities as soon as they’re found. Just, try to keep your software up to date. And that’s my latest deep dive into Video Conferencing security. If you like what you’ve read, I’m available and eager for hire.