Sophos Utm Zoom

01-05-2021
 |  [RAND-100] - Comments



Sophos UTM is easy to use thanks to the configurable real-time dashboard, flexible modular licensing, and intuitive reusable network object definitions. Network protection Easily configure firewall rules that cover multiple destinations, sources, and services – plus country blocking and intrusion prevention (IPS).

The annual Pwn2Own contest features live hacking where top cybersecurity researchers duke it out under time pressure for huge cash prizes.

  1. Zoom is the leader in modern enterprise video communications, with an easy, reliable cloud platform for video and audio conferencing, chat, and webinars across mobile, desktop, and room systems. Zoom Rooms is the original software-based conference room solution used around the world in board, conference, huddle, and training rooms, as well as executive offices and classrooms.
  2. UTM will then communicate with the directory server to track the IP address of all logged in users. When a web request is made by a client, the source is checked against all current logged in users. If no user is known to be logged in at the requesting client, then UTM will fallback to Basic User Authentication mode, and prompt the browser to.

Their quest: to prove that the exploits they claim to have discovered really do work under real-life conditions.

Indeed, Pwn2Own is a bug bounty program with a twist.

The end result is still responsible disclosure, where the affected vendor gets a chance to fix any flaws before they are made public, but the bug hunters don’t just submit their bug descriptions with a list of instructions for the vendor to follow and investigate.

The competitors are faced with a standardised, patched, vanilla configuration of the system they’re targeting, set up for them on hardware they didn’t choose theselves, and they have just 20 minutes in which to complete their attack during the competition.

That means there is very little time to adjust, adapt, rethink and rewrite code during the timed part of the event itself, so this really is a showcase for meticulous research, scrupulous preparation, careful rehearsal…

…mixed with a dash of je ne sais quoi and a dose of plain old luck.

The “plain old luck” factor exists because the participants do their demonstrations one after another over three days, with the order chosen randomly just before the competition starts.

If two teams show up with the same exploit, and both of those exploits succeed within the allotted time, then the winner isn’t the one who can prove they found it first during their research phase, but the one who just happened to get the earlier demonstration slot in the draw.

Clearly, the earlier the slot you draw, the less likely you are to get scooped by someone else who just happened to have found the same bug as you.

Greetz from Texas

Traditionally, the North American Pwn2Own event has taken place alongside the annual CanSecWest security conference held in Vancouver, Canada, but this year the official host city was Austin, Texas.

For obvious reasons, the actual hacking teams were distributed all over the world, rather than all travelling to meet in one place.

The full results for 2021 can be found on the Pwn2Own blog, including those who tried but failed, or those who tried but didn’t win any money because some part of their exploit chain was already known.

In some cases, competitors lost out because their exploits had been reported to the vendor before the competition by someone else, but not yet publicly disclosed; in other cases, they lost out simply through the bad luck of drawing a later slot in the competition than other participants who had brought along and exploited the same bugs.

We’ve listed the money-winning entries below – note that this year’s prize money totalled a very healthy $1.21 million!

The prize hierarchy looked like this:

  • $200k for code execution on a server or messaging platform
  • $100k for code execution via a browser
  • $40k for breaking out of a virtualised guest OS into the host OS
  • $40k for “getting root” (more properly, SYSTEM) on Windows 10
  • $30k for “getting root” on Linux

In case you are wondering, EoP below is short for elevation of privilege, which means exactly what it says: it doesn’t get you into a system in the first place, but it does gets you up to superpower level once you’re in.

Interestingly, there was a tenth product that was attacked in the competition, but that doesn’t show up in the list above because it remained unpwned within the allotted time: Oracle’s VirtualBox virtualisation software.

See you next year!

Congratulations to everyone who took part…

…and good news for all the rest of us, because all the bugs that were painstakingly uncovered, understood and used in the attacks above – and note that many attacks required a number of different exploits to be unleashed in a specfic sequence – will now all be fixed.

To learn more about vulnerabilities and how attackers chain them together for more devastating results, listen to our Understanding Vulnerabilities podcast below:

LISTEN NOW – UNDERSTANDING VULNERABILITIES

Podcast originally recorded in 2010. You can also listen directly on Soundcloud.

With so much of the world self-isolating, physically distancing themselves from others and remotely working from home, people are flocking to remote-work apps such as Microsoft, Slack and Zoom – anything that can make them feel connected by teleconference or videoconference.

Well, hang on to your hats, hosts: before you set up meetings, you need to know how to block the trolls. Specifically, if you’re using the Zoom videoconferencing app to connect people, you need to configure meetings so your participants don’t wind up connecting to the closest receptacle as their guts suddenly start to churn.

I’m talking about ZoomBombing: a new form of trolling in which asshats use Zoom’s screensharing feature to scorch other viewers’ eyeballs with the most revolting videos they can find, be they violent, pornographic, or a mixture of multiple revolting ingredients into a bile-rising cocktail.

As TechCrunch reports, on Tuesday, WFH Happy Hour – a popular daily public Zoom call hosted by The Verge reporter Casey Newton and investor Hunter Walk – got ZoomBombed. Dozens of attendees were suddenly exposed to disturbing imagery when a troll entered the call and screenshared a brain-scorching fetish video along with other “horrifying” sexual videos, Josh Constine reports.

Attendees of the WFH Happy Hour videoconference found it futile to block the barrage. The perpetrator simply re-entered the call under a new name and kept up the screensharing of nastiness. Since they couldn’t stop the assaults, the hosts simply ended the call.

It doesn’t have to be this way

Unfortunately, it’s Zoom policy that enables the infliction of this abhorrent content. To wit:

Sophos Utm Zoom

The host does not need to grant screen share access for another participant to share their screen.

By default, any participant in a meeting can share their video, screen, and audio.

“By default?” To avoid this kind of horror show, the setting should really be “screensharing only with moderator permission.” Be that as it may, hosts can disable the option in settings, pre-meeting, by changing screensharing to “Host Only.” Otherwise, during the meeting, hosts can turn on that setting as soon as they see that the screensharing feature is being abused.

Here’s where you can check out Zoom’s instructions on managing participants in a meeting.

As well, Tech Crunch passed along these tips from entrepreneur Alex Miller on other ways to protect your Zoom calls:

  • Disable “Join Before Host” so people can’t cause trouble before you arrive.
  • Enabling “Co-Host” so you can assign others to help moderate.
  • Disable “File Transfer” so there’s no digital virus sharing.
  • Disable “Allow Removed Participants to Rejoin” so booted attendees can’t slip back in.

Don’t be like The Verge’s Newton, who found himself apologizing to his parents, who were on the #WFHappyHour call on Tuesday for the first time. He told Tech Crunch that he didn’t capture screenshots of the attack since he was too busy screaming. Constine quoted him sometime after his heart rate returned to normal:

Today we all learned an important lesson about disabling screen sharing and saw once again the importance of good content moderation.

Haven’t we learned this lesson before?

Sophos utm zoom exceptions

Yes, we kind of have: ZoomBombing is the latest iteration of an ancient fad known as bluejacking that first popped up in 2003. It allowed pranksters to exploit mobile phones’ Bluetooth technology, which lets devices communicate with each other up to a range of about 30 feet. When Bluetooth is activated, it automatically seeks out other Bluetooth devices in the vicinity, and that lets people send anonymous messages to each other.

Or, say, pictures of their junk. In 2017, one woman was subjected to 120 down-the-pants selfies via iPhone AirDrop while riding public transport.

Now’s as good a time as any to remind everybody that inflicting depictions of wobbly flesh on others is a crime. In England, sending indecent images is classified under section 66 of the Sexual Offences Act (2003), given that it’s the same as exposing genitals and intending that the recipient “see them and be caused alarm or distress”. At least back in 2017, the penalty for breaking the law was a prison term of up to two years.

Sophos Utm Zoom Login

Latest Naked Security podcast

Sophos Utm Zoom Qos

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.