
Zoom Upgrades Encryption Keys to What It Promised All Along

It was another week of social distancing or quarantine for most of the world, but Google published findings that it has seen 12 government-backed hacking groups undeterred by the pandemic and, in fact, trying to take advantage of those conditions for intelligence-gathering. Another report found that China, for one, has been busy during the pandemic hacking Uighurs’ iPhones in a recent months-long campaign.

We broke down how Apple and Google are using aggregate smartphone location data to visualize social distancing trends. And in an exclusive interview with WIRED, Federal Bureau of Investigation director Christopher Wray warned that domestic terrorism is a growing threat in the United States.

On top of all the other digital threats, researchers emphasized this week that so-called “zero-click” hacks that don’t require any interaction from users to initiate may be more prevalent and varied than most people realize. Such attacks are difficult to detect with current tools.

And there’s more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.

On Wednesday, the videoconferencing service Zoom announced a number of small but needed security improvements. As Zoom usage has increased during the pandemic, so has scrutiny of the service’s security and privacy offerings. This week’s announcement of incremental improvements is part of a 90-day plan the company announced to overhaul its practices. One change is that Zoom will now offer AES 256 encryption on all meetings, meaning data will be encrypted with a 256-bit key. Zoom previously used AES 128, a reasonable option, but a controversial one in Zoom’s case, because the company claimed in documentation and marketing materials that it used AES 256 all along.

Facebook data from more than 267 million profiles is being sold on criminal dark web forums for £500, or about $618. The information doesn’t include passwords, but does include details like users’ full names, phone numbers, and Facebook IDs. Though such information can’t be used to break into the accounts directly, it can fuel digital scams like phishing. Most of the trove seems to be the same as data found by researcher Bob Diachenko in an exposed cloud repository last month. Even after that bucket was taken down, though, a copy of the information plus an additional 42 million records popped up in a different repository.

A growing number of Nintendo users over the past few weeks had watched fraudsters take control of their accounts, and in many cases use saved credit cards or linked PayPal accounts to buy Nintendo games or currency for the popular game Fortnite. At the beginning of April, Nintendo encouraged users to turn on two-factor authentication to protect their accounts, but it had been unclear how hackers were breaking in. On Friday, the company confirmed that hackers had gained unauthorized access to accounts and announced it was discontinuing users’ ability to log into their Nintendo Accounts using Nintendo Network IDs, from older Wii U and 3DS systems. Nintendo also says it will contact affected users about resetting passwords. On its US customer support page, the company writes, “While we continue to investigate, we would like to reassure users that there is currently no evidence pointing toward a breach of Nintendo’s databases, servers or services.”
