Security tips everyone needs to know about Zoom

With the coronavirus pandemic forcing millions of people to work, learn, and socialize from home, Zoom conferences are becoming a default method to connect. And with popularity comes abuse. Enter Zoom-bombing, the phenomenon of trolls intruding into other people’s meetings for the sole purpose of harassing attendees, usually by bombarding them with racist or sexually explicit images or statements. A small sample of the events over the past few days:

  • An attendee who disrupted an Alcoholics Anonymous meeting by shouting misogynistic and anti-Semitic slurs, along with the statement “Alcohol is soooo good,” according to Business Insider. Meeting organizers eventually muted and removed the intruder but only after more than half of the participants had left.
  • A Zoom conference hosting students from the Orange County Public Schools system in Florida that was disrupted after an uninvited participant exposed himself to the class.
  • An online meeting of black students at the University of Texas that was cut short when it was interrupted by visitors using racial slurs.

The basics

As disruptive and offensive as it is, Zoom-bombing is a useful reminder of just how fragile privacy can be in the world of online conferencing. Whereas usual meetings among faculty members, boards of directors, and employees are protected by physical barriers such as walls and closed doors, Zoom conferences can only be secured using other means that many users are unfamiliar with. What follows are tips for avoiding the most common Zoom conference pitfalls.

Make sure meetings are password protected. The best way to ensure meetings can be accessed only when someone has the password is to ensure that Require a password for instant meetings is turned on in the user settings. Even when the setting is turned off, there’s the ability to require a password when scheduling a meeting. It may not be practical to password protect every meeting, but conference organizers should use this measure as often as possible.

When possible, don’t announce meetings on social media or other public outlets. Instead, send messages only to the participants, using email or group settings in Signal, WhatsApp, or other messenger programs. This advice is especially important if you’re the leader of a country, such as the UK. (Fortunately, Prime Minister Boris Johnson had password-protected the meeting and was prudent enough not to have included the passphrase in his tweet. Even then, his tweet divulged the IDs of multiple participants.)

Carefully inspect the list of participants periodically, whenever possible. This can be done by the organizer or trusted participants. Any users who are unauthorized can be booted. (More about how to do that later.)

Carefully control screen sharing. The user settings allow organizers to set sharing settings by default. People who rarely need sharing should turn it off altogether by sliding the button to the right to off. If participants require screen sharing, the slider should be turned on and the setting that allows only the host to share should be enabled. Organizers should allow all participants to share screens only when the host knows and fully trusts everyone in a meeting.

And while you’re at it

The four measures above are cardinal. Here are a few other suggestions for securing Zoom meetings:

Disable the Join Before Host setting so that organizers can control the meeting from its very start.

Use the Waiting Room option to admit participants. This will prevent admittance of trolls should they have slipped through the two cardinal defenses.

Lock a meeting, when possible, once it’s underway. This will prevent unauthorized people from joining later. Locking a meeting can be accomplished by clicking Manage Participants and using the controls that appear on the right of the meeting window. Manage Participants also allows an organizer to mute all participants, eject select participants, or stop select participants from appearing by video.

Be aware of everything that’s within view of your camera. Whether working from home or an office, there may be diagrams, drawings, notes, or other things you don’t want other participants to see. Remove these from view of the camera before the meeting starts.

Beyond the above advice, Zoom users should consider using a browser to connect to meetings rather than the dedicated Zoom app. I prefer this setting because I believe the attack surface on my system—that is, the number of vulnerabilities a hacker can exploit to breach my security—grows with each app I install. In 2020, most browsers are hardened against attacks. Other types of software are less so.

Zoom makes the Web option difficult to find after clicking on the Join a Meeting link. In my testing on a Windows 10 machine, the option appeared only after I uninstalled the Zoom client. Even then, Zoom pushed an installation file after I tried to join a meeting. I was able to use the browser only after refusing the download and choosing Join from your browser. On a Mac, I was able to find the option, even when I had the Zoom client installed, by clicking cancel on the app installation dialog box. A Chrome extension called Zoom Redirector will also make it easy to find the link (Firefox and Edge versions of the open source addon are here). The permissions required by the extension suggest it’s not much of a privacy or security threat.

Users opting for the browser option will have the best results if they use Chrome. Firefox and other browsers will prevent some key features, such as audio and video, from working at all. As a courtesy, meeting organizers can choose a setting that can make it easier for participants to find the option.

Fortunately, Zoom has disabled an attention-tracking feature that allowed organizers to tell when a participant didn’t have the meeting in focus for more than 30 seconds, for instance, because the participant switched to a different browser tab. This capability was intrusive. It’s great that Zoom removed it.

This article was written by Dan Goodin and originally appeared in Ars Technica.

Zoom Alternatives: Rethinking Zoom? How WebEx, Teams and Google Meet and Duo Compare on Privacy and Security

If you’re among the many looking for a new video conferencing tool after adding “zoombombing” to your vocabulary, you’re in luck. While a one-size-fits-all solution doesn’t exist, many other options exist with proven security features. Here’s a roundup of some of Zoom’s competitors and their privacy and security features.

Webex

The Webex video conference platform has been around since 1995 and is a favorite of the privacy-conscious healthcare, information technology, and financial services industries. This is partially due to the fact that all three industries commonly relied on virtual meetings well before the Covid-19 pandemic, but mostly because Webex has a reputation for maintaining robust cybersecurity. Cisco, its parent company, is an industry leader in network hardware, software, and security products.

Webex offers end-to-end encryption. Using it, however, limits popular video options including remote computer sharing and personal meeting rooms. Worth noting: Webex and Cisco products have had security issues in the past.

Microsoft Teams

Like Zoom, Microsoft Teams experienced an uptick in the recent crisis, in part due to its integration with the company’s flagship Office 365 cloud and productivity services. Microsoft says that Teams is encrypted “in transit and at rest,” but details about support for end-to-end encryption are vague.

Like Webex, one advantage of Teams is that its parent company is a major provider of networking, software, and cybersecurity services. Microsoft has an internal rating system for the security of its products, and has designated Teams to be Tier-D compliant, which means that it can adhere to the strictest government and industry security standards and legal requirements.

Neither Microsoft nor Teams is immune to security vulnerabilities, but as a company, Microsoft’s bandwidth to address them when they occur is probably unparalleled. Microsoft also has a more transparent privacy policy, and a better track record when it comes to protecting user and customer data than many of its competitors, including Zoom.

Google Hangouts Meet / Google Duo

Google offers Hangouts and Duo as two of its primary video meeting platforms, both of which offer “free” and paid versions bundled in with its G Suite line of applications. While Google Hangouts offers similar functionality to Zoom, it limits each video conference to 25 attendees. Other considerations include a long history of security and privacy concerns and the fact that Google Hangouts doesn’t offer end-to-end encryption.

Duo is end-to-end encrypted, and can support video meetings with up to twelve attendees.

Like Cisco and Microsoft, Google has more resources dedicated to cybersecurity, but the company has a lengthy track record of mining user data, especially for “free” services. The company is also notorious for quickly and unceremoniously dropping support for many of its projects, and has done so with several previous video conferencing and meeting apps.

Is Zoom Worth Sticking With?

It depends on your business needs. Zoom’s rapid increase in popularity in an already crowded market is a testament to its many qualities, features, and ease of use.

The company has made some misleading claims about user privacy and data, and the recent discovery of multiple serious security vulnerabilities will test the company’s ability to support and sustain its user base.

A good sign is that Zoom announced a 90-day freeze on any new features so it can focus on security and privacy issues. This move could help the platform and the company to continue the meteoric rise in the number of people using the service.

For industries with stringent data privacy and security requirements, platforms like Webex or Microsoft Teams may be a better fit, but every company, platform, and technology has its own set of drawbacks and vulnerabilities. The main takeaway is that every company, regardless of size, needs to have a solid understanding of what its own internal security needs are in order to make an informed decision. 

This article was written by Adam Levin and originally appeared in Inc.
