Catch Of The Week: Security Tips For Using Zoom

By BECKY RUTHERFORD
Los Alamos

The COVID-19 pandemic has most of the world working, socializing, and going to school from home. This means a significant rise in the usage of video teleconferencing (VTC) services, especially Zoom.

Zoom usage went from 10 million in December 2019 to 200 million in March 2020. It can be a great tool to bring people together in the virtual world, but it is already being abused via an attack known as “Zoom-bombing”. In this attack, uninvited guests hijack VTC meetings by disrupting them with pornographic/hate images and threatening language.

The problem has gotten so bad that the FBI released an advisory warning the public about Zoom-bombing. According to FBI Boston Division’s report, two schools in Massachusetts reported incidents of Zoom-jacking in March. In one case, an attacker dialed into a school’s Zoom meeting and yelled a profanity, then shouted the teacher’s home address. In the other instance, the individual was visible on camera and displayed swastika tattoos.

Numerous other incidents have been reported across the world, including a case in Norway where a naked man hijacked a session attended by 9-year-old students.

Zoom-bombing has become quite the quarantine activity for attackers. There are forums devoted to it, as well as sites devoted to showcasing videos of the shocked victims. There is also a tool called “zWarDial” that allows anyone to search for Zoom meeting IDs that are not password protected. It is becoming easier for these attacks to happen.

Why is this happening? Zoom doesn’t have security “baked in”; by default, meetings are open to all, and screen sharing privileges are granted to all participants. If you are using Zoom to host a meeting, make sure that you take some necessary precautions to ensure that your meeting is safe from these attacks:

Security experts recommend using a randomly generated meeting ID and setting a password on any meeting where you want to limit attendance. Turn on the “require a password” option for meetings in user settings. More information about password settings can be found here: https://support.zoom.us/hc/en-us/articles/360033559832-Meeting-and-Webinar-Passwords-

Don’t announce your Zoom meeting to the world on social media or other public outlets. Only send messages to the participants you want, using email or other messenger programs.

Be in control of screen sharing: set it to “Host-only,” and if a participant requires screen sharing, you can allow it. You should only enable screen sharing when you know and trust everyone in the meeting.

Disable the “join before host” option and use the waiting room option. The waiting room option allows you to screen participants before entry to your meeting, which will keep out uninvited guests.

Disable the “allow removed participants to rejoin” option, so that if you do have to remove an uninvited guest from the meeting, they can’t get back in.

In addition to the above configuration issues, security researchers have uncovered numerous vulnerabilities with the Zoom app. There also are some significant privacy issues; the company has been found to mine user data to sell to third parties. Zoom claimed to provide “end to end” encryption on all VTC meetings; this turned out to be incorrect.

SpaceX has banned all employees from using Zoom, citing “significant privacy and security concerns”.

Technology is fantastic, and it is great that we have tools like Zoom to help us stay connected during these difficult times. If you choose to use Zoom, make sure that you are aware of the risks, and that you are using it securely.

Stay safe, Los Alamos, and Zoom carefully.

Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.
