
Securing Video Meetings, Preventing Zoombombing

Renaming meeting files, setting a unique meeting password, and employing the waiting room feature are just a few tips for safer Zoom meetings.

Gary Audin

April 9, 2020


Recently, thousands of Zoom videos were uncovered online and included everything from elementary classes to business meetings and even intimate moments. Additionally, a malicious actor on a popular dark web forum posted a collection of 352 compromised Zoom accounts on April, according to this Yahoo Finance article. Email addresses, passwords, meeting IDs, host keys, names, and Zoom account types were posted for everyone to see.

 

Government, Education, Enterprises Respond

These security and privacy concerns prompted Department of Education Chancellor Richard Carranza to ban Zoom for use in New York. In lieu of Zoom, he recommended that schools use Microsoft Teams, which is compliant with the Family Educational Rights and Privacy Act (FERPA).

The FBI also issued a statement with regard to Zoom in the classroom and reported that two schools in Massachusetts experienced the following incidents:

  • A Zoom meeting that was being used for an online class was interrupted by an unidentified individual who yelled a profanity and then shouted the teacher's home address.

  • A second Massachusetts school reported that an unidentified individual with swastika tattoos was able to access a video meeting.

Outside of educational settings, the UK’s Ministry of Defense, SpaceX, and NASA have all banned Zoom for employees. Many other organizations that rely on Zoom might have mistakenly thought that Zoom had end-to-end encryption, which it doesn’t.

Protect Your Zoom Call Recordings

Zoom calls can be recorded, but that doesn’t mean the recordings are handled safely. The host decides whether to record and can either save the recording locally or upload it to Zoom servers. This is where the problem comes into sharper relief.

When Zoom saves a video to the host's computer, it uses a default file name that is usually easy to predict. Malicious actors can then simply run a search to discover the file, access the recording, and locate a long stream of videos that anyone can download and watch. Also, many of the videos were recorded with Zoom’s software and saved to a separate online storage space. These also have the same file name and don't require a password to access.

A simple fix is to rename the file, instead of using the default name. If you do record a session, also make sure that public sites that you use, like Dropbox, are set to private mode or protected by a password.
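The rename advice above can be applied across a whole recordings or sync folder. The following Python is an added example, not code from the article or from Zoom: it finds files that still carry a default-style recording name and renames them with a random token. The name pattern and all function names are assumptions; adjust the pattern to what your own client version writes.

```python
from __future__ import annotations

import re
import secrets
import tempfile
from pathlib import Path

# Assumption: default-style names a Zoom client gives local recordings.
DEFAULT_NAME = re.compile(r"^(zoom_\d+\.(mp4|m4a)|audio_only\.m4a)$", re.I)


def find_default_named(root: Path) -> list[Path]:
    """Return files under root that still have a predictable default name."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and DEFAULT_NAME.match(p.name))


def rename_unpredictably(path: Path, label: str) -> Path:
    """Rename to '<label>-<random token><suffix>' in the same folder."""
    safe = re.sub(r"[^A-Za-z0-9_-]+", "-", label).strip("-") or "recording"
    target = path.with_name(f"{safe}-{secrets.token_hex(8)}{path.suffix.lower()}")
    path.rename(target)
    return target


def audit(root: Path, label: str, fix: bool = False) -> list[tuple[Path, Path | None]]:
    """List default-named recordings; with fix=True, rename each one."""
    return [(p, rename_unpredictably(p, label) if fix else None)
            for p in find_default_named(root)]


def demo() -> tuple[int, int]:
    """Run against a constructed folder; returns (found, left after fix)."""
    with tempfile.TemporaryDirectory() as tmp:
        session = Path(tmp) / "2020-04-09 10.00.00 Staff meeting"
        session.mkdir()
        (session / "zoom_0.mp4").write_bytes(b"")      # constructed sample
        (session / "audio_only.m4a").write_bytes(b"")  # constructed sample
        (session / "notes.txt").write_text("agenda")   # must be left alone
        found = len(audit(Path(tmp), "staff meeting", fix=True))
        return found, len(find_default_named(Path(tmp)))


if __name__ == "__main__":
    print(demo())
```

Renaming only removes the predictable name; a shared folder still needs to be private or password protected, as the paragraph says.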

 

Ensure Your Settings Help, Not Hinder

So, what else can enterprises do? In response to these security threats, Zoom has made some further recommendations to ensure safer sessions:

  • Protect your meeting ID. Only send it to the people you want on the call.

  • Set a unique password for the meeting and limit password sharing.

  • If you plan on screen-sharing, set it to host only. This prevents others from invading the session with text or images, a practice known as Zoombombing.

  • Employ the waiting room feature, which will prevent new participants from joining the session without the host’s approval.

  • If you want to block what is behind you, use a virtual meeting room.

A fuller discussion of recommendations is available from Zoom here. Another useful post from the National Cyber Awareness System is “FBI Releases Guidance on Defending Against VTC Hijacking and Zoom-bombing.”

About the Author

Gary Audin

Gary Audin is the President of Delphi, Inc. He has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks as well as VoIP and IP convergent networks in the U.S., Canada, Europe, Australia, Asia and the Caribbean. He has advised domestic and international venture capital and investment bankers in communications, VoIP, and microprocessor technologies.

For 30+ years, Gary has been an independent communications and security consultant. Beginning his career in the USAF as an R&D officer in military intelligence and data communications, Gary was decorated for his accomplishments in these areas.

Mr. Audin has been published extensively in the Business Communications Review, ACUTA Journal, Computer Weekly, Telecom Reseller, Data Communications Magazine, Infosystems, Computerworld, Computer Business News, Auerbach Publications and other magazines. He has been Keynote speaker at many user conferences and delivered many webcasts on VoIP and IP communications technologies from 2004 through 2009. He is a founder of the ANSI X.9 committee, a senior member of the IEEE, and is on the steering committee for the VoiceCon conference. Most of his articles can be found on www.webtorials.com and www.acuta.org. In addition to www.nojitter.com, he publishes technical tips at www.Searchvoip.com.