In IT Security, Remote Workforce

Zoom is currently one of the more popular video-conferencing tools being used and, along with widespread use, comes more opportunities for malicious actors to identify and exploit vulnerabilities.

Please be aware and alert. As the workforce continues to work from home, there is the temptation to be more lax or be at-ease.  As a reminder, the expectation of working from home is to conduct yourself as if you were physically on the premises of your employment location and be mindful of cybersecurity best practices.

If your meetings are more sensitive in nature, you should know that the platform’s claims of end-to-end encryption don’t really hold up, and critics have found the type of encryption it does implement lacking in some ways as well. We have some suggestions for other platforms that have more robust encryption in place below.

For privacy and trolling concerns, though, there are plenty of settings you can tweak to make Zoom a safer place for you and everyone else on the line.

Stop Zoombombs

Every Zoom meeting is based around a 9-digit meeting ID. If that ID becomes public somehow, or trolls find it in a web search or guess it, they can pop into your chats and disrupt them. That’s obviously a problem, and an increasingly common occurrence.

When you launch or schedule a meeting, the options panel lets you generate a random ID for the meeting rather than using your personal one. Using a random ID is another way to avoid trolls, though if you’ve got an office team who always meet with the same ID, you might not consider the extra inconvenience worth it.

To absolutely lock down a meeting, make sure participants need a password to access it. Again, this can be found in the options pane when you create or schedule a meeting. Of course, be careful how you share the password and who you share it with.

Finally, if you look under the advanced options for hosting meetings, you’ll see an Enable Waiting Room option. People are put on hold here before you give them specific approval to join, and it can help to block out anyone you weren’t expecting. All these options can be set on a meeting-by-meeting basis, or configured as defaults by going to your Zoom settings on the web.

Restrict Users

Even with those precautions in place, you’re still not completely protected against unwanted guests, or indeed from bad behavior by the guests that you have invited to your video chat. As a host, you’ve got a few handy options for limiting what other users can do.

For starters, you can restrict screen sharing: If you go to your Zoom settings on the web and click In Meeting (Basic), you’ll see a Screen sharing option to stop anyone except you from sharing the desktops or apps on their computer. You can still grant screen sharing privileges to specific users in a meeting later, if you need to.

The same option is available after you’ve launched a meeting on Windows or macOS. Click the small arrow next to Share Screen, then Advanced Sharing Options, and you can ensure that only you can bring up videos, images, or anything else from your computer or phone.

Another step you can take is to lock a meeting once you’re sure that everyone who needs to join has joined. From the desktop app, click Manage ParticipantsMore, and then Lock Meeting. Just make doubly sure that you weren’t expecting someone who hasn’t yet arrived, as they won’t be able to get in.

Add all of these measures up together and you can be very confident that your next Zoom meeting isn’t about to get rudely interrupted. Be careful not to get complacent though, particularly when it comes to limiting the exposure of the meeting IDs and the passwords that you’re using for your video calls.

Windows Password Stealing

Zoom meetings have side chats in which participants can send text-based messages and post web links.  Zoom makes no distinction between regular web addresses and a different kind of remote networking link called a Universal Naming Convention (UNC) path.  This leaves Zoom chats vulnerable to attack. If a Zoom bomber slipped a UNC path to a remote server that is maliciously controlled into a Zoom meeting , an unwitting participant could click on it. The hacker could capture the password “hash” and decrypt it, giving them access to the Zoom user’s Windows account.  Always scrutinize web links
before clicking on them.

Windows Malware Injection

A hacker can also insert a UNC path to a remote executable file into a Zoom meeting chatroom.  If a Zoom user running Windows clicks on it, the user’s computer will try to load and run the malware.

iOS Profile Sharing

Zoom sends iOS user profiles to Facebook as part of the “log in with Facebook” feature in the iPhone and iPad Zoom apps.  Vice News exposed the practice and Zoom stated it had not been aware of the profile-sharing feature.

Try An Alternative

If you’re not happy with Zoom, then you’ve got plenty of other options to turn to. For example, Google Duo: it recently updated the maximum video chat group size from 8 to 12, it’s available on mobile devices and the web, and video and audio calls are end-to-end encrypted (not even Google can peek at the data).

For those of you with colleagues, family, and friends who are all on Apple devices, FaceTime is an option. Group video chats of up to 32 people are supported, end-to-end encryption is turned on by default, and the apps are simple to use across iOS, iPadOS, and macOS. The downside is, of course, that no one on Windows or Android can join in.

Webex from Cisco is another group video calling tool that supports end-to-end encryption: It’s a little business-focused, but you do get support for video calls of up to 100 people, and a lot of the same features that Zoom brings to the table. The free tier is quite generous at the moment, though we’ll have to wait and see if it remains so after the current global pandemic has passed.

Like Webex, GoToMeeting has been in the virtual meeting business a long time, and includes end-to-end encryption as standard. Unlike Webex, there are no free plans, so you or your company will have to pay $12 a month and up for video calls with up to 150 different people. There’s also a 14-day free trial.

And Most Importantly…

Stay safe out there. Be vigilant and aware of the bad actors. Keep a good privacy and restriction policies. If you have any questions or concerns, please don’t hesitate to reach one of our IT specialists anytime at 858.346.1567 or support@wendego.com.

 

Credits and special thanks: Wired Magazine & Mike Satterlee.

Leave a Comment