Over the past few weeks, the use of Zoom video conferencing software has exploded, but with the increase in use, there have been notable security concerns that have surfaced. An article in The Hacker News explores the issues that have come up and what Zoom has done to address them. Below are the main takeaways.
- As with any application, the more it is used, the more flaws will be discovered. Because of the increase in usage and scrutiny of security flaws, Zoom has announced a 90-day freeze on releasing additional features to focus its resources on identifying, addressing and fixing any issues.
- A weakness in Zoom’s Windows app made it vulnerable to UNC path injections that could allow remote attackers to steal Windows login credentials. Zoom issued a patch on April 2 to address this bug.
- Zoom has had several issues with background data being collected that it has addressed by either clarifying its privacy policies or disabling the feature in question.
- A phenomenon called “Zoom-bombing” has been used to drop into an unprotected meeting and take over screen-sharing capabilities. Zoom began enabling the Waiting Room feature, which allows the host to control when or if a participant joins the meeting and requires users to enter a meeting password.
To read the full article, see this link: https://thehackernews.com/2020/04/zoom-cybersecurity-hacking.html
Conclusion
Because of Zoom’s quick response to the reported issues Southwest Cyber believes the use of Zoom for virtual meetings is acceptable with the following precautions:
- Always use a meeting password.
- Do not share the meeting information with anyone who is not attending the meeting.
- Do not share any confidential information or documents within the meeting itself. Follow the standard company process for sharing these documents (email, company portal, etc.).
- Use caution with the chat feature, as these conversations are available later if the meeting is being recorded.
Kaspersky published an article containing security and privacy tips for using Zoom. They are summarized below.
1. Protect your account by using a strong password and two-factor authentication and not sharing the Personal Meeting ID that is assigned.
2. Use your work email to register (not gmail or other common domain accounts).
3. Only download the Zoom app from the official Zoom website (www.zoom.us) for your computer or the App Store/Google Play for mobile devices.
4. Don’t share your meeting link on social media.
5. Protect every meeting with a password.
6. Enable Waiting Room so you can screen attendees.
7. Limit screen-sharing ability to only those who need to share screens.
8. Use Zoom’s website interface rather than installing the app on your device if you can.
9. Don’t discuss confidential information during the meeting.
10. Before joining the meeting, close any apps or windows on your desktop that you wouldn’t want anyone seeing.
You can read more detail behind these recommendations at https://www.kaspersky.com/blog/zoom-security-ten-tips/34729/