Friday, September 11, 2020

10 tips for security and privacy at Zoom

With the introduction of social distancing and quarantine measures, people around the world began to look for new ways to communicate. The convenient and affordable Zoom service quickly gained popularity. But it quickly became clear that the developers were not quite ready for the fact that their creation would attract so much attention.

With this heavy use, Zoom's flaws instantly surfaced. We must give the company its due: Zoom is successful in handling surges and responds quickly to findings from security researchers. However, it is not possible to solve all the problems found with updates - and some of them should be kept in mind. Here are 10 tips to help keep your Zoom communications safe and private.


1. Protect your account

First and foremost, the Zoom account is another valuable account, and it also needs to be protected. Use a strong, unique password and enable two-factor authentication: it will protect your account even if your credentials are leaked online (fortunately, this has not happened yet, but such a nuisance cannot be completely ruled out).

The service has a peculiarity: in addition to the login and password, the user receives a personal conference identifier (Personal Meeting ID, or PMI). It is easy to expose, because you invite people to Zoom meetings through the PMI. Be careful with it: share your PMI only with trusted people, as anyone who knows it can join any online meeting you organize.

2. Use your work mail to sign up for Zoom

Due to a weird glitch that has not been fixed at the time of this writing, Zoom assumes that all email addresses in the same domain (unless it is a very popular domain like @gmail.com or @yahoo.com) belong to the same company. Therefore, the service combines all accounts with the same domain into a group, whose members can view each other's contact information.

For example, this happened to users from Kazakhstan, whose addresses ended with @yandex.kz. The same can happen with clients of other small (or little-known in the West) email providers.

Therefore, we recommend using your work email to sign up for Zoom: it's okay if your work contact information is recognized by colleagues. If there is no such mail, open a mailbox in any popular public domain to keep your personal information private.

3. Beware of Fake Zoom Apps

According to Denis Parinov, a researcher at Kaspersky Lab, in March the number of malicious files, the names of which include the names of popular video communication services (Webex, GoToMeeting, Zoom, etc.), almost tripled compared to last year. This means that attackers are actively exploiting the growing popularity of Zoom and similar applications in an attempt to disguise malware as video clients.

Don't fall for this trick! Download Zoom clients for Windows and Mac only from the official website of the zoom.us service, and applications for mobile devices from the App Store or Google Play.

4. Do not share links to conferences on social networks

Perhaps you want to not only communicate with colleagues or relatives, but also hold public conferences. It is now the only format available for public events - in large part for this reason, Zoom's audience is growing very rapidly. But even if your event is open to everyone, we do not recommend publishing a link to it on social networks.

If you are already familiar with Zoom, then you have probably heard of the so-called "Zoombombing". The term, coined by Techcrunch journalist Josh Constine, refers to troll raids on Zoom to display inappropriate content. Right now, future attacks are being discussed in Discord chats and threads on 4Chan (riddled with trolls).

How do trolls know about upcoming events? It is not difficult to guess: from public sources, in particular social networks. Therefore, try not to post links to Zoom meetings on public resources. If you do need to do this, turn off the Use Personal Meeting ID (PMI) option for these events.

5. Protect each meeting with a password

Password-protecting a conference is the most secure way to restrict the list of participants to those you want to see. It has recently been enabled by default, which is very good (note: do not confuse the conference password with the account password). Like links to events, conference passwords should not pop up on social media or other publicly accessible sites.

6. Turn on the waiting room

The waiting room is another useful feature that is now enabled by default. The idea is that those wishing to join the meeting are put on a "waiting list" and remain on it until the conference organizer approves their participation. This function is especially useful if the conference password has nevertheless ended up in the public domain.

You will also be able to transfer already connected participants back to the waiting room if they begin to interfere with your communication. We recommend that you do not disable this setting.

7. Pay attention to screen sharing settings

Typically, video conferencing apps allow you to share your device screen with other participants, and Zoom is no exception. Pay attention to the following settings:

Who can share the screen: only the host or anyone in the conference. In the case of a public video conference, you definitely do not want random users to have this option, so it is worth turning it off.

Whether simultaneous screen sharing by multiple participants is allowed. If you are not sure whether you need this feature, chances are you do not, and it is best not to allow it. Just keep in mind that there is such a setting.

8. Use a web client whenever possible

Zoom apps have various flaws. For example, one of the versions allowed attackers to gain access to the microphone and camera of the device. Another version allowed websites to add users to calls without their consent. The Zoom developers quickly fixed the above and some other issues. Also, the service stopped sharing user data with Facebook and LinkedIn.

Nevertheless, it is unlikely that all problems can be solved quickly. And in the absence of an independent security assessment, Zoom apps are likely to remain unreliable - for example, continue to disclose user data to third parties.

Therefore, to be sure, we recommend using Zoom in a browser and not installing service applications. The web version runs in a sandbox and does not have the device permissions that applications usually require. This limits the damage it can do.

Unfortunately, there is another problem here. Even if you want to use the web interface, it may turn out that Zoom has decided everything for you: it downloads the installation file and requires the application to connect to the conference. In this case, you can at least limit the number of devices on which the service is installed to only one. Whether it is your second smartphone or a rarely used laptop, choose a device that contains as little personal information as possible. Yes, it sounds like paranoia, but it is better to play it safe.

By the way, if your company uses Skype for Business (previously known as Lync), keep in mind that it supports Zoom conferences and does not have the drawbacks mentioned. So it can be used instead of the Zoom client.

9. Don't Trust Zoom's End-to-End Encryption Ads

Zoom has become popular not only due to its pricing policy and its capabilities, but also because of the end-to-end encryption advertised by its creators. This means that all communications between interlocutors are encrypted and only the call participants can decrypt them (everyone else, including Zoom Video Communications employees, cannot).

Sounds great. But as security researchers have found, this is not the case in practice. Zoom's developers had to admit that by "end-to-end" they only meant encryption up to the Zoom server. That is, although the video is encrypted, company employees, and in some cases law enforcement agencies, can access it. But the text of the chats is really protected with end-to-end encryption, and Zoom employees cannot access it.

We are not urging you to opt out of Zoom immediately - there is no end-to-end encryption in other video conferencing services either. But keep this in mind and try not to discuss really important confidential matters on Zoom.

10. Think about what your interlocutors can see and hear

This point applies to all video communication services, not just Zoom. Before joining a conference, think about what your interlocutors will see and hear. Even if you are alone at home, it is better to tidy yourself up and dress decently. Also remove the password sticker if it is in the camera's field of view.

The same goes for your device screen. If you are going to share it, close all extraneous windows that you do not want others to see. This could be a page of an online store where you are going to buy a gift for one of the participants, or a job search site that your boss is unlikely to be happy to see. Your imagination can supply other examples.
