By William Knowles @c4i
Senior Editor
InfoSec News
April 3, 2020
It seems lately not an hour goes by without news of another ZoomBombing happening, just as I was preparing this story comes this headline from Vermont Senate committee Zoom hearing derailed by porn hacker
A Vermont Senate Committee on Agriculture Zoom hearing, which was being live-streamed on Youtube, was interrupted by a hacker Thursday who screen shared pornographic videos before reaching into his pants.
The sudden outburst came as the committee had been in the midst of discussing school lunch access and how farms were faring during the COVID-19 crisis.
The first sign of trouble began with a sudden outburst of “p—- ass” and a racial slur before a video from the site Pornhub began to play.
Without blaming the Zoom administrators, many of these stories of ZoomBombings remind me of early conversations about using Amazon Web Services and hearing minds blown about insecure EC2 instances. I can’t tell you how many enterprises thought the workloads they ran in AWS were completely secure by default. More than a few shops were counting their stars nothing happened.
I suspect a number of Zoom users naturally feel the same way as early AWS users, but fear not, Zoom has a guide with a number of recommendations to keep your video conferencing secure.
When you share your meeting link on social media or other public forums, that makes your event … extremely public. ANYONE with the link can join your meeting.
Avoid using your Personal Meeting ID (PMI) to host public events. Your PMI is basically one continuous meeting and you don’t want randos crashing your personal virtual space after the party’s over. Learn about meeting IDs and how to generate a random meeting ID (at the 0:27 mark) in this video tutorial.
Familiarize yourself with Zoom’s settings and features so you understand how to protect your virtual space when you need to. For example, the Waiting Room is an unbelievably helpful feature for hosts to control who comes and goes. (More on that below.)
Manage screen sharing
The first rule of Zoom Club: Don’t give up control of your screen.
You do not want random people in your public event to take control of the screen and sharing unwanted content with the group. You can restrict this — before the meeting and during the meeting in the host control bar — so that you’re the only one who can screen-share.
Follow this link for more tips on how to keep your Zoom conferences secure.
Also, Founder and CEO of Zoom, Eric S. Yuan said in a blog posting today that effective immediately, Zoom will have a feature freeze for the next 90 days, and shifting all engineering resources to focus on their biggest trust, safety, and privacy issues.
- Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
- Preparing a transparency report that details information related to requests for data, records, or content.
- Enhancing our current bug bounty program.
- Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
- Engaging a series of simultaneous white box penetration tests to further identify and address issues.
- Starting next week, Yuan will host a weekly webinar on Wednesdays at 10 am PT to provide privacy and security updates to our community.
