How To Zoom Safely


With so many people working from home, more people are “zoom bombing” into private Zoom meetings. Here’s how to protect yourself and your company from these and other Zoom-related threats.

Notice: Get more helpful Cyber Security Information by signing up for our Cyber Security Updates email list

With so much of the business world almost instantly beginning to work from home due to the global COVID-19 pandemic, the need to remotely collaborate with those we work with has become hugely important. One of the most popular collaboration tools is Zoom (www.Zoom.us), but the world is quickly discovering that as wonderful as Zoom is, like many other cloud-based systems, it is vulnerable to breaches and other security issues. That is why Digital Uppercut has put together this guide to “How To Zoom Safely.”

Watch The Video: How To Zoom Safely

Update: Response to this article has been overwhelming. Many of our readers asked where to find these settings, and how to set them, so we made a video for you to show you exactly that, plus a few additional settings and features. Read the article, then watch the video.

 

The Risks of a Zoom Breach

At its lowest level, Zoom offers free video conferencing for meetings up to 40 minutes long. And while the price is certainly right, this lowest level of Zoom comes without many of the Zoom security features. All it takes for an intruder to join a Zoom meeting is to guess the seemingly random 9-digit meeting ID number. “Zoom Bombers” -- uninvited intruders who join Zoom meetings -- are simply guessing at a 9-digit meeting ID and attending whatever meeting they happen to find.

While on these calls, they have been known to do a variety of things, including:

  • Listening in and waiting for confidential information to be discussed, such as bank account information, login credentials for other systems, trade secrets, etc.
  • Impersonating a colleague to ask for login credentials to other systems (such as banks or network resources) or to request that funds be allocated, with results similar to other types of “Phishing” activities.
  • Recording private calls without permission, and then threatening to release the videos unless paid a ransom.
  • Sharing their screen with those on the call, often with pornographic images, racial slurs, and other offensive content.
  • Sharing their video and audio with those on the call, also with offensive content.
  • Malicious behavior, taunts, and other interruptions.

This list will certainly grow longer in the weeks and months ahead. So the question about how to Zoom safely becomes even more important.

How To Zoom Safely

A lot of our best advice about how to Zoom safely is similar to our advice about keeping other systems secure: Keep the software current, restrict access to resources, disable unneeded features by default (in the Zoom Settings), use available security features, and be vigilant at all times.

Keep Your Zoom Software Updated

Zoom updates their software approximately twice a month, and sometimes more often when necessary. If there is a new version available, you’ll be notified to update your software. If you would like to know if you’re running the latest version, then open the Zoom desktop client, click on your profile picture, and choose “Check for Updates” from the drop-down menu.

Beware of Zoom Phishing

People are often invited to Zoom meetings with a Zoom “Invitation” that contains a URL. But these links can be malicious, disguised to steal your Zoom credentials or install ransomware or other malware. Check every Zoom invitation link carefully, and make sure you are directed to the real Zoom domain, Zoom.us, rather than ZoomUs or Zoom-US or some other fake URL. According to security firm Check Point, more than 1700 new URLs with “zoom” in the name have been registered so far this year.
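The check described above can be automated, for example in a mail filter or a helpdesk tool. The following is an added example, not part of the original article: it assumes that zoom.us and its subdomains are the only trusted hosts, and the function name and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: zoom.us and its subdomains are the only hosts trusted for
# meeting links, per the article's advice.
TRUSTED_DOMAIN = "zoom.us"

def check_invite_link(url):
    """Return (ok, reason) for a link that claims to be a Zoom invitation."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' is not the host"
    if not host:
        return False, "no hostname"
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return False, "non-ASCII or punycode hostname"
    # Compare on a label boundary: "not-zoom.us" must not pass as "zoom.us".
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, "host is under zoom.us"
    return False, "host is not under zoom.us"

# Constructed sample links; none are taken from real invitations.
SAMPLES = [
    "https://zoom.us/j/123456789",
    "https://us02web.zoom.us/j/123456789?pwd=placeholder",
    "https://zoom-us.example/j/123456789",
    "https://zoom.us.join-meeting.example/j/123456789",
    "https://zoom.us@join-meeting.example/j/123456789",
    "https://not-zoom.us/j/123456789",
    "http://zoom.us/j/123456789",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_invite_link(link)
        print("ALLOW" if ok else "BLOCK", link, "-", reason)
```

Only the first two sample links pass. The others show why matching the word “zoom” anywhere in the link is not enough: the hostname itself has to be zoom.us or end in “.zoom.us”.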

Beware of Zoom Social Engineering

Anyone can send a Zoom invitation. Be sure that the person who is sending you the invitation is who they say they are. For example, someone might have breached a colleague’s email account and sent you a Zoom invitation with the intention of discussing confidential information or asking for login credentials for company resources. Similarly, someone can send a Zoom invitation from a fake email address, yet claim they are someone you know. Be careful who is asking you to join a Zoom call. Verifying with an email, or requesting that Video be activated at the start of the call so you can verify the other person’s identity are two ways to keep yourself and your business safe.

Turn Off Participant Video

If you are the call administrator scheduling a meeting, Zoom gives you the option to prevent participants from sharing their video with the call. If you’re worried about Zoom Bombing with Video, turn this feature on. You can always allow individual participants to turn on video during the call.

Require a Meeting Password

A meeting password is a 3 to 6 digit number that your attendees will be required to enter before joining the call. You set the password when scheduling the meeting. Zoom can also make an invitation link with the password encoded into the link, which allows anyone with the link to join the meeting without the password. However, those who are attempting to Zoom Bomb random meetings by guessing at the 9-digit meeting ID will not be able to join. For an increased level of security, send the meeting invitation without the encoded password, and distribute the password separately.

Use The “Manage Participants” Window

While in a meeting, any user can click on the “Participants” button to view the Participants screen. Keeping the window open will quickly alert you to any uninvited guests joining your call.

Upgrade To A Pro or Business Plan

The Free Zoom membership lacks some very important security features. Paying the $15 a month to upgrade to a Pro account can be well worth the expense for the security features alone. Upgrade from the Free version to Pro to activate the settings below.

Require Registration

You can click the “Require Registration” box when setting up your call. This requires all attendees to register for the call before they are allowed to join. Once registered, each user will receive a unique link to use in order to join the call.

Only Allow Authenticated Zoom Users

When scheduling a meeting, click the “Only authenticated users can join” box, which will require that each user log into their Zoom account prior to joining the call. This means that they will have had to register with Zoom, which is presumably something a cyber-thief or Zoom Bomber would not want to do.

Restrict Screen Sharing

Since Zoom Bombing often results in the appearance of offensive content shared from a screen, turning off Screen Sharing for the participants prevents that. You can permit screen sharing for individual users during the call.

Restrict Recording

If you are worried about unauthorized recordings of your meeting, consider restricting recording of the call. When scheduling your meeting, set Recording to “Host Only.” Of course, you cannot prevent someone from using a screen-capture program on their own computer to record the call, but this option at least removes the easiest option for people who wish to do you harm with a recording. Note also that if someone is recording the call using Zoom, you will see a recording icon on the screen.

Use Waiting Rooms

The Pro plan allows you to activate Waiting Rooms. New callers enter the waiting room, where they must be verified by the call administrator before being allowed to join the actual call.

Zoom Advanced Security

Zoom has a set of Advanced Security features which you can set for your own account, or for your Business and Enterprise users. To access these settings, log into the Zoom website and click My Account. In the Admin section, choose Advanced, and then Security. Among the options you will find there are:

  • Increase Password Strength
  • Require Login after a period of inactivity
  • Require Two-Factor Authentication
  • Allow Single Sign-on using Facebook or Google
  • Allow Single Sign-on using Active Directory, SAML2.0 (available only with Business accounts with more than 10 hosts)

Zoom has full documentation about these and other Advanced Security features on their website.

Update: New Zoom Bug Reveals User Info and Passwords

There’s a new vulnerability in Zoom that is potentially more serious than all the others discussed so far. It allows a malicious intruder to send a link to the participants in the meeting via Zoom chat that could do any of the following…

  • Steal your Windows 10 computer username and password
  • Run a program on another computer on your network, if you mistakenly allow it.
  • Run a program on your computer instantly, even without your permission.

Zoom has not yet fixed this vulnerability but they certainly will. In the meantime, if you use Zoom in a corporate LAN or WAN environment, there is a workaround. It involves updating either your network’s Group Policy or the Registry on individual PCs. This is not something you should do on your own, but rather have your IT team do it for you. If you don’t have someone to do this for you, contact Digital Uppercut. We can help you.

Using Other Online Meeting Systems Safely

Every system is unique, but if you use another online meeting system, you will find that some of this advice can be applied to it as well. For example, many of these settings are also available in GoToMeeting by Citrix, Microsoft Teams, and others.

Keeping Your Whole Business Safe As You Work Remotely

These are unusual times, and just as there are new ways to breach your company with Zoom, there are new ways to breach your company by other means, too, especially with so many new remote workers in not-so-secure work environments at home. Now is not the time to relax your cyber security efforts. In fact, it’s time to make them stronger.

That’s why Digital Uppercut is offering its free Remote Worker Security Suite, which includes:

  • Free Monitored Antivirus Protection for remote users
  • Free Password Management Solutions for companies to securely share information
  • Free Cyber Awareness Training to help prevent Phishing & Social Engineering attacks.

Just reply to this email with your contact information, or call my office at 818-913-1335 and let’s protect your business with these free tools. And now that you’ve learned how to Zoom safely, you should add these measures to your daily routine as well.
