
April 30, 2020
With a lot more people on Zoom and lots of bored people at home, jumping on random Zoom conferences and playing porn or just being verbally disruptive is becoming a thing. Is your firm using Zoom? Are you sending educational messages, blocking Zoom or taking other actions?
8 Comments
Zoom has patched the Facebook plug-in leak, be sure to upgrade.
Zoom session numbers are 7-9 digits, so some bored people at home are jumping on random Zoom conferences to disrupt them. Use a password for each conference. The password will be passed with the meeting invite, so there is no inconvenience to it.
Some other suggestions from media articles:
• Don’t make meetings or classes public. You can require participants to use a password, or the meeting manager can make participants first appear in the waiting room and be admitted individually.
• Invite with care. Do not share links to your meeting on social media. Email or text them directly to participants.
• Limit screen sharing. Hosts can prevent others from posting video by changing the screen sharing options to “Host Only.”
• Lock the door. You can close your meeting to newcomers once everyone has arrived. Hosts can click the Participants tab at the bottom of the Zoom window to get a pop-up menu, then choose the Lock Meeting option.
• Use your silencer features. You can disable video for participants and mute an individual or all attendees.
• Cut out the chatter. The host can disable the ability to text chat during the session to prevent the delivery of unwanted messages.
• Boot the uninvited. Hosts can remove a participant by putting the mouse over that name and choosing the Remove option. Allen says you can block people from rejoining meetings if they were removed.
• Preparation. Make sure participants have the latest version of Zoom’s software, which was updated in January. That update added meeting passwords by default and disabled a feature allowing users to randomly scan for meetings to join.
Cisco Webex Teams has true end-to-end encryption where encrypted transport meets at a server the client controls. In this way, the client has the encryption keys, not Cisco.
Microsoft Teams, Skype and Zoom all use a model in which encrypted transport connections terminate at their own servers, where they control the encryption keys. While that qualifies as full encryption, it is possible for those vendors to monitor the communication if they wish.
According to the Skype Security Wikipedia page:
Eavesdropping by design
Chinese, Russian and United States law enforcement agencies have the ability to eavesdrop on Skype conversations, as well as have access to Skype users’ geographic locations. In many cases, a simple request for information is sufficient, and no court approval is needed. This ability was deliberately added by Microsoft after they purchased Skype in 2011 for the law enforcement agencies around the world. This is implemented through switching the Skype client for a particular user account from the client-side encryption to the server-side encryption, allowing dissemination of an unencrypted data stream.[10][11][12]
We always use passwords on all meetings. One of our attorneys’ kids’ online classes was Zoom bombed and it was recorded for posterity. The video is hilarious….
Is it online?
No, they locked it down but the attorney showed it to me.
Citizen Lab at the University of Toronto has performed a crypto analysis of zoom and found a number of problems:
1) A single AES-128 encryption key in ECB mode for all participants, which, unlike Apple FaceTime and Cisco Teams, does not change as participants are added and removed
2) They allow self-signed digital certs, which enables man-in-the-middle attacks such as the authors performed.
3) The choice of AES-128 ECB uses fixed blocks with no chaining, so accidental or intentional changes are not detected
4) They found a security flaw in Zoom Waiting rooms which they have only disclosed to Zoom so far. They recommend avoiding waiting rooms until the bug is fixed.
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
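An added illustration of findings 1 and 3 in the comment above, written for this page (it is example code, not Citizen Lab's or Zoom's). The 48-byte "frame", the key and the nonce are constructed values; AES-GCM is chosen here as the contrasting authenticated mode, since the thread does not say which mode Zoom 5 uses. Run it and the ECB half shows a repeated plaintext block producing a repeated ciphertext block, and reordered ciphertext decrypting without any error; the GCM half rejects a single flipped bit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes

// sampleFrame is a constructed 48-byte stand-in for a media frame, not real
// Zoom traffic. Blocks 0 and 2 are identical on purpose.
var sampleFrame = []byte(
	"SAME BLOCK 16 BY" + // block 0
		"second block...." + // block 1
		"SAME BLOCK 16 BY") // block 2, same plaintext as block 0

// ecb applies raw AES to each block independently: no chaining, no tag.
// decrypt selects direction. Decryption can never fail on tampered input;
// it silently returns different bytes, which is finding 3 above.
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	if len(in)%blockSize != 0 {
		return nil, errors.New("input must be a whole number of blocks")
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += blockSize {
		if decrypt {
			c.Decrypt(out[i:i+blockSize], in[i:i+blockSize])
		} else {
			c.Encrypt(out[i:i+blockSize], in[i:i+blockSize])
		}
	}
	return out, nil
}

// repeatedBlocks counts ciphertext blocks identical to an earlier one. Under
// ECB equal plaintext blocks give equal ciphertext blocks, so repeated
// content (silence, a static slide) is visible to anyone watching the stream.
func repeatedBlocks(ct []byte) int {
	seen := make(map[string]bool)
	n := 0
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		k := string(ct[i : i+blockSize])
		if seen[k] {
			n++
		}
		seen[k] = true
	}
	return n
}

// swapBlocks returns a copy of ct with blocks i and j exchanged, the kind of
// reordering an on-path party can do to an unauthenticated ECB stream.
func swapBlocks(ct []byte, i, j int) []byte {
	out := append([]byte(nil), ct...)
	copy(out[i*blockSize:(i+1)*blockSize], ct[j*blockSize:(j+1)*blockSize])
	copy(out[j*blockSize:(j+1)*blockSize], ct[i*blockSize:(i+1)*blockSize])
	return out
}

// newGCM builds an AES-GCM AEAD for contrast. GCM is this example's choice of
// authenticated mode; the thread does not say which mode Zoom 5 uses. Open
// rejects any modified ciphertext instead of returning garbage.
func newGCM(key []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

func main() {
	// Fixed key and nonce so the run is reproducible; real code must use a
	// random key and a never-reused nonce.
	key := []byte("0123456789abcdef") // 16 bytes, AES-128 as in the finding
	nonce := []byte("unique-nonce")   // 12 bytes, GCM's standard nonce size

	ct, _ := ecb(key, sampleFrame, false)
	fmt.Println("ECB repeated ciphertext blocks:", repeatedBlocks(ct))
	pt, err := ecb(key, swapBlocks(ct, 0, 1), true)
	fmt.Printf("ECB decrypt after block swap: err=%v, text=%q\n", err, pt)

	g, _ := newGCM(key)
	sealed := g.Seal(nil, nonce, sampleFrame, nil)
	sealed[0] ^= 0x01 // one bit flipped in transit
	_, err = g.Open(nil, nonce, sealed, nil)
	fmt.Println("GCM open after one flipped bit:", err)
}
```

The point of the side-by-side is that a mode without chaining or a tag gives the receiver no way to notice reordering or bit flips, while an AEAD fails closed; the self-signed certificate finding (point 2) is what would put an attacker in the on-path position this demonstrates.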
Be sure to upgrade to Zoom 5 to get the new security features. However, the AES-256 encryption will not be in force until May 30th, at which point the old client will no longer work.
While Zoom announced that conferences will now default to having a password, if you have changed your preferences, they will not make that change. So you should go into your own Zoom preferences and click the button to add passwords by default.
It is important to always use a password because zWarDialers are constantly scanning for meetings which are not password protected to collect email addresses and malware construction material. You don’t want your clients receiving malware constructed with the material from your Zoom meeting!