With the surge in people using Zoom, we now hear about security issues ranging from Zoombombing (crashing a meeting you’re not invited to and sharing explicit materials), to Zoom’s Mac application sharing data with Facebook and other third-party sites, to threat actors taking over cameras and microphones to gain access to computers through the Mac application.
Securing your Zoom meetings
Zoom fixed the vulnerabilities associated with Apple, but Zoombombing is still a concern. Below are actions to prevent this from happening to you:
1. Add a Password
When creating a new Zoom meeting, Zoom will automatically enable the “Require meeting password” setting and assign a random 6-digit password. Do not uncheck this option, as doing so will allow anyone to gain access to your meeting without your permission.
2. Use Waiting Rooms
Zoom allows the host (the person who created the meeting) to enable a waiting room feature that prevents users from entering the meeting without first being admitted by the host. Enable this feature during the meeting creation by opening the advanced settings, checking the ‘Enable waiting room’ setting, and then clicking on the ‘Save’ button.
When enabled, anyone who joins the meeting will be placed into a waiting room where they will see this message: “Please wait, the meeting host will let you in soon.”
The meeting host will be alerted when anyone joins the meeting and can see those waiting by clicking on the ‘Manage Participants’ button on the meeting toolbar.
The host can then hover over each waiting user and ‘Admit’ them if they belong in the meeting.
3. Keep Zoom Client Updated
Install updates from Zoom. The latest updates enable meeting passwords by default and add protection from people scanning for meeting IDs.
With Zoom so popular at this time, more threat actors will focus on it to find vulnerabilities. By installing the latest updates as they are released, you will be protected from the vulnerabilities that have been discovered and fixed.
4. Do Not Share Your Meeting ID, or Better Yet, Use an Auto-generated Meeting ID
Each Zoom user is given a permanent Personal Meeting ID (PMI) that is associated with their account.
If you give your PMI to someone else, they will always be able to check if there is a meeting in progress and potentially join it if a password is not configured.
Instead of sharing your PMI, create a new meeting each time and share it with participants as necessary.
5. Disable Participant Screen Sharing
Limit screen sharing to the host to prevent your meeting from being hijacked.
As a host, this can be done in a meeting by clicking on the up arrow next to ‘Share Screen’ in the Zoom toolbar and then clicking on ‘Advanced Sharing Options’.
When the Advanced Sharing Options screen opens, change the ‘Who Can Share?’ setting to ‘Only Host’.
6. Lock Meetings When Everyone Has Joined
If everyone has joined your meeting and you are not inviting anyone else, you should Lock the meeting so that nobody else can join.
To do this, click on the ‘Manage Participants’ button on the Zoom toolbar and select ‘More’ at the bottom of the Participants pane. Then select the ‘Lock Meeting’ option.
7. Do Not Post Pictures of Your Zoom Meetings
If you take a picture of your Zoom meeting, anyone who sees this picture will be able to see the associated meeting ID. Uninvited guests can use this to try to access the meeting.
For example, the UK Prime Minister tweeted a picture of the “first-ever digital Cabinet” and included in the picture was the meeting ID.
This could have been used by attackers to try to gain unauthorized access to the meeting by manually joining via the displayed ID.
Thankfully, the virtual cabinet meeting was password-protected, but it does illustrate why all meetings need to use a password or at least a waiting room.
8. Do Not Post Public Links to Your Meetings
When creating Zoom meetings, you should never publicly post a link to your meeting.
Doing so will cause search engines such as Google to index the links and make them accessible to anyone who searches for them.
As the default setting in Zoom is to embed passwords in the invite links, once a person has your Zoom link, they can Zoombomb your meeting.
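A pre-posting check for the embedded-password problem described above, as an added example that is not part of the original article: it scans a draft announcement for Zoom join links, flags any that carry the password in the link, and rewrites them without it. It assumes join links have the form `https://<host>/j/<meeting ID>` on `zoom.us` or a subdomain, with the password in a `pwd` query parameter; the sample draft, meeting IDs and password value are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample draft; IDs and password value are made up.
DRAFT = (
    "Join our town hall: https://zoom.us/j/1234567890?pwd=Q29uc3RydWN0ZWQ.\n"
    "Backup room https://example.zoom.us/j/9876543210 (password sent separately)\n"
    "Not Zoom: https://zoom.us.example.net/j/1234567890?pwd=abc\n"
)

def is_zoom_host(host):
    """True only for zoom.us and its subdomains, not lookalike hosts."""
    host = (host or "").lower()
    return host == "zoom.us" or host.endswith(".zoom.us")

def audit_invite_links(text):
    """Return one finding per Zoom join link found in text."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)!?")  # drop sentence punctuation
        parts = urlsplit(url)
        path = re.fullmatch(r"/j/(\d+)/?", parts.path)
        if not is_zoom_host(parts.hostname) or not path:
            continue
        query = parse_qsl(parts.query, keep_blank_values=True)
        kept = [(k, v) for k, v in query if k.lower() != "pwd"]
        findings.append({
            "url": url,
            "meeting_id": path.group(1),
            "embedded_password": len(kept) != len(query),
            "stripped_url": urlunsplit(
                (parts.scheme, parts.netloc, parts.path, urlencode(kept), "")),
        })
    return findings

def strip_passwords(text):
    """Rewrite the draft so no Zoom join link carries its password."""
    for finding in audit_invite_links(text):
        if finding["embedded_password"]:
            text = text.replace(finding["url"], finding["stripped_url"])
    return text

if __name__ == "__main__":
    for finding in audit_invite_links(DRAFT):
        status = "PASSWORD IN LINK" if finding["embedded_password"] else "ok"
        print(f"{finding['meeting_id']}: {status}")
    print(strip_passwords(DRAFT))
```

A stripped link still exposes the meeting ID, so the password and waiting-room settings above remain the actual controls.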
9. Be on the Lookout for Zoom-themed Malware
Since the Coronavirus outbreak, there has been a rapid increase in the number of threat actors creating malware, phishing scams, and other attacks related to the pandemic.
This includes malware and adware installers being created that pretend to be Zoom client installers.
To be safe, only download the Zoom client directly from the legitimate Zoom.us site and not from anywhere else.
Check your current version of Zoom
Find and open the Zoom app from your workstation. You can find the version at the bottom center of the application login screen.
Either way, if you open the client and log in (you may need to create an account) you will be prompted to update. You should also be able to download the latest version from here: https://zoom.us/download#client_4meeting. The manual update will overwrite the installed copy.
Unfortunately, cyber criminals are always out there, even during a pandemic. If you need more guidance around virtual meetings through Zoom or other channels, please reach out today to talk to someone on the Hartman team.