The Green Sheet

Friday, April 17, 2020

Zoom hardens security after 'Zoombombing' attacks

Zoom Video Communications Inc. launched a 90-day security plan, designed to protect channel partner and end-user privacy and security following a trove of “Zoombombing” attacks against the popular video platform. The company disclosed on April 8, 2020, that consultant Alex Stamos, former chief security officer at Facebook, will assist Zoom’s newly formed CISO council and advisory board.

In an April 1, 2020, blog post titled “A Message to Our Users,” Zoom CEO Eric Yuan admitted the company had not foreseen its global spike in usage in public and private sectors. “Usage of Zoom has ballooned overnight – far surpassing what we expected when we first announced our desire to help in late February,” he wrote.

Yuan noted that over 90,000 schools in 20 countries use Zoom for remote education. “To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million," he said. "In March this year, we reached more than 200 million daily meeting participants, both free and paid.”

Hate-fueled attacks

Yuan acknowledged bad actors had exploited Zoom’s vulnerabilities in the initial weeks of the global pandemic. As reports of Zoombombing attacks circulated in TechCrunch, The New York Times and other major media, he doubled down on his promise to protect infrastructure integrity, to ensure that all Zoom users, "new and old, large and small, can stay in touch and operational."

In a March 20, 2020, article titled “‘Zoombombing’: When Video Conferences Go Wrong,” New York Times journalist Taylor Lorenz observed that Zoom's default settings allowed participants to join meetings and share their screens without the host's permission. Trolls used these openings to inject hate speech and pornographic content into meetings, she noted, forcing hosts to shut down events.

“Anyone who has a link to a public meeting can join,” Lorenz wrote. “Links to public Zooms are traded in Facebook Groups and Discord chats, and are easily discoverable on Twitter and public event pages.”

Multipronged defense

In addition to patching vulnerabilities with software updates and educating users on best practices, Zoom took the following steps to improve its security posture:

  • Customized routing options: Paid Zoom customers will be able to customize which data center regions their account can use for its real-time meeting traffic.

  • Meeting, webinar passwords: Enhanced configuration settings, enabling account owners and administrators to create password requirements, including minimum length, letters, numbers, special characters, or only allowing numeric passwords. Past meetings scheduled with passwords will not be impacted.

  • Meeting IDs: Created one-time random meeting IDs for newly scheduled meetings and webinars, which can now be up to 11 digits long. Zoom Personal Meeting IDs will remain the same; already scheduled meetings will not be impacted.

  • Password for Cloud recordings: Updated password guidelines for hosts who share cloud recordings. Default setting will be on, requiring a complex password to access a shared recording. Existing shared recordings will not be impacted.

  • Re-enabled third-party file sharing: Restored file sharing through third-party platforms such as Dropbox or OneDrive, if configured on the Zoom account, in version 4.6.11.

  • Performance tuning for dashboard data: Repaired performance issues related to missing data and delay on dashboard and reporting.

  • App version: Made Zoom app version clearly visible in all areas.

  • Message preview control: Enhanced Zoom Chat function to enable or disable chat previews.
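The password requirements in the list above (minimum length, required letters, numbers and special characters, or a numeric-only mode) are the kind of policy an administrator configures and then has to trust the platform to enforce. The following is an added illustration written for this article, not Zoom's own code or an interface to it: it models such a policy as a small validator, plus a generator that produces compliant passwords from the operating system's CSPRNG. The setting names and the symbol set are assumptions chosen for the example.

```python
"""Illustrative model of a configurable meeting-password policy.

Added example, not Zoom's code: the field names below are assumptions that
mirror the settings described in the article (minimum length, required
letters/numbers/special characters, or a numeric-only mode).
"""
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional

# Constructed symbol set for the example; any agreed set of symbols would do.
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 6
    require_letters: bool = False
    require_numbers: bool = False
    require_special: bool = False
    numeric_only: bool = False  # when set, overrides the character-class rules


def validate(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the rules the password violates; an empty list means compliant."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.numeric_only:
        # Strict ASCII digits: str.isdigit() would also accept superscripts etc.
        if not password or any(c not in string.digits for c in password):
            failures.append("must contain digits only")
        return failures
    if policy.require_letters and not any(c.isalpha() for c in password):
        failures.append("missing a letter")
    if policy.require_numbers and not any(c in string.digits for c in password):
        failures.append("missing a number")
    if policy.require_special and not any(c in SPECIALS for c in password):
        failures.append("missing a special character")
    return failures


def generate(policy: PasswordPolicy, length: Optional[int] = None) -> str:
    """Generate a random password satisfying the policy, using `secrets` (CSPRNG)."""
    length = max(length or policy.min_length, policy.min_length)
    if policy.numeric_only:
        return "".join(secrets.choice(string.digits) for _ in range(length))
    # Guarantee one character from each required class, then fill the rest
    # from the full alphabet and shuffle so the required characters are not
    # always in the same positions.
    required = []
    if policy.require_letters:
        required.append(secrets.choice(string.ascii_letters))
    if policy.require_numbers:
        required.append(secrets.choice(string.digits))
    if policy.require_special:
        required.append(secrets.choice(SPECIALS))
    if len(required) > length:
        raise ValueError("length too short for the required character classes")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    chars = required + [secrets.choice(alphabet) for _ in range(length - len(required))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    strict = PasswordPolicy(min_length=8, require_letters=True,
                            require_numbers=True, require_special=True)
    print(validate("abc", strict))          # lists every violated rule
    print(validate(generate(strict), strict))  # [] for a generated password
```

The validator reports every violated rule rather than stopping at the first one, which is what an administrator's settings page needs in order to explain a rejection; the numeric-only mode short-circuits the character-class rules because, as the article describes, it is an alternative to them rather than an addition.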

Cyber-hygiene protocols

Security analysts applauded Yuan for his transparent, decisive response to recent Zoombombing attacks. Cybersecurity expert Chuck White, CTO at Fornetix, recommends reviewing Zoom’s 90-day plan, published April 1, 2020, on Zoom’s blog, and implementing meeting passwords when using the Zoom platform.

Organizations must continue to address top threats to data security, White stated, by shielding remote workers from cyber risks and employing cyber-hygiene protocols to mitigate system protection failures. He added that to effectively protect sensitive data, IT managers must identify all of the places where data resides and employ an encryption strategy that covers their entire infrastructure out to the edge.

Yuan plans to share further details about Zoom’s new security updates and feature sets in an “Ask Eric Anything” webinar on April 22, 2020 at 10 a.m. EST. For additional details or to register for the event, visit: zoom.us/webinar/register/WN_9jdr63uuRuSRBX-yEJ2zVQ?id=3IWjZb4JTJm0II3A4lkBOg.

Additional information about Zoom’s 90-day security plan and software updates can be found at: blog.zoom.us/.
