Zoom Security Tip: Avoid The App And Do This Instead, Here’s Why
If you're a Zoom user, a simple tip can make you more secure.
Despite recent security and privacy issues, people are using Zoom more than ever. The popular video conferencing platform recently announced it has 300 million daily users—100 million more than it had at the start of April and an extraordinary increase on the 10 million Zoom users at the end of last year.
I’ve written multiple articles about Zoom’s security and privacy problems, including tips on how you can still use the service and stay secure.
Zoom’s now launched a number of measures aimed at preventing issues such as “Zoom bombing”—which can see uninvited guests crash your chat. However, if you’re a Zoom user rather than a host, and you’re taking an exercise class for example, there’s a really simple step you can take to increase your security.
Rather than downloading and installing the Zoom app, you can increase your security by using the web interface to access your meeting. This is because modern web browsers are built in a way that makes you more secure—the Zoom web version operates within the restricted environment of your “browser sandbox”, and this reduces the amount of harm a security issue in the app can do.
This advice is set out in a blog post written by security company Kaspersky. As the post highlights, shunning the app helps you avoid security issues such as the flaw in the Mac Zoom app that allowed hackers to take over your camera and microphone. The issue is now fixed, but more like it will still turn up in the future.
David Emm, principal security researcher at Kaspersky, points out that while Zoom is doing a lot to address security issues, “there’s no such thing as 100 per cent security and there’s always the risk that code will contain a vulnerability.”
And the fact that Zoom is adding users so rapidly makes it a bigger target than most. “Criminals are always on the lookout to exploit any vulnerabilities they can find,” Emm says.
“At the moment, there aren't any known issues with the Zoom app, but that could all change overnight, and there will likely be more issues found at some point,” says security researcher Sean Wright. However, he points out that Zoom reacted quickly and fixed previous vulnerabilities, meaning it’s likely the firm would do the same again.
Fake Zoom apps and one annoying catch
Another issue is that there are a ton of fake Zoom apps around, which are actually dangerous malware.
In March, Kaspersky security researcher Denis Parinov found the number of malicious files incorporating the names of popular video conference services including Zoom had roughly tripled compared with the previous year.
If you do have to use the app, you should always go to Zoom’s official site to download the Mac or Windows app, or the Google Play Store or Apple App Store for mobile devices.
There is one annoying catch, though. If you want to use the web interface, Zoom sometimes just goes ahead and downloads the installer, and you have to install the app. If this does happen, Kaspersky advises you to limit the number of devices on which Zoom is installed to just one.
“Let it be your secondary smartphone or, say, a spare laptop,” Kaspersky says. “Choose a device with next to no personal information. We know that sounds somewhat paranoid, but better safe than sorry.”
General Zoom security tips
Zoom’s improving its security all the time, but you should still approach it with caution for anything too private and consider an alternative such as Signal, FaceTime or Jitsi.
And there are other things you can do to improve your security on Zoom as a host or participant, such as limiting the number of accounts you create. Participants don’t need to create a Zoom account, so avoid doing so if you can.
“A general security best practice is to only install apps and create user accounts when strictly necessary,” says security professional John Opdenakker. “The less apps and accounts you have, the smaller the chance of your devices and data being compromised.”
Meanwhile, hosts should take advantage of the Waiting Rooms feature, as well as using strong passwords and avoiding sharing meeting links, says ESET cybersecurity specialist Jake Moore.
He advises users who do set up a Zoom account to use two factor authentication on their email address and to “never reuse passwords.”
Zoom is making improvements all the time, so by all means, continue to use it for your exercise classes and business meetings, but also consider these tips to improve your security.
Zoom security: Your meetings will be safe and secure if you do these 10 things
As the novel coronavirus spread across the globe, the business landscape was forced to make a number of swift changes.
Lockdowns and social isolation measures, restricted travel, and the closure of firms not considered to be “essential” services proved to be a catalyst for home working, of which many of us were woefully unprepared to accommodate.
At the time of writing, there are 1.9 million coronavirus cases worldwide. The United States, Spain, Italy, and France are the hardest hit.
Stringent measures that prevent employees from going into offices have required many companies, large and small, to adopt remote and virtual alternatives to stop operations from grinding to a complete halt.
Email and the use of Virtual Private Networks (VPNs) aren't enough; workers and management need to be able to hold meetings, too.
There is a range of virtual conference solutions out there, including Skype, Microsoft Teams, BlueJeans, and GoToMeeting. (ZDNet's top enterprise picks can be accessed here).
A few weeks ago — although it may seem a lifetime — Zoom was not a well-known virtual conference option in the enterprise space. Almost overnight, however, it seemed everyone had adopted the platform as the go-to option to hold lessons, business meetings, and sensitive discussions.
Over 2020, the company has added 2.2 million new monthly users, outstripping the entire 2019 new user base of 1.19 million.
Zoom's explosive surge in popularity, however, has created security ramifications. You could almost feel sorry for the company — with its unexpected growth, the spotlight has also been shone on Zoom's security practices, some of which have fallen short of modern expectations.
In July 2019, a researcher disclosed a severe security issue in which Zoom opened up webcams to persistent spying and compromise; a bug that stayed in place even if the software was uninstalled due to a leftover local web server.
Now, more issues have been uncovered, including security flaws in the Windows 10 build of the platform's software, iPhone user data being sent to Facebook whether or not the user had an account with the social media network, and a bug in URL generation that permitted attackers to eavesdrop on private conferences.
Zoom has also acknowledged that the company's “end to end encryption” marketing practices masked the truth. AES-256 encryption was meant to be implemented to keep video calls secure, but instead, a substandard AES-128 key in ECB mode was actually in use. Encryption remains a sticking point that the company insists it is working on.
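The point about ECB mode deserves a concrete illustration, because the weakness is not the 128-bit key length but the mode: ECB encrypts every 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks and the structure of a video or audio frame shows through the ciphertext. The Go program below is an added example written for this page, not Zoom's code and not taken from the article's sources. It encrypts a constructed frame of repeated data with AES-128 in ECB and in CBC mode and counts how many ciphertext blocks repeat; the key and IV are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed placeholder key (16 bytes, so AES-128) and IV. Not real values.
var demoKey = []byte("0123456789abcdef")
var demoIV = []byte("fedcba9876543210")

// sampleFrame is a constructed 128-byte "frame" made of eight identical
// 16-byte chunks, standing in for the repetitive structure found in media
// streams (large flat regions of a video frame, silence in audio).
func sampleFrame() []byte {
	return bytes.Repeat([]byte("0123456789ABCDEF"), 8)
}

// ecbEncrypt encrypts each block independently. Go's standard library
// deliberately provides no ECB helper; it is spelled out here only to
// demonstrate the weakness, never as something to deploy.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(plaintext))
	for i := 0; i+bs <= len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// cbcEncrypt chains each block into the next, so equal plaintext blocks
// no longer map to equal ciphertext blocks.
func cbcEncrypt(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// countRepeatedBlocks returns how many ciphertext blocks duplicate an
// earlier block. Anything above zero tells an eavesdropper which
// plaintext blocks were equal without recovering the key.
func countRepeatedBlocks(ct []byte, bs int) int {
	seen := make(map[string]bool)
	repeats := 0
	for i := 0; i+bs <= len(ct); i += bs {
		k := string(ct[i : i+bs])
		if seen[k] {
			repeats++
		}
		seen[k] = true
	}
	return repeats
}

// RepeatsECB encrypts the sample frame in ECB mode and reports leaked repeats.
func RepeatsECB() int {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	return countRepeatedBlocks(ecbEncrypt(block, sampleFrame()), block.BlockSize())
}

// RepeatsCBC does the same in CBC mode; with chaining, no block repeats.
func RepeatsCBC() int {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	return countRepeatedBlocks(cbcEncrypt(block, demoIV, sampleFrame()), block.BlockSize())
}

func main() {
	fmt.Printf("AES-128-ECB: %d of 8 ciphertext blocks repeat an earlier block\n", RepeatsECB())
	fmt.Printf("AES-128-CBC: %d of 8 ciphertext blocks repeat an earlier block\n", RepeatsCBC())
}
```

Running it shows 7 repeated blocks under ECB (all eight ciphertext blocks are identical) and 0 under CBC with the same key and data. Switching to a 32-byte key would change nothing about the ECB result, which is why the mode, not the key size, is the security-relevant part of the finding; a modern deployment would use an authenticated mode such as AES-GCM rather than either of these.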
Google, SpaceX, the New York City Department of Education, the Taiwanese, Australian, and German governments, to name but a few agencies, have banned employees from using the software until Zoom's security posture improves.
Zoom has tried to clean up its act, and quickly. To try and prevent Zoom-bombing — the hijack of meetings and a practice the US Department of Justice recently deemed a crime — meeting ID numbers will no longer be shown in address bars.
A dedicated security tab has also been introduced to streamline the process of changing security settings for hosts and meeting attendees.
Zoom has also promised an upcoming change to where data is stored. Starting April 18, paid subscribers can opt in or out of specific data center regions. China, too, has been geofenced to stop information from outside the country from being transferred to the area.
We've covered the basics and some useful tips for experienced users in a guide here. To maintain the security of your next meeting, our recommendations are below:
1. Password protect your meetings
The simplest way to prevent unwanted attendees and hijacking is to set a password for your meeting. Passwords can be set at the individual meeting, user, group, or account level for all sessions. In order to do so, first sign in with your account at the Zoom web portal.
If you want to set up a password at the individual meeting level, head straight over to the “Settings” tab and enable “Require a password when scheduling new meetings”, which will ensure a password will be generated when a meeting is scheduled. All participants require the password to join the meeting.
Subscription holders can also choose to go into “Group Management” to require that everyone follows the same password practices.
2. Authenticate users
When creating a new event, you should choose to only allow signed-in users to participate.
3. Join before host
Do not allow others to join a meeting before you, as the host, have arrived. You can enforce this setting for a group under “Account Settings.”
4. Lock down your meeting
Once a session has begun, head over to the “Manage Participants” tab, click “More,” and choose to “lock” your meeting as soon as every expected participant has arrived. This will prevent others from joining even if meeting IDs or access details have been leaked.
5. Turn off participant screen sharing
No-one wants to see pornographic material shared by a Zoom bomber, and so disabling the ability for meeting attendees to share their screens is worthwhile. This option can be accessed from the new “Security” tab in active sessions.
6. Use a randomly-generated ID
You should not use your personal meeting ID if possible, as this could pave the way for pranksters or attackers that know it to disrupt online sessions. Instead, choose a randomly generated ID for meetings when creating a new event. In addition, you should not share your personal ID publicly.
7. Use waiting rooms
The Waiting Room feature is a way to screen participants before they are allowed to enter a meeting. While legitimately useful for purposes including interviews or virtual office hours, this also gives hosts greater control over session security.
8. Avoid file sharing
Be careful with the file-sharing feature of meetings, especially if users that you don't recognize are sending content across, as it may be malicious. Instead, share material using a trusted service such as Box or Google Drive. At the time of writing, Zoom has disabled this feature anyway due to a “potential security vulnerability.”
9. Remove nuisance attendees
If you find that someone is disrupting a meeting, you can kick them out under the “Participants” tab. Hover over the name, click “More,” and remove them. You can also make sure they cannot rejoin by disabling “Allow Removed Participants to Rejoin” under the “Settings: Meetings – Basic” tab.
10. Check for updates
As security issues crop up and patches are deployed or functions are disabled, you should make sure you have the latest build. In order to check, open the desktop application, click on your profile in the top-right, and select “Check for updates.”
Is Zoom videoconferencing safe to use? – The Mac Security Blog
With much of the world in lockdown, and many people working from home, video-conferencing tools have become essential to hold meetings, and to chat with family. There are a number of such tools, but one, Zoom, has suddenly become the go-to app for hundreds of millions of people.
Yet Zoom has recently been found to have had numerous security and privacy issues, and this platform is now seen as a risk by many governments and companies. In this article, I’ll look at the many issues plaguing Zoom, so you can decide if you want to host or participate in calls using the service, and what precautions you can take.
What is Zoom?
Zoom is an audio- and video-conferencing tool that is available on multiple platforms. You can get apps for Mac, Windows, iOS, and Android, extensions for web browsers, and even an add-in for Microsoft Outlook.
In 2020, the idea of Internet-based video meetings is by no means revolutionary; Skype, now owned by Microsoft, has been around since 2003. Apple’s FaceTime was released in 2010.
Google has its Hangouts—or is it Google Meet? or Google Hangouts Meet?—this service has been rebranded so many times it’s hard to keep track.
And there are plenty of other apps and services you can use for both audio and video conferences, such as GoToMeeting, RingCentral, and WebEx, just to name a few.
Zoom has one advantage: users don’t need to create accounts to use it. To use Skype, you need to set up an account, and you need to know the user names for each person you want to invite on a call.
FaceTime only works with Apple devices, and, as with Skype, you need to manually add each person to a call or meeting by adding them from your contacts, or, if they’re not in your contacts, by entering their Apple ID email address or phone number.
With Zoom, one person creates an account, sets up a meeting, then sends a link to others. Participants can either download the Zoom app to join the meeting, or do so in their web browser.
(Though in my experience, it’s not always possible to join meetings in a browser.) For ease of use, especially among non-tech savvy users, Zoom clearly wins.
And, the quality of Zoom calls is generally better than that of Skype or Hangouts; if you’re a regular user of either of these services, you know how annoying they can be.
But recently many privacy and security issues with Zoom have come to light, and it’s also difficult for users to know how to configure the service to make their meetings safe.
Zoom and privacy
Zoom was initially designed for enterprise use, so one would expect that with a client base of large companies, the company would be attentive to privacy. That doesn’t really seem to have been the case, at least from certain perspectives.
Zoom meetings can be recorded and saved in the cloud, and the service can even make transcripts of meetings, but users may not be aware of this.
And text messages sent during meetings are saved, even if they are not sent to the entire group on the meeting, but only between individuals.
So if you say something about your boss to a colleague, your boss can see this message after the meeting is over—and this is not made clear to users before they send a direct message (which one normally assumes to be a private communication between only the two parties).
Zoom also collects a lot of data about users, and, until there was outcry from privacy advocates, the service sent data to Facebook, even if you didn’t have a Facebook account. Zoom still uses third-party trackers to collect data, even though there is no need to do this to run the service.
Zoom and security
Security and privacy go hand in hand, and with Zoom, weaknesses in one area bleed into the other. A number of issues have been discovered with the Zoom app and the way it communicates.
In July 2019, a security researcher discovered that Zoom installed a hidden web server on Macs that launched on login, ran in the background all the time, and allowed the software to enable the webcam on Macs without users’ knowledge.
This was so serious that Apple opted to use an emergency malware removal procedure to mass-delete the software from Macs—an unprecedented move by Apple.
Zoom has since changed the way the app works on Mac, so this particular issue is no longer a concern in 2020, but it’s worth mentioning that the recently discovered issues are not the first major security problems that have been found in Zoom software.
Zoom has also made claims about its security that are not accurate. The company said that it uses “end-to-end encryption” for its meetings, but this claim is misleading at best.
While meetings are encrypted in transit between the end users and the Zoom servers (which is “transport encryption”—comparable to loading a Web page over HTTPS), Zoom has access to the unencrypted video and audio content as it traverses their service, meaning it isn’t actually end-to-end encrypted from user to user. This means that sensitive discussions over video or audio may be accessible to Zoom employees.
The only part of the service that can optionally have true end-to-end encryption enabled is in-meeting text chat—but this functionality must be enabled by whomever manages your organization’s Zoom account—and therefore, as mentioned previously, your seemingly private chat messages may be accessible to your employer without your knowledge or consent.
An issue was discovered where Zoom on Windows could be leveraged to steal user account credentials, which could be used to access shared network resources.
Zoom displayed data from people’s LinkedIn profiles, allowing participants to potentially snoop on others.
A phenomenon called “zoombombing” allowed people to enter meetings they’re not invited to, potentially sharing pornographic or hate images or shouting profanities. This was so serious that the FBI issued a warning to schools.
In the wake of this, a number of international government agencies and organizations have banned the use of Zoom: this includes Google (since they have their own product, this is understandable), SpaceX, NASA, the New York City Department of Education, and the United States Senate, just to name a few.
Zoom and user configuration
Zoom settings can be confusing, and initially, Zoom meetings did not require passwords. This led to zoombombing (see above), and also Zoom “wardialing,” where people would use software to search for active Zoom meetings to crash. Even if they don’t disrupt the meeting, they could listen in on discussions that may be personal, or may contain sensitive business information.
Zoom now requires that meeting organizers use a password by default, so to enter a meeting you need to have both a link and a password.
The ability to use passwords was present before, but Zoom’s settings are particularly opaque, and most users didn’t even think of the need to protect their meetings.
To understand how to ensure security in Zoom meetings, see the company’s Complete Guide to a Secure Zoom Experience.
Faced with the avalanche of issues around the software, Zoom’s CEO Eric Yuan replied to this criticism in a post on the Zoom blog. It’s obvious that they’re taking these issues seriously, but some of his statements are head-scratchers. He said, “our platform was built primarily for enterprise customers,” and then that,
“…we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”
One would think that if Zoom was designed to be an enterprise product, then security and privacy would be extremely important, but this statement almost seems to suggest that security and privacy may not have been a priority for Zoom until after their reputation had been marred.
The company has since addressed and mitigated some of the issues mentioned above, and in a few cases the speed of Zoom’s response was impressive. Nevertheless, the fact that there were so many serious issues, most of which were discovered just days apart from each other, is worrying.
For now, if you’re just using Zoom to keep in touch with family, you don’t need to worry too much; but do make sure your meetings are password protected.
However, if you’re in a business that holds highly sensitive meetings over Zoom, you might want to try to find a service that has more of a focus on security and confidentiality (Microsoft Teams is often suggested as an alternative, and there are many others).
The recent issues were serious enough for the FBI to issue a warning about the software, and any business that uses Zoom needs to be aware of the risks.
If you use Zoom, be sure to keep your Zoom software updated frequently in the coming months, as new issues are discovered and addressed.
Where can I learn more?
You can hear more about Zoom in episode 129 of the Intego Mac Podcast, and in subsequent episodes, where we discuss the latest revelations about the software.