Security and Zoom

Posted April 6th, 2020 at 6:49 pm.

As the most popular web-conferencing solution on the market (some industry analyses estimate it has almost double the market share of competitors like GoToMeeting), Zoom has become a target for online trolling attacks. Zoom is also facing several investigations and lawsuits about the transparency and security of its practices for sharing data with third-party applications like Facebook. This article discusses things you can do to use Zoom securely.

Protection Against Zoom-Trolling

Trolling attacks have so far stemmed from exploitation of Zoom’s default meeting settings, rather than security gaps in the software itself. Zoom has responded by making defaults for educational licenses such as Bryn Mawr’s more restrictive.

Hosts can take these steps to make it harder for trolls to find/enter meetings:

  • Use a randomly generated meeting ID (default for scheduled and instant meetings) rather than your Personal Meeting ID. Personal Meeting IDs remain the same from meeting to meeting and are therefore more vulnerable to exploitation.
  • Keep the “waiting room” enabled for all participants. A host will have to manually admit participants before they can join the meeting and this gives you the most control over who gets in.
  • Be careful about sharing Zoom meeting links and don’t post them publicly (i.e., on a web page that anyone can access).
    • By default Zoom embeds the meeting password into the auto-generated meeting link (look for pwd= in the link). This enables participants to join by simply clicking the link, but it means anyone who has the link can join. Posting such a link to the Internet makes it easier for trolls to discover it.
    • Instead, if you are hosting a public meeting, use Zoom’s Registration for Meetings option to require people to sign up to receive the meeting link via email.
  • Leave Allow a removed participant to rejoin disabled in your In Meeting (Basic) settings. If you have to remove a disruptive participant from a meeting, this prevents them from rejoining it. (It does not impact people who voluntarily leave a meeting and then rejoin.)
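
A pre-publication check for the embedded-password point above, as an added example that is not part of the original article: it scans text you are about to post for Zoom links carrying pwd= and returns a copy with the passcode removed. The function names, the sample text, and the assumption that join links live on zoom.us or one of its subdomains are illustrative.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Matches http(s) URLs up to whitespace, quotes or angle brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

def is_zoom_host(host):
    """True for zoom.us and its subdomains, not for look-alike hosts."""
    host = (host or "").lower()
    return host == "zoom.us" or host.endswith(".zoom.us")

def strip_passcode(url):
    """Return (url_without_pwd, had_passcode) for a single URL."""
    parts = urlsplit(url)
    if not is_zoom_host(parts.hostname):
        return url, False
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() != "pwd"]
    if len(kept) == len(pairs):
        return url, False  # no pwd= parameter present
    return urlunsplit(parts._replace(query=urlencode(kept))), True

def review_text(text):
    """Return (redacted_text, findings) for text destined for a public page."""
    findings = []

    def _sub(match):
        raw = match.group(0)
        core = raw.rstrip(".,;")   # keep sentence punctuation out of the URL
        trail = raw[len(core):]
        cleaned, had = strip_passcode(core)
        if had:
            findings.append(cleaned)
        return cleaned + trail

    return URL_RE.sub(_sub, text), findings

# Constructed sample text; the meeting ID and passcode are made up.
SAMPLE = (
    "Join us: https://example.zoom.us/j/1234567890"
    "?pwd=Q09OU1RSVUNURUQ&utm_source=newsletter.\n"
    "No passcode in link: https://example.zoom.us/j/1234567890\n"
    "Not Zoom: https://zoom.us.example.net/j/1?pwd=x\n"
)

if __name__ == "__main__":
    redacted, findings = review_text(SAMPLE)
    print(redacted)
    print("Links that embedded a passcode:", findings)
```

With the passcode stripped from the posted link, participants have to receive it through another channel, such as the registration email described above.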

Hosts can make these adjustments to meeting settings (or to their default In Meeting (Basic) settings) to make it harder for trolls to take over a meeting if they do get in:

  • Turn File transfer off to prevent participants (including hosts) from posting files in the chat window.
  • Under Screen Sharing, change Who can share? to Host Only. As host you will still be able to permit participants to share their screens during the meeting, but the participants will not be able to initiate screen sharing themselves.

Hosts can also control participant permissions within a meeting:

  • You can remove a participant by clicking Manage Participants, hovering over their name in the participants list, clicking More and choosing Remove from the drop-down menu.
  • For a full overview of Host controls, see Managing Participants and Host and Co-Host Controls.

Responsibly Sharing Recordings of Zoom Meetings

There have been recent reports of Zoom meeting recordings showing up in online searches. Details are still sketchy, but the reports seem to involve recordings that were posted to streaming services (e.g., YouTube) with default Zoom filenames, which were easy for searchers to reverse engineer. It is not clear at this point whether or to what extent posters intended to publish these recordings.

If you need to create and share recordings of Zoom meetings, LITS recommends:

  • Informing meeting participants that you are recording and how you intend to share/publish the recording.
  • Recording confidential meetings to your hard drive, rather than to Panopto Cloud. Although there is no evidence that Panopto Cloud has been breached, recording to your hard drive removes a level of vulnerability.
  • Uploading confidential videos to Panopto (see Upload a Video to Panopto) and restricting whom you share with.
  • No matter where recordings are stored or how visible they are: delete them once you no longer need them.

Keep Your Zoom App Up-to-Date

Like most software publishers, Zoom provides regular software updates, which may include fixes for security issues.

  • If you are prompted to install an update when you open or close the Zoom app, do it!
  • In the desktop app (Mac or PC), you can click on your user icon and choose Check for Updates to manually check for and install updates.

Third-Party Integrations and Privacy Concerns

The College is being very careful and conservative about third-party integrations with our institutional Zoom license:

  • We have disabled the options to log in with Google and Facebook.
  • We will only enable integrations for platforms with which the college has a contractual relationship that included a review of data security and privacy policies, and then only if integration provides substantial functionality benefits.
  • To date, the only integration we have enabled is turning on the Zoom add-in for Outlook/O365. This add-in enables you to schedule Zoom meetings from within Outlook or your webmail calendar. If you do not wish to link Outlook/O365 and Zoom, we recommend continuing to schedule meetings in Microsoft’s built-in web-conferencing platform, Teams.

Filed under: Web Conferencing, Zoom. By Jenny Spohrer