Security and Zoom

Posted April 6th, 2020 at 6:49 pm.

As the most popular web-conferencing solution on the market (some industry analyses estimate it has almost double the market share of competitors like GoToMeeting), Zoom has become a target for online trolling attacks. Zoom is also facing several investigations and lawsuits about the transparency and security of its practices for sharing data with third-party applications like Facebook. This article discusses things you can do to use Zoom securely.

Protection Against Zoom-Trolling

Trolling attacks have so far stemmed from exploitation of Zoom’s default meeting settings, rather than security gaps in the software itself. Zoom has responded by making defaults for educational licenses such as Bryn Mawr’s more restrictive.

Hosts can take these steps to make it harder for trolls to find/enter meetings:

  • Use a randomly generated meeting ID (default for scheduled and instant meetings) rather than your Personal Meeting ID. Personal Meeting IDs remain the same from meeting to meeting and are therefore more vulnerable to exploitation.
  • Keep the “waiting room” enabled for all participants. A host will have to manually admit participants before they can join the meeting and this gives you the most control over who gets in. Starting Sept. 27, Zoom will require all meetings to have a password or have the waiting room enabled.
  • Be careful about sharing Zoom meeting links and don’t post them publicly (i.e., on a web page that anyone can access).
    • By default Zoom embeds the meeting password into the auto-generated meeting link (look for pwd= in the link). This enables participants to join by simply clicking the link, but it means anyone who has the link can join. Posting such a link to the Internet makes it easier for trolls to discover it.
    • Instead, if you are hosting a public meeting, use Zoom’s Registration for Meetings option to require people to sign up to receive the meeting link via email.
  • Leave the Allow a removed participant to rejoin option disabled in your In Meeting (Basic) settings. If you have to remove a disruptive participant from a meeting, this prevents them from rejoining it. (It does not impact people who voluntarily leave a meeting and then rejoin.)
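
A pre-publication check for the link-sharing advice above: this added example (not part of the original article or any Zoom tooling) scans text you are about to post for Zoom links that carry the passcode in a pwd= parameter and returns a copy with that parameter stripped. The function names and the example.zoom.us sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Rough URL matcher for plain text or HTML; trailing punctuation is trimmed later.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def is_zoom_host(host):
    """True for zoom.us and its subdomains, not for look-alike hosts."""
    host = (host or "").lower()
    return host == "zoom.us" or host.endswith(".zoom.us")

def strip_passcode(url):
    """Return (url_without_pwd, had_pwd) for a single URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:          # malformed URL: leave it untouched
        return url, False
    if not is_zoom_host(host):
        return url, False
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() != "pwd"]
    if len(kept) == len(pairs):
        return url, False
    return urlunsplit(parts._replace(query=urlencode(kept))), True

def audit_text(text):
    """Return (redacted_text, findings) where findings lists links that embedded a passcode."""
    findings = []
    def repl(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?")      # sentence punctuation is not part of the link
        clean, had_pwd = strip_passcode(url)
        if had_pwd:
            findings.append(url)
        return clean + raw[len(url):]
    return URL_RE.sub(repl, text), findings

# Constructed sample page text (no real meeting IDs or passcodes).
SAMPLE = (
    "Open house: https://example.zoom.us/j/0000000000?pwd=CONSTRUCTEDpasscode.\n"
    "Register first: https://example.zoom.us/meeting/register/CONSTRUCTED\n"
    "Look-alike host: https://zoom.us.example.org/j/1?pwd=x\n"
)

if __name__ == "__main__":
    redacted, found = audit_text(SAMPLE)
    print(redacted)
    print("Links that embedded a passcode:", found)
```

A link stripped this way still prompts for the passcode, so send the passcode to invited participants through a separate channel.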

Hosts can make these adjustments to meeting settings (or to their default In Meeting (Basic) settings) to make it harder for trolls to take over a meeting if they do get in:

  • Turn File transfer off to prevent participants (including hosts) from posting files in the chat window.
  • Under Screen Sharing, change Who can share? to Host Only. As host you will still be able to permit participants to share their screens during the meeting, but the participants will not be able to initiate screen sharing themselves.

Hosts can also control participant permissions within a meeting:

  • You can remove a participant by clicking Manage Participants, hovering over their name in the participants list, clicking More and choosing Remove from the drop-down menu.
  • For a full overview of Host controls, see Managing Participants and Host and Co-Host Controls.

Responsibly Sharing Zoom Recordings

In spring 2020 there were reports of Zoom meeting recordings showing up in online searches. These seem to have involved recordings that were posted to streaming services such as YouTube using filenames that searchers were able to guess.

If you need to create and share recordings of Zoom meetings, LITS recommends:

  • Informing meeting participants that you are recording and how you intend to share/publish the recording.
  • Sharing through Panopto, rather than Zoom Cloud. We have set up a connection between Zoom and Panopto, so that when you choose “record to Cloud” in Zoom the recording is automatically transferred to Panopto and only shared with meeting participants.
  • No matter where you store recordings, always delete them once you no longer need them. The longer a file remains on the Internet, the more opportunities there are for it to be hacked.

Keep Your Zoom App Up-to-Date

Like most software publishers, Zoom provides regular software updates, which may include fixes for security issues.

  • If you are prompted to install an update when you open or close the Zoom app, do it!
  • In the desktop app (Mac or PC), you can click on your user icon and choose Check for Updates to manually check for and install updates.

Third-Party Integrations and Privacy Concerns

The College is being very careful and conservative about third-party integrations with our institutional Zoom license:

  • We have disabled the options to log in with Google and Facebook.
  • We will only enable integrations for platforms with which the college has a contractual relationship that included a review of data security and privacy policies, and then only if integration provides substantial functionality benefits.

See Zoom’s Security page for information and updates about what the company is doing to improve security.

Filed under: Zoom. By Jenny Spohrer
