My recent blog post, Is Secure Video Conferencing Achievable? How To Improve Security for Your Video Conferencing App, covered the basics of video conference application security and touched on Zoom’s security and privacy issues. Well, it seems the doubts are becoming much more widespread: a recent report by Citizen Lab finds issues not only with Zoom’s encryption (aside from the fact that it is not end-to-end as marketed) but also notes that the keys for the partial encryption it does have are at times generated in China, even for U.S. clients, which makes them discoverable by Chinese authorities. I think I can speak for the bulk of the information security community when I say this: don’t post or share confidential documents or discuss confidential or personal information on Zoom. Assume that anything you say could be picked up by precisely the people you don’t want to have that information. The fact that hackers now have a ton of information about the Zoom flaws makes it a high-value target. Be forewarned: Zoom’s problems are only going to increase. So, if convenience trumps confidentiality, then go for it. Otherwise, use Teams, Skype, GoToMeeting, etc. Sorry Zoom, sometimes that happens when you fly too close to the sun.
On April 1st, the FBI released an alert, Cyber Actors Take Advantage Of Covid-19 Pandemic To Exploit Increased Use Of Virtual Environments, warning that cyber actors are exploiting the increased use of virtual environments resulting from the COVID-19 pandemic: exploiting software vulnerabilities to steal sensitive information, targeting individuals and businesses performing financial transactions, and engaging in extortion. To date, the FBI’s Internet Crime Complaint Center (IC3) has received and reviewed more than 1,200 complaints related to COVID-19 scams. The complaints involve phishing campaigns against first responders, DDoS attacks against government agencies, ransomware at medical facilities, and fake COVID-19 websites that quietly download malware to victim devices. Based on recent trends, the FBI assesses that these same groups will target businesses and individuals working from home via telework software vulnerabilities, education technology platforms, and new Business Email Compromise schemes. The alert’s recommendations:
Do:
- Select trusted and reputable telework software vendors; conduct additional due diligence when selecting foreign-sourced vendors.
- Restrict access to remote meetings, conference calls, or virtual classrooms, including the use of passwords if possible.
- Beware of social engineering tactics aimed at revealing sensitive information. Make use of tools that block suspected phishing emails or allow users to report and quarantine them.
- Beware of advertisements or emails purporting to be from telework software vendors.
- Always verify the web address of legitimate websites or manually type it into the browser.
Do not:
- Do not share links to remote meetings, conference calls, or virtual classrooms on open websites or open social media profiles.
- Do not open attachments or click links within emails from senders you do not recognize.
- Do not enable remote desktop access functions like Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC) unless absolutely needed.
Note that the second "Do" and the first "Do not" go together: Zoom and similar tools embed the meeting passcode in the invite link itself, so a passcode protects nothing once that link has been posted publicly.
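The last "Do not" item is the one a practitioner can actually check from a terminal. The script below is an added example, not code from the FBI alert or from the original post: it scans a host's listening sockets for RDP and VNC and reports each one, so they can be switched off where they are not needed. It assumes the listener table comes from `ss -ltn` (Linux) or `netstat -an` (Linux/macOS), where the fourth field is the local address and the line contains the word LISTEN; it assumes the conventional ports (RDP on 3389, VNC displays :0 to :9 on 5900 to 5909); and the sample listener lines embedded in it are constructed, not captured from a real host. A loopback-bound listener (for example a VNC server reached only through an SSH tunnel) is reported but marked as lower risk.

```shell
#!/usr/bin/env bash
# Added example (not from the FBI alert or the original post): audit a host for
# listening remote-desktop services so they can be disabled where not needed.
# Assumptions: POSIX sh/bash with awk; listener lines in `ss -ltn` or
# `netstat -an` layout (field 4 = local address, line contains LISTEN).
# Ports assumed: RDP 3389; VNC 5900-5909 (displays :0-:9). Other remote-access
# tools on other ports are not covered.

# Parse listener lines on stdin; print "<local-address> <service> [loopback-only]"
# for each RDP/VNC listener. A socket bound to 127.0.0.1 or [::1] is reachable
# only from the host itself, so it is reported but flagged as loopback-only.
flag_remote_access_listeners() {
  awk '
    /LISTEN/ {
      n = split($4, p, /[:.]/)        # last piece after ":" or "." is the port
      port = p[n] + 0
      if (port == 3389) svc = "RDP"
      else if (port >= 5900 && port <= 5909) svc = "VNC"
      else next
      scope = ""
      if ($4 ~ /^127\./ || $4 ~ /^\[::1\]/) scope = " loopback-only"
      print $4 " " svc scope
    }'
}

# Run against the live host with whichever listener tool is available.
audit_host() {
  if command -v ss >/dev/null 2>&1; then
    ss -ltn | flag_remote_access_listeners
  elif command -v netstat >/dev/null 2>&1; then
    netstat -an | flag_remote_access_listeners
  else
    echo "neither ss nor netstat found" >&2
    return 1
  fi
}

# Constructed sample in `ss -ltn` layout (not captured from a real host):
# sshd on 22, RDP exposed on all interfaces, VNC display :1 on loopback only,
# VNC display :0 on all IPv6 interfaces, a web app on 8080, and one established
# outbound RDP connection that must not be reported as a listener.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 128 [::]:5900 [::]:*
LISTEN 0 128 *:8080 *:*
ESTAB 0 0 10.0.0.5:50001 10.0.0.9:3389'

# Run the parser over the constructed sample.
demo_audit() {
  printf '%s\n' "$SAMPLE_LISTENERS" | flag_remote_access_listeners
}

if [ "${1:-}" = "--live" ]; then
  audit_host
else
  demo_audit
fi
```

Run it with `--live` to audit the current host; without arguments it reports on the constructed sample, where only the RDP listener on 0.0.0.0:3389, the loopback-only VNC display on 127.0.0.1:5901 and the VNC display on [::]:5900 are flagged. Anything it reports on an all-interfaces address is a service the FBI guidance says should be off unless there is a concrete need for it.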
Tags: #Telework_Security #Security_Warning #Zoom_Security #FBI_Issues