Who’s Zooming Who?

In early April, it was disclosed that over 500,000 Zoom passwords were put up for sale on the dark web. If you have a Zoom account, change your Zoom password and consider taking the steps outlined below to mitigate some risk in using Zoom.

If you do choose to use Zoom for a meeting, here are some steps you can take to improve the security:

  • Be sure of the audience – verify that no unintended participants have joined;
  • Be sure to use the latest version of Zoom so that the meeting cannot be recorded without your consent;
  • Require passwords for all Zoom meetings and use a password that isn’t easily guessed;
  • Require users to be logged into Zoom accounts to join meetings; and
  • Consider using multifactor authentication for meetings dealing with privileged information.

Although Zoom is very popular, here are some of its security and privacy shortcomings:

  • Encryption – Zoom claimed to offer end-to-end protection but does NOT actually provide it;
  • Privacy – Zoom collects and shares data including meeting transcripts, which has resulted in three class action lawsuits;
  • Zoombombing – As a result of Zoom's very lax security defaults, many users found themselves in meetings with uninvited guests, some of whom showed pornographic and other offensive images;
  • Malware – Several instances were found where Zoom software from third-party sources was bundled with bitcoin mining software;
  • Lack of protection – Earlier versions of the software allowed users to post malicious links in meetings;
  • Lack of notification – Users and meetings could be recorded without their knowledge;
  • Infrastructure issues – Several meetings were found to be inadvertently routed through censorship/tracking servers in China; and
  • Immature software – The recently developed software has not been vetted as thoroughly as mature conferencing products such as GoToMeeting, Microsoft Teams, Webex, etc.