April 8, 2020
Adapting to the new normal of working from home and sheltering in place is no small task, let alone when one of the most common remote collaboration tools, Zoom, is being equated to malware. The goal of Zoom, founded in 2011, is to help organizations collaborate as efficiently as if they were together. In response to the COVID-19 pandemic, schools, churches, exercise classes, and even happy hours have turned to Zoom’s incredible convenience to remain connected to their communities. The result has opened these communities up to vulnerabilities, which have come to light now that the pandemic has forced the world to socialize through a screen.
The Windows version of Zoom has a vulnerability in the chat feature, which converts networking UNC paths in messages into clickable links. When the user clicks on such a linked path, Windows attempts to connect to it using a specific set of protocols. These send the user’s login name and their password in an easily translatable hashed format that bad actors can easily crack, giving anyone access to your Windows credentials.
As of 4/2/2020, the most up-to-date version of the Zoom software has a patch to better protect users from this.
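As an added illustration (not code from Zoom or from the original article), the Python example below shows how a chat gateway or a log review could spot UNC paths in message text and strip those that point outside the organisation. The internal suffix `.corp.example`, the `10.0.0.0/8` network and the sample messages are assumed placeholders.

```python
import ipaddress
import re

# \\host\share[\path...]: two backslashes, a host, then at least one component.
# Limitation: share or file names containing spaces are cut at the first space.
UNC_RE = re.compile(
    r"(?<!\\)\\\\(?P<host>[A-Za-z0-9._-]+)\\(?P<rest>[^\s\\]+(?:\\[^\s\\]+)*)"
)
TRAILING = ".,;:!?)"  # sentence punctuation that is not part of the path

# Assumed allow-list of the organisation's own file servers (placeholders).
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),)


def is_internal(host):
    """Strict allow-list: a host not explicitly internal counts as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)
    return any(ip in net for net in INTERNAL_NETS)


def scan(message):
    """Return (unc_path, host, is_internal) for every UNC path in a message."""
    return [
        (m.group(0).rstrip(TRAILING), m.group("host"), is_internal(m.group("host")))
        for m in UNC_RE.finditer(message)
    ]


def neutralise(message):
    """Replace UNC paths to non-allow-listed hosts with an inert placeholder."""
    def repl(m):
        if is_internal(m.group("host")):
            return m.group(0)
        path = m.group(0).rstrip(TRAILING)
        return "[UNC link removed: %s]%s" % (m.group("host"), m.group(0)[len(path):])
    return UNC_RE.sub(repl, message)


# Constructed sample chat messages, not taken from any real meeting.
SAMPLES = [
    r"Slides are at \\files.corp.example\team\q2.pptx",
    r"new build here: \\198.51.100.7\share\setup.exe, grab it!",
    "no links in this one",
]
```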
Zoom-bombing is when a person gains unauthorized access to a Zoom meeting and harasses participants, typically spreading antagonistic, threatening, and hate-filled messages. This week the FBI Boston Field Office released an advisory related to these types of attacks. These attacks occur because Zoom’s default settings err on the side of convenience and not security, making meeting IDs easy to guess and access with no need to verify further.
Zoom boasts that its meetings are End-to-End (E2E) encrypted, but by their standards, not the universal norm. With universally acceptable E2E, only the members of the meeting would be able to gain access. Zoom relies on a version of encryption (AES-128) that by all cryptography standards creates short keys, using easy-to-guess patterns. Further, these keys are sometimes delivered by servers in foreign countries, even when the participants are all located in other areas, making this process even more vulnerable. Zoom’s version of E2E could also allow Zoom, or another unwanted entity, to intercept, decrypt, and gain access to a call if they wanted. Although it could be much worse, Zoom’s current encryption standards do not meet the minimum requirements to claim their video calls are E2E encrypted.
Do not use Zoom... Why use Zoom when there is a secure alternative?
At RADER, we encourage our partners to take advantage of Microsoft Teams and its capabilities for remote working. Not only does Teams have collaboration and meeting features comparable to Zoom, but there are also direct messaging and external calling capabilities, file sharing, and storage available, allowing you to work efficiently from anywhere through the app. Because Teams is bundled with most Office 365 licenses and managed by your IT provider, Teams relies on a company’s Active Directory (a catalog created by Microsoft for IT providers to manage users and resources) to deliver encryption keys. This makes Teams substantially more secure than Zoom. Microsoft Teams is even compliant with HIPAA standards, proving they take privacy seriously.
Microsoft is offering free, extended trial licenses of Teams until the end of the year in response to the COVID-19 shelter in place directives. For more information on these, and to set them up, call us!
Safety Precautions if you still use Zoom
If you still decide to use Zoom, follow these suggestions to make the most of an insecure environment.
Remember, the Host can record a Zoom meeting, including video, audio, and group chat history. Although convenient for future reference, recorded sessions or chats will never really disappear.
Do not fall for the Zoom impersonators. There are countless phishing emails requesting people to download Zoom for phony meetings in order to install malware and steal credentials. Always double-check the sender’s email address, and if there’s even a shadow of a doubt, CALL the sender to verify.
The most prominent exploits hackers are taking advantage of are the relaxed, default policy options that meeting hosts are using, which allow anyone entry. Ensure the meeting host is taking proper precautions when creating and configuring meetings, specifically requiring a password to enter the meeting.
Zoom meeting passwords are created and issued by the meeting host, meaning that if a random person did come across a meeting invitation, they still wouldn’t be able to infiltrate it because they wouldn’t have all the necessary keys to gain access. Think of the Meeting ID as the key to your house and the password as the alarm code; that extra layer of security is what really allows you to sleep at night. Meeting hosts can easily add a password when scheduling their meeting by checking the “require meeting password” box and inputting a password. This password must be shared personally by the host with the attendees.
Hosts should also avoid relinquishing control of the screen. This step prevents any unwanted or inappropriate content from appearing on the screen mid-meeting and allows the host to utilize the screen to keep members focused, making the most of everyone’s time. This feature is a part of the Advanced Sharing Options in the Share Screen drop-down of the meeting.
These security precautions will be moot if you’re not running the most updated version of Zoom software. Software companies, Zoom included, regularly release patches and updates to their services that mitigate or remove an attack vector entirely. Without the most up-to-date version of Zoom installed, you and your meeting members are opened up to enhanced and unnecessary risk.
Times are hard, and RADER is here to try to put your IT and information security concerns to rest. As always, we are available 24/7 to answer any question you might have and to assist in your transitions. We will get through this!
RADER is a local IT Company based out of Lafayette, LA, servicing companies throughout the United States. Find out more about us or how we can seamlessly manage and integrate all of your technological needs.