Cyber Threat Report: Zoom Security Exploit
Video Conferencing giant, Zoom, keeps running into security issues. Tom Anthony, the Product VP at SearchPilot, revealed that cybercriminals were able to easily hack Zoom private meeting passwords in a matter of minutes. This was due to Zoom’s web client not rate-limiting the attempts to enter the default 6-digit passcode. Because of this, cybercriminals had the opportunity to brute-force their way into any password-protected meeting. After testing his theory, Anthony reported the bug to Zoom and it has been fixed. In an official statement, Zoom reported that it “improved rate-limiting, addressed the CSRF token issues, and relaunched the web client. The issue was fully resolved.“ You can read Anthony’s full report on the Zoom Security Exploit here.
Previous Zoom security issues include: a security loophole that allowed anyone to remotely eavesdrop on unprotected active meetings (January), an exploit for a zero-day remote code execution (April), more than 500,000 Zoom accounts were put up for sale on the Dark Web (April), and a zero-day vulnerability in the web conference client (early July).
In the wake of the coronavirus pandemic, there has been a sharp increase in the use of video conferencing platforms for both business and personal purposes. According to TrustRadius, “the web and video conferencing category for business technology saw a 500% increase in buyer activity since the Covid-19 outbreak began. 67% of companies increased their spending strategy for video conferencing too.”
The way we are communicating is undeniably changing and video conferencing is proving to be a powerful tool. However, it is also proving to be a security risk. With smart defense, you can keep your information, systems, and data safe. Here are our Best Practices for Video Conferencing:
Implement staff training
Your organization should require adequate training and provide educational resources to all employees when it comes to video collaboration. Be sure to cover: security settings, what equipment should be switched on and off at the beginning and end of each call, video conferencing etiquette and expectations, etc.
Password protect your meetings
Passwords should be mandatory for every meeting in order to protect your video conference from unwanted guests as well as protect all information that is shared. If your video conferencing software allows you to create a password, make it lengthy and complex with numbers, letters, and special characters. Make sure you are using different passwords for each account.
Verify your attendees
When sending a meeting invite, make sure you double check your list of attendees. When it’s time for the meeting, utilize the ‘waiting room’ so you verify each user that is logging on before your video conference begins. If there is an unauthorized user, kick them out immediately. Make sure you lock your meetings once everyone has joined.
Be wary of shared links
Before accepting an invitation to a meeting, verify that you know and trust the sender. Always double check the link before you click on it. Do this by hovering your mouse over the link. The correct URL will be displayed in the bottom left corner of your browser.
Use a Random Generated ID
Using a generated ID for the meeting will keep your personal meeting ID safe and not allow it to be impersonated.
Do not allow file share (when applicable)
File sharing can be a great tool, but can also be a way for an attacker to send a malicious document to unsuspecting users. Just be diligent before opening any documents you do not trust.
Review your security settings
If you’re using video conferencing for business related meetings, you should be using an enterprise plan, not a free-consumer friendly service. These basic plans often lack necessary administrative tools which provide extra security.
Check for updates to your conference platform
New vulnerabilities are always being found and the more up to date that your application is, the more you are able to safeguard against these.
Report suspicious activity
Make sure you report all suspicious activity to your IT team, that includes every phishing email. Prompt and detailed reporting of suspicious behavior can help prevent future attacks on your network.
If you have any questions regarding video conferencing security, do not hesitate to reach out. You can contact The Augusta IT Guys at 706-426-6313 or firstname.lastname@example.org.
4332 Wheeler Road #105, Augusta GA 30907