During these COVID-19 times, personal interaction with colleagues and customers is no longer straightforward. Lots of companies are therefore looking into video conferencing solutions. One of the most popular out there, Zoom, recently hit the news with multiple security and privacy issues.
Although this definitely needed to be fixed by Zoom (a first update addressing some of these issues was released yesterday), a lot of the risk can be reduced by adhering to a few basic security principles. We list the most important ones below.
1. Review default configuration and adjust where necessary
In Zoom, a lot of features can be configured. One of the recommended settings is to require a password for all meetings and to not use Personal Meeting IDs (PMIs), as these are easy to guess and could be brute forced. Disabling the use of PMIs prevents unknown or malicious parties from entering your online meeting, and you can additionally enable the waiting room so that all attendees are only admitted to the meeting after approval by the host.
Another feature that can be configured is the recording of meetings (in the cloud or locally). In Zoom you can choose to record meetings automatically as they start, and to allow hosts and participants to record meetings. Recording can also be fully disabled.
2. Harden your environment
One of the vulnerabilities that was discovered this week, is the possibility to send clickable UNC paths in the chat. If someone clicks on such a link, a program could be executed or hashed Windows credentials could be transmitted to the attacker. (reference: https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-run-programs-via-unc-links/)
Although this definitely needs to be fixed by Zoom, the risk can be mitigated by applying basic hardening to your workstations. With a GPO it is possible to define that NTLM credentials are not automatically sent to a remote server when a UNC link is followed. Regardless of the vulnerability in Zoom, it is best practice to disable this in your environment to prevent attackers from harvesting NTLM credentials.
In addition, applying the first principle (restrict access to your Zoom meetings with the available settings) means attackers cannot join a meeting in the first place, so they have no way to post links in the chat.
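The GPO hardening described above can be verified on an individual workstation. The script below is an added example and not part of the original post; it assumes that the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is backed by the registry value RestrictSendingNTLMTraffic (0 = Allow all, 1 = Audit all, 2 = Deny all) and that it is run from an elevated PowerShell session.

```powershell
# Added example (not from the original post): audit, and optionally enforce,
# the "Restrict NTLM: Outgoing NTLM traffic to remote servers" setting on one
# workstation. In a domain the value should be set through GPO; use this script
# to confirm the policy actually landed on the endpoint.
# Assumption: the policy is stored as the DWORD below (0 = Allow all,
# 1 = Audit all, 2 = Deny all). A missing value means "not defined" = allow.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'RestrictSendingNTLMTraffic'
$labels    = @{ 0 = 'Allow all (NTLM sent to any remote server)'
                1 = 'Audit all (events logged, NTLM still sent)'
                2 = 'Deny all (no outgoing NTLM to remote servers)' }

function Get-OutgoingNtlmRestriction {
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }           # not defined: Windows default, allow
    return [int]$item.$valueName
}

# True only when the workstation refuses to send NTLM to remote servers at all.
function Test-OutgoingNtlmHardened {
    return (Get-OutgoingNtlmRestriction) -eq 2
}

# Supports -WhatIf / -Confirm so the change can be reviewed before it is made.
function Set-OutgoingNtlmRestriction {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet(0, 1, 2)][int]$Level = 2)
    $target = "$regPath\$valueName"
    if ($PSCmdlet.ShouldProcess($target, "set to $Level ($($labels[$Level]))")) {
        New-ItemProperty -Path $regPath -Name $valueName -Value $Level `
                         -PropertyType DWord -Force | Out-Null
    }
}

$current = Get-OutgoingNtlmRestriction
Write-Host "Outgoing NTLM restriction: $current - $($labels[$current])"
if (-not (Test-OutgoingNtlmHardened)) {
    Write-Warning ('This workstation will hand its NTLM hash to any UNC path it is ' +
                   'pointed at. Run Set-OutgoingNtlmRestriction -Level 2 -WhatIf ' +
                   'to preview the fix, then without -WhatIf to apply it.')
}
```

Roll out "Audit all" (level 1) first and review the resulting NTLM audit events, because "Deny all" also blocks legitimate NTLM logons to servers that cannot use Kerberos; those servers belong in the companion "Add remote server exceptions" policy.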
3. User awareness
As with most security issues, user awareness is one of the most important, and most difficult, measures for preventing security incidents. If Zoom is used in a company, send out a communication to users to make them aware of the risks. The same rule that applies to phishing mails applies to these chats: only click on links from trusted senders, and only if you know where the URL is pointing to. When video is used in a Zoom call, make users aware of what the other attendees can see, e.g. a whiteboard behind them with confidential information of your company.
Although we are all heavily dependent on remote video conferencing tools to have some personal interaction these days, we should not forget about security. Attackers will focus more on exploiting these tools, but at the same time, these tools are also being thoroughly investigated by security researchers. In the next few months, more security issues with these tools will hit the news, and it won't all be about Zoom. However, this also means that vulnerabilities that may have existed for some time will now become known and can be fixed by the suppliers. Looking at the bright side of the COVID-19 situation, we could say that it will improve security in an area that has been in the shadows for some time.
As for Zoom right now: keep it up to date and have a look at the settings and the security of your environment. Based on the risks that remain, you can then decide whether you still want to use Zoom or not.