In recent days, new reports have emerged about hackers attempting to sell zero-day exploits targeting Mac OS X and Windows users, with price tags for the vulnerabilities as high as $500,000.
With millions turning to remote working and signing up for cheap and free videoconferencing services, earlier this month, the Australian Signals Directorate issued an urgent warning to businesses over the use of insecure videoconferencing apps.
ASD says “Web conferencing solutions (also commonly referred to as online collaboration tools) often provide audio/video conferencing, real-time chat, desktop sharing and file transfer capabilities. As we increasingly use web conferencing to keep in touch while working from home, it is important to ensure that this is done securely without introducing unnecessary privacy, security and legal risks.”
You can read the full ASD advisory here: https://www.cyber.gov.au/publications/web-conferencing-security
The ASD advice came amidst reports from news sources like the New York Times about Zoom. A NYT article said, “What many people may not know is that, until Thursday, a data-mining feature on Zoom allowed some participants to surreptitiously have access to LinkedIn profile data about other users — without Zoom asking for their permission during the meeting or even notifying them that someone else was snooping on them.
The undisclosed data mining adds to growing concerns about Zoom’s business practices at a moment when public schools, health providers, employers, fitness trainers, and others are embracing the platform.
An analysis by the New York Times found that when people signed into a meeting, Zoom’s software automatically sent their names and email addresses to a company system it used to match them with their LinkedIn profiles.”
The NYT article said that, “After Times reporters contacted Zoom and LinkedIn with their findings on the profile-matching feature, the companies said they would disable the service.”
Similar reports from Motherboard relate to Zoom’s data sharing with Facebook. In a post, Motherboard claims that the “Zoom app is sending some analytics data to Facebook, even if Zoom users don't have a Facebook account.”
Krebs on Security told its readers about password protecting Zoom meetings, and concerns that the feature which Zoom has enabled as a default may not be as effective as you might expect. And this report from TechCrunch outlines even more of the concerns with Zoom.
In its advisory, the ASD poses the following questions for choosing a web conferencing service:
- Where is the service provider based?
- What is the service provider’s track record?
- Are privacy, security and legal requirements being met?
- What information and metadata does the service provider collect?
- Does the service provider use strong encryption?
- What is the reliability and scalability of the web conferencing solution?
The advisory then recommends the following practices once a service has been chosen:
- Configure the web conferencing solution securely
- Establish meetings securely
- Be aware of unidentified participants
- Be aware of surroundings
- Be mindful of conversations
- Only share what is required
The FBI have released similar guidelines, and the German government have reportedly imposed controls on the use of Zoom as well, with a Reuters report claiming “The decision is directed at use of Zoom on mobile devices using the company’s app,” and that “confidential conversations were not to be carried on video conferences because they were not comprehensively encrypted.”
For anyone thinking that these reports may simply be a media beat-up or conspiracy, even its own shareholders are escalating concerns. This month Zoom Video Communications Inc. was the subject of a class action suit by one of its shareholders, accusing the company of overstating its privacy standards and failing to disclose that its service was not end-to-end encrypted.
In a statement from Zoom, CEO & Founder, Eric Yuan said “We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users. We take them extremely seriously. We are looking into each and every one of them and addressing them as expeditiously as we can. We are committed to learning from them and doing better in the future.”
In an interview with NPR.org, Mr Yuan said, "When it comes to a conflict between usability and privacy and security, privacy and security [are] more important – even at the cost of multiple clicks. If you asked me this question one year ago, I would hesitate to say yes. But now, absolutely yes," Yuan answered. "We're going to transform our business to a privacy-and-security-first mentality."
As we all adjust to living and working remotely, web or video conferencing services have become a must-have part of our lives to stay connected personally and professionally. So while millions of us around the world are finding and relying on some of these services for the first time, as cybersecurity specialists we simply suggest that you take a moment to think about the platform you’re using and the data you’re sharing.
For full disclosure, our firm is a Gold Microsoft Partner, and we use Microsoft Teams for collaboration with colleagues, customers and partners.
Video conferencing, like email and other digital communications, can be transformative for your business. Just take a moment to consider the privacy and security of your users before jumping in.