Regarding security and privacy concerns with Zoom teleconferencing software

Page created by Dan Garrett
During the voluntary and, since Monday Apr 6 at 12:01 am, state-mandated Stay-at-Home Order, the Alliance
Française de St. Louis is committed to making every effort to ensure that our students are able to continue their
studies of French language and culture during the COVID-19 pandemic. Further, it is important to us to make
certain that we can retain our teachers and continue to pay them, as they are, together with our students, the
organization’s most important asset: there’s a “convenient but necessary” symbiotic relationship between teachers and students.

Many of you have already engaged in our distance classes, initially via Skype. However, the quality of sound and
video suffered when Skype calls included 4 persons or more. This prompted us to look at the four most highly-rated
teleconferencing apps: Cisco, Webex, Zoom, and GoToMeeting. Of those, Zoom rated #1 in
overall customer reviews and rated highest in all categories, including ease of use, quality of support and ease
of setup. As of Friday afternoon, after just 24 days, 302 meetings with 1419 participants spanning 64589 minutes
(>1075 classroom-hours), we have had a much better experience than with Skype, and Zoom includes two-way
interface tools that are valued highly in educational environments.

Every e-communications company knows that the industry faces the very difficult balancing act of providing for
adequate security with user-friendly features in their products. Zoom was built to be feature-rich but also easy to
use with little technical expertise to install and operate. The user reviews of Zoom indicate that the product was
beating out its competitors.

Zoom has experienced, as the number of people afflicted with COVID-19 explodes, similar exponential growth,
going from 10 million users a day in Dec 2019 to well over 200 million a day in April as adults telecommute and
students engage in distance-learning all over the world. Any program or app that experiences that kind of success
becomes a target for attention-seekers. Over the last 2 weeks, you may have heard and/or read numerous media
reports about the safety, privacy, and security of Zoom. As with all crisis-related stories, think “COVID19”, there
often is negative hype that pushes to the top what might otherwise be well below our “radar”.

I’m responding to you, teachers, students and members, to reassure you of our concern with those issues and
what we are doing to reduce the chance that you and your family will have a troubling experience while on Zoom
with us.

That’s the short-and-sweet version of “Here’s what we’re doing to keep you, your data, and your children safe
while taking online classes with the Alliance Française de St. Louis using Zoom.” If you just need to know that’s
our priority, then the only thing left is to remind you to update your Zoom software whenever it prompts you to
do so; that’s YOU protecting YOU. Otherwise, you can stop here. You may click here to find a variety of critical
articles as well as published items about Zoom’s largely constructive and responsible reaction to the criticism.
Some are very readable but others may be of more interest to those with a geekish bent.

If on the other hand, you’re more curious about the details of how we’re protecting you, please read on for the
“semi-geek” version. If you want to be more informed, my original draft of this “note” was way too long for most
readers so I’ve condensed it below. The longer version is available here. I want to communicate to you, our
students and members, my response as the AF’s (volunteer) IT guy because there are so many changes happening
with Zoom. Let me summarize the concerns and provide Zoom’s responses to those in no particular order.

1)    Probably the most concerning and most misleading article was published in The Guardian (a British
newspaper) entitled “Zoom is malware”. Issues that some security researchers called “privacy disasters” and
“fundamentally corrupt” due to the mishandling of user data (unauthorized sending to Facebook and LinkedIn)
had already been addressed by Zoom’s CEO Eric Yuan. The privacy and security issues identified in the Guardian
article were addressed in a publication authored by three security experts unaffiliated with Zoom that refuted the
“malware” designation, noting that Zoom isn’t paying lip service to the problems but had already fixed some of them,
rewriting the software so that Zoom no longer shared user data in the ways that raised those privacy concerns. The
CEO of Zoom has publicly stated that no data has ever been and will never be sold. He attributed the security risks to
not having anticipated the rapid growth of Zoom. Similar abuses occurred with Twitter, Reddit and YouTube as
their user bases grew.

2)   On Wednesday April 8, Bloomberg News quoted CEO Yuan as stating “Zoom is safe” compared to its
competitors and that the company has never sold user data and never will. He attributed the security risks to not
having anticipated the rapid growth of the platform and the broadening of the user base outside the business
world even though the same abuse issues occurred with Twitter, Reddit, and YouTube among others.

3)    On Wednesday, April 8, I attended an online webinar with Zoom’s CEO, in which he reiterated the issues
that were being addressed. On the same day, a new release of Zoom dropped and everyone is encouraged to
download and install it by launching Zoom and following the prompts about 5 minutes before your next class.
Please make sure it’s on all your devices with which you connect to your classes.

4)    On Thursday I attended, and will continue to attend in the future, the teleconference meetings on updates
to the Zoom software.

5)    Additionally, the Guardian piece pointed out the most well-known issue, that of video hijacking, nicknamed
“Zoom-bombing”, in which an intruder, usually unknown, infiltrates a legitimate meeting with varying degrees of
malicious intent aiming to disrupt the event. This kind of disturbance can be automatically prevented by several
already-available security tools built into Zoom. Most of the “security lapses” which allow a
malicious/mischievous individual to intrude in a Zoom session are block-able from the administrator’s global
settings for hosts (our teachers) as well as host-selectable invite settings. In order to reduce the potential for a
Zoom-bomb during AF classes, we have instituted (on Sunday April 5th) the use of a “password challenge”. Many
of you will need to enter a password (you will see this new window) after clicking “join a meeting” but some
classes are still using the previous links that do not require passwords. Beginning next session, ALL classes and
private lessons will require passwords. You will see this in your Zoom invitation.

6)    The responsibility also falls on the users; you should NEVER share a meeting link (and password) with
ANYONE, even a classmate and especially not over social media. Teachers will set up Zoom classes once per
session, using the same meeting link and password for every class until the next session, so retain the invite and
password in your email.

7)    In addressing the Zoom-bombing vulnerability, the FBI offered the following advice to hosts and
participants in a press release:
      a. Hosts should not make meetings or classrooms public but should require a password. (We are doing this
          for all new meetings as of April 5. 100% implementation starting Session #4, June 6).
      b. Implement the “waiting room” feature preventing new participants from joining until admitted by the
          host who admits only guests recognized as having been invited. (We have always implemented “waiting room”).
      c. Hosts and guests should never share the meeting ID, link, or password on social media or unsecured
          media but only by direct email to the invitee. (This is the cause of most Zoom-bombing incidents, whether
          “innocently deliberate”, malicious, or inadvertent).
      d. Host should not allow screensharing by others until inside the meeting. (This is now a default setting since
          April 5).
      e. Update both host and user software whenever updates are released. (As of this message, April 11, the latest
          update was released on Apr 8).

8)    Other security measures suggested both by Zoom and various security experts include:
     a. Disable the “one-click join” feature and use randomly-generated meeting IDs. (The AF global settings
        implemented this as of April 5).
     b. Enable two-factor authentication for secure entry. (At this point in time, we are not implementing two-factor
        authentication, but should it become necessary, we will turn this feature on globally).
     c. Host (teacher) should take active measures to control participants (students) by using “mute mic” and
        camera control options. (Our teachers have been trained to use this feature as of April 5).
     d. Once all guests are admitted, engage the “Lock Meeting” session. (This feature will be included in the next
        round of one-on-one teacher training).
     e. Disallow file transfer by participants. (This feature was implemented on April 5).
     f. Prevent “booted” bad actors from rejoining by disabling the rejoin meeting option. (This feature will be
        included in the next round of one-on-one teacher training).
     g. Do not enable video recording unless essential. (This feature has been disabled globally as of April 11).
     h. Employ the virtual background option or engage the “blur screen” feature to keep private information
        from being gleaned from your surroundings or shared computer screen. (This feature will be included in the
        next round of one-on-one teacher training).
     i. Disable private chat. (We have allowed teachers to do this at their own discretion).
     j. Turn off shared screen annotation. (We have allowed teachers to do this at their own discretion).
     k. Put attendee on hold. (This feature will be included in the next round of one-on-one teacher training).
     l. Disable participant’s video. (This feature has been disabled as of April 11).
     m. Prevent meeting recordings. (We have prevented this in the admin global settings, but the topic will be discussed with
        the AF Exec Director).
     n. Prevent video from being uploaded to cloud storage. (This feature has been disabled as of April 11).
     o. Disable live-streaming. (This feature has been disabled as of April 11).
     p. Disable remote camera control by participants. (This feature has never been implemented.)

9)   Regarding future development, Yuan made several promises to current, former, and future clients:
     a. Commitment to resolve reported security issues;
     b. Implement security constraints by default for certain users;
     c. Ceased all work on new features, committing 100% of software engineering resources to resolving
         security issues for the next 90 days;
     d. Expand Zoom’s third-party security audits and penetration tests and its bounty program (paying outsiders rewards
         to find security holes), and prepare a transparency report on requests for data sharing from outside entities
         (government and law enforcement);
     e. Removed the Facebook and LinkedIn features that previously caused unnecessary data disclosure;
     f. Provide live weekly web conferences to disseminate updates and take up concerns about further
         security/privacy issues;
     g. Resolve the practical disconnect between the industry’s use of the term “end-to-end encryption” and
         the compromised version presently utilized by Zoom;
     h. The biggest change is the establishment of a collaboration of security and privacy consultants to advise
         him on the path forward to better meet the demands of the customer base. In addition, Yuan hired one
         of the world’s most respected and qualified digital security consultants, Alex Stamos, currently on the
         faculty at Stanford, who has been involved in various advisory capacities with Facebook (Chief Security
         Officer), Harvard’s Defending Digital Democracy Project, UCal Berkeley’s Center for Long-Term
         Cybersecurity, the Council on Foreign Relations, and NATO’s Collective Cybersecurity Center of
         Excellence.

As the administrator of the AF Zoom account, I will be attending weekly tele-conferences with Eric Yuan in
which privacy and security issues will be discussed. Additionally, when new versions of the software are
introduced, I will attend the webinars addressing the improvements and push a message out to teachers,
students and members about the update via the AF newsletter. Finally, I will be implementing the appropriate
software settings on the host side of the meeting scheduling tool for the best ongoing experience and security of
our students, making sure our teachers understand the changes, and providing helpful information to our students
by issuing notices when Zoom software is updated and providing the link to the most recent version for each
device (PC, Mac, iPad, iPhone, and Android tablets and phones).

Below is a Strategic Plan Action Grid for each area of concern and how each stakeholder (Account Administrator
[Dave]; Teachers, and Students) can safeguard their security, privacy, and safety to maximize the benefit of the
learning environment not just for themselves but also for other students.

If you have any concerns or questions, please don’t hesitate to contact Dave Mount, IT Director for the
AF: it@alliancestl.org. For urgent connection issues, please call Dave Mount: 806.236.7323.

Here is Zoom’s FAQ page: https://support.zoom.us/hc/en-us/articles/206175806-Top-Questions
Strategic Plan Action Grid

Area of Concern: Security
   Problem: Data sharing
   Zoom Account Administrator’s* responsibilities: Lock default settings for all hosts (teachers).
   Teachers’ responsibilities: Set up meetings with passwords.
   Students’ responsibilities: Proper set-up of Zoom preferences; contact Alliance IT* if concerned about security
   compliance awareness.

Area of Concern: Privacy
   Problem: Sale of user data by Zoom (CEO claims it never was sold; inadvertently shared)
   Zoom Account Administrator’s* responsibilities: Implement updates as released and notify teachers.
   Teachers’ responsibilities: Inform students of need to update Zoom.
   Students’ responsibilities: Update Zoom as soon as advised.

   Problem: End-to-end encryption
   Zoom Account Administrator’s* responsibilities: Implement updates as released and notify teachers.
   Teachers’ responsibilities: Inform students of need to update Zoom.
   Students’ responsibilities: Update Zoom as soon as advised.

Area of Concern: Safety
   Problem: Sharing Meeting ID
   Zoom Account Administrator’s* responsibilities:
      - Implement updates as released and notify teachers and students.
      - Attend Zoom CEO webinars for security updates.
      - Attend Zoom software update webinars.
      - Provide training for teachers.
      - Install all updates on account management tool.
   Teachers’ responsibilities:
      - Properly label course info in the meeting title (teacher name, day, time, session).
      - Do not “advertise” meeting details on social media.
      - Attend host training on new Zoom features.
      - If training needed, contact Dave Mount*.
      - Keep device OS updated on all Zoom devices.
      - Encourage students to install Zoom updates.
      - Restart device at beginning of the day.
      - Implement waiting room feature.
      - Do not admit anyone whose name does not appear on their account screen.
      - Properly manage attendees.
   Students’ responsibilities:
      - Do NOT circulate meeting URL (link) on social media.
      - Retain email invites with meeting link for entire session.
      - Do not “advertise” meeting details on social media.
      - Seek training for Zoom if needed.
      - If training needed, contact Dave Mount*.
      - Keep device OS updated on all Zoom devices.
      - Restart device before class.
      - Ensure that name is identified when logged in.
*Alliance Française IT: Dave Mount 806.236.7323 or it@alliancestl.org to set appointment or for help
Bibliography

Zoom Download Center: https://zoom.us/download?zcid=1231

FBI Warning (FBI Boston): https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic

Zoom Frequently Asked Questions (FAQs): https://support.zoom.us/hc/en-us/articles/206175806-Top-Questions

Alex Stamos biography (Stanford University): https://cisac.fsi.stanford.edu/people/alex-stamos-0

Preventing Zoom-bombing (Zoom Blog): https://blog.zoom.us/wordpress/2020/03/20/keep-uninvited-guests-out-of-your-zoom-event/

Keep Zoom Chats Private and Secure (WIRED.com): https://www.wired.com/story/keep-zoom-chats-private-secure/

How to protect your Zoom calls (Washington Post): https://www.washingtonpost.com/technology/2020/04/03/zoom-video-set-up/

The Zoom Privacy Backlash is Only Getting Started (WIRED.com): https://www.wired.com/story/zoom-backlash-zero-days/

Update on Zoom’s 90-Day Plan to Bolster Key Privacy and Security Initiatives (Zoom Blog): https://blog.zoom.us/wordpress/2020/04/08/update-on-zoom-90-day-plan-to-bolster-key-privacy-and-security-initiatives/

Use Zoom? Here Are 7 Essential Steps You Can Take To Secure It (Forbes.com): https://www.forbes.com/sites/kateoflahertyuk/2020/04/03/use-zoom-here-are-7-essential-steps-you-can-take-to-secure-it/

Working on Security and Safety with Zoom – Alex Stamos (Medium.com): https://medium.com/@alexstamos/working-on-security-and-safety-with-zoom-2f61f197cb34

Zoom adds new security and privacy measures to prevent Zoombombing (TheVerge.com): https://www.theverge.com/2020/4/3/21207643/zoom-security-privacy-zoombombing-passwords-waiting-rooms-default

Zoom boss apologizes for security issues and promises fixes (BBC.com): https://www.bbc.com/news/technology-52133349

Zoom Has A Dark Side – And An FBI Warning (NPR.org): https://www.npr.org/2020/04/03/826129520/a-must-for-millions-zoom-has-a-dark-side-and-an-fbi-warning

Zoom is showing how to respond to criticism the right way (TheVerge.com): https://www.theverge.com/interface/2020/4/3/21203720/zoom-backlash-apology-zoom-bombings-eric-yuan

Zoom isn’t Malware – Amit Serper (Medium.com): https://medium.com/@0xamit/zoom-isnt-malware-ae01618e2046

Zoom privacy and security issues – Here’s everything that’s wrong (so far) (TomsGuide.com): https://www.tomsguide.com/news/zoom-security-privacy-woes

Zoom Product Updates – New Security Toolbar Icon for Hosts, Meeting ID No Longer Displayed (Zoom Blog): https://blog.zoom.us/wordpress/2020/04/08/zoom-product-updates-new-security-toolbar-icon-for-hosts-meeting-id-hidden/

Zoom Says Platform Is as Safe as Peers, Boosts Privacy Tools (Bloomberg.com): https://www.bloomberg.com/news/articles/2020-04-08/zoom-ceo-says-platform-is-as-safe-as-peers-boosts-privacy-tools

Zoom video meetings have become the way to deal with social distancing mandates. But it still comes with risks. (WashingtonPost.com): https://www.washingtonpost.com/

Zoom videos exposed online, highlighting privacy risks (WashingtonPost.com): https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/

Zoom-Zoom – We Are Watching You (CheckPoint.com): https://research.checkpoint.com/2020/zoom-zoom-we-are-watching-you/

Zoom’s Big Security Problems, Summarized (Forbes.com): https://www.forbes.com/sites/marleycoyne/2020/04/03/zooms-big-security-problems-summarized/