As the current pandemic crisis hits an all-time high, more countries are going into partial or complete lockdown. This has forced many employees to work from home and rely heavily on video conferencing tools such as Zoom. CTM360 has briefly summarized recently known security issues related to Zoom and lists recommendations for both remote and non-remote working staff.

RISKS & CONSIDERATIONS

As with most communication technologies, Zoom comes with an array of vulnerabilities and inherent risk, and it is worth noting that rogue actors may breach confidentiality. Once the ‘legal interception’ risk is accepted, the other risks to consider are ‘industrial espionage’ and ‘cybercriminals’. To minimize these risks, the following should be considered:

  1. Understand and minimize the technical risks by identifying and applying security controls and recommended best practices.
  2. Follow secure behavior when conducting online meetings and avoid discussing ‘highly confidential’ information. Confidential or sensitive data is best discussed through a combination of indirect and encrypted channels rather than on online calls that are not encrypted.

Security Issues:

  • Zoom-bombing takes advantage of Zoom’s randomly generated meeting ID access codes and the lack of a required password to join a call. Bad actors may join random Zoom calls that aren’t their own and broadcast offensive material, such as pornography.
  • Zoom’s “Company Directory” setting could leak user emails and photos: Zoom automatically puts everyone sharing the same email domain into a "company" folder where they can see each other's information.
  • Video calls on the app aren’t end-to-end encrypted, despite Zoom’s claims.
  • Versions of the Zoom installer exist that are bundled with cryptocurrency-mining malware, i.e. a coin-miner.
  • Zoom meeting chats don't stay private: if the meeting's chat is used to communicate privately with another participant, that conversation will be visible in the end-of-meeting transcript the host receives.
  • Zoom meeting recordings can be found online, because recordings saved to the host's computer generally follow a recognizable file-naming pattern.
  • Zoom has recently been a target of credential stuffing attacks, in which threat actors attempt to log in to Zoom using account credentials leaked in older data breaches.
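The credential stuffing pattern in the last point is visible in sign-in logs: one source trying many different accounts with mostly failed attempts, unlike a single user mistyping their own password. The following is an added example, not CTM360's or Zoom's code, that flags such sources over a constructed set of sign-in events (the event fields and the RFC 5737 addresses are assumptions for illustration).

```python
from collections import defaultdict

# Constructed sample sign-in events (not real Zoom logs): (source_ip, account, outcome).
# 203.0.113.7 sprays many distinct accounts; 198.51.100.4 is one user retrying their own password.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice@example.com", "fail"),
    ("203.0.113.7", "bob@example.com", "fail"),
    ("203.0.113.7", "carol@example.com", "fail"),
    ("203.0.113.7", "dave@example.com", "success"),
    ("203.0.113.7", "erin@example.com", "fail"),
    ("203.0.113.7", "frank@example.com", "fail"),
    ("198.51.100.4", "grace@example.com", "fail"),
    ("198.51.100.4", "grace@example.com", "fail"),
    ("198.51.100.4", "grace@example.com", "success"),
]


def stuffing_sources(events, min_accounts=5, min_fail_ratio=0.6):
    """Return {source_ip: (distinct_accounts, failure_ratio, accounts_that_succeeded)}
    for sources whose behaviour matches credential stuffing: many distinct accounts
    attempted from one source with a high failure ratio. Accounts that did succeed
    from a flagged source are returned so they can be prioritised for password reset."""
    per_source = defaultdict(lambda: {"accounts": set(), "fails": 0, "total": 0, "hits": set()})
    for src, account, outcome in events:
        stats = per_source[src]
        stats["accounts"].add(account)
        stats["total"] += 1
        if outcome == "fail":
            stats["fails"] += 1
        else:
            stats["hits"].add(account)

    flagged = {}
    for src, stats in per_source.items():
        ratio = stats["fails"] / stats["total"]
        # A single user retrying one account never reaches min_accounts, so it is not flagged.
        if len(stats["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[src] = (len(stats["accounts"]), round(ratio, 2), sorted(stats["hits"]))
    return flagged


if __name__ == "__main__":
    for src, (n_accounts, ratio, hits) in stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {n_accounts} accounts, fail ratio {ratio}, compromised: {hits}")
```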
