Box 2,Unit 4, Crown Quay Lane Trade Centre, 1 Eurolink Way, Sittingbourne ME10 3DY

Registered in England: Nr: 07356014

03333 44 5921 info@gammascience.co.uk

Gamma Science

To Zoom, or not to Zoom?

By now, you have probably heard the news that the popular Video-Conferencing App, Zoom, has fallen victim to some security vulnerabilities, and if, like me, you have been Zooming here there and everywhere, you are wondering if it is still safe to use?

Well, the Geek answer is, as always, yes, and no! Part of the problem with Zoom is that it has been a victim of its success. Zoom's blog says "as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid." I would guess that a fairly large proportion of those users fall into the free category. With people from the UK Cabinet, to schools, to your local Knit and Natter group turning to Zoom to stay in touch, it's security vulnerabilities are News!

Vulnerabilities have included so-called "Zoom-Bombing" where people obtain links to meetings and join to harass participants, insecure sharing with both Facebook, and Linkedin and security vulnerabilities in the way both Microsoft and MAC-OS handle video conferencing links.

I asked the head of the Geekforce what folk could do to stay safe!

And he said "Don't tweet a picture of your Meeting Code," before pointing out that other Video-Conferencing solutions were available.

He likes Jitsi because it is Open Source. So we tried it, with him upstairs and me downstairs, and I like it too. It works right in the browser, you don't have to sign in, or download anything, and you can name your meeting anything you want. Jitsi does suggest strings of nonsense words, which are cute, and supposedly hard to guess, but a secure gobbledygook password is probably better. You then share the link with participants, and you can also schedule your meeting in either Google calendar or Microsoft 365. Click the link, and you are in! To work on your phone, you do need an App, but it is pretty intuitive.

We also liked the intuitive file-sharing, so you could collaborate on a document, or show someone a web page you are looking at. But is it any more secure than Zoom? Well, yes and no!

It's Open Source, which means you can download and install it on your computing infrastructure, like your server, or one provided by a hosting company that you trust. This means that for most intents and purposes, your video conferencing is hosted on your own secure network and doesn't need to go anywhere near a third party server you do not control or have an appropriate contract with. The other Open Source Advantage is that developers like the Geekforce can make it do clever things, like embed it in a Web App, link to your phone system, add your branding, your own defaults for meeting security etc., none of which comes with the free "out of the box" version.

For an affordable paid for videoconferencing solution, he says you could do worse than Iomart's hosted Jitsi offering, which is available from £5 a month.

But bear in mind that with all video conferencing apps, there are two obvious problems, and they are not unique to Zoom.

Firstly, your meeting is exactly as secure as the way you set it up, and particularly the way you share your link. So if you paste it all over a public platform like Twitter, or in a public Facebook Group, you have, effectively, invited every troll and hacker on the internet into your home office, and that of your meeting participants. Which, if your meeting is the UK Cabinet, is probably a bad idea!

But, with the choice of Video-conferencing Application being down to your employer or your meeting organiser, and with Zoom being the one that has caught the public imagination, for everything from after-work drinks, to Cabinet meetings, should you be worried, and, and how do you keep yourself safe?

To be fair, Zoom seems, after a shaky start, to be taking its vulnerabilities seriously, which is good news for my local Knit and Natter group, who are more familiar with Yarn-bombing than Zoom-bombing!

Some of the vulnerabilities, like the Windows one that allowed attackers to steal your operating system credentials, and the Mac OS one that potentially allowed hackers to take over your webcam without your permission have been patched in the latest versions.

Zoom has also disabled their "Log in with Facebook" and "Linked-in Sales Navigator" features which sent unnecessary data to those companies, though to be fair, if you are going to lose your calm about all the issues with "Log in with Facebook", you are going to be very angry for a very long time!.

Zoom was originally designed as a Video-conferencing platform primarily for enterprise customers – large institutions with full IT support, firewalls, and security protocols for home working, and in this context, using the paid version, with an appropriate SLA, on your own VPN, is probably no more or less secure than any other videoconferencing application available under contract. We know of organisations who use it while remaining HIPAA compliant, but again, they use it on a VPN, controlled by them.

What none of were expecting was that, with only a couple of week's notice, everyone in the workforce who possibly could, would be having to work from home on systems cobbled up on the fly, over the public internet, much less, that little old ladies would be using it because they missed their weekly Knit and Natter down the Library.

And that didn't go unnoticed by the bad guys or, indeed, by security researchers, who have piled on to Zoom find more security bugs. It's unclear if other platforms have had the same level of attention. If they have, then Zoom probably has some questions to answer about their coding and management practices of code quality, but if not their competitors could be even less secure, and we just don't know. What we do know about Zoom is that they came clean and took action, and I personally like their "We messed up, but we're fixing it approach".

I guess this exposes a wider issue across the entire field of commercial Software as a Service Development. As with Zoom, a lot of these types of faults don’t show up until the service gets a massive surge of users. Then all the convenient shortcuts they took building their systems in the name of 'just get it done so we can sell it already' start showing.

So, the second issue comes with applications that are hosted on the wider Internet. This means you have no control over what routes your communications take between your device and those of your meeting participants. While some communications are sent with encryption to which you and the end participants hold the decryption key, (known as End to End Encryption) Zoom has an interesting definition of this, which excludes their own servers, in most cases, which means in theory, a Zoom employee could listen in to your meeting or chat. Knowing what we know about end to end encryption, we wouldn't bet our lives that all of Zoom's competitors are significantly better, in their free or low-cost versions, and nor are many Social Media platforms with a lot more traction than Zoom. A good adage to remember with any SAAS product which is free to you at point of use is "if you are not the customer, ask yourself how you might conceivably be the product?"

So, unless you control the routing from end to end, it all boils down to whether you trust the company serving the Application. A good start to making up your mind about that is to read that long complicated document that flashes up briefly on the screen before you click OK with a breezy "you own my soul". (The Head of the Geekforce has instructed me to clarify that it's just me who does this, he is a professional, and actually reads them.)

The COVID-19 crisis has revealed these vulnerabilities because more and more people are using video-conferencing, and other electronic ways of staying in touch, than ever before, and just like learning to wash our hands properly, we may all need to up our internet-hygiene game too.

So here, without further ado, is our light-heartedly serious version of those viral Posters that demonstrated correct handwashing to the accompaniment of the musical lyrics of your choice.

1. Update your system routinely. There's no point them patching it if you run an old version. Get into the habit of checking you’re up-to-date every day, before your first meeting.

2. Use the Waiting Room option Set up meetings so that the participants can’t join in until you open it up. That way the meeting organiser can check that everyone is who they say they are, and open the meeting when everyone is in.

3. Learn to use the controls over screen sharing There are numerous controls you can apply to participants in meetings, including blocking file sharing and private chat, kicking out disruptive users, and stopping troublemakers coming back. It's a shame we never had those back in the days of live meetings!

4. Use random meeting IDs and set meeting passwords As with that old password with your birthday or your childhood phone number bolted on to the name of your cat, lots of people use the same meeting ID for everything, because they can remember it. We don't need to tell you that this is a dumb idea, do we? And if we do, please consider using a password manager while you are about it!

You can send the web link by one means, e.g. in an email or invitation request, and the password by another means, e.g. in an instant message just before the meeting starts. (You can also lock meetings once they start to avoid gaining unwanted visitors after you’ve started concentrating on the meeting itself.) These things should really have been defaults from the get-go in Zoom, as they are in the latest version, rather than opt-in options for greater security and less convenience. But whatever Videoconferencing service you use, learn to use the application's security features before hosting a meeting.

5. Have a good meeting etiquette. Respect for privacy, a sense of trust, and a feeling of comfort are as important for online meetings, as they are for face to face ones.

When using video, pay attention to your appearance and the lighting, think about what's in the background and make sure there won't be any interruptions. Mute your mike when not speaking, so that participants can't hear unwanted "noises off". Particularly if you share your home with kids, pets, or a partner who swears a lot!

Unless you are absolutely sure that the meeting is securely encrypted end to end, it is probably best to avoid discussing sensitive data, like personally identifying information or anything covered by an NDA. "If you wouldn't say it in public, don't say it on the Internet" applies to video conferencing as well as posting on Twitter!

Be very clear upfront if you will be recording the meeting, and make it clear if they are any restrictions, albeit informal ones, about what the participants are allowed to do with the information they learn in the meeting.

Think long and hard about file-sharing, and whether sensitive data could be in those files.

As with anything on the net, don't click any links whether in chat, or the meeting invitation itself, unless you are absolutely confident that they are what they purport to be, and be sure you know where a meeting invite has come from before joining.

All this means thinking long and hard about how you invite people to your video-conference, and whether you trust the channel you have chosen to share meeting invitations only among trusted and known individuals. It means taking some time to learn about the tool you are using to run your meetings, and any access features such as password protection, waiting rooms, and the facility to lock meetings after everyone is in. It means giving thought to what meeting attendees can see and hear, both in the background, and in screen sharing, and being mindful about what young children share in their screen time, whatever platform they are using.

Ironically, since all the publicity, Zoom has now risen to the challenge, with new blog posts, useful features, like the aforementioned password protection, and easily accessible training and guidelines on how to use the system safely.

Oh well, I'd best be off! There's a Knit and Natter happening shortly, and it wouldn't do to keep everyone waiting!