Naked Security

5 things you can do today to make Zooming safer

5 things you can do to make your Zooming safer, more private and more secure...

Work still means meetings, and meetings still mean people.
But with the coronavirus pandemic having caused many countries to define a “group” as a maximum of two people, and prohibiting people from meeting up face-to-face anyway, even with friends and family, then meeting with people means an online meeting.
For very many of us, that means Zoom, not least because many of us were using Zoom already, and happily, and…
…or so we thought, safely.
But Zoom has had a bunch of security scares recently, as huge numbers of new users flock to it, and as crooks and miscreants try to take advantage of that.
Fortunately, a lot of the problems and risks people are having can be reduced enormously just by getting the basics right.
Unfortunately, a lot of the habits that existing Zoom users have fallen into need to change.
Insecure shortcuts – ways of using Zoom that the old-timers have inadvertently been teaching to the Zoom newcomers – didn’t seem to matter that much before, but they do now.
So here are our top 5 “things to get right first” – they shouldn’t take you long, and they are easy to do.

1. Patch early, patch often

Zoom’s own CEO just wrote a blog post announcing a “feature freeze” in the product so that the company can focus on security issues instead. It’s much easier to do that if you aren’t adding new code at the same time.
Why not get into the habit of checking you’re up-to-date every day, before your first meeting? Even if Zoom itself told you about an update the very last time you used it, get in the habit of checking by hand anyway, just to be sure. It doesn’t take long.
By the way, we recommend you do this with all your software – even if you have been using your operating system’s or an app’s autoupdating for years and it’s always been on time, a manual cross-check is quick and easy.
Zoom’s guide is here: Where do I download the latest version?

2. Use the Waiting Room option

Set up meetings so that the participants can’t join in until you open it up.
And if you suddenly find yourself “on hold until the organiser starts the meeting” when in the past you would have spent the time chatting to your colleagues and getting the smalltalk over with, don’t complain – those pre-meeting meetings are great for socialising but they do make it harder to control the meeting.
Zoom has a dedicated article on the Waiting Room feature.

3. Take control over screen sharing

Until recently, most Zoom meetings (or at least the ones we attended in the not-too-distant era before coronavirus) took a liberal approach to screen sharing.
But the term ZoomBombing entered our vocabulary very forcefully about two weeks ago, when a public “Happy Hour” meeting that was supposed to buoy everyone’s morale turned into an HR nightmare when one of the participants, who had entered under a false name, started sharing pornographic filth. (Unhappily for the organiser of the meeting, he’d chosen that day to invite his parents along as guests of honour.)
Actually, it’s not just screen sharing that can cause trouble. There are numerous controls you can apply to participants in meetings, including blocking file sharing and private chat, kicking out disruptive users, and stopping troublemakers coming back.
Zoom has a dedicated article on Managing participants in a meeting.

4. Use random meeting IDs or set meeting passwords

We know lots of Zoom users who memorised their own personal meeting ID long ago and have fallen into the habit of using it for every meeting they hold – even back-to-back meetings with different groups.
But that convenience is handy for crooks, too, because they already have a list of known IDs that they can try automatically in the hope of wandering in where they aren’t supposed to be.
We recommend using a randomly generated meeting ID, or setting a password on any meetings using your personal ID that are not explicitly open to all. You can send the web link by one means, e.g. in an email or invitation request, and the password by another means, e.g. in an instant message just before the meeting starts. (You can also lock meetings once they start to avoid gaining unwanted visitors after you’ve started concentrating on the meeting itself.)
Zoom has a dedicated article on Meeting and webinar passwords.

5. Make some rules of etiquette and stick to them

Etiquette may sound like a strange bedfellow for cybersecurity, and perhaps it is.
But respect for privacy, a sense of trust, and a feeling of social and business comfort are also important parts of a working life that’s now dominated by online meetings.
If you’re expected or you need to use video, pay attention to your appearance and the lighting. (In very blunt terms: try to avoid being a pain to watch.) Remember to use the mute button when you can.
And most importantly – especially if there are company outsiders in the meeting – be very clear up front if you will be recording the meeting, even if you are in a jurisdiction that does not require you to declare it. And make it clear if there are any restrictions, albeit informal ones, on what the participants are allowed to do with the information they learn in the meeting.
Etiquette isn’t about keeping the bad guys out. But respectful rules of engagement for remote meetings help to make it easy for everyone in the meeting to keep the good stuff in.



9 Comments

Excellent advice aimed at business and private personal meetings, but on Sunday we’ll be broadcasting our church service. Public worship is by definition public and we really want it to remain so as much as possible. When we meet in church, very occasionally we have to deal with a disruptive element but online, anyone worldwide on the Internet could pose a threat, and they can hide behind anonymity. Furthermore, we can surely expect bots to be developed to seek out open meetings or exploit vulnerabilities in order to inject advertising, propaganda, rickrolling or porn. Whilst Zoom will undoubtedly do everything they can technically to prevent that, if you have an open meeting there’s a limit to what they can do.
However, it seems we should be fairly safe if we (a) prevent screen sharing except by the host, (b) mute all except the host and others officially taking part, and (c) disable participants’ ability to un-mute themselves.
On Sunday we have 15 people taking part in a dramatic reading so it would place a heavy burden on the host to control that many mutes whilst also managing screen sharing and music. As far as I can see, unfortunately you can only share the hosting and hence the meeting management by paying double the licence fee.


As we implied in the article, some of the tips aren’t relevant if you want to have a public meeting. So in your case, you want to publicise the meeting ID and you don’t want a password.
I’d suggest using the Waiting Room, if only to make it obvious when the service has officially started. BTW, it sounds to me as though you have this well figured already – an open meeting but in what you might call “read only” mode. I can’t think of anything I’d add here, so your comment is much appreciated as a real-world example of how to solve the problem of not being allowed to gather in public, yet still to have public gatherings.
Turning the option to unmute off for participants who don’t need to be heard is a very good idea even if you trust everyone 100% – when you have lots of participants, the background noise and distraction that everyone hears is the *sum total* of the background noise of everyone on the call. Every chair creak, every siren going past every house, every breathy noise from people with bad mics and high gain, every background remark that anyone assumed would not be broadcast because they were *so sure* they were muted, and every bit of tuneless humming that people innocently come up with when they are in what you might call “private public”…
If you have the time, we’d love to hear how it went and what, if anything, you’ll do differently next Sunday. You can comment back here if you like, or just email us: tips@sophos.com.


You should upgrade your church account to a webinar account. That way you can keep all the members in as attendees (and not worry about their mics/cameras/sharing). The presenters (Zoom calls them panelists) can then mute/unmute at will.


Everyone is worried about Zoom, but I would think they have become safer to use with all the scrutiny. What about apps like doxy.me that are small and serving a niche market? Are these apps getting looked at hard, or simply being passed over since the media isn’t talking about them?


I have a 10-year-old laptop which still works perfectly adequately, and use an old operating system. I refuse to add to the pile of electronic waste in vain (that is to say, I am not getting rid of my old laptop), and I refuse to upgrade my operating system because I hate the layout and setup of the more recent versions, which would undo years of customising my setup to optimise what *I* want to do with my computer. This means that I *cannot* use the latest version of Zoom (but can use an earlier version), because it is not compatible with my hardware and operating system. Software companies should design their code to allow backward compatibility or, failing that, ‘graceful degradation’ or, failing that, they should at least provide security patches that can be applied to *any* past version.


Seems you’re asking an awful lot from other people, and from the software companies, to keep retro-fitting patches to versions that have already been replaced – typically free of charge – with ones reimplemented in more secure ways…
…just because you refuse to adapt to a new visual design in modern operating systems and apps.
To be fair, you *could* use the latest version of Zoom if you wanted (I’m willing to bet that a modern Linux – with an old-style interface if you want – would work just fine on your laptop), but you don’t want to. So don’t be surprised if other people say they’re unwilling to let you join their calls because they think your computer might be the weakest link in the chain.
