With COVID-19 continuing to cause uncertainty in our world and the need to self-isolate, many employers are turning to video conferencing for job interviews. The 2 most popular tools for businesses are Skype for Business (generally used by larger companies) and Zoom (most popular with small businesses).
With Zoom’s rise in popularity, a type of attack called ‘Zoom-bombing’ has also seen more and more activity. Zoom-bombing is when someone gains unauthorized access to a Zoom meeting to harass the meeting participants in various ways: to spread hate and divisiveness, show porn, or record pranks that will later be shown on social media. This article will focus on how you can minimize the risk of being ‘Zoom-bombed’ in the middle of an interview (or anytime you use Zoom for a meeting).
Privacy considerations when using Zoom
Before we get into learning how to secure your Zoom interviews/meetings, it’s important to know the privacy ramifications of participating in Zoom meetings.
One of the most important things to remember is that a Host can record a Zoom session, including the video and audio, to their computer. Therefore, be careful saying or physically ‘revealing’ anything that you would not want someone else to potentially see or know about.
Meeting participants will know when a meeting is being recorded as there will be a ‘Recording…’ indicator displayed in the top left of the meeting as shown below.
It is also important to remember that a user can download their chat logs before leaving a meeting. These logs will only contain messages that you could see, but not the private chat messages of other users.
Finally, it has been reported that there is no true end-to-end encryption (E2E) between Zoom users’ endpoints.
What this means is that only the communication between a meeting participant and Zoom’s servers is encrypted, while the related meeting data traversing over Zoom’s network is not.
This means that a Zoom employee can monitor a meeting’s traffic and snoop on it, but Zoom states that there are safeguards in place to prevent this type of activity.
Securing your Zoom meetings
Now that you know the potential privacy risks of using Zoom, before scheduling a meeting with friends or coworkers, you can familiarize yourself with the various ways you can secure Zoom meetings using the steps below.
Add a password to all meetings!
When creating a new Zoom meeting, Zoom will automatically enable the “Require meeting password” setting and assign a random 6-digit password.
You should not uncheck this option as doing so will allow anyone to gain access to your meeting without your permission.
Use waiting rooms
Zoom allows the host (the one who created the meeting) to enable a waiting room feature that prevents users from entering the meeting without first being admitted by the host.
This feature can be enabled during the meeting creation by opening the advanced settings, checking the ‘Enable waiting room’ setting, and then clicking on the ‘Save’ button.
When enabled, anyone who joins the meeting will be placed into a waiting room where they will be shown a message stating “Please wait, the meeting host will let you in soon.”
The meeting host will then be alerted when anyone joins the meeting and can see those waiting by clicking on the ‘Manage Participants’ button on the meeting toolbar.
You can then hover your mouse over each waiting user and ‘Admit’ them if they belong in the meeting.
Do not share your meeting ID
Each Zoom user is given a permanent ‘Personal Meeting ID’ (PMI) that is associated with their account.
If you give your PMI to someone else, they will always be able to check if there is a meeting in progress and potentially join it if a password is not configured.
Instead of sharing your PMI, create a new meeting each time and share it with participants as necessary.
Disable participant screen sharing
To prevent your meeting from being hijacked by others, you should prevent participants other than the Host from sharing their screen.
As a host, this can be done in a meeting by clicking on the up arrow next to ‘Share Screen’ in the Zoom toolbar and then clicking on ‘Advanced Sharing Options’ as shown below.
When the Advanced Sharing Options screen opens, change the ‘Who Can Share?’ setting to ‘Only Host’.
You can then close the settings screen by clicking on the X.
Lock meetings when everyone has joined
If everyone has joined your meeting and you are not inviting anyone else, you should Lock the meeting so that nobody else can join.
To do this, click on the ‘Manage Participants’ button on the Zoom toolbar and select ‘More’ at the bottom of the Participants pane. Then select the ‘Lock Meeting’ option as shown below.
Do not post pictures of your Zoom meetings
If you take a picture of your Zoom meeting, then anyone who sees this picture will be able to see its associated meeting ID. This can then be used by uninvited people to try to access the meeting.
Do not post public links to your meetings
When creating Zoom meetings, you should never publicly post a link to your meeting.
Doing so will cause search engines such as Google to index the links and make them accessible to anyone who searches for them.
As the default setting in Zoom is to embed passwords in the invite links, once a person has your Zoom link they can Zoom-bomb your meeting.
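Because an invite link can carry the password with it, one practical check is to scan any text you are about to post publicly for Zoom join links. The following is an added example, not part of the original article; it assumes join links have the form `https://<subdomain>.zoom.us/j/<meeting ID>` with the password in a `pwd` query parameter, and the sample text and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: join links look like https://<sub>.zoom.us/j/<9-11 digits>?pwd=<token>
URL = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
JOIN_PATH = re.compile(r"/j/(\d{9,11})/?")

# Constructed sample of a draft public post (IDs and token are made up).
SAMPLE = (
    "Interview panel Friday! Join: "
    "https://us02web.zoom.us/j/12345678901?pwd=Q09OU1RSVUNURUQ.\n"
    "Backup room: https://zoom.us/j/987654321\n"
    "Unrelated: https://zoom.us.example.net/j/123456789\n"
)

def find_zoom_links(text):
    """Return one finding per Zoom join link found in text."""
    findings = []
    for match in URL.finditer(text):
        url = match.group(0).rstrip(".,;")  # drop sentence punctuation
        try:
            parts = urlsplit(url)
        except ValueError:
            continue
        host = (parts.hostname or "").lower()
        # Exact host check so look-alikes such as zoom.us.example.net are ignored.
        if host != "zoom.us" and not host.endswith(".zoom.us"):
            continue
        path = JOIN_PATH.fullmatch(parts.path)
        if not path:
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        findings.append({
            "url": url,
            "meeting_id": path.group(1),
            "embedded_password": "pwd" in query,
        })
    return findings

def redact(text):
    """Replace every Zoom join link with a placeholder before publishing."""
    for finding in find_zoom_links(text):
        text = text.replace(finding["url"], "[meeting link sent privately]")
    return text

if __name__ == "__main__":
    for finding in find_zoom_links(SAMPLE):
        print(finding)
    print(redact(SAMPLE))
```

A link flagged with `embedded_password` set is the riskiest to publish, but a bare meeting ID link should also be kept out of public posts.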
Keep your Zoom client updated
If you are prompted to update your Zoom client, please install the update.
The latest Zoom updates enable Meeting passwords by default and add protection from people scanning for meeting IDs.
With Zoom being so popular at this time, more threat actors will also focus on it to find vulnerabilities. By installing the latest updates as they are released, you will be protected from any discovered vulnerabilities.
Be on the lookout for Zoom-themed malware
Zoom-themed malware includes malware and adware installers that pretend to be Zoom client installers.
To be safe, only download the Zoom client directly from the legitimate Zoom site and not from anywhere else.
Follow the steps we have identified and you can minimize issues when using Zoom.