Like many professors, "Karen Wilson" (not her real name) was teaching a college class online for the first time in late March, since the COVID-19 outbreak had sidelined in-person classes. She was using the videoconferencing platform Zoom for her presentation.
"Ten minutes into my lecture, I started hearing laughter and giggling. Then a voice drops into the classroom asking, 'What class is this?'" she says via email. When Wilson asked what was going on, "a couple of girls answered in unison that they were supposed to be in a high school online class, and they were confused. They asked a few questions and they promptly left."
But things were just getting started.
"A while later, another anonymous person, this time a male, started commenting about smoking marijuana and the kind of great weed he'd found last week. Only the audio was heard and he wasn't seen. I asked him to identify himself. When he would not, I asked him to leave which, thankfully, he promptly did."
She says that because she was brand-new to Zoom, the experience was confusing and disorienting.
"I wasn't sure where the audio was coming from and thought it might be background noise from one of my students," she says. "If I had been more familiar with Zoom, I would have immediately muted everyone's audio, but I was a newbie using it online. I had never considered other people could get the Zoom number and 'drop into' a classroom."
Wilson had just been Zoom bombed. Zoom bombing is shorthand for when strangers intrude on others' meetings on Zoom. Sometimes, these folks might just listen in without anyone knowing they're there. Other times, they totally disrupt the meetings in silly or even threatening ways.
Ultimately, Wilson was lucky. Other victims of Zoom bombing have been subjected to hate speech, profanities, threats and pornographic images.
But how could someone just "drop into" a private meeting?
"Zoom bombing is nothing more than enumerating different URL combinations in the browser," says Dan Desko, a cybersecurity expert from accounting firm Schneider Downs, in Columbus, Ohio.
He gives an example: To find a Zoom meeting, you enter the URL Zoom.us/ plus a string of numbers, which serves as the meeting identification number (e.g., https://zoom.us/j/55555523222).
"The problem becomes when people don't have their meetings protected by passwords, and just by flipping a couple of numbers," you could potentially get lucky and suddenly enter someone else's meeting, he says. "Now obviously, you'd have to do that at the right time [when] the meeting's taking place," he adds.
Just to test the flaw, he tried it himself. Within just a minute or so, he stumbled onto a legitimate meeting ID but the meeting wasn't happening at that particular moment. "It's technically sort of like wiretapping or being able to spy on somebody," says Desko.
But why would Zoom have this particular flaw? It was exposed partly because Zoom exploded exponentially in popularity during the coronavirus pandemic, going from 10 million daily users in December 2019 to 200 million daily users in March. The company simply wasn't prepared for the rush of people wanting to use it for classes, meetings and virtual happy hours with friends.
"Zoom is primarily a corporate collaboration tool that allows people to collaborate without hindrance. Unlike social media platforms, it was not a service that had to engineer ways to manage the bad behavior of users until now," says David Tuffley, a lecturer in Applied Ethics & SocioTechnical Studies at Griffith University in Australia, in an email interview. "Their user base has grown enormously, and there [is] bound to be bad behavior."
The sudden traffic surge exposed other security flaws, too, like dark web accounts and lack of encryption. The FBI put out an advisory warning of Zoom bombing on March 30. Some organizations have opted to ban Zoom. Google won't let its employees use it on their laptops. It's all fallout because Zoom failed to address its flaws quickly enough, says Desko.
"In information security and cybersecurity, we talk about three things: We talk about confidentiality, integrity and availability," says Desko. People want to keep their meetings (especially in business) extremely confidential.
Furthermore, he says, the Citizen Lab at the University of Toronto "showed that the encryption technology that Zoom purported to use wasn't as strong as they say [it was]. They're actually using an encryption technology that was fairly crackable."
It's something, he says, that will take months to fix. (Zoom hopes to do it in the next 90 days.)
And as for integrity?
As Zoom has expanded its server capacity, it has begun to use servers based in China, with Chinese employees. "There are a lot of people calling the confidentiality of the tools into question," Desko says. That's one reason the U.S. Senate asked members to refrain from using Zoom. The Pentagon also followed suit on April 10.
Since Zoom bombing became a problem, Zoom has changed its default settings so that every meeting is automatically assigned a required password to enter it; also, the "waiting room" feature is now automatically enabled when you set up a meeting. This prevents users from joining a call before they've been screened by you, the host. Finally, the meeting ID code is not shown in the title bar during a Zoom meeting.
Desko thinks these measures will go a long way to stopping Zoom bombing. "It's good to keep the meeting ID private so that people can't associate your meeting ID with you or your company," he says. "Or if you are a high-profile person like Boris Johnson, sharing his meeting ID [as he did on a tweet as part of a Zoom screenshot on March 31] was like sharing the address to the bat cave. Even though the bat cave is secure, it is now a specific target. The password is then key to keeping the meeting secure."
He adds that "If you want to be super-secure you should change up your meeting ID with every call and password too. There is a setting to generate a new meeting ID automatically and you can also set the password personally as well."
At the very least, make sure that Zoom's new security features have actually been enabled on the meetings you're setting up.
"If you have a [recurring] meeting set up already that used the old default, you have to go back into Zoom and update those," says Desko. "That's easy enough to do."
Another way to prevent outsiders from hijacking your meeting is to make the "share screen" option available only to the host. You can also mute the microphones of everyone but the host or the speaker, and lock the meeting once everyone has joined to prevent break-ins. These controls are available on the Zoom toolbar. And finally, don't post a public link to your meeting that may invite unwanted guests to try to enter.
See the original post here:
Have You Been Zoom Bombed? Here's How to Stop It - HowStuffWorks