Because of COVID-19 and its widespread effects on businesses, obviously many people have had to turn to remote technology for any kinds of meetings that were normally held in person.
One of the most popular apps for this purpose is Zoom, as you may know if you’ve already used it.
Unfortunately, a side effect of this is that many Zoom accounts have already been compromised, and some are even being sold on Tor, as well as hacking forums. According to an article at DanielOnSecurity:
Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free. These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches.
The compromised accounts are then used in “Zoom-bombing attacks,” where the attacker uses the stolen credentials to harass the participants and other types of assaults. As a matter of fact, one of these attacks even hit a recent U.S. House Oversight Committe meeting, according to threatpost.com.
Some of Zoom’s features, unfortunately, make it more susceptible to these kinds of attacks. Initially, for instance, Zoom had security options that were available, but not to free accounts (which a majority of people are probably using at this time). They have since changed this option after the widespread use of these assailments.
Zoom’s developers have advised the following to help prevent such attacks:
- Update Zoom apps when available – whenever Zoom notifies you that an update is available, always do it (especially right now). This will add any of the latest patches, including the security options.
- Use authentication profiles – authentication profiles allow hosts to prevent unauthorized users from easily breaking into meetings. They restrict meetings to either users who are logged into Zoom or even prevent users whose email addresses use a certain domain (e.g. firstname.lastname@example.org)
- Chat encryption – encryption secures communications so that messages only go to the intended recipient (if done properly). The algorithms used are H323/SIP. To enable chat encryption, in Settings, turn on the “Require Encryption for 3rd Party Endpoints” option.
- Secure Zoom meetings with passwords – you can require a password to log into an individual meeting, or at the user, group, or account level. In order to do this:
- Log in from the Zoom web portal at zoom.com.
- Go to Settings.
- Find the Meeting tab and check to make sure that the password settings that you prefer are enabled. ZDNet recommends using passwords on “…new meetings, instant meetings, personal meetings, aka PMI, and people joining by phone.”
- You can simplify the process of having to use passwords by embedding the password within the meeting link (so that your participants won’t have to memorize the password). The caveat to this is that you must make sure that only your participants have access to the meeting link.
As such, you can also help prevent users from overtaking the screen by blocking all participants except the host from screen sharing. As above:
- Sign into the Zoom web portal.
- Go to the Settings page in the menu on the left-hand side of the screen.
- Click on the “Meeting” tab.
- Scroll to the section that says “Who can share?” and select “Host Only.”
Jitsi (and its teleconferencing app JitsiMeet), by design, is somewhat more secure than Zoom, although it still requires you to take precautions. Even so, one example is that JitsiMeet rooms only exist while the meeting is taking place and evaporate once the meeting is over (not unlike Signal’s “disappearing messages” feature).
Also, the process of naming your chat room can greatly increase or decrease its vulnerability. According to their FAQ:
If you start a meeting with the name “Test”, “Yoga” or “FamilyMeeting” for example, chances of having some random uninvited people joining are very, very high. How does one pick a good room name then? Our random meeting name generator is a great start. It offers names that are easy to remember and read out loud on a phone call, and come from a set of over a trillion possible combinations. Picking out one of the auto-generated names is therefore quite safe.
Similar to the process of using diceware for passwords, the auto-generated names look like this:
As a matter of fact, you could use Diceware to generate a room name, such as “SownProveCandyBottle.” Jitsi.org states that if you don’t like the way their randomly generated room names sound, and you don’t want to use a UUID (universally unique identifier) such as “4b4e0720-5347-4ebc-abeb-2e295bf39b3c” (made using uuidgenerator.net), then you can make something up with a twist, but also try to make it hard to guess, such as “Monkey Face Test Tube.”
Jitsi meetings can operate in 2 ways: peer-to-peer (P2P) or via the Jitsi Videobridge (JVB). This is transparent to the user. P2P mode is only used for 1-to-1 meetings. In this case, audio and video are encrypted using DTLS-SRTP all the way from the sender to the receiver, even if they traverse network components like TURN servers.
In the case of multiparty meetings all audio and video traffic is still encrypted on the network (again, using DTLS-SRTP ([datagram transport layer security]). Packets are decrypted while traversing Jitsi Videobridge; however they are never stored to any persistent storage and only live in memory while being routed to other participants in the meeting.
Jitsi is built on top of WebRTC, which is an open source project that allows web browsers and mobile apps to communicate via simple APIs. The media is decrypted with Jitsi Videobridge because, according to their FAQ, it is not possible to work without this in WebRTC at the present time. Even so, they state that the WebRTC team is working on adding the necessary APIs to the browser so that applications can incorporate an additional security layer while still allowing Selective Forwarding Units (SFUs) to function.
At the moment, Signal doesn’t seem to have a video option, but they may be working on one. Other alternatives include BlueJeans (which is owned by Verizon), Riot.im, Tox, and Wire. These may be covered in a future post. What are your thoughts?