The recent COVID-19 pandemic has created an expanded remote work environment for all of us. In some instances, we’ve been able to work using applications and systems in the cloud. In other instances, we’ve been able to use VPN (virtual private network) technology that allows us to access our environment outside the office.
Although these technologies have not totally replaced the one-on-one and team interaction, we are learning how to use them and make them work as employees conduct business from home.
We are leaning on video conferencing solutions more than ever to conduct meetings and share information with multiple team members productively. In addition to using them for meetings, these tools also allow us to communicate with family, educate our children, and practice the recommended social distancing.
But expanded use of this technology has, unfortunately, attracted the malicious element of the cyber world and some vulnerabilities have been exposed. Zoom, a company offering free 40-minute video conferencing sessions, has been a primary target of these attacks.
A firm dedicated to identifying technical security vulnerabilities, Rapid7, identified a number of issues which are detailed below:
What you need to know about the workings of Zoom
- In the past, Zoom sent personal information from Apple/iOS users to Facebook, even if you were not a Facebook user. This has been resolved by Zoom, as they have removed the “Login with Facebook” feature on Apple platforms.
- There are weak encryption controls when conducting meetings on Zoom. Meeting transmissions may be intercepted by malicious actors and eavesdropping may occur. Additionally, encryption certificates were issued by Chinese servers which raises confidentiality concerns. Zoom is working to address this, but the platform remains vulnerable in the interim.
- In the past, your Windows passwords may have been exposed via UNC (Universal Naming Convention) links. Since this was discovered, Zoom has released a fix for the UNC path rendering issue.
- Zoom impersonates system prompts to trick users into installing the application. This was reported to Zoom and, as of the date of this briefing, has not been addressed.
- It was discovered that local attackers can leverage Zoom to install malware. Since the discovery of this vulnerability, Zoom has released an update that addresses these issues.
If you have the ability to use an alternative platform for conducting online, virtual meetings, it is highly recommended. If Zoom is your only option, be aware of these potential threats until they are resolved.
Be aware of your Information Security Policies and Procedures and contact the experts at BCN Services with any questions.
From ATMP Solutions (edited and reprinted with permission) http://www.atmpgroup.com. The opinions, representations and statements made are those of the author and not of BCN Services or any affiliate companies and does not constitute any representations, warranties or guarantees. All content provided is for information purposes. The company accepts no liability for any errors, omissions or representations.