Governments, private companies, and Departments of Education are pivoting away from using virtual conference platform Zoom.
As of today, the United States Senate sergeant-at-arms (the Senate’s chief law enforcement officer) warned offices not to use the virtual conferencing platform; citing a high risk of "potential compromise of systems and loss of data, interruptions during a conference, and lack of privacy".
In ordinary times the urgency behind this announcement would reverberate well beyond Washington D.C., but with so much else going on these days, everyday Americans may not get the message in time.
So, here are two reasons why you might want to reexamine your use of Zoom.
The ordinary person does not routinely change their login (credential) information. Because of this fact, hackers usually will use stolen sets of usernames and passwords to try and "stuff" into other login pages of other online platforms and popular services. This then allows one or two pieces of stolen credential information to unlock multiple accounts.
A database discovered on a dark web forum by threat intelligence firm, IntSights, displayed full sets of Zoom customer details, including PIN codes into all open sessions. If hackers have access to the URL, the ID number and the PIN code, they can both enter a video conference and take it over.
Business Email Compromise
The credentials now available in the identified database ranges from personal accounts to corporate accounts for banks, third-parties, educational facilities, healthcare providers, and software vendors.
Let’s for a second imagine a scenario where a cyber criminal has access to a large number of compromised accounts from the above groups. Using just a relatively small amount of what’s called (OSINT) open source intelligence to verify said data, perhaps via Facebook or LinkedIn, for example – they could rather quickly locate high value account targets; i.e. CEOs, CFOs, CTOs and others within an organization's corporate structure.
With operation verification successfully completed, the sky’s the limit as to what happens next. There would however be one thing sure to follow though, and that's highly targeted phishing campaigns. And not if but when this does take place, it’ll be done using tools, techniques and procedures that will prove infinitely harder to detect, trace and or even prevent.
Virtual Conferences and Security
Today there are no shortages of virtual conferencing platforms. Zoom, unfortunately, just had the opportunity of being one of first ones through the post Corona-door. But before you settle on any Zoom alternative(s), of which there are many, below are three key security paces that you might want to put them through.
Does the alternative platform offer end-to-end encryption for meetings and team chats for both desktop and mobile devices?
How will your meeting credentials be generated, managed and validated on the alternative platform? And what other permissions will you need to grant?
Are your current (home or office) security defenses set up to withstand cyberattacks on or against the new video conference platform?
If you’re especially unsure about the current state and/or capability of your existing home-office security, we can help with that. Contact us to set up a free security assessment.