Published on April 16th, 2020
Zoom to let you report Zoom-bombing attackers crashing meetings
Zoom’s efforts to improve the video conferencing platform’s privacy and security will continue next week with the introduction of a user report feature aimed at helping prevent future zoom-bombing attacks.
Eric S. Yuan, Zoom’s CEO, announced on April 8 that the company will shift its long-term focus to addressing the current security and privacy issues as part of a 90-day security plan.
Zoom also formed a new CISO council and an advisory board that collaborate, share ideas, and directly advise Yuan with the end goal of maintaining the main focus of Zoom’s development process on privacy and security issues.
“Starting April 18, account admins will have the ability to choose whether or not their data is routed through specific data center regions, giving users more control of their interactions with Zoom’s global network,” Zoom said today.
Zoom’s bug bounty program will also be revived with the help of Luta Security led by founder and CEO Katie Moussouris who previously started the Microsoft and Pentagon bug bounty programs.
“Luta Security will be assessing Zoom’s program holistically with a 90-day “get well” plan, which will cover all internal vulnerability handling processes,” Zoom explained.
However, the highlight of next week’s incoming improvements is the addition of a new ‘Report a User’ feature to Zoom’s video conferencing platform, accessible via the newly introduced Security icon added to the lower toolbar.
This new feature will make it a lot easier and faster to report hijackers that take part in zoom-bombing attacks, allowing Zoom to block them from using the platform for future attacks.
BleepingComputer has reached out to Zoom for additional details on how the new user report feature works but had not heard back at the time of this publication.
What Zoom did so far
Starting April 8, meeting security has been drastically improved by enabling waiting rooms and meeting passwords by default for free Basic and single licensed Pro users. K-12 users will be required to enter a password on join by default.
Users with Basic accounts now have secure passwords with support for alphanumeric characters enabled by default, and Zoom was also updated with a new setting that will disable renaming meeting participants.
Zoom meeting hosts and co-hosts now also have a Security icon in the toolbar that provides them with one-click access to several Zoom security features, including but not limited to ‘Enable the Waiting Room’ and ‘Lock Meeting’.
Complex passwords of at least 8 characters are now also on by default for cloud recording starting April 10, while third-party file-sharing was re-enabled on April 12 following a security review.
“Additionally, we’ve fixed issues related to missing data and delay on the Zoom Dashboard,” the company said on Tuesday.
Widespread Zoom-bombing attacks
The user report feature Zoom is planning to add next week and the newly included improvements to meetings’ security couldn’t have come any sooner as Zoom-bombing attacks are highly prevalent.
The Department of Justice and Offices of the United States Attorneys also said in early April that Zoom-bombing is illegal, warning that those involved will be charged and fined and/or imprisoned.
The US Federal Bureau of Investigation (FBI) warned on March 30 of hijackers who join Zoom video conferences used for online lessons and business meetings to cause disruption or to prank participants and share the results later on social media platforms.
One such event was disclosed by Jim Jordan, a ranking member of the House Committee on Oversight and Reform, in a letter sent on April 10 to Carolyn B. Maloney, the Committee’s Chairwoman, per The Hill.
Despite Zoom’s hijacking issues and previous warning from the FBI, “on April 3, 2020, you held a Zoom-hosted Member briefing on women’s rights in Afghanistan with the Special Inspector General for Afghanistan Reconstruction (SIGAR),” Jordan said.
“During this important briefing, the session was ‘Zoom-bombed’ at least three times. The impact of hacking and malware on Member and staff devices is still being determined.”
If you want a list of steps needed to properly secure online meetings from Zoom-bombing attacks, BleepingComputer provides an exhaustive guide.