How to Use Zoom Securely
Since my last article, the world has massively changed. Some changes are for the better; some, not so much. On the bright side, people have suddenly realized that we’re all “internet locals” now, so we can hang out together virtually and do some really cool stuff! Musicians are doing free concerts or assembling distributed recordings into neato ukelele videos; adults are attending virtual game nights, artists are creating cool artwork, teachers are porting their classwork into virtual classes and much, much more.
And what do almost all of these activities have in common right now? That’s easy: Zoom. Zoom is the name of the application that helps folks to meet up virtually, video chat, and broadcast webinars. It’s kind of like Skype but on steroids and it’s suddenly very, VERY popular.
Recently, it’s also VERY criticized. A growing chorus of security professionals and educators are reporting that Zoom is, among other things: “malware”, a “privacy risk”, lying about its meetings being end-to-end encrypted and worse. Here’s a scathing article from CNET. Here’s another from The Washington Post. And one from NPR. And another from Vice.
You get the point.
People are fearful, worried and protective of their privacy and it sure does seem like Zoom is trying to undermine it if you read the press and the articles written by security professionals. While I don’t think Zoom is malware, I can’t argue with most of the criticism I’ve linked to. These folks all have a legitimate beef with Zoom and the problems they’ve discovered with the company’s software are real. However, that doesn’t stop me from using the software to teach my improv classes.
Malicious Software Vs. Sloppy Software
All of the worthy criticism being leveled at Zoom is, honestly, right on schedule. Prior to the pandemic hitting, Zoom was more of a niche player in the video conferencing market. Then, as soon as millions of people started using their software, it became a target for hackers.
Only, that’s not unique to Zoom: it happens to ANY popular software title or platform. Frankly, it’s a rite of passage and considered a mark that you’ve arrived on the world stage.
As hackers started to pick apart the Zoom software and exploit its weaknesses and as security researchers began to uncover some of the application’s shortcomings, it gave the public a chance to see how the company would respond. If it wasn’t clear before — and it should have been — it’s certainly clear now from the company’s most recent responses: Zoom didn’t create malicious software designed with malice to harvest user data or expose their users’ privacy. Instead, they took a different, far-less-evil path:
They just made sloppy software that was designed for speed.
It’s a huge difference and something that’s important for the public to keep in mind. Also — and this is key — they didn’t design their software to be used by every school district and work-from-home employee in the world nearly overnight. But that happened as well. And that kind of explosive growth puts a tremendous strain and spotlight on a company.
So, how did the company respond in the face of all of this pressure?
Exactly as security-minded people might have hoped. The company shifted quickly and began deploying security updates and improvements to its product on a regular basis to address their software’s shortcomings. The CEO went public with his desire to hear the complaints, listen to them, and then pivot to address them. The company’s new changes include new security controls, changing their iOS app to not interface with Facebook, hiring Facebook’s previous and well-respected security chief, and a rather massive and transparent update about security from the CEO. I’m guessing more is coming.
Which is to say: the company is listening. And they’re demonstrating by their actions that they’re doing all of the right things. For now.
Privacy Vs. Security
Before we get to how to lock down your Zoom meetings, it’s really important to remember that security and privacy aren’t the same things:
- Privacy, as defined by Merriam-Webster, is freedom from unauthorized intrusion. In tech, I’d describe privacy as the desire to feel safe from others monitoring what we’re saying or doing.
- Security, as defined by Merriam-Webster, is measures taken to guard against espionage or sabotage, crime, attack, or escape. In tech, I’d describe security as the hardware, the software, and the behaviors we adopt to help keep our affairs private.
In other words, privacy is a feeling or a state of being and security is the list of actions we take to achieve that privacy.
Enacting good security measures to achieve our privacy isn’t a one-size-fits-all approach for those around us. In fact, it’s rarely a one-size-fits-all approach for ourselves: there are many situations in my own life where I need higher levels of security and others where I’m comfortable with less. It’s always a balancing act.
Sometimes, I need to be productive and efficient, so I’m willing to work with lower levels of security. Much of my basic email falls into this category as I use Google, a company renowned for harvesting data. Other times, I need higher levels of security, because certain aspects of my life require it. Much of my medical and financial affairs fall into this category so I use much more secured forms of communications.
And as my long-time readers know, I use a VPN to protect my web browsing privacy from my ISP.
But teaching improv classes on Zoom? Privacy isn’t so important in that specific context. Neither what I’m teaching, nor the activities I’m undertaking, nor the discussions I’m having with any of my students require high levels of privacy. If hackers were able to watch or overhear my class, all they’d observe would be a bunch of happy people doing fun and silly games with one another.
I’m fine with that!
But it doesn’t mean I’m not interested in the security of my Zoom meetings. So let’s now take a look at how I implement security on Zoom and how you should as well…
The Zoom Hacks & How to Prevent Them
Part I: The Basics
Hackers try to find loopholes and exploit weaknesses in any popular software. It’s what they do and they’re very good at it. So expect that. As users, it’s our responsibility to learn how to find and use our software’s security protocols and then set them tightly. It sounds harsh but it’s true:
If you’re hacked and there was an easy way to prevent that hack, then you should have taken the time to learn more about your software before implementing it, especially if you’re using your software to supervise children. Think of security preferences like you would think of seatbelts in your car: they should ALWAYS be on.
In fact, before using any piece of software, you should always — ALWAYS! — take the time to explore the preferences to see what’s offered. Start with the Security/Privacy preferences. Many times those preferences get their own category as shown below in the Chrome and Brave browsers and the Discord desktop application:
Additionally, turn off ANY feature in your software unless it’s proven safe to use and you’ve taken the time to verify that yourself.
With that in mind, let’s dive in…
Part II: How to Minimize or Prevent the Hacks
The Zoombombing Hack
This hack works when malicious hackers join your meeting and use the “screen share” feature of Zoom to share inappropriate content with the rest of your attendees. Not cool.
Much has been made of this exploit, which surprises me because the controls to prevent this have always been available. Click this link, log into your Zoom account if asked, and then click the “In Meeting (Basic)” link as shown. Scroll down to your Screen Sharing preferences and ensure that it’s either deactivated or only turned on for YOU (the host) and not for all of your participants. You’ll note that, in my preferences, I’ve not activated the “Disable desktop/screen share for users” preference because I sometimes DO share my screen when I’m hosting a meeting and that preference would prohibit my doing so. Instead, I’ve simply and easily ensured that I’m the only one that can share my screen.
The Virtual Screen Hack
This hack works when malicious hackers join your meeting and use the “Virtual background” feature of Zoom. This feature allows users to change their background to ANY image. Malicious hackers can then alter what appears behind them on-screen to share inappropriate content with the rest of your attendees. Also, not cool.
Once again, the controls to prevent this hack have always been available. Click the same settings link as above, log into your Zoom account if asked, and then click the “In Meeting (Advanced)” link as shown. Scroll down to your Virtual background preferences and ensure that it’s turned off.
The Chat Hack
This hack works when malicious hackers join your meeting and use the chat feature of Zoom. If turned on, malicious hackers can send chat messages to you, to some specific person in your meeting or to everyone in your meeting. This also includes the ability to attach any images into the chat room, including those which are inappropriate. Again, super not cool.
To prevent this kind of abuse, click the same settings link as above, log into your Zoom account if asked, and then click the “In Meeting (Basic)” link as shown. Scroll down to your Chat preferences and ensure that it’s turned off.
In my case, you’ll see chat is ON, but that’s because I use it a lot in my virtual improv classes.
Bonus #1: if you’d like to keep the chat room active but ONLY allow participants to chat with you and not with each other, you can do that by following the instructions here.
Bonus #2: if you’d like to keep the chat active but turn OFF file-transfer, you can do that by following the instructions here.
The “Your Meeting is Public” Hack
This hack works when malicious hackers join your open meeting because you’ve made the god-awful mistake of publishing your link to the general public. Once in your meeting, hackers then do anything possible to disrupt or attack.
There are two ways to prevent something like this from happening.
- NEVER make your meeting link freely available online. Don’t put it on your website, a bulletin board, or in a group email to everyone you know. If you do that, you’re only asking for trouble. Instead, only provide your meeting link to those you know or have vetted in advance. One simple way to do this is to have your attendees register to attend your meeting on another website. I use and love TicketSpice for this very reason.
- Use Zoom’s “Waiting Room” feature to prevent anyone from joining your meeting until you allow them in. Click the same Zoom settings link as above, log into your Zoom account if asked, and then click the “In Meeting (Advanced)” link as shown. Scroll down to your Waiting room preferences and ensure that it’s turned ON. Then, if someone attempts to join your meeting and you don’t recognize the name: don’t let that person in.
The My Account Info Got Stolen Hack
This hack works when malicious hackers manage, through a variety of efforts, to gain access to your Zoom account username and password. If this happens, all of the work you’ve done to protect your users and lock down your account is undermined.
Therefore, use the same advice I mentioned in an earlier Medium article: add two-factor authentication (or “2FA” for short) to protect your Zoom account. Doing this will eliminate nearly every hacker’s ability to log into your account.
Zoom has an easy-to-follow help page on how to do this here but here’s the short version: click this link to visit your Zoom account’s security preferences and scroll down to the 2FA preferences as shown below and turn it on. Make sure to select the “All users in your account” radio button. That will force ANYONE in your organization who shares your Zoom account — something that’s common with business accounts — to also apply 2FA to their login.
Then, the next time that you — or anyone on your shared account — logs in, you’ll be met with the following screen:
If you’re not familiar with how 2FA works, I highly recommend learning more about it. Here’s a link to my Medium article which does a deeper dive on the topic. The quick overview is this: 2FA uses an application on your smartphone (I use the amazing and free “Authy” app) which provides you with a different 6-digit code every 30 seconds. This means that, in order for hackers to be able to log into your account, they’d not only need your username/password but they’d also need access to your smartphone.
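As an added illustration (not code from the original article or from Zoom/Authy), here is the standard time-based one-time-password algorithm, RFC 6238, that authenticator apps of this kind implement: a shared secret, the current 30-second window and HMAC-SHA1 produce the 6-digit code, and the server-side check tolerates one window of clock drift. The secret below is the RFC’s own published test vector, not a real account key.

```python
import hmac
import hashlib
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890"). A real authenticator
# stores a random secret it receives from the QR code when 2FA is enrolled.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # each code is valid for one 30-second window
DIGITS = 6          # the 6-digit codes described above


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes and reduces them to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the counter is just the number of 30-second windows elapsed,
    which is why phone and server agree without ever talking to each other."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify(secret: bytes, submitted: str, unix_time: int, drift: int = 1) -> bool:
    """Server-side check: accept the current window plus `drift` windows on
    either side so a phone clock a few seconds off still works. Uses a
    constant-time comparison so response timing does not leak matching digits."""
    current = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, c), submitted)
        for c in range(current - drift, current + drift + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second window:", totp(TEST_SECRET, now))
```

A stolen password alone fails this check because the attacker never sees the secret that the phone and the server share.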
The I’m Lazy Hack
This hack works when a software company releases newer, better, and safer versions of their applications but you’ve not taken the time to download and install those updates. When hackers note this — and they can and will — they can leverage security holes in older versions of your software against you.
This is, literally, the laziest mistake of all, so start by downloading the newest version of Zoom here. If you’ve already got the app installed, always click yes if it prompts you to update. If you’re not sure, check: click on your profile pic in the Zoom application and select “Check for Updates” as shown:
The Lessons Learned
We’re responsible for the technology we use. In a few rare examples — CleanMyMac & MacKeeper come to mind — the applications we use are designed with malice to hurt our computers and livelihoods. In nearly every case — including Zoom’s! — the software might be buggy, outdated, or require updating but it’s not designed or intended to harm.
You, not the software company, are your last line of defense. Get educated, learn about your apps, and lock them down in ways that protect you and those you serve. That’s true for ANY application on any operating system.
Annnnnnnnnd… that’s a wrap for today’s article, everyone. Thanks for reading. Did I miss a preference you prefer to keep active? Do you disagree or agree with me? Let me know your thoughts & questions in the comments section.
As always… surf safe.
Click here for my guide on how to choose a privacy-focused VPN.
If you’re looking to set up a VERY secure iPhone, click here.
To learn how to remove your personal data from the web, click here.
For a super cool way to NOT give your personal email address to everyone, click here.
Click here for a crash course on how to keep your devices updated.
Originally published at https://techtalk.substack.com.