Zoom Still Addressing Security, Privacy Concerns

Fraud Management & Cybercrime , Fraud Risk Management , Governance & Risk Management

Governments, Organizations Rethink Use of Teleconference Platform

Zoom Still Addressing Security, Privacy Concerns

As governments and organizations around the globe rethink their use of the Zoom teleconference platform as a result of ongoing privacy and security concerns, the company is making more system changes and has formed a CISO advisory board.

See Also: Webinar | Can Medium-Sized Companies Automate Access to Critical Multi-Cloud IT Environments?

On Thursday, the U.S. Senate sergeant-at-arms sent an advisory to senators and their staff raising concerns about Zoom’s security, The Financial Times reports. And while the advisory did not recommend a total ban on Zoom, the sergeant-at-arms encouraged staffers to look at other platforms, such as Skype for Business, CNN reports.

Meanwhile, Germany’s government advised its employees to stop using Zoom because of security concerns, according to the news agency Handelsblatt. And several companies, including Google and SpaceX, have either stopped using Zoom or have asked employees to limit use, according to CNET.

The COVID-19 pandemic has forced millions worldwide to work at home, which has led to a spike in the use of such collaboration platforms as Zoom, WebEx, Skype and Microsoft Teams, according to the Wall Street Journal.

Cutting Down on ‘Zoom-Bombing’

Zoom is trying to make technical fixes to its platform to cut down on so-called Zoom bombing, where an intruder interrupts a video conference (see: The Cybersecurity Follies: Zoom Edition).

This week, Zoom updated its client platform to remove the video conference meeting identification number from the title bar, according to a company blog post. When screenshots of meetings appeared online, pranksters and others could use those numbers to interrupt or eavesdrop on meetings.

In a screenshot of U.K. Prime Minister Boris Johnson holding a Cabinet meeting earlier this month, the meeting ID number could be clearly seen in the upper left-hand corner.

A U.K. video cabinet meeting screenshot exposed the Zoom meeting ID number.

The removal of the number from the title bar should improve the platform’s security, according to Zoom. “The title will simply be ‘Zoom’ for all meetings, preventing others from seeing active meeting IDs when, for instance, Zoom screenshots are posted publicly,” according to the blog post.

Earlier, Zoom CEO Eric Yuan noted that the company is addressing other privacy and security concerns by implementing geo-fencing and meeting encryption (see: Zoom Promises Geo-Fencing, Encryption Overhaul for Meetings).

But other security issues continue to arise. On Friday, for example, security firm Intsights said it had discovered an underground forum where cybercriminals were looking to rent or share a database that contained over 2,300 Zoom usernames and passwords. It’s not clear whether the data came from a breach of Zoom or a third party, Intsights says.

Advisory Board

In addition to updates to its platform, Zoom has created a CISO advisory board to help it address security issues. Initial members include security leaders from VMware, Netflix, Uber and Electronic Arts, according Yaun’s latest blog post.

In a separate move, Alex Stamos, the former CISO of Facebook and currently an adjunct professor at Stanford University, will serve as an outside adviser to Zoom.

In a post on Medium, Stamos says he’ll work with the company to improve its platform’s security as well as increase the use of encryption to protect user data.

“Zoom has some important work to do in core application security, cryptographic design and infrastructure security, and I’m looking forward to working with Zoom’s engineering teams on those projects,” Stamos says.