OPEN INVITATION - JSE MAGAZINE

OPEN INVITATION

The rising popularity of video conferencing during lockdown has given cyberhackers ample access

Danny Kibel, CEO of access management firm Idaptive, put it best. Summing up the delicate balance organisations have to strike when it comes to cybersecurity, Kibel said that ‘there are two extremes with security. On one end, you can unplug everything from the internet while constantly requiring physical and digital verification. That’s maximum security, but it’s also maximum inconvenience. On the other side, you can create a totally frictionless user experience, but leave your employees and systems completely exposed to malicious actors’. Kibel said that during a Q&A session hosted by Quora in May 2019. In the three very long years since then, the sentiment has remained true, but the option of simply unplugging from the internet has become all but impossible.

When Old Mutual published its Savings and Investment Monitor in August last year, it noted that 56% of respondents were still working from home – at least some of the time. For most of them, working from home meant logging into virtual meetings… And during that sudden, massive worldwide shift to video conferencing, the cybercriminals, hackers and other bad actors came out to play.

They played, in one particularly infamous example, during a Zoom meeting of the SA National Assembly’s programming committee in May 2020. No sooner had the meeting begun than hackers started displaying pornographic images to the gathered lawmakers, prompting Speaker Thandi Modise to exclaim that ‘this is exactly what I said about Zoom’.

By late 2021, the phenomenon of outsiders hijacking Zoom meetings and displaying pornography, racist language or other disturbing content – by now known as ‘Zoom-bombing’ – was so commonplace that it was barely interesting anymore. Last year, a meeting between newly elected US assembly member Jenifer Rajkumar and the New York Police Department was Zoom-bombed. According to news reports, Rajkumar shrugged off the interruption, saying ‘greetings to all, happy to be here. I’m sorry for the hack that we seem to have right now, but stay focused on the matter at hand’.

For Zoom, the matter at hand was the continued notoriety of its security flaws. In April 2020, Zoom CEO Eric Yuan had issued a statement vowing to improve the safety, privacy and security of the platform. ‘We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying and socialising from home,’ he wrote. ‘We now have a much broader set of users who are utilising our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.’

He had a point. But then so did the subscribers in a proposed US class-action lawsuit, which culminated in Zoom agreeing to pay an $85 million settlement. The lawsuit claimed Zoom had violated users’ privacy rights by sharing personal data with Facebook, Google and LinkedIn, and that its weak security had enabled Zoom-bombing.

‘Zoom had a responsibility to ensure their platform was performing with the highest level of security,’ Richard Blech, CEO of security firm XSOC, told news site Threatpost. ‘But instead, they were learning from mistakes through the platform’s persistent vulnerabilities, threats and hackings. Their lack of preparation and, frankly, negligence, is unfortunately what caused this privacy lawsuit, and now they will have to pay the consequences.’

It’s unfair, though, to single Zoom out. The truth is, most video-conferencing platforms weren’t all that secure to begin with. They were designed – as Yuan said, in not so many words – to facilitate online meetings during a time when face-to-face meetings or phone calls were the norm. It’s also churlish to suggest that all the people using video-conferencing software are taking the necessary security precautions. Pravat Lall, VP of product at cybersecurity giant McAfee, highlights one such PICNIC (‘problem in chair, not in computer’) security bug. ‘It’s easy to click “Install later” when software updates pop up on your screen,’ he writes in an online post. ‘However, these updates often come with security patches for vulnerabilities like the ones mentioned above. To ensure that your software and apps have the latest security fixes, update them immediately or select the option to update automatically if available.’

And as cybersecurity firm Kaspersky points out, ‘where do the trolls get information about upcoming [online video-conferencing] events? That’s right, they find them on social media. So, avoid publicly posting links to Zoom meetings’. Kaspersky also recommends using messaging and video-conferencing apps that have end-to-end encryption. ‘Zoom claims to have implemented end-to-end encryption, but the claim is not quite justified. With end-to-end encryption, no one other than the sender and the recipient can read transmitted data, whereas Zoom decrypts video data on its servers, and not always in your company’s home country, either.’

Switching to another platform may be a solution, but even then it depends on the platform. WhatsApp, for example, offers true (and highly robust) end-to-end encryption; but Slack, infamously, doesn’t offer end-to-end encryption at all.

Users – including team leaders and corporate IT heads – also need to be aware of security glitches across platforms, which are being discovered and patched almost every day.

In the early days of lockdown, for instance, security experts spotted a strange glitch in Zoom that caused the service to consider emails of the same domain as belonging to the same company. It then shared those users’ contact details with each member of that group. ‘For example, that happened to users who registered Zoom accounts using emails ending with @yandex.kz, which is a public email service in Kazakhstan, and it may happen again with email addresses belonging to smaller public email providers,’ says Kaspersky.
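The Kazakh email example above is a textbook case of an unsafe grouping rule: two strangers who happen to share a public email provider are not colleagues, so treating the domain after the @ sign as a company identifier leaks one user’s contact details to the other. The short Python script below is an added illustration written for this article, not code from Zoom or Kaspersky. It contrasts the naive ‘same domain, same company’ rule with a safer approach in which users are only grouped under domains whose ownership has been verified, and public mail providers are never used as a grouping key. The domain lists and email addresses are constructed sample data, and the `VERIFIED_ORG_DOMAINS` table stands in for whatever ownership check a real service would perform.

```python
# Added example: why "same email domain => same company" leaks contact data,
# and how a verified-domain rule avoids it.

# Constructed sample data. Public providers must never act as a grouping key.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yandex.kz"}

# Constructed sample data. In a real service, an entry appears here only after
# the organisation has proven it owns the domain (e.g. via a DNS record).
VERIFIED_ORG_DOMAINS = {"example-corp.com": "Example Corp"}


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[1].lower()


def naive_company(email: str) -> str:
    """The flawed rule described in the article: the domain *is* the company."""
    return email_domain(email)


def verified_company(email: str):
    """Safer rule: group only under a verified organisation domain.

    Returns None for public mail providers and for unverified domains, which a
    directory feature should treat as 'no organisation' (no sharing at all).
    """
    domain = email_domain(email)
    if domain in PUBLIC_MAIL_DOMAINS:
        return None
    return VERIFIED_ORG_DOMAINS.get(domain)


def directory_visible_to(viewer: str, users, grouper) -> set:
    """Emails the viewer would be shown in a 'people in your company' list.

    `grouper` maps an email to an organisation key, or None for no organisation.
    """
    org = grouper(viewer)
    if org is None:
        return set()
    return {u for u in users if u != viewer and grouper(u) == org}


# Constructed sample accounts: two strangers on a public provider,
# two real colleagues, and one gmail user.
SAMPLE_USERS = [
    "aigerim@yandex.kz",
    "bekzat@yandex.kz",
    "alice@example-corp.com",
    "bob@example-corp.com",
    "carol@gmail.com",
]


def leaked_by_naive_rule(users=SAMPLE_USERS) -> dict:
    """Map each public-provider user to the strangers the naive rule exposes to them."""
    return {
        u: directory_visible_to(u, users, naive_company)
        for u in users
        if email_domain(u) in PUBLIC_MAIL_DOMAINS and directory_visible_to(u, users, naive_company)
    }


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u, "naive:", sorted(directory_visible_to(u, SAMPLE_USERS, naive_company)),
              "verified:", sorted(directory_visible_to(u, SAMPLE_USERS, verified_company)))
```

Running the script shows that under the naive rule the two @yandex.kz strangers see each other’s addresses, whereas under the verified-domain rule they see nothing and only the two Example Corp colleagues are shown to each other. The design point is that a domain is evidence of organisation membership only once ownership of that domain has been established; an unverified or public domain should yield no group at all rather than a best guess.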

Throughout the lockdown period, many businesses – understandably unnerved by Zoom’s well-publicised security flaws – have shifted to other platforms, such as Microsoft Teams. Yet Teams isn’t perfect either. On 23 March 2020, the day the UK began its first COVID-19 lockdown, researchers at security firm CyberArk found a chink in the Teams armour that allowed cybercriminals to steal user data across entire companies through the backdoor of a humorous GIF.

Like many video and chat systems, Teams allows meeting participants to share cute, animated GIF images. This particular security flaw involved a compromised subdomain that hosted the malicious images; once such a GIF was shared in a meeting’s chat stream, a user only had to view it for hackers to gain access to data from their account. Microsoft moved quickly to patch the hole (and CyberArk says there is no evidence it was ever exploited by cybercriminals), but the point remains that the flaw existed in the first place.

Few, if any, users knew about it at the time – and even now, most of the security bugs related to video-conferencing software go under-reported or unnoticed. But as Lall warns, consumers and enterprises need to understand the risks related to remote working.

‘While the security community encourages developers to write software code with security in mind, software apps tend to struggle with bugs and vulnerabilities in their early days,’ he says. ‘Consumers should by all means download and enjoy the hottest new apps, but they should also take steps to protect themselves from any undiscovered issues that might threaten them. Until a patch is created, you should operate under the assumption that a hacker could compromise your video calls. Avoid using vulnerable apps until developers make a software security update available to help protect your calls from being infiltrated.’ (In October, Zoom started requiring users to be no more than nine months behind in their software updates. If you’re using an older version of the app, you can’t join any meetings.)

Zoom, Webex, Google Meet and Microsoft Teams are, by now, by no means new to the millions of people who’ve been working or studying remotely since March 2020. But the security concerns related to those video-conferencing platforms are not going away, and should not be ignored.

Just ask Roy Finkenbine. A history professor at the University of Detroit Mercy in the US, Finkenbine wrote about the dangers of Zoom-bombing after a Black History Month event that he hosted in February 2021 was attacked by racist hackers. ‘About 40 minutes into my presentation, 12 new participants abruptly joined the Zoom session,’ he says. ‘Within seconds, the N-word appeared superimposed in red over one of my PowerPoint slides. When the session host removed the racist language, a pornographic video emerged. After those disturbing images were eliminated, the 12 perpetrators hijacked the chat function to serially post racist and anti-Semitic remarks, each of which popped up momentarily on the computer screen. We were forced to abbreviate the event rather than further compromise and offend our other participants.’

In November, Finkenbine hosted a follow-up event focusing on ‘racist Zoom-bombing’. That event, too, was disrupted by a Zoom-bomber.

By Mark van Dijk
Images: Gallo/Getty Images