Zoom Bombing Prevention

What is Zoombombing?

A new form of trolling in which a participant uses Zoom’s screensharing feature to interrupt and disrupt meetings and classes. 

Interested in training? The Chapman Teaching Remotely team is offering "Zoom Bombing Prevention" classes (Mon., Wed., Fri.). For more information about training, please visit the Training Schedule on the Course Continuity Plan for teaching remotely.

Students, staff, and faculty who are impacted by protected class (like race, sex, gender, religion, or national origin) misconduct during Zoom or other videoconferencing sessions should be referred to dos@chapman.edu (students) or joycechen@chapman.edu (staff and faculty) for supportive resources and reporting options.

Tips for preventing Zoombombing

Below are some simple tips and tricks for preventing unauthorized users from accessing Zoom meetings.



Avoid Using Your Personal Meeting ID In Meeting Links

When you schedule a meeting, a Meeting ID link is generated. If you are going to share your Meeting ID link (especially on social media), we strongly recommend using the default “Generate Automatically” option, which creates a random link to your meeting. If you switch to the “Personal Meeting ID” option, anyone seeing that link can take note of it and use it to pop in and out of your meetings at any time in the future.

Lock the Meeting

When you lock a Zoom Meeting that’s already started, no new participants can join, even if they have the meeting ID and password (if you have required one).

  1. In the meeting, click Participants at the bottom of your Zoom window.
  2. Click the "More" drop-down menu on the bottom-right side of the Participants window.
  3. In the pop-up, click Lock Meeting.

 

For more information about host meeting controls, see Host and Co-Host Controls in a Meeting (VIDEO).

Restrict Screen Sharing

  1. Log into the Zoom web portal with your Chapman Username and password
  2. Select Settings at left
  3. Click Meeting > In Meeting (Basic)
  4. Scroll down to Screen Sharing
  5. Under "Who can share?", select Host only.

 

During a call

  1. At the bottom of the meeting window, click the arrow next to Share Screen
  2. In the popup menu, select One participant can share at a time.

Don't Click Untrusted Links in the Chat Window

Just as with any email, avoid clicking links in the chat window unless you know explicitly what they are and who is providing them. Malicious links could lead to your device or account being compromised and personal information stolen.

Enable the Waiting Room Feature

Just like it sounds, the Waiting Room is a virtual staging area that stops your guests from joining until you’re ready for them. 

Meeting hosts can customize Waiting Room settings for additional control, and you can even personalize the message people see when they hit the Waiting Room so they know they’re in the right spot. This message is really a great spot to post any rules/guidelines for your event, like who it’s intended for. 

Controlling and Disabling in-Meeting Chat and File Transfer

Zoom's in-meeting chat lets everyone message the whole group, and participants can also message each other privately. Restricting participants' ability to chat with one another while your event is going on cuts back on distractions and prevents anyone from receiving unwanted messages during the meeting.

 

See Controlling and Disabling in-Meeting Chat

Zoom Security

The following are a series of questions that we have received and responded to on the topic of device security where the Zoom application is used.


Does Zoom allow my password to be stolen?

This concern primarily stems from news coverage of how the in-meeting chat could be used to obtain the hash of a user's credentials from a Windows computer.

Update: On April 2, 2020, Zoom updated their client software to address this issue. Users must have the latest version to receive this fix. The original information has been kept below.

First, the credential hash is not the username and password of a user in plain text. Instead, it is an encrypted form of that information. Second, while there are techniques to reverse the encryption of such hashes, password complexity and length mitigate this by increasing the amount of time required.

There are techniques where a stolen hash could be used as-is against other systems to gain access. This is commonly called Pass-the-Hash. Attacks of this nature tend to be very targeted and are not often a concern for our users.

Zoom has not yet released a public statement, but they have responded to news agencies and acknowledged that they are working to address this issue.

We have two key recommendations to mitigate the risk of this attack method:

  1. Use a pass phrase instead of a password.
    1. This increases the length and overall technical complexity of a password while still being easy to remember for the user.
  2. Do not click on links in the Zoom meeting chat that look suspicious.
    1. This method requires a link that starts with two backslashes.
    2. Example: \\attack.website.com\file.jpg (notice the missing http: or https:)
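The second recommendation above is easy to apply by eye in a small meeting but hard to keep up in a busy chat. The following is an added example, not code from this page or from Zoom: a small Python scanner that runs over a saved chat transcript and flags messages containing UNC-style links (two leading backslashes and no http: or https: scheme), reporting which host the link would direct a Windows client to. The transcript, the sender names, and every hostname other than the page's own example are constructed for the demonstration.

```python
import re

# Added example (not from the Chapman page or Zoom): flag chat messages that
# carry UNC-style links of the shape described above ("\\host\share\file"),
# which a Windows client may try to open as a network path rather than a web URL.

# A UNC link: two backslashes, a hostname or IP, a backslash, then a path with
# no whitespace. The regex is a heuristic; it does not try to parse every
# possible Windows path form.
UNC_LINK_RE = re.compile(r"\\\\[A-Za-z0-9][A-Za-z0-9.\-]*\\[^\s]+")

# A conventional web link with an explicit scheme, for contrast.
WEB_LINK_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)


def find_unc_links(text):
    """Return every UNC-style link in a chat message, in order of appearance."""
    return UNC_LINK_RE.findall(text)


def find_web_links(text):
    """Return every http(s) link in a chat message."""
    return WEB_LINK_RE.findall(text)


def unc_host(link):
    """Extract the host portion of a UNC link: '\\\\host\\share\\x' -> 'host'."""
    return link[2:].split("\\", 1)[0]


def flag_messages(chat_lines):
    """Scan (sender, message) pairs and return one finding per UNC link.

    Each finding records the sender, the link as written, and the host the
    link would cause a client to contact, so a moderator can act on it.
    """
    findings = []
    for sender, message in chat_lines:
        for link in find_unc_links(message):
            findings.append({"sender": sender, "link": link, "host": unc_host(link)})
    return findings


# Constructed sample transcript. The first UNC link is the page's own example;
# "10.0.0.5" and "example.edu" are placeholders invented for this demo.
SAMPLE_CHAT = [
    ("Instructor", "Today's slides: https://example.edu/slides.pdf"),
    ("Guest7", r"cool pic \\attack.website.com\file.jpg check it out"),
    ("Student2", "is the quiz on friday?"),
    ("Guest7", r"also \\10.0.0.5\share\notes.docx"),
]


if __name__ == "__main__":
    for finding in flag_messages(SAMPLE_CHAT):
        print(f"{finding['sender']}: UNC link to host {finding['host']} -> {finding['link']}")
```

Hosts that belong to the University's own file servers could be allowlisted in `flag_messages`; everything else is worth a second look before anyone clicks it. The scanner only recognises link shape, so it complements, rather than replaces, the client update described in the note above.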

Does Zoom allow someone to use my webcam without my knowledge?

This concern primarily stems from news coverage of how a macOS computer with Zoom installed could have its camera and microphone enabled without the user's knowledge.

The security researcher who identified this vulnerability notes that it requires the device to already be compromised in some fashion. The attacker must either have physical access to the macOS computer or have remote access through some other means.

Zoom has not yet released a public statement.

We recommend users ensure their devices are physically safe and not compromised with malicious software to mitigate this attack method.

Zoom Data Privacy

The following are a series of questions that we have received and responded to on the topic of data privacy when the Zoom application is used.


Does Zoom share my personal data with Facebook?

This concern primarily stems from news coverage of a since-removed feature.

Prior to a change on March 27, personal data about a device was being shared with Facebook. Zoom was using a common software development kit (SDK) from Facebook to enable login functionality using a Facebook account. That Facebook SDK included default data collection.

As a direct result of the public concern, Zoom investigated the situation and recognized the issue. They opted to re-engineer their application to no longer use the Facebook SDK. They still allow Facebook accounts to be used, but device data is no longer shared, and no data is shared if Facebook login is not used.

Zoom released a public statement on their blog. 

See: Zoom's Use of Facebook's SDK in iOS Client

Are Zoom sessions encrypted?

This concern primarily stems from news coverage of how Zoom describes their security for meetings and webinars.

Update: On April 3, 2020, a research group at the University of Toronto identified a vulnerability in Zoom's approach to encryption. The original information has been kept below, and a new FAQ item has been added.

In their documentation, as well as in their applications, Zoom refers to "end-to-end encryption" (also known as "E2E encryption"). As with many aspects of technology, commonly understood terms or phrases can also have highly specific technical requirements to be valid. Many felt that Zoom's description was disingenuous when comparing the technical specification of E2E encryption with the approach Zoom takes. Zoom does use encryption in many ways, and some of those do in fact achieve end-to-end (Zoom app to Zoom app) encryption.

Zoom released a public statement on their blog about this. 

See: The Facts Around Zoom and Encryption for Meeting/Webinars

Does Zoom sell/share data from meetings?

This concern primarily stems from news coverage of the privacy policy Zoom had published on their website.

In general, users should always be aware of the privacy policies for services they access. However, University members should also be aware that when we license a service such as Zoom, we enter into a contractual agreement that provides additional protections to data and privacy beyond those public policies. While Zoom already does not sell or share data from meetings, they also cannot use other data that we have provided them.

"We are in the process of writing a few awareness articles on our data security practices and procedures. These will include details about the steps we take to analyze and assess third-parties when they will receive University data." (Zoom's Privacy Policy)

Zoom released a public statement on their blog about this. 

See: Zoom's Privacy Policy

Is Zoom safe for confidential meetings?

This concern primarily stems from an assessment conducted by The Citizen Lab, a research entity at the University of Toronto.

Update: On April 3, 2020, Zoom released a statement responding to these findings. They indicated that there is now geo-fencing to prevent communication with Chinese servers. They also state that they are working with experts to implement best practices for their approach to encryption. A copy of the statement has been added below.

The research conducted by members of The Citizen Lab examined the encryption technology that the Zoom service uses. In their findings, the researchers identified a method by which they could possibly compromise the encryption that secures the audio and video of Zoom meetings. They also shared that the encryption keys Zoom creates for each session can come from servers located in China.

The technical steps to compromise Zoom's encryption require a specific skill set and access to a network where a meeting session is occurring.

At this time, the University continues to recommend Zoom as an acceptable tool to deliver University instruction. The University is continuing to monitor this issue, will closely follow Zoom’s response, and provide updates as information becomes available.

Out of an abundance of caution, the Information Security Office has issued specific recommendations regarding use of Zoom to specific University departments/units to protect communications that may be at risk due to this vulnerability. If you have questions please contact the Information Security Office for additional information.

Citizen Lab: Moving Fast & Roll Your Own Crypto

Zoom: Response to Research From University of Toronto's Citizen Lab