Frequently Asked Questions About Security and Privacy When Using Zoom@Mines

With social distancing and work-from-home shifts that have occurred recently, there’s been shifts in technology platforms to accommodate these new setups. Almost overnight, millions of people have started using video chatting and collaboration tools, with more sensitive conversations now happening on these platforms. This has made companies of these tools (like Zoom) targets for hackers.

There has been a great deal of attention in the media this week focusing on security and privacy issues involving the Zoom virtual meeting platform. The Office of Information Security (OIS) and the Office of Compliance, Policy, and Risk Management actively review our vendors and stay updated on their security and privacy practices. At this time Mines believes that, when used properly, Zoom is a safe and secure platform and remains the best choice for online learning.

In response to specific questions raised by the media, Zoom has updated its default security settings (4/5/2020) and updated its Privacy Policy (3/29/2020). For details on Zoom’s response to all the recent attention, see https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/.

We have developed the following FAQs to provide additional resources for Zoom security and privacy.

What is ZoomBombing, and are we at risk?

ZoomBombing is a term that has come to describe the practice of uninvited individuals joining a video session and then disrupting the session. The disruptions have ranged from annoying to hurtful and threatening. This is not unique to Zoom, as any video sharing service is vulnerable to this form of harassment. It is also reasonably simple to prevent through proper session management. ITS has adjusted the default settings for Mines Zoom meetings to help, and you can learn more about what you can do on our website:


What is ZoomSquatting, and what can we do about it?

ZoomSquatting is a variation of traditional phishing campaigns, and it can represent a serious threat. Criminals are sending emails that look similar to legitimate Zoom meeting requests, but are using links subtly altered (for example zo0m.com or zoom.csm.com). Individuals who click on these links are either tricked into submitting their password or they are placed in a meeting with the scammer who then tries to get credit card or other personal information. Continuing to critically look at emails, report unusual activity, and not click links in emails will help Mines fight against phishing attacks.

To protect yourself you should:

  • As an instructor: only post your Zoom meeting invitation to your Canvas course. Make sure your students know this is the only place for trusted Zoom links.
  • Anyone: only start meetings from inside the Zoom application; never click on a link in any email (Zoom or otherwise). You can always join a Zoom meeting by entering the Meeting ID in the Join dialog box.
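The lookalike addresses above (zo0m.com, zoom.csm.com) fail a simple check: does the link's host actually sit under the domain Zoom uses for meeting links? The following is an added example, not part of the Mines FAQ or any Zoom code, showing how an email gateway or a cautious user could apply that check. It assumes that zoom.us is the domain legitimate meeting links use (an institution's own vanity subdomain would fall under it) and that an invitation should always use https; the sample links are constructed, not real invitations.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Assumption: meeting links legitimately point at zoom.us or a subdomain of it.
TRUSTED_ZOOM_DOMAINS: Tuple[str, ...] = ("zoom.us",)

# Constructed sample links illustrating the lookalike patterns in the FAQ.
SAMPLE_LINKS = (
    "https://zoom.us/j/1234567890",                      # genuine
    "https://example.zoom.us/j/1234567890?pwd=abc",      # vanity subdomain (hypothetical name)
    "https://zo0m.com/j/1234567890",                     # digit zero for letter o
    "https://zoom.csm.com/j/1234567890",                 # 'zoom' as a subdomain of another domain
    "https://zoom.us.attacker.example/j/1234567890",     # trusted name as a prefix, not a suffix
    "https://zoom.us@attacker.example/j/1234567890",     # trusted name hidden in the userinfo part
    "http://zoom.us/j/1234567890",                       # right host, but not https
)


def link_host(url: str) -> Optional[str]:
    """Return the lowercase host of an https URL, or None if it is not one."""
    try:
        parsed = urlparse(url.strip())
    except ValueError:
        return None
    if parsed.scheme != "https":
        return None
    # .hostname drops any user:password@ prefix and the port, so the
    # 'https://zoom.us@attacker.example/' trick resolves to attacker.example.
    host = parsed.hostname
    if not host:
        return None
    host = host.lower().rstrip(".")
    # Reject hosts with non-ASCII characters: homoglyph names (e.g. Cyrillic
    # letters that render like Latin ones) are a common lookalike technique.
    if not host.isascii():
        return None
    return host


def is_trusted_zoom_link(url: str, trusted: Tuple[str, ...] = TRUSTED_ZOOM_DOMAINS) -> bool:
    """True only if the host equals a trusted domain or is a subdomain of one."""
    host = link_host(url)
    if host is None:
        return False
    # Suffix match must include the leading dot, otherwise 'notzoom.us' would pass.
    return any(host == domain or host.endswith("." + domain) for domain in trusted)


def classify_links(urls=SAMPLE_LINKS) -> Dict[str, str]:
    """Label each link 'trusted' or 'do not click' for a report or gateway log."""
    return {url: ("trusted" if is_trusted_zoom_link(url) else "do not click") for url in urls}


if __name__ == "__main__":
    for url, verdict in classify_links().items():
        print(f"{verdict:13s} {url}")
```

Only the first two sample links come back as trusted; every other one is rejected, including the link that has the right host but uses plain http. Even a link that passes this check is still best handled as the FAQ recommends: open the Zoom application and enter the Meeting ID rather than clicking.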


Is Zoom's encryption broken?

There has been some concern voiced about Zoom’s encryption policy and their documentation that states they provide end-to-end encryption. Some in the information security community believe that the term end-to-end encryption should only be used to describe the situation where the communication is encrypted all the way from one participant to another. When this form of encryption is used the vendor has no ability to decrypt the traffic and the user’s privacy is protected from accidental exposure by the company. Zoom does not provide this type of encryption. Rather, when Zoom says end-to-end encryption, they mean the signal is encrypted between the user’s computer and Zoom’s datacenter. This style of encryption prevents others from eavesdropping on the conversation, but it does allow Zoom to access the video. Zoom asserts they have strong privacy practices in place to protect our information, and that they need access to the video stream to provide some features (i.e., they need to know who is talking when, who has joined or is leaving the video etc.).

Those who are concerned about Zoom’s use of the term end-to-end encryption do not believe that Zoom’s encryption is broken, rather they feel that their use of the marketing term end-to-end is misleading and would like Zoom to be more explicit about their architecture. In response OIS/Office of Compliance, Policy, and Risk Management would remind everyone that there is always the possibility that what we share on-line could be leaked to the public and to exercise appropriate caution, but we do not believe that Zoom represents any unique risk.

Is Zoom leaking usernames, email addresses, or other information publicly?

Recently individual (rather than corporate) users reported that their contact list within the Zoom app contained names and email addresses of users they did not know, something that was a significant violation of the privacy of those users. Research revealed that Zoom places users into “companies” based on their email address. For example, everyone who subscribed to Zoom with an account from JoesISP.NET was grouped into a logical group and their address book was populated with everyone else in that group. This only happened to users with domain names that Zoom did not recognize as service providers (i.e., it did not happen if the email address was something like gmail, yahoo, comcast etc.).

Zoom’s CEO has acknowledged that this represented a significant privacy issue for individual users, and Zoom is working to address these issues, including mechanisms designed to improve the distinction between corporate domains and service providers.

Everyone using their Mines account to access Zoom is placed into the Mines company directory. While no one outside the Mines community can see this directory the OIS and Compliance would remind everyone that the directory exists. Members of the community who have elected to keep their directory information private should change their profile to display the name “Anonymous”.


Does Zoom share our information with Facebook?

Zoom includes a feature that allows commercial users to use their Facebook account to log into the Zoom service. Security researchers recently discovered that the iOS version of their App was sharing more information with Facebook than what was necessary for this feature to work. Zoom has acknowledged the error and published an update to the iOS App that addressed the issue. Details of the issue can be found here: https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebook-sdk-in-ios-client/


Does Zoom allow people to steal my Windows password?

Security researchers recently identified a mechanism through which a malicious participant in a chat session could post a link that, if clicked on, could give the malicious user access to a user’s resources, most notably their files. The link would not allow someone to see or steal a password. Rather than allowing someone to see your password, it would display a token (i.e., a seemingly random string of characters) that could be used to access resources shared from the Windows servers. In order to use this token, the malicious user would have to have access to the Windows system. At Mines this means the user would need to be (1) allowed into the meeting or chat and (2) physically on campus or have access through a VPN.

Zoom removed the ability to post these types of links in version 4.6.9 (released Thursday April 2nd). However, this should act as a reminder to everyone that you should never click on any link unless you are absolutely certain that it comes from a trusted source.
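The links at issue were Windows network share paths (the \\server\share form), which a chat client had been turning into clickable links. The fix Zoom shipped is, in effect, to stop treating such paths as links, and the same idea applies to any chat, ticketing or forum system an organization runs. The following is an added illustration, not Zoom's code or anything from the Mines FAQ: a small filter that only linkifies http(s) URLs, leaves share paths as inert text, and flags messages that contain them so a moderator can review them. The chat lines are constructed samples; fileserver.example is a placeholder host.

```python
import re
from typing import List, Tuple

# Constructed sample chat messages (fileserver.example is a placeholder host).
SAMPLE_CHAT = [
    "Slides are at https://example.zoom.us/rec/share/abc123",
    r"Open \\fileserver.example\share\notes.docx for the handout",
    "Local copy: file:///C:/Users/me/notes.docx",
    "Mirror: file://fileserver.example/share/notes.docx",
]

# A UNC path: two backslashes, a host, a backslash, then the share/path.
UNC_RE = re.compile(r"\\\\[^\\\s/]+\\[^\s]*")
# A file:// URL with a non-empty host; file:///... (three slashes) is a local
# path and is left alone.
REMOTE_FILE_URL_RE = re.compile(r"file://(?!/)[^\s/]+/[^\s]*", re.IGNORECASE)
# The only things the renderer will turn into clickable links.
HTTP_URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)


def find_remote_share_refs(message: str) -> List[str]:
    """Return every network-share reference (UNC path or remote file:// URL) in a message."""
    return UNC_RE.findall(message) + REMOTE_FILE_URL_RE.findall(message)


def render_chat(message: str) -> List[Tuple[str, str]]:
    """Split a message into ('link', url) and ('text', ...) tokens.

    Only http(s) URLs become links; anything else, including \\host\share
    paths and file:// URLs, stays plain text that the client will not open.
    """
    tokens: List[Tuple[str, str]] = []
    pos = 0
    for match in HTTP_URL_RE.finditer(message):
        if match.start() > pos:
            tokens.append(("text", message[pos:match.start()]))
        tokens.append(("link", match.group(0)))
        pos = match.end()
    if pos < len(message):
        tokens.append(("text", message[pos:]))
    return tokens


def flag_messages(messages: List[str]) -> List[int]:
    """Indexes of messages a moderator should look at because they reference a network share."""
    return [i for i, msg in enumerate(messages) if find_remote_share_refs(msg)]


if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_CHAT):
        refs = find_remote_share_refs(msg)
        print(f"[{i}] {'FLAG' if refs else 'ok  '} {render_chat(msg)}")
```

Of the four sample lines, only the first produces a link token; the UNC path and the remote file:// URL are rendered as plain text and reported by flag_messages, while the local file:///C:/... path is neither linked nor flagged.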