Zoom has improved cyber-security with 3 fresh disruption controls.
Zoom has once again upped its security controls to prevent “Zoom-bombing” & other cyber-attacks on meetings. This is under a week after Zoom settled with the US Federal Trade Commission (FTC) over false encryption claims.
2 of the new features let moderators act as “club bouncers,” giving them the ability to remove & report disruptive meeting participants.
The “Suspend Participant Activities” feature is enabled by default for all free & paid Zoom users, & meeting participants can also report a disruptive user directly from the Zoom client by clicking the top-left “Security” badge.
Separately, the video-conferencing giant also rolled out an internal tool that acts as a filter, preventing meeting disruptions (like Zoom-bombing) before they happen.
Removing Disruptive Participants
Under the Security icon, hosts & co-hosts now have the option to temporarily pause their meeting & remove a disruptive participant or Zoom-bomber, according to a Monday Zoom blog posting.
“By clicking ‘Suspend Participant Activities,’ all video, audio, in-meeting chat, annotation, screen-sharing & recording during that time will stop, & Breakout Rooms will end,” the company explained.
“The hosts or co-host will be asked if they would like to report a user from their meeting, share any details & optionally include a screenshot.”
When the reporter clicks “Submit,” the offending user will be removed from the meeting, & hosts can resume the meeting by individually re-enabling the features they’d like to use.
Trust & Safety
“Zoom’s Trust & Safety team will be notified,” according to the host. “Zoom will also send them an email after the meeting to gather more information.”
As for the 2nd enhancement, account owners & admins can enable reporting capabilities for non-host participants, so that they can report disruptive users from the Security icon (hosts & co-hosts already have this capability).
Both of the new controls are available on the mobile app, & for Zoom desktop clients for Mac, PC & Linux.
Support for the web client & virtual desktop infrastructure (VDI) will be rolling out later this year, the company outlined. VDI is a server-based computing model used by applications like Citrix or VMware; Zoom’s app for this allows meetings to be delivered to a thin client.
At-Risk Meeting Notifier
The internal tool, dubbed the “At-Risk Meeting Notifier,” scans public social-media posts & other websites for publicly shared Zoom meeting links – an exposure that can lead to Zoom-bombing.
Zoom-bombing is a trend that began earlier in 2020 as coronavirus lockdowns led to massive spikes in the video-conferencing service’s usage. Zoom saw its user base rocket from 10m in Dec. 2019 to 300m in April during the ramp-up of the COVID-19 pandemic & a shift to remote work.
These attacks occur when a bad player gains access to the dial-in information & “crashes” a Zoom session – often sharing adult or otherwise disturbing content.
To prevent these sorts of attacks, the new tool can detect meetings that appear to have a high risk of being disrupted, Zoom explained, & it automatically alerts account owners by email of the situation, providing advice on what to do.
That advice includes deleting the vulnerable meeting & creating a new one with a new meeting ID, enabling security settings, or using another Zoom solution, like Zoom Video Webinars or On Zoom.
“As a reminder – one of the best ways to keep your Zoom meeting secure is to never share your meeting ID or passcode on any public forum, including social media,” according to the company’s post.
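The same idea applied before publishing: an added example, not Zoom's tool or code from its post, that checks outgoing text for Zoom join links and replaces them. The join-link shape, the risk labels and the sample posts are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed join-link shape: https://[subdomain.]zoom.us/j/<9-11 digit ID>[?pwd=<token>]
ZOOM_LINK = re.compile(
    r"https?://(?:[\w-]+\.)*zoom\.us/j/(\d{9,11})(?!\d)(\?[^\s\"'<>)]*)?"
)

def find_exposed_meetings(text):
    """Return one finding per distinct meeting ID linked in `text`."""
    findings = {}
    for match in ZOOM_LINK.finditer(text):
        meeting_id, query = match.group(1), match.group(2) or ""
        has_passcode = "pwd" in parse_qs(query.lstrip("?"))
        entry = findings.setdefault(
            meeting_id, {"meeting_id": meeting_id, "passcode_in_link": False}
        )
        # A link that embeds the passcode lets anyone who sees the post join.
        entry["passcode_in_link"] = entry["passcode_in_link"] or has_passcode
    for entry in findings.values():
        # Risk labels are this example's own convention, not Zoom's scoring.
        entry["risk"] = "high" if entry["passcode_in_link"] else "medium"
    return list(findings.values())

def redact_links(text):
    """Replace each join link so the published text no longer exposes it."""
    return ZOOM_LINK.sub(
        lambda m: f"[Zoom link removed, meeting ID ending {m.group(1)[-4:]}]", text
    )

# Constructed sample posts (meeting IDs and passcode token are made up).
SAMPLE_POSTS = [
    "All-hands: https://us02web.zoom.us/j/81234567890?pwd=Q29uc3RydWN0ZWQ at 10am",
    "Class link https://zoom.us/j/9876543210.",
    "Notes from last week's meeting are on the wiki.",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        for finding in find_exposed_meetings(post):
            print(finding["risk"], finding["meeting_id"], "->", redact_links(post))
```

A meeting flagged here is one to replace with a new meeting ID before the post goes out, in line with the advice above.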
FTC Encryption Settlement
Last week, the Federal Trade Commission (FTC) announced a settlement with Zoom, requiring the company “to implement a robust information security program to settle allegations that the video conferencing provider engaged in a series of deceptive & unfair practices that undermined the security of its users.”
The FTC alleged that since at least 2016, Zoom falsely claimed that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, & secured its Zoom Meetings, in part, with a lower level of encryption than promised.
While “encryption” means that in-transit messages are encrypted, true end-to-end encryption (E2EE) occurs when the message is encrypted at the source user’s device, stays encrypted while it’s routed through servers, & then is decrypted only at the destination user’s device.
No other person – not even the platform provider – can read the content.
Zoom has now agreed to an FTC requirement to establish & implement a comprehensive security program, a prohibition on privacy & security misrepresentations, & “other detailed & specific relief.”
“The fines imposed by the FTC are a prime example of the type of actions companies are going to face when they do not take security in their products seriously,” Tom DeSot, Executive VP & CIO of Digital Defence, observed. “Zoom unfortunately ended up being the poster child for how not to handle things when vulnerabilities are found in commercial products.”
Zoom has faced various controversies around its encryption policies over the past year, including several lawsuits alleging that the company falsely told users that it offers full encryption. Then, the platform came under fire in May when it announced that it would indeed offer E2EE — but to paid users only.
The company later backtracked after criticism from privacy advocates, who argued that security measures should be available to all. Zoom will now offer the feature to free/“Basic” users.
The 1st phase of its E2EE rollout began in mid-Oct., which aims to provide initial access to the feature with the hopes of gaining feedback when it comes to its policies. Users will need to turn on the feature manually.
“We’re pleased to roll out Phase 1 of 4 of our E2EE offering, which provides robust protections to help prevent the interception of decryption keys that could be used to monitor meeting content,” commented Max Krohn, Head of Security Engineering with Zoom, in a post then.