Zoom-bombing and the Park Bench

Zoom is the new darling of the Internet, and with good reason.  It allows really simple video conferencing, in a much simpler way than its competitors seem to have managed.  But what is this Zoom-bombing which has been circulating the tech press recently?  And what has a park bench got to do with anything?

The Rise of Zoom

Zoom quickly became the go-to video conferencing tool for co-workers, families, and pub quizzes in March 2020 following the almost global Coronavirus lockdown.  Its clean and easy-to-use interface, quick and simple installation, and excellent call quality left nothing to be desired.  People could join a conference by doing nothing more than clicking a link they had been emailed.  But just like we talked about only a few weeks ago in our post This Is Why We Can’t Have Nice Things, if something can be exploited, it will be.

That link you click in the email invitation to the Zoom call you’re about to join works by passing the Zoom system a meeting code at the end of the web link.  The meeting code follows a certain pattern, which isn’t difficult to work out, even for the most casual of users.  So if you were to change the 2 for a 3 in your meeting invitation, you might connect to someone else’s meeting.  Now imagine automating this and having the computer guess Zoom meeting codes until it finds one to join.  Well, it turns out that’s easy.

Pick your battles

But we’re not here to talk about guessing Zoom conference codes.  As a security nutter, I’m not even concerned that Zoom conference codes work like that.  It seems like a sensible trade-off between security and ease of use.  Especially when the meeting organiser must admit each new attendee to the meeting.

I’m not even that concerned about the great number of security vulnerabilities uncovered in recent weeks.  If you’re interested, CNet has a brilliant rundown of them.  I mean, when something gets as popular as Zoom has in as short a space of time as has happened, it’s going to garner lots of attention from bad actors.  Hackers are super clever folks in the main, and will find a way in.  And that’s a good thing!  It’s not like these security bugs are new – it’s that they have just been discovered.  Now they have been discovered, they can be fixed.

And in fact, Zoom have reached out to a well-renowned security expert, the ex-Chief Security Officer of Facebook, Alex Stamos, to help.  Last week Alex wrote a post on medium.com describing how he will be helping to address some of the security concerns at Zoom.  I certainly feel safer in the knowledge that Alex has a view of Zoom’s security in future.

The bit I want to talk about today concerns you, not the software you use.  What you choose to do with your data has a direct impact on how secure you are online.

The Park Bench

A good friend of mine once described cloud storage as a park bench.  Admittedly this was a few years ago, and this same friend does use lots of cloud services now, but his cynicism has stuck with me.  I think it’s useful and helpful to carry a degree of this questioning nature.

He said that he would only use cloud storage if he could encrypt everything himself.  That way, if someone were to get hold of his encrypted data, they wouldn’t be able to do anything with it.  The only things he would entrust to the cloud would be stuff he would happily leave on a park bench.

Park benches are public, and we all understand that.  You wouldn’t conduct a high-stakes business meeting there.  But cloud software like Zoom and others doesn’t feel like a public space.  We’re at our kitchen tables with the kids’ latest masterpiece just in the frame of our webcam, as it hangs from the Corfu fridge magnet behind us.  We’re inviting people into a little part of our home.

So if you post the Zoom meeting link in a public Facebook group, all of a sudden, you may as well be conducting the whole meeting from the park bench.  You have chosen to make that information public.  What any member of the public does with that information is now out of your hands.

Things I Would Tell My Nan

Another great mental tool I use is to imagine telling my Nan the thing I’m about to post publicly on the Internet.  If her ginger snap would melt off into the bottom of her brew as she tries to hide her shock at what you’ve just told her, you probably shouldn’t post it online.

The Nan test is great for personal stuff, and social media in particular, but can be adapted for business.  If you would be happy to say something in the coffee shop next to the office, chances are you don’t need to be too concerned how you handle that information online.  But what if you would only say it to someone in the board room with the door closed?

The Right Tool For The Job

I’m not saying I never send personal data or messages over the Internet, and I’m not saying you shouldn’t.  What is important, though, is that you understand the audience your information has when you post it online.

If you’re sending sensitive business information to a colleague, there’s a really good reason that IT folks get upset if you don’t use the company solutions.  An IT department has control over those solutions, and they can limit the “blast-radius” of a potential data breach in a way that just isn’t possible if you conduct business on the cloud equivalent of a park bench.

So next time you’re about to post or send some information online that you might not want certain groups of people to know about, take a second to think about the medium you’re using and who could access it.
