Is Your Live Video At Risk of Being Hacked?
You are 40 minutes into a teletherapy call with one of your clients. Just as you start to make some emotional headway, you notice something strange. On the video screen someone is drawing obscenities and scribbling. You can't figure out how or what is going on and are forced to end the session abruptly.
How does that make you feel as the professional?
How does your patient feel after a session like that?
Just last week in a video meeting dedicated to cyberattacks, that same nightmare happened.
When the presenter started covering COVID-19, a Zoom Bomber scribbled all over the screen, forcing the meeting to end early.
With so many people now at home using video conferencing to communicate, businesses and students alike are becoming victims of what is known as Zoom Bombing.
What is Zoom bombing?
Many Zoom bombing incidents have amounted to a form of trolling. Hackers gain access to a Zoom meeting and attempt to disrupt the video chat and upset participants by shouting profanity or racial slurs, or putting disturbing or offensive images in their video feed. Laguna Beach officials are investigating how a person accessing a Zoom video-conference City Council meeting was able to hack a live sex act into the meeting.
Now imagine that happening in a one-on-one therapy session.
Makes your stomach sink a little, right?
How is this happening?
The majority of Zoom Bombing attacks appear not to be the product of flaws in Zoom’s code, but rather of users’ overall cybersecurity hygiene and their imperfect command of Zoom’s privacy settings.
If a Zoom meeting is set to public, it can be accessed by anyone with the correct link. According to Roy Zur, cofounder and CEO of cybersecurity firm Cybint, bad actors can find these addresses simply by searching for “zoom.us” on social media sites like Facebook, where public meeting links are often posted.
Dedicated forums have also cropped up on sites like Reddit, where r/Zoombombing was described as “dedicated to the posting of Zoom Classroom Meeting IDs.”
It looks to be almost all coming from a vulnerability linked to Windows PC users rather than Mac users. We are looking into confirmation and whether this is being seen outside of PC users at this time.
A quick break from your regularly scheduled blog for some tech talk and jargon:
BRING IN THE NERDS:
It's not just screens. We are also seeing passwords being taken and other malicious behavior.
Hacking Zoom to Steal Windows Passwords Remotely
Confirmed by researcher Matthew Hickey and demonstrated by Mohamed Baset, the first attack scenario involves the SMBRelay technique, which exploits the fact that Windows automatically sends a user's login username and NTLM password hash to a remote SMB server when it attempts to connect to that server and download a file hosted there.
To steal a targeted user's Windows login credentials, all an attacker needs to do is send a crafted URL (a UNC path such as \\x.x.x.x\abc_file) to the victim via the chat interface.
Once the link is clicked, the attacker-controlled SMB share automatically captures the authentication data that Windows sends, without the targeted user's knowledge.
As you can see from our friends Matt and Mohamed, this is not hard to do.
Besides stealing Windows credentials, the flaw can also be exploited to launch any program already present on a targeted computer or to execute arbitrary commands to compromise it remotely, as confirmed by Google security researcher Tavis Ormandy.
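As an added, defender-side illustration (not code from the post, from Zoom or from the researchers named above): a small Python filter that flags UNC-style paths in a meeting chat export and renders only http(s) URLs as clickable links, so a path like \\x.x.x.x\abc_file stays inert text. The chat export format, sender names and the 203.0.113.5 address are constructed for the example.

```python
import re

# UNC-style remote path: \\host\share, //host/share, or file://host/share.
# The host may be a name or an IPv4 literal, as in the \\x.x.x.x\abc_file example.
# The negative lookbehind keeps the "//" inside http(s):// URLs from matching.
UNC_RE = re.compile(
    r"(?:\\\\|(?<![:/])//|file://)"         # leading \\, //, or file://
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)"  # hostname or IPv4 literal
    r"[\\/](?P<share>\S+)"                  # share and anything after it
)
HTTP_RE = re.compile(r"https?://\S+")
# One line of a (constructed) chat export: "<time> From <sender> : <message>".
CHAT_LINE_RE = re.compile(r"^(?P<time>\S+) From (?P<sender>.+?) : (?P<msg>.*)$")


def find_unc_paths(text):
    """Return every UNC-style path that appears in a chat message."""
    return [m.group(0) for m in UNC_RE.finditer(text)]


def linkify(text):
    """Render only http(s) URLs as links; UNC paths stay inert text."""
    # Escape markup characters first so message text cannot inject HTML.
    safe = (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))
    return HTTP_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', safe)

def audit_chat(export):
    """Scan a chat export; return (sender, path) for every UNC path posted."""
    flagged = []
    for line in export.splitlines():
        m = CHAT_LINE_RE.match(line)
        if not m:
            continue
        for path in find_unc_paths(m.group("msg")):
            flagged.append((m.group("sender"), path))
    return flagged

# Constructed sample export (not real meeting data); 203.0.113.5 is a documentation address.
SAMPLE_CHAT = r"""
10:02:11 From Host : Slides are at https://example.org/slides
10:03:40 From Guest 7 : check this out \\203.0.113.5\abc_file
10:03:41 From Guest 7 : or //203.0.113.5/share/report.docx
10:04:02 From Alice : thanks, see you next week
""".strip()

if __name__ == "__main__":
    for sender, path in audit_chat(SAMPLE_CHAT):
        print(f"UNC path from {sender}: {path}")
```

Running the script on the sample export reports both paths posted by "Guest 7" and nothing for the https link.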
How can I prevent Zoom bombing of my meetings and video calls?
There are several important, mostly straightforward ways to protect your meetings. Based on information recently posted on Zoom's website, the company recommends that users read its detailed guide, which covers precautions for keeping their meetings safe.
Most importantly, Zoom users should not share meeting links publicly. This is perhaps the single most obvious precaution you can take. Rather than posting a meeting link to a Facebook group or in a promotional tweet, distribute information via a more private method, such as email.
Second, set your meetings to “private.” Zoom now sets all new meetings to “private” by default, requiring attendees to provide a password for access. Every registered Zoom user has a personal meeting ID, linked to what is essentially a permanent virtual meeting room. Because that ID doesn’t change, sharing it publicly increases the chance that future meetings using your personal ID might be Zoom bombed.
Last but not least, restrict video sharing. If the meeting host is the only person who needs to share video, such as in a seminar or presentation, the host should change Zoom’s screen-sharing setting to “Host only.” Zoom has already made this change by default for K-12 classes using the software.
What Should Zoom Users Do?
Zoom has already been notified of this bug and has released patches to fix the issues. Zoom apologized for falling short of privacy and security expectations and released an updated version of its software to patch the multiple security issues recently reported.
Besides using a strong password, Windows users can also change their security policy settings to restrict the operating system from automatically passing their NTLM credentials to a remote SMB server.
We Have Chosen a Different Path
No doubt, Zoom is an efficient online video meeting solution that's helping people stay socially connected during these unprecedented times, but we really care about client and patient privacy and security.
TherapyScout has implemented a HIPAA compliant solution for all client video calls on the Cisco Webex platform. For the past 15 years in corporate America, we used this enterprise tool to conduct business. They are a proven name that we trust and have already implemented across our platforms.
Some other great alternatives for video conferencing and video chat:
Cisco Webex: Cisco Webex is the leading enterprise solution for video conferencing, online meetings, screen sharing, webinars, web conferencing and cloud calling.
TheraPlatform: HIPAA Compliant Video Conferencing and Practice Management Software, supporting both teletherapy and office visits!
Doxy: By incorporating standard clinical workflows such as patient check-in and waiting room into the design of Doxy.me, healthcare providers and their patients experience a familiar and natural visit.
VSee: We’re people who believe in the power of telemedicine to save money, save lives, and improve healthcare. Our mission is to make telehealth an everyday experience, and we’re committed to helping our partners succeed at this.
What video platform are you using for your practice?
Does this Zoom security concern impact your business?
Please feel free to share your thoughts below!
Kolby & The TherapyScout Team