Three Quick and Easy Ways to Secure Zoom and Stop Zoom Bombing (Step by Step with 6 Bonus Tips)

April, 2020 | Technology

Andrew Hatfield

Andrew has over 23 years of experience in marketing, sales, and technology across small and large organisations as well as government. With a relentless focus on customer outcomes, Andrew always looks to solve real problems.

A human is by nature a social animal

“Man is by nature a social animal; an individual who is unsocial naturally and not accidentally is either beneath our notice or more than human. Society is something that precedes the individual. Anyone who either cannot lead the common life or is so self-sufficient as not to need to, and therefore does not partake of society, is either a beast or a god.”

Aristotle

We need connection, we don’t just thrive on it – we survive by it.

With so many of us in various forms of lockdown due to Coronavirus (or COVID-19 if you’re all technical and stuff), we are turning to communication apps to stay in contact and hold virtual meetings – both for business and pleasure.

The app that has proven most popular is almost certainly Zoom (Stock: ZM) as evidenced by their roaring stock!

Zoom (ZM) stock price since February 2020

What is Zoom

Zoom is a collaboration platform that provides individuals and enterprises a simple and easy way to connect via voice and video. You can dial in with your phone – both landline and cell / mobile – and treat it like a traditional voice bridge. You can also connect via video.

Additionally, your meetings can be recorded, and they include chat and screen sharing. All in all – a fabulous collaboration platform.

For companies, Zoom Rooms is just simply amazing.

In terms of how it works, it’s a cloud-based peer-to-peer architecture. This means that each participant connects directly to the others in your Zoom call – no sending traffic through central servers. On top of that, you get encryption.

What is the problem?

Zoom has had some recent security problems, partly due to its sudden explosion in growth – the proverbial startup hockey stick – and partly due to some product design decisions.

Zoom has both benefited from helping us connect in these times of disruption and been on the receiving end of negative press about security, some but not all of it well deserved.

They’ve taken the responsible step of hiring a high profile and well known security expert as an advisor. Alex Stamos has joined Zoom from Facebook to help them deal with the PR problems, and fix the actual issues.

Problem One – The Meeting URL

The first problem is that Zoom makes things dead easy for people to create, share, and join meetings. A Zoom meeting URL is typically in the form https://zoom.us/j/123456789, where 123456789 is unique to each meeting.

Now, this is great because it makes it super simple for humans to share, read, and understand the meeting URL.

The problem is that it makes it super simple for humans to share, read, and understand the meeting URL – and even simpler for a computer to generate and test these meeting IDs and try to join them without permission.

The IDs are incredibly simple to guess, which makes it easy to find a meeting that is in progress.

Problem Two – Correctly Configuring Security

The second problem is people not understanding what their options are with respect to privacy and security settings.

By default, most people are fairly trusting and we don’t expect people to be an ass – and definitely not deliberately. Sadly, many people are, whether for fun or for more malicious reasons.

Outcome – The Dreaded Zoom Bomb

What is a Zoom Bomb?

Zoombombing, Zoom-bombing or Zoom raiding is the unwanted intrusion into a video conference call by an individual, which causes disruption

Wikipedia

Basically, it’s unwanted people dropping in on your virtual meeting and doing something nefarious. The most common example is sharing unwanted explicit images and porn.

Sadly, people can be horrible. Which is sad, because people can also be amazing – just look at how we have come together in this time of need.

How To Secure Zoom and Stop The Dreaded Zoom Bombing

Step 1 – Don’t Use Personal URLs for Meetings

Zoom gives you some customisation for your meeting URL. You have two options, a “Personal Meeting ID” and a random URL for each meeting.

Navigate to your Profile Settings.

Here you can see your Personal Meeting ID.

Your Profile and Personal Meeting ID URL

Now hit the Edit link on the right of your screen and untick the “Use Personal Meeting ID for instant meetings”.

Edit your Instant Meeting settings

Next, go to Settings and ensure that “Use Personal Meeting ID (PMI) when scheduling a meeting” and “Use Personal Meeting ID (PMI) when starting an instant meeting” are both disabled.

You can see the settings below.

Ensure Personal Meeting IDs are not used for Instant or Scheduled Meetings.

When you do this, you will also be prompted to ensure you set a password on your Meeting.

Reminder to require a Meeting Password

Now, whenever you create an Instant Meeting, it will have a random URL, meaning each meeting gets a unique URL. While this is only a small increase in security, it does make it just that little bit harder for someone to target you specifically.

Step 2 – Use a Meeting Password

Still in Settings, scroll down until you see the Use Password settings.

Enforce Passwords

All meetings will now require a password to be shared with your attendees ahead of time.

Of course, take care when sharing passwords and where possible don’t send them over unencrypted email. If you can’t tell someone in person or physically give them the password – use a secure instant messaging platform or password sharing tool.

Also – don’t use easily guessable passwords – make it complex. The Random Password Generator is your friend.
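To put numbers on why the nine-digit meeting ID alone is weak protection and what a random password adds, here is an added Python example (not part of the original article). The passcode length of 10, the reduced alphabet and the figure of 100,000 concurrent meetings are assumptions made for illustration, not Zoom data.

```python
import math
import secrets
import string

ID_DIGITS = 9  # the https://zoom.us/j/123456789 form shown on this page
# Look-alike characters are dropped so a passcode read aloud is not mistyped.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in "0O1lI")


def generate_passcode(length=10):
    """Meeting passcode from the OS CSPRNG; length 10 is an assumption."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size, length):
    """Bits of uncertainty in a uniformly random string."""
    return length * math.log2(alphabet_size)


def id_hit_probability(live_meetings):
    """Chance that one random 9-digit ID belongs to a meeting in progress."""
    return live_meetings / 10 ** ID_DIGITS


def guesses_for_half_chance(p_single):
    """Independent guesses needed before success is more likely than not."""
    return math.ceil(math.log(0.5) / math.log1p(-p_single))


def report(live_meetings, passcode_length=10):
    """Compare an ID-only meeting with one that also needs a passcode."""
    p_id = id_hit_probability(live_meetings)
    p_both = p_id / len(ALPHABET) ** passcode_length
    return {
        "id_bits": round(entropy_bits(10, ID_DIGITS), 1),
        "passcode_bits": round(entropy_bits(len(ALPHABET), passcode_length), 1),
        "guesses_id_only": guesses_for_half_chance(p_id),
        "guesses_with_passcode": guesses_for_half_chance(p_both),
    }


if __name__ == "__main__":
    # 100,000 concurrent meetings is a constructed figure, not a Zoom statistic.
    print(generate_passcode())
    print(report(live_meetings=100_000))
```

The meeting ID contributes about 30 bits and is not a secret once the link is shared, while a random 10-character passcode from this alphabet adds roughly 58 bits that only invited attendees hold.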

Step 3 – Waiting Room Makes People Wait

Finally, you can enforce a waiting room so you can selectively let people into your meeting.

Enable the Zoom Waiting Room

This helps you spot people who obviously shouldn’t be in the meeting. Now, some of these naughty boys and girls have already done some phishing, worked out some reasonable names of people who should be invited, and pretend to be them. Use your judgement when allowing people in.

Bonus Round – Additional Settings

There are some more settings you can change to help increase the security and privacy of your meetings and make it that much harder to zoom bomb.

Bonus 1 – Mute on Entry

Mute on Entry

If a naughty person does still manage to get in, by default you can force them onto Mute. This gives you that extra bit of time to qualify that they ARE indeed who you think they are.

Bonus 2 – Disable File Transfer

Disable Zoom File Transfer

File Transfers can be dangerous and allow the spread of viruses – the irony of virus transfer during Coronavirus isn’t lost!

Bonus 3 – Far End Camera Control

Disable Zoom Far End Camera Control

Make sure you disable Far End Camera Control – you certainly do not want to let anyone control someone else’s camera!

Bonus 4 – Don’t Allow Participants to Rename Themselves

Disable Participant Renaming

A small but helpful tip is to not let people change their Zoom name once they’ve joined a meeting. This helps detect duplicate attendees who maybe aren’t actual duplicates!

Bonus 4 – Stop Booted Attendees From Rejoining

Prevent Booted Attendees From Rejoining

If you do find someone in your meeting and boot them out – you don’t want them being able to rejoin seconds later and cause all that trouble all over again.

Bonus 5 – Authenticate Before Joining

Enforce Authentication Before Joining

Enforcing authentication before attendees can join is a strong way to help prevent those spammy users from accessing your meetings without your permission.

Bonus 6 – Disable Joining Before Host

Disable Join Before Host

Disabling your attendees from joining before the host can be a helpful tip – but it cuts both ways. It also means you need to be on time and join the meeting before anyone can start.

Sometimes you want this, other times you may not. For example, if you have a recurring meeting with your team, or a Happy Hour every 5pm, you may not be able to make it but don’t want to prevent the meeting from happening.

I mean – who wants to be the one to stop your friends celebrating another day in #lockdown!? *cough* Or… you know, being productive at work 🙂

Conclusion

Zoom is an amazing tool, and we’ve all been using it a LOT more. Yes, they’ve had some security and privacy hiccups, but they’re working hard to resolve those.

They also have a heap of settings to help you control your meetings and ensure attendee privacy and security. Many of them have sensible defaults.

While we’re all in lockdown or Shelter in Place, let’s keep up the massively increased productivity and social connectivity.
