May 30, 2020

May 30, 2020

Subscribe to Latest Legal News and Analysis

May 29, 2020

Subscribe to Latest Legal News and Analysis

May 28, 2020

Subscribe to Latest Legal News and Analysis

COVID-19 and Cybersecurity: Combating “Zoombombing” and Securing Your Remote Working Videoconferences

As COVID-19 has prompted a massive shift by organizations to the implementation and use of remote working solutions for their employees, there has been an unfortunate, but not surprising, corresponding rise in malicious actors seeking to exploit remote working solutions.

Over the past few weeks, the most notable and prevalent “digital hijacking” has occurred on the Zoom teleconferencing application. Since the start of the COVID-19 pandemic, there has been an explosion in the number of individuals using the Zoom application. Prior to the pandemic, Zoom averaged approximately 10 million users per day. However, Zoom now estimates that approximately 200 million users per day utilize its videoconferencing application. These users not only include remote workers, but also many school children and teachers who utilize the Zoom application for remote learning.

The phenomenon commonly known as “Zoombombing” involves the infiltration of Zoom videoconferences by hackers. Once they have infiltrated a videoconference, hackers have undertaken a variety of malicious acts including, among other things, posting hate speech, stealing personal identifying information, and posting pornography or other offensive or inappropriate content to the other participants in the videoconference. Typically, hackers look to exploit Zoom conference links that are posted publicly and/or open to the public without the need for a password or access key. In response to the increase in Zoombombing attacks, some governments and organizations have restricted or prohibited the use of the Zoom application by their employees. Recognizing the threat that hackers pose to their platform, Zoom recently added new default security features and recommended that users employ additional security safeguards.

Of course, it is not only Zoom that has been targeted by malicious cyber actors. Similar attacks have occurred on numerous other commonly use videoconferencing platforms. Attacks on these other platforms exploit similar flaws or security vulnerabilities that are seen in Zoombombing attacks.

Given the rise of attacks on videoconference applications during the COVID-19 pandemic, the FBI recently issued a warning discussing Zoombombing and other similar attacks aimed at remote working employees and students. The FBI advised that videoconference application users take the following steps:

  • Do not make meetings public and, if the option is available, utilize passwords for access to meetings;
  • Do not share links for meetings publicly;
  • Only allow meeting hosts to have the option to share their screens with other participants;
  • Ensure that you are using the most recent version of the application; and
  • Ensure that your organization’s remote working policies address requirements for videoconferencing security.

Other important security tips include:

  • Ensure that your teleconferencing sessions have active password protections in place;
  • Keep password protection on by default to prevent unauthorized users from joining or hijacking your sessions; and
  • Use a unique, one-time ID number for large or public teleconferencing calls.

The COVID-19 pandemic has made remote working a reality for many in a world handcuffed by social distancing. It is more important now than ever to understand the power, and the corresponding dangers, these new remote connection technologies hold in order to ensure that you maintain the safety and security of your organization’s data and information.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Counsel

Jason G. Weiss is an attorney and award-winning law enforcement and cybersecurity professional who served with distinction for over two decades at the Federal Bureau of Investigation. He is Counsel in Drinker, Biddle and Reath’s Information Governance and E-Discovery group, where his practice focuses on cybersecurity incident preparedness and response, compliance with CCPA and other information governance laws and requirements, as well as data analytics, investigations, and e-discovery.

Prior to joining Drinker Biddle, he was most recently a Supervisory Special...

310-203-4062
Peter Baldwin, Securities lawyer, Drinker Biddle
Partner

Peter W. Baldwin, a former federal prosecutor, defends clients facing white-collar criminal and internal investigations, securities enforcement actions, cybersecurity issues, and other complex civil and criminal litigation matters. Prior to joining Drinker Biddle, Pete spent over eight years as an Assistant United States Attorney in the U.S. Attorney’s Offices for the Eastern District of New York and Central District of California. In this role, he supervised all aspects of criminal investigation and prosecution, first as a member of the Major Frauds Section in the Central District of California and then in the National Security and Cybercrime Section in the Eastern District of New York. Prior to his work as an Assistant U.S. Attorney, Pete practiced commercial litigation at a major international law firm in Los Angeles, handling matters including securities fraud, derivative actions and business disputes.

As a federal prosecutor, Pete worked extensively with numerous federal law enforcement and regulatory agencies to oversee grand jury investigations, criminal charging decisions, plea negotiations, motions practice, evidentiary hearings, trials, sentencing proceedings, and appeals. Pete has served as lead trial counsel in multiple criminal jury trials.

(212) 248-3147