WBJ: With the massive switch to remote working across the globe, concerns have arisen whether some of the conferencing software is secure enough for employees and officials to use for crucial meetings and briefings. Taiwan, for instance, has banned official use of Zoom by its state agencies for fear that some conferences may be “overheard.” Is this a new threat and how serious do you think it may be?
Mateusz Olejarka: This is nothing new. Concerns about the security and privacy of different communicators like Messenger, Skype, WhatsApp, etc. were discussed widely in the media in recent years. The current situation just puts the video conferencing tools in the spotlight. It is hard to decide which tool is less secure than others without running extensive security tests on all of them. One way to do it is to compare security features available in those tools. I believe though that from the end user’s perspective tool configuration is crucial. If it is insecure, there will be unwanted guests disturbing important business meetings. I recommend taking time to make sure everything is set up with best security practices in mind – recently there were plenty of new publications on this topic. If your real concern is Orwell’s “1984” Big Brother watching, maybe you should not be doing video conferencing at all. Zoom received a lot of press coverage lately due to its vulnerabilities, but serious security flaws were also found in other conferencing software (e.g. Microsoft Teams in April, Cisco Webex in January). If you are anxious about using an external video conferencing tool, you may want to consider hosting a video conferencing tool on a company’s server internally, behind a corporate VPN. Unfortunately, there are only a few options available here and it can be used only for employee meetings (no external guests).
WBJ: For decades since teleworking became a possibility, companies resisted it for several reasons, including e.g. data security (client data, sensitive information). Now, being forced to adapt to remote working, these concerns seem as valid as ever. Do you think we may see a new wave of cybercrime, using the vulnerabilities of telecommuting? What are the possible vectors of attack?
Mateusz Olejarka: Topics like Covid-19 and teleconference tool setup are already used in ongoing phishing campaigns. [Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in an email or other communication channels.] Vishing [voice phishing] will also be on the rise, where an attacker during a video meeting or simply on the phone will try to mimic the voice of a CEO or senior manager and force some action or decision profitable for the attacker.
Some tools allow you to input whatever name you want and join a meeting, and nobody verifies it. Moreover, we will see more automated attacks trying to exploit known security misconfiguration or vulnerabilities in various video conferencing tools like the recent Zoombombing attack, where students were sharing URLs and passwords to meetings online and the internet trolls invaded and disrupted online classes.
On the bright side – there will be more security research and serious security testing of various video conference tools and platforms, so they will all become more secure in time.
WBJ: Where should companies’ priorities lie in terms of cybersecurity now? How should they educate their employees?
Mateusz Olejarka: Phishing attacks will definitely increase in frequency, so companies need to train their employees on how to detect such attempts and alert their peers about ongoing attacks. We as humans generally trust others. When working remotely, we will extend that trust to our virtual contacts with people, so we all should stay cautious and double-check each email we get.
I recommend employees take a free Phishing Quiz provided by Google. If a company is considering more advanced tests that simulate real, targeted phishing attacks, it should consult a security company such as the one I work for. Moreover, I recommend companies do security testing of the video conferencing tool used, including its setup – to make sure all security mechanisms available are used properly.
WBJ: How much damage can being “overheard” cause? What should we remember?
Mateusz Olejarka: Let me emphasize it again: as a meeting host, make sure you have used all security mechanisms available in a certain tool during setup. As a meeting’s guest, make sure that you know all other participants and report your concerns and doubts to the meeting’s host from the very beginning. Ask a suspicious guest to show camera feed, if disabled for example, and make sure that this is the person you expect.
When a meeting has unwanted guests, I see three consequences. First, you may be eavesdropped on, your meeting may be recorded and leaked online. Second, you may have to end and reschedule the meeting due to the bad behavior of unwanted guests (either audio – abusive language, curse words, noise, etc. or video – use your imagination). At SecuRing, we created a free guide for teachers who conduct online classes to prevent such scenarios. Third, the chat which is available in some tools may be used to send some phishing links or share files infected with malware.
WBJ: Are there any other risk factors that have been exacerbated by the global pandemic and the switch to teleworking?
Mateusz Olejarka: There is the idea of moving a company’s assets from the internal network to the cloud, the rapid build-up of the company’s infrastructure to handle an increased number of VPN connections, as well as the issue of fully remote onboarding of a new employee, just to name a few.
We, as a security testing company, see a spike in customers’ requests regarding not only web applications security tests but also requests regarding IT infrastructure security and security tests of various video conferencing and collaboration tools, which give us the big picture of today’s security needs. Speed is the enemy of security so we should remember to follow best security practices also when facing rapid changes.
Mateusz Olejarka is a Senior IT Security Consultant at SecuRing – a Kraków-headquartered security testing firm founded in 2003. Olejarka is one of the speakers at Infoshare 2020 – the biggest tech conference in CEE – that will be streamed online from Gdańsk on September 23-25 and 28-30.