The increased use of video conferencing platforms caused by COVID-19 has given cybercriminals the opportunity to open a new bag of tricks and launch attacks in a brand new manner.  And, because many of us aren’t used to working with these on-line conferencing platforms, the bad guys are making some inroads.  Let’s take a look at the issue.

What is Video Conferencing Software?

There are a number of software packages or “platforms” in the market that are focused on hosting video conferences.  They all share some common features:

• You join a meeting or conference by clicking on a link you get in an email or from registering via an on-line form.
• A “presenter” or “host” shares their screen and goes through a PowerPoint presentation, videos, talks to a camera, etc. or, in a meeting scenario, a group of people take turns sharing screens, talking, etc.
• You may have a Chat window where you can exchange messages with other participants
• You may have the option to turn on your video camera and share whatever it’s picking up. (note: this is a good reason to NOT wear your pyjamas to a video conference)
• You may be able to use your microphone to participate in discussions.  Like sharing your video camera, you want to be careful here.
• You may be able to download files from the presentation; and
• The platform may allow the session to be recorded.

Popular video conferencing platforms include:

• Zoom (currently experiencing a tremendous rise in popularity)
• Blue Jeans
• Go To Meeting
• WebEx
• Microsoft Teams
• Adobe Connect
• Blackboard Collaborate

Video Conferencing Privacy and Security

The RRU Community is pretty cybersecurity-savvy and I’m sure as many of you read the features list above you noted a few items that could be the source of cybersecurity or privacy issues.  Let’s have a look at some do’s and don’ts.

Meeting Hosts and Moderators

• Choose privacy settings carefully. Meeting hosts can choose settings that respect the privacy wishes and requirements of participants. Hosts are responsible for notifying participants and getting their permission if they are going to record the meeting.
• Record respectfully. Strive to provide notice to participants when you are going to record a video session. In general, do not record meetings that involve sensitive data.
• Protect sensitive data. For privacy / FIPPA reasons, do not share sensitive / personal data over a video conference.
• Share with care. Be aware that the content you share in a video conference meeting is made available to all participants and share appropriately.
• Use a unique meeting ID for each meeting and require authentication and a passcode for participants.  Cybercriminals are scanning the Internet looking for unsecured meetings. 
• Limit reuse of access codes and guest links. If you’ve used the same code for many meetings, others will have access to your meetings using that same passcode.
• Control your meeting. You may want to set up your meeting so that all participants join with their microphones muted, especially in a large or public meeting. Similarly, set screen sharing to Host Only unless there is a need for participants to share their video.
• Meeting invitations / links. Do not publish meeting URLS in public communication channels and remind participants not to share meeting details.

Meeting Participants

Joining a video conference?  Here’s a few things to consider:

• Mute your microphone.  This is more of an etiquette item than a security issue. Muting your microphone until it’s needed will make for a more pleasant meeting.  (and prevent something you didn’t intend to share from being broadcast to the meeting. )
• Disable your camera.  Unless it’s needed or appropriate for the meeting we strongly recommend you disable your camera.  Not only does it give you some additional privacy, it reduces the bandwidth used by the meeting and can help improve your experience.
• Be careful with links!  Not surprisingly, the cybercriminals are finding ways to use meeting links to cause you grief:
  • Look at meeting invitation links carefully.  Cybercriminals are making slight changes to meeting links to point you at their own site for a variety of malicious purposes.  An example of this is “googleclassroom.com” being replaced with “googloclassroom\.com.
  • Dangerous links.  Under no circumstances should you click on a link that looks like: \\myservername.com\ReallyCoolFile\   The “\\” without any “http” or “https” at the beginning is the clue.   
  • Be skeptical of links shared in meeting chat windows. Links shared in a chat window by the meeting host are likely to be fine; links shared by a meeting participant need to be treated with a high degree of skepticism.
  • Shared files.  Much like links shared during the meeting, exercise extreme caution when it comes to downloading files during a video conference.

In Summary

The mass migration to video conferencing as a way to work remotely has been a big help to companies and users worldwide.  It has also attracted the attention of cybercriminals who are always looking for new ways to conduct their “business”.  By being skeptical of what we see  on-line and taking some basic precautions we should be able to leverage this marvellous technology to enable us to work efficiently and collaboratively no matter where we are.

REMEMBER: STOP! THINK! CONNECT