Tuesday, 14 April 2020

Latest Zoom Leaks: What it means and how can you be more secure?



500,000 leaked accounts on sale on the dark web makes for good headlines, so why exactly are they being sold for less than a penny each?

Firstly, as a school, most teachers and students should sign in using their Google ID, so that Zoom does not get your passwords. These were NOT part of any leak.

Secondly, this is not as exciting as it first appears, because a lot of the data appears to be meeting IDs or sign-ins rather than the actual sign-ins with usernames AND passwords. In many cases these user IDs have been matched to passwords stolen from Google, Microsoft, Facebook et al. in previous attacks.

Right now, Zoom is a hot target, because it provides the service everyone wants.  Two pieces of advice to ensure you stay more secure:

1. If you sign up for any online service that's free, be sure to use passwords that you don't use for banks, payments etc. 

2. If you have a choice, use your Google or even Facebook ID, because that's one more layer a hacker has to get through.

Remember that it costs a lot of money to keep a service secure and Zoom has definitely been experiencing growing pains.

Stay safe everyone!

About James Abela

Before becoming a teacher, James Abela used to work as a web developer and was responsible for the security of several million pounds' worth of intellectual property. He also fought against Russian hackers.

Sunday, 5 April 2020

Zoom Video Conferencing Security for the non-technical

Tl;dr Make sure you use passwords, use and read waiting room IDs, give students meeting ID only just before the meeting.

The new focus on Zoom has meant hugely increased scrutiny from incompetent journalists who know nothing about cyber-security and competitors highlighting features that apparently make them more secure! In this article, I take you through the security Zoom has and how to make sure you are comfortable with that security.

There has been a lot of discussion over which is the best conferencing software for classrooms and all of the solutions I have seen have flaws. All of the conferencing software has been developed with corporate meetings in mind.  So for classroom purposes, there are features missing.

Zoom is the most feature rich from a teacher point of view.  It has key features that teachers love:

  • Waiting Room - Students are admitted into the room by a teacher. Also prevents unwanted guests.
  • Thumbnail video of everyone - Everybody can be seen in Zoom, up to 49 people, which is enough for you to see all your class at once.
  • Breakout rooms - You can send students to smaller rooms, so that they can talk with each other.
  • Built in whiteboards - Not unique, but helpful.
However, until this crisis Zoom was a small player and so went down a route of user convenience, meaning that you could just send out a link and join a meeting. With the spotlight on them, this has now changed: by default you need a meeting ID and a password, and the waiting room is on.


Why are all of these features important?

When there were relatively few meetings, 9 numeric digits seemed like plenty, but now there are 200 million meetings every day with Zoom. Even with a simple brute force attack you might be able to guess a number to zoom-bomb.

However the password is a good deal more difficult to guess, so it is essential that this is ON.

Secondly, although a stranger might be able to come into your room at random, they are unlikely to have the name of one of your students, and so it is important to read every name in the waiting room.

With these three features set up, security from a teacher point of view is good.

The Odds

For the mathematically inclined, your odds of guessing are:

  • Chances to guess meeting ID: 200,000,000 : 999,999,999
  • Chances to guess password: 1 : 9,999,999,999

Once you combine these then the odds of a simple brute force attack are tiny and actually smaller than using a leaked Office 365 account or Google ID to get into a meeting.


Students complicit

In some cases students have been giving away their personal information and meeting codes. Therefore an additional security measure is to not give meeting IDs out too long before the meeting. You can still schedule them, but only share with the students shortly before the meeting.

Note: if students misbehave, it is easy enough to put them back into the waiting room. Be wary of kicking students out completely, because depending on your setting they will not be able to come back to the meeting.

Student Guidelines

Like anything else, students need to know the rules that will keep them safe and keep the classroom running smoothly. Here are the guidelines I use to run my lessons smoothly:
  • I assign a monitor every lesson to let me know if my video and presentation are smooth. They stay on audio for the whole time I am presenting.
  • In Google Classroom, I ask a question to ensure everyone is active in the class, and it helps to make registration smoother. (This reduces the time I need to take a registration, because I can see instantly who is not there and ask directly.)
  • Students are told to be fully dressed and in a public space in their house.
  • Students must use their real names.

Teacher Tricks

I use these to help students, but also to reduce frustration because that's the surest way to ensure a student doesn't cooperate: 
  • I still use Google Classroom for students with weaker internet. 
  • I assign one Google Doc for the whole lesson with all the instructions in it, so that students have less screen flicking to do and can follow the flow even if their internet drops out mid-lesson. (Be sure to encourage use of offline docs.) 
  • I use Google Slides with the captions function to help students who are EAL.
  • I record the lesson locally and upload to an unlisted YouTube area. (In Malaysia, students can use YouTube data with 3G very cheaply.) If there is not an incentive to use YouTube, then use Drive instead.
  • I use a second screen so that I can see the student thumbnails at all times. (One good feature of Zoom is that even on a single screen you can see active students when screen sharing.)

It might be obvious, but please don't share your Zoom classrooms on social media... Notice how there's no picture of Zoom in use here!

Alternatives to Zoom

There are quite a few alternatives to Zoom. Internet infrastructure varies and you might find one of these alternatives suitable for you.
  • Google Meet - Fully integrated into G Suite, but lacks many of the features of Zoom
  • Microsoft Teams - Great for people with Office 365, but teachers who are not used to it have complained that the interface is cumbersome
  • Cisco Webex - Most secure platform, but video performance is variable

These are more for specific purposes, but useful tools nonetheless:
  • Streamyard - This enables up to 6 people on the call and you can broadcast directly to YouTube. A good choice for assemblies and other events where you are going to give information to a larger gathering.
  • Flipgrid - A good way to be able to teach asynchronously
  • YouTube - Consider doing your presentations directly on YouTube. Don't forget you can add questions with TED-Ed Lessons or Edpuzzle

