As classes and jobs transition from in-person settings to virtual meetings with teachers and coworkers, it is important to be wary of the vulnerabilities that come with moving online.
September 23, 2020
Author: Nurit Elber
Zoom and Google Meet are two easy ways that schools and employers are using to stay connected. While they are convenient and relatively easy to use, both require a 10-11 digit meeting ID that is subject to what is called a “brute force attack”.
Brute Force Attack
A brute force attack is when an attacker tries every possible number or letter combination to gain access to a password-protected server or site. It is like banging down a door until it breaks instead of using a key to get inside.
Zak Doffman of Forbes reports that malicious individuals guess numerous 10-11 digit meeting IDs until one of them gets them into a Zoom call. There is no easy way to tell which call they will enter, but there is a risk of sensitive information being accessed by the wrong people.
Set Passwords
This specific vulnerability has been patched with passwords, according to Zak Doffman: users now need to enter a predefined password to join the call. For meetings that involve sensitive information, or where users simply do not want to risk being listened in on, set a password if the platform allows it. Also make sure that the conference code is not displayed somewhere public like Facebook, but is sent privately, for example in a Canvas announcement that only the students have access to, or through a separate work email.
Phishing Attacks
However, since many K-12 schools are switching to online learning to resume classes in a virtual setting, malicious attackers are taking this opportunity to exploit children, according to Jeffrey S. Solochek of SecurityInfoWatch. Attackers send out phishing links disguised as links to “Zoom calls” to unsuspecting children; this could lead to sensitive information about them being compromised, as well as other forms of exploitation.
To combat this, NEVER click links from an untrusted source. Double-check the email sender to make sure it is an address that can be trusted; you can always confirm it is the real sender by messaging the person on another platform (Discord, texting, WhatsApp, etc.).
Another preventive measure is to make sure that the link actually leads to the desired call. To verify that a link goes where it claims, submit it to URLScan.io or VirusTotal, both trusted platforms intended to help users avoid malware and malicious links. URLScan.io opens the link in a virtual sandbox, a contained environment, to show the user where the link actually leads without the user having to open it themselves. VirusTotal deploys the link and runs many malware and virus databases against the link’s website or endpoint to determine whether it is safe.
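As an added example, not part of the original article or of either service's own tooling: a small Python allowlist check that applies the "does the link actually lead to the desired call" rule before a link is opened or sent to URLScan.io/VirusTotal. The allowlisted domains, the sample links and the evil.example host are assumptions constructed for this illustration.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed allowlist for this example: the meeting services the article names.
# A school with its own vanity Zoom subdomain would add it here (assumption).
TRUSTED_SUFFIXES = ("zoom.us", "meet.google.com")

def host_is_trusted(host: str) -> bool:
    """True only if host is a trusted domain or a genuine subdomain of one.
    Matching on a label boundary is what defeats lookalikes: 'zoom.us.evil.example'
    ends in 'example', and 'zoom-us.com' never reaches a '.zoom.us' boundary."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def check_meeting_link(url: str) -> tuple[bool, str]:
    """Return (ok, reason). Accept only https links with no embedded credentials
    and an allowlisted host; anything else goes to URLScan.io / VirusTotal review."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme != "https":
        return False, "scheme is %r, not https" % parts.scheme
    if not host:
        return False, "no host in link"
    if parts.username is not None or parts.password is not None:
        # 'https://zoom.us@evil.example/...' shows 'zoom.us' but connects to evil.example
        return False, "credentials before host; real host is %r" % host
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        # punycode / non-ASCII hosts can hide homoglyph lookalikes; inspect by hand
        return False, "internationalised host %r, inspect manually" % host
    if not host_is_trusted(host):
        return False, "untrusted host %r" % host
    return True, "trusted host %r" % host

def triage(links: list[str]) -> dict[str, tuple[bool, str]]:
    """Run the check over a batch of links and map each link to its verdict."""
    return {link: check_meeting_link(link) for link in links}

# Constructed sample links; the meeting IDs and evil.example are made up.
SAMPLE_LINKS = [
    "https://zoom.us/j/1234567890?pwd=abc",        # genuine pattern
    "https://us02web.zoom.us/j/1234567890",        # genuine subdomain
    "https://zoom.us.evil.example/j/1234567890",   # trusted name used as a prefix
    "https://zoom-us.com/j/1234567890",            # hyphen instead of dot
    "https://zoom.us@evil.example/j/1234567890",   # credentials trick
    "http://meet.google.com/abc-defg-hij",         # plain http, could be intercepted
]

if __name__ == "__main__":
    for link, (ok, reason) in triage(SAMPLE_LINKS).items():
        print("OK  " if ok else "FLAG", link, "->", reason)
```

Only the first two sample links pass; the rest are flagged with the reason, which is what a help desk or teacher would forward to URLScan.io or VirusTotal for a second opinion.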
Another good general rule is to protect children's data from being leaked online. Avoid having kids sign up for websites, including Zoom accounts, with their real names, and do not list other information such as addresses or schools. Once posted, this information becomes public and could become the basis for another attack targeting the child. Remember to stay safe online and in real life!