10.4.20

Zoom security: getting the settings right





Here’s how you can greatly improve your Zoom privacy and security in a few simple steps

By Tony Anscombe

Zoom is attracting a lot of attention in the media due to the mass uptake of videoconferencing services during the near-global lockdown due to COVID-19. They are adapting to sudden global overnight demand and success, something most companies can only dream of. Companies like Zoom offer free products and services to attract new users; making it free removes the barrier that payment imposes and hopefully locks the user in to a service long term. Then at some stage the user may become a paying customer, either for additional functionality on the service they use or for other products offered by the company.

We all use free services – search and email being great examples; in reality, though, there is no such thing as free. Companies need to monetize usage to enable them to provide the service or product for free; this typically involves some form of advertising or the collection of data through use. A company providing free services typically has a business model and privacy policy that reflects the way they make money. Zoom’s sudden success caught them with their pants down … they had a business model and privacy policy to support a free, slick and frictionless service, and then they suddenly became the default go-to place for millions of organizations requiring videoconferencing in a rush.

I am not defending Zoom; they have had and continue to have numerous privacy- and security-related issues – I am just providing a perspective that they may need time to adapt their business model and privacy policy to reflect their sudden success. This can be witnessed in the recent product updates released to fix issues and the recent changes made to their privacy policy.

Some organizations are now reflecting on their hasty decision to use Zoom and are migrating away to other videoconferencing services that suit their needs more appropriately. According to TechCrunch, New York City banned schools from using Zoom, citing security concerns – but a city spokesperson also did not rule out returning to Zoom. Organizations fled to Zoom as a de facto standard because of the simplicity of the user experience and because it offers a free solution. This enabled organizations to adopt the service quickly with no training and removed the need to raise purchase orders.

Not all organizations may be in a position to evaluate other options or commit to paying for a service, especially in the small business sector where companies are struggling just to survive, or education districts that are strapped for cash. If you have made the decision to use Zoom, below are my recommended settings, which are best used in tandem with our article from yesterday on how to password-protect your Zoom meetings.

Setting up a Zoom meeting

Find the complete article on:


8.4.20

600,000 people affected in email provider breach



The users' personal data are now up for grabs on the dark web for anywhere between US$3,500 and US$22,000 worth of Bitcoin

The personal details of more than 600,000 Email.it users have been stolen and put up for sale on the dark web. The incident surfaced on Sunday after the perpetrators took to Twitter to spread the word about the website that sells the data.
“Unfortunately, we must confirm that we have suffered a hacker attack,” confirmed the Italian email provider in a statement to ZDNet, which broke the story.

The hacker collective that claimed responsibility goes by the moniker “No Name”, or “NN” for short. The group said that the breach occurred way back in January 2018. They went on to claim on their website that they contacted Email.it about loopholes in the firm’s infrastructure and asked for a “little bounty”, but the Italian email provider refused to communicate with them.

Another message on their website stated that they tried to extort the company on February 1st of this year. An Email.it spokesperson confirmed as much, but the company refused to play ball and contacted the authorities instead.

According to the hackers’ claims, they now have control of 46 databases that contain plain text passwords, email content, and email attachments of users who signed up for a free Email.it account between 2007 and 2020.

The collective additionally claimed that it was able to access plain text SMS messages that were sent out using the company’s text sending service, as well as get a hold of the source code of all of Email.it’s web apps.
On the bright side, no financial data were stored on the hacked servers, nor were any business accounts impacted by the breach.
As of now, the affected servers should be patched and the relevant authorities, including the local data privacy regulator, have been notified.
The incident may bring echoes of an unrelated attack on the US-based email provider VFEmail last year, where the bad actors went even further and wiped out almost two decades’ worth of data from the firm’s servers.

7.4.20

What to do if your phone is lost or stolen



Losing your smartphone can be expensive, but the cost of the device may not be the final price you’ll be paying

According to a Prey study of 2018 reports from its customers of lost mobile devices, 69% are misplaced and 31% are stolen in various ways. Since smartphones have become a centerpiece of our digital identities, where we check our emails, stay connected on our social media, use them as our diaries, and pay with them, it is especially unnerving if we lose them. Essentially, these devices hold a virtual truckload of sensitive personal information that can be exploited should it fall into the wrong hands.
Securing your device starts well before it goes missing, so what steps should you take before and after your phone goes missing?

Back up your phone, store the data somewhere safe

This step should be a no-brainer but if you haven’t gotten around to it yet, then you should do it as soon as possible, like: now. There are multiple ways to go about it, and we looked at backup options for smartphones in greater detail last week.
In a nutshell, you can save a local backup file that includes all the bare necessities, such as contacts, messages, and photos, on your computer. Doing that once a month will probably save you from a headache in the long run.
Alternatively, you can enable the auto-backup feature on your phone that will regularly back up your data onto the cloud, or you can back up your files to the cloud manually. To be safe, the best way is to do both and make multiple copies, in case your computer fails you or your files get wiped. The cloud option is also convenient since if your phone is stolen, you can easily set up a new phone using your stored data.

Lock it up like Fort Knox

Nowadays, smartphones offer myriad ways to lock them down tight. The best option is to go with a combination of a strong passcode and a biometric lock, such as a fingerprint.
Biometrics add an extra layer of security, which is always helpful. As for the passcode itself, don’t just go with the default option: make it more complex. Some systems allow you to increase the length of the passcode, while some give you the option to choose an alphanumeric code. The more complicated the password, the harder it is for a thief to break it.

Find my phone

Depending on your phone brand or the system you’re running, it almost certainly has a "find my phone" option installed on it. iPhones have the oddly named Find My app, Samsungs have Find My Mobile and Androids in general have Find My Device. All of them have to be enabled to work, of course, so if you haven’t done it yet, you know the drill. Regardless of the brand you’re using, we can’t stress this enough: you should have this option turned on. It not only helps you find your device, but the app usually has multiple security features included as well.
You can log into the associated service through a browser and use the features from the menu. If you just misplaced the phone, you can choose the ring option. This will make the phone emit a sound, so you can hear it if you’re in the vicinity. If you haven’t properly secured your device, you can do that as well as display a message on the lock screen to a good Samaritan willing to return the phone.
Finally, you have the nuclear option of erasing your phone remotely. If you do that, you might not be able to track your phone any longer, so only use this option as a final resort. You will lose your phone, but at least your data will remain private and nobody with malicious intent can exploit it. Reputable security software, too, often includes lock, locate and remote-wipe functionalities.
If you’re certain that you’ll never see your device again, you should contact your carrier and report that your phone has been lost or stolen; they will deactivate your SIM card so it won’t be misused. If your phone is insured, you can also file an insurance claim and hopefully that will cover at least some of your losses.

Be prepared

Planning ahead can save you from a lot of headaches in the event you do misplace your device. To sum it up – secure your phone, back up all the data, and set up the ‘find my phone’ feature. Should your device be stolen or lost, you can at least be certain that you’ve done everything possible to secure it and facilitate its return.