Keeping troublemakers out your meeting
An education session on anti-xenophobia hosted by the Living Water Community and hosted by the Catholic Education Board of Management (CEBM) for four RC primary schools, came to an abrupt end on Thursday, January 28, after unknown persons displayed pornographic material.
There were 799 attendees at the Zoom meeting. Racial comments were also left in the chat box after the meeting was halted. Unfortunately, this episode is not unusual. News reports have told of intruders or students disrupting online classes with pornography and verbal abuse of teachers.
The Catholic News contacted junior head of Information Communications Technology (ICT) at the Chancery (The Diocesan Curia of the Archdiocese of Port of Spain), Nathan Low Foon about precautions against what has been termed ‘Zoom bombing’.
Firstly, he said, when dealing with large meetings with hundreds of participants “it becomes difficult to control how the meeting link is shared”. He suggested one or a combination of factors could have occurred that allowed “malicious actors to get hold of the meeting link”.
1. A recipient of the link has a device: PC, laptop, tablet, or phone that is compromised with malware/spyware that leaks personal data online or to a specific group/person.
2. A recipient of the link has a compromised email account and is being accessed by a malicious actor who is stealing information and posting it online.
3. A recipient of the link intentionally posted the link to an online space/shared with a party who then made the link publicly available.
4. Someone who was supposed to be a participant in the meeting perpetrated the actions themselves.
Low Foon said “Zoom bombing” was coined early in the pandemic with the shift to online settings for businesses and schools. He noted that the platform was not as secure initially but it has since implemented several features to curb Zoom-bombing occurrences. He identified two common ways in which a meeting can be disrupted in similar manner as to what happened.
A malicious actor or a group of them gets hold of the meeting link and joins, by one of the methods stated previously. If they can get into the meeting because the Waiting Room feature is not enabled or a host/co-host in the meeting unknowingly lets them in from the Waiting Room, “they now have access to the meeting”. If they can use the chat, unmute their microphone, share their screen and are allowed to have their webcam on, they are able to disrupt the meeting by sharing explicit content or shouting into the microphone.
Low Foon said, “The less common method would be the administrator’s Zoom account is compromised i.e., someone gets hold of their email and password through a compromised email or device which allows the malicious actor to log in with the Host account and hijack the session.”
As the Administrator for the account used for the meeting, Low Foon received an automated email from Zoom notifying that the meeting link was posted online, on Twitter.
“A link to the tweet was also provided. The tweet itself did not get much attention as the account it was posted from had less than ten followers, but it still allowed for persons who should not have been in the meeting to access it.”
He elaborated that Zoom has a system in place that constantly scans the web for Meeting Links and then alerts the administrators of accounts that they detected a meeting that doesn’t have security features enabled. Low Foon added that in the case of the meeting on Thursday the Waiting Room feature was not enabled for this session but the other recommended security features were on.
What should the public be mindful of in hosting meetings using platforms such as Zoom and Teams?
Persons should be versed in or have someone who is versed in the platform of choice available to them. Each platform has specific ways of dealing with security. Low Foon said, “If they have neither the personal experience nor someone available to them, they should be diligent and learn the platform whether it be Zoom, Teams, Cisco WebEx, Google Meet, Discord etc”
Using Zoom to illustrate, as it is the most used platform, he highlighted the registration feature for attendees of the meeting, and the registration can be accepted or denied. After registration is confirmed a “specific” link is sent to the attendee. Low Foon added, “Using other features like the Waiting Room also allows for a level of control so you can vet the persons trying to enter the meeting.” These two features can be time comsuming because they require manually approving registration and then manually admitting participants into the session. This can be a drawback when dealing with a large meeting. On the other hand, Low Foon said, “you run the risk of possible disruptions if you don’t go through this process.”
He advised that in meetings there should be one or two persons as host, host/co-host, to act as moderators. They will be charged with muting when someone’s microphone is on, turning off videos if they deem that the participant is showing inappropriate content and removing the person from the meeting if necessary. Hosts have the option of preventing persons from using the chat, unmuting themselves, sharing their screens, or showing their video.
“It really depends on the context,” Low Foon said. The need for a host/co-host may be unnecessary for internal meetings with users who practise good online meeting etiquette. For external participants from many different groups and whose technical competency or behaviours are unknown then, he suggested, moderators to assist or consider using the registration and Waiting Room features.
Should meetings be limited to smaller groups?
Low Foon said, “As it pertains to IT security, my recommendation will always be to have smaller groups to reduce the risk of your meeting link getting out. You cannot control the actions of others nor can you be certain their devices or accounts have not been compromised”. He acknowledged that for the Church and school setting, “the norm is and depends on large gatherings”.
“The purpose of these institutions is to reach and impact as many people as they can and given that we are still dealing with COVID-19, this is really the only way to accomplish that safely while maintaining accessibility and audience sizes.”
SECURITY AND SAFETY ONLINE
Low Foon had these tips:
1. Two-factor authentication—2F or multi-factor authentication is one of the best features to have if it is available. It provides alerts when a stranger tries to access an email account and adds an extra layer of security “that even the most complex security passports cannot compensate for if your device has been compromised”.
2. Practise safe internet use—Do not use sketchy websites like video-streaming sites for movies and television series or download pirated software. Clicking on ads can also be detrimental on an unsafe website.
3. Use paid anti-virus software—Free versions are available, if you’re not someone who is versed in the use of IT then it may be worth your while but they are affordable today and they work.
Low Foon’s final comment was this: “Our daily lives are becoming increasingly connected to the digital world and our digital identity. What is your personal data and peace of mind worth to you?”