Homeland Security: Preventing “Zoombombing” of Meetings

The Terre Haute Chamber of Commerce has communicated with numerous federal and state authorities in the wake of COVID-19. The federal Cybersecurity and Infrastructure Security Agency has provided information on how local businesses and individuals can prevent “Zoombombing” or hacks of Zoom meetings.

An overall resource of general information on protecting virtual meetings.

Situational Awareness
Most of this information focuses on Zoom. Zoom is a great tool, but using it is not without risk. The downloader and installer require elevated privileges. Zoom also has the ability to remotely monitor users' desktops and activities. Zoom is currently being sued for sharing this data with Facebook. See the NY Post article: https://nypost.com/2020/03/31/lawsuit-claims-zoom-illegally-shared-user-data-with-facebook/

When Zoom is being used, there have been numerous instances reported nationally of people crashing or “Zoombombing” a virtual meeting that had posted a public link or invitation.

Zoombombing Article: https://forward.com/news/442568/anti-semites-zoom-hackers-video-swastikas-zoombombing/

Safeguards for use of virtual meetings
Virtual meetings or events that require pre-registration via a public link allow you as the host to somewhat vet registrations and only send the link to those participants who registered.  That alone may be enough of a deterrent to keep someone with ill intentions from crashing the meeting.

Check for security recommendations from whatever software you are using. For example, Zoom has put a list of security recommendations on their web page (https://zoom.us/security) along with screenshots of the administrative controls/settings available.

Best Practices/Considerations for Virtual Meetings with Public Links

  • Regardless of whether the meeting is public, private, or requires a special link or password to join, the host should be alert and on guard for virtual intruders.
    • Assign someone with administrative privileges (who is not the presenter) to scan for and expel intruders, inappropriate background images, etc.
  • Be familiar with the administrative settings and controls of the program you are using before scheduling a meeting. Decide which controls will be in place prior to the meeting and which ones will be enacted if an intruder tries to disrupt the meeting.
    The following are controls that can be set in Zoom.
    • Know how to lock a meeting.
    • Know how to expel someone from a meeting.
    • Disable participants' ability to record the meeting.
    • Disable “Allow Removed Participants to Rejoin” so expelled attendees can’t slip back in.
    • Disable File Sharing/Transfer.
    • Only the Host should be able to screen share.
    • Disable the Chat feature prior to the meeting.
    • Put all attendees in mute mode and suspend privileges for participants to unmute themselves.
    • Pin or Spotlight Speaker Video. https://support.zoom.us/hc/en-us/articles/201362743-Pin-Video

Pinning a video allows you to disable active speaker view and only view a specific speaker.

Alternatively, you can spotlight a video. Spotlight video puts a participant as the primary active speaker for all participants. All participants will only see this speaker as the active speaker.
These features will keep others from seeing an intruder’s screen or background.

  • Consider emailing the link to congregants/attendees instead of publishing it on your web page.
    • Consider requiring a password to enter. This too would have to be emailed to congregants/attendees.

Response if a virtual intruder tries to disrupt your meeting

  • Lock the meeting (no new participants will be allowed to join).
  • Remove disruptive participant(s). If you have disabled “Allow Removed Participants to Rejoin” they won’t be able to rejoin the meeting.
  • Be sure that the Speaker is pinned or spotlighted.

Other Options:

Many of the software programs promote a sense of togetherness & community that we so desperately desire at this point in time. If it becomes necessary to enable the majority of the safeguards listed above, the meeting becomes pretty much a one-way conversation. If it gets to that point, you may want to consider using other programs that allow you to live-stream services, a presentation, or a talk without participant interaction or the possibility of disruption.