Posted on 25 Mar 2020 by Ray Heffer
In recent weeks we have all had to adapt to changes that the COVID-19 pandemic has inflicted on us. With the increase of people working from home, it is no surprise. With the influx of home workers, many organizations, schools, and communities are switching to video conferencing apps like Zoom, to bring their teams and students closer together. Even IT certification providers are allowing people to take exams from home, using dedicated testing software linked to a webcam and microphone.
The immediate need of home working solutions is overshadowing good privacy practices. Most of my colleagues in the IT industry think I take a very aggressive stance to privacy at the best of times. I admit that I am inclined to wear the tinfoil hat most days!
In just the last few days, I have seen several posts on Twitter of virtual happy hours and team meetings taking place at organizations around the world. As someone that has worked from home for the past 10 years, it is only in these recent circumstances that webcams are being enabled on almost every conference call. While I understand (and fully endorse) the importance of virtual meetings with webcams, we all need to be very careful about posting these on social media. I am sure my concerns are reflected at various IT security departments right now.
Note: If you are used to me posting about End-User Computing, Cloud Computing, AWS, and VMware, then don’t abandon my blog just yet! While I feel very strongly about good security and privacy practices, I’ll be blogging about these other topics again very soon! - with Privacy & Security included :)
I get it. It’s exciting to share your virtual happy hour and team get-togethers, but before posting screenshots on social media think of the consequences. I found the image above by searching Google. I also found dozens of others in my Twitter feed in just the past week alone. The problem is that every single one of these screenshots contains full names, faces, and often phone numbers for anyone who dialed into the conference. These all get scraped by various services, many of which you have probably never heard of.
What is even worse is that many of these screenshots include the Zoom Meeting ID at the top of the screen. Now anyone can listen in to future calls. The fact it has just been posted on Twitter also reveals which day and time the meeting takes place each week. Bad idea. Back in 2012, Anonymous hacked into an FBI WebEx conference call, then posted the entire call to YouTube. Next time you join a conference call, just be careful who else is listening in.
In July 2019, a major security flaw in Zoom allowed any website or email to forcibly join a user to a Zoom call with their webcam enabled, without requiring the user’s permission. Just last year in 2019, even if you decided to uninstall the Zoom client on your Mac, a web server would remain behind, running on your local machine as localhost. The idea behind it was that if you clicked on a Zoom meeting invite, Zoom would re-install the Zoom client for you, with zero user interaction. Apple stepped in to remove this malware functionality, and Zoom have since resolved it. In fact, another CVE (CVE-2019-13567) states that ZoomOpener, which is the hidden web server service, is removed by the Apple Malware Removal Tool (MRT).
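If you removed the Zoom client from a Mac around that time, a quick defender's check for the leftover ZoomOpener web server is worth running. This is an added example, not code from the original post; the ZoomOpener paths and its localhost port 19421 are taken from the public write-ups of CVE-2019-13450, not from this page, and the function accepts a home directory argument so it can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the original post): look for the leftover ZoomOpener
# local web server on a Mac after the Zoom client itself was uninstalled.
# Assumptions (from public write-ups of CVE-2019-13450, not from this page):
#   - the daemon lived under ~/.zoomus as ZoomOpener.app
#   - it was started by a LaunchAgent named us.zoom.ZoomOpener.plist
#   - it listened on TCP port 19421 on localhost
# Returns 1 when leftovers are found, 0 when the home directory looks clean.

zoomopener_leftovers() {
    home="${1:-$HOME}"
    found=0
    for p in "$home/.zoomus/ZoomOpener.app" \
             "$home/Library/LaunchAgents/us.zoom.ZoomOpener.plist"; do
        if [ -e "$p" ]; then
            echo "FOUND: $p"
            found=1
        fi
    done
    # Live check: is anything still answering on the ZoomOpener port?
    # Only meaningful on the real host, so it is skipped when a directory was given.
    if [ -z "${1:-}" ] && command -v lsof >/dev/null 2>&1; then
        if lsof -nP -iTCP:19421 -sTCP:LISTEN >/dev/null 2>&1; then
            echo "FOUND: a process is listening on localhost:19421"
            found=1
        fi
    fi
    [ "$found" -eq 0 ] && echo "No ZoomOpener leftovers under $home"
    return "$found"
}

# When run as a script, check the current user's home (exit status 1 = leftovers found).
zoomopener_leftovers "$@"
```

If anything is reported, remove the LaunchAgent and the `~/.zoomus` directory, then install the current Zoom client from the vendor rather than relying on the old web-server re-install path.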
If you are thinking, “Well, who cares, that was an old version and it doesn’t affect me anyway”, then think again. CVE-2019-13450 was bad enough, and other vulnerabilities may exist. I am not saying for a moment that you shouldn’t use these apps. I just want people to be mindful, and aware that vulnerabilities do exist. The best advice here is to update Zoom to the latest version.
If you all really need that virtual team photo then go ahead, but consider sharing via corporate email or other internal systems rather than social media. I’ve also seen many people on conference calls showing family photos in the background, with their wife, kids, pets, and other family members. All of it is there, ready to be scraped by search engines and facial recognition databases. Again, this might not be a problem for you personally, but others on the call might want this information to remain private.
One of the reasons I personally do not want a screenshot of my webcam during a conference call, is because I don’t want that being indexed by Google, Bing, and all of the other search engines. Twitter posts ARE indexed by search engines, and they will be used for facial recognition databases. Once this happens, it is incredibly difficult to remove. Trust me, I am trying to get a cached image of me removed from Google, and after several months it has been very problematic. As long as those Tweets are out there, search engines will keep snapping them up.
Clearview AI is a startup that has collected billions of photos for their facial recognition app, and continues to do so. Their business model is to provide a face search engine to law enforcement and government agencies. I love that technology like this can catch criminals, and I am all for that. What I don’t like is that, as with many internet companies, the decision on who to provide access to these capabilities falls in the hands of the start-up’s founder, Hoan Ton-That.
According to this video by ThreatWire, they also provide their service to banks, casinos, cellphone providers, and even Walmart. Aside from the fact they suffered a breach, exposing their entire client list recently, Clearview AI and other services will save your image once it’s posted to social media. If they can’t keep their client list secure, what about the billions of photos they have scraped? According to Forbes, Clearview AI collected 3 billion photos early last year, and that number is increasing dramatically.
As mentioned on Tripwire, sites like LinkedIn are a virtual phonebook for social engineers. The same applies to Twitter, and posting images of team calls is another source of valuable information to hackers and social engineers. Any screenshots taken of team video calls will contain the names and photos from everyone on that team. Taking a copy of that image will allow hackers to print fake ID badges, create fake social media accounts, or worse. You can see why IT security policies take this kind of thing seriously.
If you are using a personal device to work from home, even temporarily, then don’t install video conferencing software on your personal device. The same advice goes for any other software needed for business purposes. If you can use a web browser for anything work related, this avoids having to install additional software. Zoom, for example, can actually be used from the browser.
When you don’t have the luxury of using a dedicated corporate device, then the best thing is to deploy a virtual machine on your personal device. If you use a Mac, then VMware Fusion is around $79 (expense it!), which will allow you to install a Windows virtual machine to your Mac. You can buy VMware Workstation for Windows and do the same thing. Anything you install for work remains inside of the virtual machine, and stays separate from your personal data.
This should go without saying, but in recent weeks I’ve heard about some interesting and unintended sights on video conference calls! Cover or unplug the webcam when it’s not in use. Be intentional about using webcams, and only connect them when you need them. It still amazes me when I see other people’s laptops with no sticker or privacy filter over the webcam. I have personally experienced the webcam of my 2015 MacBook Pro being activated without my permission, while sitting in my hotel room. To this day I don’t know exactly what caused the green light to go on, but it was activated.
Personally I prefer to join without a webcam connected, and only enable it when it is required. I get it, everyone else has their webcam turned on, and you don’t want to be the oddball. I will often turn it off later in the call.
And don’t display family photos in the background. When you are using the webcam, have a plain background with no personal items on display.
Finally, my third tip is to use cloud hosted desktops. Many of us have suddenly been thrust into a situation where we need to work from home, and pay the bills. Luckily, it seems that 2020 is finally the Year of VDI! Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) have been around for decades now, but it is an ongoing meme in the community that the year of VDI never actually comes. I had always said that we don’t need a year of VDI, since I’ve been designing VDI solutions since Citrix WinFrame in the late 1990s. But amidst the COVID-19 pandemic, I eat my words. This truly is the year of VDI.
This final tip satisfies not only the privacy concerns of the most dedicated tinfoil hat wearer I can think of, but it genuinely provides a fast and viable solution for organizations needing to support a remote workforce, securely and efficiently. Given my background with AWS and VMware, I’d recommend that you ask your employer about Amazon WorkSpaces and VMware Horizon on VMware Cloud on AWS.
Cloud-based VDI solutions provide thousands of remote workers with everything they need, working from home. In many cases, no third party software needs to be installed on your personal device, and it meets some of the highest security standards in the industry.
Finally, stay safe! There are many people now working from home that would usually have been protected by company threat detection, firewalls, and other security services. These are difficult times, but I’d hate to see anyone having to deal with privacy issues during all of this.
Keep the conversation going on Twitter!