Update: Media response to web conferencing tool Zoom

Increasing safety

2020/04/17

Once again, many reports on the security of Zoom have been read and heard in the media. To increase the security of web conferences via Zoom, the provider of the cloud service has already adapted the relevant settings as well as the software.

The latest news concerns data offered on the internet that originates from an already known hack and was not taken directly from Zoom's user database. The perpetrators probably collected the data in a so-called "credential stuffing attack". In such an attack, log-in data already circulating on the internet from old hacks of other websites is tried automatically against a new target, in this case Zoom. Whenever an already known combination of e-mail address and password is found to work, it is added to the new data set created in this way. This is therefore a fundamental problem. It is therefore recommended to change your passwords regularly.

In addition, since April 15, two security holes in the Zoom video chat app have been pointed out which allow attackers to execute malware on their victims' computers. This could be used to spy on Zoom calls and possibly on other private information on the computer. This vulnerability can only be exploited if the attacker is also part of the video conference. The HRZ therefore recommends that you always assign a password to your video conference so that no unauthorised persons can access it.

The HRZ keeps a very close eye on the news and technical developments at Zoom and regularly adapts default settings and recommendations for users.

Configurations already made
The HRZ had already made additional configurations to increase security. For example, a PIN is mandatory when dialling in via telephone, and authentication and integration of contacts/calendars into the Zoom system are not possible. It is still possible, and sometimes useful, to change security settings as a user. Please only make such changes if you know exactly what you are changing and why!

If you have set up further free Basic licenses at Zoom in addition to the fee-based licenses distributed by the HRZ, you are responsible for not storing your TU-ID password there, for example in order to load contacts and data from the groupware into the Zoom system.

In a further step, we will soon be able to transfer your Basic licenses to administration by the HRZ; the extended settings made by the HRZ will then also apply to these licenses. A mandatory prerequisite for such administration by the HRZ is that you have registered your license with your e-mail address of the basic service (vorname.nachname@tu-darmstadt.de).

More information about the topic can be found in our FAQ.