NCSC SK CERT advices to stay away from utilizing your conference calls on risk platforms
The spread of COVID – 19 has forced many companies and organizations to work remotely. While this precautionary measure is a good measure to care for employee’s health while maintaining good productivity, it also opens up opportunities for cyber attackers to exploit successful attacks.
There are several ways to abuse the current situation:
- Unauthorized access and disruption of conferences (Bombing)
- Vulnerabilities in teleconference softwares
- Weaknesses and errors due to the implementation and operation of conference software
- DoS and DDoS attacks on ongoing video conferences
Bombing and interception
The FBI warned about disrupting videoconferences that were used for online training or business meetings by attackers. While some conferences were interrupted only with disruptive but largely inoffensive jokes, others contained pornographic or hateful content involving threats and verbal attacks. Such incidents have also been reported by American high schools, where an unknown attacker has joined online learning through the Zoom platform and disrupted the course.
Modern videoconferencing platforms often allow anonymous name users, with the camera and microphone turned off, or dial-in, or from the public telephone network. Such participants can listen to a large number of videoconferences without notice.
Abuse of vulnerabilities
Vulnerabilities do not avoid video conferencing platforms, and the principles of safe software use, such as prompt installation of security patches, are applicable here as well.
For example, popular Zoom videoconferencing tool updates from March and April removed several serious vulnerabilities that could lead to more possible attacks.
Vulnerabilities enabled:
- listening to video conferences without the participants’ knowledge due to poor implementation of end-to-end encryption
- exfiltrate passwords from the Windows operating system towards the attacker
- bypass operating system privileges when installing the application
- to install malicious code
Although patches have been released, attacks continue to exist as many users have not updated the applications.
Weaknesses and errors due to the implementation and operation of conference software
Introduction of any new technology and it accessibility to the organization also entails changes in the configuration and set up of the infrastructure. The most significant changes take place at the perimeter of the organization in firewalls and other security features. Administrators often allow exceptions to the rules that are often at the expense of security. The opening of specific ports as well as common protocols such as RDP (where we see an increase in open RDP protocols in recent weeks) and VNCs and their lack of security open the way for an attacker inside the organization. Weaknesses can also be caused by incorrect implementation of the videoconferencing solution itself, installation of outdated versions or insufficient security of the server, which can lead not only to its compromise, but also to the attacker’s penetration into the other infrastructure of the company.
Also, administrators often facilitate implementation by opening IP address communications to all ports on which a video conferencing solution resides, rather than having to look for specific ports through which the solution communicates. Even some solutions directly require such a procedure. However, this leads to a great deal of risk and should never happen in an implementation – whether opening all ports or implementing a solution that requires a large number of ports to be opened.
DoS and DDoS attacks
Another way of disrupting or completely preventing a video conference call is to attack the actual operation of an ongoing video conference call. An attacker can choose from several options – attacking the victim’s infrastructure directly or attacking the ISP’s infrastructure where the videoconference call takes place.
Cloud solutions
Most video conferencing applications (for example Zoom, Webex, Skype) provide mostly cloud-based capabilities, without having to own the infrastructure to run such a service. The cloud-based video conferencing solution is a great attraction, as it is an inexpensive solution from an operational point of view, and from the user’s point of view. The advantage is speed and ease of use. However, the cloud-based mode of operation also has its considerable disadvantages – the confidentiality of conversations can never be guaranteed, since the operation is provided by an external operator who can record and store individual calls. Attacks on cloud services are also not unique – the more used the service, the more attractive the target for attackers.
Video safety recommendations
Video conferencing systems make work easier and can be a good tool for maintaining work efficiency. However, unsecured video conferencing on risky platforms carries a great security risk. Therefore, the National Cyber Security Centre SK-CERT recommends:
- For video conferences, use familiar software with good reputation and adequate security features such as network encryption, two-factor authentication etc.
- Especially in the case of public administration, we do not recommend using Zoom platform. We recommend using other, safer alternatives
- Use only updated software and do not postpone the installation of security updates
- Protect your software account with a comprehensive password and, if possible, multiple authentication (avoid SMS authentication)
- Protect every videoconferencing call with a comprehensive and hard-to-guess password. Do not use the same password in multiple video conference calls
- Verify each videoconference participant, preferably by controlling and managing access to the videoconferencing environment (“waiting room” function)
- Make video conferences private and not public
- Do not share the link to the video conference publicly via social networks, and the like, only share the link with the specific people you want to participate in the video conference
- If you want to communicate sensitive data with teleconference participants, do so by splitting some of the information and saying a part during the call and sending the other part in a message through another application
- If you have any suspicion of compromising videoconferencing, or your device is behaving strangely, inform your employer and the person responsible for cyber and information security in your organization immediately.
Given the fact that not all companies have established work from home, they do not even have security guidelines and regulations on how to approach the home office from a security perspective. Against this background, on March 30, 2020, the National Cyber Security Center SK-CERT issued recommendations to employers on how to set up work safely at home:
« Späť na zoznam