Zoom rolls out new measures to tackle security breach as MHA warns against its use

A day after the Ministry of Home Affairs (MHA) issued an advisory saying video-conferencing application Zoom "is not a secure platform" for private individuals and advised against use, Zoom is rolling out a number of measures in view of the security breaching. Zoom has faced flak worldwide for data hacking amid coronavirus pandemic.

On Friday, the chief executive of the platform Eric Yuan laid out steps that the company is taking against problems such as data hacking and harassment by individuals who crash sessions in what is referred to as "Zoombombing." By week's end, paid account holders will be able to select which regions their data is routed through during their sessions in a move apparently aimed at concerns over information passing through China where it might be subject to snooping, said Yuan.

The Silicon Valley startup also said that it is working with cyber-security firm Luta Security to overhaul processes and its "bug bounty" program that pays rewards to researchers who find security flaws in its operations. Zoom also addressed a recent report that users' log-in information was being sold by criminals on the "dark web." Zoom's advisor Alex Stamos, former chief of security at Facebook said that the credentials were likely stolen elsewhere on the internet, or by malicious code slipped into people's computers. He added that it is not uncommon for hackers to take passwords and account names pilfered in data breaches and then check whether people use them for other online services.

READ | MHA says Zoom 'not a secure platform'; issues advisory on usage

"As a reminder, meeting servers in China have always been geofenced with the goal of ensuring that meeting data of users outside of China stays outside of China," Zoom said in an online post.

Zoom said it is building systems to "detect whether people are trying out username and password pairings and block them from trying again." Improvements to Zoom security also include a toolbar to easily access features such as locking chats from strangers and making meeting password requirements a default setting. "To successfully scale a video-heavy platform to such a size with no appreciable downtime and in the space of weeks is literally unprecedented in the history of the internet," Mr Stamos said in a post. "The related security challenges are fascinating."

Apart from India, Singapore suspended the use Zoom by teachers, and the New York school system banned the videoconferencing platform based on security concerns.

MHA Says Zoom 'not A Secure Platform'

Amid concerns over security flaws and privacy breach of users, the Ministry of Home Affairs has issued an advisory saying video-conferencing application Zoom "is not a secure platform" for private individuals and advised against use by government offices/staff for official purposes. The popularity of the video conferencing platform skyrocketed after the lockdowns and stay-at-home orders owing to the COVID-19 pandemic which laid bare the security flaws of the application.

READ | Video Calling App Zoom Sued By Its Shareholder For Hiding Security Flaws

MHA gave the following guidelines to be followed in the app's settings:

• Create a new user ID and password for each meeting
• Create a waiting room in the app so that a user will be able to enter the meeting only when the host gives him permission
• Disable Join feature before hosting
• Allowing Screen sharing by Host only
• Disabling "Allow removed participants to re-join"
• It is recommended to restrict or disable file transfer
• When all participants have joined, it has been advised to lock the meeting
• Restrict the recording feature
• To end meeting (not just leave, if you are an administrator)

Hacked data for sale

A recent report on the Zoom app has revealed that the hackers of the social platform are selling user data online on the Dark web for ₹23 lakhs. The exploits that are being sold include webcam data, microphone and all the incorporated data in between. such as passwords, emails and device information. The vulnerabilities of the video app have led to this major privacy issue for its users. The San Jose, California based company has come under intense scrutiny from authorities in the United States, Germany and Singapore over security concerns. 

READ | German Foreign Ministry Restricts Use Of Zoom App Amid Reports Of Security Flaws

Zoombombing

Zoom is also charged for 'Zoombombing' its users where random people joined a video conference. The social platform is also being blamed for selling its user data to Facebook without the users’ consent. The users have also reported that the video app has an unpatched bug that lets hackers steal Windows user data and passwords.

Reports of “Zoombombing” flooded the internet where the users complained about interruptions by uninvited guests and posting hateful messages during online sessions. On April 1, Zoom CEO Eric Yuan apologised to its users saying the company fell short of clearly conveying the encryption practices and incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.

READ | Singapore Stops Zoom For Online Education As Hackers Strike

(inputs from agencies)