We have all used web conferencing tools at some time. Some of us use them a lot, but does anyone other than me worry about the security and privacy of these solutions? Examples of these services are Webex and GoToMeeting, but there are dozens of these tools, at least.
Brian Krebs wrote a piece a while back that was sufficiently worrying to Webex that they sent out an all client alert.
In that case, the problem was not a bug, but rather poor security practices.
Krebs searched for Webex meetings that were not password protected. I guess if you are using a Webex-like tool to advertise or promote your product, you are probably OK with anyone and everyone – especially your competitors and the Chinese – lurking in your meeting and stealing whatever information they find useful, but if your meetings are more sensitive than that...
For many of these companies, Brian simply went to the company's Webex event center and found the unprotected recurring meetings sitting there. Not very hard. The event center very conveniently shows you the time, subject, host and duration.
A few of the companies that Brian found with recurring, unprotected meetings included Charles Schwab, CBS, the Department of Energy, Fannie Mae, Jones Day, Orbitz and many others. When Brian reached out to Webex, they contacted their customers, so hopefully at least these Webex customers have tightened things down a bit.
Here are some general tips for making your web conference meetings more secure. Since every product has different features, some methods may not work on every product.
- Make your meeting UNLISTED in the portal. Unless you need the meeting to be publicly known, make it unlisted. At least then only people who have been told about the meeting will know about it. Of course, this is only a very light touch on security, because security by obscurity is not very strong. Still, there is no sense advertising.
- Require a complex password. This won't improve security if someone already has the email with the link in it, but it will help protect you from people barging into your meeting.
- Disable JOIN BEFORE HOST. That way the host can control who joins the meeting. More work for the host, but more secure.
- Webex has the concept of a meeting lobby. You can lock your meeting and leave everyone in the lobby, granting access only to those people you want in the meeting. This is like the difference between leaving your front door open and locking it: when the door is locked, you greet each person who knocks and can choose whether to let them in.
- Exclude the meeting password from the invite email. This requires you to get the password to attendees via a different method, but it may be worthwhile if the meeting is sufficiently sensitive. Assume that email is already compromised unless you have some type of special, secure email. Generally, I would say that normal corporate email is only somewhat secure, and any given person's email (and their phone or computer) may well be compromised.
- Make sure that the system plays a tone every time someone enters or exits the meeting and requires them to provide a name. Of course, the name could be fake, but it is still another piece of data that you have.
- Request that attendees not forward their invitations to others. Of course you are counting on people to do what you ask, but sometimes people don't realize that their coworkers or friends are not invited.
- Lock down the meeting once everyone you expect to be in the meeting is already there. This stops people from joining after the meeting starts, while your attention is on the meeting and not on who is joining late.
- Regarding the phone portion of a meeting: Webex at least, and maybe others, does not require a password. All you need is the dial-in number and conference ID. On many web conferencing platforms you can SEE how many people have dialed in. Count the number of people who should be dialed in and the number who show up in the portal, and if they are not the same, you have a potential problem.
- Kick off anyone you don't recognize or who isn't authorized. Skype for Business does this well. Just boot them out. If it turns out to be someone who should be there, they will let you know. Security wins, or at least should win, in many cases.
- Share ONLY the application that you want to share, not your desktop. This avoids accidental security breaches. If you share a PowerPoint, for example, and something confidential pops up in email or messaging, only you will see it.
- If you are recording the meeting, put a strong password on the recording. For attackers, in many cases the recording is better than the original because their odds of getting caught are lower.
- Delete your recordings when they are no longer needed.
- Change your PIN periodically. Just like a password, PINs do not age well.
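As an added example that is not part of the original post, here is a small Python script that does the headcount and name checks from the list above (the join tone with a name, counting dial-in lines, spotting anyone you don't recognize, and catching joins after the meeting was locked) against a constructed join/leave log. The log format, the names, the channels and the lock time are all assumptions made for illustration; most portals show this information in the participant panel rather than exporting it, so in practice you might transcribe it from the screen.

```python
"""Reconcile who is actually in a web conference against who was invited.

Added example, not code from the original post or from any conferencing
vendor. It assumes you can export or transcribe a simple join/leave log
from the portal (timestamp, action, display name, channel); the log
format and all sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Event:
    when: datetime
    action: str   # "join" or "leave"
    name: str     # display name typed at join time (may be blank or fake)
    channel: str  # "web" (portal client) or "phone" (dial-in line)


# Constructed sample log: "HH:MM:SS action <display name> channel".
SAMPLE_LOG = """\
09:00:05 join Alice Example web
09:00:40 join Bob Example web
09:01:10 join Bob Example phone
09:01:55 join Call-in User_3 phone
09:02:30 join Carol Example web
09:03:00 leave Carol Example web
09:12:00 join Dave Example web
"""

# Constructed invite list (hypothetical names).
EXPECTED = ["Alice Example", "Bob Example", "Carol Example", "Dave Example"]


def parse_log(text: str) -> list[Event]:
    """Parse log lines; the name is everything between the action and the channel."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        events.append(Event(datetime.strptime(parts[0], "%H:%M:%S"),
                            parts[1], " ".join(parts[2:-1]), parts[-1]))
    return sorted(events, key=lambda e: e.when)


def current_roster(events: list[Event]) -> dict[str, set[str]]:
    """Replay joins and leaves; return {name: channels still connected}."""
    roster: dict[str, set[str]] = {}
    for ev in events:
        if ev.action == "join":
            roster.setdefault(ev.name, set()).add(ev.channel)
        elif ev.action == "leave":
            chans = roster.get(ev.name, set())
            chans.discard(ev.channel)
            if not chans:
                roster.pop(ev.name, None)
    return roster


def reconcile(events: list[Event], expected: list[str],
              lock_at: Optional[str] = None) -> dict:
    """Flag unknown names, absent invitees, the dial-in headcount and late joiners."""
    roster = current_roster(events)
    invited = {n.lower() for n in expected}
    present = {n.lower() for n in roster}
    report = {
        # connected under a name nobody invited: ask who they are or boot them
        "unknown": sorted(n for n in roster if n.lower() not in invited),
        # invited but not connected: fine, unless someone claims to be them
        "missing": sorted(n for n in expected if n.lower() not in present),
        # dial-in headcount, to compare with the number you expect on the phone
        "phone_lines": sum(1 for ch in roster.values() if "phone" in ch),
        # anyone who joined after the host locked the meeting
        "late_joins": [],
    }
    if lock_at is not None:
        lock = datetime.strptime(lock_at, "%H:%M:%S")
        report["late_joins"] = sorted(
            {ev.name for ev in events if ev.action == "join" and ev.when > lock})
    return report


if __name__ == "__main__":
    result = reconcile(parse_log(SAMPLE_LOG), EXPECTED, lock_at="09:05:00")
    for key, value in result.items():
        print(f"{key:12} {value}")
```

On the sample data the script reports one unknown participant on a phone line, one invitee who left early, two dial-in lines in total and one join after the lock time; each of those is exactly the kind of mismatch the list above says to look for before you carry on with the meeting.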
These are just a few ideas and they will not make things bulletproof, but bullet resistant is a good thing.