We know that lots of you are using paid and free Zoom accounts, so we wanted to send out some advice on their use. The College has very clear guidance that it does not support the use of Zoom and is encouraging all students to use MS Teams, as we have seen a few incidents where Zoom has been targeted by attacks called “zoom-bombing”. But we recognise that for some groups Zoom is your preferred method of engaging with your members, so we just want to make sure all groups and members are safe within their activities. Here is the University’s guidance on the safe usage of video conferencing software: https://intranet.royalholloway.ac.uk/staff/it-services/flexible-education/advice-on-the-use-of-online-video-conferencing.aspx


If you are going to use Zoom, then please take a look at the advice below for a safe Zoom experience:


  • Ensure that meeting passwords are required to join and that they are not published in an uncontrolled manner. The National Cyber Security Centre (NCSC) recommends using three random words to create passwords (i.e. you just put them together, like ‘coffeetrainfish’ or ‘walltinshirt’).
  • Don’t use social media to share conference links, as malicious groups can search social media for these meeting IDs and links.
  • Use the “Waiting Room” feature to have participants wait until the host arrives, and vet participants before they enter the meeting.
  • Limit screen-sharing ability to the host, using the host controls at the bottom.
  • Turn off file transfer: In-meeting file transfer allows people to share files through the in-meeting chat. Toggle this off to keep the chat from getting bombarded with unsolicited pics, GIFs, memes, and other content.
  • Disable private chat: Zoom has in-meeting chat for everyone, or participants can message each other privately. Restrict participants’ ability to chat amongst one another. This is really to prevent anyone from getting unwanted messages during the meeting.
  • Allow only Signed-in/Registered users to join. If someone tries to join your meeting and isn’t logged into a Zoom account, they will receive the message ‘This meeting is for authorised attendees only’.
  • “Ask any unknown participants to identify themselves. If unknown participants are unable to appropriately identify themselves, they should be disconnected by the meeting host.”
  • “Lock meeting” once a meeting begins to prevent additional attendees from joining.
  • Zoom's meeting host logs include IP logging that can record attendees, and that IP data can be used to report abuse.
  • Be careful when using links with Zoom: "An attacker can inject a link such as \\attacker.computer.com\company_salary.xlsx into the chat, should anyone click on the link it will expose their Windows username, domain name -or- computer name and a hashed version of their Windows password".
  • "ZoomBombing" has become the term for guessing meeting IDs through brute-force attacks.
  • The National Cyber Security Centre, part of the intelligence agency GCHQ, has stated that Zoom should only be used for public business.
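
To illustrate the link warning in the list above, here is an added example (not part of the original guidance) that checks saved meeting chat text for links of that kind: Windows network paths starting with `\\` and `file://` links that name a remote host. The chat line layout, the names and the hosts in the sample are constructed for the illustration.

```python
import re

# A Windows network (UNC) path such as \\host\share\file, or a file:// URL
# that names a host. Opening either makes Windows contact the named host.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\[^\s<>]+")
FILE_URL_RE = re.compile(r"file://([A-Za-z0-9._-]+)/[^\s<>]+", re.IGNORECASE)

# Assumed line layout for a saved chat: "HH:MM:SS From Name : message".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+From\s+(.+?)\s*:\s(.*)$")

LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def find_remote_file_links(chat_lines):
    """Return (line_number, sender, host, link) for each remote file link."""
    hits = []
    for number, line in enumerate(chat_lines, start=1):
        parsed = LINE_RE.match(line)
        # Fall back to scanning the whole line if the layout is different.
        sender, text = (parsed.group(2), parsed.group(3)) if parsed else ("unknown", line)
        for pattern in (UNC_RE, FILE_URL_RE):
            for link in pattern.finditer(text):
                host = link.group(1).lower()
                if host not in LOCAL_HOSTS:
                    hits.append((number, sender, host, link.group(0)))
    return hits


# Constructed sample chat, not taken from a real meeting.
SAMPLE_CHAT = [
    r"10:02:11 From Alex : Agenda is at https://example.org/agenda",
    r"10:03:40 From Guest 4821 : salaries here \\files.example.net\share\company_salary.xlsx",
    r"10:04:02 From Guest 4821 : or file://files.example.net/share/notes.docx",
    r"10:05:15 From Sam : my copy is at file:///C:/Users/sam/notes.txt",
]

if __name__ == "__main__":
    for number, sender, host, link in find_remote_file_links(SAMPLE_CHAT):
        print(f"line {number}: {sender} posted a link to remote host {host}: {link}")
```

Ordinary web links and `file:///` paths on the local computer are not reported; only links that would make Windows connect to another machine are.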


If you have any questions or would like to discuss the use of conferencing software, please get in touch with the team.