NYC Schools Ban Zoom – Cybersecurity/Privacy Experts Comment

By   ISBuzz Team
Writer , Information Security Buzz | Apr 08, 2020 04:23 am PST

Over the weekend, it was reported that Schools in New York City are moving away from using the video conference app Zoom after a review of security concerns. The city’s Department of Education is directing schools to “move away from using Zoom as soon as possible,” Danielle Filson, a department spokeswoman, told CNN in a statement.

Notify of
3 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Paul Bischoff
Paul Bischoff , Privacy Advocate
InfoSec Expert
April 8, 2020 12:37 pm

Zoom has a couple of issues that make it tough to secure in a school environment. The problem isn\’t really with Zoom\’s security, but more with operational security among those who use it. Teachers might not configure their Zoom settings correctly, allowing third parties to enter virtual classrooms, for example. Invite links and codes are tough to keep private. Zoom also collects a fair amount of personal information about its users, who in this case are a captive audience required to attend class. Something like Microsoft Teams allows for more top-down control wherein an IT administrator can set the rules and verify participants. It\’s much less ad hoc and easier to secure from an operational perspective.

Zoom also lacks end-to-end encryption, despite what it\’s marketing would have you believe, though I don\’t think Microsoft offers this either for group video and voice conferencing. That means Microsoft could snoop on video and voice content.

All that being said, I don\’t think average users should be dissuaded from using Zoom, so long as they take certain precautions. It\’s under a microscope right now due to a huge increase in users, so more vulnerabilities are bound to surface, but it\’s been proactive in patching security flaws and improving user privacy.

Last edited 3 years ago by Paul Bischoff
Chris Rothe
Chris Rothe , Co-founder and Chief Product Officer
InfoSec Expert
April 8, 2020 12:35 pm

Ultimately, the concerns raised with Zoom in the last few weeks are a great illustration of the balance of usability and security. From the start Zoom was built to be a video conferencing platform that \”just works.\” In order to get that \”it just works\” user experience, they did some things that are questionable or just wrong from a security perspective. You might ask why these issues are coming to light now rather than for last 9 years while Zoom was growing like wildfire? This is a natural occurrence when an application all of a sudden gets a lot more usage, which leads to more eyes on it and more scrutiny. That leads to vulnerabilities and design flaws being identified at a faster rate.

From my perspective, of the issues identified, the home-rolled encryption scheme, and possibility that some calls were routed through China, are the most concerning. If NYC forbids schools from using Zoom because of those issues and their assessment of them as being high-risk, that makes sense. If they did it based on some of the more pedestrian issues like \”anyone can join a meeting if they have the meeting ID\” then I would say it is probably an overreaction because there are relatively simple ways to mitigate them like adding a meeting password. Again, the big benefit of Zoom is that it \”just works\” which is a massively important benefit in the impossible IT environment created by students being at home. It does pose a security risk but, then again, all computers and applications do.

Last edited 3 years ago by Chris Rothe
Mark Bower
Mark Bower , Senior Vice President
InfoSec Expert
April 8, 2020 12:29 pm

Looking behind the concerns over collaboration tools uncovers very real reasons organizations ban them swiftly. There should be no surprise organizations like SpaceX and NASA banned it immediately: they are regulated under ITAR rules, with extremely harsh violation risks including executive jail time for data leakage outside very tightly controlled ecosystems for national security control, data protection and access. Inadvertent leaks while collaborating live, especially to non-US servers or using encryption keys for data protection originating in China as reported, would be a serious compliance red flag and risk nation-state compromise with huge ramifications.

In the case of the school systems, real problem is the much publicized history of open-access default settings, serious vulnerabilities and mis-representation of end-to-end encryption, leading to exploits and attack tools, like zWarDial to automate compromise, and reputational mis-trust amplified by FBI warnings. Even with statements of compliance to COPPA (children’s privacy rules regulated by the FTC) and FERPA laws (education data and student privacy), a breach or exploit can result in major reputation compromise and bans. Data security is tough to get right, but organizations need to take it extremely seriously more than ever before, respond quickly to vulnerabilities, and go well beyond compliance checklists and look at the full spectrum of data leakage risk. Lastly, they should never use defaults for convenience that leave the door open to attack – especially to vulnerable children online. That’s security 101.

Last edited 3 years ago by Mark Bower

Recent Posts

Would love your thoughts, please comment.x