The Cyber Coordination Centre (CCC) of the Ministry of Home Affairs has warned people that the Zoom video conferencing app for meetings is not a safe platform for government and official use, IANS reported.
In the advisory, issued on April 12, it said that "secure use of Zoom meeting platform is for private individuals and not for use of government offices or official purposes". The government said that CERT-In on the same lines had been informed on February 6 and March 30 this year clarifying that "Zoom is not a safe platform".
In a set of guidelines for the safety of private users, the CCC division of the MHA mentioned that "those private individuals who still would like to use Zoom for private purposes" should follow certain guidelines, such as preventing unauthorized entry into the conference room and preventing unauthorized participants from carrying out any malicious activity on the terminals of others in the conference. The advisory also suggested that users "avoid 'DOS' attacks by restricting users through passwords and access grant". The Zoom app has apparently become a favorite and famous tool among people during the lockdown, and it is being used by schools and many private players.
"Most of the settings can be done by logging into user's Zoom account on the website, or installed application at PC/Laptop/Phone and also during conducting a conference," the guidelines from the MHA mention.
Officials in the Home Ministry told IANS that the app has some specific weaknesses so it is necessary to avoid its use for official purposes as it can encrypt meeting data.
A report had recently claimed that Zoom is also prone to hacking. The 'Zoom client for Windows' is vulnerable to the 'UNC path injection' vulnerability that could let remote attackers steal login credentials for victims' Windows systems, The Hacker News had reported.
As businesses, schools, colleges and millions of SMBs use the video conferencing tool Zoom during the work-from-home scenario, the US Federal Bureau of Investigation (FBI) had warned people about pornographic material popping up during video meetings. The Boston branch of the law enforcement agency had also said it received multiple reports of Zoom conferences being disrupted by pornographic and/or hate images and threatening language.
With privacy concerns looming, Zoom app yet to appear on Indian radar
Even though there have been increasing reports of videoconferencing app Zoom being vulnerable to hacking, and a recent investigation revealed the company sends some encryption keys to China, alarm bells are yet to ring in India.
On Friday, Canada-based independent research organisation Citizen Lab found that Chinese servers were being used to distribute encryption and decryption keys for videoconferences on Zoom. “We suspect that keys may be distributed through these (Chinese) servers. A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” the Citizen Lab researchers noted. In addition, it also found that the company’s claims about being end-to-end encrypted were misleading.
Zoom has become extremely popular in the past few weeks, with most parts of the world under lockdown due to the ongoing Covid-19 pandemic, and people working from home. The app even surpassed WhatsApp and TikTok in the number of downloads on the Google Play store last week.
In response, Zoom Chief Executive Officer (CEO) Eric Yuan said in a blog post the same day, that in its haste to support the vast number of users it was adding, the company failed to fully implement its usual geofencing best practices. “However, in February, Zoom rapidly added capacity to our Chinese region to handle a massive increase in demand. In our haste, we mistakenly added our two Chinese data centers to a lengthy white list of back-up bridges, potentially enabling non-Chinese clients to — under extremely limited circumstances — connect to them,” he said.
The blog post also said that the error had no impact on its Zoom for Government Cloud, a separate cloud service for government customers. Several Indian enterprises and even government meetings take place on Zoom.
Coupled with these revelations and earlier privacy concerns, including sharing user data with LinkedIn and Facebook and ‘Zoom bombing’, where people can enter Zoom meetings uninvited and share hate speech or pornographic images, the San José-based company has lost clients like Tesla and the New York City Department of Education.
In India, however, as Zoom gains popularity, there hasn’t been any large-scale impact; a large number of businesses and governments continue to use the platform.
The Indian Computer Emergency Response Team (CERT-In) put out an advisory on March 30 about ‘secure usage of Zoom videoconferencing application’, detailing the steps users should take to ensure their data remains protected.
“There is nothing as such that we have done. We checked with Zoom and they assured us that Indian data is not being sent to Chinese servers,” said a government official.
Similarly, companies which use Zoom extensively for meetings have been telling their employees to be more careful with the use of the software. A large firm in the information technology sector has been sending emails to its employees educating them on the proper and safe use of Zoom.
Cyber security experts, however, say that for more sensitive meetings, users should consider moving to alternative, more secure applications. “I recommend using other end-to-end encrypted video platforms to ensure privacy. Also, I would not recommend free software for sensitive or private meetings. For example, Cisco’s Webex, Signal, etc ensure the maximum level of security by adjusting the platform’s settings. To avoid being ‘Zoombombed’, users should avoid sharing the link or meeting ID on social media or other public websites,” said Manan Shah, founder and CEO of cyber security firm Avalance Global Solutions.
Rajshekhar Rajaharia, an independent cyber security researcher, said Zoom passwords for private meetings can also get indexed on Google. He cautioned users that while starting a meeting on Zoom, one should not share an invitation URL that already contains a password. “You can share a meeting ID and password separately because people can misuse the URL or they may be indexed by Google. Previously, invitations to WhatsApp group chats were being indexed by Google,” he said.