Security vulnerabilities and exploitation of the Zoom conferencing platform (Zoombombing, Link exploits, etc) have been spotlighted in recent news. This write-up is to inform and clarify the position that the University of Alaska holds with Zoom. 

Backstory and Context

Due to the global increase of remote work, and distance education, the web conferencing platform, Zoom, has found its way into the spotlight. In March alone Zoom’s daily user base dramatically increased from 10 million users to 200 million users. Across the nation, many higher education and K12 systems adopted Zoom as the platform to transition from face-to-face classes to online instruction in a very compressed time frame. It is Zoom’s intuitive interface and ability to scale the cloud infrastructure to meet the rapid growth that provides a very inviting and accommodating online environment. 

The University of Alaska chose and adopted Zoom after an extensive and inclusive RFP process across the UA system in 2018. The Zoom implementation replaced the aging video conferencing infrastructure and provides projected savings of ~$100K in FY20 over FY19 costs.

Unfortunately, the ease of use and rapid rise in popularity of Zoom presents opportunities to maliciously exploit the very same features; like screen sharing, standing meeting ID’s, screen sharing,  that enables its ubiquitous popularity; like screen sharing and standing meeting URLs that are reused as a convenience practice. Zoombombing is the notorious exploit making recent headlines that takes advantage of these conveniences and enables malicious actors to intrude a Zoom session and post disruptive content through screen sharing. This type of invasion has caused several educational systems to abandon the platform altogether.

---

Actions UA has Taken To-Date

Configuration changes have been made to enhance the security of UA’s Zoom environment in an effort to block Zoombombing:

• UA Zoom has always been accessed via standard UA authentication protocols using UA Username and password.
• Global screen sharing default settings have been changed to “Host-Only” 
• To ensure a good Zoom session experience, it is important to know how to use the meeting controls and employ best practices. OIT has developed and posted  Zoom Best Practices.
• Articles have been developed and circulated to UA News, UAF Cornerstone, Green and Gold, and UAS IT Help Desk.
• UAF Cornerstone - Best practices for remote meetings
• UA News - How to avoid Zoombombing
• UAA Green and Gold - How to Avoid Zoombombing
• UA News - Optimize your remote experience

---

Zoom Security Concerns and their response

Zoom has announced a plan to conduct an extensive external security review of the Zoom platform over the next 90 days. 

Zoom has patched and addressed vulnerabilities to address the security concerns, the details are:

• Zoom Message from CEO - A Message to Our Users
• Zoom update on its 90-day plan to bolster privacy and security
• The Facts Around Zoom and Encryption for Meetings/Webinars
• How to Keep Uninvited Guests Out of Your Zoom Event
• Zoom Product Updates: New Security Toolbar Icon for Hosts, Meeting ID No Longer Displayed
• Response to Research From the University of Toronto’s Citizen Lab
• Zoom privacy and security issues: Here's everything that's wrong (so far)
• Zoom Isn’t Malware
• Zoom is showing how to respond to criticism the right way
• Security Tips Every Teacher and Professor Needs to Know About Zoom
• How to protect your Zoom calls

UA Office of Information Technology will pay close attention to all Zoom technical announcements to ensure the best Zoom experience for UA.  For the latest in Zoom information during COVID-19 response, visit the Zoom Resources page on UA Virtual Campus.

---

Questions about Zoom?

As always, your local service desk is here to help!