Dubai: Schools and parents lack awareness of secure practices that stop hackers from intruding on video classes or stealing data, cybersecurity experts warned.
Though video conferencing applications used by schools are generally safe, the experts said, low alertness about “security hygiene” has left the door open for “bad actors”.
There have been international media reports of uninvited people joining video classes and showing inappropriate content to children before vanishing. One parent in the UAE told Gulf News a man joined his son’s video class recently and displayed an obscenity in his window on the computer screen.
Millions of classes have been held over live internet video applications since remote education began in March in the UAE as a precaution against coronavirus.
Schools had to build a distance learning infrastructure in record time since it was announced that all teaching and learning must move online after the recent spring break.
‘Difficult times’
“The majority of the risks have been caused by the rush to adopt these video conferencing solutions in order to maintain communications in these difficult times.”
“That did not leave educational institutions – or any other business for that matter – with the precious time needed to organise proper trainings, conduct tests and run user awareness sessions for users who never used these solutions before,” said Marco Rottigni, Chief Technical Security Officer-EMEA, Qualys.
“Recent news headlines raised more than one concern around a combination of misconfigurations and vulnerabilities that allowed bad actors to carry out some malicious actions such as illegally accessing recordings, intruding meetings and displaying inappropriate content. While these events don’t render the technology as insecure, they certainly highlight the need for more awareness on a proper security posture.”
Safe practice
These “postures” include setting the meeting as private vs public, password protecting the sessions, setting up the screen sharing for the host only, controlling the admission to the meeting with a waiting lounge, and restricting the attendance only to certain mail domains, Rottigni added.
Basic guidance
Video conferencing is a “valid” enabler of remote education but nobody foresaw how widely and quickly it would be used, with awareness of security falling behind.
“COVID-19 has changed the world. It has changed, at least in the short term, how we educate our children… The tool of choice is video conferencing to meet these demands but there are risks. These risks are well understood and if we provide teachers, students, and administrators basic guidance on how to safely use video conferencing, regardless of the use case, we will all be better off,” said Morey Haber, CTO and CISO, BeyondTrust.
Main risks
The risks are not critical in nature for the most part but there are special concerns given the involvement of children, Chris Morales, Head of Security Analytics at Vectra, said.
“An outside party joining a video conferencing session that is a class lecture is not endangering anyone’s lives or leading to data theft per se. The biggest risk has been the ability for an outside party to join a session and disrupt or eavesdrop,” he added.
“For a class lecture, eavesdropping will simply lead to that outside party learning the same lesson as the students. This is not a private conversation. It is a lecture. The risk here is the disruption of a class session with graphic images or conversation inappropriate for children to see or hear. They could derail the lecture. For a private teacher-to-parent or internal staff conversation, an outside party might glean information deemed to be private and confidential about the parties in discussion.”
The popularity of video conferencing software has surged since the coronavirus pandemic shut down schools and offices.
There are several options on the market, including Zoom, Google Hangouts, FaceTime, and WebEx.
Experts say video conferencing is largely safe, but there have been cases of intruders gatecrashing e-meetings or classes online.
For example, according to reports in some sections of the media, teachers in Singapore were asked to stop using Zoom after hackers disrupted live video classes, a practice known as “Zoombombing”. A few other governments have reportedly also limited its use. Singapore has since resumed Zoom lessons and Zoom has added password protection.
Zoom is one of the most popular applications, with daily meeting participants rising from 10 million to 200 million since December 2019.
Zoom says on its blog it has already taken several steps to address issues, including school-specific ones, and launched a further 90-day plan.
Morales, speaking about the level of protection for schools, said: “The simple fix, which Zoom has not made standard, is to enforce default passwords for all video conferences. How strong that password is will still impact the ability for someone to access a current session but is much better than no password at all. That password should not be posted publicly and should be shared in some private manner with a class. The teacher can also by default enable mute on all participants and disable screen sharing features. These tips apply to both education as well as any organisation using video conferencing.”
Safety first
Security hygiene for schools, as advised by Morey Haber, CTO and CISO, BeyondTrust:
The URL for a class should change frequently. It should not be the same link for the entire course.
The video conferencing classroom session should have a password to join. Classes should not be available to join based on a URL alone and the password should be changed frequently and sent to students in a separate correspondence, not the same email as the initial URL.
Tips for students and parents, shared by Quentyn Taylor, Director of Information Security at Canon for Europe, Middle East and Africa:
Phishing for trouble
“According to new reports, there has been a significant rise in bogus emails, claiming to offer important updates on safety, which instead infect the user’s device with malware. Make sure to be cautious of emails offering this kind of advice, ensure you check who the sender is and that their email address exactly matches an expected recipient. And if someone is asking you to click on an unknown link, think twice.”
Lock up your devices
“An occupational hazard of working from home is that your kids now have access to you while you’re meant to be at work. They might well be curious about what mum or dad does all day, or just want to Google how to make slime. Either way, they probably don’t know that your corporate PC is connected to your company via VPN. So ensure to set boundaries – certain PCs and phones are off limits to kids.”