HHS tech official warns feds, contractors on virtual meeting risks

On the heels of a recent FBI alert on Zoom bombing, federal agencies are warning staff to be on the lookout for signs that their remote collaboration tools are being attacked or compromised by hackers.

In an April 3 email obtained by FCW, a divisional CIO at the Department of Health and Human Services notes that the surge of telework among federal agencies following the coronavirus outbreak has created a wide attack surface for malicious third-parties to exploit in numerous ways. The agency warned both employees and contractors that such security concerns go beyond Zoom and other web conferencing software.

"Pay special attention to any voice or video conferencing software or other remote collaboration tools for the duration of the coronavirus pandemic as these present an enticing target for hackers," the office wrote.

Video teleconferencing services are widely used in healthcare and related industries and a memo flags a number of potential attacks, such as interruption and disruption, using fake web addresses to trick conference attendees into downloading malware and exploiting newly discovered zero-day vulnerabilities.

Conference managers were asked to be mindful about who they authorize to attend web meetings, institute controls on who can share their camera, microphone or screen, and configure password protections for all meetings. It also advises against posting about upcoming web meetings on social media or configuring them to be accessible to the public "unless necessary."

Other recommendations include restricting physical access to work devices and using separate accounts on personal computers and utilizing root administrative access sparingly. Even with these controls, the office advises employees to operate as if their discussions will reach others.

"Assume that information shared in a [video teleconference] conference will be disseminated beyond the authorized attendees," the email states.

As the use of tools like web conferencing software has exploded over the past month, policymakers are increasingly scrutinizing the security and privacy features put in place by companies.

On Apr. 6, Sen. Michael Bennet (D-Colo.) sent a letter to Zoom founder and CEO Eric Yuan criticizing the company for a series of issues that "consistently stem from Zoom's deliberate decision to emphasize ease of use over privacy and safety." Those issues include reports of widespread Zoom bombing, leaking the personal data of more than 1,000 users, misleading claims on its use of end-to-end encryption and widespread sharing of user data with Facebook and other third-party data miners.

Most troubling, he said, were reports that a lack of safeguards instituted by the company along with predictable naming convention for video recordings and storage have resulted in thousands of private videos being posted freely on the internet and streaming platforms.

"It is clear that many users in these videos did not intend whatsoever for their videos to become publicly available," Bennet wrote to CEO and founder Eric Yuan. "Yet thousands of Zoom calls are now viewable on widely-used websites such as YouTube and Vimeo."

Bennet and other senators have inquired about how the company tracks who is recording and storing video and transcripts of meetings hosted on their platform and how proactive the company is about notifying attendees.

Agencies like the National Institute for Standards and Technology have raced to develop updated guidance to agencies and the private sector for how to conduct their work safely in a remote environment.

A note posted last month by Jeff Greene, Director of the National Cybersecurity Center of Excellence warns users to immediately report "unusual web meeting requests" to their IT managers and get confirmation over the phone or other means before accepting.

Greene said his agency quickly flagged virtual meeting security as a top concern going into the lockdown. Whether using video teleconferencing or phone meetings, he advised groups to examine their default settings around recordings or cloud storage, login information and attendee access to ensure their choices are deliberate and use one-time identification numbers for high sensitivity discussions.

"With respect to approaching anything more than a routine call…we suggest that you think about the sensitivity of the information you're going to discuss, think about the privacy implications if it came out and group it in your mind…in a low, medium and high [risk] context," Greene said during a Mar. 23 webinar hosted by the Cybersecurity Coalition.

Such oversights are common, Greene said, even for those who deal with cybersecurity issues on a regular basis.

"I can't count the number of times in my last job that I reused the same call-in phone number and passcode, and it was easy because I memorized it and could type it in quickly, but from a security perspective it was not probably the best practice," he said.