SecurityWeek

Zoom Announces Better Encryption, Other Security Improvements

Zoom rolling out more security improvements

Zoom on Wednesday announced a series of security improvements designed to address many of the concerns raised in recent weeks.

Researchers warned in early April that Zoom had been sending the keys used to encrypt and decrypt meetings to servers in China, even if all participants were located in other countries. Zoom has now announced that account administrators will be able to choose which data center regions they want to use for real-time meeting traffic. Data center regions include Australia, Canada, China, Europe, Hong Kong, India, Japan, Latin America and the United States.

The same researchers also warned that Zoom meetings were encrypted with an AES-128 key used in ECB mode, which is not recommended. The vendor says the upcoming Zoom 5.0, scheduled for release within the next week, will introduce AES 256-bit GCM encryption, which should provide better protection for meeting data.

“This provides confidentiality and integrity assurances on your Zoom Meeting, Zoom Video Webinar, and Zoom Phone data. Zoom 5.0, which is slated for release within the week, supports GCM encryption, and this standard will take effect once all accounts are enabled with GCM. System-wide account enablement will take place on May 30,” Zoom said in a blog post.
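The difference between the two modes named above can be seen directly. The following is an added example, not code from Zoom or from the article: it uses Node.js's built-in `crypto` module on a constructed plaintext to show that AES-128-ECB maps identical plaintext blocks to identical ciphertext blocks, while AES-256-GCM hides the repetition and rejects a modified ciphertext. The function names and sample data are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample: three 16-byte blocks, the first and third identical.
const BLOCK = 16;
const plaintext = Buffer.concat([
  Buffer.alloc(BLOCK, 'A'), Buffer.alloc(BLOCK, 'B'), Buffer.alloc(BLOCK, 'A'),
]);

// ECB encrypts each block independently, so equal plaintext blocks give equal ciphertext blocks.
function ecbEncrypt(key, data) {
  const c = crypto.createCipheriv('aes-128-ecb', key, null);
  c.setAutoPadding(false); // input is already block-aligned
  return Buffer.concat([c.update(data), c.final()]);
}

// Count ciphertext blocks that repeat an earlier block: what a passive observer can see.
function repeatedBlocks(ct) {
  const seen = new Set();
  let repeats = 0;
  for (let i = 0; i < ct.length; i += BLOCK) {
    const hex = ct.subarray(i, i + BLOCK).toString('hex');
    if (seen.has(hex)) repeats++; else seen.add(hex);
  }
  return repeats;
}

// AES-256-GCM: fresh 96-bit nonce per message, plus a 128-bit authentication tag.
function gcmEncrypt(key, data) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return { nonce, ct, tag: c.getAuthTag() };
}

// Returns the plaintext, or null when the tag check fails (ciphertext was modified).
function gcmDecrypt(key, { nonce, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, nonce);
  d.setAuthTag(tag);
  try {
    return Buffer.concat([d.update(ct), d.final()]);
  } catch {
    return null;
  }
}

const demo = gcmEncrypt(crypto.randomBytes(32), plaintext);
console.log('ECB repeated blocks:', repeatedBlocks(ecbEncrypt(crypto.randomBytes(16), plaintext)));
console.log('GCM repeated blocks:', repeatedBlocks(demo.ct));
```

GCM's guarantees depend on never reusing a nonce with the same key, which is why the example draws a new random nonce for every message.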

The company also told customers that it has grouped security features under a Security Icon that can be found in the meeting menu bar.

Many of the steps described by Zoom on Wednesday are in response to Zoombombing, where an unauthorized individual joins a video conference in an effort to cause disruption. Many Zoombombing incidents have been reported after Zoom’s popularity skyrocketed due to the COVID-19 coronavirus outbreak.

Hosts will be able to report users to Zoom, and they can also prevent meeting participants from renaming themselves.

The Waiting Room feature has been one of the most effective measures against Zoombombing as participants first enter a virtual waiting room before they are allowed to join in. The Waiting Room is now enabled by default for education, Basic, and single-license Pro accounts, and hosts can now enable the feature even while a meeting is in progress — hosts previously had to enable Waiting Room before creating a meeting.

Meeting passwords and cloud recording passwords are now on by default for most users, and administrators can define how complex the passwords have to be.

Other improvements include secure account contact sharing for larger organizations, more information in the admin dashboard, and measures meant to make it more difficult to accidentally share meeting IDs.

Zoom also announced recently that it has teamed up with Luta Security to revamp its bug bounty program.

Related: Flaw Could Have Allowed Hackers to Identify All Zoom Users in a Company

Related: Zoom Working on Security Improvements Amid More Bans

Related: Zoom’s Security and Privacy Woes Violated GDPR, Expert Says

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
