These incidents are called Zoombombing, or when an uninvited person joins a Zoom meeting, and they were increasing at the start of the fall semester. So much so, in fact, that Von Welch began looking for ways that CACR and UITS could help address the issues of Zoom security.
I feel much more confident that we will be able to host professional, respectful, and uninterrupted events via Zoom thanks to Will’s help.
Carl Pearson, associate director, IU Center for the Study of the Middle East
Welch, IU’s acting associate vice president for information security and director of the Center for Applied Cybersecurity Research (CACR), tapped Will Drake, CACR senior security analyst, since Drake has experience presenting on Zoom security at CACR’s Security Matters Cybercamps.
Drake reached out to the Learning Technologies (LT) team in charge of Zoom at IU. Zoom had seen the issues with Zoombombing and had developed tools that scrape social media to look for Zoom links to open meetings. When they see Zoom links with the iu.zoom.us URL, they let IU’s LT team know about them.
The LT team started forwarding those emails to Drake. Additionally, Rebecca Schmuhl from Public Safety and Institutional Assurance (PSIA), who monitors social media for concerns to IU, also informs Drake when she sees insecure Zoom meetings shared publicly. Drake consolidates this information, but rather than a simple warning email, he has been offering immediate mentoring with Zoom security tips and how to create Zoom registration links instead of using open meeting links.
In addition to all these efforts, a couple of LT staff from Digital Education Programs and Initiatives (DEPI) have been reaching out to student groups to present on Zoombombing and how to avoid it in their meetings and other events.
Meanwhile, Gary Browning and Matt Estell with the University Information Security Office (UISO) volunteered to help Drake with the project.
“They helped me consolidate information into the KB doc, and also helped make improvements to the emails I was sending out to departments and student groups,” said Drake. “I started by following up with direct emails to student and faculty groups that sometimes post their Zoom links on social media. I also offered the ability for those groups to set up meetings with me for one-on-one consultations.”
Along with CACR, UISO, and the LT team, another key partner was the IU Knowledge Base (KB) team. Now, Drake can simply point his contacts to thorough information that includes what he has learned through his consultations: Prevent Zoombombing using Zoom privacy and security features. The IT Communications Office has also been a big help in getting out the word to students, faculty, and staff.
“Some folks were a bit curious how we found their Zoom meeting link out there,” said Drake. “One time there was just a couple minutes after the tweet had gone out that I got the notification from Zoom and reached out to the Zoom meeting organizer. A lot of them have been thankful. A handful of them have requested a consultation.”
One time there was just a couple minutes after the tweet had gone out that I got the notification from Zoom and reached out to the Zoom meeting organizer.
Will Drake, CACR senior security analyst
Another key recommendation that is also documented in the KB doc is how to set up a registration link so that individuals can’t attend unless they have registered. Those links are safe to post to social media.
Drake said he’d seen an improvement in the number of links posted to social media. Now, instead of seven to ten notifications from Zoom, IU is seeing only a couple per day.
“Will contacted the Center for the Study of the Middle East before our first faculty panel of the semester,” said Carl Pearson, associate director of the Center for the Study of the Middle East. “He pointed out that we might be particularly susceptible to Zoombombing considering the heightened passions that can arise with topics in contemporary Middle Eastern politics. We were very grateful for his suggestions on how to secure our panel and showed us particular security features which I did not know existed and others which I knew about but wasn’t sure how to implement.
If students aren’t aware of these tips, they won’t be able to prevent disruptions that can not only derail their agenda, but also can be hurtful or traumatic for members of the group.
Jeannette Lehr, student engagement and outreach consultant
“We did not have any problems with our panel, but it was reassuring to know how to handle tricky situations should they arise. I also appreciated Will’s follow-up after our panel to make sure things went smoothly. I feel much more confident that we will be able to host professional, respectful, and uninterrupted events via Zoom thanks to Will’s help,” Pearson said.
In addition to all these efforts, a couple of LT staff from Digital Education Programs and Initiatives (DEPI) have been reaching out to student groups to present on Zoombombing and how to avoid it in their callout meetings and other org events. Michele Kelmer, manager of DEPI, and Student Engagement and Outreach Consultant Jeannette Lehr have been leading this effort.
“If students aren’t aware of these tips, they won’t be able to prevent disruptions that can not only derail their agenda, but also can be hurtful or traumatic for members of the group,” said Lehr.
This short presentation to student leaders can still be given virtually for any IU campus group and will continue being available throughout the course of the move to online education. If a student organization or group would like to hear this presentation, they can contact firstname.lastname@example.org to schedule.