By Dustin Gawron, Martin Waleczek and Vanessa Weidler, EDUCV
Introduction
Business communication has considerably changed in the past few years and in many areas it is already pretty common to send a quick chat message instead of writing an email or calling someone, but videoconferencing still was a limited occurrence for most users. Now with the COVID-19 pandemic restrictions basically everyone has come across videoconferencing one way or another. For many employees, it has quickly become a regular communication channel to replace the face-to-face contact with other colleagues, especially for the education sector where communication not only between employees, but also with students is vital. The sudden need for additional technologies and resources for video communication forced many institutions to come up with viable solutions in a very short time. Often different solutions were set up and used in parallel, each with their own features, but also flaws, making it difficult for administrators as well as users alike to stay informed and safe.
This article tries to shed some light on the topic of safe videoconferencing from different perspectives. For one thing from the user’s point of view, where it sometimes it is not as straight forward as it seems to keep sensitive information out of a video chat. On the other side, from the administrator’s, or in general the institution’s point of view, where it comes to providing a secure service for their users.
Safe Usage
Many solutions make it pretty simple to start a video chat, but warnings about possible security implications from using them are rare. You sit down in front of your webcam, accept the video call and your screen fills with lots of faces, some obviously working from home, some from their office, some seem to work from a tropical beach or even a space-station. Technology sure can be magical! But have you checked what else is visible on your video stream? Accidental exposure of sensitive information on video can be a common pitfall and happens more often than you think. A famous example could be a typical whiteboard in the background with some drawings and notes spread around on it. Maybe someone wrote down their password or sensitive details about a network structure or system? Not as easy to spot but also possible could be reflections on certain surfaces, like mirrors or glass, exposing the user’s screen or items on their desk. Sensitive business information is one thing, but also details about one’s private life could be accidentally revealed that way. For safe video calls plain backgrounds should be used and always checked for items that could be too revealing.
But wait, what about working from a tropical beach? Yes, virtual backgrounds can be used to hide the real background but without a professional setup this can lead to a false sense of safety. The techniques used to replace the background are mostly based on chroma key compositing, often called green screen technique. It is based on the differences in colour hues between the user and the background. If the background does not uniformly have the same colour hue, the algorithm cannot reliably distinguish between certain elements and can accidentally display parts of the background. This sometimes can be seen when parts of clothing with a similar colour hue are suddenly replaced.
Another way to accidentally share sensitive information is via screen sharing. Since sharing your screen during a videoconference is often necessary or at least very useful on many occasions, just make sure that you do not share more than what you’d like to share. One way to avoid accidentally sharing stuff is sharing just one window and not the whole screen. If this is not reliable and you need to share the whole screen, close all windows which could leak information or move them to a different monitor. It can be a good idea to check your background and task bar for things you do not want to show to other people and switch notifications off before sharing your screen.
Many videoconferencing tools also include some form of chat. Like with any online chats copy and paste can be useful; just make sure that you don’t accidentally paste sensitive data, e.g. passwords, into the chat.
Another thing you should always be aware of is that a videoconference could be recorded at any time. Some tools inform all participants when a recording is started; but a local recording by an arbitrary participant can be started at any time without notification. Of course, this is not appropriate behaviour, but there is no technical way to avoid such recordings on some participating client. Keep in mind that this also applies for chat messages. On the other hand, if you ever want to start a recording (locally or via the conferencing software) of audio, video or even the chat log, you should definitely ask the other participants for their consent.
When joining a videoconference often your camera and microphone are deactivated at the beginning. This is a good way to give all participants control over when they want to start sharing audio and video with other people in the conference. But be careful – you can’t rely on this behaviour. Sometimes conferencing tools are not configured this way and your camera and microphone are automatically activated when you join a meeting. So just make sure that you are ready, fully dressed and not chewing the rest of your lunch when joining the meeting. You can also cover your camera and mute your mic in the operating system to generally avoid this problem.
If the conferencing tool offers some filesharing options you should definitely be careful with downloading and opening stuff shared during a conference. Just think of the files being the attachment of an email from an unknown sender and treat them accordingly.
You survived a videoconference and everything went well? Congratulations! Just make sure you really left the conference and video and audio is no longer shared before enjoying your well-deserved pizza for lunch or starting some personal conversation with a colleague or family member.
Hosting Videoconferences
If you are not only a participant but the host of a videoconference, there are some additional things to keep in mind:
The first decision to make is which conferencing tool or platform you want to use. This of course depends on which tools are available in the given setting. Generally, it is a good idea to choose a solution which is offered and commonly in use by your organisation. Some tools are more suitable for big audiences, while others may offer better security options. If you are unsure which tool to use for hosting a conference, your local admin may give you some advice. They can also help you with the configuration of the meeting, e.g. setting room passwords or muting all participants by default.
Make sure to secure your meetings with password protection or moderated entry when you are the one hosting, so only legitimate users may enter. Keep in mind that the all-time favourites “password” and “12345” are no good way to protect your meeting – better use some random string. It also can be a good idea not to use one password for all of your meetings and conferences but to generate them individually.
When distributing invitations to the conference you are hosting, make sure not to embed them in a wider context to avoid accidental sharing of login information (e.g. do not distribute them in a monthly newsletter).
If your meeting has especially sensitive or even classified content, you should review all participants and make sure nobody has sneaked in.
It also can be an extremely good idea to make some technical check-ups before hosting your videoconference. Just make sure all settings apply as expected, e.g. no one can enter the meeting without a password and screen sharing shows only what should be shared to participants.
In part 2 of this blog, you will learn more about the obstacles administrators have to deal with regarding safe videoconferencing.
About the authors
The authors, Dustin Gawron, Martin Waleczek and Vanessa Weidler, are members of the EDUCV (EDUcation CERT-Verbund). EDUCV is a working group consisting of incident response teams (especially CERTs/CSIRTs) of institutions of the german academic sector. The purpose of EDUCV is sharing information and advanced training for the participating security teams. The teams are supporting each other with security analyses as well as with conception, development and operation of security solutions.
Also this year GÉANT joins the European Cyber Security Month, with the 'Cyber Hero @ Home' campaign. Read articles from cyber security experts within our community and download resources from our awareness package on https://connect.geant.org/csm2021