Advertisement
  1. News
  2. /
  3. Health

Schools using Zoom should be careful, security expert warns

Trespassers are taking advantage as schools and other organizations use the online platform to meet during the coronavirus crisis. Some simple steps can help protect teleconferences.

Stories about the coronavirus pandemic are free to read as a public service at tampabay.com/coronavirus. If this coverage is important to you, consider supporting local journalism by subscribing to the Tampa Bay Times at tampabay.com/subscribe.

• • •

Admit it. Before social distancing and COVID-19, you never heard of Zoom teleconferencing.

Yet now it’s all the rage in your schools.

Teachers are using it for live lessons with students. Trainers are relying on it to prepare those teachers. Districts are turning to it as a way to support parents.

“We’ve been using Zoom for conferencing” in place of in-person staff meetings, said David Salerno, principal of Rushe Middle School in Land O’Lakes. “We met twice last week.”

As the platform has grown in popularity, so, too, have the problems associated with it. A new term, Zoom-bombing, has surfaced to describe the hijacking of these virtual meetings by participants and, occasionally, outsiders with ill intent. The platform, experts say, can leave children vulnerable to predators.

The Hillsborough County school district scheduled a Zoom meeting to help parents learn about remote learning. [ Hillsborough County school district ]

Much of it can be avoided.

“Where does the insecurity lie? It’s with people,” said Social-Engineer founder Chris Hadnagy, an expert in online stalking and cybercrime. “With proper management, it can work. But it takes some effort.”

Hadnagy, who also runs the Innocent Lives Foundation that combats child exploitation on the internet, had plenty of stories about the students who took over a teacher’s lesson and kicked the teacher out. And the teenagers who provided too-intimate views, having forgotten their webcams were on. And the kids who posted inappropriate comments and links into the middle of a course conversation.

And those were just from those who were supposed to be in the meetings.

Other concerns include course crashers who got hold of a Zoom code they weren’t supposed to have, and scammers who sent out fake “phishing” links in hopes of luring unsuspecting children into possibly compromising situations.

“These things are happening,” he said. “They could definitely present a massive problem for schools.”

And not just K-12 schools. University of Florida president Kent Fuchs tweeted Tuesday that the school’s student government Zoom meeting was hacked into with “horrific messages of hate.”

Zoom is the program that’s getting the most attention on this front, because it is openly accessible through an app and website with a free signup regardless of email or service provider. Other programs, such as Microsoft Teams, require additional layers such as having an Outlook account that many people don’t have.

The Pinellas County school system prefers Teams and trains its teachers to use it, in part because of the concerns, spokeswoman Isabel Mascareñas said. But teachers still may conduct lessons on Zoom, she added, so long as they take precautions.

Zoom has taken some steps to at least advise its users of ways to protect themselves. It recently posted a blog article on how to keep crashers out of an event. It also updated its privacy policy for K-12 schools and districts, though it continues to share some data.

“We take the security of Zoom meetings seriously and we are deeply upset to hear about the incidents involving this type of attack," the company stated via email. “For those hosting large, public group meetings, we strongly encourage hosts to review their settings and confirm that only the host can share their screen. For those hosting private meetings, password protections are on by default and we recommend that users keep those protections on to prevent uninvited users from joining.”

Users can report problems or incidents directly to support.zoom.us/hc/en-us/requests/new.

Related: Get Florida education news delivered to your inbox. Sign up for the Gradebook newsletter.

Hadnagy said he did not view Zoom itself as unsafe, and said the company had done a good job of handling problems while also ramping up for an unexpected surge in demand.

But because children’s security is in question, he said, educators, parents and students using such teleconferencing systems need to take steps to prevent unwanted situations.

He focused first on the meeting organizers, which in the school environment generally means teachers.

One of his primary recommendations was to have a session administrator separate from the host. That person would be able to “pay attention to the room” by monitoring what’s on the cameras, muting microphones and kicking out anyone who doesn’t follow the rules.

“That keeps it smooth and problem free,” Hadnagy said. But “you can’t do that if you’re running the meeting. Most people don’t think of that.”

He suggested using a trusted co-worker or parent, not a student.

The session rules must be spelled out clearly in advance, he continued, so participants know what’s expected. That includes acceptable dress, a recommended plain background and general demeanor guidelines, such as keeping language clean.

The teacher also must keep the conference code private, and not post it in places like an open Facebook page. Adding a password that’s emailed to participants further protects the session, Hadnagy said, noting that “brute forcing” into a Zoom event by guessing a random nine-digit code is next to impossible.

When the meeting begins, the administrator should make sure everyone who joins has their camera off and microphone muted, with annotation off except for the teacher. That person also would control who can screen share.

“You’ve now taken care of 90 percent of the problems that exist,” he said.

Parents have a role to play, too, he said.

If they’re concerned about their children’s information being distributed, they can set up the Zoom account in their own name for their kids, he said. That way, the parents protect the data, and get the added benefit of being able to track who is participating in all the conversations.

They also should pay attention to who is hosting the conference call, and that the invitation comes from a legitimate source.

As sites like Zoom become more popular, Hadnagy said, scammers send out fake, or phishing," invitations with links that look like the real thing. There are people out there who try to gain access to devices, turn webcams on and capture images of teens in compromising positions, then exploit those.

“You don’t want your kids just clicking every link that comes in, thinking it’s from their teachers,” he said. “Be really cautious with the links.”

JoAnne Glenn, principal of Pasco eSchool — one of Florida’s largest virtual education programs — said all of these precautions are important to consider. She said she hadn’t seen major troubles with Zoom yet, but recalled a similar situation about five years ago with the Blackboard system that Florida Virtual School and others used at the time.

Kids would gain access to class codes and log in under false names, then make obnoxious comments and disrupt courses, she said.

“It reminded me of Bart Simpson making those prank calls to Moe’s bar,” Glenn said.

The schools investigated who did it, using IP addresses to weed out the offenders. Remember, she said, just because the classes are taking place remotely doesn’t mean that disciplinary action can’t be issued.

Then the school changed its practices. New policies included actions such as locking the “door” five minutes after the class began, and using the class “administrator” idea that Hadnagy suggested.

She expected similar tactics to come into play with the latest programs.

“It’s not going to prevent us from holding school,” Glenn said. “We will do the things we can do to keep those virtual classroom as protected as possible.”

Contact Jeffrey S. Solochek at jsolochek@tampabay.com.

• • •

Tampa Bay Times coronavirus coverage

GET THE DAYSTARTER MORNING UPDATE: Sign up to receive the most up-to-date information on COVID-19 and Tampa Bay, six days a week

ISOLATED ENTERTAINMENT: Lists of ideas to help entertain yourself and your kids at home

NEED TAKEOUT?: Here’s the Tampa Bay restaurants offering curbside pick-up or delivery

FOLLOW OUR COVERAGE ON SOCIAL MEDIA: Facebook. Instagram. Twitter. Reddit.

LISTEN TO THE CORONAVIRUS PODCAST: New episodes every week, including interviews with experts and reporters

HAVE A TIP?: Send us confidential news tips

We’re working hard to bring you the latest news on the coronavirus in Florida. This effort takes a lot of resources to gather and update. If you haven’t already subscribed, please consider buying a print or digital subscription.

YOU MIGHT ALSO LIKE

Advertisement
Advertisement