HackerOne offers security tips for video conferencing


Aaron Zander, head of IT at HackerOne, the hacker-powered security platform, on what security measures to take when using video conferencing tools such as Zoom

·       Weekly Online “Ask-Me-Anything” Sessions. Defaulting to Disclosure is in the DNA of HackerOne. Quite literally, it’s one of our values. We hold weekly online Ask-Me-Anything (AMA) meetings via videoconference to bring together our global workforce of 285 and have an honest, transparent conversation. People present lightning talks on key initiatives, folks present on announcements and OKR progress, we welcome new employees and celebrate anniversaries, and anyone can ask any question of anyone in leadership or elsewhere. An honest question gets an honest answer. This open and transparent conversation keeps a culture of “why not share?” top of mind for everyone and consistent in the culture of all HackerOnies.

·       Virtual Happy Hours. The marketing team at HackerOne launched its first virtual happy hour back in early 2019 as a way to stay connected with distributed team members. Designed to be fun, casual engagements, they’ve proved to be an effective way for distributed teams to connect and foster the casual conversations that occur during traditional, in-person happy hours. Bring a beer, coffee, or a mimosa (whatever your time zone) and have casual chats with your colleagues.

·       Digital Water Cooler. Just like the one in the office, only virtual: the idea behind the digital water cooler is to create a channel or opportunity where employees can catch up with each other, socialize and play out their personal and human sides. Jokes, high-fives, celebrations, gossip, community, family, personal interests, attention to the humans behind the professional persona: all these things need to be brought over to the digital world and given a worthy place and channel that allows for spontaneous and randomized encounters. No alcohol required.

·       Office Hours. For high-visibility projects like our website redesign or an increased volume in data requests, project owners often hold office hours as open Q&A or feedback sessions for anyone who is curious. This way, all stakeholders or curious parties can have a voice or get walkthroughs of complex processes.

·       Online Rooms. During this time when all employees are working from home, we think it’s vital to stay connected. Online rooms allow people to create personal rooms for ease of collaboration between locales, departments, and teams.

Tips for avoiding ZoomBombing

  • Don’t share your online meeting IDs or meeting URLs on social media. Online meetings are increasingly productive tools that allow people to work from anywhere. But they come with a caveat: sharing the meeting ID or URL can allow people to drop in and listen to sensitive conversations, record your voice or video, and infiltrate your new virtual workplace. With the Zoom boom taking over social media, be careful how much you share in your screenshot. Zoom has started to help with this by adding new features and changing its user interface to decrease the risk of being Zoom-bombed. For example, the Meeting ID is no longer displayed on the title toolbar and the title will simply be “Zoom” for all meetings, preventing others from seeing active Meeting IDs when, for instance, Zoom screenshots are posted publicly. Regardless, it’s good practice in general NOT to share Meeting IDs or URLs on social media.
  • Ensure your meetings have a password. Zoom, for example, allows admins to turn this on for entire Zoom organizations, but you can also turn it on yourself when making a new Zoom meeting. The password is normally encoded in the meeting URL, starting with “?pwd=”. If you’re especially worried about Zoombombers, delete this part and share the password directly with the people you want to join.
  • Restrict Access. Zoom allows meeting hosts to prevent unauthenticated users from joining the meeting (though dial-in still works). You can restrict access either by forcing users to log in with any Zoom account or, better yet, by requiring Zoom accounts from specific email domains. This is especially important for school educators who are concerned about their students sharing the Zoom meeting details with people who are not part of the class. Using authenticated meetings is the best solution, and helps ensure everyone is joining from a @<insert-school>.edu email.
  • Enable the Waiting Room feature.  Available through the security menu, this functionality adds a gate before people joining your meeting can see or participate in it. This feature requires new joiners to be approved by a Host or Co-Host of the meeting. 
  • Lock Your Meeting. If all your attendees are present at the meeting, use Zoom’s security menu to lock your meeting, preventing new people from joining at all.
  • Be Careful with Presentation Mode. While Zoom allows multiple people to present at the same time, if you do not need this functionality, do not use it. It’s off by default and should stay off.
  • Be Careful When Screen Sharing. When screen sharing, opt for sharing a specific window, rather than your whole display. This can prevent accidentally sharing too much information, or having pesky notifications interrupt your meeting. Additionally, when sharing browser content, make a new window with just the tab or tabs you wish to share.
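
One way to apply the “?pwd=” tip before an invite is pasted into a chat, email or post, as an added example that is not part of the original article: it finds Zoom join links in a draft message, removes the embedded password, and returns it so it can be sent separately. The `https://<subdomain>.zoom.us/j/<meeting id>` link shape, the function names and the sample text are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: join links look like https://<subdomain>.zoom.us/j/<meeting id>?pwd=<token>
ZOOM_LINK = re.compile(r"https://(?:[\w-]+\.)*zoom\.us/j/\d+[^\s<>]*", re.IGNORECASE)
TRAILING = ".,;:!?)\"'"  # sentence punctuation that is not part of the link

# Constructed sample text; the meeting ID and password are made up.
SAMPLE_POST = (
    "Team sync today: "
    "https://example.zoom.us/j/91234567890?pwd=ConstructedTok3n. See you there!"
)


def split_invite(url):
    """Return (url_without_pwd, password_or_None) for a single join link."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    password = next((value for key, value in query if key == "pwd"), None)
    kept = [(key, value) for key, value in query if key != "pwd"]
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, password


def scrub_text(text):
    """Strip pwd= from every Zoom join link in text.

    Returns (scrubbed_text, passwords) so the passwords can be shared
    with invitees over a separate channel.
    """
    passwords = []

    def _fix(match):
        raw = match.group(0)
        core = raw.rstrip(TRAILING)      # keep "…Tok3n." from swallowing the full stop
        tail = raw[len(core):]
        clean, password = split_invite(core)
        if password is not None:
            passwords.append(password)
        return clean + tail

    return ZOOM_LINK.sub(_fix, text), passwords


if __name__ == "__main__":
    scrubbed, found = scrub_text(SAMPLE_POST)
    print(scrubbed)
    print("share separately:", found)
```

Links that carry no `pwd` parameter pass through unchanged, and other query parameters are kept.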