The Australian Signals Directorate has issued an urgent warning to businesses over the use of insecure videoconferencing apps as the use of free or cheap products explodes due to millions of Australians working from home.
The diligently product-agnostic advisory comes as desperate corporate staff separated from their work networks or struggling with skinny VPNs pile onto Zoom, with new Optus chief executive Kelly Bayer Rosmarin citing a thousandfold increase in usage of the app on Optus’ network alone.
On Wednesday iTnews revealed security research concerns over the potential for the Windows version of Zoom to leak credentials, an issue which Zoom has now acknowledged.
A primary concern of the Australian Cyber Security Centre, which is now officially part of ASD, is whether video conference traffic is headed offshore where it could be intercepted and harvested by foreign spy services and hostile actors.
“The use of offshore web conferencing solutions introduces additional business and security risks. For example, laws in other countries may change without notice and foreign-owned service providers that operate in Australia may still be subject to the laws of a foreign country,” ASD said.
“In addition, service providers who are located offshore may be subject to lawful and covert data collection requests and access an organisation’s data without their knowledge.”
The head of the ACSC, Abigail Bradshaw, said it was “critical that organisations correctly configure their selected service to maximise the security of conversations and data.”
“In deciding on a platform for teleconferencing, close attention should be paid to whether a service provider claims ownership of any recorded conversations and content, metadata, or files that are created or shared when using their web conferencing solution,” Bradshaw said.
That, says the ACSC, comes down to reading the fine print in the often epic-length terms and conditions contained in licensing agreements.
There’s also a warning on conference call squatting, where unknown users might join early or not hang up after prior calls, a routine collision point in what used to be shared work space meeting rooms.
Many conference call users often seek to bypass congested fixed line services by using only the audio portion of video conferencing apps. The ACSC reckons that’s an accident waiting to happen, too.
“Consider locking the meeting so no one else can join. However, in some cases, it may not be possible to identify individual participants, such as when they join via a telephone call,” the warning says.
“In such cases, take note of sounds or visual notifications indicating that participants are joining the meeting, and ask any unknown participants to identify themselves.
“If unknown participants are unable to appropriately identify themselves, they should be disconnected by the meeting host.”
But let’s face it. With people cooped up and living on top of each other, some Chinese walls – a poor expression if ever there was one – are going to be difficult to maintain.
The working from home challenges are many.
At what stage does one tell the kids to bugger off during a meeting? Is it now appropriate to take early or late conference calls from bed?
And how do you remove adhesive tape residue from a webcam so you don’t get unintentional Vaseline lens?
Perhaps the best advice iTnews heard on that front was from a former cyber intelligence warrior who spoke at the once mighty Security in Government conferences organised by the late Mike Rothery.
Operatives had complained that it was unpleasant to watch targets slurping down noodle soup wearing a singlet.
At a second track meeting on the sidelines of a conference, an officer noted to another nation’s officer that dress standards seemed to be slipping and perhaps collared shirts were preferable attire.
The collared shirts appeared. Matters of professional courtesy were taken seriously by the other side, the audience was told.