According to Zoom’s website, here are the security possibilities on Zoom:
- Secure a meeting with end-to-end encryption (recent source investigated that this isn’t that true)
- Expel a participant or all participants
- Lock a meeting
- Screen share watermarks
- Enable/disable a participant or all participants to record
- Temporary pause screen-sharing when a new window is opened
- Password protect a meeting
- Only allow individuals with a given e-mail domain to join
Zoom Privacy Flaws
- Zoom is able to monitor the activity on your computer
- Zoom collects info about which programs are currently running
- Zoom captures which window you have in focus
- Zoom gives administrators full power to track attendees’ attention with an indicator that points out when a participant isn’t in focus for more than 30 seconds
- Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user
- Zoom exposes users to the risk of remote surveillance, unwanted video calls, and denial-of-service attacks
- Zoom sells, and will sell your data when needed.
How to Use Zoom More Securely
- Use two devices during Zoom calls: If you are attending a Zoom call on your computer, use your phone to check your email or chat with other call attendees. This way you will not trigger the attention tracking alert.
- Do not use Facebook to sign in: It might save time, but it is a poor security practice and dramatically increases the amount of personal data Zoom has access to.
- Keep your Zoom app updated: Zoom removed the remote web server from the latest versions of its apps. If you recently downloaded Zoom, there’s no need to be concerned about this specific vulnerability.
- Take care when screen sharing. Ensure there are no applications, images or videos visible that might expose personal or confidential business data. Check which tabs are visible in the top bar of your browser.
- Be aware of the privacy policies and features of the software you’re using. For example the attention tracking feature and other policies on data collection and sharing.
- As the host, turn on the 2FA and require authorized email addresses for any in-house meeting.
- Restrict screen sharing without permission, remove unwanted or disruptive participants from a Zoom meeting, and mute participants or turn off their video.
- Keep the meeting secure from those outside the call. Account managers should ensure that end-to-end encryption is enabled to prevent snooping of traffic, particularly if remote workers are connecting to meetings from outside of the company’s secure VPN network.
- Remember that video meetings can be recorded by any participant, and that raises issues of confidentiality and leakage.
- Ensure that endpoints are protected by a security platform that can protect against malware, malicious devices and network compromise. Source link
For a full list of more secure tools to use when working from home alternatives, scroll to the end of the article.
According to Slack’s website, here are their security measures:
- Ensure that only the right people and approved devices can access your company’s information in Slack with features like single sign-on, domain claiming and support for enterprise mobility management.
- By default, Slack encrypts data at rest and data in transit for all of our customers. We further protect your data with tools like Slack Enterprise Key Management (Slack EKM), audit logs, and integrations with top data loss prevention (DLP) providers.
- Slack offers governance and risk-management capabilities flexible enough to meet your organization’s needs, no matter what they are. This includes global retention policies, custom terms of service, and support for eDiscovery.
Slack Privacy Flaws
- It is relatively trivial for an attacker on a compromised machine to exfiltrate all of a user’s entire Slack workspaces, chat messages, files and history.
- Attackers can gain current access to the workspace by stealing the stored session cookies on the user’s machine. Having acquired the data, the attacker can then start up a virtual machine instance, install the Slack app, and copy the stolen data to the same location on the VM from where it came (the user name need not be the same). Launching Slack will then log the attacker into the user’s workspaces and give them full, live access. Although this activity will be recorded in the workspace Access Logs on the server-side, it will not be obvious to the user unless the attacker actively tries to impersonate the user in the workspace.
- It’s possible for a malicious app to exfiltrate this data without the victim’s awareness.
- When using Slack, businesses have to delegate their most private data and communication to Slack.