Save web conference from prying eyes of cyber criminals, says CERT-In; MHA also warns

Organisations and individuals taking the help of web conferencing to work from home should guard against the "prying eyes" of cyber fraudsters as attacks engineered by them could lead to compromise of sensitive information, a CERT-In advisory said on Thursday.

The advisory said fraudsters prowling over the internet have found web conferencing "an opportunity to conduct unauthorised activities resulting in obtaining of sensitive information of individuals and organisations such as employee information, product knowledge, trade, secrets, among others".

"It is necessary to protect confidential data from prying eyes," the recommendation accessed by PTI said.

The Computer Emergency Response Team of India (CERT-In) is the federal agency to combat cyber attacks to guard the Indian cyber space.

A Home Ministry spokesperson also issued a statement, saying the Cyber Coordination Centre (CyCord), under the Ministry of Home Affairs (MHA), has issued an advisory on secure use of Zoom meeting platform by private individuals.

This advisory states that the platform is not for use by government officers for official purposes.

The document makes reference to earlier advisories of CERT-In and states that Zoom is not a safe platform. The guidelines have been issued to safeguard private individuals who would still like to use the platform for private purposes.

The broad objective of this advisory is to prevent any unauthorised entry into a Zoom conference room and prevent the unauthorised participant to carry out malicious attacks on the terminals of other users in the conference.

It added that the COVID-19 outbreak has led organisations, educational institutions and many others "to incorporate" web conferencing for communication from home to break the chain of the virus spread.

Web conference is a service which enables users to conduct meetings, conferences, presentations, training through the internet without being physically present at one location.

The facility allows real-time communication and offers streams of data through text messages, voice and video calls.

The federal agency underlined some potent threats in this context and said the attackers can join a web conference if no password is required to join it or if they get to know the access code and then they can send malicious links in chat to extract information.

It said vulnerabilities of a web conference platform, if not patched on time, could also allow attackers to exploit the target system.

CERT-In suggested some counter-measures to check these instances and install the web conferencing system through a distinguished vendor, which allows encryption of data and provides intrusion control and permits non-persistent flow of data.

Update the system regularly for any vulnerabilities with the latest software and patches.

Information about the meeting should be given only to concerned individuals via authorised email and sharing of access codes with participants to join the meeting will lead to restriction of data flow.

It asks users to consider using waiting room features, which means that an individual places participants in a separate virtual room before the meeting and allow the host to admit only those who are supposed to be in the room.

This will allow the user to keep an eye on uninvited guests during the web conference and the meeting may be locked for others to join once all valid participants have joined.

The advisory said if such a meeting is recorded it should be made sure by the host to get permission from all participants and give the recording a unique name while saving it.

Children who have classes through web conferencing should be advised to use the system in a safe and secure manner and they should discuss only on the topic mentioned by a teacher and not divulge any personal information.

Once the web conference is over, the provider should erase all data from its server, the advisory said.