Electronic communications have made meeting with others via conference calls and web conferencing convenient and commonplace. It is important, though, to be aware of the security concerns and vulnerabilities that apply to all types of conference services.
During an inspection we performed at a financial services company, we found that their brand new boardroom conferencing system had been left with “auto-answer” enabled. This allowed anyone to call in and listen to everything taking place in the room, not only from any phone extension on the property, but also from any outside phone line. A caller just needed to know the “DID” or direct inward dial number (which happened to be the room’s extension number with the common prefix).
That incident involved the hardware-based conference system built into the corporate boardroom. More common, though, and used by all levels of employees, is conference calling using either a corporate conference number (a conference bridge on the PBX), a telephone conference service (such as freeconference.com) or a web-based service such as WebEx or GoToMeeting.
When using conference services, whether an internal or an outside service, you want to be able to control who can join your call. It could bring serious consequences if the content of a confidential call were leaked to the wrong parties. In 2012, the group Anonymous hacked into an FBI conference call and posted the contents of the call on YouTube. Brian Krebs, security researcher from krebsonsecurity.com, recently alerted Cisco to vulnerabilities that existed within their WebEx service. Most were due to poor security practices by the corporate users. Cisco quickly sent a memo to their WebEx users telling them of the vulnerabilities, explaining that many of their customer sites were publicly displaying meeting information online, including such details as time, topic, host, duration, and often a direct “join meeting” link. Cisco then posted tips on their WebEx blog on ways to protect meeting information. A summary of Cisco’s key points:
1. Make your meeting unlisted (unless it is truly open to the public)
2. Require a complex password
3. Choose posted meeting information carefully; don’t advertise more than necessary
4. Disable “join before host” when possible (don’t let someone unknown sneak in before the meeting starts)
5. Set “host as presenter” (block others from sharing content without permission)
6. Learn about other best practices.
Read the details on the WebEx blog [here]. Brian’s blog is also good to read [here]. These recommendations are worth considering for all conference calls.
If you will be hosting a confidential conference call, learn the features that are available to the host position. Many companies with a web interface, such as UberConference and FreeConferenceCalling.com, have management portals that give extra host features, such as allowing you to see the incoming caller ID of participants and giving you the ability to mute individuals and lock access when all participants have arrived.
A parting tip: when you end your call, use the host command to disconnect all parties. A common eavesdropping trick is to hang on at the end of a call and see who leaves their mic open, or see if anyone might continue to use the conference circuit for a private conversation.