Preventing Zoom Bombing
The growing use of video conferencing tools has seen an uptick in hacking activities. Zoom is a foundational tool for video telecollaboration within the California State University system and is supported by the SDSU IT Division. Many Zoom users have experienced "Zoom Bombing," which is a tactic employed by Internet trolls to disrupt Zoom meetings that have been posted publicly or have otherwise reached a public audience. The trolls join your meeting and disrupt your session with the goal of causing disorder by making offensive comments or displaying explicit images or videos.
There are several recommended security settings that will prevent unauthorized guests from attending your Zoom meetings. For more information, please visit SDSU's Best Practices to Prevent Zoom Bombing.
Frequently Asked Questions
Zoom-bombing is when an unauthorized or authorized attendee joins a Zoom meeting session in order to cause disorder by saying offensive things and/or sharing unwanted images, such as pornographic and hate-filled images.
SDSU has published a guidance document detailing tactics that will minimize "Zoom Bombing" attacks.
Yes. Zoom has become one of the most popular online conferencing and collaboration platforms. Zoom usage jumped from 10 million at the beginning of March to over 200 million now, and it is still growing. With its growth in popularity has come greater scrutiny. Zoom has, however, worked to respond quickly by fixing several of the reported vulnerabilities.
SDSU has compiled a number of best-practice recommendations to protect your Zoom meetings from "Zoom Bombers."
In addition, Zoom offers a number of security options to prevent unwelcome participants from joining your meeting or to limit their ability to share inappropriate content.
To learn more, visit How do I secure my Zoom meeting? If you are using a personal computer, you must update the Zoom client as the latest versions become available.
To check the version of the Zoom client installed on your computer or mobile device, see the “Viewing the Zoom version number” article.
There are additional settings that can be enabled to further secure your Zoom meetings. They are provided here for guidance:
Create a waiting room
Another way to avoid Zoom-bombing is by creating a waiting room. Managing meeting participants is key: with the waiting room feature enabled, participants can’t get into the call until you, the host or co-host(s), let them in.
Disable Private Chat
Zoom has in-meeting chat for everyone, or participants can message each other privately. Restrict participants’ ability to chat with each other during your meeting. This prevents anyone from getting messages during the meeting.
Restrict screen sharing to host only
Ensure that only the meeting host can share their screen. Select "Host Only" by default. If screen sharing is needed during the meeting, it can be easily enabled.
Disable removed participants from rejoining
When you kick someone out of your meeting for any reason, they should not be able to come back in. Turn this setting off.
Use the Security Toolbar Icon
Zoom's security features, which had previously been accessed throughout the meeting menus, are now grouped together and found by clicking the Security Toolbar Icon in the meeting menu bar on the host's interface.
When in doubt, kick them out
If a disruptive participant manages to get into your meeting, you have the option to kick them out. To do so, click the “Participants” button, then mouse over the participant’s name and select “Remove.” Once removed, they won’t be able to rejoin.
Prevent participants from renaming themselves
Upon entering a Zoom meeting, participants are automatically given names based on their Zoom account or their computer’s username. These names are displayed in the participant panel and on the video thumbnails. By default, participants can opt to change their names in the Zoom meeting, and the host can choose to rename participants too. Click the “Security” button on the Zoom control bar. Under the heading “Allow participants to:” click on “Rename Themselves,” and ensure there is no checkmark next to "Rename Themselves."
Beginning May 30, 2020, all Zoom clients must be on 5.0+ in order to join any meeting, as GCM Encryption will be fully enabled for all Zoom meetings.
No. The basic functionality is the same; however, the CSU has a contract with Zoom, which obligates Zoom to protect CSU data beyond what would be found in a free or personal account. SDSU faculty, staff, and students should use their SDSU Zoom Educational account to help secure FERPA-protected communications. More information on Zoom and FERPA can be found in the Zoom and FERPA Compliance guide.
The limits and benefits of the Zoom Pro account vary, and include the following:
- No limit to the number of meetings you may host.
- Hosting is permitted involving up to 300 people for an unlimited time.
- One-to-one video calls are unlimited.
- A customized Personal Meeting ID is allowed.
- Available for all SDSU faculty, staff, and students with an @sdsu.edu email address.
The Health Insurance Portability and Accountability Act (HIPAA) lays out privacy and security standards that protect the confidentiality of patient health information. In terms of video conferencing, the solution and security architecture must, among other controls, provide encryption and meeting access controls so data in transit cannot be intercepted.
Zoom Meetings for HIPAA provides an option for health care providers at SDSU and faculty whose course content is clinical and requires this degree of compliance. You must follow all other HIPAA requirements, including training and audit.
To use Zoom Meetings for HIPAA, your SDSUid needs to be connected to the Zoom Meetings for HIPAA account. Your SDSUid can only be connected to one instance of Zoom: either regular Zoom or Zoom Meetings for HIPAA.
To request a Zoom HIPAA Subaccount for clinical or health care work, please submit a request using SDSU ServiceNow.
No. Zoom had a feature called “attention tracking,” which put a small icon in the list of participants indicating that they had moved out of the app. As of April 1, 2020, this feature was removed.
Yes. The CSU Chief Information Officer and Chief Information Security Officer noted in their Zoom Message to CSU Campuses: "On balance, as long as campus users have the information they need to use Zoom with appropriate safeguards, we don't believe that it's necessary for the CSU community to be concerned about communicating with Zoom." To read the full message, please visit "CO's Zoom Message to CSU Campuses." (SDSUid login required)
- Please visit the “Web Conferencing with Zoom” page for more information or contact ITS Support.
- To report a security incident, please visit "Reporting an Incident."
For Faculty and Staff
- Submit a Ticket - If you are having problems, please submit a ticket through SDSU ServiceNow.
- Help Desk - You can visit the Help Desk.