August 10, 2021
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
What’s hiding in your screen share?
As we all continue to spend time on video conferencing, whether Teams or Zoom or GoToMeeting … the basic security principles remain the same:
- use a unique link for each meeting
- secure it with a password
- use the waiting room feature when available
Hopefully you all know these basics, but have you paid attention to what you are inadvertently showing when you share your screen? I routinely log into virtual meetings early, because I hate being late when the app has to be updated before I can get in. Logging in early is sometimes quite illuminating! Whether it’s a live video conference, or saved screen capture images you are sending to colleagues or to tech support, you need to be sure you know what’s hiding in that screen share!
Here are a few things I’ve seen during the pandemic:
Home wifi network password
Yep, this was a webinar hosted by a well-known security company, and the president started the meeting about 10 minutes ahead of time. He started sharing his screen, and I saw a pop-up box with the name of his wireless network, asking for the password. He hit the “Show” button so he could see what he was typing, instead of the dots that usually mask passwords, and there it was. Dozens, potentially hundreds, of total strangers got to see the password to his wifi network. Not hard to find out where he lives, super simple to hop onto his network and potentially compromise it. How much you wanna bet he uses that same or similar password on some of his Internet accounts? I’ll take that bet!
Email inbox
A salesperson for a software company set up a sales meeting for me. As usual, I logged on a bit early. She had started the meeting and shared her screen, and then decided to answer some emails to kill time. I saw her open and begin responding to emails. I could see all the saved folders in the left pane -- sorted by customer name. At the same time, she had her sales team around a speaker phone and they were discussing how to price two current deals. No one noticed I was there, able to see & hear, until I spoke up.
Not the first time I’ve seen someone’s email! I was on a software migration project with a client a few years ago, and there were multiple online training sessions that we attended together. Every time the trainer gave us a short coffee-and-potty break, he would open up his email and start reading & responding. I was VERY careful about what I put in emails to him after the first time I saw that!
Browser bookmarks & recent places
A while back, I was sent some videos of websites I needed to review for a client. The person who made the videos used screen capture software to record his web browsing. I realized pretty quickly that the videographer worked in the networking department of [Company X], because he had bookmarked logins for various network equipment, and the company intranet. I also saw the six most recent places he had visited (Google kindly provided that in his browser window at the beginning of each video) – and some of them were NOT business-related!
I’ve seen partial financial statements on screen captures from bookkeepers. I’ve seen (damning) employee fitness reports. I’ve seen job applications, and personal tax returns.
Practice Safe Screen Sharing
Don’t capture the whole screen. If you get an error message that you need to screen capture and send to tech support, use the option to capture only that window, or use the crosshair feature to draw out the space on the screen to capture. (Instructions for Windows and Mac)
Don’t screen share ahead of time. If you want to test it, close all other applications on your computer, test the screen share, then turn it off. Or leave it on, but keep your fingers to yourself! Read email on your phone, if you must, but don’t do it on the computer after you have joined a meeting. Don't open any other software, only what you are sharing for this meeting.
Consider having a special login only for video conferences. This is my personal favorite. I have a standard (not admin!) user account on my laptop just for video conferencing. That user account doesn’t have any other software installed. No email app, no access to the server, nothing. It’s Internet and video conferencing only. I live my life by the saying “Make the right thing easy and the wrong thing hard.” Limit opportunities to accidentally share more than you intended to!
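If you want to set up that kind of dedicated, non-admin account on a Windows 10 or 11 laptop, here is one way to do it. This is an added example, not something from the newsletter; the account name "VideoConf" is a placeholder you would replace with your own, and the commands must be run from an elevated (administrator) PowerShell prompt.

```powershell
# Added example: create a standard (non-administrator) local account that is
# used only for video conferencing. Uses the built-in LocalAccounts cmdlets.
# Run this once from an elevated PowerShell window.

$AccountName = "VideoConf"   # placeholder name; pick your own

# Ask for the password without echoing it, so nothing appears on screen
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"

# Create the account. Nothing else is installed or configured for it.
New-LocalUser -Name $AccountName `
              -Password $Password `
              -FullName "Video conferencing only" `
              -Description "Standard account used only for online meetings"

# Membership in the local 'Users' group is what makes it a standard account
# that can sign in; explicitly add it so the result does not depend on defaults.
Add-LocalGroupMember -Group "Users" -Member $AccountName

# Make sure it is NOT in the Administrators group (the whole point of the setup)
$adminEntry = Get-LocalGroupMember -Group "Administrators" |
              Where-Object { $_.Name -like "*\$AccountName" }
if ($adminEntry) {
    Remove-LocalGroupMember -Group "Administrators" -Member $AccountName
}

# Verify: the account exists and is enabled, is in Users, and is not an admin
Get-LocalUser -Name $AccountName | Select-Object Name, Enabled
Get-LocalGroupMember -Group "Users" | Where-Object { $_.Name -like "*\$AccountName" }
Get-LocalGroupMember -Group "Administrators" | Where-Object { $_.Name -like "*\$AccountName" }
```

After this, sign in as that account only for meetings. Because the account has no email client, no mapped drives and no admin rights, a screen share started from it has very little to leak even if you forget and click around.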
Have a great week!
Talk to you again soon!
Security Awareness Training Goes Live Again!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Thankfully, live training is making a comeback! So wherever you and your employees may be, I can deliver a fun and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺