Best practices released to protect communication sessions

Oct 14, 2014 12:09 GMT

Numerous corporate meetings relying on the WebEx collaboration platform from Cisco are not properly protected against snooping from the outside.

WebEx provides applications for communication over the web, and it is widely used by enterprises for video conferences.

Configuration settings exist for the purpose of protecting the information discussed during the meeting, but oftentimes they are not used, giving an outsider the chance to access inside details of a company.

Security blogger Brian Krebs found that these private meetings are oftentimes left unguarded and that the details for accessing them can be found in public Internet locations.

Basic protection practices are not followed

Krebs has discovered that spying on the private sessions of major organizations is not too difficult, especially since the details of the meeting are provided on the publicly available Webex.com website.

Joining these sessions is restricted to certain individuals who have been invited to participate in the conference, and who are admitted based on a password given by the organizer.

However, prominent organizations do not enforce this basic type of security, allowing anyone with the link to the conference to join.

Charles Schwab, CSC, CBS, CVS, the U.S. Department of Energy, Fannie Mae, Jones Day, Orbitz, Paychex Services, and Union Pacific have all been spotted by Krebs hosting meetings unprotected by passwords. According to him, in some cases, an uninvited third party would also be able to view archived event recordings.

The obvious risk is disclosing sensitive details to individuals outside the company.

Mitigating the risk of information leak

Cisco released an alert to its customers, touching on the best practices for keeping a web conference private when that is the intent.

The notification brings to the attention of the customers (WebEx site admins and meeting hosts) that the details present on the meeting site of a company are public and that the meeting can be unlisted if it is intended for a limited number of individuals.

Password protection is turned on by default, but in some cases, the admins and the hosts can turn off the feature. Aaron Lewis, from the global social media marketing department at Cisco WebEx, says in a blog post that a strong password does not affect the quality of the conference.

Another useful option is to ensure that the host is the first one to join the session. The reason behind this is that they can monitor the guests joining in.

In order to filter the information shared by the guests, the “host as presenter” option should be enabled.