Unwelcome racist remarks, pornography shown in the middle of a class: online courses are easy prey for those who want to disrupt the classroom.
Since a stranger barged into his first online course on September 3 to shout nonsense, Eric Kirouac has required his students to turn on their cameras a few times during the session so he can see who he is dealing with.
The professor in the psychology department at Cégep Garneau, in Quebec, and several of his colleagues were victims of “Zoombombing”, that is, an intrusion aimed at “polluting” a videoconference. The name comes from the Zoom software, popularized for meetings during the pandemic.
“The students there were laughing a bit, but at one point I was afraid it would escalate, so I was trying to figure out how to eliminate him from the group,” he recounts.
With the IP address, the college's IT services were able to determine that the individual was not a student, but rather a Laval citizen.
Learn on the job
The intruder had probably used a name that was not his own, believes Mr. Kirouac, who did not know that he could withdraw participants' permission to rename themselves.
“It's business you learn on the job,” he says.
It is also possible to enable a waiting room to screen participants, to set a password or to control screen sharing, notes Sébastien Combs, professor of computer science at UQAM, who specializes in privacy.
While some have had to deal with racist remarks or rowdy people, others have had to exclude strangers because they presented pornographic material to students.
Last Monday, UQAM teachers who were taking part in a training course on how to use Zoom safely in the classroom were targeted by people who slipped into the session and bombarded them with pornographic material (presumably juvenile) while shouting. Strangely, the security training session was not protected by a password.
“We could hear a background noise, people talking together in another language […] Then the sound went up, they started screaming and flashing pornographic images. It was really aggressive and traumatic for me,” laments a participant for whom the event revived memories of a violent criminal act she had experienced. The teacher, who asked that her identity be protected, then hastened to shut down her computer, in shock.
She hopes that the measures presented before the training session got out of hand will prevent this kind of situation.
Training to prevent these cyber attacks
Schools should invest more in training, cybersecurity experts say in the wake of these cyberattacks.
“[The intruders] don't use too advanced methods to enter conferences, because they are misconfigured!” exclaims Steve Waterhouse, a former computer security officer at the Department of National Defense. “The use of tools is poorly understood.”
According to him, teaching tools should be standardized and general training provided to make them easier to master.
Sébastien Combs, professor of computer science at UQAM, believes that this training should even be extended to companies.
“Someone could also break in, turn off their microphone and camera, just to listen. […] There could be confidentiality risks,” he underlines.
Not just for fun
Last week, students and staff at HEC Montréal fell prey to phishing emails appearing to come from the institution's director and security.
Two days later, the Cégep de Saint-Félicien, in Saguenay–Lac-Saint-Jean, announced the suspension of its courses for a week after being the victim of a cyber attack.
“When the operations of an institution are stopped suddenly and without explanation, to me those are indicators of ransomware that has frozen all operations,” says Mr. Waterhouse.
Ransomware is malicious software that holds the data on a system hostage while demanding a ransom.
“One click and the damage is done,” continues the expert, convinced that the education system would benefit from training to raise awareness among staff.
However, some malicious attempts are difficult to intercept, he says, explaining that he received one in the form of an Excel file presented as a CV.
“Despite all the investment in security architecture, protection, and antivirus, the last link in this security chain remains people. And this is the weakest link in the absence of adequate awareness,” he concludes.