How to keep your Zoom meetings safe from hackers

Zoom’s privacy and security issues have been in the headlines for a number of weeks now, causing concern for lots of users. But many people have no option but to use the software after it has been selected by the company they work for.

If you find that you have to use Zoom, there are steps you can take to ensure your experience is as safe as possible.

Zoom has already taken some steps to address concerns that have been raised in recent weeks, and the company says that it will continue to make improvements to the video conferencing software. But even when this happens, there is a lot you can do to lock things down.

Protect your account

A Zoom account is just another account, and in setting yours up, you should apply the basics of account protection. Use a strong and unique password, and protect your account with two-factor authentication, as this makes your account harder to hack and means it is better protected, even if your account data leaks.

There’s at least one more Zoom-specific catch: After you register, in addition to your login and password you get a Personal Meeting ID (PMI) – avoid making it public. As Zoom offers an option to create public meetings with your Personal Meeting ID, it’s quite easy for that ID to be leaked. If it does leak, anyone who knows your PMI can join any meeting you host, so share this information prudently.

If possible use your council e-mail to register with Zoom

A weird glitch in Zoom (which at the time of this writing wasn’t yet fixed) causes the service to consider e-mails of the same domain — unless it’s a really common domain such as @gmail.com or @yahoo.com — as belonging to one company, and it then shares their contact details with each member of that group. For example, users who registered Zoom accounts using e-mails ending with @yandex.kz, which is a public e-mail service in Kazakhstan, experienced this. It may happen again with e-mail addresses belonging to smaller public e-mail providers.

So, to register with Zoom, use your council e-mail.

Don’t fall for fake Zoom apps

The number of malicious files incorporating the names of popular video conference services (Webex, GoToMeeting, Zoom, and others) in their filenames has roughly tripled in comparison with the month-by-month numbers for the previous year. That most likely means malefactors are ramping up their abuse based on the popularity of Zoom and other apps of its kind, trying to disguise malware as video conference clients.

Don’t fall for it! Use Zoom’s official website — zoom.us — to download Zoom safely for Mac and PC, and go to the App Store or Google Play for your mobile devices.

Don’t use social media to share conference links

Sometimes you want to host public events, and in many places online events are the only option available these days, which means Zoom is attracting more and more people. Even if your event is truly open to everyone, you should avoid sharing the link on social media.

If you knew anything about Zoom before reading this post, you’ve probably heard about so-called Zoombombing. This is a term to describe trolls disrupting Zoom meetings with offensive content.

Where do the trolls get information about upcoming events? That’s right, they find them on social media. So, avoid publicly posting links to Zoom meetings. If for some reason you still want to, make sure you don’t enable the Use Personal Meeting ID option.

Protect every meeting with a password

Setting up a password for your meeting remains the best means of ensuring that only the people you want in your meeting can attend it. Recently Zoom turned password protection on by default — a good move. That said, don’t confuse the meeting password with your Zoom account password. And like meeting links, meeting passwords should never appear on social media or other public channels, or your efforts to protect your call from trolls will be in vain.

Enable Waiting Room

Another setting that gives you more control over the meeting, Waiting Room — recently enabled by default — makes participants wait in a “waiting room” until the host approves each one. That gives you the ability to control who joins your meeting, even if someone who wasn’t supposed to participate somehow got the password for it. It also lets you kick an unwanted person out of the meeting — and into the waiting room. We recommend leaving this box ticked.

Pay attention to screen-sharing features

Every normal videoconference app offers screen-sharing — the ability of one participant to show their screen to the others — and Zoom is no exception. Some settings that are worth keeping an eye on:

  • Limiting screen-sharing ability to the host or extending it to everyone on the call. If you don’t need other people to show their screens, you know which option to choose.
  • Letting multiple participants share screens simultaneously. If you can’t immediately see why your meetings would need this capability, you’ll probably never need it; just keep it in mind in case you ever need to enable it.

Stick with the Web client if possible

The various Zoom client apps have demonstrated a variety of flaws. Some versions let hackers access the device’s camera and microphone; others let websites add users to calls without their consent. Zoom was quick to fix the aforementioned problems, as well as other, similar ones, and it stopped sharing user data with Facebook and LinkedIn. However, given the absence of a proper security assessment, Zoom apps are likely to remain vulnerable, and they may still employ shady practices such as data sharing with third parties.

For this reason, we recommend using Zoom’s Web interface instead of installing the app on your device, if possible. The Web version sits in a sandbox in the browser and doesn’t have the permissions an installed app has, limiting the amount of harm it can potentially cause.

In some cases, however, even if you want to use the Web interface, you may find that Zoom has gone ahead and downloaded the installer, and there’s just no other option to connect to the meeting but to install the client. In that case, you can at least limit the number of devices on which Zoom is installed to just one. Let it be your secondary smartphone or, say, a spare laptop. Choose a device with next to no personal information. We know that sounds somewhat paranoid, but it’s better to be safe than sorry.

 

Fake Ransomware Bitcoin Scam Claims “Your Site Has Been Hacked”

A fake ransomware scam is going around that targets website contact forms. It sends an email to the site owner with the subject “Your Site Has Been Hacked.” The body of the email claims the hackers have exploited a vulnerability to gain access to the site’s database and “move the information to an offshore server.” The email threatens to ruin the site owner’s reputation by selling the site’s database, notifying customers that their information has been compromised, and de-indexing the site with search engines using blackhat techniques.

Within the past few weeks, website owners have reported receiving this email on various support channels, including WordPress.org, Stack Overflow, and Reddit. The sites in question have not been defaced, nor do they show any other evidence of tampering.

The Bitcoin Abuse Database has seen a surge of reports regarding this scam in May and June, logged under various Bitcoin addresses. The scammers send the email out indiscriminately, even targeting sites that do not have a database. So far the campaigns have not been very successful at convincing site owners to pay the ransom.

The Bitcoin Abuse Database advises visitors that extortion emails are 100% fake and those who receive them should not pay ransoms.

If you or one of your clients receive an email like this, rest assured that it is a scam that requires no action. If you want to be extra cautious you can change your passwords and use a security plugin to scan your files for changes. Otherwise, simply delete the email.

An example of this scam email is below for reference:

PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!

We have hacked your website [website URL] and extracted your databases.

How did this happen?
Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.

What does this mean?

We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your site [website URL] was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.

How do I stop this?

We are willing to refrain from destroying your site’s reputation for a small fee. The current fee is $2000 USD in bitcoins (BTC).

Send the bitcoin to the following Bitcoin address (Copy and paste as it is case sensitive):

12KLZzgrNX2DvbWQM7yQ1V9vPwy9JPvUKM

Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment within 5 days after receiving this notice or the database leak, e-mails dispatched, and de-index of your site WILL start!

How do I get Bitcoins?

You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM. We suggest you https://cex.io/ for buying bitcoins.

What if I don’t pay?

If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers.

This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we will stop what we were doing and you will never hear from us again!

Please note that Bitcoin is anonymous and no one will find out that you have complied.
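The traits described above (a breach claim, a reputation threat, a Bitcoin payment demand with a deadline, and a "do not reply" instruction) can be turned into a triage rule for contact-form mail that also extracts the payment address for reporting. This is an added example, not code from the original article; the function names, regexes and verdict labels are assumptions, and the sample messages are constructed, the first from excerpts of the email quoted above.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (Base58) Bitcoin address shape; bech32 "bc1..." is out of scope here.
LEGACY_ADDR = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# Traits of the email quoted above. The regexes themselves are assumptions.
SIGNALS = {
    "breach_claim": re.compile(
        r"hacked your (?:web)?site|site has been hacked"
        r"|extract(?:ed)? your(?: entire)? databases?", re.I),
    "reputation_threat": re.compile(
        r"de-?index|leaked or sold"
        r"|(?:damag|destroy)\w* your (?:site['’]?s )?reputation", re.I),
    "payment_demand": re.compile(r"\bbitcoins?\b|\bBTC\b", re.I),
    "deadline": re.compile(r"within \d+ (?:days?|hours?)", re.I),
    "no_reply": re.compile(r"do not reply|will not read any repl", re.I),
}


def base58check_ok(addr):
    """True if addr decodes to 25 bytes ending in a valid double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    try:
        raw = n.to_bytes(25, "big")  # version byte + 20-byte hash + 4-byte checksum
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def triage(subject, body):
    """Classify one contact-form message and pull out addresses for reporting."""
    text = f"{subject}\n{body}"
    hits = {name for name, rx in SIGNALS.items() if rx.search(text)}
    found = sorted(set(LEGACY_ADDR.findall(text)))
    addresses = [(a, base58check_ok(a)) for a in found]
    if addresses:
        hits.add("payment_demand")
    # Template match: a breach claim plus a payment demand plus one more trait.
    if {"breach_claim", "payment_demand"} <= hits and len(hits) >= 3:
        verdict = "extortion_template"   # quarantine; report the address
    elif "breach_claim" in hits:
        verdict = "review"               # may be a genuine visitor report
    else:
        verdict = "clean"
    return {"verdict": verdict, "signals": sorted(hits), "addresses": addresses}


# Constructed sample: excerpts of the scam email quoted on this page.
SCAM_SUBJECT = "Your Site Has Been Hacked"
SCAM_BODY = (
    "We have hacked your website [website URL] and extracted your databases.\n"
    "First your database will be leaked or sold to the highest bidder.\n"
    "The current fee is $2000 USD in bitcoins (BTC).\n"
    "Send the bitcoin to the following Bitcoin address:\n"
    "12KLZzgrNX2DvbWQM7yQ1V9vPwy9JPvUKM\n"
    "You have to make payment within 5 days after receiving this notice.\n"
    "This is not a hoax, do not reply to this email.\n"
)
# Constructed samples: a genuine visitor report and an ordinary enquiry.
VISITOR_REPORT = ("Possible problem",
                  "Hello, I think your site has been hacked. "
                  "The events page redirects me to an advert.")
BENIGN = ("Hall booking",
          "Can I book the village hall on 3 March? "
          "My booking reference is VH-2020-114.")

if __name__ == "__main__":
    for subj, body in [(SCAM_SUBJECT, SCAM_BODY), VISITOR_REPORT, BENIGN]:
        print(subj, "->", triage(subj, body))
```

A message that only says the site looks hacked is routed to a person rather than discarded, because it may be a real report from a visitor.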

How to publicise your new website

So you have got a shiny new website. How do you go about letting people know it’s there and building up your numbers of visitors?

The first thing is to make sure it is appearing in Google when you search for your town or parish council name. We’ve written an article about how to optimise your content so that you get a prominent listing in Google (and other search engines) that you can read here: How to improve your search engine ranking

The next step would be publicising it to your parishioners who may not even know that you have a website. Ways to do this include:

  • adding the web address to your email signature so that it appears at the bottom of each email you send out
  • putting posters in your village noticeboard, shop and/or pub
  • including the web address on all council documents such as minutes or notices
  • you could also deliver flyers around your village advertising the site

Another way to keep visitors coming back is to keep publishing lots of news items and useful information.

Other councils publicise their site or information on social media – usually Facebook or Twitter. We’ve published a series of guides about setting up social media here: https://parish-council.website/category/marketing/social-media/

It is also good to get incoming links to your site. This will have the effect of bringing more visitors to your site and will also help with your search engine ranking. These could come from your local and district council, neighbouring parish councils or local institutions such as the church or the WI. If you set up links to them, you can ask them to return the favour and set up a link back to you.

I’m still running Windows 7 – what shall I do?

On Tuesday 14th January, Windows 7 came to the end of its supported life. Don’t worry, this doesn’t mean it will stop working, but Microsoft will stop providing security updates from now on.

Windows 7 was launched in 2009 and currently still has a couple of hundred million users, many of them individuals or small businesses.

The problem for users is that holes in the security of Windows will no longer be patched and the malware industry will be able to exploit any vulnerabilities without protection from now on. This could include ransomware, where your computer is locked unless you provide payment.

So what can you do to protect yourself? The easiest option is to upgrade to Windows 10 but if you can’t afford that there are still a few things you can do.

If you can’t patch Windows, you can still make sure that other software you use is updated. In particular, your browser is somewhere that malware can infect your computer. Google has committed to fully supporting Chrome on Windows 7 computers at least until 15 July 2021.

Another way to protect yourself is to try to avoid untrusted or insecure websites. The websites of large organisations are usually safe.

Running good firewall and anti-virus software is essential. Which? recommends Avast as the best free anti-virus software, or you may prefer to pay for one that includes a firewall, such as Kaspersky Total Security.

Emails are another common source of infections. Never click an unsolicited attachment and beware of phishing emails that claim to come from a trusted source such as your bank or PayPal and ask you to click on a link or button to log into your account. Do not click the link; instead, go directly to the organisation’s website and log in the way you normally would.

Finally, the best defence against ransomware is to have all your information – files, pictures – backed up or stored in the cloud. There are free cloud storage sites such as Dropbox that will allow you plenty of space to store your files.

How to clear your cache

Sometimes your site just doesn’t display as you would expect it to. It could be that it’s not showing the latest updates you have made or it could be giving you odd redirects. A good idea is to clear out your cache and see if that fixes the problem.

Everybody’s browser stores a copy of any sites visited so that it can load them more quickly if they revisit the same site. Exactly how this is set up depends on the browser and the settings on the user’s computer.

How you clear your cache depends on which browser you are using. For information about how to clear the cache in your browser, click on one of the links below:

Checking your website can be viewed using screen magnifiers

Users with visual impairments will often need to enlarge the text on your site in order to read it. It is important that they are able to do this without the website appearing so large that they have to scroll sideways to see all the page content. The WCAG 2.1 Accessibility Guidelines state that you must be able to magnify the text to 200% without there being any problems for users to view it.

To check your website works correctly when zoomed in or magnified, you can change your browser settings to magnify the page. To do this in Chrome, select ‘Settings’ then ‘Font size’ and change it to ‘very large’. If you use Firefox you can click on the 3 horizontal bars icon at the top right of your browser and click the ‘+’ in the Zoom section.

If you would prefer to use keyboard shortcuts, you can hold down the ‘Cmd’ or ‘Ctrl’ key and the ‘+’ key on your keyboard at the same time. Press the ‘+’ key repeatedly to enlarge the text. The % size will show at the top of the browser next to where the website address is showing. If you need more details about your particular browser, click one of the links below.

You need to check that you can complete all tasks with the font magnified to 200% for your website to be accessible (WCAG 2.1 level AA).

Help! I can’t see my website updates

How to reload or refresh your page if you can’t see your updates

Sometimes you may find that you have made changes to your web page and you have a look at the page on the live site and can’t see the changes you have made. The reason you aren’t seeing the latest version of the website is most likely because you are viewing a ‘cached’ version.

Everybody’s browser stores a copy of any sites visited so that it can load them more quickly if they revisit the same site. This is called the cache. Exactly how this is set up depends on the browser and the settings on the user’s computer.

The way to make sure you are seeing the latest version of the web page is to reload or ‘refresh’ the page.

You can reload the page by pressing CTRL + F5 at the same time (or Cmd + R on a Mac) on your keyboard. Alternatively you can click the icon that appears to be an arrow going round in a circle that is usually on the top bar of your browser. We’ve outlined the button in red on the screenshots below.

Reload your web page in Google Chrome

[Screenshot: reload page - chrome]

Refresh your web page in Firefox

[Screenshot: reload page - firefox]

Reload web page in Internet Explorer

[Screenshot: reload page - internet explorer]

Another way to check if the changes you have made have been applied is to have a look at your site using a different browser, or a different device, for example your phone. If you can see the changes then they have been applied and it is because your most commonly used browser is showing you a previously stored version.

Very occasionally, you may need to clear the cache on your browser to see your changes. How you do this depends on which browser you are using. You can read about how to do that here: https://wiredimpact.com/blog/clear-cache-see-website-updates/

Website accessibility for local councils: 4 things to start doing now

Compliance with website accessibility regulations (WCAG 1.2 AA standard) will become mandatory for all town, parish and community councils in September 2020. This is going to mean changes in the way you publish information online, as well as in the way you write your web pages and documents such as minutes and agendas.

Here are 4 things to start doing now.

Structure your documents correctly

Make sure that you are using proper markup to style your headings. You need to do this because some users with visual impairments use ‘screen readers’ to read out the text for them. These screen readers will often jump through the list of headings so that they can quickly find the information they are looking for – in the same way non visually impaired users will quickly scan the headings on a page.

If you style your headings just using the normal font but making it larger or bold, the screen readers will not recognise them as headings.

If you are using WordPress, you can tell if the headings are styled correctly by opening up the page in the editor and clicking on the headings. The drop-down box at the top of the screen should show ‘Heading 2’ or ‘Heading 3’, rather than ‘Paragraph’ when you have a heading selected. If it doesn’t, simply select the heading that you would like to apply to the text, then click ‘Publish’ to save your changes.

Use descriptive links

Check that links clearly state what they are linking to. This is important because users viewing your site using screen readers will frequently scan through just the links on the page. This means that they don’t have the surrounding text to explain where the link is going to. So for example instead of a link saying ‘Agenda’ you should set up a link saying ‘Agenda 3 March 2019’.

How to write good link text

  • Put the most important words at the front of the link. For example, use ‘website accessibility – further information’ instead of ‘click here for more information about website accessibility’
  • Make sure the links make sense if viewed in isolation
  • For links that lead to information, use text about that information in the link
  • For links that take visitors to a page where they will complete a task, begin the link with a verb. For example: ‘contact us’
  • Where possible use the title of the page you are linking to as the link text
  • Don’t use the same link text to link to different places
  • Think about visitors with reduced motor skills and don’t make the link too small as it will be difficult to select. One word links aren’t ideal for these users.

Save files in accessible PDF/A format

All office files that were created after 23rd September 2018 need to be accessible. This means that if you have saved them as PDF files, they must be saved in the accessible version of PDF which is PDF/A. You can read more about how to do that here: How to save Word documents in accessible PDF/A format

PDF/A format is a version of PDF. In order for a document to be accessible by screen readers it needs to have ‘tags’ and ‘searchable text’.

  • Tags are elements that structure the page. For example there are tags for paragraphs, headings, lists, table and images. These tags enable users using screen readers to quickly and easily navigate the page content.
  • Searchable text means that text is embedded in the pdf, rather than the text existing as an image (for example a scanned form). If you’re not sure, open your pdf and try to drag and select the text. If you can do that it is searchable.

Older documents that were published before September 2018 do not need to be accessible unless they are essential for the council’s services. However you should state this in your accessibility statement and provide an alternative means of users being provided with that information on request.

Write in simple language

When you are writing it is important to think about making your information – whether it’s web pages or pdf minutes – accessible to users with cognitive impairments. These include visitors who may have difficulties with memory, comprehending and reasoning or users with adaptive behavior impairments, for example users with dementia, dyslexia or autism.

You should:

  • Write in plain English
  • Use short, simple sentences
  • Do not use long or complicated words
  • Break up long blocks of text into headings/bullets/short paragraphs
  • Don’t use figures of speech
  • Don’t use footnotes
  • Don’t expect users to remember information from previous pages

How to set up a Twitter Account

Twitter is a very good way to keep in touch with your local community. It enables you to post messages to your followers and keep them informed about what is happening in your town, parish or community council.

These messages are called ‘Tweets‘ and are limited to 280 characters. You can also post pictures or short videos.

To set up a Twitter account, go to https://twitter.com and click the blue button on the right of the screen that says ‘Sign up‘.

On the next screen you will be asked for your name and phone number. You should use the name of your council as the Name. If you don’t want to add your phone number, you can use your email instead. Don’t worry these won’t be displayed publicly.

The next screen, ‘Customize your experience‘, has some settings that are optional.

Step 3: Create your account – just click the blue ‘Sign up‘ button at the bottom of this screen to set up your account. You will be sent a verification code, either to your phone or email, depending on which one you used to register in step 2. Enter the verification code and click the ‘Next’ blue button at the top right of the screen.

Note: if you copy and paste the verification code, be careful not to pick up any spaces at the end of the code – if you do, you will get a message saying the code was incorrect.

On the next screen you will be asked to add a Password.

The following screens will let you pick a profile picture and add a short description. You can click the ‘skip for now’ link if you don’t have one and add this later.

The screen asking ‘What are you interested in‘ will show different options you can select. Twitter will show you suggestions of accounts to follow based on your choice here. Again you can click the ‘Skip for now‘ link.

The ‘Suggestions for you to follow‘ screen will show popular accounts that you may wish to follow. If there are any that interest you, just click the ‘Follow‘ button next to the account. Don’t worry, you can add more people/accounts to follow at a later date, or can ‘unfollow’ accounts you have followed. Click the ‘Next‘ button when you are ready to move on.

The next screen allows you to turn on notifications. This will allow Twitter to send you an email or phone notification when certain events happen, such as when someone follows you or comments on your tweets. You have the option to ‘Allow notifications’ or ‘Skip for now‘. Again, you can change these settings at a later date.

Finally you will be directed to your home screen. This has Home at the top and a box that says ‘What’s Happening‘. To write your first tweet, just click in the box. When you are happy with your tweet, click the blue ‘Tweet‘ button.

In the next couple of months we’ll go into more detail about how to optimise your account and how to grow your following.

Website Accessibility (WCAG 2.1 AA) for Town and Parish Council Websites

What is WCAG 2.1 AA website accessibility?

WCAG 2.1 AA is the minimum standard of website accessibility that public sector websites must meet.

Making a website accessible means ensuring that it can be used by as many people as possible. At least 1 in 5 people have an impairment or a disability including those with:

  • Impaired vision – for example, blind or partially blind
  • Motor difficulties – for example, users who may have problems using a mouse
  • Cognitive impairments – for example, users with autism or learning disabilities
  • Impaired hearing – for example, deaf or hard of hearing

As website editors for local councils, the two main groups you need to consider are those with impaired vision who may be reading your site using a screen reader or magnification and users with cognitive impairments. Your website designer should make sure that your site works for users with motor difficulties. Users with impaired hearing will not have problems using your site, unless your town, parish or community council website uses sound or video.

We go into more detail here: Website accessibility – what is it and why does it matter?

We have also published some handy pictorial guides here: Website Accessibility Dos and Don’ts – a pictorial guide

Who needs to comply?

All local authorities need to meet the regulations unless they are exempt. That includes all town, parish and community councils.

If you feel that full compliance would be a disproportionate burden on the council, you need to explain why in an accessibility statement and state how users can obtain the information in an accessible format.

So, for example, a local council that has already published a lot of historical minutes in PDF format might find that converting them all to accessible PDF/A format presents a disproportionate burden. However, going forward, you need to make sure that all information is published in an accessible format as soon as you are able.

You can read more about applying for exemption here: Website accessibility regulations – applying for exemption

When must you comply by?

For new websites that were created on or after 23 September 2018, you need to meet accessibility standards by 23 September 2019.

For websites that were created before 23 September 2018 you need to ensure that your website meets accessibility standards by 23 September 2020.

What do you need to do?

Ensure your web pages are accessible

Make sure your writing is easy to understand, that your information is well structured and that your pages don’t use complicated layouts. That includes writing in short sentences and structuring your pages using headings or bullet points, for example. You can read more here: How to write accessible web pages

Accessible formatting for web pages

You should make sure that the way you style your pages does not make them less accessible. Common issues that make pages harder to read and therefore less accessible include writing in uppercase, using underlining (other than for text links) and centered text (unless used sparingly – as an example, for headings.)

Other parts of your web pages

If you publish images on your site or have links to other pages in your site or other websites, you also need to make sure they are accessible. We’ll be writing more about that later.

Ensure your file attachments are accessible

Most councils publish a lot of documents in PDF or Word format. These might include minutes, agendas, financial information and other documents. Making these files accessible is twofold – you must write and structure the document in an accessible way and you must then save it in an accessible format. You can read more here:

Guide to writing documents that are accessible

Making PDF files accessible

How to save Word documents in accessible PDF/A format

Accessibility statement

You need to have an accessibility statement that details how your website complies with accessibility regulations. You can read more about it here: Developing an Accessibility Statement

Accessibility of your website framework

As well as what you need to do to make sure your website content is accessible, there are also lots of things your web designer needs to do to ensure the framework and design of your site is accessible. This includes making changes to the coding of the pages to enable them to be read more easily by screen readers, making sure the design works for users with impaired vision and that it is flexible enough to be viewed with the text enlarged and ensuring the coding of the contact form is accessible.