The FCCN team clarifies cybersecurity details regarding the use of Colibri, following several news reports of security flaws in the Zoom platform.

Over the past few weeks, several news stories have circulated in the media reporting cybersecurity problems with the Zoom platform. Currently, the privacy of this application is also at risk due to high usage traffic. To circumvent these issues, sessions have begun to require passwords to access meetings. Users are also advised to apply the security measures provided by the platform itself. These include not using a personal ID for meetings, but rather the option that automatically generates one. The waiting room feature should be enabled, and the meeting should be closed once all participants are present. Finally, screen sharing should be disabled for non-hosts, and the file download, annotation and chat features should be disabled.

Since the Colibri collaboration service is based on the Zoom platform, the FCCN Unit clarifies the following regarding the security levels of this service:

▪ The manufacturer reacted quickly by making available seven new software updates during the month of April, and changed default settings to address identified gaps. It's important that users perform these updates on their devices.

▪ The Colibri platform offers access via federated authentication (RCTSaai), which lets users sign in to Zoom with their institutional account. This access is safeguarded by the fact that credentials are validated within the institution itself, not in the Zoom database.

▪ The FCCN unit took several measures to mitigate the reported problems and reinforced its guidance to the community, so that users adopt the security measures available for protection while using the platform.

▪ During March and April, more than 203,000 sessions took place on Colibri and only two cases of unauthorized entry into meetings were reported, both of which could have been easily avoided by following the instructions listed above.

▪ Many of the situations reported can occur on any collaboration platform and do not exempt users from taking care.

▪ Users of personal Zoom accounts should be extra vigilant and change their passwords frequently. Using the same password to access multiple services should be avoided as much as possible.

The protection of personal data is a highly relevant value in the current legal system, as is clear from the GDPR and from the GÉANT Code of Conduct on data protection. These documents constitute the standard for user protection and privacy in the higher education and research sector.

The service's privacy policy can be consulted at: https://videoconf-colibri.fccn.pt/doc/service-policy

As a source of constantly updated information on this topic, we suggest consulting the following page: https://videoconf-colibri.fccn.pt/doc/secure. Through this, all problems can be reported immediately to FCCN. Any questions or support requests regarding the platform can also be made to colibri@fccn.pt and security incidents must be reported to info@cert.rcts.pt.

FCCN has responded to all requests for support related to these cases, addressing the issue in the webinars and publishing best practices. A webinar from Metared Portugal was exclusively dedicated to this topic. Whenever intrusions occur, they must be reported to the appropriate authorities, so that those who enter meetings inappropriately to boycott them, commit crimes that promote violence, or steal private and privileged information can be identified and punished.
