The team at FCCN has clarified the cybersecurity details regarding the use of Colibri, following the various news reports of security flaws in the Zoom platform.
Over the past few weeks, several media reports have described cybersecurity issues related to the Zoom platform. The privacy of the application is also currently being called into question because of its high volume of use. To address these problems, sessions began requiring passwords to access meetings. Users are also advised to apply the security measures made available on the platform itself. These include not using a personal identification for meetings, but rather the option that automatically generates an identification. The waiting room functionality should be activated and closed as soon as all participants are present. Finally, disable the screen sharing feature for non-hosts and disable the file download and annotation features from the chat.
Since the Colibri collaboration service is based on the Zoom platform, the FCCN Unit would like to clarify the following regarding the security levels of this service:
▪ The manufacturer has responded swiftly by making available seven new software updates during April, as well as changing default settings to address identified shortcomings. It is important that users perform these updates on their devices.
▪ The Colibri platform provides access via federated authentication (RCTSaai). Users who access Zoom therefore use their institutional account through federated authentication. This access is safeguarded by the fact that credentials are validated at the institution itself and not in the Zoom database.
▪ The FCCN unit has taken various measures to mitigate the reported problems and has stepped up its communication to the community so that users adopt the security measures available to protect them when using the platform.
▪ During March and April, more than 203,000 Colibri sessions were held and we were informed of only two instances of abusive entry to meetings, both of which could easily have been avoided by following the recommendations listed above.
▪ Many of the reported situations can happen on any collaboration platform and do not exempt users from exercising caution.
▪ Users of personal Zoom accounts should exercise extra caution and change passwords frequently. Using the same password to access multiple services should be avoided as much as possible.
The protection of personal data is a very important value in today's legal system, as is clear from the GDPR and GÉANT's Code of Conduct on data protection. These documents set the standard for user protection and privacy in the higher education and research sector.
As a source of constantly updated information on this subject, we suggest consulting the website: https://videoconf-colibri.fccn.pt/doc/secure. All problems can be reported immediately to FCCN. Any questions or requests for support on the platform can also be sent to email@example.com and security incidents should be reported to firstname.lastname@example.org.
FCCN has responded to all requests for support related to these cases, addressing the issue in webinars and publishing best practices. A Metared Portugal webinar exclusively dedicated to the topic is also planned. Whenever intrusions occur, they should be reported to the competent authorities, in order to identify and punish those who abusively enter meetings to disrupt them or to commit crimes of condoning violence or stealing private and privileged information.