
The FCCN unit team clarifies cybersecurity details regarding the use of Colibri, after several news reports of security flaws in the Zoom platform.
Over the past few weeks, the media have carried several reports of cybersecurity issues related to the Zoom platform. The privacy of this application is also currently being called into question because of its heavy use. To address these problems, sessions now require a password to access meetings. Users are also advised to apply the security measures made available on the platform itself. These include not using a personal identification for meetings, but rather the option that generates an identification automatically. The waiting room functionality should be activated and closed as soon as all participants are present. Finally, disable the screen sharing feature for non-hosts and disable the file download and annotation features in the chat.
Since the Colibri collaboration service is based on the Zoom platform, the FCCN Unit clarifies the following regarding the security levels of this service:
▪ The manufacturer has responded swiftly by making seven new software updates available during April, as well as changing default settings to address the identified shortcomings. It is important that users install these updates on their devices.
▪ The Colibri platform provides access via federated authentication (RCTSaai). Users who access Zoom this way use their institutional account through federated authentication. This access is safeguarded by the fact that credentials are validated at the institution itself and not in the Zoom database.
▪ The FCCN unit took several measures to mitigate the reported problems and reinforced its communication to the community, so that users adopt the security measures available to protect themselves while using the platform.
▪ During March and April, more than 203,000 Colibri sessions were held, and only two instances of abusive entry to meetings were reported, both of which could easily have been avoided by following the recommendations listed above.
▪ Many of the reported situations can happen on any collaboration platform and do not exempt users from exercising caution.
▪ Zoom personal account users should exercise extra caution and change passwords frequently. Using the same password to access multiple services should be avoided as much as possible.
The protection of personal data is a very important value in today's legal system, as is clear from the GDPR and GÉANT's Code of Conduct on data protection. These documents set the standard for user protection and privacy in the higher education and research sector.
The service's privacy policy can be consulted at: https://videoconf-colibri.fccn.pt/doc/service-policy
As a source of constantly updated information on this topic, we suggest that you consult the website: https://videoconf-colibri.fccn.pt/doc/secure. Through this page, all problems may be reported immediately to FCCN. Any question or request for support on the platform may also be made to colibri@fccn.pt and security incidents should be reported to info@cert.rcts.pt.
FCCN has responded to all support requests related to these cases, addressing the topic in webinars and publishing best practices. A Metared Portugal webinar dedicated exclusively to the topic is also planned. Whenever intrusions occur, they should be reported to the competent authorities, so that those who abusively enter meetings to disrupt them, to commit crimes of apology for violence, or to steal private and privileged information can be identified and punished.
