Saturday, June 11, 2022

Slack Is Becoming The Dominant IM Tool - But It Is Not The Safest To Use

As I was out walking last night to take a break from looking at my computer screen, I had a rather long conversation with a neighbor of mine.  We talked about what we do for a living, and he said that he actually does the geometrical layouts for the railroad tracks here on the UP-W in the western burbs of Chicago.  Naturally, my ears perked up . . . math?

I’ve got to hear about this.  He said that there was really nothing you had to understand about geometry to do his job, as everything was done on the computer.  But still, I said, you have to have some background.

So the conversation went on to what I did, and after that, he brought out a book that he was reading, which was all about Web 3.0 and the metaverse.  I told him that it was amazing how far we have come in terms of technology, and what more is yet to come.

Then I posed this question to him:  How did we do it in the 80’s and 90’s when there was no Google or wireless devices?  He gave a very candid answer:  We were forced to talk to each other face to face, and communicate that way.

That statement got me really pondering, and kept me up for the good part of the night.  Really, how did we do it?  What was the first form of digital communications that we used?  I remember getting my first cell phone back in 2001, but the first true digital communications I have ever used was Yahoo Messenger. 

I used it for a very long time, as well as my other geek friends, until Yahoo discontinued it a few years ago.

Why they ever did that, I don’t know.  It was really a great tool, albeit clunky.  Well, since then, hundreds of other Instant Messaging (IM) tools have popped up, many of which now come bundled with Zoom, Microsoft Teams, Webex, etc.  The only standalone IM tool that I know of which is still available is what is called “Slack”.  I used that for a brief stint I had as a Proposal Writer.

My first impressions of it were that it was rather cumbersome to set up and use at first, but when I was forced to use it (as you can tell, I am not a lover of technology) it seemed OK.  I really saw no difference between it and Yahoo Messenger, except that it came with a lot of bells and whistles.  Honestly, I would much rather use the IM chat agent in Teams than Slack.

But there is one thing I did not realize until today.  While many IM platforms are built on proprietary technology, Slack has actually been created using an Open-Source platform.  While this is a good thing, it can also be a bad thing, because now the Cyberattacker has a much easier way to get in.

Although I am unaware of any large-scale attack against Slack, the following are some examples of what could possibly happen:

*It is quite easy to send spoofed messages to lure in unsuspecting users on the receiving side (other IM platforms that I know of at least send you some kind of alert if a message looks suspicious in nature).

*It has a ton of public channels that go unmonitored, which is also wide-open terrain to penetrate into.

*Slack allows you to create your own customized apps to meet your IM requirements.  But the problem here is that you have to use their APIs, which are largely open source.  Therefore, nobody has really checked whether the source code is secure, or even kept up to date with the latest patches and upgrades.  This could trigger yet another large-scale supply chain attack, perhaps even greater than that of SolarWinds.

*The log files that are kept can only be accessed by the owner of the account.  The IT Security team at Slack has no access to this (which is really surprising), and once any conversations are deleted, they are gone forever (though there is a way to get them – nothing is ever truly deleted in the digital world).

*Many of the other forms of authentication and authorization (such as MFA) are only available in their Pro plan and on up.

So now this comes to the question:  Given these flaws of Slack, should you stop using it and use something else like Zoom or Teams?  Ultimately, the decision is yours and depends on what will work best for your team.  But if you do continue to use Slack, keep these pointers in mind:

1)     Clearly define the public and private channels:

For example, if you have to have a proprietary meeting with your software development team, then the choice is obvious:  Use a private channel.  Make sure that this channel is accessed over an SSL-encrypted Internet connection, and restrict your meetings to only those who have been explicitly invited.  Anybody else should be booted out, without question.  Also, any sensitive material should be shared on a private channel, not on a public one.

2)     Keep apps down:

Yes, apps make our lives a lot easier (or at least we like to think that they do), but given the open-source nature of Slack, keep your app development on it to the barest minimum possible.  If you have to create any apps using Slack APIs, make sure you test the final product in a sandbox environment, and that the APIs used have been upgraded with the latest patches.

3)     Backup, Backup, Backup:

This is probably one of the oldest mantras spoken in the world of Cyber, but it is so true.  Backup everything, most especially those conversations that you are having.  In this regard, consider using full, incremental, and differential backups.
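To make the three backup strategies concrete, here is an added example (my own illustration, not code from the original post and not Slack's export tooling).  It assumes the exported channel transcripts are plain text files, modelled here as a constructed dict of filename to content, and shows which files each strategy would have to copy on successive days, plus how a restore is rebuilt from the chain.

```python
"""Full, incremental and differential backups of exported chat transcripts.

Added example (hypothetical, not Slack's own tooling).  A directory of
exports is modelled as a dict of filename -> content.  The three strategies:

  full         : copy every file, every time
  incremental  : copy files changed since the previous backup of ANY kind
  differential : copy files changed since the previous FULL backup

Change detection uses a SHA-256 digest of each file's content, so a file
whose timestamp changed but whose content did not is not re-copied.
Deletions are not modelled: a file removed between backups is not removed
on restore.
"""
import hashlib
from dataclasses import dataclass, field


def digest(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def changed_since(current: dict[str, str], baseline: dict[str, str]) -> dict[str, str]:
    """Files that are new, or whose content digest differs from the baseline."""
    return {name: content for name, content in current.items()
            if baseline.get(name) != digest(content)}


@dataclass
class BackupSet:
    kind: str
    files: dict[str, str]          # the files actually copied in this run


@dataclass
class BackupPlanner:
    last_full: dict[str, str] = field(default_factory=dict)  # name -> digest at last full
    last_any: dict[str, str] = field(default_factory=dict)   # name -> digest at last backup
    history: list[BackupSet] = field(default_factory=list)

    def run(self, kind: str, current: dict[str, str]) -> list[str]:
        """Perform one backup of `kind`; returns the sorted names that were copied."""
        if kind == "full":
            copied = dict(current)
        elif kind == "incremental":
            copied = changed_since(current, self.last_any)
        elif kind == "differential":
            copied = changed_since(current, self.last_full)
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        digests = {name: digest(content) for name, content in current.items()}
        if kind == "full":
            self.last_full = digests
        self.last_any = digests
        self.history.append(BackupSet(kind, copied))
        return sorted(copied)

    def restore(self) -> dict[str, str]:
        """Rebuild the latest state: the last full set, then every later set in order.

        For an incremental chain every set is needed; for a differential chain
        the later sets are supersets, so applying them in order still ends at
        the latest state.
        """
        fulls = [i for i, s in enumerate(self.history) if s.kind == "full"]
        if not fulls:
            raise RuntimeError("no full backup to restore from")
        state: dict[str, str] = {}
        for backup in self.history[fulls[-1]:]:
            state.update(backup.files)
        return state


def simulate() -> dict[str, list[list[str]]]:
    """Constructed three-day scenario run under both strategies."""
    day0 = {"general.txt": "hello", "dev.txt": "build 1"}
    day1 = {**day0, "dev.txt": "build 2"}                          # dev channel changed
    day2 = {**day1, "general.txt": "hello again", "ops.txt": "new"} # general changed, ops added

    inc, diff = BackupPlanner(), BackupPlanner()
    result = {
        "incremental": [inc.run("full", day0),
                        inc.run("incremental", day1),
                        inc.run("incremental", day2)],
        "differential": [diff.run("full", day0),
                         diff.run("differential", day1),
                         diff.run("differential", day2)],
    }
    # Both chains must rebuild the same final state.
    assert inc.restore() == day2 and diff.restore() == day2
    return result


if __name__ == "__main__":
    for strategy, runs in simulate().items():
        print(strategy, runs)
```

Running it shows the trade-off in one glance: on day 2 the incremental run copies only `general.txt` and `ops.txt`, while the differential run copies everything touched since the full backup, so differential sets grow larger but a restore needs only the last full set plus the newest differential.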

4)     Allow additional layers of security:

This means that you are going to have to get a paid plan.  When you get this, you can then throw in the additional layers of security, most notably that of encryption.  But keep in mind that, at first glance, the pricing for Slack seems to be very reasonable, which can be seen at the link below:

https://slack.com/pricing

My Thoughts On This:

I forgot to mention this earlier in this blog: I also use another chat mechanism whenever I have to communicate with my ISP about any issues.  I am forced to here, as that is the only way they will communicate (other than Email).  I look at it this way:  If you are going to spend 30 minutes on Slack, why not just simply call the person on the phone and go over what you need to with them?

But then again, I am very old fashioned in my ways . . . .
