As I was out walking last night to take a break from looking at my computer screen, I had a rather long conversation with a neighbor of mine. We talked about what we do for a living, and he said that he actually does the geometrical layouts for the railroad tracks here on the UP-W in the western burbs of Chicago. Naturally, my ears perked up . . . math? I’ve got to hear about this.
He said that there was really nothing you had to understand about geometry to do his job, as everything was done on the computer. But still, I said, you have to have some background.
So the conversation turned to what I did, and after that he brought out a book that he had been reading, which was all about Web 3.0 and the metaverse. I told him that it was amazing how far we have come in terms of technology, and what more is yet to come.
Then I posed to him this question: How did we do it in the 80’s and 90’s when
there was no Google or wireless devices?
He gave a very candid answer: we were forced to talk to each other face to face, and communicate that way.
That statement got me really pondering, and kept me up for
the good part of the night. Really, how
did we do it? What was the first form of
digital communications that we used? I remember
getting my first cell phone back in 2001, but the first true digital
communications I have ever used was Yahoo Messenger.
I used it for a very long time, as did my other geek friends, until Yahoo discontinued it a few years ago. Why they ever did that, I don’t know. It was really a great tool, albeit clunky. Since then, hundreds of other Instant Messaging (IM) tools have popped up, many of which now come bundled with Zoom, Microsoft Teams, WebEx, etc. The only standalone IM tool that I know of which is still available is Slack. I used it for a brief stint I had as a Proposal Writer.
My first impressions were that it was rather cumbersome to set up and use at first, but once I was forced to use it (as you can tell, I am not a lover of technology) it seemed OK. I really saw no difference between it and Yahoo Messenger, except that it came with a lot of bells and whistles. Honestly, I would much rather use the IM chat in Teams than Slack.
But one thing I did not realize until today: while many IM platforms are closed end to end, Slack publishes its APIs and ships open-source SDKs (Bolt and slack-sdk) so that anyone can build apps and bots against it. Slack itself is still a proprietary, hosted service; what is open is the integration surface. That openness is a good thing, but it also widens the attack surface: every app installed into a workspace holds tokens and permissions that a Cyberattacker can abuse to get in.
Although I am unaware of any large-scale attack against Slack, the following are some examples of what could possibly happen:
*Spoofed messages are easy to deliver. Slack has no equivalent of an email gateway’s "this message looks suspicious" banner. A compromised account, or a member whose display name has been edited to mimic an executive or a colleague, can post a phishing link or a fake "urgent" request that arrives in a DM with no warning at all.
*Public channels go unmonitored. Any member of the workspace can join any public channel, and very few organizations watch what gets posted there. Credentials, internal URLs, and customer data pasted into a public channel are exposed to every account in the workspace, including one an attacker has taken over.
*Custom apps are a supply-chain foothold. Slack lets you build your own apps against its Web API and Events API. The APIs are documented publicly and the SDKs are open source, but that does not mean anyone has reviewed the security of your app or kept its dependencies patched. An app requests OAuth scopes (for example channels:history, files:read, users:read.email) and holds a bot or user token; a malicious or compromised app therefore runs with whatever access you granted it, the same pattern of trusting third-party code that made the SolarWinds compromise so damaging.
*Message history is yours to manage, not Slack’s. Workspace history, exports, and audit data are accessible only to the workspace’s own owners and admins; Slack’s security team does not review your conversations for you. Once a retention policy or a user deletes a message, it is gone from the workspace (though copies may still survive in exports, backups, or screenshots, so nothing should be assumed truly deleted).
*Stronger identity controls cost money. Two-factor authentication is available on every plan, including the free one, but it is opt-in per user unless an owner makes it mandatory. SAML single sign-on and the audit-log API are paid-tier (Business+ and Enterprise Grid) features.
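The first bullet above is worth making concrete. The check below is an added example, not code from the original post or from Slack: it takes a constructed member list (the shape an admin might pull from a workspace export; the IDs, names and email addresses are made up) and flags display names that mimic a protected name after Unicode normalization and a small hand-picked confusables table. The threshold and the `PROTECTED` dictionary are assumptions for the example.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample directory (not real Slack data): what a member export might look like.
MEMBERS = [
    {"id": "U0001", "display_name": "Jane Doe", "email": "jane.doe@example.com"},
    {"id": "U0002", "display_name": "Jane D0e", "email": "attacker@example.net"},  # digit zero for 'o'
    {"id": "U0003", "display_name": "J\u0430ne Doe", "email": "other@example.net"},  # Cyrillic 'а' for 'a'
    {"id": "U0004", "display_name": "Bob Smith", "email": "bob@example.com"},
]

# Names worth protecting (executives, finance, IT) mapped to the user ID that legitimately owns them.
PROTECTED = {"Jane Doe": "U0001"}

# Small hand-picked table of characters that look like ASCII letters/digits. Extend as needed.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0456": "i",
})

def normalize(name):
    """Fold case, apply NFKC, map common confusables to ASCII, and drop non-alphanumerics."""
    s = unicodedata.normalize("NFKC", name).casefold().translate(CONFUSABLES)
    return "".join(ch for ch in s if ch.isalnum())

def find_impersonators(members, protected, threshold=0.85):
    """Return members whose normalized display name matches a protected name
    (similarity >= threshold) but whose user ID is not the legitimate owner."""
    hits = []
    for m in members:
        norm = normalize(m["display_name"])
        for name, owner_id in protected.items():
            if m["id"] == owner_id:
                continue  # the real owner is allowed to use their own name
            ratio = SequenceMatcher(None, norm, normalize(name)).ratio()
            if ratio >= threshold:
                hits.append({
                    "id": m["id"],
                    "display_name": m["display_name"],
                    "mimics": name,
                    "score": round(ratio, 2),
                })
    return hits

if __name__ == "__main__":
    for hit in find_impersonators(MEMBERS, PROTECTED):
        print(f"{hit['id']} '{hit['display_name']}' looks like '{hit['mimics']}' (score {hit['score']})")
```

Run against a real export, the output is a review queue for an admin, not an automatic ban list: a legitimate second "Jane Doe" does exist in large workspaces, which is why the result carries the score and the email rather than a verdict.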
So now this comes to the question: given these weaknesses, should you stop using Slack and switch to something else like Zoom or Teams? Ultimately the decision is yours and depends on what will work best for your team. But if you do continue to use Slack, keep these pointers in mind:
1)
Clearly define the public and private channels:
For example, if you have to hold a proprietary meeting with your software development team, then the choice is obvious: use a private channel. Slack already carries all traffic over TLS, so the control you actually have is membership: restrict the channel to the people who have been explicitly invited, and anybody else should be booted out, without question. Also, any sensitive material should be shared in a private channel, never a public one.
2)
Keep apps down:
Yes, apps make our lives a lot easier (or at least we like to think that they do), but given that every app runs with the access you grant it, keep the number of installed apps to the barest minimum possible and require admin approval for new ones. If you have to build your own against Slack’s APIs, request the narrowest set of OAuth scopes that works, verify Slack’s request signature on every inbound webhook so that forged requests are rejected, test the final product in a sandbox workspace, and keep the SDK and its dependencies upgraded with the latest patches.
3)
Backup, Backup, Backup:
This is probably one of the oldest mantras spoken in the world of Cyber, but it is so true. Back up everything, most especially the conversations that you are having; for Slack that means scheduling workspace exports, storing the archives somewhere access-controlled, and choosing a retention policy deliberately rather than leaving the default. Once the exports are in your own storage, the classic full, incremental, and differential backup scheme applies to them.
4)
Allow additional layers of security:
This means that you are going to have to get a paid plan. Slack encrypts data in transit and at rest on every plan, so what the paid tiers add is control over identity and keys: SAML single sign-on, enforced session limits, audit logs, and on Enterprise Grid the option to hold the encryption keys yourself (Enterprise Key Management). But keep in mind that at first glance, the pricing for Slack seems to be very reasonable, which can be seen at the link below:
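Pointer 2 says to verify Slack’s request signature on inbound webhooks. What follows is an added example of that check, not code from the original post or from Slack’s own SDKs (which do the same thing in `SignatureVerifier`). Slack signs the string `v0:<timestamp>:<raw body>` with HMAC-SHA256 keyed by the app’s signing secret and sends the result as `X-Slack-Signature` alongside `X-Slack-Request-Timestamp`; the signing secret, the five-minute replay window, and the slash-command payload below are constructed for the example.

```python
import hmac
import hashlib
import time

# Constructed secret for the example. A real app reads its signing secret from its Slack app config.
SIGNING_SECRET = b"8f742231b10e8888abcd99yyyzzz85a5"
REPLAY_WINDOW_SECONDS = 60 * 5  # reject requests whose timestamp is more than 5 minutes off

def compute_signature(secret, timestamp, body):
    """Slack's scheme: 'v0=' + hex(HMAC-SHA256(secret, 'v0:<timestamp>:<raw body>'))."""
    base = b"v0:" + str(timestamp).encode() + b":" + body
    return "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()

def verify_request(secret, headers, body, now=None):
    """Return (ok, reason) for an inbound request. `headers` holds X-Slack-Signature and
    X-Slack-Request-Timestamp; `body` is the raw request bytes, not a parsed form."""
    now = int(time.time()) if now is None else now
    ts_raw = headers.get("X-Slack-Request-Timestamp")
    sig = headers.get("X-Slack-Signature", "")
    if ts_raw is None or not ts_raw.isdigit():
        return False, "missing or malformed timestamp"
    ts = int(ts_raw)
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"  # blocks replay of a captured request
    expected = compute_signature(secret, ts, body)
    if not hmac.compare_digest(expected, sig):  # constant-time compare, no early exit
        return False, "signature mismatch"
    return True, "ok"

# Constructed slash-command payload, form-encoded the way Slack POSTs it (team and user IDs are made up).
SAMPLE_BODY = b"token=xyz&team_id=T0001&command=%2Fdeploy&text=prod&user_id=U0001"
SAMPLE_TS = 1_700_000_000

def demo():
    """Exercise the verifier with a genuine request, a tampered body, and a stale replay."""
    good = {
        "X-Slack-Request-Timestamp": str(SAMPLE_TS),
        "X-Slack-Signature": compute_signature(SIGNING_SECRET, SAMPLE_TS, SAMPLE_BODY),
    }
    tampered_body = SAMPLE_BODY.replace(b"text=prod", b"text=rm-rf")
    return {
        "valid": verify_request(SIGNING_SECRET, good, SAMPLE_BODY, now=SAMPLE_TS + 10),
        "tampered": verify_request(SIGNING_SECRET, good, tampered_body, now=SAMPLE_TS + 10),
        "replayed": verify_request(SIGNING_SECRET, good, SAMPLE_BODY, now=SAMPLE_TS + 3600),
    }

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'} ({reason})")
```

Two details matter in practice: the HMAC must be computed over the raw bytes exactly as received (re-serializing a parsed form changes the string and breaks the check), and the timestamp must be checked before the signature so that a captured, validly signed request cannot be replayed hours later.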
My Thoughts On This:
I forgot to mention this earlier in this blog: I also use another chat mechanism whenever I have to communicate with my ISP about any issues. I am forced to there, as that is the only way they will communicate (other than Email). I look at it this way: if you are going to spend 30 minutes on Slack, why not simply call the person on the phone and go over what you need to with them?
But then again, I am very old fashioned in my ways . . . .