Email is still the primary medium of communication between individuals, businesses, and organizations – so it’s hardly surprising that cyber-criminals look to email as their major channel for conducting phishing and social media scams, or distributing malicious software such as ransomware.
It’s been estimated that cyber-crime will cost the world $6 trillion annually by 2021, with ransomware expected to account for over $5 billion in damage this year (2017) alone.
Aware of the dangers posed by email attacks, many organizations are looking to alternative messaging systems to cope with their confidential or sensitive data. One of the most widely used of these is Slack. But in the nature of things, it has its own issues of security, which we’ll be considering in this article.
What is Slack?
Slack is a cloud-based suite of collaboration tools and services, which was developed by Slack Technologies under Stewart Butterfield.
Originally part of the communications channel used in the development of an online game, the application suite includes instant messaging functionality which many organizations now use in preference to standard email.
Slack currently boasts around 6 million daily active users.
How is Slack Used?
The Slack environment consists of discrete workspaces, each created by a Workspace Owner who then recruits Admins (administrators) to help organize and manage the team for which the workspace has been designed. The Workspace Owner and Admins can then invite people to join, and guide them through whatever processes they’ve decided on for on-boarding team members.
Team collaboration and communication are organized through Channels, which are essentially chat rooms dedicated to particular topics, projects, business units, and so on. Within each Channel, team members may chat with each other individually or as a group.
Users are also able to upload and share files, collaborate on projects, and integrate with other apps and services such as Skype or Salesforce.
Instant communication and the ability to share knowledge and information enable team members to get rapid feedback and follow-up actions on vital projects. The platform’s newly announced channel collaboration feature also looks set to improve working practices by allowing team members in a workspace to combine their efforts in a single virtual location.
The Slack platform was designed to allow its users to easily add new applications, and this enables businesses to integrate with popular tools such as the Customer Relationship Management platform Salesforce or the Human Resources (HR) management system Workday.
In fact, it’s the very flexibility of the Slack platform, and the ease with which it integrates with external apps, that makes it vulnerable to cyber-attack. And it’s because of its popularity with commercial enterprises that it presents potential attackers with a range of high-value targets.
With its roots in software development for online gaming, Slack was originally designed for use by experienced coders and technology professionals – people with a greater awareness of what actually happens “under the hood” when different applications and platforms integrate with each other.
On the consumer market – even though those consumers may be business professionals of one kind or another – allowing the addition of external applications to Slack workspaces may introduce risks, as users may not know how these third-party applications work internally, and what kind of data they demand access to in order to function.
For example, a business software tool might make queries to a database housing sensitive company records or intellectual property. And some external applications may have been tainted with malware or (if a cyber-attacker manages to gain access to a workspace and smuggles their own software in) they may be malware, plain and simple.
The Trouble with Bots
In 2016, Slack Technologies was forced to issue a fix for a security vulnerability that came to light on the GitHub software development community. The flaw concerned some companies’ use of bots or automated scripting mechanisms developed using the Slack Application Programming Interface or API.
Though typically used to automate simple business functions like frequently used sets of commands or to return information typed into a text field, these bots contained Slack tokens – API information which (unknown to the user) could give third parties access to private Slack networks and the data that’s stored on them.
Sites like GitHub are commonly used for sharing the code behind these bots for other developers to use or adapt for their own purposes. The security flaw meant that defective Slack bots were uploading their host company’s unique API keys inside the bot code.
Slack tokens belonging to Fortune 500 companies, health-care providers, payment services, individuals, and ISPs (Internet Service Providers) were among those affected by the flaw.
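As an added example (not code from Slack or from the original article), the check below is one way to catch a hard-coded token in bot source before it is pushed to a public repository. It assumes the commonly seen Slack token prefixes (xoxb, xoxp, xoxa, xoxr, xoxs); the sample bot source, the `slack_client` module name and the token values are constructed.

```python
import re
from pathlib import Path

# Assumed token shape: "xox" + type letter (b=bot, p=user, a/r=app/refresh, s=session).
TOKEN_RE = re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}")

# Constructed sample: bot source as it might be committed. Token values are fake.
SAMPLE_BOT_SOURCE = '''\
import os
from slack_client import Client   # hypothetical module name

client = Client(token="xoxb-000000000000-CONSTRUCTEDEXAMPLEONLY")
backup = "xoxp-111111111111-222222222222-CONSTRUCTEDEXAMPLE"
safe = Client(token=os.environ["SLACK_BOT_TOKEN"])  # read at runtime, nothing to leak
# docs: tokens look like xoxb-... (placeholder, too short to match)
'''

def redact(token):
    """Keep the type prefix, hide the secret part so the report is safe to share."""
    prefix, _, rest = token.partition("-")
    return f"{prefix}-{'*' * 8} ({len(rest)} chars hidden)"

def scan_text(text, path="<memory>"):
    """Return one finding per token-shaped string, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            token = match.group()
            findings.append({"path": path, "line": lineno,
                             "kind": token[:4], "redacted": redact(token)})
    return findings

def scan_tree(root):
    """Scan every file under root (skipping .git) before the code is published."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and ".git" not in p.parts:
            findings += scan_text(p.read_text(errors="ignore"), str(p))
    return findings

if __name__ == "__main__":
    for f in scan_text(SAMPLE_BOT_SOURCE, "bot.py"):
        print(f"{f['path']}:{f['line']}: {f['kind']} token {f['redacted']}")
```

A non-empty result from `scan_tree` is a reason to block the commit, move the token into an environment variable or secret store, and revoke the exposed token.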
The Slack API and Cryptocurrency Communities
Like email, information exchanged on the Slack platform can also be subjected to ransomware attacks and other forms of message-related assault.
Within Slack communities dedicated to the trade and development of cryptocurrencies, the Slack API has also been attracting malicious activity in the form of phishing attacks. Fraudulent schemes perpetrated through mail and instant message phishing and social engineering have netted the attackers some $115m in revenue in 2017, affecting 30,000 victims.
For users, the most effective solution is to disable the Slack API. This can’t prevent phishing attacks entirely, but it will give the fraudsters an additional hurdle to overcome. And installing security software inside Slack will increase the level of protection even further.
For cryptocurrency workspaces, if a Slack instance invites users to “Create token”, the community is exposed, and steps should be taken to disable the API. If an instance says to “Request token”, then access to the API is restricted, and the community should be safe.
Measures to tighten Slack security and avoid attack address issues specific to the platform, but also include strategies borrowed from email security. They include:
- Tighten the permissions governing which application integrations are allowed, and who has control over them. This will assist in preventing malware attacks.
- Third-party organizations and services have emerged, specifically dedicated to security. The ones to seek out will conduct real-time analysis of hacking activity, and issue reports when relevant issues are detected.
- Use email security best practices for governing user behavior and methods of handling suspicious messages or file attachments.
And about those Slack bot tokens? Slack Technologies is now proactively searching for instances of affected tokens in the wild, disabling them, and sending notifications to their customers reporting on this activity.
In addition, there are third-party websites now offering free downloads of security chatbots to community members and cryptocurrency enthusiasts in Bitcoin, Ethereum, and other currencies. The tools will scout ahead on the web to check suspicious links before opening them.