
Slack Warns Investors It's a Target For Nation-State Hacking (vice.com) 57

Slack said it faces threats from "sophisticated organized crime, nation-state, and nation-state supported actors" in an S-1 securities registration form published online Friday. An anonymous reader shares this report from Motherboard: The document says that these threats from organized crime and nation-state actors and affiliates are alongside "threats from traditional computer 'hackers', malicious code (such as malware, viruses, worms, and ransomware), employee theft or misuse, password spraying, phishing, credential stuffing, and denial-of-service attacks."

These threats are impossible to entirely mitigate, according to the document.

The S-1 filing does not claim that an attack from organized crime, a nation-state, or a nation-state affiliate actually happened. Rather, it just says that threats from these actors present an active risk to the company. Slack was breached in March 2015, as the company points out in its S-1 filing. For four days, an unknown person or group of people had access to Slack information that included "user names, email addresses, encrypted passwords, and information" such as phone numbers stored by the company. Slack introduced two-factor authentication to its services following the incident.

The article also points out that Slack doesn't have end-to-end encryption, and that "in some cases, it's possible for your boss to download and read your entire Slack history without your knowledge."
  • by Anonymous Coward

    Bad wording there.

    Then again, I'm very happy I never have to use Slack again.

  • The main complaint about IRC vs. Slack/Discord/whatever seems to be that IRC doesn't support persistent, server-side chat history. But I've not heard any compelling justification for why that's so important, only that it's nice to have context for a conversation after joining a new channel. So... lurk a few minutes to see what's being discussed? Chit-chat is inherently transient; persistent logs of everything are just a bad idea for privacy, protocol complexity, resource requirements, ...

    Personally I think i

    • In our (small) organization, Slack has completely supplanted internal email. Sure, there are some channels for idle chit-chat that really don't need persistent history, but most private conversations and many technical-oriented channels need their full history.

      Your use-case is not the only one.

      • by reanjr ( 588767 )

        I'm in a small organization (50 or so people). It's got to the point where the persistent history is worthless because I can never find anything in it. Everyone just assumes I know every bit of knowledge they ever dropped on Slack over the last two months. So, now I can go on Slack and ask them about it, adding even more noise to the problem and making the whole system worse. Or I can just get up and walk to their desk and ask them, which is what I usually end up doing.

        A messaging app that compels me to get

        • I'm in a small organization (50 or so people). It's got to the point where the persistent history is worthless because I can never find anything in it.

          This is more-or-less why Wikis were created. Persistent discussion threads inevitably fill with too many questions and cruft to be meaningful resources.

  • It's almost as if software should be built around security instead of the other way around. -_-

  • by guruevi ( 827432 ) on Sunday April 28, 2019 @12:09PM (#58505500)

    And we know it and we don't want to fix it because it would be too expensive. Stay away from that company, their leadership has basically given up on the product improvements and is just looking to either ride or sell it out.

    It's very easy to mitigate a nation-state attack. They are knowledgeable enough to exploit anything a criminal can do but they're not anything special. Even the NSA's exploits were mitigated with already known best practice (like partitioning your network, proper roles and not hanging your network directly on the Internet without a basic firewall). Governments don't have some secret knowledge unless you give them your keys.

    • by raymorris ( 2726007 ) on Sunday April 28, 2019 @01:05PM (#58505790) Journal

      The regulation S-K disclosure lists which threats / risks the management believes are significant.

      Any similar company faces that risk of an attack; not all of them take it seriously. For a company that provides corporate communications, failing to list a cyber attack as something which could significantly impact the company would indicate management thinks "it will never happen to us". Risks listed on the S-K are things that the C suite and board are paying attention to.

      As a security professional, seeing that Slack executives see IT security as a serious business risk which deserves real investment is a very good sign.

      My own knowledge of Slack security is this:
      I work for a large company, with $21 billion in annual revenue. They've been spending significant money on IT security, hiring some very good security people. The very smart security people at my company selected Slack as one of our internal communication tools for the security team. I know they looked at the security of Slack before they selected it, and I have every reason to believe they did a good job of considering Slack security. I may eventually do my own threat model and security analysis of Slack, but until then I trust that my boss and the CISO chose wisely.

  • The gears turn exactly once when corporations decide that they need a messaging platform for their employees. Nice monoculture they're setting up.

  • by gnasher719 ( 869701 ) on Sunday April 28, 2019 @12:55PM (#58505740)
    That's the kind of form where you register every single possible threat to your business that might possibly happen. Anything that happens that you didn't register here can lead to shareholders suing you, so you register even the most absurd things.

    The whole point is that if Slack has to spend money on any such threat, the shareholders can't sue them because they didn't announce it can happen. There's probably also a clause "we might be sued for any actual or imagined wrongdoing".
  • Software is built for profit, not for security. Until companies are sued in a big way for their security lapses, they won't take customers' security seriously.
