Slack Warns Investors It's a Target For Nation-State Hacking (vice.com) 57
Slack said it faces threats from "sophisticated organized crime, nation-state, and nation-state supported actors" in an S-1 securities registration form published online Friday. An anonymous reader shares this report from Motherboard:
The document says that these threats from organized crime and nation-states actors and affiliates are alongside "threats from traditional computer 'hackers', malicious code (such as malware, viruses, worms, and ransomware), employee theft or misuse, password spraying, phishing, credential stuffing, and denial-of-service attacks."
These threats are impossible to entirely mitigate, according to the document.
The S-1 filing does not claim that an attack from organized crime, nation-state, or nation-state affiliate actually happened. Rather, it just says that threats from these actors present an active risk to the company. Slack was breached in March 2015, as the company points out in its S-1 filing. For four days, an unknown person or group of people had access to Slack information that included "user names, email addresses, encrypted passwords, and information" and phone numbers stored by the company. Slack introduced two-factor authentication to its services following the incident.
The article also points out that Slack doesn't have end-to-end encryption, and that "in some cases, it's possible for your boss to download and read your entire Slack history without your knowledge."
These threats are impossible to entirely mitigate, according to the document.
The S-1 filing does not claim that an attack from organized crime, nation-state, or nation-state affiliate actually happened. Rather, it just says that threats from these actors present an active risk to the company. Slack was breached in March 2015, as the company points out in its S-1 filing. For four days, an unknown person or group of people had access to Slack information that included "user names, email addresses, encrypted passwords, and information" and phone numbers stored by the company. Slack introduced two-factor authentication to its services following the incident.
The article also points out that Slack doesn't have end-to-end encryption, and that "in some cases, it's possible for your boss to download and read your entire Slack history without your knowledge."
Goodbye insurance money! ;) (Score:1)
Bad wording there.
Then again, I'm very happy I never have to use Slack again.
Re: (Score:1)
Slack is what some turds did after they killed Glitch.
Re: (Score:1)
Slack is IRC for techbro MBAs.
What's so great about persistent chat history? (Score:1)
The main complaint about IRC vs. Slack/Discord/whatever seems to be that IRC doesn't support persistent, server-side chat history. But I've not heard any compelling justification for why that's so important, only that it's nice to have context for a conversation after joining a new channel. So... lurk a few minutes to see what's being discussed? Chit-chat is inherently transient, persistent logs of everything is just a bad idea for privacy, protocol complexity, resource requirements, ...
Personally I think i
Re: Confessions Of A Slack Hater (Score:2)
As the Slack experience seems to get demonstrably worse the more contacts, messages, and workspaces you have, then it sounds like Slack is about to hit a critical wall.
Re: (Score:2)
In our (small) organization, Slack has completely supplanted internal email. Sure, there are some channels for idle chit-chat that really don't need persistent history, but most private conversations and many technical-oriented channels need their full history.
Your use-case is not the only one.
Re: (Score:2)
I'm in a small organization (50 or so people). It's got to the point where the persistent history is worthless because I can never find anything in it. Everyone just assumes I know every bit of knowledge they ever dropped on Slack over the last two months. So, now I can go on Slack and ask them about it, adding even more noise to problem and making the whole system worse. Or I can just get up and walk to their desk and ask them, which is what I usually end up doing.
A messaging app that compels me to get
Re: (Score:1)
I'm in a small organization (50 or so people). It's got to the point where the persistent history is worthless because I can never find anything in it.
This is more-or-less why Wikis were created. Persistent discussion threads inevitably fill with too many questions and cruft to be meaningful resources.
*gasp* (Score:2)
It's almost as if software should be built around security instead of the other way around. -_-
Re: (Score:2)
Security grade doesn't even really exist, probably because nobody has found a way to make the easy money off it yet.
No it's because none of those paranoid motherfuckers want to talk to anyone or be talked to by anyone.
Translation: our security is bad (Score:3)
And we know it and we don't want to fix it because it would be too expensive. Stay away from that company, their leadership has basically given up on the product improvements and is just looking to either ride or sell it out.
It's very easy to mitigate a nation-state attack. They are knowledgeable enough to exploit anything a criminal can do but they're not anything special. Even the NSA's exploits were mitigated with already known best practice (like partitioning your network, proper roles and not hanging your network directly on the Internet without a basic firewall). Governments don't have some secret knowledge unless you give them your keys.
Re: Translation: our security is bad (Score:2)
Limited liability corporations already have that. This is more about future legal expenses.
The opposite:We take the threat seriously (Score:5, Interesting)
The regulation S-K disclosure lists which threats / risks the management believes are significant.
Any similar company faces that risk of an attack, not all of them take it seriously. For a company that provides corporate communications, failing to list the cyber attack as something which could significantly impact the company would indicate management thinks "it will never happen to us". Risks listed on the S-K are things that the C suite and board are paying attention to.
As a security professional, seeing that Slack executives see IT security as a serious business risk which deserves real investment is a very good sign.
My own knowledge of Slack security is this:
I work for a large company, with $21 billion in annual revenue. They've been spending significant money on IT security, hiring some very good security people. The very smart security people at my company selected Slack as one of our internal communication tools for the security team. I know they looked at the security of Slack before they selected it, and I have every reason to believe they did a good job of considering Slack security. I may eventually do my own threat model and security analysis of Slack, but until then I trust that my boss and the CISO chose wisely.
And yet... (Score:2)
The gears turn exactly once when corporations decide that they need a messaging platform for their employees. Nice monoculture they're setting up.
Security registration form for heavens sake (Score:4, Insightful)
The whole point is that if Slack has to spend money on any such threat, the shareholders can't sue them because they didn't announce it can happen. There's probably also a clause "we might be sued for any actual or imagined wrongdoing".
Profits (Score:1)