[BreachExchange] Be careful what you write on Slack: Hackers are targeting your office gossip

Destry Winant destry at riskbasedsecurity.com
Thu Feb 7 08:27:39 EST 2019


https://www.marketwatch.com/story/why-hackers-may-soon-target-your-office-gossip-as-well-as-your-bank-account-2018-04-05

Be careful what you chat about with your coworkers — it could be costly.

Slack Technologies, the popular workplace messaging service, is moving
forward with plans to go public after garnering a $7.1 billion
valuation in August.

But there’s one issue experts say will be a major hurdle for the
company, its users and potential investors: security.

In 2017, Slack said it had detected and patched a vulnerability that
would have given hackers full access to chat histories, shared files,
and other features, Wired reported. The bug was discovered by security
company Detectify and fixed before any information was leaked.

George Avetisov, chief executive officer of security company HYPR,
said employee gossip makes Slack and other office chat programs an
appealing target for hackers.

Slack asks users to report any potential vulnerabilities. (Slack
declined to comment).

“Forget corporate espionage — workforce chat logs are often a treasure
trove of embarrassment and blackmail,” he said. “It is difficult to
police what is said in Slack discussions, especially at mid-to-large
sized organizations where dozens or hundreds of private channels are
commonplace. Criticizing management? Complaining about that demanding
customer? Jealous about a co-worker’s new desk? These are seemingly
harmless comments that a malicious third party could exploit if chat
logs ever leaked.”

Ransomware attacks — malware that encrypts data until victims pay up —
have been on the rise, and a new form of crypto extortion is also
increasing: Blackmail attacks. Hackers are going after compromising
photos, chats and emails, and demanding funds to keep them under
wraps, according to Paul Calatayud, chief security officer, Americas,
at security company Palo Alto Networks.

While consumers have traditionally considered information like credit
card and Social Security numbers to be the main targets for hackers,
the rise of ransomware attacks means everything from seemingly
inconsequential messages in chat programs like AOL Instant Messenger
to snapshots on your Google Drive could be used against you.

“There have been more attacks on data like emails and company gossip,
that may not be seen as valuable but do have value to the company’s
brand,” Calatayud said. He was speaking on a panel hosted by the
National Cybersecurity Alliance in New York. “The model has changed
from ‘How do I take this data and sell it on the market,’ to, ‘How do
I take this data and hold it for ransom and hold it against it because
you perceive it to be valuable?’”

Ransomware attacks increased 2,500% in 2017, according to computer
security company Carbon Black, and they are expected to continue to
grow. This includes extortion attacks, like the high-profile hack of
Sony in 2014. In that incident, unknown hackers held the studio’s
internal data for ransom, including gossip about celebrities, internal
drama, and even Amazon purchases. They ultimately leaked the company’s
dirty laundry publicly, costing it more than $150 million.

Such attacks can also target individual users: In September 2017, some
Apple users reported being remotely locked out of iCloud accounts
while hackers demanded payment in Bitcoin to unlock them. In July
2017, ransomware was found on Android devices, and the hackers
demanded payment and threatened to send victims’ browsing histories to
all of their contacts.

Embarrassing information discovered through such attacks could be more
dangerous to companies than a traditional hack involving stolen funds,
Dmitri Alperovitch, co-founder and chief technology officer of
security company CrowdStrike, told the NCSA panel. He said these
attacks and cybercrimes have been fueled in part by cryptocurrency.

“In the 1980s when files were encrypted and they would say, ‘Wire
money to this bank account,’ it would be easier to trace it back to
the cybercriminal,” he said. “Bitcoin and crypto have made it much
easier and much safer from the criminals’ perspective to demand
ransom.”

To address this problem, we need more regulation of cryptocurrencies,
said Choo Kim-Isgitt, head of product at EdgeWave, a cybersecurity
company that monitors email security. She said there has been a huge
uptick in attacks on email that go beyond the classic spammy links.
“Email remains the primary attack vector, but it may not be for
financial gain in the direct route we have seen in the past — it’s a
little more creative,” she said.

To protect yourself, she recommended taking basic precautions: using
strong passwords, and being careful about which messages you open.
Government agencies like the Internal Revenue Service will never email
you, and be careful about sending any money over the internet. “It’s
better to be suspicious than to regret it later,” she said.

It is traditionally recommended not to pay ransoms to avoid
incentivizing ransomware attacks, Avetisov said, but unfortunately
that doesn’t bring back your data. He recommended paying to get data
back if it’s highly sensitive, contacting law enforcement to report
the incident, and adopting strong security measures so it doesn’t
happen again.
