The Slack Hack: How Cybersecurity Professionals Are Striving to Keep Sensitive Workplace Tools and Third-Party Apps from Being Exploited

During COVID-19, moving most workplaces to a strictly online platform became a necessity. But this process came with its fair share of troubles. One of the most notable was the prevalence of Zoom meetings getting hacked, commonly referred to as “Zoom Bombing”. Today, we are still utilizing telework and virtual platforms for most workday processes with an expected upward rise in this trend. And new research suggests that this steady increase in online work, and the associated use of third-party apps like Slack and Microsoft Teams, creates the perfect breeding ground for exploitation and infiltration via hacking. Cybersecurity professionals are now doubling down in the search for better ways to protect these, and similar, workplace tools.

Cybersecurity Risks of Third-Party Apps

Third-party applications are software developed by a party outside of the manufacturer, as opposed to official or “first party” apps from Microsoft, Google, or Apple which are backed by these companies’ guarantees and resources. Many third-party apps are, in fact, approved for use by the manufacturer despite the limited security and data protection they may provide. And some apps are not legitimate and should be avoided altogether.

Apps can be installed on your cell phone or computer by downloading them from an app store, like Google Play or the Apple Store, or external websites. They are used in conjunction with a device’s operating system to enhance the user experience or provide certain desired functionality.

There are several problems, however, with third-party apps. Between malicious apps disguised as legitimate ones, legitimate apps with poor security, insecure connections and integration, gaps in coding, and compatibility issues, there are many avenues for app hacking and exploitation.

A recent research study performed by the University of Wisconsin-Madison found that two apps in particular, Slack and MS Teams, had some of the most worrisome gaps in their app security models, especially when considering how widely spread their usage is across many workplaces.

Wired.com states that Slack and Microsoft engineers who manage these apps “allow integration of apps hosted on the app developer's own servers with no review of the apps' actual code” as well as perform only a perfunctory review for overall security vulnerabilities.

Microsoft denies these claims, stating that the protection of user data is always their number one priority, and they are looking into these findings.

Are There More Secure App Options? 

Not all apps are created equal. While most legitimate apps offer some level of user privacy and security, not all platforms employ the same, if any, encryption methods. 

End-to-end encryption (E2EE) is when data is secured in a way that prevents surveillance from outside sources, like internet providers, Wi-Fi users, a company’s IT team, and malicious actors. This type of encryption is one of the most important considerations when it comes to security, especially with text messaging or chat systems. Apps like Signal, WhatsApp, Threema, Telegram, and others are very popular in the professional environment, as they use E2EE to help ensure data encryption and user privacy. Slack does not offer E2EE functionality, and MS Teams only offers E2EE for some of its features, like one-to-one calling.

Utilizing a virtual private network (VPN) can also help protect online data. A VPN reroutes your open or password-protected Wi-Fi connection through a secure encrypted server hosted by the VPN company to add an extra level of protection to your entire online experience, and is not limited to a specific app. This is a common practice seen within the IT infrastructure of larger companies and the federal government. It is important to note, however, that no app or connection to the internet is completely immune to a cyberattack and as an online user, it is up to you to protect yourself as best as possible.

How Are Cybersecurity Professionals Securing the Workplace?

Since many workplace operations fall under the management of an IT department, employees depend on the company’s cybersecurity professionals to ensure data privacy.

According to Forbes, there are several ways to help secure an online work environment. Cyber professionals must often take an offensive cyber engineering approach to potential threats and be proactive in their research and action towards the prevention of cyberattacks.

These practices include:

• Utilizing secure cloud-based methods
• Restricting employee access to certain systems and preventing unauthorized app installs
• Researching hacking solutions and methods online to predict certain attacks
• Employing two-factor authentication and VPNs for access to computers and equipment
• Exercising cybersecurity with not only a work computer but also a home computer, which is often used for work purposes
• Creating an action plan for breaches before they occur, not after

The best prevention starts with an educated workforce and informed users. However, the need for professionals in the field of cybersecurity persists as hacking and online threats increase daily and remote work becomes more prevalent.

How to Protect Yourself When Using Apps

Luckily there are many ways to protect yourself while online and using third-party apps. For a safer virtual workplace, it is recommended that users:

• Install legitimate anti-virus software like Norton or MacAfee, keep it up-to-date, and run the recommended, periodic scans. Avoid free anti-virus found in app stores as it could be a malicious fake.
• Password-protect your Wi-Fi connection and do not connect to any open Wi-Fi connections, like those found at bookstores, coffee shops, and hotels.
• Connect to the internet using a VPN, especially if traveling, and even when at home.
• Do not open suspicious emails, attachments, or links, avoid clickbait, and use caution even if a site or email seems like it is sent from a legitimate source, like a fellow coworker.
• Only install legitimate apps after researching them on their official website, and after having a conversation or putting in a request ticket with your company’s IT team. Many apps need to be vetted before installing on a work computer or need admin permissions to install. Once installed, check the default settings to optimize privacy if possible. Apps with E2EE are best in terms of privacy.

And most importantly, an informed user is the best user. Keeping up with news stories of recent hacks and tricks being used today, staying vigilant, educating yourself in best online practices, engaging in your employer’s cybersecurity training, and using intuition and common sense are the first lines of defense when working online.

Education in Cybersecurity

If you have an interest in learning more about cybersecurity or in pursuing a career in cyber, you can further your education with Capitol Technology University. Our STEM-focused programs provide a comprehensive curriculum in this evolving field as we specialize in cyber and information security studies. We have many on-campus and online offerings for undergraduate, graduate, and doctoral students, both locally and internationally, to ensure the best overall learning experience:

• Award-Winning Programs – Our cyber programs have been nationally recognized for their academic excellence, affordability, and innovation.
• Cyber & Information Security Degrees – Our degrees explore everything from cyber science and analytics to management of technology to cyberpsychology, and more! Whatever your area of interest is, we have a program tailored for you. 
• Centers & Labs – Our centers and labs provide technical experience and networking opportunities for cyber research, security, coding, ethical hacking, critical infrastructure, space systems, women in cyber, and more.
• Summer Programs – Our Capitol Cyber Sleuths program offers educators the opportunity to learn more about cybersecurity to enhance their K-12 student curriculums.
• Cyber Saturdays – Spend a Saturday in our Cyber Lab, where you will meet with members of our faculty, staff, students, and Signal-9 Cyber Battle Team, engage in hands-on activities, and learn about our cyber programs!
• Location – Our campus is situated near the heart of the nation’s technology hub, contributing to our unique partnerships and internship opportunities that benefit our students.

For more information about a career in cyber, visit our website.

For a deeper look into finding encryption vulnerabilities in commonly used apps, view our Cap Tech Talk Webinar.