WebUser 01 May 2019

12 1 - 14 May 2019 Email us your security questions [email protected]

Q

How worried

should we be

about Amazon

staff listeningto Alexa

recordings (bit.ly/

alexa474)?

Jason Goulding, Facebook

A

It’s uncomfortable

enough to know

that Alexa has all

this information and that

humans have been

Outlook.com hack isworse

than Microsoft claimed

A hack that Microsoft

said affected“some”

of its users’ email

accounts has been

revealedto be much

worse than initially

thought, with hackers ableto access

messages from a large number of

Outlook.com, MSN and Hotmail

addresses.

According to Microsoft, the hackers

could have viewed ac count email

addresses,folder names and the

subject lines of emails – but not the

content of the messages or any

attachments. It’s not clear how many

webmail users have been affectedby

the breach, whichtook place during

the first three months of thisyear, or

who the hackers are, but theyweren’t

ableto steal login details or other

personal information. As a cautionary

measure, Microsoft isrecommending

listening in, but what’s

especially alarmingis the

suggestion that Amazon

allowed customers an

opt-out for Alexa sharing

their voice commands, yet

the company still went ahead

and analysed their

recordings. An opt-out

should cover all data ; and

even if people opt in, that

datashould be anonymised.

If there’s a connection

established between the

Alexa recordings and

Amazon account details,

this news is even more

concerningbecause it gives

Amazon the ability to pin

specific recordings to

identifiable individuals.

It’s important that companies

who capture data obtain

informed consent – and if

Amazon is doing this without

people realising, it is

potentially breachingGDPR.

Computers contain huge

amounts of privat e dataand

the companies providin g us

with services have massive

amounts of power at their

disp osal. We know that our

datais valuable, and we’ve

now reached a point where

the minutiae of our

everyday lives is being

captured in one form or

another. We, as consumers,

have a right to know when

this is happening – and be

given the ability to opt out.

Anyone worrie d about

this development should

check the default settings

of their Alexa device, opt

out of humanverification

where applicable and

disable any other

functionality that concerns

them. If you’re in doubt

about something, seek

advice from the relevant

company’s support team.

News about the latest threats and advice from security experts

Stay Safe Online

SECURITY ALERT! |What’s been bothering us this fortnight

Security Helpdesk|Your questions answered by security specialists

that affected usersreset their passwords.

“Microsoftregrets any inconvenience

causedby this issue,” said thecompany.

“Please be assured that Microsoft takes

data protectionvery seriously and has

engaged its internal security and privacy

teams in the investigation andresolution

of the issue, aswell as additional

hardening ofsystems and processesto

prevent suchrecurrence.”

bit.ly/outlook4 74

Hotelwebsites arefailing to

secure customer data

Two-thirds of hotelwebsites

inadvertently leak personal datato

third-partycompanies and leave their

customers vulnerableto hackers,

according to researchby Symantec.

The cybersecurity firmfound that the

majority of bookingsystems usedby

hotelscould allow scammersto access

personal information such as mobile-

phone and passport numbers.

The leakscome from theconfirmation

emails sentto

customers, which

oftencontain an

unsecured direct

link to their online

booking.The

report suggests

that anyone on the same network

could intercept the email and modify

or cancel theirreservation.

The researcherstested thewebsites

of 1,500 hotels from 54countries and

found that two in three of them –67%,

• had the problem.These security
  lapses are in breach of the EU’s GDPR
  laws, whichstate that firms must
  protect the personal data of customers.
  “Thefact that this issueexists,
  despite the GDPRcoming into effect in
  Europe almost oneyear ago, suggests
  that the GDPR’s implementation has
  not completely addressed how
  organisationsrespondto data
  leakage,” said Symantec.
  bit.ly/hotel4 74

THIS ISSUE’S EXPERT:

David Emm, Principal

SecurityResearcherat

Kaspersky Lab

(www.kaspersky.co.uk)