
This week in privacy

The hacking of heiress Paris Hilton's cell phone reveals that two things were missing: privacy and security.

Steven Musil Night Editor / News
Among all the juicy details found in Paris Hilton's cell phone, two items were missing: privacy and security.

Hilton, the hotel heiress who shot to prominence after starring in a home video that became an Internet phenomenon, found herself again exposed on the Net when the contents of her cell phone were published on the Web. The content included the phone numbers of the socialite's friends, such as rapper Eminem, actor Vin Diesel, actress Lindsay Lohan, singers Christina Aguilera and Ashlee Simpson, and tennis players Andy Roddick and Anna Kournikova.

A representative for T-Mobile confirmed that information from Hilton's T-Mobile Sidekick has been posted online, but it's unknown whether the information was accessed via hacking or use of the password. The Sidekick allows owners to make phone calls, surf the Web, take pictures, and send e-mail and instant messages. It uses an online server to store at least some information, including phone numbers.

A mass-mailing e-mail worm promising explicit pictures from Hilton's video took to the Web soon afterward, quickly becoming the third most commonly encountered virus. The new Sober variant sends itself in German and English, using a variety of subject lines, including "Paris Hilton, pure!" and "Paris Hilton SexVideos."

While the FBI investigates the suspected Hilton hacking, it is also warning about malicious e-mails designed to appear as if they were generated by the law enforcement agency.

The mail is disguised as correspondence warning people that their Internet use has been monitored by the FBI's Internet Fraud Complaint Center and that they have "accessed illegal Web sites." The e-mails then direct recipients to open the virus-laden attachment to answer a series of questions.

Hilton was not alone in Web woes. Personal data for more than 20,000 people was exposed by two security holes on PayMaxx's automated W-2 site. The security issues could allow anyone to view the W-2 forms generated for employees of PayMaxx's clients for the last five years, according to a former PayMaxx customer who discovered the flaws.

The alleged problems came to light after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.
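The "add one to the ID number" problem described above, as an added sketch that is not from the original article and is not PayMaxx's code: a lookup that trusts the ID in the link, the same lookup with an ownership check, and a log check for accounts requesting forms that are not theirs. All names, IDs and records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (hypothetical): form ID -> (owner account, contents)
W2_FORMS = {
    1001: ("alice", "W-2 for Alice, 2004"),
    1002: ("bob", "W-2 for Bob, 2004"),
    1003: ("carol", "W-2 for Carol, 2004"),
}


def fetch_w2_unchecked(form_id):
    """Weak pattern: the ID from the link is the only thing consulted."""
    return W2_FORMS[form_id][1]


def fetch_w2_checked(session_user, form_id):
    """Hardened pattern: the logged-in account must own the requested form."""
    record = W2_FORMS.get(form_id)
    # Same error for "no such form" and "not yours", so replies do not
    # reveal which ID numbers exist.
    if record is None or record[0] != session_user:
        raise PermissionError("form not available for this account")
    return record[1]


def flag_id_walkers(access_log, threshold=3):
    """Return accounts that asked for `threshold` or more distinct forms
    they do not own (the trace left by stepping through ID numbers)."""
    foreign = defaultdict(set)
    for session_user, form_id in access_log:
        record = W2_FORMS.get(form_id)
        if record is None or record[0] != session_user:
            foreign[session_user].add(form_id)
    return sorted(u for u, ids in foreign.items() if len(ids) >= threshold)


# Constructed access log: (logged-in account, requested form ID)
SAMPLE_LOG = [
    ("alice", 1001), ("bob", 1002), ("bob", 1003),
    ("mallory", 1001), ("mallory", 1002), ("mallory", 1003),
]

if __name__ == "__main__":
    print(flag_id_walkers(SAMPLE_LOG))
```
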

Meanwhile, a convenient voice mail feature has likely opened up many T-Mobile subscribers' voice mail boxes to unauthorized attackers armed with a simple hack. The attack could be used to download a person's voice mail or take control of the victim's voice mail functions, provided the attacker knew the subscriber's phone number.

T-Mobile acknowledged the problem, but said that the solution is simple: Users should set their voice mail to require passwords.

Serious security flaws in self-publishing tools used by millions of people on the Web are being exposed by hackers using blogs to infect computers with spyware. Security experts said malicious programmers can use JavaScript and ActiveX to automatically deliver spyware from a blog to people who visit the site with a vulnerable Web browser.

Spyware tools also have been hidden inside JavaScript programs that are offered freely on the Web for bloggers to enhance their sites with features such as music. As a result, bloggers who use infected tools could unwittingly turn their sites into a delivery platform for spyware.

The problem affects only Web surfers using Microsoft's Internet Explorer who fail to choose the browser's highest security settings.