Posts tagged ‘security’

22 November 2010

Could your Apple iPad give away your data?

I read a blog today. The blog’s author compared the much-lauded (but in my view highly overrated) Apple iPad against laptops in general, and highlighted several features that the iPad has that laptops should emulate.

Well yes, maybe. The one that caught my eye was the issue of instant-on. “You can click the iPad’s power button and it is instantly ready to pull up a web page, calendar or email”, the blogger wrote. Yes of course we all want computers to be instantly available as soon as we press that button. Apple is very good at making devices that appear to be easy to use but which, after a few minutes’ thought — or, often, after a few hours of ownership and intensive use — turn out to be not quite so smart after all.

The only issue with instant-on is that anyone can do it. The person who steals your iPad that you carelessly left on the coffee-shop table as you order another skinny latte, or who lifts it from your bag on a crowded train or bus will have no problem turning it on and gaining instant access to your stuff: your email, your Facebook page, your passwords, personal information…. Your life.

If it never leaves the home then maybe that’s a different story. But wait: burglars can and do steal computers if they’re small enough to walk away with without looking suspicious, and I believe an iPad qualifies. Or your small (or not so small) child — or lodgers or whoever — can come along and press all sorts of buttons with neither let nor hindrance, leading to all sorts of weirdnesses.

Aren’t we lucky the iPad is so convenient?

A combination of username and password is not the most secure way of protecting data but, when balancing convenience against security, it’s good enough and should deter most thieves.

Many years ago, my IBM ThinkPad laptop was among the goodies taken away by a burglar and, about three years later, I received a phone call from someone (who purported to be and might well have been an innocent buyer) who had managed to find out where it came from and wanted the password for it.

Of course I refused, not knowing where the machine was, who had it, or what stuff that I wanted might still be on it. But I was satisfied that the ThinkPad has industrial-strength, password-protected encryption and that the data would be unavailable to whomever: they would have to wipe the disk to make any use of the machine.

So when you read that convenience is the sole criterion of value, think hard: data on portable devices can end up anywhere and instant-on could mean instant bye-bye to your personal data. So if you have one, use the password feature. It might be a little inconvenient most of the time, but it will be very convenient the one time it’s really needed.

Kroxxu botnet’s secrets revealed

Avast’s Jiri Sejtko, head of virus research at the company’s virus lab, has written a fascinating account of how he tracked down Kroxxu, a botnet based on infected websites with the aim of stealing passwords.

Since its inception in October 2009, it’s grown to become a network with over 10,000 redirectors, 2,500 PHP redirectors, and over 700 malware distribution sites. The 15 redirectors used in the longest active connection send visitors through seven countries in three continents to infectious exploits, with many of the zombie machines enduring 90 days or more.

It’s worth checking out.

9 August 2010

Can you trust a stranger?

Can you trust strangers? That really depends on the context.

I was on a crowded train recently when two fellow passengers started reading out credit card details down their mobile phones.

I had my laptop open. Had I been in a malicious frame of mind, I could have stored their credit card numbers, security codes, start and expiry dates, and their dates of birth.

Only when I couldn’t stop myself from expressing surprise that they were prepared to divulge this information to what was effectively a roomful of strangers did they pause. When I said I didn’t think it was a good idea, they agreed, and said they’d thought twice about it but decided to go ahead anyway.

Not a good decision. Interesting that, as a side issue, they trusted me when I said that but then decided not to trust everyone else in the carriage, as they stopped reading out a further card number.

Similarly, one US man decided to trust a flashing box on his screen that appeared to be offering him free money. It said he was the millionth reader and that he’d won a $1,000 gift certificate to Wal-Mart, and all he had to do was supply his email address, age, household income, years of education completed and a bunch of health questions. Phew. All for a Wal-Mart voucher.

The pay-off, as you might have guessed, was not a $1,000 voucher but, within an hour, a deluge of spam about educational opportunities, medical supplies, dating services and laptops. He tried to unsubscribe from the emails yet each day brings 20 to 40 new items.

Fortunately, as far as we know, the spam has yet to deliver more than irritation as opposed to malware — though that’s pretty likely at some point, which is when he’ll need adequate protection from good quality, regularly updated AV software.

The moral of the story is not to assume that such pop-ups are anything to do with the site you’re visiting and not to trust strangers. At least, those with whom you’re not eyeball to eyeball — in which case you’ve slightly more of a fighting chance to use your common sense to decide whether or not they’re on the level.

My fellow passengers eventually made that judgement and, fortunately for them, I didn’t record any of the information they splashed around. For their sakes, I hope none of the fellow travellers did either.

28 May 2010

About

This blog aims to bring you the latest updates on security threats that could affect your PC. Although it’s sponsored by Avast, the company has no veto over what I write. It’s designed to be practically useful, and provide helpful advice – comments more than welcome.

I’m Manek Dubash, a journalist specialising in technology over the last 25 years. I’ve edited PC Magazine UK, been deputy editor at Personal Computer World, and am now freelancing for sites including ZDNet UK.

I also work in video and audio, including direction and production for NetEvents TV, and work as an events photographer. There’s more about me here.
