Hotspot maker Ruckus Wireless, however, has developed a kind of ad-hoc security system for open hotspots, which it plans to release next week with the next version of its access point management software. Called Open Secure Hotspot, the technology automatically generates encryption keys for any user who logs into an open Ruckus hotspot, granting them a secure connection within moments, Ruckus VP of marketing David Callisch told GigaOM.

Ruckus started out as a supplier of IPTV wireless streaming nodes and enterprise wireless LANs, over which security measures were much easier to enforce. But as Ruckus’s public access network business grew it found itself supplying more Wi-Fi gear that enterprises and service providers simply wanted open to the public, Callisch said. Those customers didn’t want their open networks turning into playgrounds for Firesheep, man-in-the-middle attackers and other internet nasties, Callisch said, so they pressed Ruckus to develop a secure form of open Wi-Fi.

The rather confusing diagram above details how the security software works, but here’s what it boils down to: Anytime an unknown user connects to an upgraded Ruckus hotspot he or she will receive the option of establishing a secure connection to the network. If the user opts in, Ruckus’s network gateway will generate what Ruckus is calling a dynamic pre-shared key, randomly generated for each device. Users can either input the key by launching an executable file sent by the gateway, or they can manually enter the key into their Wi-Fi settings.

It may not seem like the most elegant way of getting online in a hotel lobby or public square, but Callisch but it’s still a relatively simple process, and it beats the alternative – surfing the internet over a naked connection or installing virtual private network (VPN) software on the fly.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

If the accusations are true, it was one of the more successful pirate operations in history. At its peak, Megaupload saw approximately 7 percent of internet traffic and grossed over $150 million in annual revenue. But Megaupload’s incredible run ended in the fall of 2012 when the FBI forcefully took down the site and sought Kim’s extradition from New Zealand to face a litany of criminal charges.

Of course, you can’t expect to keep a guy with the last name Dotcom down, and sure enough he recently announced the relaunch of a Megaupload redux dubbed Mega. Only Mega is a security- and privacy-conscious file-sharing service that audaciously targets storage industry magnates like Dropbox and Box.net.

And loathe as some of us may be to admit it, he just may be on to something. Mega differentiates itself by embracing client-side encryption: generating and storing the keys on a user’s local machine rather than encrypting everything in the cloud. The result of such client-side encryption is not only a far more secure product – and a security practice the industry should embrace – but a significant reduction in cost and legal liability for Mega and other cloud storage providers that use this architecture.

How Mega is different

Security is one of the biggest inhibitors to cloud adoption. Yielding sensitive data to a third party over the public internet continues to be a dealbreaker for many medium- to large-scale enterprises, with their desire for privacy and concerns of regulatory and legal exposure.

In the movement to the cloud, data is exposed at two points to attack or compromise: in-flight (when it is being transmitted over the security no-man’s land of the public internet) and at-rest (when it physically sits on servers within the cloud system). In both instances there are a myriad of threats that could allow that data to be stolen or compromised.

Mega employs cryptography to protect data in-flight and at-rest. Now by all means, using encryption to protect data in-flight isn’t really game changing. Similar to most security-conscious sites, Mega wraps communication between its users with Secure Socket Layer (SSL) encryption.

But Mega is unique in its approach to handling encryption at rest. Rather than encrypting and storing keys for a client’s data within Mega’s infrastructure, Mega pushes their cryptography back to their users. So Mega users encrypt their own data prior to sending it to Mega’s servers, and store keys locally such that even Mega can’t read their data – or be forced to yield it to authorities.

While this sounds like a feature tailored solely to the needs of a company that will frequently find itself at the end of a subpoena, the desire to have users keep their own keys and send data in the form of encrypted “ciphertext” (rather than unencrypted “plaintext)” is actually one shared by mainstream small businesses and enterprises alike.

Benefit for providers

Having cloud providers hold ciphertext and having users handle their own encryption and keep their own keys makes sense on both sides of the fence.

In an architecture where customers are responsible for their own encryption and key management, significant legal liabilities are lifted from the service provider. Customers would assume personal liability for the selection and correct implementation of encryption algorithms – a critical concern for compliance regulations like PCI-DSS that incorporate strict rules on cryptography.

By having their customers manage keys locally, service providers can also significantly reduce costs. Many modern PCs incorporate a Trusted Platform Module (TPM) – a hardware device that can safely store cryptographic keys for prolonged periods of time. Storing keys locally on a TPM is relatively costless for the customer, but safely storing keys en masse in the cloud requires the use of expensive key management servers.

The cost of encryption

Encryption is also still not a costless process. By pushing customers to encrypt and decypt their own data, cloud providers can also redirect the significant compute time required to handle cryptography towards providing a higher quality of service for their customers.

For customers, sending only ciphertext to the cloud and keeping keys locally has real benefits beyond peace of mind. If a cloud services provider is ever hacked, that customer’s data will be encrypted in a way that can’t be decrypted using its service provider’s security infrastructure. There’s no master database of passwords that an attacker can break into. Customer data on the service provider remains locked in ciphertext and encrypted using one of any number of symmetric key algorithms.

It’s important to note, though, that there are consequences for moving to a client-side encryption architecture. For instance, when customers send only ciphertext to the cloud, popular means of reducing the on-disk footprint of data such as deduplication (in short, a process where copies or parts of files are deleted and data is instead “pointed” towards a single instance) are generally rendered impossible.

It’s also important to note that, for the server to dedupe data encrypted by the client, the client must yield sensitive information about the plaintext at various points during its encryption. The fact that Mega seems to perform client-side encryption with deduplication is a red flag to many security cognoscenti, and may even be a sign that Mega has more visibility into its clients; data then it otherwise claims.

Holes in Mega’s strategy

Mega’s security infrastructure is far from perfect. Their decision to handle cryptography in browser-based Javascript has already earned wide-spread criticism, and due to implementation issues in how Mega creates keys for users,  hackers could work around encryption and access plaintext data (what’s called a “side-channel attack”).

Regardless, to give credit where it’s due, Kim Dotcom’s decision to push encryption to the client is an impressively forward-thinking maneuver that should be replicated by Dropbox and other cloud storage providers. Client-side encryption makes financial and legal sense for customers and service providers, helping to enable even regulatory compliance-bound customers to embrace cloud computing at scale.

Andrew “Andy” Manoske is an Associate at GGV Capital, a Sand Hill and Shanghai-based venture capital firm. Prior to GGV, he was a product manager at NetApp and managed the design of security features across the company’s entire product line. Follow him on Twitter @a2d2.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• NewNet Q4: Platform mania and social commerce shakeout
• NewNet Q4: Platform mania and social commerce shakeout
• What Enterprise Software Vendors Could Learn from the Consumer Space

Some media outlets are celebrating Mega as a phoenix-from-the-ashes story and a triumph for technology and privacy. The content industry, however, points to the track record of Kim Dotcom to warn that his new “privacy company” is just another ruse for people who want to share content without paying for it.

Here’s a look at what the service is all about — and the legal case for and against what Mega is doing.

Mega: A super secure locker for your files (or Hollywood movies)

Mega is a successor to Kim Dotcom’s earlier venture, Megaupload, which millions of people used to upload and store their files before the site was taken down last year in a controversial raid backed by the US government.

The difference this time around is encryption. Every file that a Mega users uploads and places in the online locker is encrypted so that third parties, including Mega itself, are unable to tell if that video you are storing is your niece’s birthday or Zero Dark Thirty. Sites like Ars Technica and Torrent Freak provide a good overview of the cryptography involved but the gist of it is that Mega uses a combination of passwords and browser-based encryption to keep your files private.

While Mega is nominally a way to store your files, it can also serve as an easy way to distribute them too. A Mega user, for instance, can share a file’s URL along with the password or else simply create a URL with the password embedded within it.

An advocate or an opportunist?

In an age where governments and tech companies vacuum up vast amounts of personal data, there is an appeal to the sort of encryption that Mega offers. The company, aware of this desire for anonymity, is using its encryption as a marketing tool. On its website, the company invokes a privacy section from the Universal Declaration of Human Rights and promises to give users control over who sees their files.

While this all sounds grand in theory, it’s not clear how effective it will be in practice. As Torrent Freak notes, the privacy scheme is far from exhaustive and lets Mega keep “quite detailed records of its users, including IP addresses”.

Meanwhile, a closer look at Mega’s privacy policy also reveals several references to advertising. These include Mega’s right to collect information about your visits to the site so as to serve you ads; it also mentions Mega’s intention to sell information about its users’ (albeit anonymous) activities to advertisers.

These less-than-perfect terms suggest that Mega’s prime interest is profit not privacy. Just as ad sales and premium memberships from Megaupload allowed Kim Dotcom to blow a bundle on models and yachts, it appears “the privacy company” is likewise designed more as a money machine than a moral cause.

Mega’s See No Evil Strategy

The new Mega site is barely a day old but the content industry is already menacing it. The Motion Picture Association of America, for instance, said it is reserving judgment but cited Kim Dotcom’s history of “pushing stolen, illegitimate content into the marketplace” to say it is skeptical. Meanwhile, TorrentFreak reports that a group representing the adult entertainment industry plans to lobby Visa and others to cut off anyone that provides payments services on behalf of Mega.

These reactions are hardly surprising and, given the content industry’s history of legal overreach, one has to take their claims with a grain of salt. But given that the new Mega service is likely to be a bonanza for pirated content, it’s worth asking if the company’s strategy to avoid legal liability will hold up.

This time around, Kim Dotcom and his merry Mega men want to ward off copyright claims by pointing to the site’s encryption features to say they have no idea whether users are sharing copyrighted files or not. The site also boasts strong language that piracy is “strictly prohibited”.

Unfortunately for Mega, the site’s copyright strategy also sounds a lot like “willful blindness” — a legal concept that means you can’t avoid liability by deliberately staying unaware of what’s going on. US courts have recently taken dim views of willful blindness in both patent and copyright cases. Mega, however, has set up shop in New Zealand and the small country has so far succumbed to Kim Dotcom’s theatrics, which means the company is likely to remain open for business for the foreseeable future.

The bottom line is that Mega’s arrival puts internet users in a bind. On one hand, they can side with a company that is doing good things for privacy but that is also greedy, self-serving and manipulative. On the other, they can side with content owners who have legitimate complaints about Mega, but who have burned much of their credibility in past copyright debates.

(Image by Kletr, Thorsten Rust and suphakit73 via Shutterstock)

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• SOPA, OPEN and the fight for the Internet
• Connected consumer first-quarter 2013: Analysis and outlook
• Social media in Q1: commerce and discovery dominated

The confirmation-slash-denial comes after security researcher Gaurang Pandya, who works for Unisys Global Services in India, detailed on his personal blog how browser traffic from his Series 40 ‘Asha’ phone was getting routed via Nokia’s servers. So far, so Opera Mini: after all, the whole point of using a proxy browser such as this is to compress traffic so you can save on data and thereby cash. This is particularly handy for those on constricted data plans or pay-by-use data, as those using the low-end Series 40 handsets on which the browser is installed by default (it used to be known as the ‘Nokia Browser for Series 40′) are likely to be.

However, it was Pandya’s second post on the subject that caused some alarm. Unlike the first, which looked at general traffic, the Wednesday post specifically examined Nokia’s treatment of HTTPS traffic. It found that such traffic was indeed also getting routed via Nokia’s servers. Crucially, Pandya said that Nokia had access to this data in unencrypted form:

“From the tests that were preformed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature.”

Pandya pointed out how this potentially clashes with Nokia’s privacy statement, which claims: “we do not collect any usernames or passwords or any related information on your purchase transactions, such as your credit card number during your browsing sessions”.

So, does it clash?

Nokia came back today with a statement on the matter, in which it stressed that it takes the privacy and security of its customers and their data very seriously, and reiterated the point of the Xpress Browser’s compression capabilities, namely so that “users can get faster web browsing and more value out of their data plans”.

“Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them,” the company said. “When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.

“Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”

To paraphrase: we decrypt your data, but trust us, we don’t peek. Which is, in a way, fair enough. After all, they need to decrypt the data in order to de-bulk it.

The issue here seems to be around how Nokia informs – or fails to inform – its customers of what’s going on. For example, look at Opera. The messaging around Opera Mini is pretty clear: the browser’s FAQs spell out how it routes traffic. Although you can find out about the Xpress Browser’s equivalent functionality with a bit of online searching, it’s far less explicit to the average user. And this is particularly unfortunate given that the browser is installed by default — people won’t necessarily choose it based on those data-squeezing chops.

And it looks like Nokia belatedly recognizes that fact. The statement continued:

“We aim to be completely transparent on privacy practices. As part of our policy of continuous improvement we will review the information provided in the mobile client in case this can be improved.”

The moral of the story is that those who want absolute security in their mobile browsing should probably steer clear of browsers that compress to cut down on data. Even if Nokia isn’t tapping into that data – and there is no reason to suspect that it is – the very existence of that feature will be a turn-off for the paranoid, and reasonably so. And that’s why Nokia should be up-front about such things.

UPDATE: A kind soul has reminded me that, unlike Xpress Browser and Opera Mini, two other services that also do the compression thing leave HTTPS traffic unperturbed, namely Amazon with its Silk browser and Skyfire. This is arguably how things should be done, although it does of course mean that users don’t get speedier loading and so on on HTTPS pages.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The Internet of Things: What It Is, Why It Matters
• Report: How Mobile Cloud Computing Will Change Tech
• Analyzing the wearable computing market

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A near-term outlook for big data
• Connected world: the consumer technology revolution
• 12 tech leaders’ resolutions for 2012

1. Be smart about passwords and security questions.

Ideally, passwords and usernames should be unique for each service so a breach at one doesn’t result in carte blanche access to the rest of your accounts (if the LinkedIn breach didn’t beat the practice into our collective head, nothing will). Passwords also should be obscure enough that someone won’t be able to guess them if they know a few factoids about the target. And complex helps too: interspersing numbers, symbols and upper-case letters makes it harder to guess even if someone gets the phrase right.

When it comes to security questions, don’t choose answers that are readily available online. If you have a really good memory (or are already good at keeping track of numerous passwords and usernames), choose non-sensical answers to the questions. Your mother’s maiden name: Thomas & Friends, for example.

2. When possible, encrypt

Essentially, encryption software will scramble information and make it unreadable to anybody without the password to decrypt it (or the determination to crack it). However, like anything that make us more secure, it requires some effort on the user’s part. At the least, that means remembering the password for services (such as FileVault on Mac devices) that offer encryption as a standard feature, because losing it might mean losing access to data when it’s needed. For true security in the cloud, though, client-side encryption is probably the best idea, which means finding, possibly paying for and, most importantly, actually using third-party software.

3. Use two-factor authentication

AWS’s Multi-Factor Authentication device

Two-factor authentication means logging in requires both username and password, and a unique code sent at that time to a device the user has on his or her person. For Google accounts, for example, that’s usually via an SMS message to a mobile phone although it can be an app, as well. For some banks (as well as for Amazon Web Services) that can be a device designed especially for the purpose. It can be a pain to always look to another device while logging in, and those without their devices can be out of luck or in for a hassle if they need access, but it’s a pretty effective method even if someone gets your password.

4. If you need it, back it up

It’s kind of strange how cloud services have become so prolific we’re now talking about backing up data locally. Irony aside, however, it’s about the smartest thing someone can do to make sure they always have their important data. External hard drives are relatively cheap, as are third-party cloud services designed specifically for backing up data, so there’s really no excuse not to have multiple copies of files. For whatever it’s worth, Google even lets users download certain account information, which could ensure you never lose Gmail data.

5. Delete it when it’s done

In an era of seemingly limitless online storage, it can be hard to come to terms with the idea that e-mail messages or files might outlive their importance. But to ensure no one sees potentially damaging information — such as salacious messages, messages including personal information such as credit card or Social Security numbers, or username/password reminders for online accounts — it’s smart to delete some stuff sometimes. If messages or other files really must exist ad infinitum, though, back them up (and maybe encrypt them) before deleting them.

6. Don’t be a dummy

Just generally, be smart when doing stuff online. Use antivirus software to help prevent malware (such as keystroke loggers) that could help someone access account information. Keep your Wi-Fi network locked down; maybe don’t even broadcast it. Don’t click on links or open attachments in suspicious e-mail messages, even when they’re from companies with which you do business. If you end up on a site that looks sketchy and has a .ru domain, leave. Don’t go to Black Hat and send anything remotely important over the Wi-Fi network. You get the point.

Dunce image courtesy of Shutterstock user RTImages.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The rise of M2M security challenges
• Quality of the cloud: best practices for ISVs
• The role of converged infrastructure in the data center

Both scenarios are enough to give any CISO heartburn, but neither option is the right answer. IT needs to provide a sanctioned alternative that allows employees to be überproductive while still maintaining security and control. For IBM, this came in the form of MyMobileHub, a homegrown solution that hosts all data onsite. That’s great for IBM, but the rest of us would be better served by partnering with a trusted cloud vendor. Here are some critical criteria that will help you differentiate between BYOD-friendly and BYOD-adverse vendors.

1. If my data is stored in the cloud, who has access?

The inherent benefits of data storage in the cloud are obvious: virtually limitless storage, no required maintenance or upgrades, and little to no administration overhead is required. But how can businesses trust that their data is safe when it’s stored in third-party data centers? A universal set of requirements seems to have standardized around encryption, backup, audit logging and check-the-box certifications. However, IT should press vendors to explain how data is protected at all layers in the security stack. Will data or credentials be cached and stored in the clear to optimize product performance? Will the vendor provide and manage the encryption keys that give full access to that sensitive data? Are the right controls in place to block unauthorized access by employees at the vendor site? Visibility into data access practices will help differentiate between vendors when AES-256 encryption at rest and 256-bit SSL encryption in transit become the norm.

2. How do existing security controls, such as data loss prevention (DLP) and eDiscovery, apply to my data in the cloud?

Productivity apps should not be exempt from any security or compliance policies that keep your business data protected. This means that interoperability is key. Are the audit logs associated with the service exportable in a format that can plug into a downstream log management tool? How does the vendor’s platform comply with eDiscovery mechanisms, including search and legal holds? Can your existing DLP policies map to affect the actions your users take within the productivity app? When looking for a vendor, try to find services that compliment your current security posture rather than introduce new complexities.

3. How can I differentiate between business data and my employees’ personal data?

One of the major concerns with BYOD is identifying which data belongs to the user and which belongs to the business. The legal headaches that accompany an accidental wipe of personal data is enough to scare IT away from BYOD altogether. How do the vendors you’re evaluating approach this dilemma?

Although the risks aren’t trivial, a future where BYOD is fully embraced within your business may be near. The good news for IT is that vendors are aware of the challenges and are developing innovative technologies to help facilitate a more confident transition. 2011 was the year of mobile device management (MDM), and 2012 will focus on extending a new level of protection to the actual applications and data on all devices, whether personal or corporate-issued. Partnering with a trusted vendor will enable IT to focus on solving the issues that matter, rather than funding and allocating resources to an internal “Siri-for-business” initiative.

Anthony Kennada is Symantec’s senior manager of emerging cloud products. Prior to joining Symantec, Kennada worked at LiveOffice (now part of Symantec) and Box.net.

Image courtesy of Flickr user FutUndBeidl.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A near-term outlook for big data
• Quality of the cloud: best practices for ISVs
• From car to cloud: the future of the in-vehicle app landscape

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Cloud computing infrastructure: 2012 and beyond
• Forecasting the future cloud computing market
• Migrating media applications to the private cloud: best practices for businesses

In the specific case of Shady RAT, spear fishing emails were sent to the target containing links to a web page that, when clicked on, automatically loaded a malicious remote access tool (RAT) program on the computer, thus gaining access to the network and the high-value information.

The new security threats

In the “old” days, it was fairly straightforward to imagine boundaries around your business data. Today, it’s fair to say, with the rapid adoption of cloud and mobile computing and the overall consumerization of IT, traditional boundaries have become fluid and, in most cases, nonexistent. In today’s world, hackers have figured out how to target the data when it is most exposed, whether it’s on a corporate server, an iPhone or in the cloud.

In this new IT world without boundaries, the traditional “layered” approach to enterprise data security becomes ineffective. Instead of assuming that data perimeter protection (protecting the networks and data “containers”) will keep data safe, we need to assume the bad guys are smart enough to not care about the containers and to instead attack the data. As the continued severity of data breaches show, bad guys are interested in the data itself, whenever it might be, and whenever they decide the time is right to strike.

What do we do in this new world? How do we protect data so that it is locked down and unusable by the bad guys while it is still accessible to those who need to use it for business purposes? While we can’t ignore the old approaches and steps for data protection, such as protecting IT infrastructure and putting in place effective monitoring approaches, we need a new step. Encryption, and not the traditional public key encryption, is the only way to keep sensitive data protected while at the same time keeping it usable.

Secure the data, not the perimeter

Protecting private and sensitive data in a cloud/mobile world is difficult, expensive and increasingly mandatory to comply with federal and state regulations as well as to protect brand and business reputations. Thus, we need to think about data protection from a data-centric point of view, where the data itself is protected. When you start thinking about how to protect your data in a world without boundaries, think about these four things:

• Monitoring matters. Monitoring is an essential component of your overall security; network monitoring and database monitoring solutions help identify the kinds of attacks that are all around, such as script kiddies. They are also very useful for identifying internal threats such as unauthorized access to the database. These approaches give you a lot of information about what has happened, but they don’t actually stop an attacker from getting high-value data.
• Keep data safe when it’s on the move. Of course not all encryption is created equal. Many encryption solutions are like bank vaults — they protect the money, but as soon as the money is moved, or thieves break in and steal the money, the money is out in the open and can be used. So now, many banks use dye protection packs, which make the cash useless if it is stolen, and as soon the cash is removed from the vault the dye packs explode, making it clear the cash has been stolen. A data-centric encryption approach renders stolen data useless to the attacker.
• Protect your keys. Encryption and other types of protection mean there are keys or tables involved that can give you access to the original data. These must be protected too. The best security solutions have keys that are never stored, so they can’t be stolen. The keys are computed only as needed. The recent RSA SecureID breach illustrates that hackers are getting more sophisticated and are going after keys.
• Make yourself less of a target. The price for credit card data has dropped from $500 per “gold” card to less than $50, driving attackers to plan and execute more-sophisticated attacks designed to pull out more valuable data. This includes trade secrets, legal documents, more complete customer records than can be mined for high-net-worth individuals, etc. Hackers look for the highest reward, profits or publicity, with the lowest protections in place. If they hack you and all they get is encrypted data, they will move on.

We can win

We can beat the bad guys. We have the technology to stop these new advanced persistent threats. Data-centric protection focuses on encrypting the digital assets, emails, documents, database records, in a way that they remain encrypted wherever they go. If they are stolen, those assets cannot be used, credit cards will not validate, emails will show up garbled and documents will not reveal their contents.

Format Preserving Encryption (FPE/FFX), which is the encryption technology underlying data-centric encryption, is being standardized by NIST and is backed by several solution providers like Voltage, Verifone and Ingenico. With Shady RAT, data-centric encryption would not have stopped the programs from taking the data, but they would prevent the attackers from using it. Data–centric encryption turns gold into straw, making the data useless.

Matt Pauker is the co-founder of Voltage Security.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Quality of the cloud: best practices for ISVs
• AWS Storage Gateway jolts cloud-storage ecosystem
• Connected world: the consumer technology revolution

I suggested some reasons why to encrypt your iOS backups before, the main one being that your data is then protected. But this new software, called Phone Password Breaker Tool, is available to anyone wishing to pay a small fee for it. It’s being marketed as a tool to ‘recover’ password-protected devices, but it could also be used as a way for hackers to get access to your phone backups.

Able to get past the encryption on backups of both Apple’s iOS devices and BlackBerry devices, Phone Password Breaker will not only reveal the password set on the backup, but also extract passwords for mail accounts, websites and third-party applications — data that could be of great interest to malicious characters.

Luckily, the software requires the device to be physically connected to the computer in order to crack the encryption. That’s good news, since a hacker will need access to both the device and your computer — and if you’re sensible with your hardware, that isn’t likely to happen.

However, as Cult of Mac notes, it’s perfectly possible that a partner or other family member could grab your phone and take a sneaky look through your recent call history. If you have anything to hide (that call to the jewellers to arrange to pick up the engagement ring you bought, of course), make sure you keep an eye on where your phone is. To be really safe, remember not to store anything on the device that you wouldn’t potentially want a stranger reading.

Like I said, as long as you have your phone with you, there’s no need to worry, since physical access is required to use the tool.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile Q2: Smartphone growth surges; iPad’s rule continues
• Why the iPad is Right for the Enterprise
• Where new opportunity lies in the mobile operating system space