SSCC 106 – US DoD and BYOD, “scanner” malware, 2FA, and browser wars revisited [PODCAST]

For your listening pleasure, here’s the latest episode in our popular “Chet Chat” series.

Senior Security Advisor Chester Wisniewski discusses the latest security news with regular guest Duck (Paul Ducklin).

The pair turn their unique blend of insight, expertise and scepticism on recent events in the computer security world.

At a tidy quarter-hour in length, the Chet Chat is ideal for your daily commute or for a spot of lunchtime listening!

Listen now:

(09 April 2013, duration 15:49 minutes, size 9.5 MBytes)

Download now:

Sophos Security Chet Chat #106 (MP3)

Chet Chat episode 106 shownotes:

• US DoD reveals its Bring Your Own Device (BYOD) woes

The US Department of Defense recently published a report revealing the troubles it’s having with its BYOD programme.

With 14,000 devices of unknown provenance hosting possibly sensitive material, Chester wonders if it can be called a “BYOD programme” at all, and Duck wryly asks what chance small and medium businesses have if even the armed forces can’t compel their servicemen to do the right thing.

But the pair aren’t all negative, explaining that there is a bit of “damned if you do and damned if you don’t” in any BYOD programme, since you’ll never stop your staff using always-on mobile devices, even if they’re not on the company network.

The question is simply how to persuade your staff and your IT team to meet half way on security and control, or (as Duck says, since he can’t resist a good metaphor, let alone a bad one) how to “have your cake and eat it.”

• Malware posing as a link to a scanned document

A recent malware attack posing as a link to a document scanned by an HP Scanjet “somewhere on the network” reminds us all of the risks that come with internal content being processed and delivered by external services: once staff are used to scan-to-email links arriving from outside servers, one more external link doesn’t look out of place.

Chester describes this pithily as “exploiting the creatures-of-habit vulnerability”, and Duck finds forgiveness for those who might fall for this sort of trick.

After all, he says, you probably click on many similar links over the course of a year (and how better to tell if a document is worth looking at than by looking at it?) without anything going wrong.

But the “law of averages” is irrelevant here, since the crooks only have to trick you once, whether you’ve been safe 20, 30 or 100 times before.
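One mechanical way to take the “creatures of habit” problem off the user’s shoulders is to check incoming “scanned document” mail for the two things a lure like this one gets wrong: a scan notification whose link leaves the organisation’s own network, and link text that shows one host while the underlying href goes to another. The block below is an added example written for this page, not code from Sophos or from the podcast, and the internal domain suffix (`.corp.example`), the detection wording and the two sample mail bodies are constructed for the illustration:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical internal domain suffixes; a real deployment would load its own list.
INTERNAL_SUFFIXES = (".corp.example",)

# Words that make a message look like a scan-to-email notification.
SCANNER_WORDS = re.compile(r"\b(scan(?:ned|ner)?|scanjet|copier|mfp)\b", re.I)

# Link text that is itself a URL or bare hostname, e.g. "scans.corp.example/doc.pdf".
URL_LIKE_TEXT = re.compile(
    r"^(?:https?://)?(?P<host>(?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:]\S*)?$", re.I
)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_internal_host(host):
    """True if the host sits under one of the organisation's own domain suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in INTERNAL_SUFFIXES)


def suspicious_scanner_links(html_body):
    """Return findings for links that pose as an internal scan but point elsewhere."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    text_only = re.sub(r"<[^>]+>", " ", html_body)
    scanner_context = bool(SCANNER_WORDS.search(text_only))
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.scheme.lower() not in ("http", "https"):
            continue  # mailto: and friends are out of scope here
        host = (parts.hostname or "").lower()
        reasons = []
        # A scan notification whose document lives outside the network is the lure itself.
        if scanner_context and not is_internal_host(host):
            reasons.append("scan notification links to external host %s" % host)
        # Visible text showing an internal-looking URL while the href goes elsewhere.
        shown = URL_LIKE_TEXT.match(text)
        if shown and shown.group("host").lower() != host:
            reasons.append(
                "link text shows %s but href goes to %s" % (shown.group("host"), host)
            )
        if reasons:
            findings.append({"href": href, "host": host, "reasons": reasons})
    return findings


# Constructed sample bodies: one lure, one genuine internal scan notification.
LURE_MAIL = (
    "<p>A document has been scanned by the HP Scanjet on the 2nd floor.</p>"
    '<p><a href="http://files-delivery.example.net/scan_0413.zip">'
    "scans.corp.example/scan_0413.pdf</a></p>"
)
LEGIT_MAIL = (
    "<p>A document has been scanned by the HP Scanjet on the 2nd floor.</p>"
    '<p><a href="https://scans.corp.example/scan_0413.pdf">'
    "scans.corp.example/scan_0413.pdf</a></p>"
)

if __name__ == "__main__":
    print(suspicious_scanner_links(LURE_MAIL))   # two reasons for the one link
    print(suspicious_scanner_links(LEGIT_MAIL))  # []
```

Note what the check does not do: it doesn’t decide that an external link is malicious, only that a message claiming to be a scan from a device “on the network” has no business pointing outside it, which is exactly the habit the lure relies on nobody checking.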

• introduces two-step authentication

Chester and Duck praise Automattic, owners of, for rolling out a 2FA service which “just works.”

They’re particularly pleased in this case because Naked Security is hosted on VIP, and the Naked Security team have happily turned the feature on.

Duck urges both users and service providers alike to take encouragement from companies like Apple and Automattic, and not to resist 2FA “because customers will find it inconvenient.”

Duck explains that the SMS verification costs him no more than about two seconds per login, and most of that is the time it takes to type his mobile phone’s unlock code, which is what keeps the verification codes on the phone separate from the browser and secure.
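The service-provider side of an SMS-style second step is small enough to show in full, and it is where the “just works” part is earned: a code has to be bound to one login attempt, expire quickly, survive only a handful of guesses, and be usable exactly once. The block below is an added example written for this page, not Automattic’s or Apple’s code, and the five-minute lifetime, the five-attempt limit and the in-memory store are assumptions made for the illustration (sending the SMS itself is left out):

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumed policy: guesses allowed before the code is voided


class VerificationCodes:
    """Server-side half of a two-step login: issue a one-time code, then check it."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the behaviour can be tested offline
        self._pending = {}           # login session id -> [code, issued_at, attempts]

    def issue(self, session_id):
        """Create a fresh six-digit code for this login attempt (this is what gets texted)."""
        code = "%06d" % secrets.randbelow(10 ** 6)   # CSPRNG, not random.randint
        self._pending[session_id] = [code, self._clock(), 0]
        return code

    def verify(self, session_id, submitted):
        """Return True once, for the right code, within its lifetime and attempt budget."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False                                # nothing issued, or already used
        code, issued_at, attempts = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]               # expired or brute-forced: void it
            return False
        entry[2] += 1                                   # count the attempt before comparing
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[session_id]               # single use: a replayed code fails
            return True
        return False


if __name__ == "__main__":
    codes = VerificationCodes()
    sent = codes.issue("login-session-1")
    print("texted code:", sent)
    print("first use:", codes.verify("login-session-1", sent))    # True
    print("replay:", codes.verify("login-session-1", sent))       # False
```

The two-second user cost Duck describes is the whole of the friction; everything above runs before the password-only session is upgraded, so an attacker who has phished the password still needs the phone, and cannot wear the code down by guessing.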

• Google and Mozilla announce new browser engines

Google is switching from WebKit to its new Blink engine (a fork of WebKit); Mozilla is pursuing a new rendering engine project called Servo.

Chester asks if this is the Browser Wars of the 1990s revisited; Duck replies happily that it is a war, but this time it’s the browser makers versus the Bad Guys, not against each other.

With the primary motivation of these new projects apparently being security rather than featuritis, both Duck and Chester are full of praise.

And on that note, Chester concludes that it looks like “bright times ahead,” and Duck is thankful to have been able to cover so much good news in this episode.

Catch up with Chet Chats and other podcasts


You can download the Sophos Security Chet Chat podcast episode 106 directly in MP3 format.

And why not take a look at the back-catalogue of Sophos Podcasts in our archive? We have loads of interesting stuff for your listening pleasure.