Articles by Paul Ducklin

About Paul Ducklin

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog

Canadian spam, New York taxis and Brazilian passwords - 60 Sec Security [VIDEO]

60ss-video-250

Canada goes "opt in", NYC makes a hash, and Brazil forgets its punctuation.

It's 60 Second Security for 28 June 2014!

Flaw in PayPal’s two-factor authentication, but keep calm and carry on!

Security researchers in the USA have just disclosed a flaw in PayPal's 2FA system.

Paul Ducklin looks at the mistakes that PayPal made, and what's been done to sort them out...

TimThumb plugin for WordPress - zero-day remote code execution hole disclosed, quickly fixed

thumb-250

WordPress sites with the TimThumb image thumbnailing plugin could be taken over by attackers.

Paul Ducklin looks at what went wrong and explains how to fix the hole...

"Towelroot" app makes it easy to root Galaxy S5 and other locked Androids...

towels-250

Galaxy S5 users will be cheering. System administrators are probably groaning.

Paul Ducklin looks at an Android-era variant of Hamlet's dilemma: "To root or not to root, that is the question."

SSCC 153: TrueCrypt, Towelroot, Cryptowall, and spam in Canada [PODCAST]

chet-chat-logo-featured-250

Chester Wisniewski and Paul Ducklin present this week's edition of the regular Sophos security podcast, the "Chet Chat."

In this episode: the TrueCrypt saga continues; the Towelroot software for unlocking Androids; ransomware after CryptoLocker; and Canada's long, long, long-awaited anti-spam law.

New York City makes a hash of taxi driver data disclosure

What do you do in your spare time if you're a self-confessed "urbanist, data junkie and civic hacker," like New York resident Chris Whong?

Use Freedom of Information Laws to find out more about NYC's taxi movements, of course...

Spam in Canada goes "strictly opt-in" in one week - with a grace period of only THREE YEARS

It's been a long, long, long time coming, but spam in Canada really does go "strictly opt-in" on this year's Canada Day, 01 July 2014.

After that, you will have a meagre THREE YEARS to adapt your business practices and acquire express consent from your mailees...

Privacy and iOS 8, USMS blunder and Cryptowall ransomware - 60 Sec Security [VIDEO]

60ss-video-250

One minute of fun with a serious side...

60 Second Security - 21 June 2014

TrueCrypt mystery - forking weirder than before

The TrueCrypt mystery is solved!

The developers have spoken!

Unless, of course, the latest "solution" is yet another layer in the mystery...

SSCC 152 - PF Chang's, TrueCrypt (still!), the Twitter worm and the cost of scammers [PODCAST]

chet-chat-logo-featured-250

Sophos security experts Chester Wisniewski and Paul Ducklin turn their attention on the week's security news.

As usual, they extract plenty of useful lessons during their insightful dissection of the latest issues...

Ransomware with a happy ending

rw-not-250

Fortunately, not every cybercrook in the world is a good coder.

Let's hope it stays that way...

SCAMwatch - 5 tips to keep your friends and family out of scammers' clutches

scam-watch-250

It's National Consumer Fraud Week in Australia, so the government's SCAMwatch team has published 5 straight-talking anti-scammer tips.

With Aussies alone taken for about $90M last year, this is a battle we need to keep on fighting all around the globe...

59 vulns in IE, teenager versus Turing, and Twitter gets wormed - 60 Sec Security [VIDEO]

60ss-video-250

Is 59 vulns in IE some kind of record? Did a computer really pass the Turing Test? Can a network worm ever be a joke?

Find out in one minute!

SSCC 151 - Measuring vulns, Apple and Wi-Fi privacy, Android ransomware and more [PODCAST]

sscc-151-250

It's our weekly security pocast!

Chester Wisniewski and Paul Ducklin dig into the latest security news for lessons we can all learn...

Patch Tuesday wrap-up, June 2014 - both Adobe and Microsoft close "remotable" holes

istock_patchtuesday250

Microsoft fixed 59 vulnerabilities in Internet Explorer alone this month.

Is that worryingly bad, or pleasingly good?

Paul Ducklin investigates what actually came down the chute in the June 2014 Patch Tuesday...

"Turing Test" allegedly defeated - is it time to welcome your robot overlords?

tt-feat-250

There's a lot of hype around the news that a computer has passed the "Turing Test" at last.

But what is a Turing Test, and what does it teach us?

Paul Ducklin digs into the story behind the story...

Gameover and CryptoLocker revisited - the important lessons we can learn

gocl-robot-250

Which is worse - Gameover or CryptoLocker?

What can we learn from the recent US-led takedown of this notorious crimeware?

More importantly, what advice should we be passing on to other people?

Patch Tuesday for June 2014 - 7 bulletins, 3 RCEs, 2 critical, and 1 funky sort of hole

pt-june-2104-250

You'll be patching and rebooting everything this month.

Paul Ducklin gives you a brief overview to help you prepare.

He also explains some vulnerability terminology you might not have heard before...

Mobile malware, Gameover, CryptoLocker, and SSL/TLS holes - 60 Sec Security [VIDEO]

2014-06-07-thumb-250

How long has mobile malware been around? Is it really game over for Gameover and CryptoLocker? Which cryptographic security libraries need patching?

It'll only take a minute to find out...

CryptoLocker wannabe "Simplelocker" scrambles your files, holds your Android to ransom

sl-bars-250

"If the crooks keep copying Windows threats that were financially lucrative," you're thinking, "we'll soon see Android ransomware that doesn't just lock your device, but locks up your data instead, or as well."

Guess what?