ie8 fix

An SMS can force a URL or app on smartphones

LAS VEGAS--In one of a handful of SMS-related presentations here at the Black Hat security show, researchers demonstrated on Thursday how they can force certain types of smartphones to visit a malicious URL or install an app without user approval.

The vulnerability only affects phones that have been misconfigured by the original equipment manufacturer so that they accept any message sent through WAP Push (Wireless Application Protocol), a service that runs on top of SMS, said researcher John Hering.

WAP Push messages should only be accepted when sent by a trusted party such as the mobile operator, said Hering, chief …

Researchers can attack mobile phones via spoofed SMS messages

LAS VEGAS--Researchers at the Black Hat security conference on Thursday showed how an attacker could spoof a type of SMS message that appears to be sent from the carrier or some other trusted source.

This attack on MMS (multimedia messaging service) messages, a type of SMS message, could allow an attacker to trick the recipient into visiting a malicious Web site or ultimately do something else to harm the phone or steal data.

The attacks work potentially on any type of phone that is MMS-enabled and operating on Global System for Mobile communications (GSM) networks, said Zane Lackey, a senior …

Researchers exploit flaws in SSL, domain authentication system

LAS VEGAS--Two researchers have separately uncovered flaws in the way domain names are verified on the Internet that could allow attackers to impersonate a site and steal information from unsuspecting Web surfers.

Dan Kaminsky, who discovered a serious flaw in the Domain Name System (DNS) last year, and Moxie Marlinspike gave presentations at the Black Hat security conference on Wednesday about how someone could acquire certificates for domains they don't own and thus trick people into visiting those illegitimate sites or inadvertently sharing information.

Marlinspike, an independent researcher, said a flaw in the way browsers and mail clients implement …

Researchers attack my iPhone via SMS

LAS VEGAS--Researchers have discovered a way to take complete control over an iPhone merely by sending special SMS messages and demonstrated it on my iPhone at the Black Hat security conference on Wednesday.

Although an attacker could exploit the hole to make calls, steal data, send text messages, and do basically anything that I can do with my iPhone, the researchers were kind and merely rendered it temporarily inoperable.

Here's what happened: While I was talking on the phone to Charlie Miller, his partner, Collin Mulliner, sent me a text message from his phone. One minute I'm talking …

Ex-Google CIO breaks his own security rules

LAS VEGAS--You can take the man out of Google, but you can't take Google out of the man.

While working as chief information officer and vice president of engineering at Google from 2004 to 2008, Douglas Merrill oversaw the search giant's internal IT systems. He left to be chief operating officer of new music at EMI, marrying his professional ambitions with his love of music.

At EMI, employees used Exchange Calendar, which uses a "painful remote-access methodology," he said in a keynote speech on Tuesday at the Black Hat security conference.

"I paid my admin …

Microsoft will open stores in Arizona, California

Microsoft plans to open two of its first retail locations in Scottsdale, Ariz., and Mission Viejo, Calif., CNET News has learned.

The software maker confirmed on Tuesday that it has signed leases in both spots as part of an effort to launch its first retail outlets this fall.

"Over a billion people use our products every day yet we don't always have a way to directly connect with them," said Microsoft spokeswoman Kim Stocks. "We see the physical stores, as well as a consistent online experience, helping that."

The Orange County, Calif., store is in …

Microsoft offers patches to ward off ActiveX attacks

Microsoft released an emergency patch on Tuesday to protect Internet Explorer users from a hole in technology used to build ActiveX controls and other Web application components that has been targeted in attacks.

A critical patch for all versions of IE will protect consumers, while a security update for Visual Studio will help developers fix the controls and components they built that could be affected.

Microsoft also has had discussions with Adobe, Sun, and Google about some components involving their software that are affected, said Mike Reavey, director of the Microsoft Security Response Center. He declined to elaborate.

Internet Explorer …

Microsoft says security programs are paying off

One year after launching three security programs designed to improve security industry-wide, Microsoft is finding that more security patches are beating exploits out the door.

Meanwhile, the Microsoft Security Response Center said that of the 50 security bulletins it published from October 2008 to June 2009, patches were released in response to 138 vulnerabilities. Of those, 17 had public exploit code available at the time of the release, and for 67, consistent exploit code was likely to be written, according to the software giant.

The news comes after Microsoft announced on Friday that it would be releasing security updates on …

Microsoft to fix critical hole in IE

In a rare move, Microsoft on Friday said it would be releasing security updates on Tuesday--outside of its monthly patch cycle--for a critical vulnerability in Internet Explorer and a moderate vulnerability in Visual Studio.

The two security bulletins will address one overall issue and are being released separately "to provide the broadest protections possible to customers," Microsoft said in a statement.

The vulnerabilities affect Windows 2000, Windows XP, Vista, Windows Server 2003 and 2008, Internet Explorer 6, 7 and 8, Microsoft Visual Studio .NET 2003, Visual Studio 2005 and 2008 and Visual C++ 2005 and 2008, according to …

Expert: iPhone 3GS crypto is easily crackable

The encryption functionality of the iPhone 3GS is so easy to crack that it is essentially "broken" as far as protecting sensitive personal data like credit card and social security numbers, according to a forensics expert and iPhone developer.

"I don't think any of us [developers] have ever seen encryption implemented so poorly before, which is why it's hard to describe why it's such a big threat to security," Jonathan Zdziarski told Wired.

With physical access to a 3GS iPhone and some free software, data can be extracted within two minutes and an …