Google launches its own security blog
For the last year and a half, I’ve been writing a weekly column called Security Blog Log, about what IT security pros are discussing in the blogosphere. Starting this week, the column will be posted in this blog. Since this is a column about blogs and we now have our own, we thought the move would make sense. Let us know what you think. Meantime, here’s a look at what security bloggers are focusing on this week:
Google launches its own security blog
We’ve written plenty about Google-based threats of late, but the search giant has just made a big gesture to show it takes security seriously: it has launched a blog all about Google security.
The blog’s authors say in its inaugural posting that online security is an important issue for Google, its users and anyone who uses the Internet.
“Thus, we’ve started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security,” they wrote. “Among the issues we’ll tackle is malware.”
They note that Google started an anti-malware effort about a year ago. “As a result, we can warn you in our search results if we know of a site to be harmful and even prevent exploits from loading with Google Desktop Search,” they said.
Still shopping after the data breach
In the Emergent Chaos blog, Adam Shostack asks why customers don’t take their business elsewhere after a company acknowledges a data breach. He offers two theories: people may simply not know about the breaches, or they are so overwhelmed with notices that they can fail to grasp the significance of a data breach notification letter.
“The trouble is, I haven’t met anyone who says that they’ve gotten so many notices they just ignore them now,” he wrote. “Absent data, I’m leaning toward the first explanation.”
One of his readers responded that his or her parents continued shopping at TJ Maxx even after TJX disclosed the breach that exposed at least 45.7 million credit and debit card holders to identity fraud. This, the respondent said, is because they didn’t understand what it means to have that information stolen, and that’s probably what has happened in many instances.
Shostack is looking for more feedback, so here’s my two cents: People have a tendency to ignore a problem until they personally suffer some consequences. I doubt identity theft victims who have traced their woes back to the TJX breach are still shopping there.
From phishing to vishing
Gunter Ollmann over at IBM ISS has an entry in the Frequency X blog this week about the increasing threat to VoIP users. He points to a white paper on what has become known as “vishing” — phishing attacks directed at VoIP users. Given the explosion of VoIP usage in the last couple years, it makes sense that attackers would use the technology to dupe users with the same social engineering tricks that seem to work so well for them everywhere else. Here’s a bit from Ollmann’s posting:
“Phishing has increasingly developed into a broader category of threats that rely on social engineering to cause a message recipient to perform auxiliary activities that enable the phisher to conduct the second phase of the attack. Phishers rely on numerous Internet messaging systems to propagate their attacks. As such, many similar-sounding threats have been named based on the messaging system being used—each with its own nuances and target audiences.”
Hence the term “vishing,” for phishing attacks aimed at VoIP users.
Update on Mary Ann Davidson blog
I recently took Oracle CSO Mary Ann Davidson to task for not updating her blog more often. Out of fairness, I’m back to report that after a gap of nearly four months, the Mary Ann Davidson blog has a fresh entry connecting her travels in the Holy Land with some lessons about security in the age of Web 2.0.
I’ll leave it to readers to visit her blog for the full details. My purpose here is to restate my opinion that blogs should be updated regularly, especially when the blogger is focusing on current events.
My gripe with Mary Ann’s blog was that she hadn’t updated a Jan. 29 posting in which she touted what was at the time an upcoming keynote address at the RSA security conference from Oracle CEO Larry Ellison. As RSA attendees know, it’s a keynote Ellison canceled at the 11th hour.
It’s understandable when a blogger is kept from filing regular updates due to business travel and other reasons. But when facts that were true at the time of posting change, the blogger has a responsibility to correct the record, at least out of respect to customers who are visiting the blog for guidance on what the company is up to.
As I said in that previous column, Oracle has caught plenty of flak for not being on top of its security game. To be fair, the company has taken some encouraging steps in recent months to improve the patching process for DBAs, including its decision to streamline the quarterly patch bulletin, offer more details about its security holes and even offer advance notice on upcoming fixes.
But when the database giant’s main security voice stays silent for long periods of time and leaves her blog out of date, it doesn’t help to bolster the company’s image.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.
Posted: May 25th, 2007 under Information Security Threats, Data Breaches and Identity Theft.
[…] There’s plenty of blogosphere buzz about Google’s recent security activities. Last week, I wrote about how Google has started its own security blog, and Wednesday I wrote of Google’s acquisition of GreenBorder Technologies. […]
Pingback by Can Germany really ban hacking tools? — Security Bytes — June 1, 2007 @ 4:56 am
We are entering an era where the virtual world will take a growing part in our day to day activities. VoIP, information, transactions and commerce are already there. That relates to Google and all other “service providers” - companies that drive their business over the net.
With the security threats growing daily, that vision is at risk.
The only solution is an affordable, secured, easy to deploy solution that will be available for everybody in common form, over all web sites.
Technology such as the Cellular Authentication Token (CAT) is what will lead the security future and will enable the above vision to become reality.
Comment by Ronit — June 8, 2007 @ 4:39 pm