Security Bytes - A SearchSecurity.com blog

The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Spammers exploit social networking sites

Users of social networking sites may be irritated to find that an increasing number of invitations to be a friend or contact turn out to be ads.

Spammers are turning their attention to social networking sites to hawk their products, according to Cloudmark, a messaging security company. As email antispam technology has improved, spammers have branched out to other areas, said Adam O’Donnell, director of emerging technology at Cloudmark. “The social networking side provided a fertile ground for spammers,” he said.

Junk emailers are using multiple messaging vectors available on social networking sites, including direct messaging to friends, bulletin board posts and profiles, O’Donnell said. For example, a spammer creates a profile that includes a link to a porn or dating site, then invites a bunch of people to be their friend or contact.

In a recent six-month period, Cloudmark tracked a 300 percent increase in spam on a large social networking site that it works with. Also, at several major social networking sites, about one-third of new accounts created are fraudulent, designed for spam and other attacks, the company said.

On Monday, Cloudmark released what it said was the only commercial product to combat spam, phishing and other attacks on social networks. Cloudmark Authority for Social Networking Providers, which extends Cloudmark’s carrier-grade platform, is designed to protect all communication channels on a social networking site. The company said the technology has been deployed at one of the largest social networking sites, but wouldn’t identify it.

There’s no spam filter that end users can deploy to protect themselves on social networking sites, O’Donnell said. Some sites like LinkedIn are used as business tools, he said, adding, “If it came to a point on social networks where 80 percent of inbound content is spam, they’re no longer a useful business tool.”

Jamz Yaneza, a senior threat researcher at Trend Micro who uses several social networking sites including Facebook and MySpace, said he’s noticed an increase in friend invitations that push products. There have been a lot of exploits against social networking sites, he said, citing last year’s hack of singer Alicia Keys’ MySpace page.

Paul Ferguson, also a threat researcher at Trend Micro, said the growth of users on social networking sites “far outpaces their ability to keep the platform secure.” He added, “The back-end mechanisms that allow the interactivity also allow people to use them for malicious purposes.”


Sophos: Sharp rise in Web threats

The Web now hosts an “unprecedented” number of threats, according to a report recently released by Sophos. In the first quarter of this year, Sophos researchers discovered a newly infected Web page every five seconds, three times more than last year.

What’s especially unsettling is that a whopping 79% of these sites are legitimate ones that have been hacked. Sophos cites a March attack on a European soccer ticket site that tried to infect visitors’ computers and a February attack on UK broadcaster ITV that targeted Windows and Mac users. The top two malware threats found on the Web, Mal/Iframe and Mal/ObfJS, are used by criminals to infect Web sites by exploiting vulnerabilities, according to Sophos, a maker of antivirus software and other products.

The U.S. was the top country hosting Web-based malware in the first quarter. This year, it was responsible for hosting 42% of infected websites, up from last year, when it hosted less than 25%.

But while the number of infected Web pages is up this year, Sophos researchers tracked a decrease in the number of infected emails. One in every 2,500 emails was infected, a 40% drop from last year. Instead of sending a malicious attachment, criminals are sending links to compromised websites.

Secure Computing CEO steps down

Secure Computing today named Daniel Ryan as interim CEO. He replaces John McNulty, who served as board chairman and CEO since 1999.

Ryan has served as the company’s president and chief operating officer since last August. Richard Scott, a Secure Computing board member since January 2006, was appointed chairman. McNulty will continue as a board member.

The San Jose-based vendor, which makes Web security gateways and other products, didn’t explain why McNulty is stepping down. A call to a company press contact was not immediately returned.

McNulty’s tenure included Secure Computing’s $274 million acquisition of email security vendor CipherTrust in 2006, which closely followed its $295 million acquisition of CyberGuard. Scott was a CyberGuard board member.

RSA Panel: National data breach law unlikely

A national data breach law is unlikely, said members of a panel at the RSA Conference Tuesday.

There was a real opportunity three years ago to have such a law, but the drive has pretty much died, said Mike Zaneis, vice president of public policy, Interactive Advertising Bureau. “We sort of missed the bus,” he said, adding that such legislation is mired in a number of issues. Large and mid-size companies generally assume they need to notify customers of a data breach, he added.

Jim Dempsey, vice president of public policy at the Center for Democracy and Technology, said it’s highly unlikely a national breach law will be passed. About 39 states have enacted breach notification laws and companies generally have applied them nationally, he said. The only entities left out of coverage are state agencies and universities in a few states that don’t have breach notification laws, Dempsey said.

“At this point, there’s no support for a federal law,” he said.

Companies are worried that a federal law would end up more stringent than the state laws while privacy advocates are worried it wouldn’t be stringent enough, he added.

Supermarket chain discloses breach

East Coast supermarket chain Hannaford Bros. Co. said Monday that its network was broken into and customer credit and debit card numbers were stolen.

The Associated Press reported that company officials said the breach exposed 4.2 million credit and debit cards and led to 1,800 cases of fraud.

In a statement on the company’s website, Hannaford CEO Ron Hodge said the stolen data was limited to credit and debit card numbers and expiration dates; no personal data was accessed. The card numbers were stolen from Hannaford’s computer systems during transmission of card authorization.

The breach affected Hannaford stores in New England and New York, Sweetbay stores in Florida and some independently owned retail locations in the Northeast that carry Hannaford products. Hannaford discovered the intrusion on Feb. 27 and alerted law enforcement officials.

The company advised customers that made purchases at its stores using credit and debit cards over the last three months, and who suspect their accounts may have been compromised, to immediately notify their card issuer or bank.

In his statement, Hodge said Hannaford “doesn’t collect, know or keep any personally identifiable customer information from transactions.” He added, “We sincerely regret this intrusion into our systems, which, we believe, are among the strongest in the industry.”

Meanwhile, the Massachusetts Bankers Association said in a statement Monday that Visa and MasterCard have notified 60 to 70 banks in Massachusetts about a large data breach involving what the card companies would only describe as a major retailer.

The MBA estimates that “hundreds of thousands” of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and urged consumers to monitor their accounts. The association said it has been in discussions with the card companies and pursuing legislative alternatives that would require that the name of the retailer involved in a breach be released.

Chevron security chief: Get creative

If security executives want a seat at the table or leverage the one they have, they need to get creative.

That was the message Chevron Chief Information Protection Officer Richard Jackson delivered in a keynote at the Cornerstones of Trust conference Thursday in Foster City, Calif. Some 250 security professionals attended the event, which was co-hosted by the Information Systems Security Association’s Silicon Valley and San Francisco chapters and San Francisco Bay Area InfraGard.

IT security is often perceived as increasing costs and creating hurdles, Jackson said. Changing that perception requires a creative mindset that drives organizational value by aligning with the business. When speaking with business executives, use language they understand and tailor the message of security to their needs, he said. “As you try to market security and build influence, don’t force it. Understand their needs and move accordingly.”

Don’t overwhelm executives with technical data; have a few key metrics, Jackson advised. Also, a governance framework can help validate decisions around risk management and security. And thinking in business terms may mean identifying areas where there may be too much security, he added.

He urged audience members to take risks and to be visionaries: “Go ahead and predict the future … It’s OK to be a visionary and find it doesn’t come true. You’ll be more prepared for what happens in the short term if you think long term.” Jackson said it’s important for security professionals to remain dissatisfied and to search for continuous improvement. The attackers we’re defending against are always unsatisfied, he noted.

Conference attendee Sheryl Harkleroad, IT manager at Suhr Risk Services of California, a Burlingame, Calif.-based insurance broker, said she completely agreed with Jackson’s message about understanding the business and working with business units to help them succeed. She’s a recent graduate of Norwich University’s master’s program in information assurance.

“Much of what was said was not new to me, but reinforced what I’ve learned in recent months about the need for infosec leaders to understand the business side and speak in their language. Being viewed as an enabler and not an obstacle is the only way to get any buy-in and acceptance of a security program,” she said.

Conference aims to bring together Bay Area security community

If you’re a security professional based in the San Francisco Bay Area or happen to be in the area next month, you might want to check out the Cornerstones of Trust conference.

The annual conference, sponsored by the San Francisco and Silicon Valley chapters of the nonprofit Information Systems Security Association (ISSA) and San Francisco Bay Area InfraGard, will be held March 6 in Foster City.

Scheduled keynote speakers are Richard Jackson, chief information protection officer and general manager of global information risk management at Chevron, and Amit Yoran, CEO of NetWitness and former cybersecurity chief at the Department of Homeland Security.

The conference will have four parallel tracks covering a range of topics: convergence of physical and IT security, security metrics, securing core business functions, and predictive analysis for risk measurement. Featured speakers include Wells Fargo CSO William Wipprecht, consultant Fred Cohen, Liam Lynch, chief security strategist for eBay Marketplaces, and eTelecare CISO Kim Jones.

For more information or to register, visit the conference Web site at http://www.cornerstonesoftrust.com/index.htm. The cost is $50 for members and $75 for non-members.

Information security makes the silver screen

Information security hit the big screen — well, not so big screen — with the debut of Fortify Software’s documentary, “The New Face of Cybercrime” Thursday in San Francisco.

Billed as a “world premier,” the showing of the short film was in a small, private theater inside a movie complex, and attended by about 130 people. The slick film, which features security experts like Marcus Ranum, Gary McGraw and Howard Schmidt, along with corporate executives and an ominous soundtrack, is a basic primer for the general public on information security.

Director Frederic Golding told the audience during a panel discussion after the showing that the film is intended to generate awareness of information security threats for the masses (although the film did make a point to convey the importance of application security — Fortify’s business). “To a lot of you here, it probably seemed very simple,” he said.

Still, the audience of mostly IT security professionals were harsh critics. “You didn’t make it scary enough,” a network security engineer told the filmmakers during a Q&A after the panel. The movie touched on issues like cross-site scripting but should have delved deeper, he said, adding, “The only way to get people to open their eyes is through shock.” Others said the film didn’t discuss enough of the end user experience, or show how laws haven’t caught up to modern cybercrime.

Golding and Roger Thornton, Fortify founder and CTO and the film’s executive producer, took turns defending the film and both said they would have liked to include interviews with cybercriminals but were warned by law enforcement that it was too dangerous.

At a reception afterwards, Craig Rosenberg, a network engineer at Serena Software, said the movie was good but didn’t go into as much depth as he’d like. Some details on what end users can do to protect their PCs might have been good, he said.

No word on a sequel, and there’s no Hollywood premiere slated for the film — private screenings are scheduled for later this month in New York and London.

Green security?

These days, “green” is being used to market everything from cars and light bulbs to cleaning products. Now security vendors are jumping on the bandwagon to promote their products as good for the environment.

Astaro today issued a press release touting its unified threat management (UTM) appliances as facilitating “greener networks.” The technology, according to the vendor, allows customers to remove up to 10 standalone products, thereby limiting computer waste and reducing electricity consumption between 50 percent and 1000 percent, depending on the number of network security point products deployed and their power draw.

“Astaro is committed to greener networking,” Astaro CEO Jan Hichert proclaimed. The Astaro Security Gateway gives customers an affordable way to create “a far greener network environment,” he said.

Given how reluctant executive management can be when it comes to buying security, going green might be a tough sell. But if it improves the bottom line, then we’re talking.

Social networking backlash

Social networking sites like Facebook and MySpace aren’t very popular in the corporate world, according to a study by Barracuda Networks.

Analyzing data from businesses using its Web filtering appliance, the company found that 44 percent block MySpace while 26 percent block Facebook. More than 50 percent block one of those sites or both.

“It was interesting to us to see such a significant backlash in the corporate environment, with 50 percent blocking the social networking sites. And that number will go higher,” Dean Drako, Barracuda president and CEO, said in an interview. “Customers that weren’t blocking but were monitoring social networking sites … a significant percentage expect they’ll be blocking those sites soon.”

Customers said they were concerned about the sites being a productivity drain, Drako said. They also were worried about offensive content on MySpace.

A separate survey of 228 IT professionals by Barracuda showed that the top reason businesses restrict employee Web surfing overall is to block viruses or spyware. Productivity was the second biggest reason.