Security Bytes - A SearchSecurity.com blog


The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Google Docs used in latest spam run

Spam researchers have discovered a recent run of unwanted messages that uses Google’s Web-based word processor, with the spammers even testing their campaigns using Google analytical tools.

MessageLabs spokesperson Matt Sergeant said the spam messages are successful in getting through most enterprise email filters. The messages don’t contain content, only a link that takes recipients to a Google Docs file. Once opened, the file touts the all too familiar pharmaceuticals hyped in many spam campaigns.

“This is another method that spammers have found of hosting a website in a place that’s bulletproof basically,” Sergeant said.

Google has labeled the hosted file as being registered as spam. The good news is that Google Docs is still in its infancy, so there aren’t a lot of people using them in a corporate setting, Sergeant told me. So far the messages have come in very small numbers, but large enough that they triggered an alert at MessageLabs.

Security vet Anne Bonaparte takes CEO job at Solidcore

Anne Bonaparte, a veteran security industry executive, is taking over the top job at change-management vendor Solidcore Systems. Bonaparte has spent time at a number of security vendors, including VeriSign, MailFrontier, SonicWall and Tablus. She takes over as CEO at Solidcore, as founder and former CEO Rosen Sharma steps aside to take the CTO job. Bonaparte most recently held the CEO job at Tablus, one of the numerous companies scratching and clawing for a piece of the data-loss prevention market, before RSA Security acquired Tablus last summer.

Before her stint at Tablus, Bonaparte was CEO of MailFrontier, an email security company, which she led through its acquisition by SonicWall in 2006. Her experience in leading start-ups through their second phase as they look for either an acquisition partner or major investors will come in handy at Solidcore, a vendor that is smack in the middle of that stage in its growth right now. The company started out as a provider of software for companies looking to prevent admins from making unauthorized changes to servers. It has since evolved into a player in the security market, mainly as a result of its role in compliance efforts.

Spammers exploit social networking sites

Users of social networking sites may be irritated to find that an increasing number of invitations to be a friend or contact turn out to be ads.

Spammers are turning their attention to social networking sites to hawk their products, according to Cloudmark, a messaging security company. As email antispam technology has improved, spammers have branched out to other areas, said Adam O’Donnell, director of emerging technology at Cloudmark. “The social networking side provided a fertile ground for spammers,” he said.

Junk emailers are using multiple messaging vectors available on social networking sites, including direct messaging to friends, bulletin board posts and profiles, O’Donnell said. For example, a spammer will create a profile, which includes a link to a porn or dating site, then invite a bunch of people to be their friend or contact.

In a recent six-month period, Cloudmark tracked a 300 percent increase in spam on a large social networking site that it works with. Also, at several major social networking sites, about one-third of new accounts created are fraudulent, designed for spam and other attacks, the company said.

On Monday, Cloudmark released what it said was the only commercial product to combat spam, phishing and other attacks on social networks. Cloudmark Authority for Social Networking Providers, which extends Cloudmark’s carrier-grade platform, is designed to protect all communication channels on a social networking site. The company said the technology has been deployed at one of the largest social networking sites, but wouldn’t identify it.

There’s no spam filter that end users can deploy to protect themselves on social networking sites, O’Donnell said. Some sites like LinkedIn are used as business tools, he said, adding, “If it came to a point on social networks where 80 percent of inbound content is spam, they’re no longer a useful business tool.”

Jamz Yaneza, a senior threat researcher at Trend Micro who uses several social networking sites including Facebook and MySpace, said he’s noticed an increase in friend invitations that push products. There have been a lot of exploits against social networking sites, he said, citing last year’s hack of singer Alicia Keys’ MySpace page.

Paul Ferguson, also a threat researcher at Trend Micro, said the growth of users on social networking sites “far outpaces their ability to keep the platform secure.” He added, “The back-end mechanisms that allow the interactivity also allow people to use them for malicious purposes.”

Pioneering online privacy firm Anonymizer acquired

Anonymizer, the pioneering online privacy company, was acquired Thursday by a highly specialized national-security technology provider. Anonymizer began in 1995 as a provider of technology to help consumers, and later enterprises, protect their identities online. The company has a variety of products now that enable users to avoid spam, surf Web sites anonymously and protect their email addresses. It is probably best known for its Anonymous Surfing product, which redirects users’ Web traffic through a proxy, hiding their actual IP addresses. But it also offers products that provide users with disposable email addresses and offerings for enterprises that enable executives to check out competitors’ sites anonymously.

The company acquiring Anonymizer, Abraxas, is a provider of technology and risk management services to the national security community and was founded by Richard H. Helms, a former CIA officer (no relation to Richard M. Helms, former director of CIA). The two companies, both based in San Diego, already share some similarities. Lance Cottrell, the founder and chief scientist at Anonymizer, is also chief scientist at Abraxas. Abraxas’ board of advisers includes former DHS secretary Tom Ridge, and Alan Wade, the former CIO of CIA.

Secure Computing CEO steps down

Secure Computing today named Daniel Ryan as interim CEO. He replaces John McNulty, who served as board chairman and CEO since 1999.

Ryan has served as the company’s president and chief operating officer since last August. Richard Scott, a Secure Computing board member since January 2006, was appointed chairman. McNulty will continue as a board member.

The San Jose-based vendor, which makes Web security gateways and other products, didn’t explain why McNulty is stepping down. A call to a company press contact was not immediately returned.

McNulty’s tenure included Secure Computing’s $274 million acquisition of email security vendor CipherTrust in 2006, which closely followed its $295 million acquisition of CyberGuard. Scott was a CyberGuard board member.

IBM Phantom to analyze virtual security

IBM’s X-Force security research team and IBM Research are studying ways to protect virtual computing environments. Code-named Phantom, the research project has been ongoing and could result in new products and best practices designed to leverage the hypervisor to improve security. In this interview at RSA 2008, Joshua Corman, principal security strategist with IBM’s ISS team, explains Project Phantom and how IBM says it could help alleviate some of the risks associated with virtual environments.

Richard Stiennon joins new MSSP as CEO

Richard Stiennon, the well-traveled vendor executive and industry analyst, has taken up a new post as the CEO of new MSSP Seccom Global, an offshoot of Seccom Networks, an Australian company. Stiennon is a former Gartner analyst who probably is best known for a research study he was involved with in 2003 declaring that IDS was dead and encouraging enterprises to spend whatever money they had allocated for the technology on things like multi-function firewall appliances. “Intrusion detection systems are a market failure,” he said at the time. Most recently Stiennon was the chief marketing officer at Fortinet, which is a partner of Seccom. He also has spent time at independent analyst firm IT-Harvest, Webroot and PriceWaterhouseCoopers.

Seccom’s Australian operation provides a number of managed security services, including mail and network monitoring. Stiennon’s appointment as CEO coincides with the company’s entry into the U.S. market, which already has its fair share of MSSPs. Large players such as VeriSign and Symantec have staked out the high end of the market and many ISPs, such as AT&T, have gotten into the business of offering security services in the cloud, as well. It will be interesting to see how an unknown company such as Seccom goes about competing with the big established MSSPs here. One would guess that Stiennon’s name recognition and extensive experience in the industry will help open a few doors at the very least.

Fighting security FUD

I recently tripped over a blog write-up from independent analyst Eric Ogren about his irritation with security vendors using FUD to sell products. It’s an older posting from 2006 but his message is as relevant today as it was two years ago.

Building his case around a threat report Websense released at the time, he wrote, “I’m not sure that the world is better off with yet another security vendor telling us that Phishing, malicious websites, malicious code, hacking tools, P2P, IM and Chat attacks have all increased.”

He dismissed the report as FUD marketing designed to create demand for security products, but said he believed the reports could actually have the opposite effect by pointing out the futility of security products to stop attacks.

He’s not the first security expert to rail against the FUD factor. Security luminary Bruce Schneier has devoted huge chunks of his time speaking out against security ‘theatre’ — policies and products that are more about offering the perception of security rather than addressing the actual risks.

And, rightly or wrongly, the Apple crowd is constantly crying FUD whenever something is written about a security flaw or malware affecting their beloved Macs.

I bring up the issue because it’s long been a source of irritation for me. As a security writer, I’m constantly buried beneath tons of voicemail and email from vendors looking for attention, and the PR machinery almost always uses FUD to make a case for buying the latest compliance-out-of-the-box appliance or the “first of its kind” bot/spyware/worm/common cold zapper.

Along the way, the PR community likes to invent new words or phrases to define the threat, many of which start with the letters “ph” (phishing, pharming, phlooding).

I’ve been looking back through four years of writing for the sake of nostalgia. The big thing that strikes me is that we’ve written a lot of stories about the latest flaw or exploit and someone is always banging on the alarm bell with a hammer.

In the final analysis, it’s prudent to flag the latest flaws and exploits because IT security professionals need to be aware of these things and incorporate the information into their patch management process. Heck, alerting them to these things is what we’re here for. But the tone and level of alarm that should go into these stories is always something we wrestle with.

Everyone has a role to play in information security, from the IT pros to the vendors, analysts and media. But from the content I look back on, I see little evidence that vendor-generated fear has ever made a difference.

Warnings about some flaw or exploit opening the door for a catastrophic Internet-ending event are never followed by the big doom. On the other side of the spectrum, the epidemic of data security breaches shows that all the FUD and security spending in the world can’t prevent the bad guys from punching through. The recent Hannaford supermarkets breach proves you can respond to the fear and spend a lot of money on new technology and still get whacked.

I recently asked Rhode Island-based network engineer Edward Ziots whether he jumps at every exploit warning. Here’s what he told me by email:

“We don’t jump, it would be imprudent to do so. Basically I read up on how the exploit works, even look at the code offline to ascertain if it would be available to be downloaded or how much effort would it take to be in a working exploit. Next, you basically need to adjust your risk assessment based on the controls you have in house, and how many systems could be affected and in what manner.

“Lastly communicate the adjusted risk assessment to management, security and await decision on whether to raise priority for patching, or to deploy other security measures to mitigate until all systems can be patched.

“Honestly, it makes it very difficult with exploit code in the wild and reports of working exploits not to raise your risk level and deploy extra manpower and time and effort to get all systems patched. It’s just due diligence.”

My advice is to take the FUD with a grain of salt and remember that while cyberspace is a dangerous place and you’ll sometimes have to raise your level of alertness as Ziots does, most enterprises will survive with the proper mix of security tools, policies and a calm awareness of the risks.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

RSA 2008: Sourcefire founder Roesch previews Snort 3

In this interview at RSA Conference 2008, Sourcefire founder and Snort creator Martin Roesch talks about the sudden departure of the company’s CEO and the future of intrusion defense.

RSA 2008: Verizon, AT&T tout security at RSA (Part 2)

In the conclusion of this two-part video series, Information Security magazine Senior Technology Editor Neil Roiter explores security services in the U.S. telecom market. In an interview at RSA Conference 2008, Stan Quintana, vice president of AT&T Security Services, discusses the company’s strategy. He talks about what makes carriers qualified to offer security services and some of the challenges facing the industry.