Security Bytes - A SearchSecurity.com blog


The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Spammers exploit social networking sites

Users of social networking sites may be irritated to find that an increasing number of invitations to be a friend or contact turn out to be ads.

Spammers are turning their attention to social networking sites to hawk their products, according to Cloudmark, a messaging security company. As email antispam technology has improved, spammers have branched out to other areas, said Adam O’Donnell, director of emerging technology at Cloudmark. “The social networking side provided a fertile ground for spammers,” he said.

Junk emailers are using multiple messaging vectors available on social networking sites, including direct messaging to friends, bulletin board posts and profiles, O’Donnell said. For example, a spammer will create a profile that includes a link to a porn or dating site, then invite a bunch of people to be their friend or contact.

In a recent six-month period, Cloudmark tracked a 300 percent increase in spam on a large social networking site that it works with. Also, at several major social networking sites, about one-third of new accounts created are fraudulent, designed for spam and other attacks, the company said.

On Monday, Cloudmark released what it said was the only commercial product to combat spam, phishing and other attacks on social networks. Cloudmark Authority for Social Networking Providers, which extends Cloudmark’s carrier-grade platform, is designed to protect all communication channels on a social networking site. The company said the technology has been deployed at one of the largest social networking sites, but wouldn’t identify it.

There’s no spam filter that end users can deploy to protect themselves on social networking sites, O’Donnell said. Some sites like LinkedIn are used as business tools, he said, adding, “If it came to a point on social networks where 80 percent of inbound content is spam, they’re no longer a useful business tool.”

Jamz Yaneza, a senior threat researcher at Trend Micro who uses several social networking sites including Facebook and MySpace, said he’s noticed an increase in friend invitations that push products. There have been a lot of exploits against social networking sites, he said, citing last year’s hack of singer Alicia Keys’ MySpace page.

Paul Ferguson, also a threat researcher at Trend Micro, said the growth of users on social networking sites “far outpaces their ability to keep the platform secure.” He added, “The back-end mechanisms that allow the interactivity also allow people to use them for malicious purposes.”


Why lateral SQL injection and NULL pointer attacks matter

There has been a lot of interesting work going on in the research community of late on a handful of really specialized and esoteric application attacks, like Mark Dowd’s NULL pointer attack and David Litchfield’s lateral SQL injection technique. These two methods have a few things in common, specifically the fact that they both exploit things that were thought to be unexploitable. One other similarity is that some people seem to be dismissing these techniques as theoretical or purely academic thought exercises that will never see the light of day. Proponents of this line of thinking say that enterprises don’t need to worry about crazy, multi-step attacks that are hard to understand. It’s things like buffer overflows and worms that really need your attention, they say.

This is, ah, how should I put it, ridiculous. These new attacks are exactly the kind of things that should worry you if you’re charged with protecting a corporate network. Hackers pay good money for reliable attack methods like this, particularly when they are brand new and not well understood. Security specialists know what a buffer overflow attack looks like, and there are any number of products out there that are capable of stopping these attacks. But the complex techniques like Litchfield’s and Dowd’s are the ones that find the cracks in network defenses and by the time they’re recognized for what they are, it’s game over. And who’s to say that some hacker in the Ukraine or Brazil or China hasn’t been using the same techniques for months?

Sure, worms and viruses and phishing are still threats, but to ignore new attacks because they look difficult or complex is foolish at best and negligent at worst.

Secure Computing CEO steps down

Secure Computing today named Daniel Ryan as interim CEO. He replaces John McNulty, who served as board chairman and CEO since 1999.

Ryan has served as the company’s president and chief operating officer since last August. Richard Scott, a Secure Computing board member since January 2006, was appointed chairman. McNulty will continue as a board member.

The San Jose-based vendor, which makes Web security gateways and other products, didn’t explain why McNulty is stepping down. A call to a company press contact was not immediately returned.

McNulty’s tenure included Secure Computing’s $274 million acquisition of email security vendor CipherTrust in 2006, which closely followed its $295 million acquisition of CyberGuard. Scott was a CyberGuard board member.

RSA Panel: National data breach law unlikely

A national data breach law is unlikely, said members of a panel at the RSA Conference Tuesday.

There was a real opportunity three years ago to have such a law, but the drive has pretty much died, said Mike Zaneis, vice president of public policy, Interactive Advertising Bureau. “We sort of missed the bus,” he said, adding that such legislation is mired in a number of issues. Large and mid-size companies generally assume they need to notify customers of a data breach, he added.

Jim Dempsey, vice president of public policy at the Center for Democracy and Technology, said it’s highly unlikely a national breach law will be passed. About 39 states have enacted breach notification laws and companies generally have applied them nationally, he said. The only entities left out of coverage are state agencies and universities in a few states that don’t have breach notification laws, Dempsey said.

“At this point, there’s no support for a federal law,” he said.

Companies are worried that a federal law would end up more stringent than the state laws while privacy advocates are worried it wouldn’t be stringent enough, he added.

Fire laws trump a full-conference fee at RSA

So you travel thousands of miles, shelling out a cool $2,125 for the full-conference fee, and you get to your first session of the day–one of the best on the RSA docket: Joanna Rutkowska’s presentation on security challenges in virtual environments–and you’re asked to leave because all the chairs in the room are taken 15 minutes before the start, and you’re not allowed to stand in the back.

Score it: San Francisco fire marshal 1, full-fare paying RSA attendee 0.

More than 50 attendees, told that fire laws prohibit standing along the perimeter of the room, grumbled their way out of the session, which was held in one of the smaller conference rooms at the Moscone Center.

Two security staffers came into the room and made it clear that anyone not seated–Information Security magazine included–had to leave. One attendee remarked that pre-registration for sessions was not an option, and nowhere in the registration process was this particular issue raised. “You can take that upstairs,” security told him.

To her credit, Rutkowska stuck up for her audience, asking why they couldn’t stay and sit on the floor. But not even a renowned hacker has any pull at RSA.

Lesson learned: Put Rutkowska in a bigger room next year. Her sessions are always well attended at industry events such as RSA and Black Hat. And hers was the only virtualization research session scheduled Tuesday, an issue not lost on those who crammed the hallway straining their hearing for some insight, before the doors were shut, of course.

Supermarket chain discloses breach

East Coast supermarket chain Hannaford Bros. Co. said Monday that its network was broken into and customer credit and debit card numbers were stolen.

The Associated Press reported that company officials said the breach exposed 4.2 million credit and debit cards and led to 1,800 cases of fraud.

In a statement on the company’s website, Hannaford CEO Ron Hodge said the stolen data was limited to credit and debit card numbers and expiration dates; no personal data was accessed. The card numbers were stolen from Hannaford’s computer systems during transmission of card authorization.

The breach affected Hannaford stores in New England and New York, Sweetbay stores in Florida and some independently owned retail locations in the Northeast that carry Hannaford products. Hannaford discovered the intrusion on Feb. 27 and alerted law enforcement officials.

The company advised customers that made purchases at its stores using credit and debit cards over the last three months, and who suspect their accounts may have been compromised, to immediately notify their card issuer or bank.

In his statement, Hodge said Hannaford “doesn’t collect, know or keep any personally identifiable customer information from transactions.” He added, “We sincerely regret this intrusion into our systems, which we believe are among the strongest in the industry.”

Meanwhile, the Massachusetts Bankers Association said in a statement Monday that Visa and MasterCard have notified 60 to 70 banks in Massachusetts about a large data breach involving what the card companies would only describe as a major retailer.

The MBA estimates that “hundreds of thousands” of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and urged consumers to monitor their accounts. The association said it has been in discussions with the card companies and pursuing legislative alternatives that would require that the name of the retailer involved in a breach be released.

How to ask a VC for money

I’m listening to a panel discussion right now featuring six former members of the L0pht hacking collective and Mudge, perhaps the most famous member of the group, just told a great story about the group going to ask Battery Ventures for the money to help fund @stake. Speaking to Chris Wysopal, aka Weld Pond, he said:
“I remember going to pick you up at your house to go see Battery and you said, Do I wear a suit? And both your wife and I said, When you’re asking someone for ten million dollars, you wear a [expletive deleted] suit.”

Just in case you’re in the market for ten million bucks, there’s the dress code.

Chevron security chief: Get creative

If security executives want a seat at the table or leverage the one they have, they need to get creative.

That was the message Chevron Chief Information Protection Officer Richard Jackson delivered in a keynote at the Cornerstones of Trust conference Thursday in Foster City, Calif. Some 250 security professionals attended the event, which was co-hosted by the Information Systems Security Association’s Silicon Valley and San Francisco chapters and San Francisco Bay Area InfraGard.

IT security is often perceived as increasing costs and creating hurdles, Jackson said. Changing that perception requires a creative mindset that drives organizational value by aligning with the business. When speaking with business executives, use language they understand and tailor the message of security to their needs, he said. “As you try to market security and build influence, don’t force it. Understand their needs and move accordingly.”

Don’t overwhelm executives with technical data; have a few key metrics, Jackson advised. Also, a governance framework can help validate decisions around risk management and security. And thinking in business terms may mean identifying areas where there may be too much security, he added.

He urged audience members to take risks and to be visionaries: “Go ahead and predict the future … It’s OK to be a visionary and find it doesn’t come true. You’ll be more prepared for what happens in the short term if you think long term.” Jackson said it’s important for security professionals to remain dissatisfied and to search for continuous improvement. The attackers we’re defending against are always unsatisfied, he noted.

Conference attendee Sheryl Harkleroad, IT manager at Suhr Risk Services of California, a Burlingame, Calif.-based insurance broker, said she completely agreed with Jackson’s message about understanding the business and working with business units to help them succeed. She’s a recent graduate of Norwich University’s master’s program in information assurance.

“Much of what was said was not new to me, but reinforced what I’ve learned in recent months about the need for infosec leaders to understand the business side and speak in their language. Being viewed as an enabler and not an obstacle is the only way to get any buy-in and acceptance of a security program,” she said.

Conference aims to bring together Bay Area security community

If you’re a security professional based in the San Francisco Bay Area or happen to be in the area next month, you might want to check out the Cornerstones of Trust conference.

The annual conference, sponsored by the San Francisco and Silicon Valley chapters of the nonprofit Information Systems Security Association (ISSA) and San Francisco Bay Area InfraGard, will be held March 6 in Foster City.

Scheduled keynote speakers are Richard Jackson, chief information protection officer and general manager of global information risk management at Chevron, and Amit Yoran, CEO of NetWitness and former cybersecurity chief at the Department of Homeland Security.

The conference will have four parallel tracks covering a range of topics: convergence of physical and IT security, security metrics, securing core business functions, and predictive analysis for risk measurement. Featured speakers include Wells Fargo CSO William Wipprecht, consultant Fred Cohen, Liam Lynch, chief security strategist for eBay Marketplaces, and eTelecare CISO Kim Jones.

For more information or to register, visit the conference Web site at http://www.cornerstonesoftrust.com/index.htm. The cost is $50 for members and $75 for non-members.

Information security makes the silver screen

Information security hit the big screen — well, not so big screen — with the debut of Fortify Software’s documentary, “The New Face of Cybercrime” Thursday in San Francisco.

Billed as a “world premiere,” the showing of the short film was in a small, private theater inside a movie complex, and attended by about 130 people. The slick film, which features security experts like Marcus Ranum, Gary McGraw and Howard Schmidt, along with corporate executives and an ominous soundtrack, is a basic primer for the general public on information security.

Director Frederic Golding told the audience during a panel discussion after the showing that the film is intended to generate awareness of information security threats for the masses (although the film did make a point to convey the importance of application security — Fortify’s business). “To a lot of you here, it probably seemed very simple,” he said.

Still, the audience, made up mostly of IT security professionals, was full of harsh critics. “You didn’t make it scary enough,” a network security engineer told the filmmakers during a Q&A after the panel. The movie touched on issues like cross-site scripting but should have delved deeper, he said, adding, “The only way to get people to open their eyes is through shock.” Others said the film didn’t discuss enough of the end user experience, or show how laws haven’t caught up to modern cybercrime.

Golding and Roger Thornton, Fortify founder and CTO and the film’s executive producer, took turns defending the film and both said they would have liked to include interviews with cybercriminals but were warned by law enforcement that it was too dangerous.

At a reception afterwards, Craig Rosenberg, a network engineer at Serena Software, said the movie was good but didn’t go into as much depth as he’d like. Some details on what end users can do to protect their PCs might have been good, he said.

No word on a sequel, and there’s no Hollywood premiere slated for the film — private screenings are scheduled for later this month in New York and London.