Zatko joined DARPA, the research arm of the U.S. Department of Defense in 2010 and was a program manager in its Strategic Technologies Office, where he oversaw research intended to help government agencies fend off cyber attacks.

Here’s the original tweet:

Given what we all pulled off within the USG, let’s see if it can be done even better from outside.Goodbye DARPA, hello Google!

April 12, 2013 8:28 pm via Twitter for iPadReplyRetweetFavorite

@dotMudge

.mudge

Zatko first came to fame as a member of the Cambridge, Mass.-based hacking group The L0pht, a sort of unofficial think tank for hackers whose members at the time included people who went on to distinguished careers in computer security, like Chris Wysopal, Joe Grand, and Christien Rioux. He was also a member of The Cult of the Dead Cow, another hacker collective known for mixing hacking prowess with an ability to get media attention.

In the mid-1990s he did some of the early fundamental research on a type of computer security vulnerability known as a buffer overflow, and published some of the first papers on the topic. He later was the principal creator of some important security tools, including L0phtcrack . In 1998 he and other members of L0pht testified before the U.S. Senate, a session in which the group famously proclaimed that with its combined expertise, it could “bring down the Internet in about 30 minutes.”

After that, he and other L0pht members were occasionally summoned to Washington whenever senior officials, including President Clinton (he’s the long-haired guy in the picture), wanted to be seen discussing computer security issues.

In 1999, L0pht went legit and joined with the Cambridge-based computer security firm @Stake, which in 2004 became part of Symantec. In 2005 Zatko joined BBN Technologies as a research scientist.

Inside DARPA, an agency known more for its secrecy and occasionally for the cool things it does, Zatko created a Cyber Fast Track Program, through which hackers working outside government with good security ideas could get funding to work on projects that could help secure Defense Department systems.

Zatko didn’t specify what he’ll be doing at Google, and he didn’t immediately answer an email from me asking for a little more detail, though its a pretty sure bet it will involve doing some kind of research on security. I’ll add more if I hear back from him.

He’ll be the second high-profile DARPA manager to join Google in recent memory. Last year the agency’s former director, and D9 speaker Regina Dugan, joined the search giant.

For one thing, it’s just dumb. It makes it easier for anyone to make a guess and take your account for a spin. Or perhaps, as was the most recent case, you’ll get cracked by a big scary hacker attack.

That’s what’s up with a slew of blogs on Friday evening, as one or more hackers used a “botnet” — basically a creepy name for a network of automated programs — to try to access WordPress-hosted sites by attacking the lowest common denominator: Sites that use “admin” as the login name, paired with a list of the most commonly used passwords.

The brunt of the attack began last week, according to Sean Valant of HostGator, an online hosting service for Web sites. After dying off for a bit, the attack picked back up again Thursday morning, and has received some attention from Web hosts and security companies around the net.

Some, like Web security services company CloudFlare, are ringing the alarm bells (while simultaneously promoting the company’s own security services ). Which is fair, I guess. If you’re someone potentially at risk and unaware, CloudFlare could be helping you out by sounding the alert.

But I’d say it’s simpler than downloading extra protections or signing up for CloudFlare’s security plan: Just don’t use absurdly stupid usernames and passwords. Hackers go after the low-hanging fruit, which is most often found in the novice Web users who don’t take the time to switch from their default log-in information.

“Here’s what I would recommend: If you still use ‘admin’ as a username on your blog, change it; use a strong password; if you’re on WP.com, turn on two-factor authentication; and of course make sure you’re up-to-date on the latest version of WordPress,” Matt Mullenweg, founding developer of WordPress and Automattic, wrote on his blog. “Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem.”

Completely basic password security is as simple as that. So please, do us all a favor and change your log-in data if it’s something easily guessed. It’ll save you — and everyone else — a huge headache.

The “OpIsrael” attack, which was claimed on a website by activist hackers who said they were affiliated with the hacker group “Anonymous,” was the latest episode of the Middle East conflict moving from the battlefield to civilian computer networks in the public domain.

Read the rest of this post on the original site »

That’s making companies with new approaches to security pretty popular among venture capital and private equity investors. Today, one new firm, Endgame Systems, announced that it has landed a $23 million Series B investment led by Paladin Capital. Previous investors include Bessemer Venture Partners, Columbia Capital, Kleiner Perkins Caulfield & Byers and TechOperators. Retired Lt. Gen. Kenneth A. Minihan, a managing director at Paladin and a former director of the super-secret National Security Agency, will join Endgame’s board.

Started in 2008, Endgame specializes in what it describes as providing real-time command-and-control capabilities, including analytics, visualization and knowledge discovery, all intended to enhance computer security efforts.

CEO Nathaniel Fick put it this way: “As Internet-connected devices become more pervasive in our lives, the barriers to entry are falling for malicious actors to have impact thanks to commoditized and easy-to-access tools,” he said. “The only way to be successful at cyber operations in a changing environment like that is to ingest massive amounts of data, analyze it in real-time and act.”

Endgame has been expanding in recent months. Fick joined as CEO late last year. Niloofar Howe joined as chief strategy officer. Matt Georgy, a former computer security officer with the Department of Defense and the Air Force before that, joined as CTO. Its chairman is Christopher Darby, the CEO of In-Q-Tel, the venture capital arm of the U.S. Central Intelligence Agency.

The round brings Endgame’s total capital raised to $52 million, following a $29 million investment by Bessemer in 2010.

The increasing risk of cyber attacks on critical U.S. infrastructure edged aside al Qaeda and terrorism, which were described as increasingly diffuse threats more likely to harm U.S. interests abroad than at home.

Read the rest of this post on the original site »

Whitman didn’t get more specific, and yes, that growth would have to be off a small base relative to the rest of HP. But I’ve been sort of positive on security as an opportunity for HP for a while. Remember that over the last few years, HP has beefed up its security assets via acquisition: It has TippingPoint by way of its acquisition of the networking company 3Com, and it also bought ArcSight, a security software firm.

So with this in mind, I had a quick chat with Gilliland a few minutes before he was to take the stage at RSA.

Gilliland said it’s time for the security industry to start thinking about ways that it can disrupt the steps in the process that attackers follow as they break into corporate systems and steal data. “The industry needs to focus on the adversary in a little different way than it has in the past. We spend a lot of time on the actors themselves, and we don’t spend enough time focusing on the marketplace in which they participate. That marketplace behaves in a very specific way.”

Attackers, Gilliland said, are good at sharing and monetizing intelligence, much better, in fact, than the security industry itself. Because of that, he suggests a few things.

First, build new capabilities to disrupt the attackers’ processes at every stage. “We spend most of our budgets on literally one step of their process. We spend five times more on the break-in stage than we do on any other stage,” he said. Disrupt all the steps in that process, he argued, and you make it more costly and difficult for attackers to do what they do.

Big Data can help focus on the other two areas. The second piece is finding attackers while they still have access to the system — that is, after they’ve broken in but before they’ve made off with whatever it is they’re trying to steal. “That’s the most damaging stage, and so we need to focus more energy there,” Gilliland told me. “We need to find them after they’ve gotten in but before they’ve stolen any data. As an industry, we’re pretty bad at that.”

Finally, he’d like to challenge the industry to harness the cloud and big data technologies to build a security- and intelligence-sharing infrastructure. Such an approach would help companies share the expense, while benefiting from each other’s experiences. “We could use those technologies for collective security. We can collaborate together, and big data allows us to consume massive amounts of data. If we do that effectively, I think we can win.”

1.) This Is the Site Likely Responsible for the Recent Major Tech Company Hacks

2.) Yahoo CEO Mayer Now Requiring Remote Employees to Not Be (Remote)

3.) Microsoft Could Make Billions From Office for iPad

4.) Confirmed: Pinterest Completes $200 Million Funding at $2.5 Billion Valuation

5.) NFC: What You Need to Know

6.) I Love You, Man: Gates Lashes Himself to Ballmer Over Microsoft’s Mobile “Mistake” (Video)

7.) For $19, an Unlimited Phone Plan, Some Flaws

8.) Tesla Owners Hit the Road to Prove Long-Distance Can Be Done

9.) Why Google Made Its Own High-End Laptop, the Chromebook Pixel

10.) When Mayer Called Yahoo’s Mobile Revenue “Nascent,” She Wasn’t Kidding (And Here’s the Actual Number She Left Out)

For more of the week in review, you should follow us on Facebook and Twitter.

Sergey Nivens / Shutterstock.com

But that’s not to say that Apple hasn’t been preparing — quietly as always — for the kind of eventualities that tend to crop up when hackers and other digital miscreants are taken to probing your systems for vulnerabilities.

One visible sign of that preparation can be detected in the personnel that Apple has been hiring in the area of software and system security in recent years. Apple rarely if ever comments on any but its most senior hires. Nevertheless, several names have come to light. And while Apple generally doesn’t comment to confirm or deny the role that any of these people may or may not be playing in response to the latest incident, here are some people whose job at Apple involves security.

Craig Federighi: Senior vice president for software engineering, Federighi is in charge of all aspects of Apple’s operating system software, both on the Mac and the iOS platforms, and reports directly to CEO Tim Cook. He inherited responsibility for iOS after last year’s departure of Scott Forstal. He worked at Next Computer, the company Apple acquired in 1996 that brought Steve Jobs back to Apple after more than a decade. Later, Federighi spent a decade at Ariba, including a stint as its CTO. Everyone involved in OS security, whether for the iPhone, iPad or the Mac, reports to him.

David Rice: Hired in 2011 as Apple’s global director of security, Rice is a graduate of the U.S. Naval War College and spent time at the National Security Agency. However, he’s best known for his 2007 book “Geekonomics,” in which he argued that software is a new kind of public infrastructure that when built badly amounts to a public hazard, and those who buy it become virtual crash test dummies who have to suffer with a software industry that is unaccountable for the results.

Window Snyder: Hired in 2010, Snyder lists her title as Senior Product Manager, Security and Privacy. She had previously headed up security operations at Mozilla, the open source software organization responsible for the Firefox Web browser. She has also held software security positions at Microsoft and @stake, a security firm that’s now part of Symantec. She’s listed as co-author, with Frank Swiderski, of a Microsoft-produced book called “Threat Modeling,” which focuses on looking at computer security from the point of view of an attacker.

Ivan Krstić: Hired in 2009, the Croatian-born Krstić is in charge of core OS security on the Mac. He previously ran security for the One Laptop Per Child program, where he came up with a method to secure programs in Linux called BitFrost that wrapped individual programs in their own virtual operating environments so that one couldn’t harm the other. The approach was considered so novel that some suggested incorporating it as a core feature of Linux.

Kristin Paget: Currently a Core OS Security Researcher, Paget is a Microsoft veteran who’s generally credited with “saving Windows Vista” by forcing a delay in that operating system’s release after demonstrating that it wasn’t as secure as previously thought, Paget joined Apple late last year as a Core OS security researcher. Her hiring was first reported by Wired.

Image: Sergey Nivens / Shutterstock.com

Jeffrey Carr, CEO of Taia Global, writes today in a blog post that he thinks Mandiant’s report is full of holes.

“In summary, my problem with this report is not that I don’t believe that China engages in massive amounts of cyber espionage,” he writes. “My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges — that there are multiple states engaging in this activity; not just China.”

Carr explains that Mandiant’s report doesn’t include a thorough analysis of alternative explanations, the purpose of which would be to exhaust the alternatives and thus narrow down the range of possible conclusions. He says that intelligence agencies like the Central Intelligence Agency routinely engage in a vetting process known as Analysis of Competing Hypotheses (ACH). This is something, Carr argues, that Mandiant didn’t do. Thus its rather explosive allegation isn’t ironclad.

“This [ACH] is rarely if ever done by information security companies, and it’s the single biggest objection that I have when it comes to individuals making claims of attribution to nation states,” he writes.

There are, Carr notes, more than 30 countries that have military hacking capabilities who may or may not have the capabilities noted by Mandiant. Also, one of Mandiant’s primary claims has to do with the attacks being traced to a certain area of outer Shanghai, an area where there are a lot of people and a lot of computers. And if the attackers are indeed in China, why wouldn’t they take greater care to cover their tracks?

In the academic world, research papers go through a process called peer review before they’re published. Carr suggests that Mandiant’s report should be subjected to the same thing. He suggests that students at the Mercyhurst College Institute of Intelligence Studies (Mercyhurst, in case you didn’t know, is sort of a feeder school for the intelligence community) take Mandiant’s findings and run them through a thorough review.

“If you’re going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding,” he writes. “Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.”

The flaw was also used to compromise Macs at other companies, including a recently disclosed attack at Facebook.

“Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plugin for browsers,” the company said in a statement to AllThingsD. “The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.”

The company noted that it has been shipping Macs without Java since the release of Mac OS X Lion, and that it also has a software mechanism that disables Java if it goes unused for 35 days. Apple is also releasing an updated software tool to detect and remove Java-related malware.

On Friday, Facebook confirmed that it was a victim of a targeted attack last month.

Such attacks have been on the rise, with many government agencies and companies saying that they have been targeted.

The attack on Apple employee computers was reported earlier on Tuesday by Reuters.

“The supreme art of war is to subdue the enemy without fighting.” The Chinese philosopher Sun Tzu wrote that.

Both come to mind as the world is waking up a newly disclosed body of evidence from the Internet security firm Mandiant, publicly illustrating, in the starkest terms yet, how wide, deep and pervasive computer hacking attacks from China have become. As reported on the front page of today’s New York Times, numerous attacks on American, Canadian and British companies, dating as far back as 2006, have been carried out by a single unit of the China’s People’s Liberation Army. Mandiant, a firm based in Alexandria, Va., has identified it as Unit 61398, operating out of a single building just walking distance from the point in outer Shanghai where the Huangpu and Yangtze Rivers meet.

The company maintains that the unit has compromised the networks of at least 141 companies or organizations, and probably more than that, spending an average of 356 days perusing their networks. In one case, the attackers had unfettered access to a target’s computers and networks for a grand total of four years and 10 months.

Who do they attack? None of the companies are named. But, if you think back, you can remember some names that have disclosed attacks blamed on China, that might fit the bill: Google and Intel have over the years complained in public of attacks carried out by China. The Times says the army unit was the one responsible for the attacks carried out in 2011 against RSA, the security unit of the technology company EMC, which were described at the time as “extremely sophisticated.”

More recently, a series of attacks against media organizations have been attributed to China: The New York Times, The Wall Street Journal (which, like this website, is owned by News Corp.), Bloomberg News, the Washington Post and the Associated Press are among them.

Other targeted industries include information technology, defense and aerospace, energy, transportation, satellites and communications, navigation, chemicals, health care and mining, to name a few.

What do the attackers take? Here’s a list taken directly from Mandiant’s report:

• product development and use, including information on test results, system designs, product manuals, parts lists, and simulation technologies;
• manufacturing procedures, such as descriptions of proprietary processes, standards, and waste management processes;
• business plans, such as information on contract negotiation positions and product pricing, legal events, mergers, joint ventures, and acquisitions;
• policy positions and analysis, such as white papers, and agendas and minutes from meetings involving high-ranking personnel;
• emails of high-ranking employees; and user credentials and network architecture information.

Most of the time, the victim company doesn’t even know that its information has been stolen until it is far too late to do anything about it.

Who gets the information in the end? It’s unclear, exactly, and so Mandiant engages in educated conjecture and looks at the available evidence. In one case in 2008, a targeted company suffered an intrusion lasting two and a half years, during which emails and attachments of the CEO and general counsel were stolen. During the same time period, news reports showed that a Chinese company had managed to negotiate a significant increase in the price of a certain commodity component with an unnamed victim company. It may be a coincidence, Mandiant concedes, but then again, it may not.

How do they attack? Usually by sending innocent-looking attachments in email messages. An employee at the target company opens it, triggering software embedded within it that gives attackers remote access to that employee’s machine, which then serves as a beachhead for more attacks. You can see a short video showing some of the attacks actually taking place in the video below.

Certainly, suspicions about China and its intentions, capabilities and actions in this area have pervaded for months. Knowledge about all this has probably circulated within the classified community for years, and no doubt plays a part in the concern among lawmakers and U.S. federal government agencies about the growth of the Chinese networking company Huawei.

Mandiant points to another: Unit 61398, it says, carried out a series of attacks against a unit of a Canadian company called Schneider Electric. The incident was first reported by security blogger Brian Krebs, and was carried out when the unit was an independent company called Telvent. What does the company make? Remote access tools, basically software that lets you control one computer from another computer far away.

The part that should scare you is what kinds of computers this software is intended to control: They’re known generally as SCADA systems, or supervisory control and data acquisition systems. They’re the stripped-down machines that sit between large industrial machinery like generators or pumps, or any other kind of big, automated equipment, and regular computers.

In a series of letters to customers in September of last year, Telvent disclosed that attackers traced to China had installed malicious software on its network, and had stolen files related to a key product called OASyS SCADA, which is designed to connect older IT assets to certain “smart grid” systems running on electrical power networks.

Attacks on SCADA systems can be very effective, in part because the machines involved are older and have tended to be less well-secured. How effective? Remember Stuxnet? The malware attack carried out by American and Israeli intelligence agencies against the Iranian nuclear research program? In that attack, nuclear centrifuges were caused to spin out of control, and ultimately explode. That was an attack against SCADA systems. We already know how easily attacks like it might be carried out here.

Stealing intellectual property and trying to gain an edge in business negotiations is one thing. Penetrating the systems that run critical infrastructure is rather more serious, bordering on sabotage. Now that the government officially considers cyberspace a theater of warfare, similar to land, sea, and sky, this is starting to look serious.

“Last month, Facebook security discovered that our systems had been targeted in a sophisticated attack,” the company said in a blog post. “The attack occurred when a handful of employees visited a mobile developer website that was compromised.”

Facebook said that these employees then had malware installed on their laptops as a result of their visiting the website. The hack used what is called a “zero-day Java exploit,” a known vulnerability in Oracle’s software which has gained much attention in recent months. Essentially, anyone visiting a website using this attack who also has Oracle’s Java enabled in their browser was vulnerable. As a result, hackers inserted malware onto the laptops of multiple Facebook employees.

“As soon as we discovered the presence of malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day,” the post read.

In the company’s post, Facebook notes that it had “found no evidence that Facebook user data was compromised.”

Facebook did not say what the hackers did have access to, however, after the installation of said malware.

Facebook’s announcement comes on the heels of a string of recent attacks on other major websites. Twitter, the microblogging social network that hosts more than 200 million active users on its service, announced it had been hacked two weeks ago, and that upward of 250,000 user accounts may have been compromised as a result.

Other targets have included the Washington Post, the New York Times and The Wall Street Journal, all of which have said they believe that the Chinese government was somehow involved in their system infiltration.

But both Facebook and Twitter, in their respective blog posts, made no accusation or direct comparison to the hacks made on the Times, the Journal or the Post.

Facebook declined to comment when asked if the company suspected the Chinese government was involved.

Something to note, however: Facebook directly points to the zero-day exploit, which takes advantage of Oracle’s Java vulnerability, as the root cause of the attack. While Twitter did not detail the exact methods of how its systems were infiltrated, Twitter director of information security Bob Lord reminded users that security experts strongly recommend turning off the problematic Java inside of their browsers.

That could suggest that the two attacks were connected, though neither company says as much outright. But both Facebook and Twitter included language in their posts that their respective companies were part of a larger series of attacks on multiple companies over the past few months.

“Facebook was not alone in the attack. It is clear that others were attacked and infiltrated recently as well,” the company’s post says.

Twitter did not immediately respond to a request for comment.

The string of hacks also come as U.S. President Barack Obama recently released an executive cybersecurity order during his State of the Union address earlier this week, which would better allow government agencies to share information related to cyber-espionage and attacks within the private sector, while avoiding many of the unpopular concessions that the previously proposed CISPA made.

For now, however, Facebook will continue its investigation with law enforcement, as well as pursue its own “informal” cooperative investigation with others in the space.

“As one of the first companies to discover this malware, we immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected. We plan to continue collaborating on this incident through an informal working group and other means.”

As expected, the order creates a government working group that will reach out to the private sector to put in place some voluntary standards for companies deemed to be running critical infrastructure — banks, utilities, transportation companies and the like.

The president also addressed some of the concerns in his State of the Union address last night, saying, “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

Industry generally opposes the creation of standards, even voluntary ones, arguing that they tend to become de facto requirements. And there’s almost no point in following them if you can’t get any protection from civil liability if you do. That’s something that can only come from Congress, and the last time it passed legislation on this subject, Obama vetoed it. That bill did contain liability protection provision, but the Administration argued that it didn’t go far enough to protect things like personal data that might be shared between companies fending off an attack.

What the order really amounts to is a starting gun on the renewed push by the White House to get a new cybersecurity bill (I’m already really sick of that word) through Congress this year. Over the summer, the president outlined his concerns in a Wall Street Journal op-ed.

One thing that is happening: Companies in the information security space are seeing their share prices rise today, in part on assumptions that digital securities concerns topping the national agenda could mean new business in the coming year. Shares of Symantec opened higher in early trading, as did shares of Intel, which owns software security company McAfee. Checkpoint Software also rose.

Shares of a few companies are falling: Palo Alto Networks fell by more than 1.5 percent, while Sourcefire, which rose by more than 7 percent yesterday going into Obama’s speech and in anticipation of the order, settled down by more than 1 percent.

Here’s Obama’s executive order in full, as posted to Scribd:

President Obama's Cybersecurity Executive Order, Feb. 12 2013 by Arik Hesseldahl

That the new policy is expected this week implies that President Obama may devote a few words to the subject in his State of the Union address on Tuesday night. Or he may not. But the fact of the matter is that the headlines have been rife of late with news of hacking attacks against American banks, media organizations and others that appear not be coming from pranksters in a basement, but from parties that appear to be operating barely at arm’s length from governments in countries like China and Iran.

One provision would order government agencies to share more information about the nature of computer threats with private companies and give relevant executives of those companies the option to get proper security clearances to get briefed on certain classified information about the nature of the threats, and perhaps lay the groundwork for improved responses.

Republicans and business groups have generally opposed this approach, arguing that voluntary government standards essentially amount to implied regulations that they have to follow whether they want to or not. Additionally they say — correctly — that any government-set standards would quickly be overtaken by the fluid nature of cyber security threats, which are changing daily.

Compare the approach, however, to the European Union, which has its own proposal for cyber security rules on the table, this one more onerous. It would require certain companies, including search engines, energy companies, banks, transit hubs, stock exchange and others to report disruptions to the operations of their computing systems and networks — including anything from human error to full-blown cyber attacks — to government authorities. The expectation is that the proposal will become law within the 27-nation EU within two years. Nothing voluntary about it.

Given the difference, here’s an interesting thought: So often the targets of attacks are entities so large as to have global operations and global networks. An attack on Google’s operations in Europe, for example, one that under the EU scheme would have to be reported to government authorities there, amounts to an attack on its operations in the States. The same is certainly true for many banks that operate on more than one continent.

Sharing of information about cyber security incidents has always been a tricky thing. Large companies don’t like to advertise that they’ve been attacked and their operations disrupted — and when they do disclose it publicly, they do so only sparingly — and the same is true for countries. One country doesn’t like sharing what it knows about a cyber attack because it doesn’t trust what its neighbor might do with the information.

But the difference in approaches makes me wonder why there isn’t more cooperation generally between countries, especially between the U.S. and Europe. National borders mean nothing in the digital realm, and attacks are very often launched from computers in one or more countries, operated remotely by people in one or more countries, against targets in one or more countries. Now everyone is a target and no one knows exactly who the attackers are.

This makes questions about cyber warfare and security infinitely more complex. Most attackers operate at a certain remove from any governments to which they may hold an allegiance, however strong or loose, allowing for what the diplomats like to call “plausible deniability.” Or they may be the equivalent of digital mercenaries fighting for whoever pays the most, or some combination of both. The multiple combinations of variables make the the old nation-to-nation, single attacker, single target paradigm seem outmoded.

That makes the sharing of information among authorities in the most target-rich nations — the U.S. and Europe generally — an important piece any response. If houses are being broken into by a burglar who happens to be good at prying open a certain kind of door or window that happens to be prevalent in your neighborhood, would you not want your neighbor to share that information with you so that you can prepare accordingly?

Perhaps the same kind of common sense approach should apply to the community of nations in the area of cyber security. Could it be done under the auspices of a multination treaty? Perhaps something similar to NATO, where an attack on interests in one country — whatever the entity doing the attacking, be it a nation-state, terrorists, or a gang of troublemakers — amounts to an attack on all? Just a thought.

The latest victim of digital miscreants is the U.S. Department of Energy, in an attack, the New York Times says, that resulted in the compromising of personal data on “several hundred employees.” It is, of course, hard to know whether this incident is connected to the high-profile attacks upon that newspaper’s computers along with those of The Wall Street Journal (which, like this Web site, is owned by News Corp.), the Washington Post and Bloomberg News.

The apparent targets were journalists who cover China. One can easily imagine a scenario where attackers acting in the pay of Chinese political leaders were tasked with learning as much as possible about “sources and methods,” which — in the intelligence business as well as in journalism — are the twin crown jewels of the trade: Who provides information that shows up in stories, and how that information is shared.

The source of another attack, this one on Twitter, is as yet unknown, and may not be connected to the China-sourced attacks on the media organizations. When one rash of attacks comes to public light, it sort of behooves other companies to disclose attacks that may be wholly unconnected in order to soften the blow to a corporate reputation. When computer security disclosures take place in groups, it’s easy to conflate them and make them all seem like one big story, even if each disclosed incident may be unconnected.

And these are only the companies that have admitted to being targeted in the latest round of incidents. It’s easy to imagine that there are probably more that decided it was not in their best interest to go public with the information, or that haven’t done so yet. In prior incidents, companies like Intel and Google have conceded that they, too, have been attacked by parties working in China.

Disclosure may soon become the rule rather than the exception. According to new rules expected to be proposed Thursday before the European Union parliament, search engines, banks and utilities will be required to disclose attacks against them.

The timing of the disclosures comes as the Obama administration is said to be working on a classified set of guidelines on the conduct and use of cyber weapons. While Twitter or news media organizations aren’t exactly considered critical infrastructure that if attacked would trigger a retaliation, the sheer volume and effectiveness of attacks suggest a time is coming when attacks against systems crucial to the flow of daily life, like power utilities and the banking system, will become more routine.

Last month, government sources disclosed that Iran was thought to be behind a series of denial-of-service attacks against several U.S. banks. Those attacks might have been retaliation against the U.S. for its role, never officially acknowledged, in the Stuxnet attacks against the Iranian nuclear research program.

Effective as the Stuxnet attacks may have been — they are said to have caused some Iranian nuclear centrifuges to explode — they showed the world what is possible, and in time that learning will stick. The ease of Stuxnet-like attacks against industrial systems in particular has already been demonstrated by security researchers, and has long been on a list of things Western policymakers have to worry about when it comes to cyber security.

Consider this just a hunch, but there’s going to be a lot more news like this throughout the year.

If you haven’t read it yet, I’ll spare you the effort. Last fall, the Times was getting ready to publish a lengthy report about how relatives of Chinese premier Wen Jiabao had amassed a sizable fortune. Knowing China’s reputation for carrying out hacking attacks against companies and other entities that annoy it, Times executives had the foresight to have the company’s Internet service provider watch for any unusual activity.

Predictably, it showed up. It was a classic spear-phishing attack that contained a remote access tool, packaged in an email attachment innocently opened by an employee. The incident provided the Times and the security firm it hired, Mandiant, the opportunity to watch the intruders’ activity for an extended period of time as they roamed the network. Once Mandiant had a pretty good idea of all the different paths for getting in and out, they shut down and isolated all the affected machines, plugged all the holes and that was that.

Interesting. But it’s not the first time the Times has been hacked in a high-profile manner. The story reports that the first attack occurred on Sept. 13. That’s a notable date because it is, coincidentally, the 15-year anniversary of the day in 1998 that the New York Times Web site was attacked by a hacking group calling itself Hacking for Girliez.

I wrote about that attack for Wired. The attack was a basic Web defacement. The Times front page was replaced with another page (you can see the results, not completely safe for work, here) that contained within its HTML code a rambling message about the then-jailed hacker Kevin Mitnick, and a weird poem.

No one was ever arrested for the attack and it’s a pretty sure bet no one ever will be, mainly because the statute of limitations would have long expired. But someone did get the perpetrators to sit for an interview. Adam Penenberg, then a writer for Forbes and now an editor for PandoDaily, got “Slut Puppy” and “Master Pimp” to answer some questions. Their motivation at the time? They were bored and couldn’t agree on a video to watch.

The 1998 attack was the first incident for the Times, and for a little while its entire Web site was taken down in order to prevent the display of the hacked page. The timing of this attack probably has nothing to do with this latest attack. But then again, hackers of all stripes are known for long memories and a unique sense of humor.

That was the warning given by Gen. William Shelton (pictured in a file photo), head of the U.S. Air Force’s Space Command, which is also in charge of the Air Force’s cyberwar group, in a speech in Washington, D.C., yesterday, which was covered by Reuters.

Shelton’s warning comes nine days after security experts familiar with the opinion of U.S. government officials told the New York Times that Iran is behind a series of denial-of-service attacks in late 2012 meant to disrupt the normal flow of financial business. Banks affected included Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, J.P. Morgan Chase and PNC.

The attacks were largely seen as a retaliation not only for Stuxnet, but for other malware-based campaigns that are thought to have been targeted against Iran: Flame, which turned computers into sophisticated spying tools, using their built-in video cameras and microphones; and Gauss, which sought to intercept bank account information.

Shelton didn’t speak directly to whether or not Iran has attacked U.S. government networks, but said that its efforts are ongoing.

Shelton referred to the Stuxnet attack in 2010 as the “Natanz situation.” In that instance of sophisticated digital sabotage, as reported by the New York Times, malware targeting Windows burrowed its way into industrial control computers called Programmable Logic Controllers, targeting a specific setup in a specific configuration. The malware then seized control of those systems and cause some centrifuges to spin out of control and ultimately explode, while computer monitors displaying the condition of those centrifuges showed them to be normal. At the time, the damage was thought to have set the Iranian nuclear research program back by about two years.

Shelton says it had another effect: An increase in Iranian resolve to strike its enemies in the cyber realm. “The Iranian situation is difficult to talk about,” Reuters quotes Shelton as saying. “It’s clear that the Natanz situation generated reaction by them. They are going to be a force to be reckoned with, with the potential capabilities that they will develop over the years and the potential threat that will represent to the United States.”