Jeff Gelles: 'Cyberwar' growing more sophisticated on the Internet

A look into latest spyware software. (Illustration by Chuck Todd)

In the cat-and-mouse game that pits Internet attackers against everyone else - from ordinary computer users to super-secure financial institutions and governments - the cat is lately looking a lot more ferocious.

"Cyberwar" is no longer just a sci-fi concept. Just ask the Iranians who discovered in 2010 that their uranium-enrichment program had been at least partly disabled by the Stuxnet computer worm, or the malware researchers at Russia's Kaspersky Lab who last year added viruses known as Flame, Gauss, and Shamoon to the list of known cyberwar weapons.

Unfortunately for the rest of us, the increasing sophistication of malware writers - even those secretly working to protect us from harm far worse than data loss or identity theft - has a ripple effect throughout cyberspace. For evidence of the arms race, you probably need look no further than your e-mail inbox.

In recent weeks, mine has displayed multiple examples of "spearphishing" - the targeted variant of phishing, which has been popular among identity thieves for more than a decade.

Phishing began with mass e-mails, easily recognizable to sophisticated users, that sought to trick victims into saying "that's my bank" and freely giving up passwords and other valuable personal data. Its success fueled the rise of identity theft.

Spearphishing takes the crime to the next level, with sophisticated e-mails directed at particular victims. But in any of its forms, phishing is an attack that relies as much on social engineering - manipulating people - as it does on sophisticated code writing.

Social-engineering attacks come in other forms, sometimes woven together with malicious code.

For instance, in a report on recent threats, Malwarebytes Corp. researcher Adam Kujawa warns about the spread of "ransomware": malware that appears to seize a victim's computer while provoking what Kujawa calls a sense of "assumed guilt."

One example announces "Your computer has been blocked!" and bears the logo of the U.S. Department of Justice. It refers to "possible violations" of laws involving child pornography, copyright, and software licensing, and steers victims to send money. If they fail to pay the supposed fine, they face deletion of all their files.

How can you guard against encountering malware? Unfortunately, the answer isn't as easy as it was in the days when you were safe if you kept key programs up to date, ran security software, and resisted the temptation to click on a suspicious link.

Today, you're also vulnerable to "drive-by downloads": Simply visiting a malicious page is enough to open your computer or even your smartphone to malware. And even updated security software won't block brand-new malware.

For advice, I spoke with Art Manion, a vulnerability analyst at the CERT Coordination Center, part of the federally funded Software Engineering Institute at Pittsburgh's Carnegie Mellon University.

CERT recently issued an unusual warning. Because of vulnerabilities that are difficult to patch, it advised computer users to block their Web browsers from running Java, a programming language used in many Web-based utilities, games, and other "applets" that Internet users encounter.

"There are plenty of benign Java applets out there. My bank uses one to let me deposit checks from home," Manion told me. "The problem is that it has become an attack vector."

Not everyone is following CERT's advice. Some companies, including the one I work for, have built Java applets into routine processes that make disabling it a headache.

But if you want to guard against Java's vulnerabilities, it's worth following CERT's advice. For directions from Oracle on how to disable it within all your browsers, go to

CERT also offers instructions for disabling Java within a particular browser. Go to

Doing so might be worthwhile if you want to follow Manion's own strategy for limiting risk. He uses two browsers: one for important, sensitive sites such as his bank, and the other for general Web surfing - with Java disabled.

For further protection, he also uses a Firefox extension called NoScript that blocks not just Java but other plug-in software, such as Flash. With it, he can "whitelist" a particular site, such as his bank, or decide whether to allow the plug-in on a case-by-case basis.

Cyberspace is a dangerous place nowadays. It's wise to beware.

