<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; gmail</title>
	<atom:link href="http://krebsonsecurity.com/tag/gmail/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Wed, 23 May 2012 14:03:41 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>&#8216;Right-to-Left Override&#8217; Aids Email Attacks</title>
		<link>http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/</link>
		<comments>http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/#comments</comments>
		<pubDate>Mon, 26 Sep 2011 15:16:02 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Latest Warnings]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[Amir Lev]]></category>
		<category><![CDATA[Commtouch]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[NACHA]]></category>
		<category><![CDATA[right to left override]]></category>
		<category><![CDATA[RLO]]></category>
		<category><![CDATA[spyeye]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=11626</guid>
		<description><![CDATA[Computer crooks and spammers are abusing a little-known encoding method that makes it easy to disguise malicious executable files (.exe) as relatively harmless documents, such as text or Microsoft Word files.]]></description>
			<content:encoded><![CDATA[
<p>Computer crooks and spammers are abusing a little-known encoding method that makes it easy to disguise malicious executable files (.exe) as relatively harmless documents, such as text or Microsoft Word files.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2011/09/dubx3mirror.jpg"><img class="alignright size-medium wp-image-11629" title="dubx3mirror" src="http://krebsonsecurity.com/wp-content/uploads/2011/09/dubx3mirror-300x199.jpg" alt="" width="300" height="199" /></a>The &#8220;right to left override&#8221; (RLO) character is a special character within <a title="What is Unicode?" href="http://www.unicode.org/standard/WhatIsUnicode.html" target="_blank">Unicode</a>, an encoding system that allows computers to exchange information regardless of the language used. Unicode covers all the characters for all writing systems of the world, modern and ancient. It also includes technical symbols, punctuation, and many other characters used in writing text. For example, a blank space between two letters, numbers or symbols is expressed in Unicode as &#8220;U+0020&#8221;.</p>
<p>The RLO character (U+202E in Unicode) is designed to support languages that are written right to left, such as Arabic and Hebrew. The problem is that this override character also can be used to make a malicious file look innocuous.</p>
<p>This threat is <a title="Mozilla Foundation Security Advisory 2009-62" href="http://www.mozilla.org/security/announce/2009/mfsa2009-62.html" target="_blank">not</a> new, and has been <a title="Unicode.org: Bidirectional Text Spoofing" href="http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing" target="_blank">known for some time</a>. But an increasing number of email based attacks are taking advantage of the RLO character to trick users who have been trained to be wary of clicking on random .exe files, according to Internet security firm <a title="Commtouch: Malware.exe read backwards spells malware" href="http://blog.commtouch.com/cafe/malware/exe-read-backwards-spells-malware/" target="_blank">Commtouch</a>.</p>
<p>Take the following file, for example, which is encoded with the RLO character:</p>
<p><em>“CORP_INVOICE_08.14.2011_Pr.phylexe.doc”</em></p>
<p>Looks like a <strong>Microsoft Word</strong> document, right? This was the lure used in a recent attack that downloaded Bredolab malware. The malicious file, <em>CORP_INVOICE_08.14.2011_Pr.phyldoc.exe</em>, was made to display as <em>CORP_INVOICE_08.14.2011_Pr.phylexe.doc</em> by placing the Unicode command for right to left override just before the &#8220;d&#8221; in &#8220;doc&#8221;.</p>
<p>I wanted to see this work on my Windows 7 system, but found that I had to enable <a href="http://www.georgehernandez.com/h/xComputers/CharacterSets/Shortcuts.asp" target="_blank">a registry tweak</a> to allow the insertion of unicode into file names. After a reboot, I was able to rename any executable by holding the ALT key, then pressing the &#8220;+&#8221; sign on the keypad and typing &#8220;202e&#8221; in front of the targeted area while renaming a file.</p>
<p>According to Commtouch, this technique is being used to conceal malicious files in an unusually aggressive series of spam blasts that have been ongoing since mid-August.</p>
<p>&#8220;The average outbreak during 2010 occurred every 10-14 days and consisted of 5-10 billion messages sent by botnets,&#8221; Commtouch co-founder <strong>Amir Lev</strong> said. &#8220;The outbreak distribution kept enough bots alive to manage [a] certain level of malicious activity.&#8221;</p>
<p>In contrast, Lev said, recent malware spam outbreaks have been far more frequent – sometimes three per day. The malware variants embedded in the spam include many password-stealing bots used in high-profile cyber heists, such as <strong>SpyEye</strong> and <strong>Zbot/ZeuS</strong>, in addition to <a title="Trend Micro: Sasfis Fizzles in the Background" href="http://blog.trendmicro.com/sasfis-fizzles-in-the-background/" target="_blank">Sasfis</a> and fake antivirus. The lures used include <strong>UPS</strong> package notifications, credit card errors, inter-company invoices, and supposed notifications from <strong>NACHA</strong>, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.</p>
<p>Some email applications and services that block executable files from being included in messages also block .exe programs that are obfuscated with this technique, albeit occasionally with interesting results. I copied the program that powers the Windows command prompt (cmd.exe) and successfully renamed it so that it appears as &#8220;evilexe.doc&#8221; in Windows. When I tried to attach the file to an outgoing Gmail message, Google sent me the usual warning that it doesn&#8217;t allow executable files, but the warning message itself was backwards:</p>
<div>&#8220;evil ‮&#8221;cod.exe is an executable file. For security reasons, Gmail does not allow you to send &#8220;this type of file.</div>
<p>Unfortunately, many mail applications don&#8217;t or can&#8217;t reliably scan archived and zipped documents, and according to Commtouch and others, the malicious files manipulated in this way are indeed being spammed out within zip archives.</p>
<p>This class of attack is a good reminder that there is no substitute for being careful with unbidden documents and attachments sent to you via email. If you receive a message with an attachment you weren&#8217;t expecting &#8212; even if it appears to come from someone you know &#8212; the safest option is to take a second and reply back to the person to verify the contents of the message and that they meant to send it.</p>
<p>I have not had an opportunity to test this on other operating systems or email clients (although my Mac happily displayed the cmd.exe file as evilexe.doc). I&#8217;d be interested in comments from readers who have broader experience with this approach in manipulating file types.</p>
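One way a mail gateway or triage script can catch this trick is to look for the bidirectional control characters themselves and compare the extension a user would see with the one the operating system will act on. The Python below is an added example, not code from the original post or from Commtouch; its sample filenames are constructed (one is built to display as the invoice lure quoted above), and its rendering model is a deliberate simplification of the full Unicode bidi algorithm that is exact for the Latin-only filenames this attack uses.

```python
# Unicode bidirectional formatting characters. A filename has no legitimate
# need for any of them; RLO (U+202E) is the one the article describes.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}

# File types a mail filter would refuse outright (constructed, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs"}


def find_bidi_controls(name):
    """Return (position, code point, short name) for every bidi control in name."""
    return [(i, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch])
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def displayed_name(name):
    """Approximate how a file manager renders name once overrides are applied.

    Simplification of the Unicode Bidirectional Algorithm (UAX #9) that is
    exact for the attack in the article: Latin text with one RLO that runs to
    the end of the name (or to a PDF). Everything between RLO and PDF is shown
    mirrored; the control characters themselves are invisible.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":                       # start of an override run
            end = name.find("\u202c", i + 1)     # PDF terminates it, if present
            end = len(name) if end == -1 else end
            run = "".join(c for c in name[i + 1:end] if c not in BIDI_CONTROLS)
            out.append(run[::-1])
            i = end + 1
            continue
        if ch not in BIDI_CONTROLS:
            out.append(ch)
        i += 1
    return "".join(out)


def real_extension(name):
    """Extension the OS will actually use: after the last dot of the stored
    name, ignoring the invisible formatting characters."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""


def displayed_extension(name):
    """Extension the user sees at the end of the rendered name."""
    shown = displayed_name(name)
    return shown.rsplit(".", 1)[-1].lower() if "." in shown else ""


def inspect_attachment(name):
    """Classify one attachment filename for a mail filter or triage report."""
    controls = find_bidi_controls(name)
    real_ext = real_extension(name)
    shown_ext = displayed_extension(name)
    return {
        "name_as_stored": name,
        "name_as_displayed": displayed_name(name),
        "bidi_controls": controls,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "extension_spoofed": bool(controls) and real_ext != shown_ext,
        "executable": real_ext in EXECUTABLE_EXTENSIONS,
    }


# Constructed sample attachment names: one built to display exactly as the
# invoice lure quoted in the article, one mirroring the cmd.exe experiment,
# and two ordinary names for comparison.
SAMPLES = [
    "CORP_INVOICE_08.14.2011_Pr.phyl\u202ecod.exe",
    "evil\u202ecod.exe",
    "quarterly_report.docx",
    "setup.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = inspect_attachment(sample)
        flag = "SPOOFED" if r["extension_spoofed"] else "ok"
        print(f"{flag:8} shown={r['name_as_displayed']!r} real_ext={r['real_extension']}")
```

A filter that only matches on the extension of the rendered name will miss these; rejecting any name containing a bidi control, or comparing the two extensions as above, does not.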

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/feed/</wfw:commentRss>
		<slash:comments>18</slash:comments>
		</item>
		<item>
		<title>How to Buy Friends and Deceive People</title>
		<link>http://krebsonsecurity.com/2011/07/how-to-buy-friends-and-deceive-people/</link>
		<comments>http://krebsonsecurity.com/2011/07/how-to-buy-friends-and-deceive-people/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 05:13:46 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[buypvanow.com]]></category>
		<category><![CDATA[buytwitterfollowers.com]]></category>
		<category><![CDATA[Craigslist]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[phone verified accounts]]></category>
		<category><![CDATA[PVA]]></category>
		<category><![CDATA[Stefan Savage]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[twitterfollowershop.com]]></category>
		<category><![CDATA[UCSD]]></category>
		<category><![CDATA[verifiedaccountmonster.com]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=10715</guid>
		<description><![CDATA[Want more friends and followers? Emerging enterprises will create them for you &#8212; for a price. An abundance of low-cost, freelance labor online is posing huge challenges for Internet companies trying to combat the growing abuse of their services, and has created a virtual testbed for emerging industries built to assist a range of cybercrime [...]]]></description>
			<content:encoded><![CDATA[
<p>Want more friends and followers? Emerging enterprises will create them for you &#8212; for a price. An abundance of low-cost, freelance labor online is posing huge challenges for Internet companies trying to combat the growing abuse of their services, and has created a virtual testbed for emerging industries built to assist a range of cybercrime activities, new research shows.</p>
<p>Free services like <strong>Craigslist</strong>, <strong>Facebook</strong>, <strong>Gmail</strong> and <strong>Twitter</strong> have long sought to deter scammers and spammers by deploying technical countermeasures designed to prevent automated activity, such as the use of botnets to create new accounts en masse. These defenses typically require users to perform tasks that are difficult to automate, at least in theory, such as requiring that new accounts be verified by phone before activation.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/07/craigslistpva.jpg"><img class="alignright size-medium wp-image-10719" title="craigslistpva" src="http://krebsonsecurity.com/wp-content/uploads/2011/07/craigslistpva-300x231.jpg" alt="" width="300" height="231" /></a>But researchers from the University of California, San Diego found that these fraud controls increasingly are being defeated by freelance work arrangements: buyers &#8220;crowdsource&#8221; work by posting jobs they need done, and globally distributed workers bid on projects that they are willing to take on.</p>
<p>&#8220;The availability of this on-demand, for-hire contract market to do just about anything you can think of means it&#8217;s very easy for people to innovate around new scams,&#8221; said <strong>Stefan Savage</strong>, a UCSD computer science professor and co-author of the study.</p>
<p>The UCSD team examined almost seven years&#8217; worth of data from <strong>freelancer.com</strong>, a popular marketplace for those looking for work. They found that 65-70 percent of the 84,000+ jobs offered for bidding during that time appeared to be for legitimate work such as online content creation and Web programming. The remainder centered around four classes of what they termed &#8220;dirty&#8221; jobs: account registration and verification, social network linking (buying friends and followers), search engine optimization, and ad posting and bulk mailing.</p>
<p>&#8220;Though not widely appreciated, today there are vibrant markets for such abuse-oriented services,&#8221; the researchers wrote. &#8220;In a matter of minutes, one can buy a thousand phone-verified Gmail accounts for $300, or a thousand Facebook &#8216;friends&#8217; for $26 – all provided using extensive manual labor.&#8221;</p>
<p><span id="more-10715"></span>The evolving marketplace is best illustrated by the market for services that mass-solve CAPTCHAs &#8212; those agglomerations of squiggly numbers and letters that webmail providers and forums frequently require users to input before approving new accounts. The researchers found that the market for CAPTCHA-solving was fostered on freelancer, but quickly expanded into custom markets when the model proved profitable on a large scale. Today, there are <a title="Captchabot: Blurring Human and Machine" href="https://krebsonsecurity.com/2010/11/captchabot-blurring-human-and-machine/" target="_blank">plenty of commercial services</a> that pay pennies per day to low-wage workers in India and Eastern Europe to solve these puzzles for people wanting to create huge numbers of accounts at one time.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/07/verifiedaccountmonster.jpg"><img class="alignleft size-medium wp-image-10721" title="verifiedaccountmonster" src="http://krebsonsecurity.com/wp-content/uploads/2011/07/verifiedaccountmonster-300x253.jpg" alt="" width="300" height="253" /></a>Adding to the available services, there is now steep competition among services that outfox phone-verified accounts (PVAs). Web services like Craigslist and Gmail, and some financial institutions, place an automated call to a new account creator, read a numeric code over the phone, and require the new user to enter that number into a website.</p>
<p>The UCSD team noticed that demand for phone-verified Craigslist accounts increased rapidly in early 2008, when Craigslist introduced phone verification for the erotic services section of the site. The researchers observed that the price the freelance market will support for creating PVAs can tell you a lot about the value of phone verification as a security mechanism. &#8220;For Craigslist, PVAs have made account abuse extremely expensive. In contrast, retail services sell Gmail PVAs for around 25 cents, a 10-20 fold price difference compared to Craigslist,&#8221; they wrote.</p>
<p>This same dynamic is now driving competition among services that offer the ability to generate large numbers of fake Twitter &#8220;followers&#8221; and Facebook &#8220;friends;&#8221; such services are popular among spammers and scammers who use them to make their pages appear more legitimate and trustworthy.</p>
<p>As demand for these new human services continues to increase, entrepreneurs have stepped in to aggregate the workforce. Savage said overall demand for social networking links has skyrocketed since the early part of 2010, suggesting that spammers have only recently realized the potential for monetizing social links.</p>
<p>&#8220;Whether it&#8217;s to buy friends for a social network or to do phone verification of new accounts, over time if a particular new business model makes sense, it gets moved out of the freelancer market and into its own stand-alone service,&#8221; Savage said.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/07/twitterfollowershop.jpg"><img class="alignright size-medium wp-image-10722" title="twitterfollowershop" src="http://krebsonsecurity.com/wp-content/uploads/2011/07/twitterfollowershop-300x173.jpg" alt="" width="300" height="173" /></a>Need a whole mess of Twitter followers a.s.a.p? Places like the <strong>twitterfollowershop.com</strong> and <strong>buytwitterfollowers.com</strong> charge between $17 and $24.95 per 1,000 followers. I called the phone number found in the WHOIS registration records for twitterfollowershop.com, and a guy named &#8220;Pat&#8221; answered. He told me that the service is powered by manual labor in Asia.</p>
<p>&#8220;We have people overseas who are manually following users,&#8221; he said.</p>
<p>Want phone verified accounts at Facebook, Craigslist, YouTube and Twitter? <strong>Buypvanow.com</strong>, <strong>verifiedaccountmonster.com</strong> and <a title="List of PVA vendors" href="http://krebsonsecurity.com/wp-content/uploads/2011/07/PVAvendors.txt" target="_blank">plenty of others</a> will sell verified accounts by the hundreds.</p>
<p>The UCSD paper describing the research in more detail is available <a title="Dirty Jobs: The Role of Freelance Labor in Web Service Abuse" href="http://krebsonsecurity.com/wp-content/uploads/2011/07/sec11-final186.pdf" target="_blank">here</a> (PDF).</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/07/how-to-buy-friends-and-deceive-people/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Spotting Web-Based Email Attacks</title>
		<link>http://krebsonsecurity.com/2011/06/spotting-web-based-email-attacks/</link>
		<comments>http://krebsonsecurity.com/2011/06/spotting-web-based-email-attacks/#comments</comments>
		<pubDate>Thu, 02 Jun 2011 20:26:01 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Latest Warnings]]></category>
		<category><![CDATA[The Coming Storm]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[Adobe Flash]]></category>
		<category><![CDATA[Blackhole Exploit Pack]]></category>
		<category><![CDATA[Contagiodump]]></category>
		<category><![CDATA[FileHippo]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[Microsoft Word]]></category>
		<category><![CDATA[Mila Parkour]]></category>
		<category><![CDATA[secunia]]></category>
		<category><![CDATA[Thunderbird]]></category>
		<category><![CDATA[Trusteer]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=10038</guid>
		<description><![CDATA[Google warned on Wednesday that hackers were launching targeted phishing attacks against hundreds of Gmail account users, including senior U.S. government officials, Chinese political activists, military personnel and journalists. That story, as related in a blog post on the Official Google Blog, was retold in hundreds of media outlets today as the latest example of Chinese cyber espionage: The lead story in the print edition of The Wall Street Journal today was, "Google: China Hacked Email."

The fact that hackers are launching extremely sophisticated email attacks that appear to trace back to China makes for great headlines, but it isn't exactly news. I'm surprised by how few media outlets took the time to explain the mechanics behind these targeted attacks, because they offer valuable insight into why people who really ought to know better keep falling for these attacks. I also think a more complete accounting of the attacks may give regular Internet users a better sense of the caliber of scams that are likely to target them somewhere down the road.]]></description>
			<content:encoded><![CDATA[
<p><strong>Google </strong>warned on Wednesday that hackers were launching targeted phishing attacks against hundreds of <strong>Gmail</strong> account users, including senior U.S. government officials, Chinese political activists, military personnel and journalists. That story, as related in <a href="http://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html" target="_blank">a post on the Official Google Blog</a>, was retold in hundreds of media outlets today as the latest example of Chinese cyber espionage: The lead story in the print edition of <em>The Wall Street Journal</em> today was, &#8220;Google: China Hacked Email.&#8221;</p>
<p>The fact that hackers are launching extremely sophisticated email attacks that appear to trace back to China makes for great headlines, but it isn&#8217;t exactly news. I&#8217;m surprised by how few media outlets took the time to explain the mechanics behind these targeted attacks, because they offer valuable insight into why people who really ought to know better keep falling for them. A more complete accounting of the attacks may give regular Internet users a better sense of the caliber of scams that are likely to target them somewhere down the road.</p>
<p>Google said &#8220;the goal of this effort seems to have been to monitor the contents of targeted users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)&#8221;</p>
<p>This statement freaked me out a little bit. When was the last time you checked whether your email forwarding settings had been modified? If you&#8217;re like me, probably never. This might be the most useful aspect of the Google disclosure, and it contains a few helpful pointers about how to check those settings in Gmail. Google also took this opportunity to remind users about the value of enabling 2-step verification, a security precaution I highlighted in <a title="Google Adds 1-time Passwords to Gmail, Apps" href="http://krebsonsecurity.com/2011/02/google-adds-1-time-passwords-to-gmail-apps/" target="_blank">a February blog post</a>.</p>
<p>To my mind, the most valuable content in the Google Blog entry is a footnote that points to the <a title="Contagio Malware Dump" href="http://contagiodump.blogspot.com/" target="_blank">Contagio Malware Dump blog</a>, an incredibly detailed and insightful (if slightly dangerous) resource for information on targeted attacks. It&#8217;s worth noting that Google relied on Contagio to reconstruct how the attacks took place, and that its author, blogger <strong>Mila Parkour</strong>, first wrote about these attacks almost four months ago.</p>
<p>Most of the targeted email attacks chronicled on Parkour&#8217;s blog involve poisoned file attachments that exploit zero-day software flaws in programs like <strong>Adobe Flash</strong> or <strong>Microsoft Word</strong>. This campaign also encouraged people to click a link to download a file, but the file was instead an HTML page that mimicked Gmail&#8217;s login page. The scam page also was custom-coded to fill in the target&#8217;s Gmail username. Contagiodump has a proof-of-concept page available <a title="Attack Page Proof of Concept" href="http://www.mediafire.com/file/1c2qqvqnwfbtxve/ServiceLoginAuthen-ModdedwJDoe.htm" target="_blank">at this link</a> that shows the exact attack, except populated with &#8220;JDoe&#8221; in the username field.</p>
<p>Parkour also published an informative graphic highlighting the differences between the fake Google login page and the legitimate page at https://mail.google.com.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/06/gmailattack.jpg"><img class="aligncenter size-full wp-image-10045" title="gmailattack" src="http://krebsonsecurity.com/wp-content/uploads/2011/06/gmailattack.jpg" alt="" width="600" height="491" /></a><span id="more-10038"></span>Some readers may think they&#8217;re not important enough to warrant targeted phishing attacks such as these, but the truth is that such phishing attacks can be automated quite easily. I&#8217;d be willing to bet that it won&#8217;t be long before more traditional, financially-motivated cyber crooks start incorporating these techniques in their scam emails.</p>
<p>Along these lines comes a blog post today from security vendor <strong>Trusteer</strong>, which <a title="LinkedIn Spam Emails Download Malware" href="http://www.trusteer.com/blog/linkedin-spam-emails-download-malware" target="_blank">warned</a> that scam artists are once again using cleverly disguised <strong>LinkedIn</strong> invites to foist password-stealing malicious software. Trusteer said this latest attack started with a simple connect request via email that was made to look as if it came from another user of the social networking service. Users who click the link are redirected to a site in Russia outfitted with a version of the <a title="Java: A Gift to Exploit Pack Makers" href="http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/" target="_blank">Blackhole Exploit Pack</a>, which tries to silently install a copy of the <strong>ZeuS trojan</strong> by heaving a kitchen sink full of browser exploits at visitors.</p>
<p>The image below, taken from Trusteer&#8217;s blog, shows the booby-trapped LinkedIn request on top and a legitimate LinkedIn request beneath it. Would you have been able to tell them apart?</p>
<div id="attachment_10046" class="wp-caption aligncenter" style="width: 502px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/06/linkedinTrusteer.jpg"><img class="size-full wp-image-10046" title="linkedinTrusteer" src="http://krebsonsecurity.com/wp-content/uploads/2011/06/linkedinTrusteer.jpg" alt="" width="492" height="772" /></a><p class="wp-caption-text">Image courtesy Trusteer</p></div>
<p>Here are a few simple tips that can help you avoid becoming the next victim of these attack methods:</p>
<ul>
<li><strong>Keep your software up-to-date. </strong>Legitimate, high-traffic Web sites get hacked all the time and seeded with exploit kits. Take advantage of programs like Secunia&#8217;s <a title="Personal Software Inspector" href="http://secunia.com/vulnerability_scanning/personal/" target="_blank">Personal Software Inspector</a> or <a title="Filehippo's Update Checker" href="http://www.filehippo.com/updatechecker/" target="_blank">Filehippo&#8217;s Update Checker</a> to stay abreast of the latest security updates.</li>
<li><strong>Be extremely judicious about clicking links in emails.</strong> Try to avoid responding to invites by clicking links in emails. I notice that Twitter has now started sending emails when someone re-tweets your posts: Avoid clicking on those as well. It&#8217;s safest to manage these accounts by visiting the sites manually, preferably using a bookmark as opposed to typing these site names into a browser address bar.</li>
<li><strong>Pay close attention to what&#8217;s in the address bar:</strong> Checking this area can prevent many email-based attacks. Staying vigilant here can also block far more stealthy attacks, such as <a title="Devious New Phishing Attack Targets Tabs" href="http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/" target="_blank">tabnabbing</a>.</li>
<li>Consider using an email client, such as Mozilla&#8217;s <strong>Thunderbird</strong>, to handle your messages. It&#8217;s a good idea to have emails displayed in plain text instead of allowing HTML code to be displayed in emails by default.</li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/06/spotting-web-based-email-attacks/feed/</wfw:commentRss>
		<slash:comments>41</slash:comments>
		</item>
		<item>
		<title>After Epsilon: Avoiding Phishing Scams &amp; Malware</title>
		<link>http://krebsonsecurity.com/2011/04/after-epsilon-avoiding-phishing-scams-malware/</link>
		<comments>http://krebsonsecurity.com/2011/04/after-epsilon-avoiding-phishing-scams-malware/#comments</comments>
		<pubDate>Wed, 06 Apr 2011 12:58:22 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[email headers]]></category>
		<category><![CDATA[Epsilon]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=9055</guid>
		<description><![CDATA[The recent massive data leak from email services provider Epsilon means that it is likely that many consumers will be exposed to an unusually high number of email-based scams in the coming weeks and months. So this is an excellent time to point out some useful resources and tips that can help readers defend against [...]]]></description>
			<content:encoded><![CDATA[
<p>The <a href="http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/" target="_blank">recent massive data leak </a>from email services provider <strong>Epsilon</strong> means that it is likely that many consumers will be exposed to an unusually high number of email-based scams in the coming weeks and months. So this is an excellent time to point out some useful resources and tips that can help readers defend against phishing attacks and other nastygrams.</p>
<p><strong><a href="http://krebsonsecurity.com/wp-content/uploads/2011/04/emailsec.jpg"><img class="alignright size-medium wp-image-9078" title="emailsec" src="http://krebsonsecurity.com/wp-content/uploads/2011/04/emailsec-300x225.jpg" alt="" width="300" height="225" /></a>Don&#8217;t take the bait: </strong>Many people are familiar with the traditional phishing attack, which arrives in  an email that appears to have been sent from your bank or ISP, warning that your account will be suspended  unless you take some action immediately, usually clicking a link and &#8220;verifying&#8221; your account information, user name, password, etc. at a fake site. Commercial emails that emphasize urgency should be always considered extremely suspect, and under no circumstances should you do anything suggested in the email. Phishers count on spooking people into acting rashly because they know their scam sites have a finite lifetime; they may be shuttered at any moment (most phishing scams are hosted on hacked, legitimate Web sites). If you&#8217;re really concerned, pick up the phone (gasp!) and call the company to find out if there really is anything for you to be concerned about.</p>
<p><strong>Links Lie</strong>: You&#8217;re a sucker if you take links at face value. For example, this might look like a link to <a href="http://bankofamerica.com.someotherpagethatsnotbankofamericacombut.youprobablywouldntbeabletotellthatunlessyoucutandpastedthelinksomewhereandreadfromtherighttotheleftfromthefirstslashafterhttpslash.slashandthengo.backwardsfromtheretothesecond.dot/" target="_blank">Bank of America</a>, but I assure you it is not. To get an idea of where a link goes, hover over it with your mouse and then look in the bottom left corner of the browser window. Yet, even this information often tells only part of the story, and some links can be trickier to decipher. For instance, many banks like to send links that include ridiculously  long URLs which stretch far beyond the browser&#8217;s ability to show the  entire thing when you hover over the link. The most important part of a  link is the &#8220;root&#8221; domain. To find that, look for the first slash (/) after the &#8220;http://&#8221; part, and then work backwards through the link until you reach the second dot; the part immediately to the right is the real domain to which that link will take you.  Want to learn more cool stuff about links? Check out <a title="Screw Phishers and Learn How to Identify Phishing Links!" href="http://www.bustspammers.com/phishing_links.html" target="_blank">this guy&#8217;s site</a> and you&#8217;ll be a link ninja in no time.</p>
<p><span id="more-9055"></span><strong>&#8220;From&#8221; Fields can be forged: </strong>Just because the message says in the &#8220;From:&#8221; field that it was sent by your bank doesn&#8217;t mean that it&#8217;s true. This information can be and frequently is forged. If you want to discover who (or what) sent a message, you&#8217;ll need to examine the email&#8217;s &#8220;headers,&#8221; important data included in all email.  The headers contain a lot of information that can be overwhelming for the untrained eye, so they are often hidden by your email client or service provider, each of which may have different methods for letting users view or enable headers. Describing succinctly how to read email headers with an eye toward thwarting spammers would require a separate tutorial, so I will link to a decent one already written at <a href="http://email.about.com/cs/spamgeneral/a/spam_headers.htm" target="_blank">About.com</a>. Just know that taking the time to learn how to read headers is a useful skill that is well worth the effort.</p>
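<p>The header check the post defers to a tutorial, as an added example that is not part of the original post: it parses a constructed message with Python&#8217;s standard email package and compares the &#8220;From:&#8221; domain against the envelope sender (Return-Path) and against the relay that handed the mail to the recipient&#8217;s own servers. Every hostname, address and message ID in the sample is invented.</p>

```python
"""Does the "From:" line agree with the headers the mail servers wrote?

Added example, not code from the original post or the tutorial it links
to. It parses a constructed message with the standard library's email
package and pulls out what a header reader looks at first: the From:
domain, the Return-Path (envelope sender) domain, and the chain of
Received: hops read bottom-up, which is the order the mail travelled.
Only the Received: lines your own provider's servers added can be
trusted; everything below them may have been written by the sender.
All hostnames, addresses and IDs here are invented.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: claims to come from a bank, but was handed to the
# recipient's MX by an unrelated bulk-mail host. Newest header is on top.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-blaster.example.net>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
    by inbox.recipient.example with ESMTP id abc123
Received: from mail-blaster.example.net (unknown [198.51.100.7])
    by mx.recipient.example with ESMTP id def456
Received: from [10.0.0.5] (localhost [127.0.0.1])
    by mail-blaster.example.net with SMTP id ghi789
From: "Example Bank Security" <alerts@examplebank.com>
To: customer@recipient.example
Subject: Your account will be suspended

Click here to verify your account.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)")


def domain_of(header_value: str) -> str:
    """Domain of the first address in a header value, lower-cased."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def received_hops(msg) -> list:
    """(from_host, by_host) for each Received: header, oldest first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        hops.append((m.group(1), m.group(2)) if m else (flat, "?"))
    return hops


def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def injecting_relay(hops, recipient_domain: str):
    """The host that handed the mail to the recipient's own servers: the
    'from' of the oldest Received: line written 'by' a recipient host.
    That line is the first one the sender could not have forged."""
    for frm, by in hops:
        if in_domain(by, recipient_domain):
            return frm
    return None


def analyze(raw: str, recipient_domain: str) -> dict:
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    hops = received_hops(msg)
    relay = injecting_relay(hops, recipient_domain) or ""
    # A mismatch is a clue, not proof: legitimate mail often goes out via
    # a third-party sender. But a bank alert relayed by an unknown host
    # with a foreign Return-Path deserves a phone call, not a click.
    suspicious = not in_domain(relay, from_domain) and envelope_domain != from_domain
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "hops": hops,
        "relay": relay,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_MESSAGE, "recipient.example").items():
        print(f"{key}: {val}")
```

<p>Read the hops from the bottom of the list up: the sender controls everything it wrote itself, so the first reliable fact is the &#8220;from&#8221; host on the Received line your own provider added.</p>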
<p><strong>When in doubt, type it out:</strong> If you&#8217;re not sure about the validity of an email, don&#8217;t click on the link in the message. Instead, take a moment to visit the Web site of the sender in question by typing the URL into a Web browser, and access your account normally.</p>
<p><strong>Keep in mind that phishing can take many forms:</strong> Why steal one set of login credentials for a single brand when you can steal them all? Increasingly, attackers are opting for approaches that allow them to install a Trojan that steals all of the sensitive data on victim PCs. So be careful about clicking links, and don&#8217;t open attachments in emails you weren&#8217;t expecting, even if they appear to come from someone you know. Send a note back to the sender to verify the contents and that they really meant to send it. This step can be a pain, but I&#8217;m a stickler for it; I&#8217;ve been known to lecture people who send me press releases and other items as unrequested attachments.</p>
<p><strong>If you didn&#8217;t go looking for it, don&#8217;t install it:</strong> Password stealing malware doesn&#8217;t only come via email; quite often, it is distributed as a Facebook video that claims you need a special &#8220;codec&#8221; to view the embedded content. There are tons of variations of this scam. The point to remember is: If it wasn&#8217;t your idea to install something from the get-go, don&#8217;t do it. Do your homework before installing programs, plug-ins, or ActiveX controls, and always try to download the installer directly from the vendor&#8217;s Web site if you can.</p>
<p><strong>Think Ahead:</strong> While this may be of little help to folks who received multiple warnings from companies impacted by the Epsilon breach, the best way to avoid dealing with email scams is to be very selective in giving out your email address. If you don&#8217;t already have one, consider creating a second email address to use when signing up for any services that require an email. Alternatively, if you&#8217;re sure you won&#8217;t need a specific service or site more than once or for more than a few minutes, you can take advantage of a free service like 10 Minute mail; as its name suggests, 10minutemail.com lets you create throwaway addresses that give you just enough time to sign up for something and then check your inbox for the message containing the obligatory confirmation link.</p>
<p><strong>Lay traps: </strong>When you&#8217;ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers &#8212; most notably <strong>Gmail</strong> &#8212; make this especially easy. When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that with a &#8220;+&#8221; sign just to the left of the &#8220;@&#8221; sign in your email address. For example, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to Gmail and create a label called &#8220;Example&#8221; (Gmail&#8217;s equivalent of a folder), along with a new filter that sends any email addressed to that variation of my address to the Example label. That way, if anyone other than the company I gave this custom address to starts spamming or phishing it, that may be a clue that example.com shared my address with others (or that it got hacked, too!). I should note two caveats here. First, although a &#8220;+&#8221; sign is a legal character in the part of an address before the &#8220;@&#8221;, treating whatever follows it as a tag is a convention that Gmail and some other providers follow, not something the email standard requires, so not all providers will recognize address variations like these. Also, many commercial Web sites freak out if they see anything other than numerals or letters, and may not permit the inclusion of a &#8220;+&#8221; sign in the email address field.</p>
<p>Let’s summarize with a few quick rules:</p>
<p>1. Don’t open emails if you don’t recognize the sender’s name or domain.</p>
<p>2.  Take a moment to check that the sender is really the one whose name appears as “From.”</p>
<p>3.  Don’t click on links in emails or open attachments unless you are sure the sender is trustworthy.</p>
<p>4. When in doubt, go to the senders’ websites  by typing their addresses  in your browser bar.  Or call the senders – they probably need to know that spam is being sent in their names.</p>
<p>5.  Your  email address should be kept private if possible. Consider using a second or throwaway address if you are required to provide it.</p>
<p>6. Be extremely cautious when a website tells you that you need to install an add-on or download of any sort.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/04/after-epsilon-avoiding-phishing-scams-malware/feed/</wfw:commentRss>
		<slash:comments>70</slash:comments>
		</item>
		<item>
		<title>Google Adds 1-Time Passwords to Gmail, Apps</title>
		<link>http://krebsonsecurity.com/2011/02/google-adds-1-time-passwords-to-gmail-apps/</link>
		<comments>http://krebsonsecurity.com/2011/02/google-adds-1-time-passwords-to-gmail-apps/#comments</comments>
		<pubDate>Thu, 10 Feb 2011 19:30:17 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[2-step verification]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[Nishit Shah]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=7935</guid>
		<description><![CDATA[Stolen or easily-guessed passwords have long been the weakest link in security, leaving many Webmail accounts subject to hijacking by identity thieves, spammers and extortionist. To combat this threat on its platform, Google is announcing that starting today, users of Google's Gmail service and other applications will have the option to beef up the security around these accounts by adding one-time pass codes sent to their mobile or land line phones.]]></description>
			<content:encoded><![CDATA[
<div class="topsy_widget_data topsy_theme_silver" style="float: left;margin-right: 0.75em; background: url(data:,%7B%20%22url%22%3A%20%22http%253A%252F%252Fkrebsonsecurity.com%252F2011%252F02%252Fgoogle-adds-1-time-passwords-to-gmail-apps%252F%22%2C%20%22style%22%3A%20%22big%22%2C%20%22title%22%3A%20%22Google%20Adds%201-Time%20Passwords%20to%20Gmail%2C%20Apps%22%20%7D);"></div>
<p>Stolen or easily-guessed passwords have long been the weakest link in security, leaving many Webmail accounts subject to hijacking by identity thieves, spammers and extortionists. To combat this threat on its platform, <strong>Google</strong> is announcing that starting today, users of Google&#8217;s Gmail service and other applications will have the option to beef up the security around these accounts by adding one-time pass codes sent to their mobile or land line phones.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2011/02/googcode.png"><img class="alignright size-medium wp-image-7950" title="googcode" src="http://krebsonsecurity.com/wp-content/uploads/2011/02/googcode-300x109.png" alt="" width="300" height="109" /></a>For several months, Google has been <a href="http://krebsonsecurity.com/2010/09/google-adds-2-factor-security-to-gmail-apps/" target="_blank">offering this option to business customers</a> and to &#8220;hundreds of thousands&#8221; of regular users who lost control over their accounts due to password theft, said <strong>Nishit Shah</strong>, product manager for Google Security. Today, Google will begin rolling this feature out to all users, although it may not be available to everyone immediately, Shah said.</p>
<p>&#8220;It&#8217;s an extra step, but it&#8217;s one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know—your username and password—and something that only you should have—your phone,&#8221; Shah wrote in a blog post published today. &#8220;A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a &#8216;Remember verification for this computer for 30 days&#8217; option, and you won&#8217;t need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.&#8221;</p>
<p>I set up the 2-step verification process for my Gmail account, and found the process to be quick and painless, if a little involved. I chose to set it up to call my Skype line and read the code aloud, and the call came in three seconds after I hit the submit button. The setup wizard then gave me 10 backup codes to use in cases when for whatever reason I don&#8217;t have access to my Skype account. Another setup page offered the ability to add a secondary backup phone to send the code via SMS/text message, or automated voice message.</p>
<p><span id="more-7935"></span></p>
<p>A final page warned that &#8220;Google has detected that you need to create application-specific passwords&#8221; to use applications like mobile Gmail, desktop Picasa or AdWords Editor. I skipped this step because I don&#8217;t use those services, but was confused by the prompt that said &#8220;Your two-step verification settings have not changed.&#8221; When I went back again and ran through all the setup options, Google&#8217;s system did not prompt me to add the application-specific passwords, but instead gave a page with a button to &#8220;turn on 2-step verification&#8221;, which signed me out of my Gmail and then called me with the one-time code. At the corresponding login page, the option to &#8220;Remember this computer for 30 days,&#8221; was pre-checked.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2011/02/goodcode2.png"><img class="alignleft size-medium wp-image-7952" title="goodcode2" src="http://krebsonsecurity.com/wp-content/uploads/2011/02/goodcode2-300x166.png" alt="" width="300" height="166" /></a>This feature is undoubtedly a useful tool for securing accounts; the challenge will be making users aware of the option. For now, the option to enable it is tucked inside of the &#8220;user settings&#8221; panel in Gmail, an area into which many users probably never venture. And to be sure, many users probably will end up locking themselves out of their accounts, despite the availability of multiple means of obtaining a secondary code that Google has offered. On top of that, threats to mobile devices or cleverly-designed social engineering attacks could still trick users into giving away the codes.</p>
<p>Still, the 2-step verification process is more robust than many banks are offering their customers for online authentication these days. Given the <a href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">epidemic of commercial and consumer e-banking account takeovers</a> aided by password theft, it would be nice to see financial institutions taking a cue from Google&#8217;s offering.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/02/google-adds-1-time-passwords-to-gmail-apps/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>FBI Identifies Russian &#8216;Mega-D&#8217; Spam Kingpin</title>
		<link>http://krebsonsecurity.com/2010/12/fbi-identifies-russian-mega-d-spam-kingpin/</link>
		<comments>http://krebsonsecurity.com/2010/12/fbi-identifies-russian-mega-d-spam-kingpin/#comments</comments>
		<pubDate>Wed, 01 Dec 2010 19:44:35 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Other]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[Affking]]></category>
		<category><![CDATA[Brett E. Banner]]></category>
		<category><![CDATA[ePassporte]]></category>
		<category><![CDATA[FireEye]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[Mega-D]]></category>
		<category><![CDATA[Oleg Nikolaenko]]></category>
		<category><![CDATA[Spamit]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6899</guid>
		<description><![CDATA[FBI investigators have identified a 23-year-old Russian man as the mastermind behind the notorious "Mega-D" botnet, a network of spam-spewing PCs that once accounted for roughly a third of all spam sent worldwide.

According to public court documents related to an ongoing investigation, a grand jury probe has fingered Moscow resident Oleg Nikolaenko as the author and operator of the Mega-D botnet. ]]></description>
			<content:encoded><![CDATA[
<div class="topsy_widget_data topsy_theme_silver" style="float: left;margin-right: 0.75em; background: url(data:,%7B%20%22url%22%3A%20%22http%253A%252F%252Fkrebsonsecurity.com%252F2010%252F12%252Ffbi-identifies-russian-mega-d-spam-kingpin%252F%22%2C%20%22style%22%3A%20%22big%22%2C%20%22title%22%3A%20%22FBI%20Identifies%20Russian%20%27Mega-D%27%20Spam%20Kingpin%22%20%7D);"></div>
<p>Federal investigators have identified a 23-year-old Russian man as the mastermind behind the notorious &#8220;Mega-D&#8221; botnet, a network of spam-spewing PCs that once accounted for roughly a third of all spam sent worldwide.</p>
<p>According to public court documents related to an ongoing investigation, a grand jury probe has indicted Moscow resident <strong>Oleg Nikolaenko</strong> as the author and operator of the Mega-D botnet.</p>
<p>Federal agents settled on Nikolaenko thanks to information provided by <strong>Lance Atkinson</strong>, an Australian man named as a co-conspirator in the &#8220;Affking&#8221; e-mail marketing and counterfeiting operation that was shuttered in 2008 after investigations by the FBI, the <strong>Federal Trade Commission</strong> and international law enforcement authorities. The Affking program generated revenues of $500,000 a month using spam to promote counterfeit Rolexes, herbal &#8220;male enhancement&#8221; pills and generic prescription drugs.</p>
<p>As part of his guilty plea to spam violations, Atkinson provided investigators information on the top spammers who helped to promote the Affking products. Among them was an affiliate who used the online nickname &#8220;<strong>Docent</strong>,&#8221; who earned nearly $467,000 in commissions over a six month period in 2007.</p>
<p>Atkinson told investigators that Docent&#8217;s commissions were sent to an <a href="http://krebsonsecurity.com/?s=epassporte&amp;x=0&amp;y=0" target="_blank">ePassporte</a> account, under the name &#8220;Genbucks_dcent,&#8221; that was tied to the e-mail address &#8220;4docent@gmail.com.&#8221; Records subpoenaed by the grand jury found that the ePassporte account was registered in Nikolaenko&#8217;s name to an address in Moscow.</p>
<p>According to court documents, investigators found numerous executable files in Docent&#8217;s Gmail inbox. Those files were analyzed by researchers at <strong>SecureWorks</strong>, an Atlanta based security firm, which found them to be samples of the Mega-D malware.</p>
<p><strong>Update:</strong> <em>[Nikolaenko was reportedly arrested in the United States recently. See update at the end, after the jump.]</em></p>
<p><span id="more-6899"></span></p>
<p>But U.S. investigators missed at least two chances to apprehend Nikolaenko: The grand jury said a review of U.S. State Department records indicate that Nikolaenko entered the United States in Los Angeles on July 17, 2009, and left the country ten days later. He returned to the U.S. on Oct. 29, 2009, entering from New York and visiting Las Vegas before exiting the country on Nov. 9 from Los Angeles.</p>
<p>Investigators say Nikolaenko was supposed to leave Los Angeles on Nov. 11, but cut his trip short by two days. They concluded that the 23-year-old left early because he wanted to get home to repair damage that security experts had inflicted on his botnet. On Nov. 4, 2009, researchers from Milpitas, Calif.-based <a href="http://www.fireeye.com">FireEye</a> <a href="http://blog.fireeye.com/research/2009/11/smashing-the-ozdok.html" target="_blank">executed a &#8220;stun&#8221; attack on Mega-D</a> by seizing control over the botnet&#8217;s control networks.</p>
<p>&#8220;Based on the timing of the Fireeye attack on the Mega-D botnet, I believe that Nikolaenko left the U.S. early to repair damage caused by Fireeye,&#8221; wrote Special Agent <strong>Brett E. Banner</strong>, in the government&#8217;s complaint against Nikolaenko.</p>
<p>After the FireEye takedown, spam from Mega-D all but disappeared. But in the days following his return to Moscow, the botnet recovered gradually, and by Nov. 22, spam from Mega-D was back to pre-takedown activity levels. By Dec. 13, Mega-D was responsible for sending nearly 17 percent of spam worldwide, according to security vendor <strong>M86 Security</strong>.</p>
<p><strong>Joe Stewart</strong>, a senior security researcher at SecureWorks, said that at the beginning of Nov. 2009, there were at least 120,000 computers infected with Mega-D that were relaying spam, but Stewart said he hasn&#8217;t seen any signs of activity from Mega-D over the past several months.</p>
<p>While Mega-D may be dead, information obtained by KrebsOnSecurity.com suggests that Nikolaenko has nonetheless continued spamming, and that, until at least June 2010, he was a top-earning affiliate for <strong>Spamit.com</strong>. Prior to <a href="http://krebsonsecurity.com/2010/09/spam-affialite-program-spamit-com-to-close/" target="_blank">its closure at the end of Sept. 2010</a> &#8212; Spamit was the world&#8217;s most active affiliate program for promoting knockoff prescription drugs.</p>
<p>A Spamit affiliate using the same &#8220;4docent@gmail.com&#8221; address made nearly $81,000 in the first five months of 2010 promoting online pharmacies for Spamit. The earnings were deposited into the same &#8220;Genbucks_dcent&#8221; ePassporte account named in the criminal complaint against Nikolaenko. It&#8217;s not clear whether Nikolaenko was able to enjoy all of those earnings: ePassporte also went belly-up in September, leaving thousands of customers <a href="http://krebsonsecurity.com/2010/09/following-the-money-epassporte-edition/" target="_blank">without access</a> to millions of dollars in funds.</p>
<p>A copy of the full complaint against Nikolaenko is available <a href="http://krebsonsecurity.com/wp-content/uploads/2010/12/Nikolaenko-complaint.pdf" target="_blank">here</a> (PDF).</p>
<p><strong>Update, Dec. 2, 5:40 p.m. ET:</strong> The Milwaukee-Wisconsin Journal Sentinel <a href="http://www.jsonline.com/news/crime/111169714.html" target="_blank">reports</a> that Nikolaenko was arrested after entering the United States to attend a car show in Las Vegas. He is scheduled to make his initial court appearance in Milwaukee on Friday.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/12/fbi-identifies-russian-mega-d-spam-kingpin/feed/</wfw:commentRss>
		<slash:comments>22</slash:comments>
		</item>
		<item>
		<title>Google Extends Security Bug Bounty to Gmail, YouTube, Blogger</title>
		<link>http://krebsonsecurity.com/2010/11/google-extends-security-bug-bounty-to-gmail-youtube-blogger/</link>
		<comments>http://krebsonsecurity.com/2010/11/google-extends-security-bug-bounty-to-gmail-youtube-blogger/#comments</comments>
		<pubDate>Tue, 02 Nov 2010 01:42:51 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Blogger.com]]></category>
		<category><![CDATA[bug bounty]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[Google Desktop]]></category>
		<category><![CDATA[leet speak]]></category>
		<category><![CDATA[Picassa]]></category>
		<category><![CDATA[Youtube]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6247</guid>
		<description><![CDATA[Google on Monday said it was expanding a program to pay security researchers who discreetly report software flaws in the company's products. The move appears aimed at engendering good will within the hacker community while encouraging more researchers to keep their findings private until the holes can be fixed.]]></description>
			<content:encoded><![CDATA[
<div class="topsy_widget_data topsy_theme_silver" style="float: left;margin-right: 0.75em; background: url(data:,%7B%20%22url%22%3A%20%22http%253A%252F%252Fkrebsonsecurity.com%252F2010%252F11%252Fgoogle-extends-security-bug-bounty-to-gmail-youtube-blogger%252F%22%2C%20%22shorturl%22%3A%20%22http%3A%2F%2Fbit.ly%2FbmkFJr%22%2C%20%22style%22%3A%20%22big%22%2C%20%22title%22%3A%20%22Google%20Extends%20Security%20Bug%20Bounty%20to%20Gmail%2C%20YouTube%2C%20Blogger%22%20%7D);"></div>
<p><strong>Google</strong> on Monday said it was expanding a program to pay security researchers who discreetly report software flaws in the company&#8217;s products. The move appears aimed at engendering goodwill within the hacker community while encouraging more researchers to keep their findings private until the holes can be fixed.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/11/bugs.jpg"><img class="alignright size-medium wp-image-6250" title="Software Bug" src="http://krebsonsecurity.com/wp-content/uploads/2010/11/bugs-300x211.jpg" alt="" width="300" height="211" /></a>Earlier this year, Google launched a program to reward researchers who directly report any security holes found in the company&#8217;s <a href="http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html" target="_blank">Chrome</a> open-source browser project. With its announcement today, Google is broadening the program to include bugs reported for its Web properties, including <strong>Gmail</strong>, <strong>YouTube</strong>, <strong>Blogger</strong> and others (the company says its client-side applications, such as <strong>Android</strong>, <strong>Picasa</strong> and <strong>Google Desktop</strong>, are not included in the expanded bounty program).</p>
<p>The program is unlikely to attract those who are looking to get rich selling security vulnerabilities, as there are several less reputable places online where critical bugs in important online applications can fetch far higher prices. But the expanded bounty may just win over researchers who might otherwise post their research online, effectively alerting Google to the problem at the same time as the cyber criminal community.</p>
<p>&#8220;We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on <a href="http://www.google.com/corporate/security.html">our credits page</a>,&#8221; Google&#8217;s security team <a href="http://googleonlinesecurity.blogspot.com/2010/11/rewarding-web-application-security.html" target="_self">wrote</a> on the company&#8217;s security blog. &#8220;As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer.&#8221;</p>
<p>The standard reward for bugs will continue to be public recognition and $500, although the search giant said bugs that are particularly severe or clever could earn rewards of up to $3,133.7 (this is <a href="http://www.google.com/url?sa=t&amp;source=web&amp;cd=1&amp;ved=0CBMQFjAA&amp;url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FLeet&amp;rct=j&amp;q=leet%20speak&amp;ei=cGfPTKq1OoL48AasvPHCAQ&amp;usg=AFQjCNFslNrbCi_OeDQ46sE4XV_JmYGLhw&amp;sig2=-4Deh7qqRGL2gmACRnm7Ew&amp;cad=rja" target="_blank">leet speak</a> for &#8220;elite&#8221;).</p>
<p>Google said it won&#8217;t pay for bugs that involve overtly malicious attacks, such as social engineering and physical attacks or so-called &#8220;black hat search engine optimization&#8221; techniques &#8211;  and that it wouldn&#8217;t count less serious flaws such as denial-of-service bugs, or flaws in technologies recently acquired by Google.</p>
<p>Other companies have established bug bounty programs. For example, <strong>Mozilla</strong>, the organization behind the Firefox Web browser, for years paid researchers $500 for bugs, but recently <a href="http://www.readwriteweb.com/archives/mozilla_ups_bounty_for_discovering_security_bugs_t.php" target="_blank">upped the amount to $3,000</a>.</p>
<p><strong>Charlie Miller</strong>, a security researcher who has reported a large number of bugs in a variety of applications and programs, was <a href="http://www.zdnet.com/news/critics-call-google-bug-bounty-insulting/392258" target="_blank">initially critical</a> of such a tiny bounty from one of the world&#8217;s wealthiest and most powerful businesses. But reached via e-mail Monday evening, Miller said that while he&#8217;d always like to see more money being paid to bug researchers, the relatively few companies that offer bug bounties also deserve recognition.</p>
<p>&#8220;With so many companies (MS, Adobe, Apple, Oracle) not paying anything, I&#8217;m very happy to see any money going out for these types of programs,&#8221; Miller wrote. &#8220;It motivates and rewards researchers. The security of the products (or websites) that the average person uses goes up. Also, it provides vendors with a level of control they otherwise lack. If a researcher reports a bug and then decides they think the process is not working well, they&#8217;ll think twice about dropping it on full disclosure if they know they&#8217;ll lose their finder&#8217;s fee.&#8221;</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/11/google-extends-security-bug-bounty-to-gmail-youtube-blogger/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>The Wire: Google Security Edition</title>
		<link>http://krebsonsecurity.com/2010/01/the-wire-google-security-edition/</link>
		<comments>http://krebsonsecurity.com/2010/01/the-wire-google-security-edition/#comments</comments>
		<pubDate>Thu, 14 Jan 2010 16:09:13 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[The Wire]]></category>
		<category><![CDATA[chinese dissidents]]></category>
		<category><![CDATA[evgeny morozov]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[idefense]]></category>
		<category><![CDATA[tim hanson]]></category>
		<category><![CDATA[wired.com]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=451</guid>
		<description><![CDATA[Google has reportedly stopped censoring Chinese search results for its Google.cn property, in response to what it said earlier this week were targeted attacks against its corporate infrastructure aimed at Chinese dissident groups. But a security research firm claims the attack that hit Google was part of a larger, unusually sophisticated assault aimed at stealing [...]]]></description>
			<content:encoded><![CDATA[
<div class="topsy_widget_data topsy_theme_silver" style="float: left;margin-right: 0.75em; background: url(data:,%7B%20%22url%22%3A%20%22http%253A%252F%252Fkrebsonsecurity.com%252F2010%252F01%252Fthe-wire-google-security-edition%252F%22%2C%20%22style%22%3A%20%22big%22%2C%20%22title%22%3A%20%22The%20Wire%3A%20Google%20Security%20Edition%22%20%7D);"></div>
<p><strong>Google</strong> has reportedly stopped censoring Chinese search results for its Google.cn property, in response to what it said earlier this week were <a href="http://www.krebsonsecurity.com/2010/01/hack-against-google-prompts-search-giant-to-stop-censoring-chinese-search-results/" target="_blank">targeted attacks against its corporate infrastructure</a> aimed at Chinese dissident groups. But a security research firm claims the attack that hit Google was part of a larger, unusually sophisticated assault aimed at stealing source code from Google and at least 30 other Silicon Valley firms, banks and defense contractors.</p>
<p>Also, Google switches to &#8220;always on&#8221; encryption for all Gmail users. And some pundits see ulterior motives in Google&#8217;s Chinese hacking disclosure. More after the jump.</p>
<p><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/iStock_000004810497Medium.jpg"><img class="aligncenter size-medium wp-image-374" title="iStock_000004810497Medium" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/iStock_000004810497Medium-300x44.jpg" alt="" width="300" height="44" /></a><span id="more-451"></span></p>
<p>In a report released shortly after Google&#8217;s disclosure Tuesday evening, Sterling, Va. based <strong>iDefense</strong> cited two independent, anonymous sources in the defense contracting and intelligence consulting community as saying that Google traced the attack back to a &#8220;drop server&#8221; used as a repository for stolen files, where Google discovered its own data as well as proprietary data suggesting that at least 33 additional companies had been hit.</p>
<p>iDefense said the attack bears &#8220;significant resemblance&#8221; to a July 2009 attack in which assailants launched targeted e-mail campaigns against approximately 100 IT-focused companies. That attack employed a PDF file that exploited a then-undocumented vulnerability in Adobe Reader, and the report notes that a similar approach, booby-trapped PDFs sent as attachments, was used in the attack against Google.</p>
<p><strong>Kim Zetter</strong> at Wired.com&#8217;s Threat Level blog has a great deal more information in <a href="http://www.wired.com/threatlevel/2010/01/google-hack-attack/" target="_blank">her thorough story</a> on this.</p>
<p>Cynics see all kinds of ulterior motives in Google&#8217;s announcement that it got hacked and the subsequent arm-twisting with the Chinese government. <em>Foreign Policy</em>&#8216;s <strong>Evgeny Morozov</strong> has penned a pair of <a href="http://neteffect.foreignpolicy.com/posts/2010/01/13/doubting_the_sincerity_of_googles_threat" target="_blank">incisive</a> and <a href="http://neteffect.foreignpolicy.com/posts/2010/01/13/google_us_government_love" target="_blank">trenchant</a> opinion pieces speculating that Google&#8217;s move was little more than a calculated PR and business bid to gain market share vis-a-vis China&#8217;s dominant Baidu search engine. Krebsonsecurity.com reader and fellow security blogger <a href="http://1raindrop.typepad.com/1_raindrop/2010/01/cyberattacks-happen.html" target="_blank">Gunnar Peterson</a> pointed my attention to <a href="http://caps.fool.com/Blogs/ViewPost.aspx?bpid=326767&amp;t=01000000000214846910" target="_blank">a piece</a> by <em>Motley Fool</em>&#8216;s <strong>Tim Hanson</strong> that echoes those sentiments.</p>
<p>In apparently related news, Google has <a href="http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html" target="_blank">switched to &#8220;always on&#8221; encryption</a> for all Gmail users, not just for those who have gone out of their way to select the &#8220;always use https://&#8221; option. <a href="http://blog.washingtonpost.com/securityfix/2008/07/gmail_gains_two_new_security_f_1.html" target="_blank">By default</a>, Google has always forced users to transmit their credentials over an encrypted (https://) connection when logging in, but after that Gmail users were popped back into an unencrypted connection unless they had changed the default option in the Gmail user settings to encrypt all Gmail communications.</p>
<p>The danger is that there are now free tools that <a href="http://voices.washingtonpost.com/securityfix/2008/08/new_tool_automates_cookie_stea.html" target="_blank">help attackers steal the session cookie</a> that most Webmail providers use to indicate users have already authenticated. Armed with these tools, anyone recording the traffic on the local network would be able to access your Gmail inbox by simply loading that cookie on their machine. These tools assume the attacker is on the same network as the target, but that is a low bar: most users do not sign out of Web mail services, and the session cookies that keep them logged in are sent again with every request to the service, for example when a roving user connects to a shared wireless network and the browser checks the inbox.</p>
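<p>The mechanics behind that cookie theft come down to one Set-Cookie attribute. The following Python is an added example, not code from the original post or from Google: it models the browser rule that a cookie lacking the <code>Secure</code> attribute is attached to plain http:// requests, and it audits a constructed packet capture for session cookies that crossed the wire in the clear. Host names (mail.example.com, ads.example.com), cookie names (SID, PREF, AID) and the Set-Cookie headers are all made up for illustration and are not Gmail&#8217;s real cookies.</p>

```python
"""Sidejacking audit for session cookies sent over plaintext HTTP.

Added example, not code from the original post. The captured requests,
Set-Cookie headers, host names and cookie names below are constructed
for illustration; they are not Gmail's real cookies.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class CookiePolicy:
    """The subset of Set-Cookie attributes that matter for sidejacking."""
    name: str
    value: str
    domain: str
    secure: bool = False      # only sent over https:// (RFC 6265 section 5.4)
    httponly: bool = False    # not readable by script; irrelevant to a sniffer


def parse_set_cookie(header: str, request_host: str) -> CookiePolicy:
    """Parse a Set-Cookie header value; Domain defaults to the responding host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    policy = CookiePolicy(name.strip(), value.strip(), request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            policy.secure = True
        elif key == "httponly":
            policy.httponly = True
        elif key == "domain":
            policy.domain = val.strip().lower().lstrip(".")
    return policy


def would_send(policy: CookiePolicy, url: str) -> bool:
    """Would a conforming browser attach this cookie to a request for url?

    A cookie without the Secure attribute rides along on http:// requests to
    its domain, which is exactly what the old Gmail default exposed.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    in_domain = host == policy.domain or host.endswith("." + policy.domain)
    if not in_domain:
        return False
    if policy.secure and parts.scheme != "https":
        return False
    return True


def extract_plaintext_cookies(capture: str) -> list:
    """Return (host, name, value) for every cookie seen in captured plaintext
    HTTP requests (requests separated by a blank line). Everything returned
    here crossed the network unencrypted and can be replayed by anyone who
    recorded it."""
    found = []
    for request in capture.strip().split("\n\n"):
        host, pairs = "", []
        for line in request.splitlines():
            key, _, val = line.partition(":")
            if key.strip().lower() == "host":
                host = val.strip().lower()
            elif key.strip().lower() == "cookie":
                for pair in val.split(";"):
                    n, _, v = pair.strip().partition("=")
                    if n:
                        pairs.append((n, v))
        found.extend((host, n, v) for n, v in pairs)
    return found


# Constructed capture: a webmail client on an open wireless network after an
# https:// login, with the site then serving everything else over http://.
CAPTURE = """\
GET /mail/?ui=2 HTTP/1.1
Host: mail.example.com
Cookie: SID=abc123; PREF=lang=en

GET /ads/beacon.gif HTTP/1.1
Host: ads.example.com
Cookie: AID=zzz
"""

# Constructed Set-Cookie headers: the weak setting beside the corrected one.
WEAK_SET_COOKIE = "SID=abc123; Path=/; HttpOnly"
FIXED_SET_COOKIE = "SID=abc123; Path=/; Secure; HttpOnly"


def replayable_sessions(capture: str, session_cookie: str = "SID") -> list:
    """Hosts whose session cookie appeared in the clear in the capture."""
    return sorted({h for h, n, _ in extract_plaintext_cookies(capture)
                   if n == session_cookie})


if __name__ == "__main__":
    for host in replayable_sessions(CAPTURE):
        print(f"session cookie for {host} was sniffable in plaintext")
    weak = parse_set_cookie(WEAK_SET_COOKIE, "mail.example.com")
    fixed = parse_set_cookie(FIXED_SET_COOKIE, "mail.example.com")
    url = "http://mail.example.com/mail/"
    print("weak policy sent over http:", would_send(weak, url))    # True
    print("Secure policy sent over http:", would_send(fixed, url))  # False
```

<p>The two halves of the fix go together: marking the session cookie <code>Secure</code> stops the browser from ever putting it on an http:// request, and serving the whole session over https:// (which is what the &#8220;always on&#8221; switch does) means there is no plaintext request for it to ride on in the first place. One without the other still leaves a window, since a Secure cookie on a site that keeps bouncing users back to http:// simply logs them out.</p>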
<p>Alas, Google has many properties that still do not enjoy this always-encrypted setting. In mid-2009, a Who&#8217;s Who of more than three dozen high-tech and security experts from industry and academia <a href="http://voices.washingtonpost.com/securityfix/2009/06/top_security_minds_urge_google.html" target="_blank">urged Google to encrypt all Google services</a> by default, noting that tens of millions of consumers now rely on Google for a wide array of services that include sensitive data, such as Google Adsense, Adwords, Google Health. Still, this is a welcome step that hopefully will be emulated by the likes of Microsoft and Yahoo!, the other two major Webmail providers.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/01/the-wire-google-security-edition/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Clever Gmail Spam Technique</title>
		<link>http://krebsonsecurity.com/2010/01/clever-gmail-spam-technique/</link>
		<comments>http://krebsonsecurity.com/2010/01/clever-gmail-spam-technique/#comments</comments>
		<pubDate>Mon, 04 Jan 2010 17:31:28 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Other]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[message number]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[vaishali]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=215</guid>
		<description><![CDATA[The message staring out at me from my Gmail inbox said I&#8217;d received an update on my previous conversation with a sender named &#8220;vaishali&#8221;. The &#8220;(3)&#8221; next to the sender&#8217;s name suggested that I had responded to this person before, although I didn&#8217;t recognize the name. I clicked anyhow. Alas, the message was spam for [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/vaish1.jpg"><img class="alignleft size-medium wp-image-216" title="vaish1" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/vaish1-300x37.jpg" alt="" width="300" height="37" /></a>The message staring out at me from my Gmail inbox said I&#8217;d received an update on my previous conversation with a sender named &#8220;vaishali&#8221;. The &#8220;(3)&#8221; next to the sender&#8217;s name suggested that I had responded to this person before, although I didn&#8217;t recognize the name. I clicked anyhow.</p>
<p>Alas, the message was spam for some company that I won&#8217;t mention here. As it happens, Gmail attached the (3) to the message, suggesting a threaded conversation, because the sender had sent the same missive three times in a row. I have no way of knowing whether this was some clever new scheme by the spammer or merely an accident, but it certainly seems like an effective way of tricking people into clicking on an e-mail that they might normally just delete.</p>
<p style="text-align: center;"><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/vaish21.jpg"><img class="size-medium wp-image-219  aligncenter" title="vaish2" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/vaish21-300x144.jpg" alt="" width="300" height="144" /></a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/01/clever-gmail-spam-technique/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
	</channel>
</rss>

