Google To Tackle Security Threats With New Project Zero Team
July 15, 2014

Google To Tackle Security Threats With New Project Zero Team

Peter Suciu for - Your Universe Online

On Tuesday Google reaffirmed its commitment to security with the creation of a new, well-staffed team dubbed Project Zero.

"Security is a top priority for Google," Chris Evans, researcher herder at Google, posted in the official Online Security Blog. "We've invested a lot in making our products secure, including strong SSL encryption by default for Search, Gmail and Drive, as well as encrypting data moving between our data centers. Beyond securing our own products, interested Googlers also spend some of their time on research that makes the Internet safer, leading to the discovery of bugs like Heartbleed."

Evans further noted that people should be able to use the web without fear from cyber criminals or state-sponsored hackers.

"Yet in sophisticated attacks, we see the use of 'zero-day' vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem," Evans added. "Project Zero is our contribution, to start the ball rolling. Our objective is to significantly reduce the number of people harmed by targeted attacks. We're hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet."

Google announced that it will not place any particular bounds on this project, but instead will work to improve the security of any software depended upon by large numbers of people. Google will use pay attention to targets, motivations of the attackers and of course the techniques that those hackers may employ. The tech giant announced that its efforts will utilize standard approaches including locating and reporting large numbers of vulnerabilities and at the same time will conduct new research into mitigations, exploitation, program analysis and generally anything else that the researchers may decide is a worthwhile investment.

Evans noted that Google will be committed to these efforts transparently as well, and that every bug found will be filed in an external database, and that Google will only report bugs to the software's vendor and no third parties.

When the bugs found become public, which could be when a patch is made available; Google will provide vendor time-to-fix performance as well as discussions about exploitability. Google noted that it will be committed to sending bug reports to vendors in as close to real-time as possible.

Evans also announced that Project Zero will have its own blog, where interested readers can follow the progress of this new team, and also made it clear that Google is now looking to hire additional staffers to help with these efforts.

"We're hiring. We believe that most security researchers do what they do because they love what they do. What we offer that we think is new is a place to do what you love—but in the open and without distraction. We'll also be looking at ways to involve the wider community, such as extensions of our popular reward initiatives and guest blog posts."

This isn't to say that Google hasn't already filled Project Zero with some top talent.

"Project Zero has already recruited the seeds of a hacker dream team from within Google: New Zealander Ben Hawkes has been credited with discovering dozens of bugs in software like Adobe Flash and Microsoft Office apps in 2013 alone," Andy Greenberg reported for Wired on Tuesday. "Tavis Ormandy, an English researcher who has a reputation as one of the industry’s most prolific bug hunters most recently focused on showing how antivirus software can include zero-day flaws that actually make users less secure. American hacker prodigy George Hotz, who hacked Google's Chrome OS defenses to win its Pwnium hacking competition last March, will be the team’s intern. And Switzerland-based Brit Ian Beer created an air of mystery around Google's secret security group in recent months when he was credited under the 'Project Zero' name for six bug finds in Apple's iOS, OSX and Safari."

Project Zero follows Google's efforts to pay for "bug bounties," something many tech companies already do by providing rewards for friendly hackers who find flaws in a company's code. Last year, Microsoft paid a record $100,000 bounty to a hacker who found a new "exploitation technique" in Windows.

"There are many third-party research groups, such as HP's TippingPoint Zero Day Initiative, that work in ways similar to Project Zero, paying third-party researchers to submit bugs in others' products," reported Larry Seltzer for ZDnet. "Microsoft has a program for research into vulnerabilities in third-party products. It accepts reports from third-party researchers, but doesn't pay for them."