Google has announced a new “Project Zero” initiative to directly battle targeted attacks that are made against Internet users in an effort to make the Web safer for the public.
The project, which will fight things such as zero-day attacks, which are attacks on code where serious security vulnerabilities have not yet been found or patched, is being built up by Google to fight an increasing threat around the world, wrote Chris Evans, a Google researcher, in a July 15 post on the Google Online Security Blog. Project Zero is a new, well-staffed initiative that was inspired by the company’s ongoing research into security, he wrote.
“You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” wrote Evans. “Yet in sophisticated attacks, we see the use of ‘zero-day vulnerabilities’ to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.”
The idea behind the effort is to “significantly reduce the number of people harmed by targeted attacks,” he wrote. “We’re hiring the best practically-minded security researchers and contributing 100 percent of their time toward improving security across the Internet.”
The project is wide-ranging and will focus not just on Google products, according to Evans. “We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. We’ll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we’ll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment.”
The Project Zero work will be done transparently, with every discovered bug entered into an external database where it can be tallied, he wrote. “We will only report bugs to the software’s vendor—and no third parties. Once the bug report becomes public (typically once a patch is available), you’ll be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces. We also commit to sending bug reports to vendors in as close to real-time as possible, and to working with them to get fixes to users in a reasonable time.”
To make the project even more effective immediately, Google is hiring more staffers to join in the effort, wrote Evans. “We believe that most security researchers do what they do because they love what they do. What we offer that we think is new is a place to do what you love—but in the open and without distraction. We’ll also be looking at ways to involve the wider community, such as extensions of our popular reward initiatives and guest blog posts. As we find things that are particularly interesting, we’ll discuss them on our blog, which we hope you’ll follow.”
Google is often busy helping users, developers and enterprises maintain the online security of their applications and data.
In June, Google added an early alpha version of a new Chrome browser extension that will soon give users the ability to bolster the encryption of their emails while in transit to recipients.
In April, Google asked developers who build applications using Google APIs to update their apps to the latest OAuth 2.0 authorization protocol so that user log-ins will be as secure as possible in the future. OAuth 2.0 is an authorization protocol for all Google APIs that relies on Secure Sockets Layer (SSL) for security instead of requiring individual applications to do cryptographic signing directly.
In March 2014, Google announced that all incoming and outgoing Gmail messages will also use encrypted HTTPS connections to better protect them from interception by attackers or spying, in response to allegations in the fall of 2013 that the U.S. National Security Agency (NSA) had spied on data in Google and Yahoo data centers.
Also in March, Google asked IT security experts to contribute their best tips and tricks about how to stay safe on the Internet for a project aimed at everyday users.
In December 2013, Google reminded enterprise organizations and their business users about the security safeguards and options that are available to them if accounts are hacked or if mobile devices are lost or stolen. Using available tools from Google, IT administrators can peer into and control how their users’ accounts are working and make changes to recover stolen accounts. Also available are Android device-management tools that help organizations manage Android and Apple iOS smartphones and tablets using the Google Apps Admin console.
In 2013, Google also improved its methods for helping Website owners recover their sites from hackers and hijackers. The improvements included additional security tools so Webmasters can find information about security issues on their site in one place and pinpoint problems faster with detailed code snippets.