Unlike the NSA, Google won't keep vulnerabilities a secret

Jul 15, 2014 15:24 GMT

Google has had enough of people exploiting zero-day vulnerabilities, be they hackers or government entities. After numerous efforts to secure its systems following the NSA revelations, Google has now announced the so-called “Project Zero,” a team that puts hackers’ talents to work discovering and fixing zero-day bugs.

The company has already invested a lot in securing its products, including SSL encryption by default for Search, Gmail and Drive. When it learned from the media that the NSA had also tapped the connections between its servers to get at the unencrypted data traveling over them, Google moved to encrypt that data as well.

“You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” Google writes in the announcement, taking a jibe at the NSA and its mass surveillance efforts, which often targeted the world’s largest Internet company.

Google’s objective is to significantly reduce the number of people harmed by targeted attacks, which is why it’s been hiring security researchers who dedicate their time to improving security across the Internet, not just at Google.

So, what will Google’s new team do? It will look for vulnerabilities and also conduct new research into mitigations, exploitation, program analysis and everything else.

Not only will the company look for these vulnerabilities, but it will also file them in an external database and report them only to the software vendor, not to any third party. Once a patch is available, the bug report will likely become public and everyone will have access to it.

This is another jibe at the NSA, which admitted to looking for and discovering various zero-day vulnerabilities. The US government, however, said that these weren’t always reported immediately. Instead, some are kept and exploited by the NSA for a while, until the risk of discovery by third parties grows too big to continue, and only then are they shared with the world.

All this information came to light after the Heartbleed bug was exposed several months ago, thanks to Neel Mehta of Google’s security team, who discovered it. The NSA was then accused of knowing about the OpenSSL vulnerability and exploiting it for years, something the intelligence agency denied.

However, it is rather hard to believe that the spy agency, which commonly seeks out such coding issues, didn’t know about Heartbleed in advance. As a reminder, the vulnerability left no traces on the affected servers and gave attackers unencrypted access to whatever content passed through the targeted server at the time of the attack. Google, Facebook, Yahoo and many other companies and products were affected by it, since it had slipped through the cracks in an OpenSSL update dating two years back.