Wednesday, July 16, 2014

Announcing Project Zero

A team of superheroes in sci-fi movies protect the world from Alien attack or bad actors, likewise Project Zero is a dedicated team of top security researchers, who have been hired by Google to finding the most severe security flaws in software around the world and fixing them.
Project Zero gets its name from the term "zero-day," and team will make sure that zero-day vulnerabilities don't let fall into the wrong hands of Criminals, State-sponsored hackers and Intelligence Agencies.
"Yet in sophisticated attacks, we see the use of "zero-day" vulnerabilities to target, for example, human rights activists or to conduct industrial espionage." Chris Evans said, who was leading Google’s Chrome security team and now will lead Project Zero.
Zero-day vulnerabilities could give bad actors the power to completely control target users’ computers, and in such scenario - no encryption can protect them.

Google has already recruited some hackers at Project Zero:
  • Ben Hawkes - an independent researcher from New Zealand, and well known for discovering dozens of bugs in software like Adobe Flash and Microsoft Office.
  • George Hotz - best known for hacking Sony PlayStation 3, cracking iPhone and Google's Chrome browser.
  • Tavis Ormandy - working as an Information Security Engineer at Google and known for discovering lots of critical zero-day vulnerabilities in various softwares.
  • and many more..
Main objective of the Project Zero is to significantly reduce the number of people harmed by targeted attacks.
"We're hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet." Chris added.
However, they are not restricted to finding bugs in Google's products only, rather they can choose targets by themselves strategically, but possibly team would majorly focus on the softwares that relied upon by a significant number of people. Flaw hunting and reporting process will be as mentioned below:
  1. The Project Zero team will hunt for zero-day vulnerabilities in Popular Softwares.
  2. Google will report flaws to vendors.
  3. Google will release full vulnerability disclosure only when the vendor issues a patch for it.
  4. Every bug will be filed transparently in an external database.
"We'll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we'll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment." Chris said.
Google is looking forward to grow their team of security experts and is making every effort to dedicatedly contribute to the Infosec Community.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.