Google wages war against hackers

Google has launched a new initiative to help significantly reduce the number of people harmed by online attacks.
The company is hiring a crack team of researchers, called Project Zero, who will be entirely dedicated to improving security across the Internet.
Google said that the team will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers.
“We’ll use standard approaches such as locating and reporting large numbers of vulnerabilities,” said Google’s Chris Evans in a blog post.
“In addition, we’ll be conducting new research into mitigations, exploitation, program analysis – and anything else that our researchers decide is a worthwhile investment.”
All of Project Zero’s findings will be filed in an external database, and bugs will only be reported to the software’s vendor, not third parties.
Once the bug has been patched, anyone will be able to check how long it took that vendor to find a fix, see any discussion about exploitability, and view historical exploits and crash traces.
“You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” said Evans.
“Yet in sophisticated attacks, we see the use of ‘zero-day’ vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop.”
The news comes after a team of part-time researchers from Google and a small Finnish security firm called Codenomicon uncovered a flaw in the encryption technology used to protect many of the world’s major websites.
The so-called ‘Heartbleed’ bug was said to be one of the most serious security flaws ever found, partly because it had remained undiscovered for more than two years.
Attackers were able to exploit vulnerable versions of the open-source software known as OpenSSL – which runs on millions of web servers – to steal passwords, credit card details, encryption keys and other sensitive data, without leaving any trace.
It is the success of this part-time research that has led to the creation of Project Zero.
“As an organisation at the forefront of online innovation, Google is certainly well placed to be exploring the web for trouble and should be highly commended for doing so,” said Ross Brewer, vice president and managing director for international markets at cyber security firm LogRhythm.
“Too many organisations have a ‘finders keepers’ attitude towards sharing information, which is both unhelpful and dangerous. By searching for and revealing bugs, vulnerabilities and, I imagine, a whole host of other online ‘nasties’, Google will likely save many organisations from disastrous attacks.”
However, he warned that organisations should not become complacent about monitoring their own IT systems for unusual activity, such as files moving in a suspicious fashion, or users logging on at odd times.
“While many of us may rely solely on Google to answer our day-to-day search queries, it would be an error to rely on them to protect our networks in equal measure,” he said.
