Google’s and the Future of altruistic Internet Security

By Katie Kurtz

Abstract

Google announced its new web security initiative, known as Project Zero, in July 2014. Project Zero aims to address security flaws in popular third-party software that may be utilized by the networking giant. The goal is to identify vulnerabilities that could put internet users at risk and alert the affected companies to them. Zero-day vulnerabilities, unnoticed bugs that give attackers the chance to target thousands of users, are one of the biggest threats to web users. These vulnerabilities have been exploited by predators, state-sponsored , and government agencies alike. Project Zero is the first example of a single team attempting to secure the entire web for primarily altruistic reasons. This paper will examine the risks of the current every-man-for-himself system of cyber security and the steps already taken by Google and Project Zero to secure the web, as well as the future implications of altruistic and universal web security and threat analysis.

Introduction

A brief look at the security structure of the internet

The security of the internet has no form of regulation. At this point, safety and security are up to individual vendors. This system has not left internet users very secure. Google recently made the first step toward a perceived change. The internet giant announced in July that it created a team with the single responsibility of discovering zero-day vulnerabilities in third-party software. They claim that they hope to offer a more secure browsing experience for Google users, but that their motivation is primarily altruistic. As an industry leader, it makes sense that Google would be the first major player to step into the world of universal internet security, but the project has come under scrutiny from some experts. Industry leaders have denounced Project Zero as a publicity stunt or marketing ploy, while others have called it a recruiting tool to catch and keep some of the world’s top talent. No matter where the motivation for this project arises, it is clear that this is the first step in a new direction for internet security. In a world where there already exists a black market for information on security bugs, Google’s Project Zero may mark a turning point in how internet users, software developers, and security experts approach the tricky sphere of online security.

To the Community

Why do we need to change how we secure the internet?

Our dependency on the internet is incredible. People, businesses, and economies all rely on an international network of easy communication to function properly. For such a heavily utilized resource, the measures taken to secure it are minimal. There is no single body tasked with securing what might be one of the most important aspects of modern day society. According to Costin Raiu, a security expert from the Kaspersky Lab’s Global Research and Analysis Team, the internet is broken. Vulnerabilities and threats are so common, Raiu says, that he behaves as if his computer is compromised at all times. (Fisher) The internet has been compromised by both attackers and government agencies. In fact, “intelligence agencies have spent the last decade systematically penetrating virtually every portion of the Internet and are conducting surveillance and exploitation on a scale that a year ago would have seemed inconceivable to all but the most paranoid among us.” (Fisher, The Internet is Broken) It is not one piece of the internet that is broken, it is the entire network. Email, web traffic, and cryptology are all broken. Mobile communication is not safe. The number of security breaches that have made national headlines in just the last calendar year is entirely noteworthy in itself. There has also been an increase in the number of attacks geared toward specific groups. Syrian citizens, human rights activists, the defense industry, and the aerospace industry have all been targeted. (Greenberg) Even the giants are not safe. There was an uproar from Google engineers when the company discovered that the NSA “was spying on Google user information as it moved between the company’s data centers.” (Greenberg) Protection has lagged behind development for so long that it is becoming an issue of personal, national, and international security.

Moving Forward with Google

In July, Google announced Project Zero, and the security community responded with a flourish of hype, excitement, and skepticism. Google created the task force to make the internet safer, citing concerns such as “fear that a criminal or state sponsored actor is exploiting software bugs to infect your computer, steal your secrets or monitor your communications.” (Evans) Google claims that they simply want to “get the ball rolling” in terms of vulnerability analysis and threat prevention from an altruistic standpoint. (Evans) The project is being led by longtime Chrome security engineer Chris Evans, with the help of some of Google’s best minds including hacking prodigy and notable researcher Ben Hawkes. (Fisher, Project Zero) The groundbreaking aspect of Project Zero is that it extends beyond Google software to any major third-party software commonly utilized by Googlers. In his introduction to the project, Evans claims that his team will work with total transparency. All information regarding vulnerabilities will go directly to the host company. After 60-90 days, less in serious cases, that information will be released to the Project Zero database where the team is already amassing information on bugs they have discovered since the project began. (Evans) Google has made security a priority since released documents explaining how the NSA had been intercepting user information while it traveled between the company’s data centers. Since the leak, Google has invested a significant amount of time and energy into improving the security of its many products. Dennis Fisher, a writer and security expert, explained that “now employs SSL as the only connection option for Web connections. The service also delivers warnings to users about potential advanced attacks against their accounts. And the company has now encrypted the links among its data centers worldwide, making life much more difficult for high-level attackers such as the NSA and other intelligence agencies.” Clearly, despite a mixed history when it comes to protecting users’ private information, Google has made an effort to be more security minded in recent years. Offering Google users an even safer browsing experience can only benefit the company in the long run. Project Zero appears to be the obvious next step. Google seems to be covering all of its bases and expanding the project in every necessary direction, claiming that Project Zero is an attempt to protect users who are “a constant target for not just run of the mill attackers, but also for those at the top of the food chain.” (Evans) Google has been upfront about what it intends to do with Project Zero, but the company’s motivation has been called into question. The security industry has never seen any form of popularized, good-samaritan security development. With prices increasing on the black market for information on zero-day vulnerabilities and Google’s general stance as one of the most influential companies in the world, Project Zero might be the marker of the beginning of a new era of cyber security, or it may play out as nothing more than a clever marketing stunt from the current king of the internet.

Why the internet needs Project Zero to be more than a publicity stunt

Software development is a business, and like all businesses, money causes trouble. Discovering and selling information on zero days can be extremely lucrative, if you sell to the right people. Unfortunately, those people are rarely the developer. There is a black market for selling and buying information on zero days. As in most black markets, third-party zero day dealers can get much more money than they would receive by providing the information straight to the company with the vulnerability. Companies like Google often pay rewards of a few thousand dollars, while iOS flaws can sell for up to $250,000 through a third party. (Greenberg) Dealers have said that most of their clients are US and European companies and government contractors, trying to purchase information about zero days for their own purposes. One dealer claims that 80% of his revenue comes from the US. (Greenberg) With such a powerful price discrepancy between the good guys and the questionable guys, it is no surprise that this market is currently flourishing. One dealer claims that there are 12-14 zero days showing up every month, a huge increase in numbers from just a couple of years ago. (Greenberg) Hackers who discover zero days are faced with a tough decision. If a hacker is less concerned with the general safety of the internet, they can make a small fortune by selling their information to an undisclosed government agency under the condition that they do not ask questions about the buyer and their purpose. Price depends on the scope that the bug affects. A Windows exploit will make more than one affecting Mac OS X, just like any OS bug can sell for five times more than an Android. One dealer claims that his market works just like any other, “You’re basically selling commercial software, like anything else. It needs to be polished and come with documentation… The only difference is that you only sell one license, ever, and everyone calls you evil.” (Greenberg) Evil may be one of the nicer sentiments lobbed at these merchants. Chris Soghoian, a privacy activist, called these middle-men “the modern-day merchants of death” who are in the business of selling “the bullets of cyberwar.” He also believes that “security researchers should not be selling zero-days to middle man firms…These firms are cowboys and if we do nothing to stop them, they will drag the entire security industry into a world of pain.” Beyond dealers, there are small firms that buy and sell software exploits. Vupen, Endgame and Netragard all purchase zero days and so do major security contractors like Northrop, Grumman and Raytheon.

Action Items

Understanding Zero Days

A zero day is an attack that exploits unknown vulnerabilities before the developer has time to work out a patch. The term zero day can refer to any unknown bug in any computer application. Due to the nature of computer programming, bugs often slip through the development stages and are not discovered until after the application is made public. Patches are released in updates once the bug has been discovered. A recent, highly publicized example of a zero day vulnerability is the bug. The vulnerability was found in OpenSSL, a widely-used encryption library. It went unnoticed for two years, giving attackers a long window to exploit user information.

Understanding Heartbleed and its Risks

Heartbleed is referred to by the official moniker CVE-2014-0160. The name Heartbleed comes from the bug’s location in the TLS/DTLS heartbeat extension (RFC6520). Exploiting the bug allows information to leak from server to client and vice versa. (Heartbleed) The long period of exposure makes Heartbleed unique, and the undetectable nature of its exploitation makes it dangerous. The OpenSSL security advisory stated the issue as follows:

TLS heartbeat read overrun (CVE-2014-0160)
======

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

A simple missing bounds check put an extraordinary number of users at risk. Zero days like Heartbleed can be extraordinarily dangerous for internet users. Given the potential power of an exploit, people all over the world are looking for zero days to sell to third parties, government agencies, or to exploit themselves. A clever attacker can take advantage of a flaw or backdoor that a company is oblivious to, giving users no way to protect themselves against it. Any action taken to exploit a vulnerability is difficult to detect given that developers do not know where to look. There is no anti-virus that can protect against the unknown.
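The bounds check the advisory refers to, shown as an added example (not OpenSSL's code and not part of the original paper): a heartbeat handler that compares the sender-claimed payload_length with the bytes actually received before echoing anything back. The function names and sample records are constructed for illustration; the type values, 3-byte header and 16-byte minimum padding follow RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response (RFC 6520) */
#define HB_HDR_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* minimum padding (RFC 6520) */

/* Bytes a length-trusting copy would read past the end of the record.
 * 0 means the claimed payload_length fits; nonzero is worth alerting on. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t present = rec_len - HB_HDR_LEN;
    return claimed > present ? claimed - present : 0;
}

/* Build the echo response into out; returns its length, or 0 when the
 * request must be silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;                       /* too short, or not a request */
    /* payload_length is chosen by the sender: a claim, not a fact. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t need = HB_HDR_LEN + claimed + HB_MIN_PAD;
    if (need > rec_len)                 /* the bounds check in question */
        return 0;
    if (need > out_cap) return 0;       /* caller's buffer too small */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, claimed);
    memset(out + HB_HDR_LEN + claimed, 0, HB_MIN_PAD); /* real stacks pad randomly */
    return need;
}

int main(void)
{
    /* Constructed samples: an honest 4-byte ping, and a 20-byte record
     * whose header claims a 65535-byte payload. */
    uint8_t ok[23]  = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t bad[20] = { HB_REQUEST, 0xFF, 0xFF, 'x' };
    uint8_t out[64];
    printf("ok:  response=%zu overread=%zu\n",
           hb_build_response(ok, sizeof ok, out, sizeof out), hb_overread_bytes(ok, sizeof ok));
    printf("bad: response=%zu overread=%zu\n",
           hb_build_response(bad, sizeof bad, out, sizeof out), hb_overread_bytes(bad, sizeof bad));
    return 0;
}
```

The second record is discarded, and the over-read figure of 65518 bytes is the "up to 64k of memory" in the advisory: the gap between the length the sender claimed and the data it actually sent.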

How are Zero Days Discovered?

Finding zero day vulnerabilities could be as simple as looking at old bugs and tracing through their patches to new ones. Some patches don’t address the root problem, others miss certain variants of the issue, some complicated patches even introduce new problems. (Beer) Problems can emerge via integer overflow issues, or heap manipulation. Vulnerabilities can be found anywhere, making it difficult for developers to be sure that they are protecting the correct aspects of their software. There is strategy involved with finding zero-days, and even more involved with finding ones that matter. Project Zero is hoping to maximize “bug collisions”. (Peterson) Their goal is to find the flaws that attackers are looking for first, and to fix bugs faster than they are introduced.

A skeptical view of ‘altruism’

Zero days can make a fortune, launch cyber warfare, and wreak incredible havoc, but Google claims to have “primarily altruistic” motives when it comes to Project Zero. (Evans) Since their announcement, the project has been interpreted in many other ways by top industry experts. Some have insinuated that Google might be using the platform as a recruiting tool to catch and keep top talent. Any great mind would be drawn to the freedom of banging around, trying to break things on the internet while receiving a steady paycheck. (Fox-Brewster) Once they are a member of the Google family, these people can then be utilized within other projects to make Google’s own software safer. George Hotz was lauded as a hacking prodigy after jailbreaking the iPhone 3 and dismantling the security of the operating system. Hotz was brought into the company as an intern for Project Zero, but now has the opportunity for a bright future within Google’s many other projects. The idea of altruism is also minimized by just how directly Google benefits from increased internet security. A safer internet means a safer experience for Google users. The actions the company has taken with Project Zero so far point to a delayed gratification system. Although its position at the top of the cyber hierarchy is undeniable, Google behaves just like every other company in the game. Just like any other software vendor, it pays “bug bounties”. These bounties rarely reach over $3,133.70, a number that spells out elite in hacker slang, nowhere near the competitive rates of the black market. There are plenty of benefits to having Google’s own software engineers researching possible flaws instead of strangers, and many aspects of the project point to Google’s infatuation with a safer user experience.

The Future of Internet Security

The internet needs a policing force to keep its users safe. It is clear that the every-man-for-himself approach has left users unprotected. Google’s Project Zero was designed and marketed to seem like a very viable next step in internet security. Unfortunately the program has been regarded as nothing more than a marketing stunt by some industry experts. Whether or not Google is as altruistic as they claim to be, the internet needs an overarching structure devoted to security. In order to increase security, the internet needs more than a handful of Google employees trying to break things before the bad guys can. The project is still young, but soon we will begin to see the effects that Project Zero has on the security community and the prices of zero days on the black market. Project Zero may mark the beginning of a new era of internet security. No matter the level of success the project receives, Google has presented the community with a new idea. Security cannot be so compartmentalized. A universal approach for the future of internet security is the only option.

References:

Beer, Ian. "Pwn4fun Spring 2014 - Safari - Part I." Googleprojectzero.blogspot.com. N.p., 24 July 2014. Web.

Bright, Peter. "Google." Ars Technica. N.p., 15 July 2014. Web. 28 Oct. 2014.

Evans, Chris. "Project Zero." : Announcing. Google, July 15, 2014. http://googleprojectzero.blogspot.com/2014/07/announcing-project-zero.html

Fisher, Dennis. "Google Project Zero May Prove a Big Win for Security." Threatpost. N.p., 15 July 2014. Web. http://threatpost.com/google-project-zero-may-prove-a-big-win-for-security/107206

Fisher, Dennis. "The Internet Is Broken, Act Accordingly." Threatpost. N.p., n.d. Web. 7 Feb. 2014.

Fox-Brewster, Thomas. "Why The World Needs Google Project Zero To Be More Than A 'Marketing Ploy'" Forbes. N.p., 6 July 14. Web.

Greenberg, Andy. "Meet ‘Project Zero,’ Google’s Secret Team of Bug-Hunting Hackers." Wired. N.p., n.d. Web.

Greenberg, Andy. "Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits." Forbes. Forbes Magazine, 23 Mar. 2012. Web. 28 Oct. 2014.

"Heartbleed." Heartbleed. Codenomicon, Apr. 2014. Web. 12 Dec. 2014.

Lemos, Robert. "Bugzilla 0-day Can Reveal 0-day Bugs in OSS Giants like Mozilla, Red Hat." Ars Technica. N.p., n.d. Web. 28 Oct. 2014.

"OpenSSL Security Advisory." OpenSSL. N.p., 07 Apr. 2014. Web. 12 Dec. 2014.

Peterson, Andrea. "What Is a ‘zero Day’ Vulnerability?" Washington Post. The Washington Post, 15 July 2014. Web. 28 Oct. 2014.