Google’s Project Zero and the Future of altruistic Internet Security By Katie Kurtz Abstract Google announced its new, web security initiative known as Project Zero in July 2014. Project Zero aims to address security flaws in popular third­party software that may be utilized by the networking giant. The goal is to identify and alert these companies to any vulnerabilities that could put internet users at risk. Zero­day vulnerabilities, or when unnoticed bugs allow attackers the chance to target thousands of users, are one of the biggest threats to web users. These vulnerabilities have been exploited by predators, state­sponsored hackers, and government agencies alike. Project Zero is the first example of a single team attempting to secure the entire web for primarily altruistic reasons. This paper will examine the risks of the current every­man­for­himself system of cyber security and the steps already taken by Google and Project Zero to secure the web, as well as the future implications of altruistic and universal web security and threat analysis. Introduction A brief look at the security structure of the internet The security of the internet has no form of regulation. At this point, safety and security is up to individual vendors. This system has not left internet users very secure. Google recently made the first step toward a perceived change. The internet giant announced in July that it created a team with the single responsibility of discovering zero­day vulnerabilities in third party software. They claim that they hope to offer a more secure browsing experience for Google users, but that their motivation is primarily altruistic. As an industry leader, it makes sense that Google would be the first major player to step into the world of universal internet security, but the project has come under scrutiny from some experts. Industry leaders have denounced Project Zero as a publicity stunt or marketing ploy, while others have called is a recruiting tool to catch and keep some of the world’s top talent. No matter where the motivation for this project arises, it is clear that this is the first step in a new direction for internet security. In a world where there already exists a black market for information on security bugs, Google’s Project Zero may mark a turning point in how internet users, software developers, and security experts approach the tricky sphere of online security. To the Community Why do we need to change how we secure the internet? Our dependency on the internet is incredible. People, businesses, and economies all rely on an international network of easy communication to function properly. For such a heavily utilized resource, the measures taken to secure it are minimal. There is no single body tasked with securing what might be one of the most important aspects of modern day society. According to Costin Raiu, a security expert from the Kaspersky Lab’s Global Research and Analysis Team, the internet is broken. Vulnerabilities and threats are so common, Raiu says that he behaves as if his computer is compromised at all times. (Fischer) The internet has been compromised by both attackers and government agencies. In fact, “intelligence agencies have spent the last decade systematically penetrating virtually every portion of the Internet and are conducting surveillance and exploitation on a scale that a year ago would have seemed inconceivable to all but the most paranoid among us.” (Fischer, The Internet is Broken) It is not one piece of the internet that is broken, it is the entire network. Email, web traffic, and cryptology are all broken. Mobile communication is not safe. The number of security breaches that have made national headlines in just the last calendar year is entirely noteworthy in itself. There has also been an increase in the number of attacks geared toward specific groups. Syrian citizens, Human Rights activists, the defense industry, and the aerospace industry have all been targeted. (Greenberg) Even the giants are not safe. There was an uproar from Google engineers when the company discovered that the NSA “was spying on Google user information as it moved between the company’s data centers.”(Greenberg) Protection has lagged behind development for so long that it is becoming an issue of personal, national, and international security. Moving Forward with Google In July, Google announced Project Zero, and the security community responded with a flourish of hype, excitement, and skepticism. Google created the task force to make the internet safer, citing concerns such as “fear that a criminal or state sponsored actor is exploiting software bugs to infect your computer, steal your secrets or monitor your communications.” (Evans) Google claims that they simply want to “get the ball rolling” in terms of vulnerability analysis and threat prevention from an altruistic standpoint. (Evans) The project is being led by longtime Chrome security engineer Chris Evans, with the help of some of Google’s best minds including hacking prodigy George Hotz and notable researcher Ben Hawkes. (Fisher, Project Zero) The groundbreaking aspect of Project Zero is that it extends beyond Google software to any major 3rd party software commonly utilized by Googlers. In his introduction to the project, Evans claims that his team will work with total transparency. All information regarding vulnerabilities will go directly to the host company. After 60­90 days, less in serious cases, that information will be released to the Project Zero database where the team is already amassing information on bugs they have discovered since the project began. (Evans) Google has made security a priority since Edward Snowden released documents explaining how the NSA had been intercepting user information while it traveled between the company’s data centers. Since the leak, Google has invested a significant amount of time and energy into improving the security of its many products. Dennis Fisher, a writer and security expert explained that Gmail “now employs SSL as the only connection option for Web connections. The service also delivers warnings to users about potential advanced attacks against their accounts. And the company has now encrypted the links among its data centers worldwide, making life much more difficult for high­level attackers such as the NSA and other intelligence agencies.” Clearly, despite a mixed history when it comes to protecting users’ private information, Google has made an effort to be more security minded in recent years. Offering Google users an even safer browsing experience can only benefit the company in the long run. Project Zero appears to be the obvious next step. Google seems to be covering all of its bases and expanding the project in every necessary direction, claiming that Project Zero is an attempt to protect users who are “a constant target for not just run of the mill attackers, but also for those at the top of the food chain.” (Evans) Google has been upfront about what it intends to do with Project Zero, but the company’s motivation has been called into question. The security industry has never seen any form of popularized, good­samaritan security development. With prices increasing on the black market for information on zero­day vulnerabilities and Google’s general stance as one of the most influential companies in the world, Project Zero might be the marker of the beginning of a new era of cyber security, or it may play out as nothing more than a clever marketing stunt from the current king of the internet. Why the internet needs Project Zero to be more than a publicity stunt Software development is a business, and like all businesses, money causes trouble. Discovering and selling information on zero days can be extremely lucrative, if you sell to the right people. Unfortunately, those people are rarely the developer. There is a black market for selling and buying information on zero days. Like most black markets, 3rd party zero day dealers can get a hacker much more money than he or she will receive by providing the information straight to the company with the vulnerability. Companies like Google often reward a few thousand dollars, while IOS flaws can sell for up to $250,000 through a third party. (Greenberg) Dealers have cited that most of their clients are US and European companies and government contractors, trying to purchase information about zero days for their own purposes. One dealer claims that 80% of his revenue comes from the US. (Greenberg) With such a powerful price discrepancy between the good guys and the questionable guys, it is no surprise that this market is currently flourishing. One dealer claims that there are 12­14 zero days showing up every month, a huge increase in numbers from just a couple of years ago. (Greenberg) Hackers who discover zero days are faced with a tough decision. If a hacker is less concerned with the general safety of the internet, they can make a small fortune by selling their information to an undisclosed government agency under the condition that they do not ask questions about the buyer and their purpose. Price depends on the scope that the bug affects. A Windows exploit will make more than one affecting Mac OSX, just like any OS bug can sell for five times more than an Android. One dealer claims that his market works just like any other, “You’re basically selling commercial software, like anything else. It needs to be polished and come with documentation… The only difference is that you only sell one license, ever, and everyone calls you evil.”(Greenberg) Evil may be one of the nicer sentiments lobbed at these merchants. Chris Soghoian, a privacy activist, called these middle­men “the modern­day merchants of death” who are in the business of selling “the bullets of cyberwar.” He also believes that “security researchers should not be selling zero­days to middle man firms…These firms are cowboys and if we do nothing to stop them, they will drag the entire security industry into a world of pain.” Beyond dealers, there are small firms that buy and sell software exploits.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages7 Page
-
File Size-