
Google elite hacker team Project Zero: Guardian of the world's security

via: 博客园     time: 2017/6/27 18:29:15     read: 3256


Lei Feng Network editor's note: In this era of the Internet of Things, information security is an unavoidable problem, yet we do not seem to pay enough attention to it. Fortunately, Google has walked at the forefront of the times and set up Project Zero, a security team concerned not only with Google's own security issues but with those of the entire industry.

Like a lone hero standing against global digital threats, the team is a bit impatient and also controversial. Its members maintain Internet security in their own way. Fortune recently published a long article reporting on the team in detail; Lei Feng Network's compilation of that article follows:


One Friday afternoon, at Google's headquarters in Mountain View, California, security researcher Tavis Ormandy was at his workstation carrying out his routine

After gathering enough information, Ormandy called in his colleagues to share everything he had found. The Google team, named Project Zero, soon discovered the substance of the problem: large amounts of data were leaking from Cloudflare, a company in San Francisco. Cloudflare's content delivery network handles about 1/10 of the world's Internet traffic, and in most cases does so without delay. But Ormandy found that the company's servers were actually leaking private data onto the web. The information had been leaking for months.

Ormandy, who had no acquaintances at Cloudflare, hesitated to call Cloudflare's technical support line on the night before a three-day long weekend. In the end he chose another route: asking for help through his own Twitter account.

When the tweet went out, it was five p.m. Pacific time.

Ormandy did not @-mention Cloudflare. He didn't need to. Thanks to the reputation he had built among information security professionals along the way, as soon as he pressed

John Graham-Cumming's cell phone woke him at 1:26 a.m. local time in London. The Cloudflare CTO rubbed his eyes and picked up the phone. He had missed the call. The caller was the only person on the whitelist allowed to ring him in the middle of the night. He texted back immediately to ask what had happened.

His colleagues responded immediately,

He sat up and replied,

The CTO got out of bed, rushed downstairs, and grabbed the equipment he keeps for such occasions

The security team briefed him on the situation. Google's Project Zero team had found a bug, a serious bug, in their infrastructure. The servers Cloudflare helps run serve over 6 million websites, and data was leaking from them. Its customers include the FBI, NASDAQ and Reddit. Anyone could visit a site backed by Cloudflare and, in some cases, obtain the private tokens, cached data and private messages of users of another website on the network. Those sites included Uber, 1Password, OKCupid and Fitbit.


Ormandy and Graham-Cumming

The information had been exposed in plain sight. To make matters worse, search engines and other web crawlers had been caching the data for months. Plugging the source of the leak would not completely solve the problem.

So Cloudflare's engineers got to work. Marc Rogers, a Cloudflare security consultant who also moonlights as a consultant on the American hacker TV drama Mr. Robot, led the triage. In less than an hour, the team shipped an initial update that blocked the vulnerability globally. A few hours later, technicians had successfully restored the affected functionality. Nearly seven hours after Ormandy's tweet about the bug, Cloudflare engineers had managed to get the major search engines to

That was only the start of the long weekend. Cloudflare's engineers spent the rest of it assessing how much data, and what kinds of data, had been leaked, and how much impact it would have on them.

Cloudflare's quick response impressed Google's Project Zero team. But as the two teams began negotiating the date of disclosure, their relationship became deadlocked. The two sides had tentatively agreed on an announcement on Tuesday, February 21st, but Cloudflare failed to deliver on its promise and said it needed more time to clean up. The announcement date slipped from Tuesday to Wednesday, and then to Thursday. Google ran out of patience: whether or not Cloudflare had completed its assessment and was sure it had cleared the leaked data from the web's caches, the leak would be announced on Thursday afternoon.

The two sides agreed to announce it on February 23rd. A week of Internet panic followed.


Even setting Google's Project Zero aside, the information security crisis is growing globally. Every company has become a technology company, and hackers are becoming more and more common. They steal from corporate bank accounts, pry into personal information and interfere in elections. The headlines are just as outrageous: more than 1 billion Yahoo accounts compromised. Hackers stole millions of dollars through the SWIFT financial network. Numerous private e-mails from the Democratic National Committee were exposed before the 2016 American presidential election.

According to the US Identity Theft Resource Center, data breaches at US businesses and government agencies in 2016 were up more than 40% from 2015, and that is only a conservative estimate. Meanwhile, the average cost of a data breach has risen to $3.6 million, according to a study by the research group Ponemon.

Whether the cause is a programmer's mistake or a nation-state hacker, data leakage is the new normal. The idea for executives, therefore, is to kill the problem in the code before it grows any further, so that it does not snowball.

But it's not that simple. Many companies do not put information security first, nor do they treat it as a criterion a product must meet before shipping. According to a survey by Veracode, the application security software company CA Technologies acquired at the beginning of this year, 83% of the 500 IT managers surveyed admitted to releasing code before testing for bugs and resolving security problems. At the same time, the information security industry faces a talent shortage. Cisco estimates there are 1 million unfilled information security jobs worldwide. Symantec expects the vacancies to grow to 1.5 million by 2019, and by 2021 the figure is expected to reach 3.5 million.

Even a wealthy, ambitious and prestigious company that takes information security seriously cannot avoid the impact of flawed code. The best quality-control processes and agile development methods still cannot catch every error.

Many companies, including Microsoft and Apple, have in-house security research teams to investigate their own software. But few teams have the resources to study other companies' software. That is what makes Google so unusual. For Ormandy and the dozen-plus members of Project Zero, their jurisdiction has no boundaries: anywhere the Internet reaches, they can reach. Policing the whole of cyberspace is not only good for mankind, but also good for the business.


Google's Project Zero was formally established in 2014, but the team's origins can be traced back to 2009. Many companies only become aware of the seriousness of information security when they are confronted with an emergency. For Google, that moment was

In 2009, China-linked cyber espionage groups attacked Google and other technology giants, breaking into their servers, stealing their intellectual property and trying to spy on their users. The attack angered Google's executives and ultimately led Google to withdraw from China.

The incident particularly troubled Google co-founder Sergey Brin. Computer forensics firms and investigators determined that the attack on Google had come not through flaws in Google's own software but through a vulnerability in Microsoft's Internet Explorer 6. He wanted to know: why should Google's security depend on other companies' products?

Over the next few months, Google became more aggressive in demanding that competitors address the flaws in their software. The battles between Google and its peers soon became legendary. Bug hunter Tavis Ormandy, pushing his own approach to the limit, was at the center of the disputes.

Some people condemned Ormandy's behavior, claiming it harmed security. In a blog post, two Verizon information security experts said that researchers who chose the full-disclosure route were

In 2014, Google quietly formed the Project Zero team (the name alludes to the 0-day vulnerability, a term information security experts use for a previously unknown security vulnerability for which there has been zero time to prepare a fix). The company arranged for Chrome's former security chief, Chris Evans, to lead it. Evans then recruited Google employees and outsiders to the team.

He recruited Switzerland-based security researcher Ian Beer, who has a particular fondness for finding errors in Apple's code; Ormandy, the Briton famous for his open conflict with Microsoft; Ben Hawkes, a New Zealander famous for discovering bugs in Adobe Flash and Microsoft Office; and a teenage intern, George Hotz, who had earlier hacked into the Chrome browser at a hacking contest, winning $150,000.

Project Zero first surfaced publicly in April 2014, when Apple, in a short note, credited a Google researcher for finding a software vulnerability that would give hackers control of computers running Apple's Safari browser.

On Twitter, the security community was curious about the secret team.



Tweets from Dan and Chris

Project Zero was receiving more and more credit. In May, Apple thanked Beer for finding several bugs in its OS X system. A month later, Microsoft patched a bug and thanked Project Zero's Tavis Ormandy.

By then the team had become a constant topic of conversation among those who follow security. Evans finally decided to officially announce its existence on the company blog. He said:

A year later, Evans left the team to join Tesla; he is now a consultant for the bug bounty company HackerOne. Hawkes now leads Project Zero. Today, Evans describes the team's origins more carefully. He said:

This is a difficult challenge. Private money attracts many of the world's best hackers, luring them into secret work, with governments and other groups paying high prices for their findings through brokers. "If the research can't be published, someone will suffer for it," Evans says.

In the three years since Project Zero was officially formed, the elite hacker team has become one of the most effective exterminators of computer vulnerabilities on earth, even though ordinary consumers have never heard of its people: James Forshaw, Natalie Silvanovich, Gal Beniamini.

But the world owes them a debt of gratitude, because they contribute a great deal to the security of our digital devices and services. The team is responsible for a long series of improvements to other companies' products, including finding and helping to fix more than 1,000 security vulnerabilities in operating systems, antivirus software, password managers, open source libraries and other software. Project Zero has published more than 70 blog posts on its work so far, some of which rank among the best publicly available security research on the web.

The team's work indirectly benefits Google's main business: online advertising. Protecting Internet users from threats means protecting the company's ability to serve ads to those users. Project Zero's efforts have put vendors on the spot and forced them to fix bugs that broke Google's products.

Network security entrepreneur, famous Apple hacker and former Square mobile security chief Dino Dai Zovi said:


In April, three members of Project Zero went to Miami to attend the Infiltrate security conference, which focuses mainly on the offensive side of the hacking world.

In a city of sunshine, beaches and sports cars, the hacking team looked a bit like misfits. Hawkes, Ormandy and German security researcher Thomas Dullien (a member of the Project Zero team, nicknamed

On Ormandy's head-on approach to getting vendors to fix their code, Dave Aitel said:


Vulnerability bounties for various devices

Ormandy just shrugged and smiled. He may be a troublemaker, but his motives are pure.

Although Project Zero looks hard-edged to the outside world, the clash between its ideals and the complexity of the real world has forced the team to become more flexible. It originally set a strict 90-day disclosure deadline, with only seven days for vulnerabilities being actively exploited. But after several cases in which the disclosure and the vendor's update fell only days apart (Microsoft, for example, releases its patches on Tuesdays), the team drew a lot of criticism. It therefore added a 14-day grace period to the 90-day deadline for cases where the vendor has a patch ready but has not yet released it.

Katie Moussouris says Project Zero has the industry's most explicit disclosure policy. She helped develop Microsoft's disclosure policy and now runs her own vulnerability bounty consultancy, Luta Security. She thinks that is a good thing. Many companies have no guidelines on how to report vulnerabilities, and there is a lack of guidance on how and when researchers should publish them. Some organizations give companies less time to fix their software than Google does. CERT/CC, a group born out of Carnegie Mellon University, gives only 45 days, but adjusts according to circumstances.

The Project Zero team praises companies that move quickly to fix bugs and sharply criticizes those that respond slowly. Earlier this year, Ormandy said on Twitter that he and his colleague Natalie Silvanovich


Technology companies may fear Project Zero's boldness, but they should take comfort that these hackers are willing to resist the incentives that have led some researchers to sell their findings. As hacking has grown more professional over the years, a market for the kind of bugs Project Zero finds has sprouted. Governments, intelligence agencies and criminals want these vulnerabilities and are willing to pay a lot of money for them. Fortunately, more and more software companies have launched bug bounty programs, so that the balance does not tilt only toward the malicious side. These rewards compensate researchers for their time, energy and expertise. But the bounties may never match the prices the black market can offer.

IBM security guru and well-known executive Bruce Schneier said:

Dullien also said he is surprised by the demand for hacking skills today: what was once a hobby pursued in dark basements has become a profession practiced in the halls of government.


According to Cloudflare CEO and co-founder Matthew Prince, the vulnerability found by Google's top security researcher initially cost his company almost a month of revenue.

But if the experience really upset him, he didn't show it. Of course, he knows what it feels like to be hit by truly malicious hackers. A few years ago, a

Prince regrets not telling the company's customers about all of the problems before Google and Cloudflare released their preliminary findings. He would have liked the company to alert customers before the news reports came out. Even so, he recalled, he still felt that Project Zero was right about when to disclose the vulnerability. As far as he knows, no significant losses tied to it were found after the vulnerability was announced. No passwords, credit card numbers or health records were leaked.

Prince says Cloudflare has developed new controls to prevent such an incident from happening again. The company has begun reviewing all of its code and hiring external testers to do the same. It has also built a more sophisticated system for identifying common software crashes, which often indicate vulnerabilities.

As for the vulnerability and its consequences, he says, it is a blessing that Tavis and his team discovered it rather than some crazy hacker.

Of course, he can never rule out the possibility that another person or organization has a copy of the leaked data. That is also Project Zero's point of view: for every member of the team, there are countless other researchers working in private whose goals are less noble. It is the evil you know versus the evil you don't.

Lei Feng Network's attached primer on the vulnerability market:

There are two vulnerability markets: offense and defense. The former includes nation states, organized crime syndicates and other attackers. The latter includes vulnerability bounty programs and companies that sell security products.

Prices in the offensive market are higher, with no ceiling. Buyers there don't just buy vulnerabilities; they also buy exploits that go undetected. The buyers keep a low profile.

The defensive market has weaker purchasing power; basically no vendor will pay top developers millions of dollars for the vulnerabilities they find. Although the code quality of major companies is improving, complexity keeps increasing, which means more bugs.

Whether security researchers act on a specific vulnerability often depends on their financial needs, their subjective feelings toward a piece of software or a vendor, and their personal risk appetite. It is not a simple black-and-white matter.
