
Google unveils initiatives to build a stronger cyber ecosystem

Google has unveiled a raft of new initiatives to improve collaboration between stakeholders in the cyber security industry, designed to support both businesses and researchers while reducing the risk posed by zero-day exploits.

Reporter
Fri, 14 Apr 2023

According to Google, the new initiatives are designed to help cyber professionals get “out of the endless merry-go-round” of identifying vulnerabilities, patching them and waiting for the next risk.

As part of a company announcement on 13 April, the digital giant unveiled a raft of new initiatives to enhance industry cooperation and improve cyber resilience.

These include supporting the formation of a new Hacking Policy Council, providing seed funding for the Security Research Legal Defense Fund and establishing new company transparency policies.

A company statement explained that the new Hacking Policy Council, of which Google is a founding member, brings together industry leaders to advocate for policies and regulations that support “best practices for vulnerability management and disclosure”.

The newly formed council aims to ensure that laws surrounding disclosure of vulnerabilities between governments and private businesses are developed and rolled out correctly.

Under the announcement, the global giant also confirmed that it had provided seed funding for the Security Research Legal Defense Fund, designed to provide legal support to “good faith” independent researchers who face legal threats when alerting organisations to their vulnerabilities.

“In many cases, individuals act independently and in good faith to find and report vulnerabilities — giving vendors a chance to address them before attackers can develop exploits,” the company revealed.

“Unfortunately, these individuals often face legal threats that can cause setbacks to security research and vulnerability disclosure, especially for individuals without access to legal counsel.”

The raft of new initiatives also includes new transparency measures, with Google committing to “publicly disclose” when it believes that any of the company’s vulnerabilities have been exploited.

It is expected that the move will help lead to better protections across the industry by sharing knowledge and encouraging other businesses to follow similar transparency measures.

Together, Google hopes that the measures will create a stronger cyber security ecosystem.

“Making progress on these issues requires cooperation among stakeholders, including industry, who develop the platforms and services that attackers seek to exploit; researchers, who not only find vulnerabilities but identify and drive mitigations that can close off entire avenues of attack; users, who unfortunately still bear too high of a burden of security; and governments, who create incentive structures that shape the behaviour of all these other actors,” the company explained in a statement.

In Google’s view, practitioners need to go beyond patching vulnerabilities if they are to close off the threat vectors that attackers use.

“While the notoriety of zero-day vulnerabilities typically makes headlines, risks remain even after they’re known and fixed, which is the real story,” the company wrote.

“Those risks span everything from lag time in OEM adoption, patch testing pain points, end-user update issues and more.

“Additionally, over one-third of the zero-day vulnerabilities exploited in the wild we’ve analysed in 2022 are variants of earlier patched vulnerabilities, which is the result of vendors applying incomplete fixes to the original vulnerability.”

The announcement comes shortly after reports surfaced that malicious apps are being sold on Google Play.

In mid-April, a report shed light on the trading and selling of malware and other malicious software on the Google Play app store for Android devices.

Researchers from Kaspersky studied nine dark web forums between 2019 and 2023 and found a range of services being offered, for a range of prices.

At the lower end of the market, the cheapest services include malicious access to developer accounts, starting at about US$60, while the most expensive services on offer are for an actual loader capable of injecting malicious code into an app hosted on the Google Play Store, which costs between US$2,000 and US$20,000.

But there is a wide range of other services on offer as well, and some services can even be rented long term and come with ongoing support from the seller.

For instance, one enterprising hacker offers a malicious Google Play loader that will operate for one week; if the affected app — which in this case could be anti-virus apps, QR scanners, or even mobile games — is removed within that week, the hacker promises to provide a new app for free.
