15 November 2004
Desktop search engines threaten network security
SSL not so much secure sockets layer as suspect sockets layer.
By Tim Greene, Network World Fusion
New PC indexing tools such as Google's Desktop Search pose security
risks to businesses that use SSL remote access, experts have warned.
The search tools copy material accessed during SSL sessions and make
it available to unauthorised people who later use the same PC,
bypassing the measures in place to purge cached session data. These
so-called cache-cleaning agents wipe out temporary files created
during SSL sessions, but they don't wipe out the copies made by the
search tools.
"You could end up caching and indexing files you don't want cached
and indexed on machines outside your control," says Dan Harman,
remote access administrator for real estate developer Lewis Group,
which uses SSL remote-access gear made by Whale Communications.
One touted benefit of SSL remote-access technology is that any
machine with a Web browser can be used to access a corporate network
securely. The downside is that the PCs might not be owned by the
corporation, so any number of unauthorised users could have access to
them. "This tends to negate user authentication," says Rick Fleming,
CTO of Digital Defense, a vulnerability assessment company.
Besides Google's product, such search engines are made by Blinkx,
Copernic, ISYS Search Software and X1. Yahoo and Microsoft are said
to be on the verge of having them, too.
SSL VPN vendor Aventail says its Secure Desktop, a virtual desktop
for SSL sessions that is destroyed when the session closes, prevents
files downloaded during the session from being viewed by Google
Desktop Search.
To solve the problem for its customers, Whale has a software upgrade
that detects whether Google Desktop Search is running on a remote PC.
If so, access to the corporate network is denied or restricted. The
company is developing similar "upgrades" to address nine other
desktop search engines, says Whale CTO Noam Ben-Yochanan.
Google Desktop Search makes it easier to find data on PC hard drives
and doesn't address these security concerns, a Google spokesman says.
Customers can manually turn off Desktop Search or put it on pause
during SSL remote-access sessions to avoid having the sessions cached
by the search engine, he says.
Ben-Yochanan says he installed Google Desktop Search on a PC, opened
an e-mail attachment, altered the document, sent it as an attachment
then deleted the file from the hard drive. Desktop Search retained a
copy of the original attachment and the modified version.
Fleming says such tools pose similar threats to shared PCs on
corporate LANs. So a person working a late shift could access all the
data accessed by the person working during the day, including
personal human resources data or Internet banking information, he
says.
Similarly, if a network administrator uses a random desktop to
reconfigure a firewall, a desktop search engine will record those
settings and the password used to gain access, Fleming says.
It also makes it easier for attackers to search machines they have
taken over, says Fred Felman, vice president of marketing for Zone
Labs.
---
* Origin: [adminz] tech, security, support (192:168/0.2)
generated by msg2page 0.06 on Jul 21, 2006 at 19:04:02
