[ISN] Desktop search engines threaten SSL VPN security

[InfoSec News]

http://www.nwfusion.com/news/2004/111504googledesktop.html

By Tim Greene
Network World
11/15/04

New PC indexing tools such as Google Desktop Search pose security
risks to businesses that use SSL remote access because the tools copy
material accessed during SSL sessions and make it available to
unauthorized people who later use the same PC.

Caches created by PC search tools get around security many SSL vendors
have put in place to purge cached data from remote machines as secure
sessions shut down. These so-called cache-cleaning agents wipe out
temporary files created during SSL sessions, but they don't wipe out
the copies made by the search tools.

"You could end up caching and indexing files you don't want cached and
indexed on machines outside your control," says Dan Harman, remote
access administrator for real estate developer Lewis Group in Upland,
Calif., which uses SSL remote-access gear made by Whale
Communications.

One touted benefit of SSL remote-access technology is that any machine
with a Web browser can be used to access a corporate network securely.  
The downside is that the PCs might not be owned by the corporation, so
any number of unauthorized users could have access to them. "This
tends to negate user authentication," says Rick Fleming, CTO of
Digital Defense, a vulnerability assessment company.

Besides Google's product, such search engines are made by Blinkx,
Copernic, ISYS Search Software and X1. Yahoo and Microsoft are said to
be on the verge of having them, too.

SSL VPN vendor Aventail says its Secure Desktop, a virtual desktop for
SSL sessions that is destroyed when the session closes, prevents files
downloaded during the session from being viewed by Google Desktop
Search.

To solve the problem for its customers, Whale has a software upgrade
that detects whether Google Desktop Search is running on a remote PC.  
If so, access to the corporate network is denied or restricted. The
company is developing similar upgrades to address nine other desktop
search engines, says Whale CTO Noam Ben-Yochanan.

Google Desktop Search makes it easier to find data on PC hard drives
and doesn't address these security concerns, a Google spokesman says.  
Customers can manually turn off Desktop Search or put it on pause
during SSL remote-access sessions to avoid having the sessions cached
by the search engine, he says.

Ben-Yochanan says he installed Google Desktop Search on a PC, opened
an e-mail attachment, altered the document, sent it as an attachment
then deleted the file from the hard drive. Desktop Search retained a
copy of the original attachment and the modified version.

Fleming says such tools pose similar threats to shared PCs on
corporate LANs. So a person working the 4 p.m.-to-midnight shift could
access all the data accessed by the person working the 8 a.m.-to-4
p.m. shift, including personal human resources data or Internet
banking information, he says.

Similarly, if a network administrator uses a random desktop to
reconfigure a firewall, a desktop search engine will record those
settings and the password used to gain access, Fleming says.

It also makes it easier for attackers to search machines they have
taken over, says Fred Felman, vice president of marketing for Zone
Labs.