RE: Google Desktop and Security

["Joe George" <j.george () conservation org>]

I go by the rule, "If you have any reservations about any application,
you're probably right to have them."  I like certain services Google has
available, but Google Desktop is not one of them.  If you have the
resources, you may wish to download and install on a workstation with
non-critical data.  Just a thought...

JG

-----Original Message-----
From: Snehal Kumar [mailto:snehal.kumar () emirates com] 
Sent: Sunday, February 05, 2006 6:49 AM
To: Mark; security-basics () securityfocus com
Subject: RE: Google Desktop and Security

Hi Mark,

Here are some inputs from me...

Google Desktop Search lets users search documents, spreadsheets, e-mail,
instant messages and Web pages that have been visited by that PC. To
enable this, it creates cached versions of Web content -- which could
include sensitive corporate information stored on servers and accessed
via a Web interface. 

There are some security issues, though. The problem is that GDS indexes
and finds documents that you may prefer not be found. For example, GDS
searches your browser's cache. This allows it to find old Web pages
you've visited, including online banking summaries, personal messages
sent from Web e-mail programs and password-protected personal Web pages.

GDS can also retrieve encrypted files. No, it doesn't break the
encryption or save a copy of the key. However, it searches the Windows
cache, which can bypass some encryption programs entirely. And if you
install the program on a computer with multiple users, you can search
documents and Web pages for all users.

GDS isn't doing anything wrong; it's indexing and searching documents
just as it's supposed to. The vulnerabilities are due to the design of
Internet Explorer, Opera, Firefox, PGP and other programs.

First, Web browsers should not store SSL-encrypted pages or pages with
personal e-mail. If they do store them, they should at least ask the
user first.

Second, an encryption program that leaves copies of decrypted files in
the cache is poorly designed. Those files are there whether or not GDS
searches for them.

Third, GDS' ability to search files and Web pages of multiple users on a
computer received a lot of press when it was first discovered. This is a
complete nonissue. You have to be an administrator on the machine to do
this, which gives you access to everyone's files anyway.
Some people blame Google for these problems and suggest, wrongly, that
Google fix them. What if Google were to bow to public pressure and
modify GDS to avoid showing confidential information? The underlying
problems would remain: The private Web pages would still be in the
browser's cache; the encryption program would still be leaving copies of
the plain-text files in the operating system's cache; and the
administrator could still eavesdrop on anyone's computer to which he or
she has access. The only thing that would have changed is that these
vulnerabilities once again would be hidden from the average computer
user.

In the end, this can only harm security.

GDS is very good at searching. It's so good that it exposes
vulnerabilities on your computer that you didn't know about. And now
that you know about them, pressure your software vendors to fix them.
Don't shoot the messenger.

Ref. http://www.internetnews.com/security/article.php/3434981


Thanks and regards,

Snehal Kumar

-----Original Message-----
From: Mark [mailto:elihusmails () gmail com]
Sent: 02 February 2006 23:27
To: security-basics () securityfocus com; elihusmails () gmail com
Subject: Google Desktop and Security

I am interested in using Google Desktop, but am concerned about the
potential for security leaks from my computer.  I am uncomfortable with
Google indexing my hard drive.  I have read that you can turn off
indexing, so I feel better about that.

Could someone please provide more information about what other security
issues the Google Desktop may present.

Thank you.

------------------------------------------------------------------------
---
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and
the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.


http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---

------------------------------------------------------------------------
---
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and
the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.


http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------