Security Basics mailing list archives
RE: Google Desktop and Security
From: "Joe George" <j.george () conservation org>
Date: Mon, 6 Feb 2006 15:23:47 -0500
I go by the rule, "If you have any reservations about any application, you're probably right to have them." I like certain services Google has available, but Google Desktop is not one of them. If you have the resources, you may wish to download and install on a workstation with non-critical data. Just a thought... JG -----Original Message----- From: Snehal Kumar [mailto:snehal.kumar () emirates com] Sent: Sunday, February 05, 2006 6:49 AM To: Mark; security-basics () securityfocus com Subject: RE: Google Desktop and Security Hi Mark, Here are some inputs from me... Google Desktop Search lets users search documents, spreadsheets, e-mail, instant messages and Web pages that have been visited by that PC. To enable this, it creates cached versions of Web content -- which could include sensitive corporate information stored on servers and accessed via a Web interface. There are some security issues, though. The problem is that GDS indexes and finds documents that you may prefer not be found. For example, GDS searches your browser's cache. This allows it to find old Web pages you've visited, including online banking summaries, personal messages sent from Web e-mail programs and password-protected personal Web pages. GDS can also retrieve encrypted files. No, it doesn't break the encryption or save a copy of the key. However, it searches the Windows cache, which can bypass some encryption programs entirely. And if you install the program on a computer with multiple users, you can search documents and Web pages for all users. GDS isn't doing anything wrong; it's indexing and searching documents just as it's supposed to. The vulnerabilities are due to the design of Internet Explorer, Opera, Firefox, PGP and other programs. First, Web browsers should not store SSL-encrypted pages or pages with personal e-mail. If they do store them, they should at least ask the user first. Second, an encryption program that leaves copies of decrypted files in the cache is poorly designed. Those files are there whether or not GDS searches for them. Third, GDS' ability to search files and Web pages of multiple users on a computer received a lot of press when it was first discovered. This is a complete nonissue. You have to be an administrator on the machine to do this, which gives you access to everyone's files anyway. Some people blame Google for these problems and suggest, wrongly, that Google fix them. What if Google were to bow to public pressure and modify GDS to avoid showing confidential information? The underlying problems would remain: The private Web pages would still be in the browser's cache; the encryption program would still be leaving copies of the plain-text files in the operating system's cache; and the administrator could still eavesdrop on anyone's computer to which he or she has access. The only thing that would have changed is that these vulnerabilities once again would be hidden from the average computer user. In the end, this can only harm security. GDS is very good at searching. It's so good that it exposes vulnerabilities on your computer that you didn't know about. And now that you know about them, pressure your software vendors to fix them. Don't shoot the messenger. Ref. http://www.internetnews.com/security/article.php/3434981 Thanks and regards, Snehal Kumar -----Original Message----- From: Mark [mailto:elihusmails () gmail com] Sent: 02 February 2006 23:27 To: security-basics () securityfocus com; elihusmails () gmail com Subject: Google Desktop and Security I am interested in using Google Desktop, but am concerned about the potential for security leaks from my computer. I am uncomfortable with Google indexing my hard drive. I have read that you can turn off indexing, so I feel better about that. Could someone please provide more information about what other security issues the Google Desktop may present. Thank you. ------------------------------------------------------------------------ --- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Google Desktop and Security Mark (Feb 05)
- Re: Google Desktop and Security Neil Kathok (Feb 06)
- Re: Google Desktop and Security Albert Gonzalez (Feb 07)
- Re: Google Desktop and Security Hunter Barrington (Feb 06)
- Re: Google Desktop and Security Alice Bryson (Feb 06)
- <Possible follow-ups>
- RE: Google Desktop and Security Snehal Kumar (Feb 06)
- RE: Google Desktop and Security Joe George (Feb 06)
- Re: Google Desktop and Security Neil Kathok (Feb 06)