Reading the article in Network World this week (11/22/2004, "Google search cache spawns SSL fears"), the obvious was once again reaffirmed - for most people (including developers, companies, end users, infrastructure techs, etc.) security is ABSOLUTELY the last thing that is ever considered.
The article contends - and correctly so - that the Google Desktop engine caches content to the local system, even the content you're trying to protect on your Corporate network, the very network you set the VPN up to protect. Typically, when a user logs off the VPN, that data is gone as well. Yes, some data is cached by the various browsers, etc., but this is typically mitigated by most VPN clients, and by tools distributed by a knowledgeable InfoSec or Network Security group, that clean the cache of any elements stored there while on the VPN. Sadly, Google is using a proprietary cache mechanism that is currently not controlled, or controllable, by these methods.
It's also stated that most people using the engine would not be very happy if the cache were purged anyway. Simply put, the security of the Corporate network comes second to the convenience of the engine's user, who would have to rebuild the cache each time they left the VPN - which takes some amount of time. Knowing most users, any inconvenience is too much.
However, Google is "Thinking" about implementing hooks to allow the engine's cache to be purged. The scenario above, of purging the cache, is only fantasy today; Google would need to enable this possibility. I'm glad to hear that Google is "Thinking" about it...
Some might wonder, OK - so what's the big deal? Well, let's just say that you used a friend's PC at their home to log into the office to check your e-mail, OK some documents, whatever. Your e-mail contains an urgent message that requires your approval on a document that consummates a deal that has been in the works for some time - the acquisition of a company that will allow your company to heavily leverage a new segment of business. But the only way it can succeed is if the acquisition remains confidential until the public announcement, which is still some three weeks away once the deal is final. No problem - you're on the VPN. The e-mail stream is encrypted in the VPN tunnel, and the attached document is protected. You open the attachment, read over the document, send your approval, and ensure that the document is gone - eliminating any possibility of disclosure before the appropriate time.
Little do you know that you've just compromised this very confidential secret.
Your friend has installed Google Desktop, and it has cached and indexed your acquisition document. Your 'friend' finds it later that night and makes a public disclosure that ends up killing the deal. You lose your job, your company goes under, and a virus takes over your town and raises the dead... (oops... sorry - that's Resident Evil.)
I'll bet that Google had no harmful intent with respect to their engine. However, I'll also bet that, if they even built a threat model detailing the vulnerabilities, side effects, and problems that needed to be addressed in the Desktop engine, it never took the 'VPN problem' into account. It never really addressed the 'Corporate Desktop' issues. More likely, the threat model assessed the threat to their product - not the security of their customers' data.
Developers are vital in the security battle. There is no greater example than Microsoft itself. Network engineers, InfoSec personnel, etc. can put policy, standards, models, procedures, etc. all in place - and be completely circumvented by a poorly written application that has taken no precaution and made no effort to implement even the simplest practices for securing an application: no checks for proper data behavior, no input validation, no sanitizing of URL strings, no protection against buffer overflows, no stack checking, etc., etc., etc. Sadly, most of the attacks we watch for end up being the compromise of a badly written app.
The other question - which I'll leave for thought on another day - is this:
What should Corporate America be doing to protect itself from software like Google Desktop installed on its users' desktops or laptops? Granted, we can have policy and measures for the Corporate asset, but it's a bit harder (read: impossible) to control a non-Corporate asset. Know that NAP (Microsoft's Network Access Protection) and NAC (Cisco's Network Access Control) are still a couple of years off - the dreaded "Longhorn timeframe".
What is the Corporate environment to do about the daily crop of new and interesting threats? I'll share my thoughts in the next couple of days.
-rtk
Posted Nov 25 2004, 03:53 PM by rickking