SSL VPN security threatened by desktop search engines

New PC indexing tools such as Google Desktop Search pose security risks to businesses that use SSL remote access because the tools copy material accessed during SSL sessions and make it available to unauthorized people who later use the same PC.

Caches created by PC search tools get around security many SSL vendors have put in place to purge cached data from remote machines as secure sessions shut down. These so-called cache-cleaning agents wipe out temporary files created during SSL sessions, but they don't wipe out the copies made by the search tools.

"You could end up caching and indexing files you don't want cached and indexed on machines outside your control," says Dan Harman, remote access administrator for real estate developer Lewis Group in Upland, Calif., which uses SSL remote-access gear made by Whale Communications.

One touted benefit of SSL remote-access technology is that any machine with a Web browser can be used to access a corporate network securely. The downside is that the PCs might not be owned by the corporation, so any number of unauthorized users could have access to them. "This tends to negate user authentication," says Rick Fleming, CTO of Digital Defense, a vulnerability assessment company.

Besides Google's product, such search engines are made by Blinkx, Copernic, ISYS Search Software and X1. Yahoo and Microsoft are said to be on the verge of having them, too.

SSL VPN vendor Aventail says its Secure Desktop, a virtual desktop for SSL sessions that is destroyed when the session closes, prevents files downloaded during the session from being viewed by Google Desktop Search.

To solve the problem for its customers, Whale has a software upgrade that detects whether Google Desktop Search is running on a remote PC. If so, access to the corporate network is denied or restricted. The company is developing similar upgrades to address nine other desktop search engines, says Whale CTO Noam Ben-Yochanan.

Google Desktop Search makes it easier to find data on PC hard drives and doesn't address these security concerns, a Google spokesman says. Customers can manually turn off Desktop Search or put it on pause during SSL remote-access sessions to avoid having the sessions cached by the search engine, he says.

Ben-Yochanan says he installed Google Desktop Search on a PC, opened an e-mail attachment, altered the document, sent it as an attachment then deleted the file from the hard drive. Desktop Search retained a copy of the original attachment and the modified version.

Fleming says such tools pose similar threats to shared PCs on corporate LANs. So a person working the 4 p.m.-to-midnight shift could access all the data accessed by the person working the 8 a.m.-to-4 p.m. shift, including personal human resources data or Internet banking information, he says.

Similarly, if a network administrator uses a random desktop to reconfigure a firewall, a desktop search engine will record those settings and the password used to gain access, Fleming says.

It also makes it easier for attackers to search machines they have taken over, says Fred Felman, vice president of marketing for Zone Labs.