Is desktop search secure?
Analysts say free desktop search tools pose security threats.
A popular free desktop search tool poses several security threats to federal agencies, analysts say.
Government employees have been using Google Desktop Search to sift through the full-text contents of their local hard drives, including e-mail messages, documents, bookmarks and Web pages. Microsoft and Yahoo! also offer free, downloadable applications for desktop search.
Desktop search tools create an image of files that is quicker and more effective than the “I think I’ll click around until I find something” model, said Whit Andrews, a Gartner research director.
“That is great for enterprise -- and the intruder,” Andrews said.
Two main problems plague all desktop search appliances, he said.
If security is breached on machines using desktop search, prowlers can find sensitive information faster. Computers at law enforcement agencies, the Food and Drug Administration, and other regulatory bodies can easily expose confidential investigations.
In addition, when users download free software, agencies do not have the same level of control as with purchased applications installed by information technology personnel. Agency officials cannot claim the company is not supporting the search tools properly, nor can they administer the software from a console.
“These are issues for all desktop search and they need to be addressed,” Andrews said, though he added that free desktop search could be appropriate for some workers.
He said he is concerned about the search tools’ potential for revealing private information to third parties, since the desktop searches generate Web pages with targeted advertising. And government interests may not be aligned with those of the corporations making those resources freely available, Andrews said.
“There is an enormous difference between the interests of Linus Torvalds and the interests of Coca-Cola or Microsoft or Google,” he said.
Other analysts point to a specific Google Desktop Search flaw. By default, the tool indexes and searches cached copies of everything users see, so they can view older versions of documents and Web pages, even off-line. If an unauthorized individual were to enter the password or e-mail, the intruder could easily filch entry codes and private messages, said Dave Goebel, who runs Goebel Group, a search consulting company.
“I would be surprised if any federal agency was putting this on its desktops,” he said.
But some federal agencies are experimenting with Google’s application. Agriculture Department officials are independently testing the product for broader use within the agency and will start working with Google in about 60 days. Some Food and Drug Administration employees use Google Desktop Search, but there is no agencywide deployment of the tool.
Company officials say the product is not ready for enterprise use yet. “There are certain features that need to be built giving greater control to the administrator,” said Nathan Tyler, a Google spokesman, adding that an enterprise version of the tool will meet government’s needs.