Beware Your Desktop Search

In the past few years, desktop searching has become very popular. Finding programs and documents on a computer used to depend on the user remembering where the file was saved, or under what menu it was filed. Users would remember having a conversation, but not be able to recall whether it was via e-mail, instant messenger, on a web page, or in a shared document.

Enter desktop search applications to the rescue. Dozens of applications exist today; two of the most popular come from Google and Microsoft. Desktop search is even built into Mac OS X and Windows 7. Google Desktop Search, for example, can index a large selection of data from a computer. The list includes e-mail (Gmail, Outlook, Thunderbird), web sites (Internet Explorer, Firefox), instant messenger (AOL, MSN, Google Talk), Microsoft Office documents, Adobe PDFs, music, videos, images, and zip archive files.

These indexing programs do a very thorough job. They will index everything without regard for the sensitivity of the data being indexed. They will find the 5-year-old document buried in your "My Documents" folder that contains student social security numbers. They will index the payroll data and salary adjustment spreadsheets that you received via e-mail.

This index is typically stored in a file on your computer. This file could become a target for criminals who break into computers and therefore should be treated carefully. While it may slow down search performance, encrypting the file or its containing folder would help prevent the database from being transferred to another computer.

Some search applications include a feature that stores your search results and data on a remote server so you can search and access the data from multiple computers. At this point, the risk of data disclosure becomes unacceptable for most University users. Remember the documents our indexing program found earlier? With this option enabled, you actually transfer your files, or at least a portion of your files, to a third party.

Desktop search applications can be very useful, but you need to be very aware of the data you access on your computer and what data is indexed by the search application. Remember that while these programs make it easy for you to find data on your computer, the data may be uploaded to a third party, or the search application can be used by a criminal to easily find data.
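
One way to learn what a search application would pick up is to scan the folders it indexes for forgotten files holding social security numbers. The script below is an added example, not part of the original article; the extension list and sample data are constructed, and it reads plain-text formats only (Office documents and PDFs would need a text extractor first).

```python
import os
import re
import tempfile

# Candidate SSN: 3-2-4 digits split by '-' or space, not part of a longer number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\d-])")
TEXT_EXTS = {".txt", ".csv", ".eml", ".htm", ".html", ".xml", ".log"}  # assumed set

def plausible_ssn(area, group, serial):
    """Reject values that are never issued, to cut false positives."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"

def count_ssns(text):
    return sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))

def scan_tree(root):
    """Return {relative_path: hit_count} for text files under root with SSN-like data."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    n = count_ssns(fh.read())
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            if n:
                hits[os.path.relpath(path, root)] = n
    return hits

def demo():
    """Scan a constructed sample folder (all values are made up)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "old"))
        samples = {"old/roster.csv": "name,ssn\nA,123-45-6789\nB,234 56 7890\n",
                   "notes.txt": "Call 812-555-0100; order 000-12-3456\n"}
        for rel, body in samples.items():
            with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Files it reports are candidates for deletion, encryption, or exclusion from the search index; point `scan_tree` at a real folder such as your documents directory to use it.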
