In the wake of Edward Snowden’s actions exposing the NSA’s Prism programme, people across the globe are viewing their online security with increasing unease.
But Cloudsweeper (https://cloudsweeper.cs.uic.edu/), a service launched recently, tries to safeguard personal data by putting a price tag on our Gmail account, were it to fall into the wrong hands.
A research project conducted by Peter Snyder and Chris Kanich at the University of Illinois at Chicago, Cloudsweeper aims to help users understand the risks they face when online. Through their research, they hope to interpret how these risks work at a systemic level, while also providing users tools to control them.
In order to safeguard cloud-based storage, it offers three email-based tools — account theft audit, cleartext password audit and decrypt messages. The account theft audit places a hypothetical worth on access to a Gmail account, based on prices gleaned from cybercriminal marketplaces.
This Correspondent used the “Account theft audit” on his Gmail account to find out its estimated price, which also depends on the third-party services a hacker might gain access to by scanning the emails. Cloudsweeper valued it at $23, owing to the fact that Apple and Amazon accounts would also be vulnerable. With a little additional information, hackers would also be able to control this Correspondent’s Facebook and Twitter presence, priced together at $5.30.
The Open Authorisation (OAuth2) protocol is used to connect to and scan the Gmail account, meaning that none of the user’s credentials are stored and the visit is forgotten after one logs out, or within one hour of inactivity. An open standard for online authorisation, it ensures that one need not enter a password if already logged into the Gmail account that needs to be scanned.
What this service effectively does is throw light on the amount of sensitive information we store in our email accounts. This takes us to the next tool that Cloudsweeper offers, the cleartext password audit, which scans the email account and identifies passwords that are sitting there as plain text.
Once identified, we are given the option to either encrypt or redact these messages selectively. While redaction irreversibly removes the passwords from the messages, encryption places an encrypted blob in their place, which can only be decrypted using the decrypt messages option available on its website.
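The audit-then-redact-or-encrypt workflow described above, as an added illustration that is not Cloudsweeper’s code: the `password:` pattern, the sample message and the SHA-256 keystream cipher are all constructed here, and the cipher is a teaching toy rather than a production choice. It shows why redaction is irreversible while encryption leaves a blob that the right key can restore.

```python
# Added illustration of a cleartext-password audit; not Cloudsweeper's own code.
import base64
import hashlib
import hmac
import os
import re

# Constructed pattern: lines such as "password: hunter2" or "Pwd = s3cret"
PASSWORD_RE = re.compile(r'(?i)\b(pass(?:word|wd)?|pwd)\s*[:=]\s*(\S+)')
REDACTED = "[REDACTED]"
# Constructed sample message, the kind of thing that lingers in an inbox
SAMPLE_MESSAGE = "Hi,\nYour new account is ready.\npassword: hunter2\nThanks"

def audit(message):
    """Return the cleartext password values found in a message."""
    return [m.group(2) for m in PASSWORD_RE.finditer(message)]

def redact(message):
    """Irreversibly replace each password value with a fixed marker."""
    return PASSWORD_RE.sub(lambda m: f"{m.group(1)}: {REDACTED}", message)

def _keystream(key, nonce, length):
    # Toy SHA-256 counter-mode keystream: illustrative only, not for production.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_blob(secret, key):
    """Reversible replacement: base64(nonce || ciphertext || HMAC tag)."""
    nonce = os.urandom(16)
    data = secret.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return "ENC[" + base64.b64encode(nonce + ct + tag).decode() + "]"

def decrypt_blob(blob, key):
    """Undo encrypt_blob; raise ValueError if the tag does not verify."""
    raw = base64.b64decode(blob[4:-1])
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def encrypt_in_place(message, key):
    """Replace each password value with a blob that decrypt_blob can restore."""
    return PASSWORD_RE.sub(lambda m: f"{m.group(1)}: {encrypt_blob(m.group(2), key)}", message)
```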