If you use Gmail and have ever wondered how much your account might be worth to cyber thieves, have a look at Cloudsweeper, a new service launching this week that tries to price the value of your Gmail address based on the number of retail accounts you have tied to it and the current resale value of those accounts in the underground.
The brainchild of researchers at the University of Illinois at Chicago, Cloudsweeper’s account theft audit tool scans your inbox and presents a breakdown of how many accounts connected to that address an attacker could seize if he gained access to your Gmail. Cloudsweeper then tries to put an aggregate price tag on your inbox, a figure that’s computed by totaling the resale value of other account credentials that crooks can steal if they hijack your email.
In a blog post earlier this month titled The Value of a Hacked Email Account, I noted that many people do not realize how much they have invested in their email account until that account is in the hands of cyber crooks. That post quoted prices from one seller in the cybercrime underground who buys compromised accounts, such as hacked iTunes accounts for $8, or credentials to Groupon.com for $5, for example.
Chris Kanich, assistant professor at UIC’s computer science department and principal organizer of the project, said Cloudsweeper’s pricing model is built on prices collected from multiple sellers across multiple underground forums and services. I ran one of my Gmail accounts through Cloudsweeper, and it determined my account would be worth approximately $28.90 to bad guys. While this is not a Gmail account I use every day, I was surprised at how many third party services I had signed up for using it over the years. According to Cloudsweeper, bad guys with access to my account could also hijack my accounts at Amazon, Apple, Groupon, Hulu, Newegg, Paypal, Skype, UPlay and Yahoo, to name a few.
Cloudsweeper uses the Open Authentication (OAuth2) protocol to connect to your Gmail account and search through messages. OAuth is an open standard for online authorization, and using it with Cloudsweeper does not require you to type in your password as long as you are already logged into the Gmail account that you’d like scanned. Cloudsweeper doesn’t keep your credentials, and it forgets about your visit and inbox after you log out of the service, or within 60 minutes of inactivity.
PLAIN TEXT OFFENDERS
Prior to performing a scan, the service asks users if they wish to participate in a study, which Kanich said gathers and securely stores non-personally identifiable information about Cloudsweeper users who opt-in. That data includes how many types of accounts each user has tied to their Gmail. The study also draws on data from the second core feature of Cloudsweeper: The ability to discover and then redact or encrypt passwords that various services may send to users in plain text.
UIC’s Kanich said the project would like to maintain anonymized statistical information — such as how many accounts and what type — about visitors’ use of the tool.
“So with the user’s expressed permission only, we’ll store stuff like, ‘there was a password that was duplicated in seven different emails and the user chose to redact them all,’” Kanich said. “It’s a little bit funny because you don’t have to give us your password for Cloudsweeper to work, but a big reason you’re coming to us is so we can find your other account credentials.”
Click the blue “Cleartext Password Audit” button from the Cloudsweeper homepage and the service will scour your inbox for passwords that various third-party services may have sent to you in plain text. Cloudsweeper then lists the plaintext passwords alongside the names of the sites that sent them to you, and offers the options to encrypt or redact some or all of the passwords (or to do nothing, of course).
This process works by loading your messages via the Internet Message Access Protocol (IMAP), which lets users edit messages in their inboxes. Using IMAP, Cloudsweeper can redact or encrypt just the plaintext password in any email, leaving the rest of the message intact and untouched. Depending on how many messages you have in your inbox, this process may take quite some time.
Upon encrypting the password(s), the service presents a QR code that you can take a picture of with your mobile phone. You can also copy a longish decryption key and keep it somewhere safe. If you ever wish to un-encrypt the now obfuscated passwords, simply revisit Cloudsweeper and click the orange “Decrypt Messages” button from the homepage. Type or paste in your decryption key, or hold the QR code up to your computer’s Webcam and Cloudsweeper’s site will unscramble your encrypted passwords.
The password redaction/encryption feature is nifty, but it might be more trouble than it’s worth. After all, crooks who gain access to your Gmail account can simply request a new password from the site that sent it in the first place.
“That’s the biggest argument against this: That if you have access to the email account, you can just reset the password anyway,” Kanich said. “Right now, redacting the password is the closest thing to simply deleting the messages [containing plaintext passwords]. A lot of people do want to keep all of their email and don’t want to delete a lot of messages, even those that may have their passwords in them.”
Interestingly, as evidenced by the screenshot above, many of the passwords this tool detected as having been sent to my Gmail inbox in plain text came from antivirus vendors. Storing passwords in plaintext is a security no-no, and these firms should know better. I’ve encouraged readers to name-and-shame companies that perpetuate this practice by forwarding such emails to plaintextoffenders.com, which redacts and publishes these missives each day. Passwordfail.com maintains another list of plaintext offenders, and even has a browser extension to warn users before they register at a site that stores passwords in the clear.
As I noted in several recent posts, Gmail and other Webmail providers — Yahoo! and Hotmail/Live.com — all offer multi-step authentication; if you haven’t already protected your accounts with these features, please take a moment to click the relevant links in this sentence to learn more about how to do that (UIC’s Kanich said his group is looking at adding Yahoo to Cloudsweeper, but that Live.com doesn’t work with IMAP). See this post for a primer on picking and managing strong passwords.
Did you use Cloudsweeper to price your Gmail account? If so, leave a comment below and tell us about your experience.