This document summarizes a tool called Cloudsweeper that aims to help users secure data they keep in cloud storage, Gmail in particular. It scans a user's Gmail account for credentials or account information stored in plain text that could compromise other accounts if an attacker got into the mailbox. Cloudsweeper then offers to encrypt any sensitive information it finds, remove it from the account, or estimate how much access to the user's various accounts would be worth to cybercriminals. The tool uses temporary, limited OAuth access to the Gmail account and never asks for the user's Google password.
2. AGENDA
Introduction to cloud computing
Cloud storage
Examples
Concern for cloud storage
Talk of the town
Cloudsweeper
Email Tools
OAuth 2.0 Protocol
QR Code
Conclusion
3. INTRODUCTION TO CLOUD COMPUTING
Cloud computing is a resource delivery and usage model.
The network that provides the resources is called the cloud.
It is Internet-based computing in which virtual shared servers provide software, infrastructure, platforms, devices and other resources and hosting to customers on a "pay as you use" basis.
4. CLOUD STORAGE
Cloud storage is a model of networked enterprise storage in which data is stored not only on the user's computer but in virtualized pools of storage, generally hosted by third parties.
Hosting companies operate large data centers, and people who need their data hosted buy or lease storage capacity from them.
Cloud storage services may be accessed through a web service application programming interface (API) or through a web-based user interface.
6. WORKING OF CLOUD STORAGE
It stores web e-mail messages, digital pictures or any other digital data.
The facilities that house cloud storage systems are called data centers.
At its simplest, a cloud storage system needs just one data server connected to the Internet.
A client (for example, a computer user subscribing to a cloud storage service) sends copies of files over the Internet to the data server, which then records the information.
7. CONTD…
In practice, cloud storage systems rely on hundreds of data servers. Because computers occasionally require maintenance or repair, it is important to store the same information on multiple machines.
This is called redundancy.
Most systems also store the same data on servers that draw on different power supplies, so that a single outage does not take every copy offline.
Clients also use cloud storage as a way to create backups of data: if something happens to the client's own computer system, the data survives off-site.
8. EXAMPLES
Google Docs allows users to upload documents, spreadsheets and presentations to Google's data servers.
Web e-mail providers like Gmail, Hotmail and Yahoo! Mail store e-mail messages on their own servers.
Sites like Flickr and Picasa host millions of photographs.
YouTube hosts millions of user-uploaded video files.
Social networking sites like Facebook and MySpace allow members to post pictures and other content.
Services like Xdrive, MediaMax and Strongspace offer storage space for any kind of digital data.
9. CONCERNS ABOUT CLOUD STORAGE
The biggest concern about cloud storage is security.
To secure data, most systems use a combination of techniques, including:
Encryption: information is encoded with a cipher so that it cannot be read without the corresponding key.
Authentication: users must create a user name and password and present them to get in.
Authorization: the client lists the people who are authorized to access information stored on the cloud system. Many corporations have multiple levels of authorization.
Note what these do not cover: anyone who can log in to the account, whether its owner or an intruder, sees the stored data in the clear. That is the gap Cloudsweeper addresses, by encrypting sensitive items under a key that only the user holds.
10. MY GMAIL IS PRICED $23…FOR A HACKER
To safeguard our personal data from falling into the wrong hands, a service called CLOUDSWEEPER was launched.
It does this by putting a price tag on your Gmail account.
It is a research project by Peter Snyder and Chris Kanich at the University of Illinois at Chicago, reported in THE HINDU newspaper on July 4th, 2013.
Cloudsweeper aims to help users understand the risks they face online and how those risks work at a systemic level.
12. OAUTH 2
OAuth is an open standard for authorization.
It provides a method for clients to access server resources on behalf of a resource owner.
It also provides a process for end users to authorize third-party access to their server resources without sharing their credentials (a username and password pair), using user-agent redirections.
In other words, it lets a user grant one site access to their private resources on another site. The grant is limited to the scope the user approved and can be revoked by the user at any time.
OpenID is about using a single identity to sign in to many sites.
OAuth is about giving access to your stuff without sharing your identity (your secret credentials).
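The flow described above, as an added example that is not Cloudsweeper's or Google's code: a small in-memory model of the OAuth 2.0 authorization-code grant in Go. The client name ("cloudsweeper-app"), its secret, the scope names and the redirect URI are assumed values. It shows the three properties the Cloudsweeper slides rely on: the client never sees the user's password, the token is limited to the scope the user approved, and the user can revoke it at any time.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Added example, not Cloudsweeper's or Google's code: an in-memory model of the
// OAuth 2.0 authorization-code grant (RFC 6749). The client ends up holding a
// scoped, expiring, revocable token; the user's password never reaches it.

type grant struct {
	clientID, scope, redirectURI string
	expires                      time.Time
}

// Token is what the client holds instead of the user's credentials.
type Token struct {
	Value, Scope string
	Expires      time.Time
}

// AuthServer plays both authorization and resource server; Now is injectable.
type AuthServer struct {
	clients map[string]string // pre-registered client_id -> client_secret
	codes   map[string]*grant
	tokens  map[string]*Token
	Now     func() time.Time
}

func NewAuthServer(clientID, clientSecret string) *AuthServer {
	return &AuthServer{clients: map[string]string{clientID: clientSecret},
		codes: map[string]*grant{}, tokens: map[string]*Token{}, Now: time.Now}
}

func randomString() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

// Authorize models the user-agent redirection: the user approves or refuses the
// requested scope. On consent a short-lived code bound to the client is issued.
func (s *AuthServer) Authorize(userConsents bool, clientID, scope, redirectURI string) (string, error) {
	if !userConsents {
		return "", errors.New("access_denied")
	}
	code := randomString()
	s.codes[code] = &grant{clientID: clientID, scope: scope, redirectURI: redirectURI,
		expires: s.Now().Add(10 * time.Minute)}
	return code, nil
}

// Exchange is the back-channel token request: the client authenticates with
// its secret and presents the code plus the same redirect URI. The token is
// limited to the scope the user approved.
func (s *AuthServer) Exchange(code, clientID, clientSecret, redirectURI string) (*Token, error) {
	if secret, ok := s.clients[clientID]; !ok || secret != clientSecret {
		return nil, errors.New("invalid_client")
	}
	g, ok := s.codes[code]
	if !ok || g.clientID != clientID || g.redirectURI != redirectURI || s.Now().After(g.expires) {
		return nil, errors.New("invalid_grant")
	}
	delete(s.codes, code) // codes are single-use: a replayed code must fail
	t := &Token{Value: randomString(), Scope: g.scope, Expires: s.Now().Add(time.Hour)}
	s.tokens[t.Value] = t
	return t, nil
}

// Revoke is the "revoke access any time" control: the user pulls the token.
func (s *AuthServer) Revoke(tokenValue string) { delete(s.tokens, tokenValue) }

// Access is the resource server's check of a bearer token for one operation.
func (s *AuthServer) Access(tokenValue, neededScope string) error {
	t, ok := s.tokens[tokenValue]
	if !ok || s.Now().After(t.Expires) {
		return errors.New("invalid_token")
	}
	for _, sc := range strings.Fields(t.Scope) {
		if sc == neededScope {
			return nil
		}
	}
	return fmt.Errorf("insufficient_scope: token has %q, need %q", t.Scope, neededScope)
}

func main() {
	srv := NewAuthServer("cloudsweeper-app", "client-secret") // assumed registration
	code, _ := srv.Authorize(true, "cloudsweeper-app", "mail.readonly", "https://app.example/cb")
	tok, _ := srv.Exchange(code, "cloudsweeper-app", "client-secret", "https://app.example/cb")
	fmt.Println("modify mail: ", srv.Access(tok.Value, "mail.modify"))
	srv.Revoke(tok.Value)
	fmt.Println("after revoke:", srv.Access(tok.Value, "mail.readonly"))
}
```

Two checks that are easy to skip live in Exchange: the code is single-use and bound to the redirect URI it was issued for, so a code that leaks through a referrer header or a log cannot be replayed by another party, and the token carries only the scope the user saw on the consent screen.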
13. HISTORY OF OAUTH2
OAuth began in November 2006, when Blaine Cook was developing the Twitter OpenID implementation.
The OAuth 1.0 Protocol was published in April 2010 as an informational Request for Comments (RFC 5849).
Since August 31, 2010, all third-party Twitter applications have been required to use OAuth.
The OAuth 2.0 Framework was published as a standards-track Request for Comments (RFC 6749) in October 2012.
15. PROTOCOL EXAMPLE
The example below is the one from the OAuth 1.0 specification. Consumer key, consumer secret and the per-request HMAC-SHA1 signature are OAuth 1.0 concepts; OAuth 2.0, which Cloudsweeper uses, does not sign individual requests but sends a bearer access token over TLS instead.
Request Token URL: https://photos.example.net/request_token, using HTTP POST
User Authorization URL: http://photos.example.net/authorize, using HTTP GET
Access Token URL: https://photos.example.net/access_token, using HTTP POST
Photo (Protected Resource) URL: http://photos.example.net/photo with required parameter file and optional parameter size
Consumer Key: dpf43f3p2l4k3l03
Consumer Secret: kd94hf93k423kf44
16. Protected Resource
All together, the Consumer's request for the photo is:
http://photos.example.net/photos?file=vacation.jpg&size=original
Authorization: OAuth realm="http://photos.example.net/",
oauth_consumer_key="dpf43f3p2l4k3l03",
oauth_token="nnch734d00sl2jdk",
oauth_signature_method="HMAC-SHA1",
oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D",
oauth_timestamp="1191242096",
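How the oauth_signature value above is produced and checked, as an added Go example that is not code from the slide or from the OAuth specification. Consumer key, token, timestamp and the request URL are the slide's; the nonce (kllo9940pd9333jh), the token secret (pfkkdhi9sl3r4s00) and oauth_version, which the slide omits, are taken from the OAuth 1.0 specification's Appendix A example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Added example, not code from the slide or from the OAuth specification: builds
// the OAuth 1.0 signature base string and HMAC-SHA1 signature for the photo
// request on the slide, and verifies it the way the server does. The slide omits
// the nonce and the token secret; the values below are the ones the spec's
// Appendix A example uses.

// percentEncode is OAuth 1.0's encoding: ALPHA, DIGIT, '-', '.', '_' and '~'
// pass through, everything else becomes uppercase %XX (url.QueryEscape would
// turn a space into '+', which breaks signatures).
func percentEncode(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case 'A' <= c && c <= 'Z', 'a' <= c && c <= 'z', '0' <= c && c <= '9',
			c == '-', c == '.', c == '_', c == '~':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// BaseString is METHOD & encode(url) & encode(sorted "k=v" pairs joined by '&').
// Query and oauth_* parameters are normalised together; oauth_signature is excluded.
func BaseString(method, baseURL string, params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		if k != "oauth_signature" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	pairs := make([]string, 0, len(keys))
	for _, k := range keys {
		pairs = append(pairs, percentEncode(k)+"="+percentEncode(params[k]))
	}
	return strings.ToUpper(method) + "&" + percentEncode(baseURL) + "&" + percentEncode(strings.Join(pairs, "&"))
}

// Sign is base64(HMAC-SHA1(consumerSecret&tokenSecret, baseString)).
func Sign(baseString, consumerSecret, tokenSecret string) string {
	mac := hmac.New(sha1.New, []byte(percentEncode(consumerSecret)+"&"+percentEncode(tokenSecret)))
	mac.Write([]byte(baseString))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// Verify is what photos.example.net does: recompute from its own copy of the
// secrets and compare in constant time. Changing any parameter in transit
// (say size=original to size=large) changes the base string and fails here.
func Verify(method, baseURL string, params map[string]string, consumerSecret, tokenSecret string) bool {
	expected := Sign(BaseString(method, baseURL, params), consumerSecret, tokenSecret)
	return hmac.Equal([]byte(expected), []byte(params["oauth_signature"]))
}

// Request parameters from the slide; the nonce and version are the spec's.
var PhotoParams = map[string]string{
	"file":                   "vacation.jpg",
	"size":                   "original",
	"oauth_consumer_key":     "dpf43f3p2l4k3l03",
	"oauth_token":            "nnch734d00sl2jdk",
	"oauth_signature_method": "HMAC-SHA1",
	"oauth_timestamp":        "1191242096",
	"oauth_nonce":            "kllo9940pd9333jh",
	"oauth_version":          "1.0",
}

const ConsumerSecret, TokenSecret = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"

func main() {
	bs := BaseString("GET", "http://photos.example.net/photos", PhotoParams)
	PhotoParams["oauth_signature"] = Sign(bs, ConsumerSecret, TokenSecret)
	fmt.Println(bs)
	fmt.Println("oauth_signature:", PhotoParams["oauth_signature"])
	fmt.Println("verifies:", Verify("GET", "http://photos.example.net/photos", PhotoParams, ConsumerSecret, TokenSecret))
}
```

The base string, not the Authorization header, is what gets signed: every query and oauth_* parameter is percent-encoded, sorted and joined, so a change to any parameter in transit invalidates the signature. The verifier compares with hmac.Equal rather than ==, because a byte-by-byte early-exit comparison leaks, through timing, how many leading bytes of a forged signature were right.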
20. ACCOUNT THEFT AUDITS
The account theft audit places a hypothetical worth on access to a Gmail account, based on information gleaned from cybercriminal marketplaces.
If you were to lose your phone, leave your computer logged in, or have your account hacked, the possible harm might extend far further than you expect: most online services send password resets to the email address on file, so whoever controls the inbox can take over those accounts as well.
The account theft audit tool can help you get a handle on just how much a cybercriminal could access were they to take over your email account.
The tool scans your account and gives you a visualization of how many of your accounts hackers could take over if they got access to your email account.
21. STEPS OF ACCOUNT THEFT AUDITS
1. Temporary Limited Access
Cloudsweeper uses OAuth 2 to connect to your Gmail account, so it never has to ask for your Google credentials. OAuth means you stay in control of your account, can revoke access at any time, and your username and password stay secure and private.
2. Scanning for Risks
The system programmatically checks your email archives, looking for the kinds of things hackers are interested in: access to other accounts, account credentials, and other things attackers want to steal. Humans never see your data, and statistics about your account are kept only if you opt in.
22. 3. Threat Report
Once the scan is complete, the audit shows what was found and which other accounts you use an attacker could gain access to through your Gmail account.
Recent underground prices for these accounts give a rough estimate of what your email account is worth to these attackers.
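A simplified version of the three steps above, as an added Go example that is not Cloudsweeper's code. It parses a constructed inbox, keeps the messages that show a service would reset or confirm an account through this mailbox, counts one account per sending domain, and prices the result with an assumed table. The categories, the prices and the messages are all constructed for the example; the real tool draws on current marketplace data that this page does not reproduce.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"sort"
	"strings"
)

// Added example, not Cloudsweeper's code: a simplified account theft audit. It
// keeps the messages showing that a service treats this inbox as proof of
// identity (password resets, sign-up and address confirmations), counts one
// account per sending domain, and prices the result. The categories, the
// prices and the messages are all constructed for this example.

// AssumedPrices: illustrative underground prices in USD per account category.
var AssumedPrices = map[string]float64{"bank": 20, "shopping": 5, "social": 2, "other": 1}

// categoryOf maps a sender domain to a category; anything else is "other".
var categoryOf = map[string]string{
	"bank.example":   "bank",
	"shop.example":   "shopping",
	"social.example": "social",
}

// Subjects that show the sender will hand the account to whoever reads this mail.
var takeoverSubject = regexp.MustCompile(
	`(?i)(reset your password|password reset|confirm your (email|account)|verify your email|welcome to)`)

type Finding struct {
	Service  string // sender domain
	Category string
	Price    float64
}

// Audit parses each raw RFC 5322 message and returns one Finding per service
// that could be taken over through this inbox, most valuable first.
func Audit(rawMessages []string) ([]Finding, error) {
	seen := map[string]bool{}
	var findings []Finding
	for _, raw := range rawMessages {
		msg, err := mail.ReadMessage(strings.NewReader(raw))
		if err != nil {
			return nil, err
		}
		if !takeoverSubject.MatchString(msg.Header.Get("Subject")) {
			continue // ordinary mail says nothing about account linkage
		}
		from, err := mail.ParseAddress(msg.Header.Get("From"))
		if err != nil {
			return nil, err
		}
		domain := strings.ToLower(from.Address[strings.LastIndex(from.Address, "@")+1:])
		if seen[domain] {
			continue // several resets from one service still mean one account
		}
		seen[domain] = true
		cat, ok := categoryOf[domain]
		if !ok {
			cat = "other"
		}
		findings = append(findings, Finding{Service: domain, Category: cat, Price: AssumedPrices[cat]})
	}
	sort.SliceStable(findings, func(i, j int) bool { return findings[i].Price > findings[j].Price })
	return findings,nil
}

// TotalValue is the audit's headline number: what the inbox is worth to a buyer.
func TotalValue(findings []Finding) float64 {
	total := 0.0
	for _, f := range findings {
		total += f.Price
	}
	return total
}

// SampleMessages is a constructed inbox; no message here is real.
var SampleMessages = []string{
	"From: \"Example Bank\" <noreply@bank.example>\r\nSubject: Reset your password\r\n\r\nClick to reset.\r\n",
	"From: orders@shop.example\r\nSubject: Your order has shipped\r\n\r\nTracking inside.\r\n",
	"From: no-reply@shop.example\r\nSubject: Welcome to Shop!\r\n\r\nThanks for signing up.\r\n",
	"From: alerts@social.example\r\nSubject: Verify your email address\r\n\r\nVerify here.\r\n",
	"From: noreply@bank.example\r\nSubject: Password reset requested\r\n\r\nSecond reset.\r\n",
	"From: friend@mail.example\r\nSubject: lunch?\r\n\r\nSee you at noon.\r\n",
	"From: team@forum.example\r\nSubject: Confirm your account\r\n\r\nConfirm link.\r\n",
}

func main() {
	findings, err := Audit(SampleMessages)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-15s %-9s $%.0f\n", f.Service, f.Category, f.Price)
	}
	fmt.Printf("estimated value of this inbox: $%.0f\n", TotalValue(findings))
}
```

The ranked list is the visualization the slide describes and the sum is the "my Gmail is priced" figure. Matching on subject lines alone keeps the example short; a production scanner would also look inside message bodies, where many services mention the account only in the text.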
27. STEPS FOR CLEAR TEXT PASSWORD AUDITS
1. Temporary Gmail Access
Cloudsweeper uses OAuth 2 to connect to your Gmail account, so you never have to share your Gmail credentials. OAuth means you stay in control of your account, can revoke access at any time, and your username and password stay secure and private.
2. Scanning for Passwords
The system programmatically looks through your email to find plain-text passwords, in the same way a hacker or spy would. You are then presented with a list of found passwords that you can, optionally, redact from your account or encrypt.
28. 3. Encrypt or Redact
If you choose, Cloudsweeper will remove or encrypt any of the passwords found in your account. If you choose to encrypt the found passwords, it uses strong encryption to secure these credentials and then presents you with a key and a QR code you can use to decrypt the information later.
Only you will have the key, so only you will be able to access these credentials in the future, keeping your account safer from hackers, spies and malicious users. The flip side is that the key is not kept for you: if you lose it, the encrypted passwords cannot be recovered.
29. HOW DOES IT WORK?
Considering the intersection between security and long-term cloud-based data storage, the tool was developed to help users identify and redact private information.
Take an email in your archive that says you can log in with the following information:
Username: chrisk
Password: hunter3
By using this tool, you can preserve the useful but non-sensitive text of such an email while removing the private information. After using the tool, the same email will still be in your archive, now reading:
Username: chrisk
Password: [wImYDaM5DBJZqgLrSYekjQ==
ZmwDVbzid7+7LQ6R3uDj+xPnDt1nuxEFDJTxhKPh5T0=]
The user name and the surrounding text are untouched; only the password has been replaced by its encrypted form, which can be decoded with the key that was shown to the user once.
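The scan, redact and encrypt steps of slides 27 to 29, as an added Go example that is not Cloudsweeper's code. The slide does not say which cipher or blob format Cloudsweeper uses; this example uses AES-256-GCM under a random key and writes the blob as two base64 strings (nonce, then ciphertext with its authentication tag), an assumption chosen to resemble the bracketed blob above. The sample message is constructed from the slide's chrisk/hunter3 example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Added example, not Cloudsweeper's code: find clear-text "Password: ..." values
// in a message body and either redact them or swap them for an encrypted blob
// that only the key holder can open. AES-256-GCM and the blob layout are assumed.

// A "Password: value" line as in the slide's sample mail; group 1 keeps the
// label so the non-sensitive text of the message survives.
var passwordLine = regexp.MustCompile(`(?im)^([ \t]*password[ \t]*:[ \t]*)(\S+)`)

// FindPasswords returns every clear-text password value in body, in order.
func FindPasswords(body string) []string {
	var found []string
	for _, m := range passwordLine.FindAllStringSubmatch(body, -1) {
		found = append(found, m[2])
	}
	return found
}

// NewKey returns a random 256-bit key; the user keeps it (as text or a QR code).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns "base64(nonce) base64(ciphertext||tag)" under AES-256-GCM.
func Encrypt(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(nonce) + " " + base64.StdEncoding.EncodeToString(ct), nil
}

// Decrypt reverses Encrypt; a wrong key or a tampered blob fails the GCM tag check.
func Decrypt(key []byte, blob string) (string, error) {
	parts := strings.Fields(blob)
	if len(parts) != 2 {
		return "", errors.New("malformed blob")
	}
	nonce, err1 := base64.StdEncoding.DecodeString(parts[0])
	ct, err2 := base64.StdEncoding.DecodeString(parts[1])
	gcm, err3 := newGCM(key)
	if err1 != nil || err2 != nil || err3 != nil || len(nonce) != gcm.NonceSize() {
		return "", errors.New("undecodable blob or key")
	}
	pt, err := gcm.Open(nil, nonce, ct, nil)
	return string(pt), err
}

// Redact replaces each password value with a fixed marker; it cannot be undone.
func Redact(body string) string {
	return passwordLine.ReplaceAllString(body, "${1}[redacted]")
}

// EncryptInPlace replaces each password value with "[blob]" and leaves the
// rest of the message as it was, matching the slide's before/after example.
func EncryptInPlace(key []byte, body string) (string, error) {
	var firstErr error
	out := passwordLine.ReplaceAllStringFunc(body, func(line string) string {
		m := passwordLine.FindStringSubmatch(line)
		blob, err := Encrypt(key, m[2])
		if err != nil {
			firstErr = err
		}
		return m[1] + "[" + blob + "]"
	})
	return out, firstErr
}

// SampleMail is constructed, modelled on the slide's example message.
const SampleMail = "Hi, here is your login for the photo site.\nUsername: chrisk\nPassword: hunter3\nThanks!\n"

func main() {
	fmt.Print(Redact(SampleMail))
}
```

Redaction is irreversible; encryption keeps the password recoverable by whoever holds the key, and the GCM tag means a wrong key or an edited blob fails outright instead of decrypting to garbage. A second scan of the rewritten message would match the bracketed blob as a "password" value, so a real tool has to recognise its own blobs and skip them.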
33. Q.R CODE
Quick Response Code (QR code) is the trademark for a type of matrix barcode (two-dimensional barcode).
It was first designed for the automotive industry in Japan. A barcode is an optically machine-readable label attached to an item that records information related to that item.
The information encoded by a QR code may be one of four standardized types of data: numeric, alphanumeric, byte/binary, and kanji (漢字).
Cloudsweeper presents the decryption key as a QR code so that the user can capture it with a phone camera instead of copying a long string by hand.