Intrusion Mitigation through Sensitive Data Redaction
Monday, April 15th at 2:00 p.m. in Room 1000 SEO.
The popularity of free, ubiquitous and large-scale email services like Gmail poses unique security issues. Users rely on these services to store sensitive information, such as passwords, financial records, and personal conversations, for long periods of time. Email providers, though, maintain plain text access to their users' information in order to provide services like spam filtering, search, and ad placement. The result is that many years' worth of sensitive information is accessible from a single location, and often only secured by a single password. This creates a very attractive target for malicious users.
With this in mind, we present Cloudsweeper, a tool to help measure and mitigate the problem of sensitive information in long-term email storage. Cloudsweeper allows users to search their Gmail account for passwords. Users are then able to redact or encrypt-in-place any passwords they find, while preserving the plain text of the rest of the email message. Our goals are three-fold: (1) measuring the frequency and distribution of password sharing through email, (2) identifying websites and companies that send their users credentials in plain text through email, and (3) providing users a way to mitigate the harm they would face if their account were breached.
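The redact-in-place idea described above, as an added Python example that is not Cloudsweeper's code: it replaces only the password token in a message's plain-text parts and leaves the headers and surrounding text intact. The labelled-password regex, the function names and the sample message are assumptions constructed for illustration; the abstract does not say how Cloudsweeper detects passwords.

```python
import re
from email import message_from_string, policy

# Constructed sample: a signup mail that echoes the credential in plain text.
SAMPLE = """\
From: accounts@example.com
To: user@example.org
Subject: Welcome to Example

Hi Pat,

Your account is ready.
Username: pat
Password: hunter2-Tr0ub4dor
Please change it after you log in.
"""

# Assumed heuristic: a password label, a separator on the same line, one token.
LABELLED = re.compile(
    r"\b(pass(?:word|code)?|pwd)\b([ \t]*(?:is|:|=)[ \t]*)(\S+)",
    re.IGNORECASE,
)

def redact_body(text, marker="[REDACTED]"):
    """Return (redacted_text, found_tokens); only the token is replaced."""
    found = []
    def _sub(m):
        found.append(m.group(3))
        return m.group(1) + m.group(2) + marker
    return LABELLED.sub(_sub, text), found

def redact_message(raw):
    """Redact every text/plain part in place, keeping all other content."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():  # also visits the parts of multipart messages
        if part.get_content_type() != "text/plain":
            continue  # HTML parts would need their own handling
        new_text, hits = redact_body(part.get_content())
        if hits:
            part.set_content(new_text)  # rewrites this part's body only
            found.extend(hits)
    # found holds the secrets themselves: count them, then discard, never log.
    return msg, found

if __name__ == "__main__":
    redacted, hits = redact_message(SAMPLE)
    print(f"{len(hits)} password(s) redacted")
    print(redacted.get_content())
```
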
Pete is a first-year PhD student in the Department of Computer Science at UIC working with Professor Chris Kanich in the BITS Networked Systems Laboratory. His research interests are in security issues, networking, and application development.