Risk
11/20/2012
05:06 PM
Connect Directly
RSS
E-Mail
50%
50%

Petraeus Affair: 7 Privacy Techniques To Avoid Trouble

A number of off-the-shelf technologies can help keep online communications private -- but beware the limits.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Pop quiz: Who said the following?

"We have to rethink our notions of identity and secrecy. ... Every byte left behind reveals information about location, habits, and, by extrapolation, intent and probable behavior. The number of data points that can be collected is virtually limitless -- presenting, of course, both enormous intelligence opportunities and equally large counterintelligence challenges."

Those words belong to former CIA director David H. Petraeus, and were delivered earlier this year at the In-Q-Tel CEO Summit.

It was a "byte left behind," and then some, that ultimately led to Petraeus' resignation from the CIA. Briefly, his mistress and biographer Paula Broadwell sent emails -- allegedly of a threatening nature -- to Jill Kelley, a friend of Petraeus whom she saw as a rival. Tracing back the emails, FBI investigators identified Broadwell, found that she had classified information on her home PC, and also found that she was communicating with a third party using draft Gmail email messages, with both parties separately logging into the site, reading and erasing the previous message, and leaving a new one. Ultimately, the FBI identified Petraeus as the third party in question.

One of the many perplexing questions in this story remains technological: Couldn't the director of the CIA think of a better way to coordinate his liaisons than using a free webmail service? From a bigger-picture standpoint, meanwhile, the scandal raises this security question: Can two people communicate securely online, without a third party being able to intercept their communications, or even see that they're communicating?

Here are seven related facts:

1. Techniques For Swapping Secret Messages Abound.

The techniques for sending secret communications, or indicating a desire to communicate, are endless. There's Magic ink. Creating rudimentary codes to transmit communications via seemingly innocuous messages, such as making only the first letter of a sentence "count." Taping an "X" to your window. Using a "dead drop" to leave a message in a predefined physical location. Leaving coded messages on Craigslist.

2. Burner Phones Make Traceability, Attribution Difficult.

When there's the threat of having your communications traced, every fan of The Wire or Breaking Bad knows about burner cell phones. Buy cell phones using cash, use them to communicate -- by voice or text message -- for a finite period of time, and then replace them with different phones. Anyone trying to follow your trail will have difficulty reconstructing the entire pattern of communication.

3. Numerous Technologies Offer Secure Communications.

Many technologies promise to encrypt digital communications so they can't be intercepted. Use Zip files, encrypted with a passphrase that's been agreed in advance, and swap them via email. Similarly, technologies such as PGP, or the open-source GPG alternative, enable emails to be encrypted, as do a number of other webmail services. Meanwhile, Wickr provides for self-destructing messages, while for secure voice communications, look to Silent Circle from PGP creator Phil Zimmermann for Android and iOS, or Whisper Systems for Android.

Although these services might hide the message, they won't disguise that the sender and receiver have been communicating. For that, the Tor Project's anonymizing networks offer the opportunity to mask the fact that communications are occurring at all.

4. Hide Data In Pictures, Videos.

Another widely used technique for hiding communications involves the practice of steganography. In the digital realm, it means hiding information inside files -- for example, in digital pictures or Sodoku images.

Based on a 2006 Department of Justice criminal complaint filed against eight people who were allegedly working as agents for Russia's foreign intelligence service, known as SVR or "Moscow Center," the practice of steganography might be in widespread use by intelligence agencies. "Moscow Center uses steganographic software that is not commercially available. The software package permits the SVR clandestinely to insert encrypted data in images that are located on publicly-available websites without the data being visible," according to the complaint. "The encrypted data can be removed from the image, and then decrypted, using SVR-provided software."

5. Beware VPNs.

When it comes to hiding the fact that two parties are in communication, beware VPNs. Many Anonymous and LulzSec suspects learned the hard way after using VPN services such as HideMyAss.com that VPN providers keep access records, and tend to comply with court orders requiring them to share those records. In other words, VPNs will secure your communications, but don't count on it to cover your tracks.

6. Avoid Free Webmail Services.

It's a bad idea, as Broadwell and Petraeus discovered, to rely on free webmail services to provide secure communications or cover your tracks. "Webmail providers like Google, Yahoo and Microsoft retain login records (typically for more than a year) that reveal the particular IP addresses a consumer has logged in from," said Christopher Soghoian, principal technologist and senior policy analyst for the ACLU Speech, Privacy and Technology Project, in a blog post.

Those records helped the FBI trace the anonymous emails sent from Broadwell to Kelley back to the sender. "Although Ms. Broadwell took steps to disassociate herself from at least one particular email account, by logging into other email accounts from the same computer (and IP address), she created a data trail that agents were able to use to link the accounts," he said.

7. With Eavesdropping, All Bets Are Off.

There's a big caveat with the use of any digital security tool or technique, whether it's PGP, GPG, Tor, or steganography. Namely, if a third party -- your government, a foreign intelligence service, unscrupulous competitors -- sneaks a keylogger or Trojan application onto your PC, they can see every message or voice communication you initiate or receive, full stop.

That was the beauty of the Flame malware, which was allegedly built by the U.S. government for spying purposes, and which wasn't detectable by antivirus software for a significant length of time after it was first deployed. Using world-class crypto, Flame's creators were able to spoof Microsoft Update and automatically install their software on targeted PCs. For a target that's connected to the Internet, is there any way to reliably defend against that?

Likewise, last year's compromise of digital certificate registrar DigiNotar would have allowed attackers to generate fraudulent digital certificates for Facebook, Google, Microsoft, Skype, Twitter, and WordPress, as well as the CIA, MI6, and Mossad intelligence services, and the Tor Project. As a result, the attackers -- who were likely allied with the Iranian government -- could have launched man-in-the-middle attacks that allowed them to eavesdrop on all communications made through those websites or services, for any country-wide network they controlled.

Curious Choices For Spy Chief

With so much secure communications technology on offer, why did Petraeus choose a hidden Gmail account for coordinating his affair? The likely answer is that because Petraeus' extracurricular activities related solely to the marital, not espionage, realm, he thought simple track covering would suffice. Then again, security also involves a tradeoff between protection and usability -- easier to use typically means less secure, and harder to use means more secure -- and Petraeus and Broadwell might have simply opted for a simple communications technique. "It strikes me that the recent downfall of the CIA director speaks less to his tradecraft than the usability of encryption/anonymity tools," said Canadian privacy researcher Christopher Parsons via Twitter.

Beyond the scarcity of reliable communications techniques that are both secure and invisible, what the Petraeus scandal has also highlighted is that when authorities begin investigating your electronic communications, the game can quickly be over, sometimes with nary a warrant or subpoena being required.

Regardless, with the array of techniques available for clandestine communications, one of the strangest aspects to the scandal -- for many -- remains a spy chief's apparent lack of security finesse when it came to cloaking his own identity.

Recent breaches have tarnished digital certificates, the Web security technology. The new, all-digital Digital Certificates issue of Dark Reading gives five reasons to keep it going. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
OttoWest
50%
50%
OttoWest,
User Rank: Apprentice
11/24/2012 | 2:38:55 AM
re: Petraeus Affair: 7 Privacy Techniques To Avoid Trouble
Best security measure ever: Don't cheat on your spouse.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.