11:51 AM
Connect Directly

Petraeus Fallout: 5 Gmail Security Facts

Where did the former CIA director and the woman with whom he was having an affair go wrong? Learn from his experience with Gmail.

Want to avoid a fall from grace? Then ensure you're not the chief of a spy agency who coordinates your extramarital affairs using a free webmail service. That's one information security takeaway from the ongoing probe into the former director of the CIA, David Petraeus, who resigned after 14 months on the job.

Petraeus' fall from grace stemmed from an FBI investigation, which began after anonymous, threatening emails were sent to Jill Kelley, a friend of Petraeus. According to the The Wall Street Journal, Kelley -- who serves as a volunteer with wounded veterans and military families -- complained about the emails to an FBI agent who'd pursued a friendship with her. The agent passed case details to the bureau's cyber investigators, who ultimately found that the emails had been sent by someone who also had access to a Gmail account used by Petraeus. The resulting national security investigation ultimately revealed that the emails had been sent by Petraeus' biographer Paula Broadwell, and that the CIA director was having an affair with Broadwell.

Petraeus acknowledged the affair in a resignation letter sent to all CIA employees. "After being married for over 37 years, I showed extremely poor judgment by engaging in an extramarital affair," he said. "Such behavior is unacceptable, both as a husband and as the leader of an organization such as ours."

Morals aside, the Petraeus case raises multiple security-related questions, such as the ease with which emails from Gmail, Yahoo or other providers of free Web-based email services might be intercepted by foreign adversaries in the intelligence arena, or unscrupulous competitors in the business realm.

[ It's time to strengthen your Google security plan. See 9 Google Apps Security Secrets For Business. ]

Here are five related facts:

1. FBI Involvement In Cyber-Stalking Rare

The FBI's investigation has led to civil liberties groups questioning whether the bureau overstepped the mark when investigating what turned out to be an extramarital affair. But the FBI doesn't regularly investigate the types of behavior that led to it discovering Petraeus' affair. "I'm not aware of any case when the FBI has gotten involved in a case of online harassment," said Justin Patchin, an associate professor of criminal justice at the University of Wisconsin-Eau Claire, reported Wired. "The FBI definitely wouldn't get involved in your Joe Schmoe love triangle."

Furthermore, after the Petraeus matter came to light, multiple lawmakers said that he shouldn't have resigned. Notably, CIA regulations don't prohibit affairs, although employees are supposed to tell the agency about any affairs to help avoid the potential for being blackmailed.

2. Investigation Threshold: National Secrets

So, what might have driven the FBI to investigate the emails sent to Kelley? That's not clear, but FBI officials are set to brief House and Senate intelligence committee members Tuesday, which may lead to further details coming to light. But one likely explanation is that the FBI may have quickly found evidence of classified material being inappropriately handled.

Already, Kelley's emails have led to an investigation of Gen. John R. Allen, who commands 68,000 American troops in Afghanistan, and who had been set to assume command of all American forces in Europe, as well as the supreme allied commander of NATO. Under military law, adultery is a crime, but Allen has reportedly denied doing anything wrong. Bureau officials told The New York Times that Kelley and Allen had emailed repeatedly between 2010 and 2011, but provided no more details concerning the investigation.

3. Free Email Services Aren't Secure

How difficult is it to hack into a free webmail account? Earlier this year, an attacker launched a "life hack" of journalist Mat Honan, which was accomplished in part by hacking into Honan's Gmail account. The hacker's motivation was simple: he coveted Honan's three-letter Twitter handle ("mat").

Now imagine the implications for a foreign intelligence agency that discovered that the head of the CIA had a personal email account. In fact, that may have been the principal concern that continued to propel the FBI's investigation forward, given the ease with which personal email accounts can be hacked. Earlier this year, for example, a hacker with ties to Anonymous hacked -- and published an audio transcript of -- an FBI conference call discussing investigations into the Anonymous and LulzSec hacktivist groups. The attacker, who law enforcement officials identified as Donncha O'Cearrbhail, boasted that he'd gained access to the conference call after hacking into the Gmail account of Ireland's top cybercrime investigator.

4. Anonymous Webmail Accounts Can Be Traced

Still, how did the FBI identify that Broadwell's computer had been used to send the harassing emails? According to The New York Times, FBI agents spent weeks matching up metadata from the emails -- most likely the IP addresses that were used to send the emails, which some webmail providers include with their sent emails -- and then reconciling the locations from which the emails had been sent with Paula Broadwell's known locations. From there, investigators were able to obtain a probable-cause warrant, which they used to actively monitor Broadwell's email accounts.

Ultimately, investigators found that Broadwell and Petraeus had set up private accounts, using Gmail, through which they communicated. Because Petraeus used a pseudonym, it took investigators some time to identify him as the owner of the other account, but they were able to successfully do so.

5. Don't Use Draft Emails To Evade Detection

Don't trust draft emails to help you evade detection. Law enforcement officials told AP that Petraeus and Broadwell exchanged some messages by leaving them as drafts in Gmail to avoid leaving a communications trail. Once investigators gained access to Broadwell's email account, however, they apparently uncovered the ruse.

This isn't the first time people have attempted to communicate covertly via draft webmail emails. Last month, during a hearing involving Canadian Sub-Lt. Jeffrey Delisle in Halifax, Nova Scotia, who was accused of being a Russian spy, prosecutors told the court that Delisle had access to a secure computer and would save information to a floppy disk. He'd then transfer the information to a removable USB memory stick, take the information home and copy it into a draft email, using a webmail account provided by the Russians. The Russians would then access and read the draft emails, reported Canada's CBC News. Delisle, a naval officer, last month pled guilty to spying for Russia between 2007 and 2011.

Privacy researcher Christopher Soghoian noted that in 2001, shoe bomber Richard Reid attempted to use the same "draft email 'trick' used by Petraeus" to disguise his communications, too. According to court documents, Reid left copies of three emails--one of which outlined to his mother what he planned to do aboard Flight 63 -- in his Yahoo draft email folder. "Didn't work back then. Doesn't work now," said Soghoian via Twitter.

Apparently, some security lessons have yet to be learned--even by the newly retired director of the CIA.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
User Rank: Apprentice
11/13/2012 | 9:32:15 PM
re: Petraeus Fallout: 5 Gmail Security Facts
They watch everything you do.

Every email is read, every phone call is listened to. Maybe not by a human, but computers are better at it anyway. They don't get tired. They don't miss anything. They have no mercy for minor so-called 'crimes'.

If you don't want it screamed in a police station or social studies class, don't type it in.
User Rank: Apprentice
11/14/2012 | 12:51:22 AM
re: Petraeus Fallout: 5 Gmail Security Facts
The drafts aspect of this is interesting. This probably is true for Google docs and all other documents stored on the cloud?
User Rank: Apprentice
11/14/2012 | 1:34:24 AM
re: Petraeus Fallout: 5 Gmail Security Facts
We think of these high level, uniformed men in charge of agencies guarding the nation as highly disciplined, intelligent, responsible and invulnerable. Instead it's just the first two or three. When you look at his Gmail use, 'intelligent' also momentarily falls under suspicion. .
User Rank: Apprentice
11/14/2012 | 7:31:12 AM
re: Petraeus Fallout: 5 Gmail Security Facts
Why did Jill Kelley received those threatening email?

Care to explain/
User Rank: Apprentice
11/14/2012 | 11:41:43 AM
re: Petraeus Fallout: 5 Gmail Security Facts
Thanks for the question. On the Jill Kelley front, the FBI said that Broadwell sent them, because she perceived Kelley to be a threat to her relationship with Petraeus.
User Rank: Apprentice
11/14/2012 | 6:00:15 PM
re: Petraeus Fallout: 5 Gmail Security Facts
any chance you can provide ANY actual empirical data to backup your statement "Free Email Services Aren't Secure"...its quite a nice FUD statement and lacks almost any truth.
User Rank: Apprentice
11/14/2012 | 8:50:57 PM
re: Petraeus Fallout: 5 Gmail Security Facts
One would have thought that 2 top ranking military men would have been better at hiding their extra-marital manoeuvres and had the good sense to not cheat so close to home, especially when it is so easy to meet strangers on websites such as Undercover Lovers and Ashley Madison nowadays.
User Rank: Ninja
11/15/2012 | 12:18:55 PM
re: Petraeus Fallout: 5 Gmail Security Facts
learn to use GnuPG/ENIGMAIL or its equivalent Outlook/PGP

short of that just agree to a password -- preferably in a private meeting -- and then use WinZIP: Edit your message any way you like. Then ZIP it using the agreed password and send it as an attachment. Be sure to check the scrub original option. AES128 is sufficient but you can use AES256 if you like.

once you have done this your remaining concerns are: (1) you must be sure of the physical security of you endpoint computers.... and (this is the tough one) (2) you must be sure you do not have any un-authorized programming -- virus -- in your computer. If you do: your computer is an open book. I recommend starting by switching computers handling sensitive information to Linux/Ubuntu. Use a separate user logon for all sensitive activity.

this will not cover up any traffic analysis that may be employed. who you talk to can be discovered.
User Rank: Apprentice
11/15/2012 | 3:45:29 PM
re: Petraeus Fallout: 5 Gmail Security Facts
Seems they would have been better off using disposable cell phones to communicate. Hard to believe our top dog would use Google services... for an affair no less. Sheesh.
User Rank: Apprentice
11/16/2012 | 4:18:46 AM
re: Petraeus Fallout: 5 Gmail Security Facts
The director of the CIA doesn't know about Email encryption like PGP or ofshore VPN and email services like Unspyable. I worry about the jokers running governments these days, top down.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.