Risk
11/13/2012
11:51 AM
50%
50%

Petraeus Fallout: 5 Gmail Security Facts

Where did the former CIA director and the woman with whom he was having an affair go wrong? Learn from his experience with Gmail.

Want to avoid a fall from grace? Then ensure you're not the chief of a spy agency who coordinates your extramarital affairs using a free webmail service. That's one information security takeaway from the ongoing probe into the former director of the CIA, David Petraeus, who resigned after 14 months on the job.

Petraeus' fall from grace stemmed from an FBI investigation, which began after anonymous, threatening emails were sent to Jill Kelley, a friend of Petraeus. According to the The Wall Street Journal, Kelley -- who serves as a volunteer with wounded veterans and military families -- complained about the emails to an FBI agent who'd pursued a friendship with her. The agent passed case details to the bureau's cyber investigators, who ultimately found that the emails had been sent by someone who also had access to a Gmail account used by Petraeus. The resulting national security investigation ultimately revealed that the emails had been sent by Petraeus' biographer Paula Broadwell, and that the CIA director was having an affair with Broadwell.

Petraeus acknowledged the affair in a resignation letter sent to all CIA employees. "After being married for over 37 years, I showed extremely poor judgment by engaging in an extramarital affair," he said. "Such behavior is unacceptable, both as a husband and as the leader of an organization such as ours."

Morals aside, the Petraeus case raises multiple security-related questions, such as the ease with which emails from Gmail, Yahoo or other providers of free Web-based email services might be intercepted by foreign adversaries in the intelligence arena, or unscrupulous competitors in the business realm.

[ It's time to strengthen your Google security plan. See 9 Google Apps Security Secrets For Business. ]

Here are five related facts:

1. FBI Involvement In Cyber-Stalking Rare

The FBI's investigation has led to civil liberties groups questioning whether the bureau overstepped the mark when investigating what turned out to be an extramarital affair. But the FBI doesn't regularly investigate the types of behavior that led to it discovering Petraeus' affair. "I'm not aware of any case when the FBI has gotten involved in a case of online harassment," said Justin Patchin, an associate professor of criminal justice at the University of Wisconsin-Eau Claire, reported Wired. "The FBI definitely wouldn't get involved in your Joe Schmoe love triangle."

Furthermore, after the Petraeus matter came to light, multiple lawmakers said that he shouldn't have resigned. Notably, CIA regulations don't prohibit affairs, although employees are supposed to tell the agency about any affairs to help avoid the potential for being blackmailed.

2. Investigation Threshold: National Secrets

So, what might have driven the FBI to investigate the emails sent to Kelley? That's not clear, but FBI officials are set to brief House and Senate intelligence committee members Tuesday, which may lead to further details coming to light. But one likely explanation is that the FBI may have quickly found evidence of classified material being inappropriately handled.

Already, Kelley's emails have led to an investigation of Gen. John R. Allen, who commands 68,000 American troops in Afghanistan, and who had been set to assume command of all American forces in Europe, as well as the supreme allied commander of NATO. Under military law, adultery is a crime, but Allen has reportedly denied doing anything wrong. Bureau officials told The New York Times that Kelley and Allen had emailed repeatedly between 2010 and 2011, but provided no more details concerning the investigation.

3. Free Email Services Aren't Secure

How difficult is it to hack into a free webmail account? Earlier this year, an attacker launched a "life hack" of journalist Mat Honan, which was accomplished in part by hacking into Honan's Gmail account. The hacker's motivation was simple: he coveted Honan's three-letter Twitter handle ("mat").

Now imagine the implications for a foreign intelligence agency that discovered that the head of the CIA had a personal email account. In fact, that may have been the principal concern that continued to propel the FBI's investigation forward, given the ease with which personal email accounts can be hacked. Earlier this year, for example, a hacker with ties to Anonymous hacked -- and published an audio transcript of -- an FBI conference call discussing investigations into the Anonymous and LulzSec hacktivist groups. The attacker, who law enforcement officials identified as Donncha O'Cearrbhail, boasted that he'd gained access to the conference call after hacking into the Gmail account of Ireland's top cybercrime investigator.

4. Anonymous Webmail Accounts Can Be Traced

Still, how did the FBI identify that Broadwell's computer had been used to send the harassing emails? According to The New York Times, FBI agents spent weeks matching up metadata from the emails -- most likely the IP addresses that were used to send the emails, which some webmail providers include with their sent emails -- and then reconciling the locations from which the emails had been sent with Paula Broadwell's known locations. From there, investigators were able to obtain a probable-cause warrant, which they used to actively monitor Broadwell's email accounts.

Ultimately, investigators found that Broadwell and Petraeus had set up private accounts, using Gmail, through which they communicated. Because Petraeus used a pseudonym, it took investigators some time to identify him as the owner of the other account, but they were able to successfully do so.

5. Don't Use Draft Emails To Evade Detection

Don't trust draft emails to help you evade detection. Law enforcement officials told AP that Petraeus and Broadwell exchanged some messages by leaving them as drafts in Gmail to avoid leaving a communications trail. Once investigators gained access to Broadwell's email account, however, they apparently uncovered the ruse.

This isn't the first time people have attempted to communicate covertly via draft webmail emails. Last month, during a hearing involving Canadian Sub-Lt. Jeffrey Delisle in Halifax, Nova Scotia, who was accused of being a Russian spy, prosecutors told the court that Delisle had access to a secure computer and would save information to a floppy disk. He'd then transfer the information to a removable USB memory stick, take the information home and copy it into a draft email, using a webmail account provided by the Russians. The Russians would then access and read the draft emails, reported Canada's CBC News. Delisle, a naval officer, last month pled guilty to spying for Russia between 2007 and 2011.

Privacy researcher Christopher Soghoian noted that in 2001, shoe bomber Richard Reid attempted to use the same "draft email 'trick' used by Petraeus" to disguise his communications, too. According to court documents, Reid left copies of three emails--one of which outlined to his mother what he planned to do aboard Flight 63 -- in his Yahoo draft email folder. "Didn't work back then. Doesn't work now," said Soghoian via Twitter.

Apparently, some security lessons have yet to be learned--even by the newly retired director of the CIA.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Xira
50%
50%
Xira,
User Rank: Apprentice
11/13/2012 | 9:32:15 PM
re: Petraeus Fallout: 5 Gmail Security Facts
They watch everything you do.

Every email is read, every phone call is listened to. Maybe not by a human, but computers are better at it anyway. They don't get tired. They don't miss anything. They have no mercy for minor so-called 'crimes'.

If you don't want it screamed in a police station or social studies class, don't type it in.
Boons
50%
50%
Boons,
User Rank: Apprentice
11/14/2012 | 12:51:22 AM
re: Petraeus Fallout: 5 Gmail Security Facts
The drafts aspect of this is interesting. This probably is true for Google docs and all other documents stored on the cloud?
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
11/14/2012 | 1:34:24 AM
re: Petraeus Fallout: 5 Gmail Security Facts
We think of these high level, uniformed men in charge of agencies guarding the nation as highly disciplined, intelligent, responsible and invulnerable. Instead it's just the first two or three. When you look at his Gmail use, 'intelligent' also momentarily falls under suspicion. .
ANON1252035144238
50%
50%
ANON1252035144238,
User Rank: Apprentice
11/14/2012 | 7:31:12 AM
re: Petraeus Fallout: 5 Gmail Security Facts
Why did Jill Kelley received those threatening email?

Care to explain/
Mathew
50%
50%
Mathew,
User Rank: Apprentice
11/14/2012 | 11:41:43 AM
re: Petraeus Fallout: 5 Gmail Security Facts
Thanks for the question. On the Jill Kelley front, the FBI said that Broadwell sent them, because she perceived Kelley to be a threat to her relationship with Petraeus.
ANON1243361309294
50%
50%
ANON1243361309294,
User Rank: Apprentice
11/20/2012 | 3:26:31 PM
re: Petraeus Fallout: 5 Gmail Security Facts
was curious about that too, thanks for answering Mathew.
indiffer3nce
50%
50%
indiffer3nce,
User Rank: Apprentice
11/14/2012 | 6:00:15 PM
re: Petraeus Fallout: 5 Gmail Security Facts
any chance you can provide ANY actual empirical data to backup your statement "Free Email Services Aren't Secure"...its quite a nice FUD statement and lacks almost any truth.
PhilAnderer
50%
50%
PhilAnderer,
User Rank: Apprentice
11/14/2012 | 8:50:57 PM
re: Petraeus Fallout: 5 Gmail Security Facts
One would have thought that 2 top ranking military men would have been better at hiding their extra-marital manoeuvres and had the good sense to not cheat so close to home, especially when it is so easy to meet strangers on websites such as Undercover Lovers and Ashley Madison nowadays.
macker490
50%
50%
macker490,
User Rank: Ninja
11/15/2012 | 12:18:55 PM
re: Petraeus Fallout: 5 Gmail Security Facts
learn to use GnuPG/ENIGMAIL or its equivalent Outlook/PGP

short of that just agree to a password -- preferably in a private meeting -- and then use WinZIP: Edit your message any way you like. Then ZIP it using the agreed password and send it as an attachment. Be sure to check the scrub original option. AES128 is sufficient but you can use AES256 if you like.

once you have done this your remaining concerns are: (1) you must be sure of the physical security of you endpoint computers.... and (this is the tough one) (2) you must be sure you do not have any un-authorized programming -- virus -- in your computer. If you do: your computer is an open book. I recommend starting by switching computers handling sensitive information to Linux/Ubuntu. Use a separate user logon for all sensitive activity.

this will not cover up any traffic analysis that may be employed. who you talk to can be discovered.
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
11/15/2012 | 3:45:29 PM
re: Petraeus Fallout: 5 Gmail Security Facts
Seems they would have been better off using disposable cell phones to communicate. Hard to believe our top dog would use Google services... for an affair no less. Sheesh.
ANewNickname
50%
50%
ANewNickname,
User Rank: Apprentice
11/16/2012 | 11:39:34 AM
re: Petraeus Fallout: 5 Gmail Security Facts
Maybe he's an Edgar Allan Poe fan.
FT1
50%
50%
FT1,
User Rank: Apprentice
11/16/2012 | 4:18:46 AM
re: Petraeus Fallout: 5 Gmail Security Facts
The director of the CIA doesn't know about Email encryption like PGP or ofshore VPN and email services like Unspyable. I worry about the jokers running governments these days, top down.
majenkins
50%
50%
majenkins,
User Rank: Apprentice
11/19/2012 | 4:15:41 PM
re: Petraeus Fallout: 5 Gmail Security Facts
"Want to avoid a fall from grace? Then ensure you're not the chief of a spy agency who coordinates your extramarital affairs using a free webmail service."

How about don't have an affair in the first place!!! If you are disciplined enough to remember to hide your activities well then how about being disciplined enough remain faithful to your spouse then there is nothing to hide.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?