Risk
11/13/2012
11:51 AM
50%
50%

Petraeus Fallout: 5 Gmail Security Facts

Where did the former CIA director and the woman with whom he was having an affair go wrong? Learn from his experience with Gmail.

Want to avoid a fall from grace? Then ensure you're not the chief of a spy agency who coordinates your extramarital affairs using a free webmail service. That's one information security takeaway from the ongoing probe into the former director of the CIA, David Petraeus, who resigned after 14 months on the job.

Petraeus' fall from grace stemmed from an FBI investigation, which began after anonymous, threatening emails were sent to Jill Kelley, a friend of Petraeus. According to the The Wall Street Journal, Kelley -- who serves as a volunteer with wounded veterans and military families -- complained about the emails to an FBI agent who'd pursued a friendship with her. The agent passed case details to the bureau's cyber investigators, who ultimately found that the emails had been sent by someone who also had access to a Gmail account used by Petraeus. The resulting national security investigation ultimately revealed that the emails had been sent by Petraeus' biographer Paula Broadwell, and that the CIA director was having an affair with Broadwell.

Petraeus acknowledged the affair in a resignation letter sent to all CIA employees. "After being married for over 37 years, I showed extremely poor judgment by engaging in an extramarital affair," he said. "Such behavior is unacceptable, both as a husband and as the leader of an organization such as ours."

Morals aside, the Petraeus case raises multiple security-related questions, such as the ease with which emails from Gmail, Yahoo or other providers of free Web-based email services might be intercepted by foreign adversaries in the intelligence arena, or unscrupulous competitors in the business realm.

[ It's time to strengthen your Google security plan. See 9 Google Apps Security Secrets For Business. ]

Here are five related facts:

1. FBI Involvement In Cyber-Stalking Rare

The FBI's investigation has led to civil liberties groups questioning whether the bureau overstepped the mark when investigating what turned out to be an extramarital affair. But the FBI doesn't regularly investigate the types of behavior that led to it discovering Petraeus' affair. "I'm not aware of any case when the FBI has gotten involved in a case of online harassment," said Justin Patchin, an associate professor of criminal justice at the University of Wisconsin-Eau Claire, reported Wired. "The FBI definitely wouldn't get involved in your Joe Schmoe love triangle."

Furthermore, after the Petraeus matter came to light, multiple lawmakers said that he shouldn't have resigned. Notably, CIA regulations don't prohibit affairs, although employees are supposed to tell the agency about any affairs to help avoid the potential for being blackmailed.

2. Investigation Threshold: National Secrets

So, what might have driven the FBI to investigate the emails sent to Kelley? That's not clear, but FBI officials are set to brief House and Senate intelligence committee members Tuesday, which may lead to further details coming to light. But one likely explanation is that the FBI may have quickly found evidence of classified material being inappropriately handled.

Already, Kelley's emails have led to an investigation of Gen. John R. Allen, who commands 68,000 American troops in Afghanistan, and who had been set to assume command of all American forces in Europe, as well as the supreme allied commander of NATO. Under military law, adultery is a crime, but Allen has reportedly denied doing anything wrong. Bureau officials told The New York Times that Kelley and Allen had emailed repeatedly between 2010 and 2011, but provided no more details concerning the investigation.

3. Free Email Services Aren't Secure

How difficult is it to hack into a free webmail account? Earlier this year, an attacker launched a "life hack" of journalist Mat Honan, which was accomplished in part by hacking into Honan's Gmail account. The hacker's motivation was simple: he coveted Honan's three-letter Twitter handle ("mat").

Now imagine the implications for a foreign intelligence agency that discovered that the head of the CIA had a personal email account. In fact, that may have been the principal concern that continued to propel the FBI's investigation forward, given the ease with which personal email accounts can be hacked. Earlier this year, for example, a hacker with ties to Anonymous hacked -- and published an audio transcript of -- an FBI conference call discussing investigations into the Anonymous and LulzSec hacktivist groups. The attacker, who law enforcement officials identified as Donncha O'Cearrbhail, boasted that he'd gained access to the conference call after hacking into the Gmail account of Ireland's top cybercrime investigator.

4. Anonymous Webmail Accounts Can Be Traced

Still, how did the FBI identify that Broadwell's computer had been used to send the harassing emails? According to The New York Times, FBI agents spent weeks matching up metadata from the emails -- most likely the IP addresses that were used to send the emails, which some webmail providers include with their sent emails -- and then reconciling the locations from which the emails had been sent with Paula Broadwell's known locations. From there, investigators were able to obtain a probable-cause warrant, which they used to actively monitor Broadwell's email accounts.

Ultimately, investigators found that Broadwell and Petraeus had set up private accounts, using Gmail, through which they communicated. Because Petraeus used a pseudonym, it took investigators some time to identify him as the owner of the other account, but they were able to successfully do so.

5. Don't Use Draft Emails To Evade Detection

Don't trust draft emails to help you evade detection. Law enforcement officials told AP that Petraeus and Broadwell exchanged some messages by leaving them as drafts in Gmail to avoid leaving a communications trail. Once investigators gained access to Broadwell's email account, however, they apparently uncovered the ruse.

This isn't the first time people have attempted to communicate covertly via draft webmail emails. Last month, during a hearing involving Canadian Sub-Lt. Jeffrey Delisle in Halifax, Nova Scotia, who was accused of being a Russian spy, prosecutors told the court that Delisle had access to a secure computer and would save information to a floppy disk. He'd then transfer the information to a removable USB memory stick, take the information home and copy it into a draft email, using a webmail account provided by the Russians. The Russians would then access and read the draft emails, reported Canada's CBC News. Delisle, a naval officer, last month pled guilty to spying for Russia between 2007 and 2011.

Privacy researcher Christopher Soghoian noted that in 2001, shoe bomber Richard Reid attempted to use the same "draft email 'trick' used by Petraeus" to disguise his communications, too. According to court documents, Reid left copies of three emails--one of which outlined to his mother what he planned to do aboard Flight 63 -- in his Yahoo draft email folder. "Didn't work back then. Doesn't work now," said Soghoian via Twitter.

Apparently, some security lessons have yet to be learned--even by the newly retired director of the CIA.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
11/14/2012 | 1:34:24 AM
re: Petraeus Fallout: 5 Gmail Security Facts
We think of these high level, uniformed men in charge of agencies guarding the nation as highly disciplined, intelligent, responsible and invulnerable. Instead it's just the first two or three. When you look at his Gmail use, 'intelligent' also momentarily falls under suspicion. .
Boons
50%
50%
Boons,
User Rank: Apprentice
11/14/2012 | 12:51:22 AM
re: Petraeus Fallout: 5 Gmail Security Facts
The drafts aspect of this is interesting. This probably is true for Google docs and all other documents stored on the cloud?
Xira
50%
50%
Xira,
User Rank: Apprentice
11/13/2012 | 9:32:15 PM
re: Petraeus Fallout: 5 Gmail Security Facts
They watch everything you do.

Every email is read, every phone call is listened to. Maybe not by a human, but computers are better at it anyway. They don't get tired. They don't miss anything. They have no mercy for minor so-called 'crimes'.

If you don't want it screamed in a police station or social studies class, don't type it in.
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

CVE-2014-6395
Published: 2014-12-19
Heap-based buffer overflow in the dissector_postgresql function in dissectors/ec_postgresql.c in Ettercap before 8.1 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted password length value that is inconsistent with the actual length of the password...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.