Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/14/2012
01:19 PM
50%
50%

Petraeus Mission Impossible: Cloaking Email, Online Identities

So-called security experts making basic information security errors isn't a new occurrence. Arguably, it even led to the rise of the Anonymous hacktivist collective.

Is there any way to keep online identities and the content of email communications hidden?

Clearly, covering one's tracks is tough to do, as demonstrated by David Petraeus, the highly decorated general who last year became director of the CIA. Notably, his affair with Paula Broadwell -- hardly a national security matter -- came to light this week after the FBI found that the couple was using a Gmail account to communicate.

Still, for the director of a U.S. intelligence agency to have been caught in this manner is, frankly, a security embarrassment. Rather than using a VPN to mask their IP addresses or encryption to scramble the contents of their messages, or simply avoiding email altogether, Petraeus and Broadwell communicated using saved Gmail drafts. Having gone to the trouble to hide what they were doing, why didn't they find a more secure communications mechanism?

Then again, no amount of hiding their online tracks may have helped foil determined investigators. Even supposedly master hackers have been identified after just one small misstep.

[ Seems it's getting harder to maintain your privacy. See Google Says Government Surveillance Growing. ]

Consider the example of LulzSec leader Sabu -- real name, Hector Xavier Monsegur. He reportedly failed to mask his IP address just once or twice before logging into an IRC chat room, which ultimately allowed the FBI to pinpoint his real IP address and then identity. Meanwhile, Backtrace Security also found, hidden in a LulzSec chat file, a domain name that led to a subdomain that mirrored a page where Monsegur had posted a picture of his beloved Toyota AE86.

Seeing so-called security experts commit basic information security errors isn't a new occurrence. Arguably, it even led to the rise of the Anonymous hacktivist collective. According to journalist Parmy Olson's book We Are Anonymous, the collective had lost steam after its Church of Scientology and PayPal exploits. Then HBGary Federal CEO Aaron Barr launched a PR stunt meant to drum up business, publicly boasting that he would soon unveil the identities of key Anonymous players. That led the key players, including Sabu, to see just what Barr knew -- he turned out to not have identified them at all -- as well as make a lesson of him to any other would-be Anonymous enemies.

As Olson recounts, Sabu scanned the HBGary Federal website and found -- ironically, for an information security firm -- that it was built using a commercial content management system that contained a known vulnerability. Using a SQL injection attack, the hacktivists retrieved a list of HBGary employees' usernames and passwords, although the latter had been hashed using MD5. While that temporarily stymied Sabu -- the group was still sharpening its technical skills -- he uploaded three of the passwords to the hashkiller.com forum. Its members quickly cracked the hashes and shared the plaintext passwords, including Barr's work password, which was "kibafo33."

The hackers then tested whether Barr's password worked for any of his other website accounts. Remarkably, Barr, a self-described information security expert, had reused his work password on numerous sites -- including Facebook, Flickr, Twitter, Yahoo as well as World of Warcraft. On Super Bowl Sunday 2011, Anonymous owned those accounts and began issuing vulgar tweets in Barr's name and providing links to a torrent file containing over 70,000 HBGary emails that it had surreptitiously copied and deleted from the company's servers.

Compared to the HBGary episode, Petraeus' Gmail missteps -- still surprising for the head of an intelligence agency -- appear less galling. In the end, however, his story isn't just about the startling ease with which one's supposedly hidden communications or identity can be uncloaked, our country's poor privacy protections or an investigation that should never have begun. Rather, it's also about human errors.

Namely, Broadwell was jealous of Jill Kelley, a married Tampa socialite who volunteers with wounded veterans and military families, and her friendship with Petraeus, which she saw as a threat. So Broadwell sent threatening emails to Kelley, who passed them to FBI agent Frederick W. Humphries II, which triggered the investigation. Given that Broadwell, who was married, was having an affair with the director of the CIA, shouldn't more discretion have been the order of the day?

With information security--as in life--the biggest wildcard remains the human factor.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
11/16/2012 | 12:21:13 PM
re: Petraeus Mission Impossible: Cloaking Email, Online Identities
the simplest way to secure your e/mail is WinZIP: just compose your message in any manner you like and then zip it with AES128 security. exchange the password in the "dimly lit corner".

attach the .zip and send the message

of course it will still be evident that you are communicating with Alice via Traffic Analysis

truth be known it would be better if everyone used PGP or ENIGMAIL all the time.

using a properly configured proxy would leave your "John Doe" joint e/mail account rather more difficult to trace back. we may see transient proxies start to crop up on VM base servers for this reason. The Proxy Server then would exist only while you used it and you would address it using an ip address -- something like that "10 minute " service I read about someplace.

still there remains the issue regarding tracing the sequence needed to activate the ghost~proxy. an inactive IP address would be used on a temporary basis
Greg MacSweeney
50%
50%
Greg MacSweeney,
User Rank: Apprentice
11/16/2012 | 11:49:56 AM
re: Petraeus Mission Impossible: Cloaking Email, Online Identities
Everyone who uses Gmail knows how open it is, and how Google tracks everything you do (for advertising). Plus, the 'draft' email tactic has been use by others before, and cracked easily by investigators.
pkohler01
50%
50%
pkohler01,
User Rank: Apprentice
11/15/2012 | 9:27:21 PM
re: Petraeus Mission Impossible: Cloaking Email, Online Identities
I haven't been paying much attention to this fiasco but, Mr. Schwartz makes a point that stirs my interest: that the head of the CIA was caught using such a tactic for elicit communications. Gmail e-mail drafts? Really? If this was all about something that was far less serious than an affair, that might actually have been funny. Since it's not, though, it really is somewhat chilling.

The other examples cited here, which all demonstrate the authors point about one misstep unraveling big investments in secrecy, is thought provoking. I fortunately don't recycle login credentials anywhere but, that point alone is one that even that average user should be reminded of frequently.
lgarey@techweb.com
50%
50%
[email protected],
User Rank: Apprentice
11/15/2012 | 5:26:27 PM
re: Petraeus Mission Impossible: Cloaking Email, Online Identities
That's the big lesson, right - if you're the director of the CIA and can't keep email private, then clearly, no email can be considered private. If even a small portion of the general public finally learns that lesson, maybe some good will come out of this fiasco.
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
CVE-2021-3151
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...
CVE-2021-3197
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.