McAfee, AV King Turned Fugitive, Surfaces In Guatemala

Mathew J. Schwartz, InformationWeek | December 04, 2012 11:40 AM


Fugitive John McAfee -- information security expert, founder of the McAfee antivirus firm, and prime suspect in a murder investigation in Belize -- was apparently outsmarted by a smartphone.

That revelation surfaced after Vice magazine Monday published an online story, titled "We Are With John McAfee Right Now, Suckers," that included a photograph of McAfee with the magazine's editor-in-chief, Rocco Castoro.

But the suckers now appear to be Vice staff and McAfee, after Twitter user "Simple Nomad" Monday tweeted that he'd found EXIF data, including geotagged location coordinates, embedded in the photograph.

"Presumably whoever took the photo on their iPhone 4S had forgotten to turn off location services," said Graham Cluley, senior technology consultant at Sophos, in a blog post, noting that "those co-ordinates suggest that John McAfee was photographed in Guatemala, having crossed the Belize border."

McAfee responded later that day with a blog post to a site that he maintains with friends, saying that he'd faked the EXIF data. "I openly apologize to Vice Magazine for manipulating their recently published photo. I have been ferocioously (sic) put my place by Mr. Rocco for 'interfering' with the objectivity of their reporting. I, for my own safety, manipulated the xif data on the image taken from my cellphone." But McAfee's claimed EXIF data spoof was dismissed by numerous security experts, including Cluley, who labeled it "baloney."

Indeed, Tuesday morning McAfee deleted that blog post and posted an admission that he had fled Belize for Guatemala. "I apologize for all of the misdirections over the past few days. It was not easy to exit Belize and required many supporters in many countries. I am in Guatemala and will be meeting with Guatemalan officials this morning. If all goes well I will do a press conference tomorrow," he said.

"Yesterday was chaotic due to the accidental release of my exact co-ordinates by an unseasoned technician at Vice headquarters," he said. "We made it to safety in spite of this handicap. I had to cancel numerous interviews with the press yesterday because of this and I apologize to all of those affected."

McAfee likewise deleted a post to his site uploaded by one of his public relations handlers, Brian Fitzgerald, which claimed that contact with McAfee had been lost Friday. "Soon after losing contact with Mr. McAfee we received a voicemail from an anonymous caller ID," said Fitzgerald. "In the message the gentleman stated, 'John was picked up crossing the Mexican border.'"

McAfee, who's been dogged by claims of increasingly erratic behavior, has maintained that he's innocent of the charges filed against him in Belize, instead accusing the government of framing him for the murder. Officials in Belize have denied those accusations, with the country's prime minister, Dean Barrow, criticizing the American for seeming "extremely paranoid" and "bonkers," reported ABC News.

Of course, it's ironic that McAfee was nearly "undone by sloppy IT security," said Cluley at Sophos. "The lesson that all of us should learn is to be very careful about what information a photograph might be secretly carrying within it regarding the when and where a picture was taken."

The McAfee location slipup echoes an error allegedly made earlier this year by Galveston, Texas-based Higinio O. Ochoa III, who's accused of hacking into the websites of the West Virginia Chiefs of Police, the Alabama Department of Public Safety, the Texas Department of Safety, and the police department in Mobile, Ala., under the banner of the hacking group CabinCr3w.

According to investigators, one of the Alabama website hackers left a provocative picture on the defaced site. According to court documents, "at the bottom of the website is a picture that shows a female, from the neck down in a bikini top with a sign pinned to her skirt which reads, 'PwNd by wOrmer & CabinCr3w <3 u BiTch's!'" Authorities said that GPS coordinates that had been automatically recorded in the image as EXIF data, when it was taken with an iPhone, led them directly to the house of Ochoa's girlfriend in Australia.
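
A pre-publication check for the slip described above, as an added example that is not part of the original article: it reports whether a JPEG's Exif block carries a GPS directory pointer and returns a copy with the Exif segment removed. The function names and the sample bytes are constructed for illustration; only the standard JPEG/TIFF layout (APP1 marker 0xFFE1, GPS IFD pointer tag 0x8825) is assumed.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def exif_segments(jpeg):
    """Yield (start, end) of each Exif APP1 segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if end < pos + 4 or end > len(jpeg):
            raise ValueError("bad segment length at offset %d" % pos)
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == EXIF_MAGIC:
            yield pos, end
        pos = end

def has_gps(jpeg):
    """True if any Exif segment's IFD0 holds a GPS IFD pointer."""
    for start, end in exif_segments(jpeg):
        tiff = jpeg[start + 10:end]  # TIFF header follows marker, length, magic
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if order is None or len(tiff) < 8:
            continue
        magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
        if magic != 42 or ifd0 + 2 > len(tiff):
            continue
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
        for off in range(ifd0 + 2, min(ifd0 + 2 + 12 * count, len(tiff) - 1), 12):
            if struct.unpack(order + "H", tiff[off:off + 2])[0] == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg):
    """Return a copy of the file with every Exif APP1 segment removed."""
    out, keep_from = bytearray(), 0
    for start, end in exif_segments(jpeg):
        out += jpeg[keep_from:start]
        keep_from = end
    return bytes(out + jpeg[keep_from:])

def sample(order="<"):
    """Constructed input (not a real photo): SOI, Exif APP1 with GPS pointer, SOS, EOI."""
    entry = struct.pack(order + "HHII", GPS_IFD_TAG, 4, 1, 26)
    tiff = ((b"II" if order == "<" else b"MM") + struct.pack(order + "HI", 42, 8)
            + struct.pack(order + "H", 1) + entry + bytes(4) + bytes(6))
    app1 = EXIF_MAGIC + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

Removing the whole Exif segment also drops the capture time and device model, not only the coordinates. Location stored in other containers such as XMP is outside what this check covers.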
