Petraeus Fallout: 5 Gmail Security Facts
Where did the former CIA director and the woman with whom he was having an affair go wrong? Learn from his experience with Gmail.
Want to avoid a fall from grace? Then ensure you're not the chief of a spy agency who coordinates your extramarital affairs using a free webmail service. That's one information security takeaway from the ongoing probe into the former director of the CIA, David Petraeus, who resigned after 14 months on the job.
Petraeus' fall from grace stemmed from an FBI investigation, which began after anonymous, threatening emails were sent to Jill Kelley, a friend of Petraeus. According to the The Wall Street Journal, Kelley -- who serves as a volunteer with wounded veterans and military families -- complained about the emails to an FBI agent who'd pursued a friendship with her. The agent passed case details to the bureau's cyber investigators, who ultimately found that the emails had been sent by someone who also had access to a Gmail account used by Petraeus. The resulting national security investigation ultimately revealed that the emails had been sent by Petraeus' biographer Paula Broadwell, and that the CIA director was having an affair with Broadwell.
More Security Insights
White PapersMore >>
Petraeus acknowledged the affair in a resignation letter sent to all CIA employees. "After being married for over 37 years, I showed extremely poor judgment by engaging in an extramarital affair," he said. "Such behavior is unacceptable, both as a husband and as the leader of an organization such as ours."
Morals aside, the Petraeus case raises multiple security-related questions, such as the ease with which emails from Gmail, Yahoo or other providers of free Web-based email services might be intercepted by foreign adversaries in the intelligence arena, or unscrupulous competitors in the business realm.
[ It's time to strengthen your Google security plan. See 9 Google Apps Security Secrets For Business. ]
Here are five related facts:
1. FBI Involvement In Cyber-Stalking Rare
The FBI's investigation has led to civil liberties groups questioning whether the bureau overstepped the mark when investigating what turned out to be an extramarital affair. But the FBI doesn't regularly investigate the types of behavior that led to it discovering Petraeus' affair. "I'm not aware of any case when the FBI has gotten involved in a case of online harassment," said Justin Patchin, an associate professor of criminal justice at the University of Wisconsin-Eau Claire, reported Wired. "The FBI definitely wouldn't get involved in your Joe Schmoe love triangle."
Furthermore, after the Petraeus matter came to light, multiple lawmakers said that he shouldn't have resigned. Notably, CIA regulations don't prohibit affairs, although employees are supposed to tell the agency about any affairs to help avoid the potential for being blackmailed.
2. Investigation Threshold: National Secrets
So, what might have driven the FBI to investigate the emails sent to Kelley? That's not clear, but FBI officials are set to brief House and Senate intelligence committee members Tuesday, which may lead to further details coming to light. But one likely explanation is that the FBI may have quickly found evidence of classified material being inappropriately handled.
Already, Kelley's emails have led to an investigation of Gen. John R. Allen, who commands 68,000 American troops in Afghanistan, and who had been set to assume command of all American forces in Europe, as well as the supreme allied commander of NATO. Under military law, adultery is a crime, but Allen has reportedly denied doing anything wrong. Bureau officials told The New York Times that Kelley and Allen had emailed repeatedly between 2010 and 2011, but provided no more details concerning the investigation.
3. Free Email Services Aren't Secure
How difficult is it to hack into a free webmail account? Earlier this year, an attacker launched a "life hack" of journalist Mat Honan, which was accomplished in part by hacking into Honan's Gmail account. The hacker's motivation was simple: he coveted Honan's three-letter Twitter handle ("mat").
Now imagine the implications for a foreign intelligence agency that discovered that the head of the CIA had a personal email account. In fact, that may have been the principal concern that continued to propel the FBI's investigation forward, given the ease with which personal email accounts can be hacked. Earlier this year, for example, a hacker with ties to Anonymous hacked -- and published an audio transcript of -- an FBI conference call discussing investigations into the Anonymous and LulzSec hacktivist groups. The attacker, who law enforcement officials identified as Donncha O'Cearrbhail, boasted that he'd gained access to the conference call after hacking into the Gmail account of Ireland's top cybercrime investigator.
4. Anonymous Webmail Accounts Can Be Traced
Still, how did the FBI identify that Broadwell's computer had been used to send the harassing emails? According to The New York Times, FBI agents spent weeks matching up metadata from the emails -- most likely the IP addresses that were used to send the emails, which some webmail providers include with their sent emails -- and then reconciling the locations from which the emails had been sent with Paula Broadwell's known locations. From there, investigators were able to obtain a probable-cause warrant, which they used to actively monitor Broadwell's email accounts.
Ultimately, investigators found that Broadwell and Petraeus had set up private accounts, using Gmail, through which they communicated. Because Petraeus used a pseudonym, it took investigators some time to identify him as the owner of the other account, but they were able to successfully do so.
5. Don't Use Draft Emails To Evade Detection
Don't trust draft emails to help you evade detection. Law enforcement officials told AP that Petraeus and Broadwell exchanged some messages by leaving them as drafts in Gmail to avoid leaving a communications trail. Once investigators gained access to Broadwell's email account, however, they apparently uncovered the ruse.
This isn't the first time people have attempted to communicate covertly via draft webmail emails. Last month, during a hearing involving Canadian Sub-Lt. Jeffrey Delisle in Halifax, Nova Scotia, who was accused of being a Russian spy, prosecutors told the court that Delisle had access to a secure computer and would save information to a floppy disk. He'd then transfer the information to a removable USB memory stick, take the information home and copy it into a draft email, using a webmail account provided by the Russians. The Russians would then access and read the draft emails, reported Canada's CBC News. Delisle, a naval officer, last month pled guilty to spying for Russia between 2007 and 2011.
Privacy researcher Christopher Soghoian noted that in 2001, shoe bomber Richard Reid attempted to use the same "draft email 'trick' used by Petraeus" to disguise his communications, too. According to court documents, Reid left copies of three emails--one of which outlined to his mother what he planned to do aboard Flight 63 -- in his Yahoo draft email folder. "Didn't work back then. Doesn't work now," said Soghoian via Twitter.
Apparently, some security lessons have yet to be learned--even by the newly retired director of the CIA.
Benchmarking normal activity and then monitoring for users who stray from that norm is an essential strategy for getting ahead of potential data and system breaches. But choosing the right tools is only part of the effort. Without sufficient training, efficient deployment and a good response plan, attackers could gain the upper hand. Download our Fundamentals Of User Activity Monitoring report. (Free registration required.)