Sophos Cloud Optix
It turns out that a surprisingly naïve trust in the supposed anonymity of pseudonymous email accounts has triggered the downfall of the US’s top spy chief.
FBI agents who were investigating what they initially thought was a cyber breach stumbled onto intimate messages on Gmail passed between David Petraeus, who on Friday abruptly resigned from his job as head of the Central Intelligence Agency, and his biographer, Paula Broadwell.
According to the New York Times, the scandal began when a Florida woman, Jill Kelley, received threatening, harassing email from an anonymous person who accused her of flirting with an unidentified man.
Kelley is a volunteer social planner for events at MacDill Air Force Base in Tampa, Florida, also home to the military’s Central Command, where Petraeus served as commander from 2008 to 2010 before stepping into his role as head of the CIA.
Wired reports that the anonymous harassment was contained in between five and 10 emails that began to arrive last May and that reportedly warned Kelley to “back off” and to “stay away” from an unnamed man.
Kelley contacted a friend at the FBI, unsure of whether the threats constituted cybercrime.
Investigators took it up, eventually tracing the anonymous account that sent the threatening emails (it’s not clear whether this was a Gmail or some other type of account) to a home in North Carolina that belongs to Broadwell and her husband.
As Wired points out, it’s unclear exactly how investigators tracked Broadwell down, but given our knowledge of email headers, we can make some guesses.
If the threatening mail came from a Gmail account, the FBI would have had to get the IP address from Google, given that Gmail headers only include the IP address and domains of the servers that pass along the email.
But other webmail providers, such as Yahoo, include the sender’s IP address in their email header metadata.
However they did it, FBI agents spent weeks piecing together the identity of the harassing emails, the Wall Street Journal reports.
To do so, they determined the locations from which the emails were sent, including not only the Broadwell home but also hotels where Ms. Broadwell was staying when some of the emails were sent.
FBI agents and federal prosecutors then used the information as probable cause to seek a warrant to monitor what other email accounts Ms. Broadwell might have used.
They learned that Broadwell and Petraeus had set up a private Gmail account to communicate, exchanging heaps of sexually explicit messages.
Eventually, in late summer, investigators determined the real identity behind Petraeus’s psuedonym.
As it turns out, Petraeus didn’t pass on classified documents during his relations with Broadwell. That had been a national security worry when the story first emerged.
The saga continues as details emerge, but from a security standpoint, there’s a takeaway for all of us who believe that an anonymous email account shields our identities.
If you’d like to see what your own Gmail, Yahoo or other email header is telling the world about you, I found this handy guide for looking at the information of 19 different webmail clients, third-party email applications and third-party webmail clients.
The X-Originating-IP header, which you can find in headers such as Yahoo’s, will tell you the IP address of the computer that sent a given email.
You can then use an IP address locator such as WhatIsMyIPAddress to find out the ISP or webhost to which an email account belongs, plus its geolocation.
That’s handy when tracking spam email, if you want to track down the owner of the originating IP address of spam in order to lodge a complaint.
It’s also handy to do it to yourself, to see how easily people can find information on you, even when you’re tucked away behind a supposedly anonymous email account.
Remember, that invisibility cloak has plenty of holes.
IP address image from Shutterstock.
Naivete from a spy who didn't follow basic tradecraft.
where is this mans professionalism?
Obviously not even the minimum of technical skills since he's in upper management ;>)
I have to agree with Dagwood Bumstead in this. mail accounts are not the best place for privacy and if in doubt don't use them unless you are encrypting your messages in some manor. So think before you supply information to mail accounts that you don't want anyone else to see.. it seems to me that the law is also inadequate in protecting our e-g- and other accounts however my opinion is that the law should protect any data be online or not. something has to change.
If he had he used VPN, he would not have been caught 🙂
I suspect his only intention was to not have the email on company servers from a privacy perspective. I doubt he would have figured there would be any kind of investigation into his personal email accounts, particularly if there is no sensitive "business information involved". I don't use my work email accounts for personal email either.
Though from the article it sounds like they shared the one account (unless I'm mis-reading) which is a bit odd then for Broadwell to email threats from that same account to someone is plain stupid. Maybe I'm missing something and Broadwell used a different account which the FBI used the contents of to work back to who she was corresponding with and found Petraeus.
Broadwell did, in fact, use a separate account from which to email the accounts.
I find it amazing that the director of the CIA would not use freely available and public means to secure his communications like Enigmail email encryption and offshore VPN and email like Unspyable. Where do we find these guys and put them in such positions. Of course being so dumb as to get involved in such a thing in the first place speaks volumes in itself.
Sometime you do not need to install or buy any software for making fake email id. You can make fake email id using free site and after making fake email you can still receive all emails on your real email ID anonymous email address
What about traceability if the emails are sent from an anonymous email account from a public wifi using a cell phone, tablet or laptop?