Petraeus Affair: 7 Privacy Techniques To Avoid Trouble

Published: 22/11/2024   Category: security




A number of off-the-shelf technologies can help keep online communications private -- but beware the limits.



Pop quiz: Who said the following?
"We have to rethink our notions of identity and secrecy. ... Every byte left behind reveals information about location, habits, and, by extrapolation, intent and probable behavior. The number of data points that can be collected is virtually limitless -- presenting, of course, both enormous intelligence opportunities and equally large counterintelligence challenges."
Those words belong to former CIA director David H. Petraeus, and were delivered earlier this year at the In-Q-Tel CEO Summit.
It was a byte left behind, and then some, that ultimately led to Petraeus' resignation from the CIA. Briefly, his mistress and biographer Paula Broadwell sent emails -- allegedly of a threatening nature -- to Jill Kelley, a friend of Petraeus whom she saw as a rival. Tracing back the emails, FBI investigators identified Broadwell, found that she had classified information on her home PC, and also found that she was communicating with a third party using draft Gmail email messages, with both parties separately logging into the site, reading and erasing the previous message, and leaving a new one. Ultimately, the FBI identified Petraeus as the third party in question.
One of the many perplexing questions in this story remains technological: Couldn't the director of the CIA think of a better way to coordinate his liaisons than using a free webmail service? From a bigger-picture standpoint, meanwhile, the scandal raises this security question: Can two people communicate securely online, without a third party being able to intercept their communications, or even see that they're communicating?
Here are seven related facts:
1. Techniques For Swapping Secret Messages Abound.
The techniques for sending secret communications, or indicating a desire to communicate, are endless. There's magic ink. Creating rudimentary codes to transmit communications via seemingly innocuous messages, such as making only the first letter of a sentence count. Taping an X to your window. Using a dead drop to leave a message in a predefined physical location. Leaving coded messages on Craigslist.
2. Burner Phones Make Traceability, Attribution Difficult.
When there's the threat of having your communications traced, every fan of The Wire or Breaking Bad knows about burner cell phones. Buy cell phones using cash, use them to communicate -- by voice or text message -- for a finite period of time, and then replace them with different phones. Anyone trying to follow your trail will have difficulty reconstructing the entire pattern of communication.
3. Numerous Technologies Offer Secure Communications.
Many technologies promise to encrypt digital communications so they can't be intercepted. Use Zip files, encrypted with a passphrase that's been agreed in advance, and swap them via email. Similarly, technologies such as PGP, or the open-source GPG alternative, enable emails to be encrypted, as do a number of other webmail services. Meanwhile, Wickr provides for self-destructing messages, while for secure voice communications, look to Silent Circle from PGP creator Phil Zimmermann for Android and iOS, or Whisper Systems for Android.
Although these services might hide the message, they won't disguise that the sender and receiver have been communicating. For that, the Tor Project's anonymizing networks offer the opportunity to mask the fact that communications are occurring at all.
4. Hide Data In Pictures, Videos.
Another widely used technique for hiding communications involves the practice of steganography. In the digital realm, it means hiding information inside files -- for example, in digital pictures or Sudoku images.
Based on a 2006 Department of Justice criminal complaint filed against eight people who were allegedly working as agents for Russia's foreign intelligence service, known as SVR or Moscow Center, the practice of steganography might be in widespread use by intelligence agencies. "Moscow Center uses steganographic software that is not commercially available. The software package permits the SVR clandestinely to insert encrypted data in images that are located on publicly-available websites without the data being visible," according to the complaint. "The encrypted data can be removed from the image, and then decrypted, using SVR-provided software."
5. Beware VPNs.
When it comes to hiding the fact that two parties are in communication, beware VPNs. Many Anonymous and LulzSec suspects learned the hard way after using VPN services such as HideMyAss.com that VPN providers keep access records, and tend to comply with court orders requiring them to share those records. In other words, VPNs will secure your communications, but don't count on them to cover your tracks.
6. Avoid Free Webmail Services.
It's a bad idea, as Broadwell and Petraeus discovered, to rely on free webmail services to provide secure communications or cover your tracks. "Webmail providers like Google, Yahoo and Microsoft retain login records (typically for more than a year) that reveal the particular IP addresses a consumer has logged in from," said Christopher Soghoian, principal technologist and senior policy analyst for the ACLU Speech, Privacy and Technology Project, in a blog post.
Those records helped the FBI trace the anonymous emails sent from Broadwell to Kelley back to the sender. "Although Ms. Broadwell took steps to disassociate herself from at least one particular email account, by logging into other email accounts from the same computer (and IP address), she created a data trail that agents were able to use to link the accounts," he said.
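The account linking Soghoian describes, as an added example that is not from the original article: given login records of the kind webmail providers retain, it pairs accounts seen on the same IP address close together in time, and requires the overlap on more than one address so that a single shared network does not link strangers. The record layout, accounts, addresses, time window and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records: (account, source IP, timestamp).
# Addresses come from documentation ranges; nothing here is real data.
LOGINS = [
    ("anon.sender@example.com", "203.0.113.7", "2012-05-01T09:02"),
    ("named.user@example.com", "203.0.113.7", "2012-05-01T09:15"),
    ("anon.sender@example.com", "198.51.100.20", "2012-05-03T20:40"),
    ("named.user@example.com", "198.51.100.20", "2012-05-03T21:05"),
    # Same shared address, but weeks later: should not be linked.
    ("unrelated@example.com", "198.51.100.20", "2012-06-20T08:00"),
    ("other@example.com", "192.0.2.55", "2012-05-02T12:00"),
]


def link_accounts(logins, window=timedelta(hours=2), min_hits=2):
    """Return {(acct_a, acct_b): n_ips} for account pairs that logged in
    from the same IP within `window` of each other on >= min_hits IPs."""
    by_ip = defaultdict(list)
    for account, ip, ts in logins:
        by_ip[ip].append((datetime.fromisoformat(ts), account))

    pair_ips = defaultdict(set)
    for ip, events in by_ip.items():
        events.sort()  # chronological, so the inner loop can stop early
        for i, (t1, a1) in enumerate(events):
            for t2, a2 in events[i + 1:]:
                if t2 - t1 > window:
                    break
                if a1 != a2:
                    pair_ips[tuple(sorted((a1, a2)))].add(ip)

    # One shared IP is weak evidence (NAT, public Wi-Fi); require several.
    return {p: len(ips) for p, ips in pair_ips.items() if len(ips) >= min_hits}


if __name__ == "__main__":
    for pair, n in link_accounts(LOGINS).items():
        print(pair, "shared", n, "IPs")
```

Widening the window or lowering `min_hits` pulls in the unrelated account that merely used the same shared address, which is why the time window and the count of distinct addresses matter as much as the IP match itself.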
7. With Eavesdropping, All Bets Are Off.
There's a big caveat with the use of any digital security tool or technique, whether it's PGP, GPG, Tor, or steganography. Namely, if a third party -- your government, a foreign intelligence service, unscrupulous competitors -- sneaks a keylogger or Trojan application onto your PC, they can see every message or voice communication you initiate or receive, full stop.
That was the beauty of the Flame malware, which was allegedly built by the U.S. government for spying purposes, and which wasn't detectable by antivirus software for a significant length of time after it was first deployed. Using world-class crypto, Flame's creators were able to spoof Microsoft Update and automatically install their software on targeted PCs. For a target that's connected to the Internet, is there any way to reliably defend against that?
Likewise, last year's compromise of digital certificate registrar DigiNotar would have allowed attackers to generate fraudulent digital certificates for Facebook, Google, Microsoft, Skype, Twitter, and WordPress, as well as the CIA, MI6, and Mossad intelligence services, and the Tor Project. As a result, the attackers -- who were likely allied with the Iranian government -- could have launched man-in-the-middle attacks that allowed them to eavesdrop on all communications made through those websites or services, for any country-wide network they controlled.
Curious Choices For Spy Chief
With so much secure communications technology on offer, why did Petraeus choose a hidden Gmail account for coordinating his affair? The likely answer is that because Petraeus' extracurricular activities related solely to the marital, not espionage, realm, he thought simple track covering would suffice. Then again, security also involves a tradeoff between protection and usability -- easier to use typically means less secure, and harder to use means more secure -- and Petraeus and Broadwell might have simply opted for a simple communications technique. "It strikes me that the recent downfall of the CIA director speaks less to his tradecraft than the usability of encryption/anonymity tools," said Canadian privacy researcher Christopher Parsons via Twitter.
Beyond the scarcity of reliable communications techniques that are both secure and invisible, what the Petraeus scandal has also highlighted is that when authorities begin investigating your electronic communications, the game can quickly be over, sometimes with nary a warrant or subpoena being required.
Regardless, with the array of techniques available for clandestine communications, one of the strangest aspects to the scandal -- for many -- remains a spy chief's apparent lack of security finesse when it came to cloaking his own identity.