Email lessons from Gen. Petraeus' downfall

It may be easier than you think to trace emails, so be mindful of what you're sending

Email is at the center of the scandal that brought down CIA Director David Petraeus, one of the country's most decorated generals.

The incident, which has shined a spotlight on cyber harassment, online privacy and digital forensics, has left a lot of people wondering: if the head of the country's intelligence community and his girlfriend, a former counterintelligence officer, can't keep their emails private, do most of us even stand a shot?

"The best way to protect yourself is to simply realize that privacy doesn't necessarily exist in the electronic world," said Dan Ring, a spokesman for the security company Sophos. "Simply put, if you don't want it out there in the world, don't put it in the electronic world."

Petraeus, who took over as head of the Central Intelligence Agency (CIA) just 14 months ago, announced his resignation last Friday, putting the blame on an extra-marital affair.

The affair, which reportedly was with Petraeus' biographer and Army reservist Paula Broadwell, came to light at the hands of an FBI investigation that had originally focused on a potential cybercrime.

This past summer, Jill Kelley, a fundraiser for the U.S. military, is reported to have told a friend in the FBI that she'd received five to 10 anonymous harassing emails. The FBI began to investigate.

What they found was a trail of emails between two people -- Petraeus and Broadwell -- who were trying to hide an affair.

Using a pseudonym, Petraeus had reportedly set up various email accounts, including Gmail accounts, that he used to send Broadwell messages. One email account was actually a shared account, created so they could leave each other draft messages.

The idea was that unsent emails left in a draft folder, which is known as an electronic drop box, wouldn't leave a trail and would then be more difficult for anyone to find or trace.

The FBI tracked all of this down when they began investigating the harassing emails being sent to Kelley.

Using metadata footprints left by the emails to determine where the emails had been sent from, investigators traced the emails to an account that Broadwell shared with her husband, the Wall Street Journal reported. They used that information to get a warrant to monitor her email accounts.

Then the rest began to fall into place.

"If you're just a normal person sending email, then it's pretty easy to trace," said Keith Jones, a computer forensic investigator and co-owner of Jones Dykstra & Associates. "Every server [an email] hits going to its destination puts a little identifying line in there... It's like a chain of custody, showing who had the email when."

Simply put, emails generally lay out the tracking information - where they originated and what servers they touched along the way.
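To make that "chain of custody" concrete, here is an added example (not part of the original article) that reads the `Received` lines of a message and lists the hops in the order the mail travelled. The message, host names and IP addresses are constructed, and the `from ... ([ip]) by ...` layout is an assumption: real servers format these lines in several ways, and any line below the first server you trust was supplied by the sender's side and can be forged.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; hosts and IPs are reserved documentation values.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.25])
\tby mailstore.recipient.example with ESMTP id C3;
\tMon, 12 Nov 2012 09:15:07 -0500
Received: from smtp.provider.example (smtp.provider.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id B2;
\tMon, 12 Nov 2012 09:15:05 -0500
Received: from laptop.local (hotel-wifi.example [192.0.2.44])
\tby smtp.provider.example with ESMTPSA id A1;
\tMon, 12 Nov 2012 09:15:02 -0500
From: sender@provider.example
To: someone@recipient.example
Subject: constructed sample

body
"""

# Assumed layout: "from <helo> (<rdns> [<ip>]) by <server> ...; <date>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)")

def trace_hops(raw):
    """Return the Received hops oldest-first as dicts."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its line, so the bottom header is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # undo header folding
        info, _, stamp = flat.rpartition(";")   # date follows the last ';'
        match = HOP_RE.search(info)
        if not match:
            continue                            # layout we do not recognise
        hop = match.groupdict()
        try:
            hop["time"] = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue                            # unparsable timestamp
        hops.append(hop)
    return hops

def timestamps_in_order(hops):
    """A chain whose times run backwards deserves a closer look."""
    times = [h["time"] for h in hops]
    return all(a <= b for a, b in zip(times, times[1:]))
```

The first hop's bracketed IP is the address the submitting machine connected from, which is the kind of location metadata the article describes investigators using.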

However, Jones also said with some work it is possible to hide that trail when sending emails.

"It's very easy to not be traced," said Jones, who noted that he's able to use email in about half the digital investigations they do. "If you take a little bit of effort, you can make it look like it came from someplace else... You can fake the originating address by using an anonymizer."

An anonymizer -- also known as an anonymous proxy -- is a tool specifically designed to make online activity, like emails, untraceable. With email, it hides the sender's identifying information by accessing the Internet on the sender's behalf.

Jones explained that it's akin to someone handing him an envelope to deliver. Jones makes the delivery instead of the other person and he puts his own information in the return address space on the envelope.

The issue is that most people, whether they're sending emails about corporate marketing plans, threats or messages to mistresses, don't bother to use an anonymizer. They simply think that no one, other than the intended recipient, will ever see the messages that they're sending.

"Most individuals and businesses don't think twice about sending private or confidential information over email," said Patrick Moorhead, an analyst with Moor Insights & Strategy. "All it takes is one person knowing your PC, phone, or email password and your email could be read by another person."

And when it comes to company email systems, people should think twice when assuming that no one is paying attention.

"For work email, assume someone is reading your email as someone or something probably is," said Moorhead. "Most companies have filters that read every email, looking for offending words and images that don't comply with corporate standards."

Jones also noted that most people sending illicit emails are going to be fairly easy to trace.

"You know, they could be texting too," he added. "If I were to cheat, I would be texting instead of emailing. Text message retention policies are usually very short -- just a couple of days with the provider.

"If you're cheating or threatening someone, email isn't the smartest tool to use unless you really know what you're doing," said Jones.

Sharon Gaudin covers the Internet and Web 2.0, emerging technologies, and desktop and laptop chips for Computerworld. Follow Sharon on Twitter at @sgaudin, on Google+ or subscribe to Sharon's RSS feed. Her email address is
