Here's how to secure your email and avoid becoming a 'Petraeus'

Take a look at where Petraeus and Broadwell went wrong so you can better secure your email and protect your privacy online.

It was a shock when David Petraeus--a respected and highly-decorated Army general--abruptly stepped down from his post as the director of the CIA earlier this week. It was even more of a jolt to learn that his resignation was due to an extramarital affair. But, the real story might be the fact that the affair came to light more or less accidentally as a result of poor email and privacy practices.

First, a little background on how things went down. The affair between David Petraeus and his biographer Paula Broadwell seems like something from the Showtime series "Homeland," or perhaps a James Bond plot line, but the events that led to the FBI investigation that uncovered the affair are a bit more "Fatal Attraction."

Broadwell sent anonymous threatening emails to another woman she considered to be competition for Petraeus' affection, and that woman--Jill Kelley--initiated the investigation that eventually unraveled the affair and led to the downfall of one of this generation's greatest American heroes.

I don't want to teach anyone how to cover their illicit tracks better, or how to have a more clandestine affair, but let's take a look at where Petraeus and Broadwell went wrong so you can understand how to cover your tracks better in general, and how to secure your email and protect your privacy online.

Hide your IP address

Broadwell thought she was being clever by sending emails from an anonymous Gmail account originating from different locations as she travelled about. What she failed to do, though, is hide her IP address.

Your IP address is the online equivalent of your fingerprints. In Petraeus's case, the email account he and Broadwell used was anonymous, but the FBI was able to trace the emails back to the source IP addresses--which turned out to be assigned to hotels. FBI agents simply compared the guest lists of the various source hotels to narrow down the potential suspects and determine that Paula Broadwell was coincidentally the only person it could be.

All of the major Web browsers include some sort of private mode, but private mode browsing does not obscure your IP address--it just prevents the browser from saving cached data or your browsing history. To hide your IP address, you need to connect using a VPN of some sort--like Anonymizer Universal. Keep in mind, though, that the VPN provider will still have a record of the true source IP that could be subpoenaed or surrendered upon a government request.

Use different email services

The investigation into the anonymous threatening emails might not have led to General Petraeus or uncovered the affair, but the FBI discovered that someone at the same suspect IP address was also accessing another Gmail account--an account that belonged to the director of the CIA.

General Petraeus and Paula Broadwell didn't actually send emails to each other: They used a trick from the terrorist playbook and simply wrote messages that were saved as drafts in a Gmail account that belonged to Petraeus, and they would each log into the same account to read the drafts and respond.

If you wish to remain anonymous, and avoid having someone connect the dots that lead back to you, you should use different service providers. While it would still be possible with enough digging to determine all of the activity for a given IP address, it would not immediately jump out as a red flag as it did in this case.
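The correlation described in the two sections above, as an added example that is not part of the original article: it links accounts that share source IP addresses and intersects the guest lists of the venues those addresses belong to. All accounts, IP addresses, hotels and guests are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (not from the case): login records as a mail
# provider's access log might yield them. IPs are RFC 5737 documentation ranges.
ACCESS_LOG = [
    ("anon-sender@example.com", "192.0.2.10"),
    ("anon-sender@example.com", "198.51.100.7"),
    ("anon-sender@example.com", "203.0.113.44"),
    ("shared-drafts@example.com", "198.51.100.7"),
    ("shared-drafts@example.com", "203.0.113.44"),
    ("unrelated@example.com", "192.0.2.200"),
]
# Constructed: which venue each IP is assigned to, and who stayed there.
IP_OWNER = {"192.0.2.10": "Hotel A", "198.51.100.7": "Hotel B",
            "203.0.113.44": "Hotel C", "192.0.2.200": "Hotel D"}
GUESTS = {"Hotel A": {"guest-1", "guest-2", "guest-3"},
          "Hotel B": {"guest-2", "guest-4"},
          "Hotel C": {"guest-2", "guest-3", "guest-5"},
          "Hotel D": {"guest-6"}}

def ips_by_account(log):
    """Group the source IPs seen for each account."""
    seen = defaultdict(set)
    for account, ip in log:
        seen[account].add(ip)
    return seen

def linked_accounts(log, account):
    """Other accounts accessed from any IP this account used, with the shared IPs."""
    seen = ips_by_account(log)
    mine = seen[account]
    return {a: ips & mine for a, ips in seen.items() if a != account and ips & mine}

def common_guests(log, account):
    """Intersect the guest lists of every known venue the account was used from."""
    lists = [GUESTS[IP_OWNER[ip]] for ip in ips_by_account(log)[account] if ip in IP_OWNER]
    return set.intersection(*lists) if lists else set()

def via_vpn(log, exit_ip):
    """Same activity as the mail provider sees it when every login uses one VPN exit.
    The VPN provider still holds the real source IPs, as the article notes."""
    return [(account, exit_ip) for account, _ in log]

if __name__ == "__main__":
    print(linked_accounts(ACCESS_LOG, "anon-sender@example.com"))
    print(common_guests(ACCESS_LOG, "anon-sender@example.com"))
    print(common_guests(via_vpn(ACCESS_LOG, "203.0.113.250"), "anon-sender@example.com"))
```

Three locations are enough to reduce the sample guest lists to a single name, and the second account surfaces only because it was opened from two of the same addresses.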

Don't leave your messages online

Petraeus and Broadwell had their reasons for using secret drafts rather than sending emails to each other. Perhaps the two reasoned that the email messages couldn't possibly be intercepted or traced if they were never sent. That is true to an extent, but it means that the messages are stored online--more or less permanently--allowing them to be stumbled upon at a later date.

While it's true that messages might be intercepted in transit, it would be more secure to download the emails to a local email client and remove them from the server. At least then you only need to worry about securing and protecting your own PC, and you don't need to be as concerned about a possible breach or violation of privacy on the email server or webmail provider end.

You may not be a decorated military officer or high-profile government official, and you probably aren't even the biographer of one. But, this sordid affair is a stark illustration of just how easy it can be to trace someone's tracks online, and uncover information that was meant to be secret. Make sure you follow the tips here to avoid falling victim yourself.
