Why David Petraeus’s Gmail Account is a National Security Issue

It may not be the bad judgement of having sex off post that matters most, but what that sex leads to, including use of the General’s e-mail account.

From Max Fisher at Washington Post:

The beginning of the end came for CIA Director David Petraeus when Paula Broadwell, a younger married woman with whom he was having an affair, “or someone close to her had sought access to his email,” according to the Wall Street Journal’s description of an FBI probe. Associates of Petraeus had received “anonymous harassing emails” that were then traced to Broadwell, ABC’s Martha Raddatz reported, suggesting she may have found their names or addresses in his e-mail.

The e-mail account was apparently Petraeus’s personal Gmail, not his official CIA e-mail, according to the Wall Street Journal. That’s a big deal: Some of the most powerful foreign spy agencies in the world would love to have an opening, however small, into the personal e-mail account of the man who runs the United States’ spy service. The information could have proved of enormous value to foreign hackers, who already maintain a near-constant effort to access sensitive U.S. data.

It was only in mid-August that Mat Honan at Wired magazine wrote how his life had been turned upside down by just what the investigators feared about Petraeus: one slip-up in one account can quickly daisy-chain into multiple accounts. [Posted and my comments, here.]

*

As to the sex: birds do it, bees do it… I personally wish that such dalliances were less combustible in the sex-soaked minds of the public. It will be interesting to watch, however, as Petraeus is pilloried for bad judgement and rampaging hormones while the partner, a married mother of two, will not have similar adjectives attached.

You and Your Virtual Life

This is a partial news posting and a partial do-something! posting, offered to you from beneath my computing hat.

As with cars and highways, the Internet is now big enough that it is generating the need for rules, right-of-way procedures, stop signs, stop lights, merge lanes, all things that impede our older free-and-easy use. Before long we’ll see mandatory collision insurance and knowledge-based licensing.

Actually, what we’ll see, faster than we imagine, is the wide-scale adoption of biometrics for security purposes. Everybody knows that the current password system, even with cumbersome two-step verification, described below, isn’t working. Meanwhile, however, if you use on-line services, for anything, you had better set aside time to learn the current rules of the road.

First, read Mat Honan’s very scary personal report on how he was hacked and his life turned upside down. It’s been available for a week on-line, and you may have read it. If all you’ve done is skim, make this your evening read — before sitting down to dinner.

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.

Those security lapses are my fault, and I deeply, deeply regret them.

But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices. [this is just the start…keep reading...]
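As an added illustration (not part of the original post or of Honan’s article) of the daisy chain he describes, here is a small Python model of account-recovery dependencies: an edge from one account to another means that holding the first, or a fact it exposes, satisfies the second’s identity check. The account names and link descriptions are constructed from the excerpt, and the `protected` set assumes a second factor is available for that account.

```python
from collections import deque

# Constructed model of the chain in the Honan excerpt above. An edge
# A -> B means "holding A (or a fact A exposes) lets someone pass B's
# identity check"; the value records what the link relies on.
RECOVERY_LINKS = {
    "amazon": {"apple_id": "last four card digits shown in the Amazon account"},
    "apple_id": {"gmail": "iCloud mailbox receives Gmail's recovery mail"},
    "gmail": {"twitter": "Twitter password reset goes to the Gmail address"},
    "twitter": {},
}


def blast_radius(graph, start, protected=frozenset()):
    """Accounts that fall once `start` is compromised.

    `protected` names accounts guarded by a second factor that a reset
    e-mail or a leaked data item cannot satisfy; the chain stops there.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        acct = queue.popleft()
        for nxt in graph.get(acct, {}):
            if nxt not in seen and nxt not in protected:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def best_single_mitigation(graph, start):
    """The one account which, given a second factor, shrinks the fallout most.

    Returns None when nothing downstream is exposed. Ties are broken
    alphabetically so the answer is deterministic.
    """
    candidates = blast_radius(graph, start)
    if not candidates:
        return None
    return min(candidates,
               key=lambda a: (len(blast_radius(graph, start, {a})), a))


if __name__ == "__main__":
    print("from amazon, no second factors:",
          sorted(blast_radius(RECOVERY_LINKS, "amazon")))
    print("with two-factor on gmail:",
          sorted(blast_radius(RECOVERY_LINKS, "amazon", {"gmail"})))
    print("best single place for a second factor:",
          best_single_mitigation(RECOVERY_LINKS, "amazon"))
```

Run against this chain it shows Honan’s point that a second factor on Gmail would have stopped the Twitter takeover, and also that the earlier the factor sits in the chain, the less falls.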

Christina Warren at Mashable Tech follows the article with several things you should be doing, including, of course, BACKING UP.

PASSWORDS. Of course they both tell you not to use the same password for similar things, like your Amazon account and Gmail. Of course, this is the problem in a nutshell. We all already have too many passwords to keep track of, and so we simplify things by picking one or two. Not a good idea.

I have lately been using LastPass, an on-line, encrypted, password-protected account that holds all my passwords, in the context of the websites I go to, and which, if it is launched, will log in for me. Because I don’t have to remember the passwords, they can be as complicated as security demands and I can use wildly different ones for each site. In fact you can use the auto-generated passwords you’ve been avoiding.

I’ve been using it for two weeks and am generally satisfied. However, there are a few things to know.

When you first set it up, you will be asked if LastPass can scan your computer, integrate the data it finds, and remove it from your computer. I allowed this to happen. It turns out it picks up passwords that were duplicates, bad, or no longer in use. In some cases LastPass will try to log in to, say, Amazon, with a password I’ve since changed. I’ve spent a week, in short bursts, going through the LastPass record of sites and passwords, eliminating those no longer needed or which are duplicates, and renaming some so I recognize them; instead of g-mail (1) and g-mail (2) I have g-mail (Will) and g-mail (Blog). LastPass doesn’t do a good job of recognizing that you may be entering a password for a site already registered and asking if you want to change it. Instead, it will register the new, mis-typed password, which you will then have to clean up.

Second, LastPass will do no good if you log in and stay logged in for weeks. Hackers love that! I’ve set mine to log itself out after an hour or two. I log in when I start to work in the morning.

Thirdly, make this password super strong, and remember it! You can give yourself a hint in case of loss, but don’t make it so obvious that a hacker could guess it.

Fourthly, some sites are accessed from different devices, say, your iTunes account from a computer, an iPad and an Android phone. LastPass has apps for such devices; however, they are limited to “Premium” customers (i.e., those who pay). I haven’t tested it yet. As an alternative you can log into your LastPass account, show yourself the password for a particular site, and then manually type it on the iPhone. It’s cumbersome, but until you become a Premium user it would seem to be the way to go.

Lastly, for the year prior to this I’ve kept my 6 pages of passwords in an on-line account with Evernote. That particular note was password protected, so if I needed to re-confirm, say, a bank password, I had to open, with a password, my password list. I’ll keep this current until I am completely satisfied with LastPass. If you are keeping your multiple passwords in some digital document, say, Word, I beg you to password protect it!

The other thing I consistently do is turn off my computer(s) at night, the theory being that if it’s not turned on, a hacker can’t get in. Of course if I inadvertently let a back-door trojan in during working hours, I could still be compromised, so I set my computer to turn itself on an hour before I get to work and do a thorough scan for malware, presenting me with a report when I arrive.

That’s it for now. It’s a net! Don’t fall through the openings…

[Cross posted at All In One Boat]