Feeds

Did hackers uncover Petraeus' saucy affair webmails before FBI?

Biographer minx previously exposed in Stratfor caper

Securing Web Applications Made Simple and Scalable

FBI agents may not have been the first to rumble the affair between CIA director David Petraeus and his biographer that led to the four-star general's resignation on Friday.

Anyone with a copy of the leaked Stratfor databases, a half-decent PC, some political nous and a barrel of luck could have uncovered the fling months ago, it has emerged.

Paula Broadwell, the former spy chief's mistress and biographer, was a customer of Stratfor, the private intelligence outfit that was attacked by Anonymous hackers last year. Buried in the megabytes of subsequently leaked information was Broadwell's Yahoo! email address and her hashed Stratfor login password.

A security researcher says he spent the weekend recovering her original password from the MD5 hash, or at least a passphrase that will generate an identical hash value, using a brute-force approach and 17 hours of number-crunching on his computer. If the password is indeed the same one she used for Stratfor, and she also used it for her Yahoo! account, then anyone before now could have used the information at hand to compromise her webmail and follow a trail of messages to her illicit liaison with America's spook supremo.

How a top general came to fall on his sword

Petraeus, 60, resigned on Friday after the Feds discovered his dalliance with Broadwell, a married 40-year-old former military officer. An FBI probe was launched months ago when another woman alleged Broadwell had sent her “harassing” emails, the New York Times reports. This is contrary to earlier reports suggesting agents began monitoring on the spy boss's personal Gmail account over concerns it had been compromised by Chinese hackers.

An anonymous "senior US military official" named Jill Kelley, a 37-year-old from Tampa in Florida, as the woman who complained to the FBI; she is an executive on the State Department's liaison to the military's Joint Special Operations Command, and is known to both Petraeus and Broadwell.

It is alleged Broadwell used her paulabroadwell@yahoo.com address to send unpleasant emails to Kelley, possibly perceiving her as a love rival, that included extracts of sexually suggestive messages copied from a Gmail account setup by Petraeus. The emails sent to Kelley warned her to "stay away from" the general, the Wall Street Journal claims. This linked the complaint to Petraeus, a breadcrumb trail picked up by investigators - and potentially anyone else who was able to log into the Yahoo! account.

Cracking her Stratfor password - and potentially unlocking her Yahoo! inbox too

Broadwell's Stratfor password was fairly strong; if it was one character longer, it would have been beyond the grasp of security researcher Robert Graham of Errata Security. He used a cracking utility called oclHashcat and a GPU accelerator to brute force the original password from its MD5 hash value, or at least a phrase that would generate the same value, eventually finding out the password after 17 hours of exhaustive crunching.

It is possible she used the same combination of eight characters elsewhere, perhaps even for her Yahoo! account. This would have given anyone who cracked her password a way to access her webmail, assuming they had decided to target Broadwell months before she hit the headlines.

However, Graham can find no reference to the password after a Google search, suggesting that if a hacker had compromised the password then it wasn't an Anonymous or LulzSec bod, who often like to brag in public and reveal stolen credentials.

Graham said his exercise in cracking Broadwell's password was justified because her account and password had already been blown.

Meanwhile some are beginning to speculate that Google's location tracking of IP addresses of Gmail accounts might have betrayed the identity of the adulterous CIA chief. The Atlantic reports Petraeus used a pseudonym to set up his private Google mail account, but this didn't prevent his identity from being gleaned by investigators monitoring Broadwell's email accounts. It is believed that rather than exchanging emails, the two lovers swapped explicit messages using shared access to the same Gmail account.

Tinker, tailor, shagger, spy

‪Petraeus‬' affair with Broadwell began after the former architect of the US counterinsurgency strategy in Iraq retired from the military and joined the CIA last year, according to a former aide.

‪Petraeus has been married ‬for ‪37 years to Holly Petraeus and the couple have two children, including a son serving in Afghanistan.‬ Justice Department and high-level administration officials, including Attorney General Eric Holder, have reportedly been aware of the investigation into Broadwell since spring but things only came to a head over the last fortnight.

FBI agents interviewed Petraeus, who admitted the fling. A report was submitted to Director of National Intelligence James Clapper last week by the Feds. They noted no crime had been committed‪, ‬but the spy chief‪ nonetheless‬ understood his position was untenable.

In a resignation statement, ‪Petraeus‬ said:

Yesterday afternoon, I went to the White House and asked the President to be allowed, for personal reasons, to resign from my position as D/CIA.  After being married for over 37 years, I showed extremely poor judgment by engaging in an extramarital affair. Such behavior is unacceptable, both as a husband and as the leader of an organization such as ours. This afternoon, the President graciously accepted my resignation.

Lawmakers left in the dark are beginning to raise questions over the Petraeus affair and the timing of his resignation days before an important hearing. ‪Petraeus‬ was due to testify before Congress regarding the Obama administration’s handling of a terrorist attack in Benghazi that led to the death of four Americans, including US ambassador Chris Steven.

"We received no advanced notice. It was like a lightning bolt," said Democratic Senator Dianne Feinstein of California, who heads the Senate Intelligence Committee, AP reports.

Some commentators are upset ‪Petraeus has been obliged to resign‬ for behaviour that in other Western countries may have passed almost without notice. Predictably the whole business has quickly become a butt of jokes.

Patriot hacker ‏th3j35t3r joked: "Give Petraeus a break, having sex w/ ur biographer is unquestionably more exciting than having sex w/ ur autobiographer. Right ‪#assange‬?" ®

The smart choice: opportunity from uncertainty

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.