Did hackers uncover Petraeus' saucy affair webmails before FBI?

Biographer minx previously exposed in Stratfor caper

FBI agents may not have been the first to rumble the affair between CIA director David Petraeus and his biographer that led to the four-star general's resignation on Friday.

Anyone with a copy of the leaked Stratfor databases, a half-decent PC, some political nous and a barrel of luck could have uncovered the fling months ago, it has emerged.

Paula Broadwell, the former spy chief's mistress and biographer, was a customer of Stratfor, the private intelligence outfit that was attacked by Anonymous hackers last year. Buried in the megabytes of subsequently leaked information was Broadwell's Yahoo! email address and her hashed Stratfor login password.

A security researcher says he spent the weekend recovering her original password from the MD5 hash, or at least a passphrase that will generate an identical hash value, using a brute-force approach and 17 hours of number-crunching on his computer. If the password is indeed the same one she used for Stratfor, and she also used it for her Yahoo! account, then anyone before now could have used the information at hand to compromise her webmail and follow a trail of messages to her illicit liaison with America's spook supremo.

How a top general came to fall on his sword

Petraeus, 60, resigned on Friday after the Feds discovered his dalliance with Broadwell, a married 40-year-old former military officer. An FBI probe was launched months ago when another woman alleged Broadwell had sent her “harassing” emails, the New York Times reports. This is contrary to earlier reports suggesting agents began monitoring the spy boss's personal Gmail account over concerns it had been compromised by Chinese hackers.

An anonymous "senior US military official" named Jill Kelley, a 37-year-old from Tampa in Florida, as the woman who complained to the FBI; she is an executive on the State Department's liaison to the military's Joint Special Operations Command, and is known to both Petraeus and Broadwell.

It is alleged Broadwell used her paulabroadwell@yahoo.com address to send unpleasant emails to Kelley, possibly perceiving her as a love rival, that included extracts of sexually suggestive messages copied from a Gmail account set up by Petraeus. The emails sent to Kelley warned her to "stay away from" the general, the Wall Street Journal claims. This linked the complaint to Petraeus, a breadcrumb trail picked up by investigators - and potentially anyone else who was able to log into the Yahoo! account.

Cracking her Stratfor password - and potentially unlocking her Yahoo! inbox too

Broadwell's Stratfor password was fairly strong; if it was one character longer, it would have been beyond the grasp of security researcher Robert Graham of Errata Security. He used a cracking utility called oclHashcat and a GPU accelerator to brute force the original password from its MD5 hash value, or at least a phrase that would generate the same value, eventually finding out the password after 17 hours of exhaustive crunching.

It is possible she used the same combination of eight characters elsewhere, perhaps even for her Yahoo! account. This would have given anyone who cracked her password a way to access her webmail, assuming they had decided to target Broadwell months before she hit the headlines.

However, Graham can find no reference to the password after a Google search, suggesting that if a hacker had compromised the password then it wasn't an Anonymous or LulzSec bod, who often like to brag in public and reveal stolen credentials.

Graham said his exercise in cracking Broadwell's password was justified because her account and password had already been blown.

Meanwhile some are beginning to speculate that Google's location tracking of IP addresses of Gmail accounts might have betrayed the identity of the adulterous CIA chief. The Atlantic reports Petraeus used a pseudonym to set up his private Google mail account, but this didn't prevent his identity from being gleaned by investigators monitoring Broadwell's email accounts. It is believed that rather than exchanging emails, the two lovers swapped explicit messages using shared access to the same Gmail account.

Tinker, tailor, shagger, spy

Petraeus' affair with Broadwell began after the former architect of the US counterinsurgency strategy in Iraq retired from the military and joined the CIA last year, according to a former aide.

Petraeus has been married for 37 years to Holly Petraeus and the couple have two children, including a son serving in Afghanistan. Justice Department and high-level administration officials, including Attorney General Eric Holder, have reportedly been aware of the investigation into Broadwell since spring but things only came to a head over the last fortnight.

FBI agents interviewed Petraeus, who admitted the fling. A report was submitted to Director of National Intelligence James Clapper last week by the Feds. They noted no crime had been committed, but the spy chief nonetheless understood his position was untenable.

In a resignation statement, Petraeus said:

Yesterday afternoon, I went to the White House and asked the President to be allowed, for personal reasons, to resign from my position as D/CIA.  After being married for over 37 years, I showed extremely poor judgment by engaging in an extramarital affair. Such behavior is unacceptable, both as a husband and as the leader of an organization such as ours. This afternoon, the President graciously accepted my resignation.

Lawmakers left in the dark are beginning to raise questions over the Petraeus affair and the timing of his resignation days before an important hearing. Petraeus was due to testify before Congress regarding the Obama administration’s handling of a terrorist attack in Benghazi that led to the death of four Americans, including US ambassador Chris Stevens.

"We received no advanced notice. It was like a lightning bolt," said Democratic Senator Dianne Feinstein of California, who heads the Senate Intelligence Committee, AP reports.

Some commentators are upset Petraeus has been obliged to resign for behaviour that in other Western countries may have passed almost without notice. Predictably the whole business has quickly become a butt of jokes.

Patriot hacker th3j35t3r joked: "Give Petraeus a break, having sex w/ ur biographer is unquestionably more exciting than having sex w/ ur autobiographer. Right #assange?" ®
