The Real Cyberforensics Used To Snoop On Petraeus (And You)

Anonymous, throwaway Google accounts aren't so anonymous, it turns out. Neither is a James Bond-like "digital dropbox." Here's a look into the forensics the FBI used to discover David Petraeus's affair and how it could be used to investigate any email account, anywhere.

In an increasingly weird and tangled affair, Former CIA director David Petraeus, Marine General John R. Allen, Paula Broadwell, Jill Kelley, an unnamed FBI Agent, and others all used various anonymous accounts and message-masking techniques pioneered by terrorists and teens alike. They thought they were communicating with each other with discretion and secrecy.

But FBI investigators found their way through almost all of it.

That's because they're practiced in the field of cyberforensics--detailed Internet and technology detective techniques used every day all around the world. When it comes to the vast majority of activity by Internet users, it's amazingly easy to trace fake email addresses and anonymous blogs back to their owners. Or, put another way, if the director of the CIA's undercover ops can be cracked, so can yours. Here's how.

Cyberforensics firms regularly show up on retainer or on the payroll of law enforcement, lawyers of all stripes, lobbyists, and even intelligence agencies. Every activity on the Internet leaves identity breadcrumbs in the form of activity logs, cookies, GPS activity from mobile phones, and even logs of camera activity and keyboard use secretly copied from targets' computers. Given enough manpower hours, cyberforensics experts can reconstruct the tiniest minutiae of any phone or computer owner's lives. Law enforcement agencies and intelligence agencies also retain their own in-house cyberforensics experts.

According to the ACLU's Chris Soghoian, Broadwell and Petraeus may have thought leaving unsent messages in draft folders in their anonymous throwaway Gmail account wouldn't leave a digital paper trail. They were wrong.

The FBI gained access to anonymous Gmail accounts traced to Petraeus and Broadwell through a law, more than 25 years old, that gives law enforcement carte blanche to snoop in email accounts. Provisions of 1986's Stored Communications Act (SCA) allow “government entities” to access email records in storage for less than 180 days “if there is reasonable cause to believe a crime has been committed.” For email records that are older than 180 days, a warrant is required. Using the SCA, FBI investigators were able to obtain access to emails Broadwell and Petraeus wrote via Gmail over the past six months. Google routinely discloses government queries into Gmail's archives, and the Electronic Frontier Foundation and others have raised concerns over the SCA, an email bill written back in the halcyon days of Compuserve and GEnie.

Both Petraeus and Broadwell were savvy enough to use Gmail accounts with fake names. But while Petraeus knew his way around email, he wasn't savvy enough for Broadwell and him to take precautions that could have hidden any incriminating emails. Neither used identity-obscuring VPNs and rerouting solutions such as the Tor Project, which could have hindered the FBI from tracing, for instance, Broadwell's fake email account back to her North Carolina home. Apart from Tor, commercially available end-user solutions such as Hotspot Shield and LogMeIn Hamachi obscure the origination points of email messages with varying levels of success. It is important to note that many of those services, especially those that use American servers, may keep IP address logs that are accessible to investigators or hackers.

Darren R. Hayes, the head of Pace University's Computer Information Systems program and a computer forensics expert, tells Fast Company that there are numerous ways for anonymous email accounts to escape detection, or to at least make the process much harder. Commercial services such as GuerillaMail and Mailinator offer disposable, throwaway email addresses whose data can be held on foreign servers outside the reach of the American government; VPNs also make tracing emails much harder.

If Petraeus or Broadwell used an email client like Outlook to send messages from their fake Gmail accounts, that likely did them in.

Spy techniques used by Petraeus and Broadwell to hide their missives did not work. According to the ACLU's Chris Soghoian, Broadwell and Petraeus may have thought leaving unsent messages in draft folders in their anonymous throwaway Gmail account wouldn't leave a digital paper trail. They were wrong. The James Bond-style technique, leaving draft messages in a "digital dropbox," didn't stop Gmail from retaining identifying metadata--data appended to files or messages or other forms of information.

Metadata varies for email depending on the service on which it originates. For instance, Yahoo Mail metadata differs from Gmail, which differs from Outlook servers. Metadata also varies depending on the client software users send their messages from; using metadata, a cyberforensics specialist can find out whether a message sent from a Gmail address was written in Gmail.com, Apple's mail client on the iPad or Mac, or from a user's Outlook client. In some cases, these services add identifying information that could lead investigators to the sender's real name and physical location.

If Petraeus or Broadwell used an email client like Outlook to send messages from their fake Gmail accounts, that likely did them in. According to Digital Trends' Andrew Couts, messages sent from Gmail.com strip identifying IP address metadata, while Gmail messages sent via Outlook, Thunderbird, or Apple's Mail clients all append IP addresses to an email message's metadata. Using an IP address, it is easy to extrapolate the physical location from which an email was sent. Gmail.com, while not including an IP address, attaches routing information that indicates a message's journey through the digital ether and can provide important clues to the original sending location. Similar metadata is appended to image files posted on Facebook, Twitter, Picasa, Flickr, and other popular image-sharing sites, making the lives of cyberforensics specialists incredibly easy when investigating cases. Smartphones routinely attach the GPS coordinates where a photograph was taken and even standard digital photographs include identifying information about the make and model of the camera, Hayes said.

Once FBI investigators traced Broadwell's throwaway email account to her North Carolina home and physical locations that matched her travel schedule, the agency gained access to her primary email accounts. As of press time, it appears they used information obtained there to confirm her and Petraeus were conducting an extramarital affair. The spy chief's involvement in a relationship outside of his marriage, according to press reports, was considered a blackmail risk.

Smartphones routinely attach the GPS coordinates where a photograph was taken.

The FBI, NSA, local police departments, and other government entities can all access email account records and histories via sending requests to Google, AOL, and others. These accounts customarily request all information associated with an IP address--meaning that all the email addresses from a household, whether involved in an investigation or not, are culled by law enforcement.

Cyberforensics, though not regularly discussed in the press, are a booming industry. “These days, virtually all cases involve digital evidence. Whether the case is counterterrorism, kidnapping, drugs, or a white collar crime, digital evidence is key,” AccessData's Erika Lee tells Fast Company. AccessData, which sells computer forensics software to investigators parsing electronic records and corporations tracing the perpetrators of hacking attacks, is part of a field that does everything from parse the physical locations Facebook status updates were posted from to uncovering the Chinese cybercafes where multimillion dollar attacks on banks were launched from.

In the end, it's important to remember that--as The Week's Marc Ambinder put it--this whole story began “based on the complaints of one person in Tampa who knew a bunch of generals.” Based on those complaints, the FBI was able to gain easy access to multiple email addresses, including that of the head of the CIA, without a warrant. Meanwhile, investigators outside the government such as hackers and criminals can always break into anonymous email accounts and trace them back to their owners fairly easily. The important cybersecurity takeaway from L'Affaire Petraeus? For those anonymous emails you absolutely don't want traced back to you, send them via Gmail.com. And use Tor.

Or, you know, don't cheat.

For more stories like this, follow @fastcompany on Twitter. Find Neal Ungerleider, the author of this article, on Twitter.

Source : fastcompany[dot]com

Weekend Reading: In Social Business - Context is Everything

The Jain legend of the blind men and the elephant came up at this week's Dachis Social Business Summit during David Gray's presentation. 

The story goes a little like this: six blind men are led up to an elephant, each left in front of a different part. One man feels the tail and says, "It's a rope." Another feels the ear and says, "It's a fan."  You get the idea. The story is usually told to show the value of collective intelligence, but I think it works for many of this week's articles as well. 

If you segment and analyze your data without keeping in mind the bigger context, you lose value. If you search for information in your DAM system and it's missing context, your results will be irrelevant. If technology continues to explode at a pace faster than people can adapt to, we run the risk of losing perspective on its place in our lives. 

Curious? Read on.

Creating the Best Customer Experience

Secondary Dimensions: Getting the Most Out of Google Analytics

Michael Wiegand (@mwiegand): 

Google Analytics (GA) is a wondrous thing. Simple to install. Easy to use. 

But for all its ubiquity, very few users do more with Google Analytics than just scratching the surface of the reports. And that’s a shame. There’s so much to be gleaned from a few clicks.

According to W3Techs Surveys, GA now possesses a staggering 82 percent market share in the web analytics industry. So what can all of those users do to transform ordinary GA reports into extraordinary?

Are Your Digital Actions Action-packed or Action-less?

Brent Dykes: The renowned business author Peter Drucker has been attributed with the familiar quote, “what gets measured, gets managed.” This statement highlights why most companies invest in analytics. But the critical question remains, why do companies invest in data but fail to act on this valuable resource?

After working in digital analytics for more than eight years with multiple large corporations, I’ve discovered that the belief that captured data will be subsequently optimized or improved doesn’t always hold true. In fact, data frequently doesn’t translate into actions.  

Wildervoices: John Kennedy on the Changing Role and Challenges of Today's CMO 

Scott K. Wilder (@skwilder): CMOs today face a shifting landscape in terms of their roles within companies and the challenges inherent in creating better customer experiences in a multi-channeled, socially connected, data-driven world. To get a better sense of where this trend is going, I spoke with John Kennedy of IBM.

How To: Getting Started In User Experience (UX)

Stephen Fishman (@trivoca): I have seen the question on Quora. I have seen the question on LinkedIn. I have seen the question on so many different online properties that I have lost count. The summarized question is: "How do I get started in learning about UX (User Experience)?". I have yet to see an answer that makes me believe that someone could take it and really move forward into learning the field and ultimately get a job. The biggest problem is that I don't find the question to be phrased in a way that a highly experienced UX professional can meaningfully answer without completely reframing the question. 

 

Continue reading this article:

1 2 3 Next Page >

 

 

Source : cmswire[dot]com

Welcome To Tiny Elkhart County, Indiana, Which Just Got $125 Million Richer

Thanks to a donation from the late Hollywood producer David Gundlach, a place where nobody locks their doors is swimming in cash. What happens now?

Pete McCown is the president of the Elkhart County Community Foundation. The county, only about 200,000 strong, just inherited a reported $125 million from the late David Gundlach, an Elkhart native son who made good as an entrepreneur and Hollywood producer, while retaining an apparent soft spot for his hometown. (Gundlach died of a heart attack last year, at 56.) We caught up with McCown to learn more about the newly-flush Elkhart, a county of RV manufactories, Amish horse-and-buggies, and feral cats.

FAST COMPANY: When did you first meet David Gundlach?

PETE McCOWN: David and I were introduced to each other last summer. I was president elect of the community foundation at the time. David’s attorney called me and said, I’d like you to meet a client. In the first 10-15 minutes of our acquaintance Dave said, “Pete, I just wanted you to know I’ve updated my estate plan, and I included the community foundation.” That was the extent to which he disclosed anything. I pressed him on things he was interested in as a philanthropist. I said, “Dave, you need to shape this. It may be 40 years from now that the foundation realizes your gift, and the two of us will be old men playing golf, but tell me what your values are, what you’re hoping to accomplish.” He said, “Kiddo, it seems to me that your organization is better qualified than me to make those decisions.” Three months later, I came home on a Sunday after church and lunch with my family, and on the answering machine was the estate attorney saying he’d just learned Dave passed away in his sleep.

The gift is massive.

The Chronicle of Philanthropy, which in its own industry is like the Wall Street Journal or the Rolling Stone Magazine for the not-for-profit community, said Dave’s gift would have been the fifth- or sixth-largest gift last year in North America in 2011. It will likely be one of the ten largest gifts of this year. The remarkable thing here is this is a modest-sized county of just a couple hundred thousand people.

Pete McCown

Tell me about Elkhart County.

Elkhart County is a collection of small cities or mid-sized towns. We have Elkhart the city, which has 50-60,000 people, then Goshen’s the next largest, about 10 miles down the road, with 25-30,000 people. Then there’s Middlebury and Nappannee, and much smaller communities as well. Our economic engines would be blue-collar manufacturing and the farming and agricultural communities. I’m told the majority of trailers, motor homes, and RVs are manufactured out of Elkhart County or in one of our RV companies’ auxiliary plants around the country. When economic times are good, this community’s booming, but when people don’t have the money to buy motor homes, this community suffers some of the worst of the economic downturn.

Is it a friendly, no-one-locks-their-doors sort of place?

Yes, it’s a Midwestern town in the classic sense, where people have grown up together and know each other. It’s the kind of place where at the local diner there’s a table with five or ten guys drinking coffee and catching up on how the local basketball team did. It’s the kind of place where you sell your house and at the closing you have to go find the keys, and you can’t, because you haven’t locked your doors in the last 20 years. Another interesting thing about Elkhart is that 10% of our population is Amish, so you’ll have horses and buggies going up and down the streets, with cars going around them.

How do you spend all this money while keeping the down-to-earth spirit of the community?

Every morning in my inbox I have 250-350 emails from people with ideas. We’re working on creating venues in our community for people in our community to be participants in shaping the direction we take.

Were there any issues in the community that you weren’t aware of until now?

The Feral Cat Society would be one. There is an organization of large-hearted individuals who are worried about wild cats, and they care for wild cats. They trap and sterilize these wild cats so they don’t reproduce, since for them to be actively reproductive in the wild would create a burdensome population of wild cats in our community. They believe there’s a dignity to the life of that wild cat, but there aren’t enough homes to take in the hundreds if not thousands of wild cats out there. So they feed and provide some degree of shelter and trap and sterilize these cats so they don’t produce continued litters of kittens. That’s an issue I wasn’t aware of, but I have great regard for people who are aware of that and are doing something about that. Do feral cats rise to the level of child hunger? Most would argue no. But is the way we treat our wildlife in our community an important reflection of our values? Absolutely.

Do you have a philosophy of how to use all this money you’ve been given?

The grant-making model I’m most enamored with is the model of the Kresge Foundation. Kresge is the “challenge grant foundation.” They inspire other organizations across the country to raise more money, and if they achieve that, then Kresge steps in with a matching grant. There’s an impression now in Elkhart of, “Well, what good does my $10,000 gift to the Boys and Girls Club do?”

So you worry some local people may feel their smaller gifts can no longer make a difference?

Right. I’m reminded that there’s a little girl in this community who for the last four to five years sends us a dollar a year at the end of December to add to the funds for Elkhart County. Her parents have done some good work, and encouraged her to be generous at Christmastime. That’s going into the same fund, the same grant-making tools that Dave’s $150 million are gonna go into. Dave’s story, while it’s newsworthy for the sheer magnitude of it, is the same story that’s gonna get told next week when someone gives money to the homeless shelter in our community.

This interview has been condensed and edited. For more from the Fast Talk interview series, click here. Know someone who'd be a good Fast Talk subject? Mention it to David Zax.

Source : fastcompany[dot]com

Former Foursquare Exec Tristan Walker Shares His Secrets On How Brands And Social Can Coexist

Brands and hot social media platforms can succeed--but only by working together.

Illustration by David Schwen

I was the first business guy at Foursquare, the social check-in service. Almost every major brand wanted to work with us. A bunch of brand folks would ask me something like, "Hey, let's create a mayonnaise badge on Foursquare. We're doing this campaign for sustainable farming, so wouldn't it be cool if people checked in at three farms, a retail location, and a bodega to unlock our mayonnaise badge?" They're willing to pay tons of money for that. We would say, "Well . . . that doesn't make any sense. Probably not for you, definitely not for our users."

Brands say they want to use social to engage with their customers. They say that because they have nothing else to measure against. My hope and goal has always been to change that. When faced with that kind of mayonnaise-badge proposal, I'd just keep asking them why until we've really narrowed it down and get to, "Hey, we want to do all this stuff so we can drive sales." From there, we can move toward a solution where we can help measure the effectiveness of any advertising and resulting sales.

Follow Fast Company's roadmap to social media: surefire rules, data, and expert wisdom guaranteed to show why this market is completely unpredictable.

In Silicon Valley, there's usually this product-is-everything, you-need-nothing-else mentality--and I don't believe that one bit. You need to understand how advertising can fit into your product and what you do well. At Foursquare, our big ethos was making things that make the world more interesting to explore. That helped us pick partners where integration would be more natural. The perfect example is our first major deal, which was with the Bravo TV network. It already had fantastic local content online, and we brought that onto the Foursquare platform. It encouraged people to get out and explore new things, based on shows like Real Housewives, which felt very much in line with the product but without a sales pitch. It benefited our users and us: Bravo puts us on its commercials, helping us reach a different demographic and a wider audience.

Source : fastcompany[dot]com