Did hackers uncover Petraeus' saucy affair webmails before FBI?

Biographer previously exposed in Stratfor caper


FBI agents may not have been the first to rumble the affair between CIA director David Petraeus and his biographer that led to the four-star general's resignation on Friday.

Anyone with a copy of the leaked Stratfor databases, a half-decent PC, some political nous and a barrel of luck could have uncovered the fling months ago, it has emerged.

Paula Broadwell, the former spy chief's mistress and biographer, was a customer of Stratfor, the private intelligence outfit that was attacked by Anonymous hackers last year. Buried in the megabytes of subsequently leaked information was Broadwell's Yahoo! email address and her hashed Stratfor login password.

A security researcher says he spent the weekend recovering her original password from the MD5 hash, or at least a passphrase that will generate an identical hash value, using a brute-force approach and 17 hours of number-crunching on his computer. If the password is indeed the same one she used for Stratfor, and she also used it for her Yahoo! account, then anyone before now could have used the information at hand to compromise her webmail and follow a trail of messages to her illicit liaison with America's spook supremo.

How a top general came to fall on his sword

Petraeus, 60, resigned on Friday after the Feds discovered his dalliance with Broadwell, a married 40-year-old former military officer. An FBI probe was launched months ago when another woman alleged Broadwell had sent her “harassing” emails, the New York Times reports. This is contrary to earlier reports suggesting agents began monitoring the spy boss's personal Gmail account over concerns it had been compromised by Chinese hackers.

An anonymous "senior US military official" named Jill Kelley, a 37-year-old from Tampa in Florida, as the woman who complained to the FBI; she is an executive on the State Department's liaison to the military's Joint Special Operations Command, and is known to both Petraeus and Broadwell.

It is alleged Broadwell used her paulabroadwell@yahoo.com address to send unpleasant emails to Kelley, possibly perceiving her as a love rival, that included extracts of sexually suggestive messages copied from a Gmail account set up by Petraeus. The emails sent to Kelley warned her to "stay away from" the general, the Wall Street Journal claims. This linked the complaint to Petraeus, a breadcrumb trail picked up by investigators - and potentially anyone else who was able to log into the Yahoo! account.

Cracking her Stratfor password - and potentially unlocking her Yahoo! inbox too

Broadwell's Stratfor password was fairly strong; had it been one character longer, it would have been beyond the grasp of security researcher Robert Graham of Errata Security. He used a cracking utility called oclHashcat and a GPU accelerator to brute-force the original password from its MD5 hash value, or at least a phrase that would generate the same value, eventually finding the password after 17 hours of exhaustive crunching.

It is possible she used the same combination of eight characters elsewhere, perhaps even for her Yahoo! account. This would have given anyone who cracked her password a way to access her webmail, assuming they had decided to target Broadwell months before she hit the headlines.
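The storage-side lesson, as an added example that is not part of the original article or of Graham's work: it scales the article's 17-hour figure to one extra character and to a salted, iterated hash, and shows the two record formats side by side. The alphabet sizes, the assumption that the stored form was a single unsalted MD5, the 600,000-iteration setting and the sample password are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Figures taken from the article: 17 hours to exhaust an 8-character space.
BASELINE_HOURS = 17.0
BASELINE_LEN = 8

def search_hours(length, alphabet_size, work_factor=1):
    """Scale the 17-hour figure to another length or per-guess cost.

    Assumes the same hardware and that the baseline search covered every
    8-character string over `alphabet_size` symbols (the alphabet is an
    assumption; the article does not state it).
    """
    return BASELINE_HOURS * alphabet_size ** (length - BASELINE_LEN) * work_factor

def md5_record(password):
    """Fast and unsalted: equal passwords give equal records, one guess = one MD5."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_record(password, iterations=600_000):
    """Per-user random salt plus an iterated KDF (standard library only)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def pbkdf2_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)

if __name__ == "__main__":
    for alphabet in (26, 62, 95):  # lowercase, alphanumeric, printable ASCII
        days = search_hours(9, alphabet) / 24
        print(f"9 chars over {alphabet} symbols: about {days:,.0f} days")
    # Counting each PBKDF2 iteration as at least one MD5 of work (rough lower bound).
    years = search_hours(8, 62, work_factor=600_000) / 24 / 365
    print(f"8 chars behind 600,000 iterations: about {years:,.0f} years")
    sample = "Constructed-Sample-1"  # constructed value, not taken from any leak
    print(md5_record(sample) == md5_record(sample))              # no salt
    print(pbkdf2_record(sample)[2] == pbkdf2_record(sample)[2])  # salted
```

Neither storage format helps if the same password also protects another account, which is the reuse risk the article describes.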

However, Graham can find no reference to the password after a Google search, suggesting that if a hacker had compromised the password then it wasn't an Anonymous or LulzSec bod, who often like to brag in public and reveal stolen credentials.

Graham said his exercise in cracking Broadwell's password was justified because her account and password had already been blown.

Meanwhile some are beginning to speculate that Google's location tracking of IP addresses of Gmail accounts might have betrayed the identity of the adulterous CIA chief. The Atlantic reports Petraeus used a pseudonym to set up his private Google mail account, but this didn't prevent his identity from being gleaned by investigators monitoring Broadwell's email accounts. It is believed that rather than exchanging emails, the two lovers swapped explicit messages using shared access to the same Gmail account.

Tinker, tailor, shagger, spy

Petraeus' affair with Broadwell began after the former architect of the US counterinsurgency strategy in Iraq retired from the military and joined the CIA last year, according to a former aide.

Petraeus has been married for 37 years to Holly Petraeus and the couple have two children, including a son serving in Afghanistan. Justice Department and high-level administration officials, including Attorney General Eric Holder, have reportedly been aware of the investigation into Broadwell since spring but things only came to a head over the last fortnight.

FBI agents interviewed Petraeus, who admitted the fling. A report was submitted to Director of National Intelligence James Clapper last week by the Feds. They noted no crime had been committed, but the spy chief nonetheless understood his position was untenable.

In a resignation statement, Petraeus said:

Yesterday afternoon, I went to the White House and asked the President to be allowed, for personal reasons, to resign from my position as D/CIA.  After being married for over 37 years, I showed extremely poor judgment by engaging in an extramarital affair. Such behavior is unacceptable, both as a husband and as the leader of an organization such as ours. This afternoon, the President graciously accepted my resignation.

Lawmakers left in the dark are beginning to raise questions over the Petraeus affair and the timing of his resignation days before an important hearing. Petraeus was due to testify before Congress regarding the Obama administration’s handling of a terrorist attack in Benghazi that led to the deaths of four Americans, including US ambassador Chris Stevens.

"We received no advanced notice. It was like a lightning bolt," said Democratic Senator Dianne Feinstein of California, who heads the Senate Intelligence Committee, AP reports.

Some commentators are upset Petraeus has been obliged to resign for behaviour that in other Western countries may have passed almost without notice. Predictably the whole business has quickly become a butt of jokes.

Patriot hacker th3j35t3r joked: "Give Petraeus a break, having sex w/ ur biographer is unquestionably more exciting than having sex w/ ur autobiographer. Right #assange?" ®


Biting the hand that feeds IT © 1998–2022