Why there will be no patch for the Petraeus vulnerability

Security experts had four words of advice for those wondering about the implications of last week's sudden resignation of the Director of the U.S. Central Intelligence Agency, General David Petraeus: 'get used to it.'

[Image: e-mail icon. Source: CarbonNYC] Would-be lovers - stop using e-mail to communicate.

The history of Washington D.C. is filled with examples of brilliant and high-achieving men and women who decide to selectively under-achieve in their personal relationships. Think "Bill Clinton and Monica Lewinsky," "John Edwards and Rielle Hunter," or "Gary Condit and Chandra Levy." The list goes on and on (and on).

Still, the extra-marital affair that brought an abrupt end to the career of Gen. David Petraeus shocked even those in The Beltway used to such things. House Minority Leader Nancy Pelosi, a longtime acquaintance, likened the news to a "bolt of lightning." After all, the retired four-star general was President Obama's Director of the CIA. A West Point graduate, brilliant military strategist and a veteran of the wars in Iraq and Afghanistan, Petraeus was felled by the discovery of sexually explicit Gmail exchanges with his biographer and lover, Paula Broadwell.

That's the kind of 21st century indiscretion that has ended more than a few marriages, but never before the career of so highly-placed or highly-respected a figure. As of this writing, an FBI investigation of Broadwell is ongoing, centered on her possession of classified documents and whether the former CIA Director played a role in supplying her with classified information.

News of the affair and Petraeus's resignation prompted a predictable round of hand-wringing about the indiscretions and fragile egos of powerful men. As of this writing, there's not much to be done about that problem. For security-conscious organizations, however, the Petraeus affair raises deeper and more troubling questions. Chief among them: how best to insulate an organization from the kind of risk that comes with increasingly wired employees? Is it even realistic for companies to guard against unknown threats - from the state-sponsored hacker to the spurned paramour - given a population of workers who communicate and share information across a complex social graph that encompasses both personal and professional relationships?

For many organizations, the Petraeus affair crystallized a sneaking suspicion that the web of connections binding their employees to the rest of the world had grown complex enough to defy security controls, and even comprehension.

Joe Gottlieb, the CEO of the security firm Sensage, talks about the unpredictable ways in which social networks "automate" trust online. Simply 'liking' or 'friending' someone, Gottlieb told the security blog Threatpost, creates "automated associations that lead to exposure of both good and bad social interactions." Social networks like Facebook or Twitter assume that, by taking those actions, you are prepared for all of the consequences, but that's hardly ever the case. And, once the connection is made, the implicit trust becomes a dangerous security exposure, lowering the target's defenses to attacks.

The Petraeus affair is a great example of this. After all, the General wasn't the target of the FBI investigation, but his surreptitious e-mail ties to Broadwell made him collateral damage in a case that began with anonymous e-mails sent by a jealous lover (his) to a well-connected Tampa, Florida socialite. This was no Robert Hanssen making dead drops of classified information to the KGB in D.C. parks: General Petraeus's offense was sending saucy e-mails to his biographer and paramour - herself an Army intelligence officer. Should he be fired - or in couples therapy?

Richard Bejtlich, the Chief Security Officer at the firm Mandiant, said that the circumstances of the case are unusual. Still, it's illustrative of the ways in which organizations - even intensely security-conscious organizations like the CIA - have allowed the barriers between personal activity and work-related activity to erode. Bejtlich, whose company helps organizations investigate cyber incidents and defend against them, said that the advent of web-based e-mail, social networks and mobile devices like iPhones and iPads has eroded policies that once required employees to segregate work- and non-work-related online activities.

E-mail may not be sexy anymore, but it's still an information goldmine for attackers and criminal investigators alike, Bejtlich says. A single user's e-mail spool might contain thousands or tens of thousands of messages, including user names, passwords, account information and a useful social graph: a record of who that person talks to, how often, and through which accounts.
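To make the "goldmine" concrete, the following added example (not code from the original article or from Mandiant) mines a mail spool the way an investigator or an attacker would: it parses an mbox, builds the directed sender-to-recipient social graph, and flags message bodies that carry credential-looking strings. The mbox text, addresses and passwords embedded in it are constructed for the example and are fictitious; the credential regex is a deliberately loose, illustrative pattern rather than a production detector.

```python
"""Mining a mail spool for its social graph and for leaked credentials.

Added example, not from the original article. The SAMPLE_MBOX below is
constructed for illustration; every address and password in it is fictitious.
"""
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Constructed sample spool in mbox format (fictitious addresses and content).
SAMPLE_MBOX = """From alice@example.org Mon Nov 12 09:00:00 2012
From: Alice <alice@example.org>
To: bob@example.org, carol@example.net
Subject: travel

See you both in Tampa.

From bob@example.org Mon Nov 12 09:05:00 2012
From: Bob <bob@example.org>
To: alice@example.org
Subject: re: travel

Booked. The hotel wifi password: Tampa2012!

From carol@example.net Mon Nov 12 10:00:00 2012
From: Carol <carol@example.net>
To: alice@example.org
Cc: dave@example.com
Subject: portal access

Your login is alice.w, password=Sunshine#9 (change it after first login).

From bob@example.org Tue Nov 13 08:00:00 2012
From: Bob <bob@example.org>
To: alice@example.org
Subject: lunch?

Thursday works.
"""

# An mbox separates messages with a line beginning "From " (From, space),
# distinct from the "From:" header inside each message. Real mbox writers
# escape body lines that begin with "From " as ">From " for exactly this reason.
_MBOX_SEP = re.compile(r"^From .*$", re.MULTILINE)

# Loose, illustrative credential pattern: "pass", "password", "passwd" or "pwd",
# then ":" or "=", then the secret token. Tune before using on real data.
_CRED_RE = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd)\s*[:=]\s*(\S+)")


def parse_mbox(text):
    """Split an mbox string into email.message.Message objects."""
    chunks = _MBOX_SEP.split(text)
    return [message_from_string(c.strip()) for c in chunks if c.strip()]


def social_graph(messages):
    """Count directed sender -> recipient edges (To and Cc) across the spool."""
    edges = Counter()
    for msg in messages:
        senders = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
        recips = [a.lower() for _, a in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
        for s in senders:
            for r in recips:
                edges[(s, r)] += 1
    return edges


def contacts_of(edges, address):
    """Undirected view: who exchanges mail with `address`, and how often."""
    contacts = Counter()
    for (s, r), n in edges.items():
        if s == address:
            contacts[r] += n
        elif r == address:
            contacts[s] += n
    return contacts


def find_credentials(messages):
    """Return (message index, subject, secret) for bodies that look like they carry a password."""
    hits = []
    for i, msg in enumerate(messages):
        body = msg.get_payload(decode=True)  # bytes for single-part messages
        if body is None:  # multipart: this example only handles single-part text
            continue
        for m in _CRED_RE.finditer(body.decode("utf-8", "replace")):
            hits.append((i, msg.get("Subject", ""), m.group(2)))
    return hits


if __name__ == "__main__":
    msgs = parse_mbox(SAMPLE_MBOX)
    for (s, r), n in social_graph(msgs).most_common():
        print(f"{s} -> {r}: {n}")
    for i, subject, secret in find_credentials(msgs):
        print(f"message {i} ({subject!r}) carries a credential: {secret}")
```

Run on the sample, the graph already answers the investigator's first question (who is this mailbox's closest correspondent?) and the credential sweep turns up two passwords in four messages. On a real spool of tens of thousands of messages, the same two passes are what both an intruder and a forensic examiner run first.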

And employees' use of Web-based services, including web mail and social networks, creates a risk that many organizations fail to properly account for. In just one example, Paula Broadwell's personal e-mail address was among 800,000 leaked by the hacktivist group Anonymous following the 2011 breach of the security intelligence firm Stratfor. As it turned out, that account wasn't hacked - to the best of anyone's knowledge. Under different circumstances, however, a sophisticated attacker could easily have made the connection between Broadwell and Petraeus, and access to that account could have provided a powerful back-channel link to Petraeus. In fact, FBI investigators observing Broadwell's e-mail account initially assumed that the General's personal e-mail had been compromised and was being used by an unknown attacker to send out messages in the General's name.

What's to be done? That depends on who's asking the question.

For would-be lovers, the days following Petraeus's resignation have delivered a slew of advice: stop using e-mail to communicate. If you must use it, encrypt the messages at rest and in transit, and use tools like the Tor Browser and e-mail anonymizers to cover your tracks. Note what each measure does and doesn't buy you: end-to-end encryption hides a message's content from the provider and from anyone who later obtains the mailbox, and Tor hides the network address a message was sent from, but neither hides the fact that two accounts correspond, which the provider's logs and a subpoena can still establish.

For security-conscious organizations, Bejtlich recommends that companies consider pursuing a "data minimization" strategy. Employers should train employees - especially high-value employees - to regularly cull e-mail and other data stores of unneeded documents, either by deleting them or by backing them up, in encrypted form, to an external storage device.

When incidents like the Petraeus affair do arise, Bejtlich said, the organizational response should be handled as an internal investigation, with Human Resources and the company's legal department in the lead, rather than by an IT-focused incident response team.

Finally, organizations need to embrace the fact that few security problems can be solved with a software patch or a technical fix. Data loss prevention (DLP) software wouldn't have spotted Gen. Petraeus's illicit communications with Ms. Broadwell so long as no sensitive data was leaving the organization.

A better system might have relied on colleagues who had personal ties to the General and were alert to his increasingly intimate relationship with Ms. Broadwell. "There's a tendency to have engineering solutions," said Bejtlich. "But almost everything is a social problem. We need much better management of the human - rather than the technical - side."
