Why Clinton’s Private Email Server Was Such a Security Fail
http://www.wired.com/2015/03/clintons-email-server-vulnerable/

For a secretary of state, running your own email server might be a clever (if controversial) way to keep your conversations hidden from journalists and their pesky Freedom of Information Act requests. But ask a few security experts, and the consensus is that it's not a very smart way to keep those conversations hidden from hackers.
On Monday, the New York Times revealed that former secretary of state and future presidential candidate Hillary Clinton used a private email account rather than her official State.gov email address while serving in the State Department. And this was no Gmail or Yahoo! Mail account: On Wednesday the AP reported that Clinton actually ran a private mail server in her home during her entire tenure leading the State Department, hosting her email at the domain Clintonemail.com. Much of the criticism of that in-house email strategy has centered on its violation of the federal government's record-keeping and transparency rules. But as the controversy continues to swirl, the security community is focused on a different issue: the possibility that an unofficial, unprotected server held the communications of America's top foreign affairs official for four years, leaving all of it potentially vulnerable to state-sponsored hackers.
"Although the American people didn't know about this, it's almost certain that foreign intelligence agencies did, just as the NSA knows which Indian and Spanish officials use Gmail and Yahoo accounts," says Chris Soghoian, the lead technologist for the American Civil Liberties Union. "She's not the first official to use private email and not the last. But there are serious security issues associated with these kinds of services. When you build your house outside the security fence, you're on your own, and that's what seems to have happened here."
The most obvious security issue with Clinton running her own email server, says Soghoian, is the lack of manpower overseeing it compared with the State Department's official email system. The federal agency's own IT security team monitors State Department servers for possible vulnerabilities and breaches, and those computers fall under the NSA's protection, too. Since 2008, for instance, the so-called Einstein project has functioned as an umbrella intrusion-detection system for more than a dozen federal agencies. Though it's run by the Department of Homeland Security, it uses NSA data and vulnerability-detection methods. Clinton's email wouldn't have the benefit of any of that expensive government security. If she had hosted her email with Google or even Yahoo! or Microsoft, there might be an argument that those private companies' security teams are just as competent as those of the feds. But instead, according to the Associated Press, Clinton ran her server from her own home. Any protection it had there, aside from the physical protection of the Secret Service, would have been limited to the Clintons' own personal resources.
A more specific threat to Clinton's private email relates to its domain name. Unlike the State Department's State.gov domain, Clinton's Clintonemail.com is currently registered with a private domain registrar, Network Solutions, as a simple Whois search reveals. The domain Clintonemail.com (and thus its registrar) was certainly known to at least one hacker: The notorious celebrity hacker Guccifer first revealed it in 2013 when he spilled the emails of Clinton associate Sydney Blumenthal. Anyone who hacked Network Solutions would be able to quietly hijack the Clintonemail.com domain, intercepting, redirecting, and even spoofing email from Clinton's account. And Network Solutions is far from the Internet's hardest target: Hundreds of its domains were hacked in 2010, a year into Clinton's tenure at the head of the State Department. Even if Clinton used the account only for personal messages rather than those of international importance (say, something along the lines of: "Let's go ahead and drop those bombs, Bibi"), the notion that they could be both intercepted and spoofed through a common hacking vector is particularly troubling.

"Even the most mundane of communications can be interesting to an intelligence service," says the ACLU's Soghoian. The NSA, he points out, thought it was worthwhile to monitor German Chancellor Angela Merkel's personal cell phone, for instance, as revealed in documents leaked by Edward Snowden.

There's no evidence, of course, that Clintonemail.com was ever actually compromised. University of Pennsylvania computer science professor Matt Blaze says judging its security versus the State Department's own email servers would require more information. But he notes that the control of the server's domain is a real issue. "It's certainly true that the domain State.gov is probably harder to hijack than clintonemail.com," says Blaze.
To be fair, the State Department's track record for its own email security isn't exactly spotless, even relative to Clinton's DIY approach. Consider this: Some critics have pointed out in recent days that Clintonemail.com currently uses an invalid TLS certificate, another method that a man-in-the-middle might use to intercept or spoof emails from the server; but Stanford researcher Jonathan Mayer points out to WIRED that the State Department's own TLS certificate is currently invalid, too. Mayer believes that Clinton's bad certificate is a result of a misconfiguration that occurred when the email service was transferred in 2013 to the McAfee-owned company MX Logic. The State Department, Mayer says, uses a self-signed certificate, a less-than-sterling security practice. "Against man-in-the-middle attacks, both are currently insecure," he says. In fact, the State Department has been the target of several successful hacker attacks over the past decade. The most recent one, in November 2014, forced the agency to temporarily shut down its email system as a response to concerns that unclassified communications had been breached by Russian hackers.
But at least, in that case, there was a response. If the same sort of highly resourced hackers had gone after the server in Clinton's basement, there's no guarantee that the same alarms would have gone off.
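The two certificate problems the article describes (a mail server that presents a self-signed certificate, and a certificate that no longer matches the host after a migration such as the 2013 move to MX Logic) can be reproduced and checked offline with nothing but the openssl command-line tool. The script below is an added example, not code from the article or from anyone quoted in it; the host names mail.example.test and mx.other.test and the CA name "Example Test CA" are invented for the demonstration. It generates three certificates in a scratch directory and then applies the same chain and host-name checks that an SMTP client with certificate verification enabled would apply.

```shell
#!/bin/sh
# Added example, not from the article: reproduce the two certificate failures
# the article mentions using only the openssl CLI. All names are made up.
WORK=$(mktemp -d)
HOST="mail.example.test"          # hypothetical mail host

# One config file drives every openssl req/x509 call below, so the example
# does not depend on whatever openssl.cnf the system happens to ship.
cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:$HOST
EOF

gen_certs() {
  # (a) Self-signed server certificate: the server vouches for itself, so
  #     there is no issuer that a client could already trust.
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_leaf \
    -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
  # (b) A private CA standing in for a publicly trusted one ...
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # (c) ... and a server certificate issued by that CA for $HOST.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/req.cnf" -extensions v3_leaf \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# check_chain CERT EXPECTED_HOST
# Exit 0 only if CERT chains to a trusted CA (here: our private one) AND is
# valid for EXPECTED_HOST. Either failure lets an active attacker on the
# path present their own certificate without the client noticing.
check_chain() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# report CERT EXPECTED_HOST LABEL : human-readable verdict for one check
report() {
  if check_chain "$1" "$2"; then
    echo "$3: accepted"
  else
    echo "$3: rejected"
  fi
}

gen_certs
report "$WORK/self.crt" "$HOST"          "self-signed certificate for $HOST"
report "$WORK/leaf.crt" "$HOST"          "CA-issued certificate, correct host"
report "$WORK/leaf.crt" "mx.other.test"  "CA-issued certificate, host name mismatch"
# Scratch directory $WORK is left in place for inspection with openssl x509 -text.
```

The first and third checks are the two failure modes the article describes. A self-signed certificate is rejected because no trust anchor vouches for it, which is also why a client that accepts it "anyway" gains nothing over plaintext against a man-in-the-middle; the host-name mismatch is what a migration to a new mail provider produces when the server keeps presenting a certificate issued for the old host.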
TwilightGardener
(46,416 posts)
she had ERIC HOTEHAM--fuck yeah!
Autumn
(45,042 posts)
way to keep her emails safe from Freedom of Information Act requests. Is that true?
Demeter
(85,373 posts)
Hillary's been around the privacy issue with Bill's term in office, so I wouldn't be surprised.
BUT, She may be assuming the NSA is on her side, which would be foolish, to say the least.
Erich Bloodaxe BSN
(14,733 posts)
since she would have control over turning over emails and could choose to not turn over all of them, and the only people who could probably prove her to be lying would be the NSA, but she'd have to trust that any she didn't turn over were sent to people who wouldn't turn around and say 'Hey, she didn't send you the emails she sent to me'. Or that the NSA weren't monitoring her to use such as blackmail.
Anything you REALLY don't want foia'd, you should have face to face unrecorded conversations for.
4139
(1,893 posts)
Demeter
(85,373 posts)
[Hillary] Clinton did not have a government email address during her four-year tenure at the State Department. Her aides took no actions to have her personal emails preserved on department servers at the time, as required by the Federal Records Act [New York Times]. One might wonder if Jebbie released all his email (albeit clumsily) because he got a heads-up?
http://www.nakedcapitalism.com/2015/03/200pm-water-cooler-3315.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+NakedCapitalism+%28naked+capitalism%29
The fact that Clinton's emails were not a part of official State Department records until recently means many of them would not have been located in response to Freedom of Information Act requests, subpoenas or other document searches conducted over the past six years. That omission seems certain to generate controversy, litigation and more news coverage as various entities demand access to the email trove just as Clinton's campaign for the White House is expected to be getting underway [Politico].
It's like meta-oppo!
http://www.vox.com/2015/3/2/8138203/clinton-emails-bush
There is simply no way that, when Clinton decided to use her personal email address as Secretary of State, she was unaware of the national scandal that Bush officials had created by doing the same. [Vox]
I hate to admit this, but Vox is right. They refer to the gwb43.com scandal of 2007, where the Bush administration fired a bunch of U.S. attorneys and got investigated by Congress, whereupon Congress discovered that not all internal White House mail was available, because it had been sent via gwb43.com, a domain controlled by the RNC (!). Clinton's behavior is consistent with a dynastic member who regards their correspondence as family property, but not with that of an official who regards their office as a public trust...
Sancho
(9,067 posts)
"Let's assume that Clinton's e-mail setup during her tenure in the White House was managed more tightly than it is today. She set up strong encryption. She had reliable threat monitors in place. Theoretically, all this could have afforded Clinton more security than either a state.gov email or consumer email clients, like Gmail.
In fact, the anonymous security expert who goes by the Twitter handle Infosec Taylor Swift tells Mashable that if Clinton had a "top-flight engineer" managing the mail server, it wouldn't be inconceivable to think that a private set-up could be more secure than that offered by the state."
I suspect no one really knows how secure the email server was unless someone hacked it and proves it was not secure. If the emails are released to the public, it doesn't matter.