 

Demeter

(85,373 posts)
Wed Mar 4, 2015, 07:50 PM Mar 2015

Why Clinton’s Private Email Server Was Such a Security Fail

http://www.wired.com/2015/03/clintons-email-server-vulnerable/

For a secretary of state, running your own email server might be a clever—if controversial—way to keep your conversations hidden from journalists and their pesky Freedom of Information Act requests. But ask a few security experts, and the consensus is that it’s not a very smart way to keep those conversations hidden from hackers.

On Monday, the New York Times revealed that former secretary of state and future presidential candidate Hillary Clinton used a private email account rather than her official State.gov email address while serving in the State Department. And this was no Gmail or Yahoo! Mail account: On Wednesday the AP reported that Clinton actually ran a private mail server in her home during her entire tenure leading the State Department, hosting her email at the domain Clintonemail.com. Much of the criticism of that in-house email strategy has centered on its violation of the federal government’s record-keeping and transparency rules. But as the controversy continues to swirl, the security community is focused on a different issue: the possibility that an unofficial, unprotected server held the communications of America’s top foreign affairs official for four years, leaving all of it potentially vulnerable to state-sponsored hackers.

“Although the American people didn’t know about this, it’s almost certain that foreign intelligence agencies did, just as the NSA knows which Indian and Spanish officials use Gmail and Yahoo accounts,” says Chris Soghoian, the lead technologist for the American Civil Liberties Union. “She’s not the first official to use private email and not the last. But there are serious security issues associated with these kinds of services…When you build your house outside the security fence, you’re on your own, and that’s what seems to have happened here.”


The most obvious security issue with Clinton running her own email server, says Soghoian, is the lack of manpower overseeing it compared with the State Department’s official email system. The federal agency’s own IT security team monitors State Department servers for possible vulnerabilities and breaches, and those computers fall under the NSA’s protection, too. Since 2008, for instance, the so-called Einstein project has functioned as an umbrella intrusion-detection system for more than a dozen federal agencies; though it’s run by the Department of Homeland Security, it uses NSA data and vulnerability-detection methods. Clinton’s email wouldn’t have the benefit of any of that expensive government security. If she had hosted her email with Google or even Yahoo! or Microsoft, there might be an argument that those private companies’ security teams are just as competent as those of the feds. But instead, according to the Associated Press, Clinton ran her server from her own home. Any protection it had there—aside from the physical protection of the Secret Service—would have been limited to the Clintons’ own personal resources.

A more specific threat to Clinton’s private email relates to its domain name. Unlike the State Department’s State.gov domain, Clinton’s Clintonemail.com is currently registered with a private domain registrar, Network Solutions, as a simple Whois search reveals. The domain Clintonemail.com (and thus its registrar) was certainly known to at least one hacker: The notorious celebrity hacker Guccifer first revealed it in 2013 when he spilled the emails of Clinton associate Sidney Blumenthal. Anyone who hacked Network Solutions would be able to quietly hijack the Clintonemail.com domain, intercepting, redirecting, and even spoofing email from Clinton’s account. And Network Solutions is far from the Internet’s hardest target: Hundreds of its domains were hacked in 2010, a year into Clinton’s tenure at the head of the State Department. Even if Clinton used the account only for personal messages rather than those of international importance (say, something along the lines of: “Let’s go ahead and drop those bombs, Bibi”) the notion that they could be both intercepted and spoofed through a common hacking vector is particularly troubling. “Even the most mundane of communications can be interesting to an intelligence service,” says the ACLU’s Soghoian. The NSA, he points out, thought it was worthwhile to monitor German Chancellor Angela Merkel’s personal cell phone, for instance, as revealed in documents leaked by Edward Snowden. There’s no evidence, of course, that Clintonemail.com was ever actually compromised. University of Pennsylvania computer science professor Matt Blaze says judging its security versus the State Department’s own email servers would require more information. But he notes that the control of the server’s domain is a real issue. “It’s certainly true that the domain State.gov is probably harder to hijack than clintonemail.com,” says Blaze.

To be fair, the State Department’s track record for its own email security isn’t exactly spotless, even relative to Clinton’s DIY approach. Consider this: Some critics have pointed out in recent days that Clintonemail.com currently uses an invalid TLS certificate, another method that a man-in-the-middle might use to intercept or spoof emails from the server; but Stanford researcher Jonathan Mayer points out to WIRED that the State Department’s own TLS certificate is currently invalid, too. Mayer believes that Clinton’s bad certificate is a result of a misconfiguration that occurred when the email service was transferred in 2013 to the McAfee-owned company MX Logic. The State Department, Mayer says, uses a “self-signed certificate,” a less-than-sterling security practice. “Against man-in-the-middle attacks, both are currently insecure,” he says. In fact, the State Department has been the target of several successful hacker attacks over the past decade. The most recent one in November of 2014 forced the agency to temporarily shut down its email system as a response to concerns that unclassified communications had been breached by Russian hackers.

But at least, in that case, there was a response. If the same sort of highly resourced hackers had gone after the server in Clinton’s basement, there’s no guarantee that the same alarms would have gone off.
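The registrar and DNS hijack scenario in the article above (a hijacked domain letting someone intercept, redirect or spoof its mail) is, from the defender's side, a monitoring problem: the owner needs to notice when the domain's nameservers, MX records or registrar change out from under them. The following is an added example written for this page, not code from the Wired article, its sources or anyone in this thread; every domain name, registrar name and record value in it is constructed, and a real deployment would fill the same dictionaries from periodic DNS and WHOIS lookups before calling the comparison.

```python
"""Detect DNS / registrar changes that would let someone redirect a domain's mail.

Added example (not from the Wired article or this thread): the snapshots
below are constructed by hand and describe no real domain.  In practice the
same dictionaries would be filled from periodic NS/MX lookups and WHOIS
queries and compared against the baseline on every run.
"""
from datetime import date

TODAY = date(2015, 3, 4)  # constructed reference date for the checks below

# Constructed baseline: what the domain owner expects the records to be.
BASELINE = {
    "domain": "example-mail.test",
    "registrar": "Registrar A (constructed)",
    "nameservers": {"ns1.example-mail.test", "ns2.example-mail.test"},
    "mx": {(10, "mail.example-mail.test")},
    "expires": date(2016, 12, 31),
}

# Constructed snapshot in which whoever controls the registrar account has
# pointed the nameservers and MX at hosts the owner does not run; mail for
# the domain would now be delivered to those hosts instead.
HIJACKED = dict(
    BASELINE,
    nameservers={"ns1.attacker-dns.test", "ns2.attacker-dns.test"},
    mx={(10, "mx.attacker-dns.test")},
)

# Constructed snapshot where nothing moved but the registration is about to lapse
# (an expired domain can be re-registered by anyone, which ends the same way).
EXPIRING = dict(BASELINE, expires=date(2015, 3, 20))


def compare_snapshots(baseline, current, today=TODAY):
    """Return (severity, message) findings; an empty list means nothing changed."""
    findings = []
    if baseline["registrar"] != current["registrar"]:
        findings.append(("critical", "registrar changed to %r" % current["registrar"]))

    added_ns = current["nameservers"] - baseline["nameservers"]
    removed_ns = baseline["nameservers"] - current["nameservers"]
    if added_ns or removed_ns:
        findings.append(("critical", "nameservers changed: +%s -%s"
                         % (sorted(added_ns), sorted(removed_ns))))

    added_mx = current["mx"] - baseline["mx"]
    removed_mx = baseline["mx"] - current["mx"]
    if added_mx or removed_mx:
        findings.append(("critical", "MX changed: +%s -%s"
                         % (sorted(added_mx), sorted(removed_mx))))
    # Hosted mail legitimately uses off-zone MX hosts, so a new MX outside the
    # domain is a lower-severity hint rather than proof of compromise.
    for _prio, host in sorted(added_mx):
        if not host.endswith("." + current["domain"]):
            findings.append(("high", "new MX %s is outside %s" % (host, current["domain"])))

    days_left = (current["expires"] - today).days
    if days_left < 30:
        findings.append(("medium", "registration expires in %d days" % days_left))
    return findings


def worst_severity(findings):
    """Collapse a findings list to the single worst severity, or 'ok' if empty."""
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((sev for sev, _ in findings), key=order.get, default="ok")


if __name__ == "__main__":
    for severity, message in compare_snapshots(BASELINE, HIJACKED):
        print(severity.upper(), message)
```

Run periodically, the comparison is what turns "hundreds of registrar domains were hacked" from something read about afterwards into an alert raised the moment the records move; the registration-expiry check is included because a lapsed domain is lost the same way without any intrusion at all.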
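The article's point about invalid and self-signed TLS certificates is that a mail client which cannot tie the presented certificate to the hostname and to a trusted issuer has no way to tell the real server from an interposed one. The following is an added example written for this page, not code from the Wired article, Jonathan Mayer, or anyone in this thread; the certificate records are constructed dictionaries rather than real certificates, the trust store is a constructed set of issuer names, and the "mismatched" record is only one plausible shape of a post-migration misconfiguration, not a claim about any real server.

```python
"""Decide whether a mail server's TLS certificate would survive verification.

Added example (not from the Wired article or this thread): the certificate
records are constructed dicts, not real certificates, and TRUSTED_ISSUERS is
a constructed trust store.  A real client reads the same fields from the
certificate presented during SMTP STARTTLS; the point here is the policy
that decides whether a man-in-the-middle could substitute a certificate.
"""
from datetime import date

TODAY = date(2015, 3, 4)  # constructed reference date

# Constructed trust store: issuer names the client is willing to trust.
TRUSTED_ISSUERS = {"Example Public CA (constructed)"}

# Constructed certificate records.
GOOD_CERT = {
    "subject": "mail.example.test",
    "san": ["mail.example.test"],
    "issuer": "Example Public CA (constructed)",
    "not_before": date(2014, 1, 1),
    "not_after": date(2016, 1, 1),
}
# Self-signed: the server vouches for itself, so anyone can mint an equivalent one.
SELF_SIGNED_CERT = dict(GOOD_CERT, subject="mail.agency.test",
                        san=["mail.agency.test"], issuer="mail.agency.test")
# A certificate a hosted mail provider issued for its own hostname but served
# for a customer's domain (one plausible form of the post-migration
# misconfiguration mentioned in the article; an assumption, not a fact).
MISMATCHED_CERT = dict(GOOD_CERT, subject="*.hostedmail.test", san=["*.hostedmail.test"])


def hostname_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:].split(".")
        labels = hostname.split(".")
        # The wildcard covers exactly one label and is never accepted for a
        # bare suffix such as "*.test".
        return len(suffix) >= 2 and len(labels) == len(suffix) + 1 and labels[1:] == suffix
    return False


def check_certificate(cert, hostname, today=TODAY):
    """Return the reasons verification fails; an empty list means it passes."""
    problems = []
    names = cert.get("san") or [cert["subject"]]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("no name in %s matches %s" % (names, hostname))
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed: issuer equals subject")
    elif cert["issuer"] not in TRUSTED_ISSUERS:
        problems.append("issuer %r is not a trusted CA" % cert["issuer"])
    if not (cert["not_before"] <= today <= cert["not_after"]):
        problems.append("outside validity period")
    return problems


def safe_to_send(cert, hostname, today=TODAY):
    """A client that proceeds despite any of these problems cannot distinguish
    the real server from an interposed one, so 'safe' means no problems."""
    return not check_certificate(cert, hostname, today)


if __name__ == "__main__":
    for label, cert, host in [("good", GOOD_CERT, "mail.example.test"),
                              ("self-signed", SELF_SIGNED_CERT, "mail.agency.test"),
                              ("mismatched", MISMATCHED_CERT, "mail.example.test")]:
        print(label, check_certificate(cert, host) or "verifies")
```

The three checks are the ones a sending server skips when it falls back to accepting any certificate: with them enforced, an invalid or self-signed certificate causes the connection to be refused, which is the difference between "insecure against man-in-the-middle" and not.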

Autumn

(45,042 posts)
2. This is the second article I have read that says that this was a
Wed Mar 4, 2015, 07:59 PM
Mar 2015

way to keep her emails safe from Freedom of Information Act requests. Is that true?

 

Demeter

(85,373 posts)
3. I'm just the messenger
Wed Mar 4, 2015, 08:03 PM
Mar 2015

Hillary's been around the privacy issue with Bill's term in office, so I wouldn't be surprised.

BUT, she may be assuming the NSA is on her side, which would be foolish, to say the least.

Erich Bloodaxe BSN

(14,733 posts)
5. It's certainly possible,
Wed Mar 4, 2015, 08:09 PM
Mar 2015

since she would have control over turning over emails and could choose to not turn over all of them, and the only people who could probably prove her to be lying would be the NSA, but she'd have to trust that any she didn't turn over were sent to people who wouldn't turn around and say 'Hey, she didn't send you the emails she sent to me'. Or that the NSA weren't monitoring her to use such as blackmail.

Anything you REALLY don't want FOIA'd, you should have face-to-face unrecorded conversations for.

 

Demeter

(85,373 posts)
6. Clinton email By Lambert Strether of Corrente
Thu Mar 5, 2015, 06:33 AM
Mar 2015

“[Hillary] Clinton did not have a government email address during her four-year tenure at the State Department. Her aides took no actions to have her personal emails preserved on department servers at the time, as required by the Federal Records Act” [New York Times]. One might wonder if Jebbie released all his email (albeit clumsily) because he got a heads-up?
http://www.nakedcapitalism.com/2015/03/200pm-water-cooler-3315.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+NakedCapitalism+%28naked+capitalism%29

http://www.politico.com/story/2015/03/hillary-clinton-used-private-email-account-for-state-department-business-115686.html

“The fact that Clinton’s emails were not a part of official State Department records until recently means many of them would not have been located in response to Freedom of Information Act requests, subpoenas or other document searches conducted over the past six years. That omission seems certain to generate controversy, litigation and more news coverage as various entities demand access to the email trove just as Clinton’s campaign for the White House is expected to be getting underway” [Politico].


It’s like meta-oppo!

http://www.vox.com/2015/3/2/8138203/clinton-emails-bush

“There is simply no way that, when Clinton decided to use her personal email address as Secretary of State, she was unaware of the national scandal that Bush officials had created by doing the same”. [Vox]


I hate to admit this, but Vox is right. They refer to the gwb43.com scandal of 2007, where the Bush administration fired a bunch of U.S. attorneys and got investigated by Congress, whereupon Congress discovered that not all internal White House mail was available, because it had been sent via gwb43.com, a domain controlled by the RNC (!). Clinton’s behavior is consistent with a dynastic member who regards their correspondence as family property, but not with that of an official who regards their office as a public trust...

Sancho

(9,067 posts)
7. Another view...
Thu Mar 5, 2015, 04:59 PM
Mar 2015
http://mashable.com/2015/03/04/clintonemail-cybersecurity/

"Let's assume that Clinton's e-mail setup during her tenure in the White House was managed more tightly than it is today. She set up strong encryption. She had reliable threat monitors in place. Theoretically, all this could have afforded Clinton more security than either a state.gov email or consumer email clients, like Gmail.

In fact, the anonymous security expert who goes by the Twitter handle Infosec Taylor Swift tells Mashable that if Clinton had a "top-flight engineer" managing the mail server, it wouldn't be inconceivable to think that a private set-up could be more secure than that offered by the state."

I suspect no one really knows how secure the email server was unless someone hacked it and proves it was not secure. If the emails are released to the public, it doesn't matter.