Experts tell Gawker: Hillary’s shoddy private e-mail security is a potential national security disaster
posted at 3:21 pm on March 5, 2015 by Allahpundit
We already knew it was bad. Not until you read this will you understand how bad. In fact, I debated with myself whether to even include the word “potential” in the headline. The reason it’s there is because cybersecurity experts can’t say for an absolute fact that foreign governments infiltrated her server. All they can say is that it’s a virtual certainty given how high a priority she is for enemy hackers and how clumsy her defenses were. It’s like a business owner knowing that his store is being cased and choosing to leave the vault unlocked anyway.
You need to read it all to appreciate the extent of the failure. The threshold problem with using private e-mail is that your own cybersecurity is only as good as the company you’re using. If hackers know a way into a commercial server — and Hillary’s e-mail apparently used three different servers — then they have a way into your account potentially. That’s not a major problem for average people but it’s huge when the target is someone being watched by the most sophisticated cyber outfits in the world. Instead of conducting State Department business behind one very well fortified door, i.e. the federal government’s, Hillary placed it behind three less fortified ones. The only reason to do that is if she was more worried about the American public knowing what she was doing than, say, China knowing.
But even that doesn’t fully explain the security lapse. If you’re going to hide behind three less fortified doors, you should at least want to make sure those doors are as fortified as possible. Hillary didn’t:
Security researcher Dave Kennedy of TrustedSec agrees: “It was done hastily and not locked down.” Mediocre encryption from Clinton’s outbox to a recipient (or vice versa) would leave all of her messages open to bulk collection by a foreign government or military. Or, if someone were able to copy the security certificate Clinton used, they could execute what’s called a “man in the middle” attack, invisible eavesdropping on data. “It’s highly likely that another person could simply extract the certificate and man in the middle any user of the system without any warnings whatsoever,” Hansen said.
The invalid certificate would have also likely left Clinton vulnerable to widespread internet bugs like “Heartbleed,” which was only discovered last spring, and may have let hackers copy the entire contents of the Clinton servers’ memory. Inside that memory? Who knows: “It could very well have been a bunch of garbage,” said Hansen, or “it could have been her full emails, passwords, and cookies.” Heartbleed existed unnoticed for years. A little social engineering, Hansen said, could give attackers access to Clinton’s DNS information, letting them route and reroute data to their own computers without anyone realizing. “It’s a fairly small group of people who know how to do that,” Hansen noted, but “it’s not hard—it’s just a lot of steps.”
And that’s not all. Hillary’s server appears to be configured with a public login page, allowing her — or anyone else — to access the server from anywhere in the world with the right login and password. In other words, not only was she beaming confidential information out onto the Internet, where it could have been intercepted at various points, instead of routing it through secure federal government servers, she actually placed a doorway into the server on the Internet so that people with the right key (namely, her) could access it easily. That’s “pretty much the worst thing you can do” to a network that’s meant to be private, let alone sufficiently top secret to serve a cabinet member, said one security expert to Gawker. And on top of all that, there’s a chance that by using a .com domain, Hillary may have inadvertently steered classified government info to innocent people who had no intention of receiving it. From Gizmodo:
He pointed out that there is another valid domain, clintonmail.com, owned by somebody else with the last name Clinton since 2002 (note the lack of an “e,” which is the only difference between it and Hillary Clinton’s domain). “How many emails meant for the Secretary of State has the owner of clintonmail.com received?” Nielsen asked, adding that this isn’t a problem with .gov domains since only the government can register them.
The question is why. Why, if she was resolved to use private e-mail, wouldn’t she pay some cybergenius a half million dollars or whatever rate the Clintons get for an hour’s work these days and get him to build one of the most tightly secured private e-mail servers in the world? We all understand why she wouldn’t want American voters being able to sift through her correspondence at State. What I don’t understand is why she wouldn’t take precautions to keep them away from prying Russian/Chinese eyes too. Remember, she was warned by State’s IT people that private e-mail wasn’t secure. Even if she was a total tech ignoramus, that was her wake-up call to pay someone to secure this server. She didn’t. Even if you think, as I do, that most voters won’t care about this, it’s still a major unforced error by someone who’s been planning to run for president in 2016 since before she became Secretary of State. As it is, imagine President Hillary arguing with Putin over Ukraine circa 2018 and him warning her to stand down or else a few damaging e-mails from her time at State might just end up mysteriously being leaked to the New York Times. She’s left herself wide open to foreign blackmail. Inexplicably.