Politics : Formerly About Advanced Micro Devices


To: i-node who wrote (842643) 3/13/2015 5:58:30 PM
From: combjelly
it is implicit that the State Department IT people OUGHT to be able to do a better job of securing an email server than some unknown IT company in NY.

Not necessarily. My understanding is that company specializes in doing that sort of thing for Fortune 500 companies and high net worth individuals. I imagine they aren't cheap and are very good. Their customer base demands it.



To: i-node who wrote (842643) 3/13/2015 9:00:17 PM
From: FJB
Is Hillary Clinton Vulnerable?
Hackers weigh in on the email coverup.


James Taranto

March 13, 2015 4:28 p.m. ET

More details are emerging about Hillary Clinton’s private email server, and they don’t look good from either a transparency or security standpoint. Time reports on how she determined which emails to print out for the State Department:

For more than a year after she left office in 2013, she did not transfer work-related email from her private account to the State Department. She commissioned a review of the 62,320 messages in her account only after the department—spurred by the congressional investigation—asked her to do so. And this review did not involve opening and reading each email; instead, [Mrs.] Clinton’s lawyers created a list of names and keywords related to her work and searched for those. Slightly more than half the total cache—31,830 emails—did not contain any of the search terms, according to Clinton’s staff, so they were deemed to be “private, personal records.”

In Tuesday’s press conference Mrs. Clinton claimed to have undertaken “a thorough process to identify all of my work-related emails” and to have “provided [printouts of] all my emails that could possibly be work-related.” If Time’s account is accurate, the process was not thorough, and the claim that the printouts included all work-related emails is almost certainly untrue. The search terms the lawyers employed were narrow enough to exclude more than half (51.1%) of all the emails on the server. Are we supposed to believe the terms were also broad enough to include every single email that involved official business?

Moreover, if Time’s account of the lawyers’ method is comprehensive, then they made no effort to shield from disclosure those personal emails that happened to include the selected keywords. Given Mrs. Clinton’s penchant for privacy, does that seem likely? One wonders if perhaps there was a second set of search terms flagging emails to be withheld—and, since she said she “chose not to keep” them, destroyed.

“Hillary Clinton Is More Vulnerable in 2016 Than You Think” read a New York Times headline early this week. The article was an analysis of her approval and disapproval ratings in opinion surveys, but her use of a private server to conduct sensitive official business raises the prospect of another kind of vulnerability—questions even Vox.com raised after the press conference in a piece titled “Clinton Says She Had No Email Security Breaches. But She Doesn’t Know That.”

At the press conference, the former secretary laughably claimed that the server was secure because “it was on property guarded by the Secret Service.” Maybe she’s been watching “House of Cards,” whose second season has a hacking subplot that involves obtaining physical access to a server farm. But of course that’s not how hackers typically operate in the real virtual world.

In a Sunday article for GeekWire.com, Christopher Budd, a specialist in both computer security and public relations, argues that Mrs. Clinton’s use of a private server while secretary of state may “represent one of the most serious breaches in data handling that we’ve ever heard of.” He lists three reasons:
1. The Secretary of State is a very “high value target” from the standpoint of nation-state threat actors. The President, Secretary of Defense and the head of the CIA would also qualify in this top tier. These individuals handle the most important, most sensitive, most dangerous and therefore most interesting information to foreign intelligence.
2. Nation-state threat actors represent the top of the food chain in terms of adversaries in information security. Nation-states can bring the most talent and resources to bear in this arena. For all the worry about cybercriminals and terrorists, everyone in information security looks at nation-state threat actors as the most advanced and sophisticated threat to defend against.
3. Take #1 and #2 together and you have a situation where the very high value targets are threatened by the most advanced and sophisticated offensive information security capabilities out there. Put another way, the best of the best are gunning for those people to get their information.
The third point is critical: if the best of the best are after your information, you need the best of your best protecting it. And there is simply no way that a “homebrew” server is EVER going to have the security and resources appropriate to defend it adequately.

Since Budd wrote, experts and reporters have fleshed out some of these concerns. The Wall Street Journal reported yesterday that according to Venafi, an Internet security company, “the Clinton server was encrypting data it sent and received as of March 29, 2009.” But “during the first two months of her tenure . . . it doesn’t appear that Mrs. Clinton’s email had such protections.”

In a Wednesday blog post, Venafi’s vice president for security strategy and threat intelligence, Kevin Bocek, explains what this means: “During the first 3 months of Secretary Clinton’s term in office, web browser, smartphone, and tablet communications would not have been encrypted. Attackers could have eavesdropped on communications. As well, the server would not have been uniquely identified as being clintonemail.com and therefore could have been spoofed—allowing attackers to more easily trick an unsuspecting user of the site to hand over their [sic] username and password or other sensitive information.”

Even the belated security measures might not have been enough, Bocek explains:

Obtaining the cryptographic key and digital certificate for clintonemail.com would be an important step for attackers seeking to compromise Secretary of State Clinton or others [who] might access the server. With them, bad guys could masquerade as the legitimate site or decrypt what was thought to be private communications. As a standalone Microsoft Windows Server, the site is very vulnerable. In 2013, over 800 trojans were known to steal keys and certificates—and that number has swelled since then. The use of digital certificates on clintonemail.com provides users with the confidence that they are connecting to the real site and communications cannot be inspected. But when on government networks, anyone accessing the site and depending on the certificate needs to be highly suspicious. The site has received tremendous attention and its contents and certificate are likely targets for compromise and misuse.

Fox’s James Rosen reports that “a determined band of hackers, IT bloggers, and systems analysts have trained their specialized talents and state-of-the-art software on clintonemail.com . . . and uncovered serious lapses in security, according to data shared with Fox News”:

Perhaps most concerning, private analysts determined that clintonemail.com has been running an older model of Microsoft Internet Information Services, or IIS—specifically version 7.5, which has been documented to leave users exposed on multiple fronts. The website CVEDetails.com, which bills itself as “the ultimate security vulnerability datasource,” is awash with descriptions of serious security vulnerabilities associated with version 7.5, including “memory corruption,” “password disclosure vulnerability,” and the enabling of “remote attackers to execute arbitrary code or cause a denial of service.”
The cyberlab technician who discovered the Clintons’ use of version 7.5 marveled at “the vulnerabilities the Clintons are ignoring” in an email to Fox News. “This is a big deal and just the thing real-world hackers look for in a target and will exploit to the max,” the source said.
“Several of these vulnerabilities have been known since 2010 and yet HRC is running official State comms through it.”

Mrs. Clinton insisted during her press conference that “I did not email any classified material to anyone on my email.” Even if true, there are three reasons that is not reassuring.

First, as the Journal notes in a Wednesday editorial, “emails between a Secretary of State and others in government don’t have to be classified to be valuable to foreign hackers.” Second, as the Journal points out in a Thursday editorial, “Mrs. Clinton didn’t say she never received classified information via email.”

Third, as former federal prosecutor Andrew McCarthy argues at National Review Online, it depends on what the meaning of “material” is:

In the government, classified documents are maintained on separate, super-highly secured systems. Yes, if security gets lax or you have a determined Ed Snowden type with sufficient expertise, the protections can be defeated. But in general, Mrs. Clinton would not have been able to access classified documents even from a .gov account, much less from her private account—she’d need to use the classified system. In fact, many government officials with security clearances read “hard copies” of classified documents in facilities designed for that purpose rather than accessing them on computers.
That said, there are two pertinent caveats. First, since we’re dealing with Clintonian parsing here, we must consider the distinction between classified documents and classified information—the latter being what is laid out in the former. It is not enough for a government official with a top-secret clearance to refrain from storing classified documents on private e-mail; the official is also forbidden to discuss the information contained in those documents.
The fact that Mrs. Clinton says she did not store classified documents on her private server, which is very likely true, does not discount the distinct possibility that she discussed classified matters in private e-mails. We would not be able to judge that absent reviewing the e-mails. If any of the 31,830 withheld e-mails from the private, non-secure system—involving America’s top diplomat who was in constant discussions with other important diplomats, top military and national-security officials, her trusted advisers, and even the president of the United States—touched on classified matters, that could land Mrs. Clinton in very hot legal water. It would be a powerful incentive to hit the “delete” key.

A frequent complaint from journalists and other advocates of government transparency is that agencies dealing with national security classify far too much material. “I would assume that more than 50 percent of what the secretary of state dealt with was classified,” a “former senior State Department official who served before the Obama administration” tells the New York Times. “Was every single email of the secretary of state completely unclassified? Maybe, but it’s hard to imagine.” (The official requested and was granted anonymity “because he did not want to seem ungracious to Mrs. Clinton.”)

In light of all this, it’s fair to say Mrs. Clinton’s press conference raised more questions than it answered. About the only thing we know for sure is that she is determined “the server will remain private.”
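The point in Bocek's quote above, that without a certificate the server "would not have been uniquely identified as being clintonemail.com and therefore could have been spoofed", comes down to what a client does with the certificate it is shown: it checks that the name in the certificate is the host it meant to reach and that the certificate is currently valid. The following is an added example, not code from the original post, from Venafi, or from any of the reporters quoted. It implements that hostname and validity check over a certificate dict that is constructed to mimic the shape Python's ssl.SSLSocket.getpeercert() returns; the example.test names and dates are placeholders, not values from the page.

```python
"""Hostname and validity verification of a TLS certificate, run offline.

Added example for this thread; not code from the post, from Venafi or from
any reporter quoted. SAMPLE_CERT is a constructed dict shaped like the value
ssl.SSLSocket.getpeercert() returns, so the checks run without a network.
"""
import ssl
from datetime import datetime
from typing import List, Optional

# Constructed sample certificate (placeholder names and dates, not from the page).
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (("DNS", "mail.example.test"), ("DNS", "*.example.test")),
    "notBefore": "Mar 29 00:00:00 2009 GMT",
    "notAfter": "Mar 29 00:00:00 2010 GMT",
}


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a hostname.

    A wildcard is accepted only as the entire leftmost label and matches exactly
    one label: '*.example.test' matches 'mail.example.test' but not 'example.test'
    or 'a.b.example.test'. Bare '*.tld' patterns are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when hostname matches a DNS subjectAltName entry.

    Falls back to the subject commonName only when the certificate carries no
    DNS SAN entries at all, which is how legacy clients behaved.
    """
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_label_matches(name, hostname) for name in names)


def is_valid_at(cert: dict, when: datetime) -> bool:
    """Check the notBefore/notAfter window; ssl.cert_time_to_seconds parses
    the 'Mon DD HH:MM:SS YYYY GMT' strings getpeercert() uses."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= when.timestamp() <= not_after


def assess(cert: Optional[dict], hostname: str, when_iso: str) -> List[str]:
    """Return the findings that should make a client refuse to trust the endpoint.

    when_iso is an ISO-8601 timestamp with offset, e.g. '2009-06-01T00:00:00+00:00'.
    An empty list means the certificate identifies the host and is in date.
    """
    when = datetime.fromisoformat(when_iso)
    if cert is None:
        # No certificate at all: nothing ties the endpoint to the name the
        # client typed, so the session can be intercepted or spoofed.
        return ["no certificate: endpoint is not authenticated and can be spoofed"]
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append(f"certificate does not identify {hostname}")
    if not is_valid_at(cert, when):
        findings.append("certificate outside its validity window")
    return findings


if __name__ == "__main__":
    for host in ("mail.example.test", "webmail.example.test", "example.test"):
        print(host, assess(SAMPLE_CERT, host, "2009-06-01T00:00:00+00:00"))
    print("no cert", assess(None, "mail.example.test", "2009-06-01T00:00:00+00:00"))
```

The wildcard rules are the part that is easy to get wrong: a pattern only matches one label, only at the leftmost position, and a certificate for `*.example.test` does not vouch for `example.test` itself. Real clients should leave this to `ssl.create_default_context()` with `check_hostname` enabled rather than reimplementing it; the function above is spelled out only to show what that setting is checking.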