At her recent press conference, Clinton assured America that her personal email server was secure, that there had never been any security breaches and in fact it was “at a location” guarded by the Secret Service as if Spetsnaz ninjas might attack. Nothing to worry about here folks, time to move on.
Except that is not true.
Clinton’s email was extremely vulnerable. This is not a partisan attack; it is technology.
Clinton’s Email Domain was Accessible Over the Internet and Cell Phones
Online security company Venafi TrustNet has the world’s largest database of digital certificates and associated metadata, allowing it to go back in time and identify how digital certificates were used in the past, a kind of forensics capability for IT security. Here’s what they found on the now-infamous clintonemail.com server, and it is not good.
Using non-intrusive Internet scanning tests routinely performed by IT security teams (meaning foreign intelligence agencies have them too), Venafi learned the Clinton server was enabled for logging in via web browser, smartphone, and tablet. That automatically makes it vulnerable to interception, as the information Clinton was sending and receiving abroad was traveling via other nations’ web infrastructure and open-air cellular networks.
Clinton’s email log-in page was also hung out on the web all pink and naked, meaning anyone who stumbled on it could try and log in, or employ the standard array of password hacking and brute force attacks against it, much like they could with your Gmail account.
Had Clinton used a legitimate State Department email account, none of this would have been a problem. Unclassified State accounts can be accessed in only one of three ways (for security purposes!): A) from inside a State Department facility; B) using a State Department-issued BlackBerry running exclusively on a State Department-owned server; or C) using a one-time code generated by a physical fob device hand-carried by a State employee. No web access. No straight-line cell access. Nope.
Luckily all her communications were encrypted so someone couldn’t just pluck them from the air like some rube sitting in Starbucks using the public WiFi, right? Wrong.
No Encryption
Oops. Clinton’s email traffic was not encrypted for the first three months of her term as Secretary of State.
But luckily Clinton stayed around Washington for that time, right?
Travels with Hillary
Wrong. State Department records show during her first three months in office Clinton had her walking shoes on. Among the 19 locations visited were spying hotspots like China, South Korea, Egypt, Israel, Palestine, a NATO event and a meeting in Switzerland with her Russian counterpart.
But how could she know she was at risk? Well, her own State Department says this about China:
Security personnel carefully watch foreign visitors and may place you under surveillance. Hotel rooms (including meeting rooms), offices, cars, taxis, telephones, Internet usage, and fax machines may be monitored onsite or remotely, and personal possessions in hotel rooms, including computers, may be searched without your consent or knowledge. Business travelers should be particularly mindful that trade secrets, negotiating positions, and other business-sensitive information may be taken and shared with local interests.
Now we’ll grant you that Hillary’s hotel room was closely guarded, but go back and re-read that warning, the part about how electronic communications might be monitored remotely.
Clinton Unclassified
Well, heck, Clinton claims none of the 30,000 some work emails were classified, so what?
Leaving aside exactly what Clinton had to say 30,000 times that somehow never crossed the line into classified, it seems there must have been some sensitive information tucked in there somewhere. For example, the one, single Clinton (unclassified) email that has been released was entirely redacted by the State Department, including Clinton’s personal server email address. The multi-months State Department review process now underway on Clinton’s turned-over emails is designed to redact sensitive information.
So there is something to hide. Too bad it appears likely that the Chinese government has access to information on Clinton the American people can’t be trusted to see.
There’s more.
Spoofing the Secretary
Without a security certificate and encryption for three months, Clinton’s server would not have been uniquely identified as being clintonemail.com and therefore could have been spoofed, allowing attackers to more easily trick an unsuspecting user of the site into handing over their username and password. She was also running a standalone Microsoft Windows Server, which is very vulnerable to attack, with at least 800 known trojans/spyware in existence that can steal keys and certificates. If the credentials on the server were compromised in those first three months (nah, the Chinese and the Israelis would never try that) then the next four years of encryption might have meant nothing.
But don’t worry. Clinton’s most recent digital security certificate was issued by GoDaddy. The domain’s blank landing page is hosted by Confluence Networks, a web firm in the British Virgin Islands, which is sorta a foreign country.
Questions of the Candidate
So, would some reporter please ask Hillary Clinton these two questions:
Where was the NSA? Where was the State Department’s Diplomatic Security technical security staff? Did they just miss all this, or did they report it to Clinton’s staff and were ignored?
What is the price America paid for your personal convenience?
BONUS: By claiming her server was secure, Clinton threw down the gauntlet to America’s geek and hacker communities, who do not take kindly to their moms pretending to know their business. Big tactical mistake…
chuck nasmith said...
Hillary is Bogus…Hope some have a Bingo with the Bonus!
03/13/15 12:58 PM
John Poole said...
Hillary knows she’ll eventually need an all encompassing presidential pardon to avoid prison. That is why she needs to be POTUS.
03/13/15 1:09 PM
Rich Bauer said...
“Where was the State Department’s Diplomatic Security technical security staff?”
Surfing child porn sites apparently.
03/13/15 2:05 PM
chuck nasmith said...
Stop bashing her. Killary is a grandma, a woman. She will nurture U.$. Free Chelsea (and others)!
03/13/15 2:42 PM
wemeantwell said...
Why does Chelsea Clinton need to be free?
(Kidding, I get it)
03/13/15 2:44 PM
chuck nasmith said...
(Correction)… She Nouri$he$.
03/13/15 2:45 PM
chuck nasmith said...
My Bonus statement of the day. Real Patriots will work to have the Patriot Act expire. Go to work or do not pass go, or collect $200, etc.
03/13/15 2:52 PM
Rich Bauer said...
Talk about a corrupt monopoly:
https://snowdenarchive.cjfe.org/greenstone/cgi-bin/library.cgi
03/13/15 2:54 PM
bloodypitchfork said...
Peter said:
“For example, the one, single Clinton (unclassified) email that has been released was entirely redacted by the State Department, including Clinton’s personal server email address.”
Oh, haven’t you heard? It’s been high tech “un-redacted”. It was a reply to Bill. It said.. “Listen you no good, cheating, pig sucking lying sack of shit. I’d rather have a ménage à trois with McCain and Bohner before I’d ever fuck you again.”
God I love high tech.
03/13/15 3:39 PM
John Poole said...
Some ethical cyber Robin Hoods are stealing secrets from the all powerful ruling class in hopes the serfs rebel. They must be baffled why the serfs are very leery of such booty instead of being grateful. Oh, I forgot this is ‘Murika.
03/13/15 3:53 PM
chuck nasmith said...
MY mug, and last comment for awhile. http://www.Daily.com/news/edward-snowden-rally-nyc-interviews-photos/ Enjoy! Have a nice day. Wage Peace…
03/13/15 4:19 PM
chuck nasmith said...
-http:// might work or google it. Back to work.
03/13/15 4:26 PM
Lisa said...
Baba Yaga, redux (arrrgh.)
Can’t we see her decked out in her girl-crush Aung San Suu Kyi Nehru jacket again?
She looked much twinklier and happier then.
03/13/15 8:39 PM
bloodypitchfork said...
Meanwhile, even our good ole Post Office is keeping track on everyone who visits a post office.
http://kdvr.com/2015/03/11/mysterious-spy-cameras-collecting-data-at-post-offices/
Yes Senator Church, we’ve hit the bottom of the abyss. Sorry…no one listened. But hey…at least …the US doesn’t torture.
We outsource it.
https://firstlook.org/theintercept/2015/03/13/cia-director-explains-u-s-outsources-terror-interrogations/#respond
Ya know..I’m just glad my dad, who, as a member of the PBY crew that discovered the Japanese fleet heading towards Midway during WWII, didn’t live to see the nation he fought for, become a putrid, festering perineal abscess on the ass of humanity.
03/14/15 12:05 PM