If you were Vladimir Putin, or President Xi of China, what would you do if you had the entire archive of Hillary Clinton’s emails, classified and unclassified, “deleted” and not, in your hands? What value to you would that be in your next round of negotiations with the president of the United States?
Hillary Clinton traveled to 19 foreign locations during her first three months in office, including China, South Korea, Egypt, Israel, Palestine, and a meeting in Switzerland with her Russian counterpart. During that period of time her email system was unencrypted. She transmitted data over wireless networks in those countries, networks almost certainly already monitored 24/7 by intelligence and security officials. To say her email was not collected is to say the Russian, Chinese, Israeli and other intelligence services are complete amateurs.
They are not complete amateurs.
A System Wide Open to Monitoring
While FBI director James Comey said his investigators had no “direct evidence” that Hillary Clinton’s email account had been “successfully hacked,” both private experts and federal investigators, according to the New York Times, “immediately understood his meaning: It very likely had been breached, but the intruders were far too skilled to leave evidence of their work.”
Comey described a set of email practices that left Clinton’s systems wide open to monitoring. She had no full-time cyber security professional monitoring her system. She took her BlackBerry everywhere she went, “sending and receiving work-related emails in the territory of sophisticated adversaries.” Her use of “a personal email domain was both known by a large number of people and readily apparent… Hostile actors gained access to the private commercial email accounts of people with whom Secretary Clinton was in regular contact.”
The FBI director was generous in his assessment. See, no hacking was really necessary.
But No Hacking was Really Needed
Online security company Venafi TrustNet has the world’s largest database of digital certificates and associated metadata, allowing it to go back in time and identify how digital certificates were used in the past, a kind of forensics capability for IT security. Here’s what they found on the clintonemail.com server, and it is not good.
Using non-intrusive Internet scanning tests routinely performed by IT security teams (meaning foreign intelligence agencies have them too), Venafi learned the Clinton server was enabled for logging in via web browser, smartphone, BlackBerry, and tablet. That automatically makes it vulnerable to interception, as the information Clinton was sending and receiving abroad was traveling via other nations’ web infrastructure and open-air cellular networks.
Clinton’s email log-in page was also on the web, meaning anyone who stumbled on it could try and log in, or employ the standard array of password hacking and brute force attacks against it, much like they did with your Gmail account that was hacked.
The Clinton email setup also was initially running a standalone Microsoft Windows Server, which is very vulnerable to attack, with at least 800 known trojans/spyware in existence that can steal keys and certificates. If the credentials on the server were compromised in those first three months, then the next years of encryption might have meant nothing.
How could someone have gained access to the credentials? Clinton’s most recent digital security certificate was issued by GoDaddy. Her domain’s landing page was at one time hosted by Confluence Networks, a web firm in the British Virgin Islands.
No Smoking Gun?
If anyone had picked up Clinton’s emails from the airwaves or in transit over the Internet (as we know, via Snowden, the NSA does), while they were encrypted, or had acquired the encrypted versions and used the resources of a state security apparatus to decrypt them, there would of course be no forensic evidence to find. Persons working at NSA-like levels actually breaking into systems expend significant energies hiding their intrusions, and such high-level “hacks” have been known to stay hidden for years.
Sure, if the standard is a “smoking gun,” there is none. But such proof is rarely available in the world of global espionage, and decisions and conclusions are made accordingly on a daily basis.
Clinton’s email was extremely vulnerable, and her decision to run it off a private server put at significant risk the security of the United States. This is not a partisan attack or a conspiracy; it is technology.
Copyright © 2017. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity.