How Unsafe Was Hillary Clinton's Secret Staff Email System?
When Hillary Clinton ditched government email in favor of a secret, personal address, it wasn't just an affront to Obama's vaunted transparency agenda—security experts consulted by Gawker have laid out a litany of potential threats that may have exposed her email conversations to potential interception by hackers and foreign intelligence agencies.
"It is almost certain that at least some of the emails hosted at clintonemails.com were intercepted," independent security expert and developer Nic Cubrilovic told Gawker.
Within the instant classic "ClintonEmail.com" domain, it appears there are three separate servers. The domain's blank landing page is hosted by Confluence Networks, a web firm in the British Virgin Islands, known for monetizing expired domain names and spam.
But the real worry comes from two other public-facing ClintonEmail.com subdomains, which can allow anyone with the right URL to try to sign in.
One is sslvpn.clintonemail.com, which provides a login page that apparently uses an SSL VPN—a protocol that allows your web browser to create an encrypted connection to a local network from any internet connection—to users to access their email. That sounds secure, and under the right circumstances, for regular users, it can be. But there are two huge problems with using it for the Secretary of State's communications with her staff and others.
First: Anyone in the world with that URL can attempt to log in. It's unclear what exactly lies on the other side of this login page, but the fact that you could log into anything tied to the Secretary of State's email is, simply, bad. If the page above is directly connected to Clinton's email server, a login there could be disastrous, according to Robert Hansen, VP of security firm WhiteHat Labs:
It might be the administrative console interface to the Windows machine or a backup. In that case, all mail could have been copied.
What's more troubling is the fact that, at least as of yesterday, the server at sslvpn has an invalid SSL certificate. Digital certificates are used to "sign" the encryption keys that servers and browsers use to establish encrypted communications. (The reason that hackers can't just vacuum the internet traffic between your browser and Google's Gmail servers and read your email is that your browser is encrypting the data to a public encryption key. The reason that you know that you are encrypting to Google's key and not to, say, the People's Liberation Army's, is that the Gmail servers have a digital certificate from a trusted third-party confirming that the key is theirs.)
When you attempt to access sslvpn.clintonemail.com using Google's Chrome browser, this is what you see:
The apparent reason for that message is that the certificate used by Clinton's server is self-signed—verified by the authority that issued it, but not by a trusted third party—and therefore regarded by Google's Chrome browser as prima facie invalid. The government typically uses military-grade certificates and encryption schemes for its internal communications that designed with spying from foreign intelligence agencies in mind. But the ClintonEmail.com setup? "If you're buying jam online," says Hansen, "you're fine." But for anything beyond consumer-grade browsing, it's a shoddy arrangement.
Security researcher Dave Kennedy of TrustedSec agrees: "It was done hastily and not locked down." Mediocre encryption from Clinton's outbox to a recipient (or vice versa) would leave all of her messages open to bulk collection by a foreign government or military. Or, if someone were able to copy the security certificate Clinton used, they could execute what's called a "man in the middle" attack, invisible eavesdropping on data. "It's highly likely that another person could simply extract the certificate and man in the middle any user of the system without any warnings whatsoever," Hansen said.
The invalid certificate would have also likely left Clinton vulnerable to widespread internet bugs like "Heartbleed," which was only discovered last spring, and may have let hackers copy the entire contents of the Clinton servers' memory. Inside that memory? Who knows: "It could very well have been a bunch of garbage," said Hansen, or "it could have been her full emails, passwords, and cookies." Heartbleed existed unnoticed for years. A little social engineering, Hansen said, could give attackers access to Clinton's DNS information, letting them route and reroute data to their own computers without anyone realizing. "It's a fairly small group of people who know how to do that," Hansen noted, but "it's not hard—it's just a lot of steps."
"It was done hastily and not locked down."
We don't know, of course, if the current state of Clinton's servers is representative of the security precautions that were in place while she was using it as Secretary of State. The system could have previously been hardened against attack, and left to get weedy and vulnerable after she left government. We don't know. But that's part of the problem—at the Department of State, there is accountability for the security of email systems. If we learned that State's email servers had been hacked or left needlessly vulnerable, there would be investigations and consequences. With Clinton's off-the-books scheme, there are only questions.
The final address behind ClintonEmail is a mail host, mail.clintonemail.com, which will kick back an error message when visited directly:
But if you plug in a different URL with the same mail server, you're presented with a user-friendly, familiar Outlook webmail login:
This is basically no more secure than the way you'd log into AOL, Facebook, or any other website. There's no evidence that Clinton (or her staffers) used this web interface to check their emails, as opposed to logging in through a smartphone or other email software. But its mere existence is troubling enough: there have been five separate security vulnerabilities identified with Outlook Web Access since ClintonEmail.com was registered in 2009. These security bugs include doozies like "a flaw that may lead to an unauthorized information disclosure" (2010) and "a remote attacker can gain access to arbitrary files" (2014).
But even without exploiting software bugs, Hansen says leaving a public login page for something that's meant to be private is "pretty much the worst thing you can do." Clinton's Outlook form could've been susceptible to a brute force attack—where random combinations of words and characters are tried until one of them works—or an old fashioned denial of service assault. "Even if she had a particularly strong password," Hansen said, a brute force attack will "either work eventually—foreign militaries are very good at trying a lot—or it'll fail and block her from accessing her own email."
If Clinton had been using a government account, Hansen explained, her messages with colleagues would all be held within one relatively tidy system, monitored by the federal government. It's the difference between doing your laundry at home and dropping it off. But with a private account, you're introducing many separate points of failure; every single company in this custom system is a place to pry and attack. "Any joe hacker" could get inside with enough knowledge and time, according to Hansen.
"Pretty much the worst thing you can do."
Cubrilovic echoed Hansen's concern: "When you are a staffer in a government department, internal email never leaves the network that the department has physical control over," he told me. But "with externally hosted email every one of those messages would go out onto the internet," where they're subject to snooping.
Security researcher Kenn White agrees that private internet access stirs up too many dangerous variables while emails bounced from person to person:
I think the bigger security concern here is the complete lack of visibility into who has been administering, backing up, maintaining, and accessing the Secretary's email. If classified documents were exchanged, who viewed them? Were they forwarded? Where multiple devices (ie, mobile phones and tablets) configured to access the account? Was encryption required or optional for remote access?
Cubrilovic agreed that opting out of the government's system is an awful idea for someone with a hacker bullseye on her back: "having a high profile target host their own email is a nightmare for information security staff working for the government," he told me, "since it can undo all of the other work they've done to secure their network." The kind of off-the-shelf email service it appears Clinton used comes with a lot of inherent risk, especially since a pillar of her job is overseas travel:
With your own email hosting you're almost certainly going to be vulnerable to Chinese government style spearphishing attacks—which government departments have enough trouble stopping—but the task would be near impossible for an IT naive self-hosted setup.
While some of these hacking scenarios may sound outlandish or far-fetched, keep in mind that Clinton's emails would have been a prime target for some of the globe's most sophisticated state-sponsored cyberwarriors—the Chinese, the Israelis, the Iranians. The very existence of Clinton's private account was revealed by the hacker Guccifer, an unemployed Romanian taxi driver who managed to gain access to former Clinton aide Sidney Blumenthal's AOL account with relative ease. The Hillary account was reported by Gawker in 2013, and White House spokesman Eric Schultz used that story to argue that the Clinton email story was old news: "This was public years ago," he told Business Insider, linking to the 2013 Gawker story.
Which is another way of saying that foreign intelligence agencies have had two years to work on the target.
Photo: Getty
Contact the author at biddle@gawker.com.
Public PGP key
PGP fingerprint: E93A 40D1 FA38 4B2B 1477 C855 3DEA F030 F340 E2C7