Former U.S. Secretary of State, Senator and First Lady Hillary Rodham Clinton has come under fire for her decision to use a private email server rather than a government-issued email account during her four-year tenure as Secretary of State.
Compounding the issue is the fact that Clinton did not opt to use a commercial platform, such as Gmail or Yahoo, but rather her own domain on a personal server, believed to be housed at or near the Clinton family residence in Chappaqua, New York.
The story has been in the spotlight since The New York Times first reported it on March 2, not only because of the questionable legality of her actions, but also because numerous information security professionals have stated that confidential data may have been exposed to or exploited by malicious actors.
Email: Security versus convenience
"I thought it would be easier to carry just one device for my work and my personal emails instead of two," Clinton said. "Looking back, it would have been better if I'd simply used a second email account and carried a second phone. At the time, this didn't seem like an issue."
Clinton said she will not turn over the server for further investigation. She has, however, asked the State Department to make the emails public. State, meanwhile, last October asked her and three previous secretaries for email archives to fulfill Federal Records Act requirements.
A nine-page Q&A released by Clinton's office this week provided details about the matter. According to the report, Clinton submitted approximately 55,000 pages of work-related emails sent and received between March 18, 2009 and Feb. 1, 2013. It said 90% of Clinton's email correspondence from the period was already in the State Department's records because those messages were sent to or received from .gov email accounts. The emails submitted were compiled by filtering for .gov email addresses, names of State Department and other officials, and keywords such as "Benghazi" or "Libya."
The report also said Clinton's account held a total of 62,320 sent and received emails, 31,830 of which were personal in nature and have since been deleted.
Was it legal?
The report maintains that Clinton acted lawfully in the use of her own email account.
"Under the Federal Records Act," the report reads, "records are defined as recorded information, regardless of its form or characteristics, made or received by a Federal agency under Federal law or in connection with the transaction of public business [44 U.S.C. § 3301]."
According to attorney and cyberlaw expert Mark Rasch, Clinton's argument is sound due to the murkiness surrounding the policies. The Foreign Affairs Manual, Rasch wrote in a blog post Wednesday, is "clear as mud" as it does not explicitly state the permitted or prohibited nature of personal email, only saying, "employees must be cognizant of the sensitivity of the information and mandated security controls, and evaluate the possible security risks and then decide whether a more secure means of transmission is warranted."
Likewise, Rasch wrote, a memo sent from Clinton in June 2011 only reiterates the warning in the FAM.
Was it secure?
Legality aside, it is important to consider whether Clinton's home email server was properly secured -- or whether it put the country at risk.
While government officials have used non-government-provided email accounts in the past, Clinton's case differs because it's unclear whether the independently managed server posed an email security risk. Without the defenses of a .gov email (the Department of Homeland Security uses the NSA's data and vulnerability detection technologies to secure its email servers), a home server could fall victim to several attacks, including spoofing, interception and man-in-the-middle attacks.
"Email is one of the least secure services you can run," forensic scientist Jonathan Zdziarski told Wired. "[Clinton's] people might be very good, but no one who really is at the top of their game is going to try to make the claim that they can catch 100% of the attacks."
The reality of email server security
Clinton's Q&A release said "robust protections" were in place, and additional "upgrades and techniques" were "employed over time as they became available, including consulting and employing third-party experts."
However, as Rasch pointed out in a blog post, several questions were left unanswered. "Who set up the server? If it had 'numerous safeguards,' what were they? Did it have NIST and ISO (and FISMA) compliant-layered security? What OS was it running?"
Former FBI cybersecurity expert and Kroll Associates Inc. Managing Director Timothy Ryan told the Washington Post that securing such a server would be a difficult task.
"The layers of security that would have to be employed to make a privately run exchange server as secure as something that is secured by the federal government would be pretty significant," Ryan told the Post. "It's not that it can't be done. I just find it improbable."
Clinton has declined to detail the technologies securing her home server because "given what people with ill-intentions can do with such information in this day and age, there are concerns about broadcasting specific technical details about past and current practices."
Former NSA Director of Information Assurance Richard C. Schaeffer Jr. said standard email security technology wouldn't cut it for an official such as Clinton.
"It would be merely a speed bump for a sophisticated adversary to gain access to everything there," he told the Post. And while a home server may help filter out some attackers, it would have little effect for such a high-profile target.
"On a scale of 1 to 10, she's a 10," Schaeffer added. "When you think of treaties, trade negotiations, anything that the secretary of state would be involved in, she would be an incredibly lucrative target -- maybe even more so than the president."
David Felton, owner of Canaan Technology, told CRN using a home server is risky.
"I would always choose a government-run email system over a civilian-run one," Felton said. "You don't run a mail server out of your house when you have the ability to run it by someone much better and more securely."
Felton also noted that the resources needed to run continuous security monitoring would have made it an arduous task. He also said that finding the criminals who hacked federal systems would be far easier than finding someone who hacked a personal server, because of the additional investigative resources available to government systems.
Also of note, Wired reported the domain name was registered with Network Solutions, the registrar that the hacker known as Guccifer infiltrated to expose the emails of Clinton associate Sydney Blumenthal. Hundreds of other websites registered with Network Solutions were also hacked in January 2010.
Venafi TrustNetwork finds security gap
According to digital certificate security vendor Venafi Inc., Clinton's email server was vulnerable for nearly three months at the beginning of her term as Secretary of State.
Using its TrustNet enterprise certificate reputation service, which identifies certificate misuse, Venafi researchers were able to investigate past digital certificate usage on the server. They found that while the digital certificates used for the clintonemail.com domain since 2009 were obtained validly, there was a stretch lasting nearly three months during which proper security controls were not in use.
"During the first three months of Secretary Clinton's term in office, Web browser, smartphone and tablet communications would not have been encrypted," Venafi Vice President of Security Strategy and Threat Intelligence Kevin Bocek wrote in a blog post Wednesday.
"Attackers could have eavesdropped on communications," Bocek wrote. "As well, the server would not have been uniquely identified as being clintonemail.com and therefore could have been spoofed -- allowing attackers to more easily trick an unsuspecting user of the site to hand over their username and password or other sensitive information."
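The Venafi finding above is, in practice, a certificate coverage gap: a window of time in which no valid certificate identified the host, so clients had nothing to encrypt to or to authenticate against. As an added example (not part of the article and not Venafi's TrustNet tooling), the following Python audit takes a constructed certificate inventory and reports every stretch of a review window in which a hostname had no valid certificate. The hostnames, dates and the CertRecord structure are assumptions made for illustration; the real inventory would come from a certificate management system or from scanning your own servers.

```python
"""Audit TLS certificate coverage for a hostname over a review window.

Constructed example (not from the article or from Venafi): given an
inventory of certificate records, merge their validity intervals and
report any stretch of the review window in which no valid certificate
covered the host. A gap means clients of that host had no server
identity to verify and, for a mail or web front end, no TLS to rely on.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CertRecord:
    subject: str        # hostname the certificate was issued for (assumed field)
    not_before: date    # start of validity period
    not_after: date     # end of validity period (inclusive)


def merge_intervals(intervals):
    """Merge overlapping or adjacent (start, end) date intervals, inclusive."""
    merged = []
    for start, end in sorted(intervals):
        # Adjacent means the next cert starts the day after the previous expires.
        if merged and start <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def coverage_gaps(records, host, window_start, window_end):
    """Return (gap_start, gap_end) pairs, inclusive, where `host` had no valid cert."""
    covered = merge_intervals(
        (r.not_before, r.not_after) for r in records if r.subject == host
    )
    gaps = []
    cursor = window_start  # first day not yet known to be covered
    for start, end in covered:
        if cursor > window_end:
            break
        if end < cursor:
            continue  # certificate expired before the part of the window we care about
        if start > cursor:
            gaps.append((cursor, min(start - timedelta(days=1), window_end)))
        cursor = max(cursor, end + timedelta(days=1))
    if cursor <= window_end:
        gaps.append((cursor, window_end))  # uncovered tail of the window
    return gaps


def total_gap_days(gaps):
    """Sum the length of inclusive (start, end) gaps in days."""
    return sum((end - start).days + 1 for start, end in gaps)


# Constructed inventory: the first certificate for the mail host was not
# issued until April 2009, leaving the start of the review window uncovered.
INVENTORY = [
    CertRecord("mail.example.test", date(2009, 4, 1), date(2010, 3, 31)),
    CertRecord("mail.example.test", date(2010, 4, 1), date(2013, 3, 31)),
    CertRecord("other.example.test", date(2009, 1, 1), date(2011, 1, 1)),
]

REVIEW_START = date(2009, 1, 21)   # constructed review window
REVIEW_END = date(2013, 2, 1)


if __name__ == "__main__":
    for host in ("mail.example.test", "other.example.test"):
        gaps = coverage_gaps(INVENTORY, host, REVIEW_START, REVIEW_END)
        print(f"{host}: {total_gap_days(gaps)} uncovered day(s)")
        for start, end in gaps:
            print(f"  no valid certificate from {start} to {end}")
```

Running the audit against the constructed inventory reports a 70-day gap for mail.example.test at the start of the window and a two-year gap for other.example.test after its only certificate expired. The same routine run over an exported inventory from your own CA or certificate manager shows, per host, exactly when clients were left without a verifiable server identity, which is the question Bocek's analysis raises.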
In other news
- Cisco Systems Inc. announced Tuesday several of its products contained a vulnerable version of OpenSSL that could put enterprise systems at risk. The version of OpenSSL, the open source cryptographic library that fell victim to the Heartbleed flaw last year, predates the latest version released Jan 8, 2015 that fixed eight known flaws. A list of affected products is available on Cisco's website; the company will release free software updates to address the issues.
- In separate OpenSSL news, NCC Group announced in a blog post Monday that the company was ready to start an audit of OpenSSL, one of the "most widely deployed pieces of software in the world," as part of the Linux Foundation's Core Infrastructure Initiative, organized by the Open Crypto Audit project. The company said the code is ready to receive its audit, citing the "effort OpenSSL has been making" lately in achieving milestones on its roadmap, including reducing code library complexity, addressing new issues quickly, and providing better documentation. The audit will focus on TLS stacks, protocol flows, state transitions, memory management, BIOs, cryptographic algorithms and fuzzing. NCC Group said preliminary results should be released at the end of the summer.
- Blue Coat Systems Inc. announced Tuesday that it will be acquired by private equity firm Bain Capital in an all-cash $2.4 billion transaction. Blue Coat CEO Gregory S. Clark said the acquisition will help the company better serve its customers and prepare it for a return to the public market. The Sunnyvale, Calif.-based Web security vendor was taken private following its 2012 purchase by Thoma Bravo for $1.3 billion. The deal is expected to be finalized during the first half of 2015, following closing conditions and regulatory approvals.
- Kaspersky Lab released additional details Wednesday about the Equation Group espionage campaign. According to Kaspersky, the group used a platform dubbed "EquationDrug" that further solidified its standing as one of the most advanced and sophisticated hacking groups ever discovered. New research reveals the group's malware dates back to at least 2003, and perhaps even as early as 1996. While Kaspersky researchers did not specifically call out those behind the nation state-sponsored attacks, other outlets have recognized code names in Kaspersky's research that bear a striking resemblance to those used by the NSA, most notably "BACKSNARF-AB25," a code name found embedded in a recent EquationDrug sample that was also mentioned in a document about NSA TAO projects.