As the FBI investigates the private email account Hillary Clinton used while serving as Secretary of State, more questions are being raised about just how safe and secure her private email server really was. Of course, the biggest question of all is, could it have been hacked?
While the government has yet to indicate that any such breach actually took place, email software and servers certainly are vulnerable to attack. In fact, earlier this year hackers (believed to be Russian) breached the unclassified email systems of both the State Department and White House. However, what makes Clinton's use of a private server more concerning is that we may never know whether or not it was breached, and if so, how much sensitive information was actually compromised.
Unlike government-hosted email accounts which are regularly monitored and logged by government IT staff, Clinton's privately owned and operated server did not have to follow such steps -- and it appears they didn't. Therefore, since there aren't any records that would help investigators to determine if unusual activity was occurring on the server, we may never really know if the server was breached.
Due to how Clinton configured her private email server, there are several ways state-sponsored hackers could have compromised her account:
- Remote Code Execution - One way to hijack an email account is by exploiting flaws in the software used to manage it. In Clinton's case, her email account was hosted on a Microsoft Exchange 2010 server, running on a Windows Server 2008 instance (with Internet Information Server 7.5) -- the latter of which had a number of significant vulnerabilities reported around the time she would have been using it. These vulnerabilities included buffer overflows, cross-site scripting, cross-site request forgery and memory corruption. There's a strong possibility that foreign governments may have uncovered these as "zero-day" exploits before Microsoft was able to issue patches to fix them or before the patches were applied by the hosting provider. If that is indeed the case, foreign intelligence services could have used these vulnerabilities to get inside her email account without her realizing it.
- Password Attacks - Another way into an email account is to simply guess the password. Weak passwords trump strong security. A good example of this is the Romanian hacker Guccifer. In 2014 he showed just how easy it was to spy on the emails of high-level politicians, government/military officials and celebrities, by guessing passwords or answering security questions. In Clinton's case, however, she had an added problem: her hosted mail server had Outlook Web Access enabled. OWA is vulnerable to brute-force attacks. Brute-forcing is the same technique that was believed to have been used in last year's highly publicized "Find My iPhone" hack that led to celebrity photos being exposed.
- Man-in-the-Middle - Hackers may also have attempted a man-in-the-middle (MiTM) attack to gain access to Clinton's email account. This could have been done in a couple of ways, such as domain name system (DNS) poisoning, which redirects a user trying to connect to a legitimate server -- like clintonemail.com -- to a fake one, such as a Russian- or Chinese-spoofed version of the same website. Because her email server was originally kept at her house in New York, this may have been easier to pull off initially rather than after it was moved to third-party hosting providers. Additionally, foreign hackers could have spoofed a digital certificate -- this is what's used to prove identity -- to intercept her email. In 2014, for instance, it was discovered that dozens of phony SSL certificates were circulating on the web for sites like Google, Facebook, GoDaddy and others. Clinton used a GoDaddy digital certificate in 2013.
- Heartbleed - Clinton opened her private email account in January of 2009, and it wasn't until October of 2010 that she moved it to a hosted Microsoft Exchange 2010 server. Those dates are important, because it wasn't until 2014 that an extremely dangerous vulnerability known as "Heartbleed" was discovered in OpenSSL, the widely used open-source implementation of SSL/TLS, which could allow hackers to eavesdrop on protected communications. It's unclear if the original server configuration Clinton used for the first 22 months of her government term was susceptible to this security flaw, but chances are, it was. (However, once Clinton moved her account to a Microsoft server, it would no longer have been vulnerable, since Microsoft's TLS stack does not use OpenSSL.)
- Sniffing Email Traffic - By default, most email is sent in clear text and can be intercepted. However, even if the email is encrypted, it may still be possible to decrypt it if the encryption tool isn't strong enough, or a mistake is made by the user. In the case of Clinton's email, one security firm found that the server had no encryption enabled for the first three months it was in use, nor did it have a valid digital certificate. During that time, Clinton traveled widely, to China, the Middle East, and elsewhere -- and her email was highly vulnerable to hackers. Had she used a government-run email account, she would have benefited from its industry standard digital certificates and military-grade encryption, which are designed specifically to thwart foreign intelligence services.
- Backdooring the IT Provider - Clinton used a few different IT companies to set up, manage and upgrade her personal mail server. At the end of her tenure as Secretary of State, she hired a small IT firm in Colorado (which had not been cleared to handle classified material and had never landed a federal contract before) to take over the email server she had used while in office. Each one of these private entities was a potential target for state-sponsored hackers, who could have used social engineering, web application exploits or blackmail/bribery to gain a foothold on their networks in order to infiltrate Clinton's email server or obtain access to any backups that may have been created.
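The article's central monitoring point is that a privately run server kept no records that would let investigators spot unusual activity, while the "Password Attacks" item notes that an Internet-facing Outlook Web Access logon can be brute-forced. The following script, added here as an illustration and not part of the original article or of any product, shows the kind of check a defender would run over web-server logs: it reads records in IIS W3C extended log style and flags any source address that accumulates too many failed logons inside a sliding window, or that tries many different account names (password spraying). The log lines are constructed sample data; the `/owa/auth.owa` path, the use of HTTP 401 as the failure signal, the field order and the thresholds are assumptions chosen for the example, not values taken from any real deployment.

```python
"""Sliding-window detector for credential brute-force against an OWA/IIS front end.

Added example, not from the original article. The input is constructed in IIS W3C
extended log style (a '#Fields:' header naming the columns, then one space-separated
record per line). The paths, thresholds and the 401-as-failure assumption are
illustrative; forms-based OWA logons typically answer a bad password with a redirect
rather than a 401, so the predicate below would need adapting to a real deployment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed request paths that accept credentials on an Exchange front end.
AUTH_PATHS = ("/owa/auth.owa", "/owa/", "/ews/")
WINDOW = timedelta(minutes=5)   # sliding window over which failures are counted
THRESHOLD = 5                   # failures from one source inside the window
SPRAY_USERS = 3                 # distinct accounts tried from one source

# Constructed sample log (documentation-range IPs, made-up account names):
# one legitimate session, one source hammering a single account, and one
# source trying several accounts in quick succession.
SAMPLE_LOG = """\
#Software: constructed sample in IIS W3C style, not a real log
#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status
2013-03-01 08:00:01 203.0.113.7 POST /owa/auth.owa - 302
2013-03-01 08:00:20 203.0.113.7 GET /owa/ user1 200
2013-03-01 08:01:00 198.51.100.9 POST /owa/auth.owa admin 401
2013-03-01 08:01:02 198.51.100.9 POST /owa/auth.owa admin 401
2013-03-01 08:01:04 198.51.100.9 POST /owa/auth.owa admin 401
2013-03-01 08:01:06 198.51.100.9 POST /owa/auth.owa admin 401
2013-03-01 08:01:08 198.51.100.9 POST /owa/auth.owa admin 401
2013-03-01 08:30:00 192.0.2.44 POST /owa/auth.owa alice 401
2013-03-01 08:30:01 192.0.2.44 POST /owa/auth.owa bob 401
2013-03-01 08:30:02 192.0.2.44 POST /owa/auth.owa carol 401
"""


def parse_iis_log(text):
    """Yield one dict per record, naming columns from the '#Fields:' header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):        # other directive lines (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("record seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):  # malformed record: skip rather than misalign
            continue
        yield dict(zip(fields, values))


def is_failed_auth(rec):
    """Failure = request to a credential-accepting path answered with HTTP 401 (assumed)."""
    return rec["sc-status"] == "401" and rec["cs-uri-stem"].lower().startswith(AUTH_PATHS)


def detect_bruteforce(text, window=WINDOW, threshold=THRESHOLD, spray_users=SPRAY_USERS):
    """Return a list of (kind, client_ip, detail) alerts, at most one per kind per IP."""
    failures = defaultdict(deque)   # c-ip -> timestamps of failures still inside the window
    users = defaultdict(set)        # c-ip -> distinct account names attempted
    alerted = set()
    alerts = []
    for rec in parse_iis_log(text):
        if not is_failed_auth(rec):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        recent = failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop failures that aged out
            recent.popleft()
        if rec["cs-username"] != "-":               # IIS writes '-' for an empty field
            users[ip].add(rec["cs-username"])
        if len(recent) >= threshold and ("bruteforce", ip) not in alerted:
            alerted.add(("bruteforce", ip))
            alerts.append(("bruteforce", ip, f"{len(recent)} failures within {window}"))
        if len(users[ip]) >= spray_users and ("spray", ip) not in alerted:
            alerted.add(("spray", ip))
            alerts.append(("spray", ip, f"{len(users[ip])} distinct accounts tried"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {kind}: {ip} ({detail})")
```

Run against the sample, the detector raises one brute-force alert for 198.51.100.9 (five failures in eight seconds against `admin`) and one spraying alert for 192.0.2.44 (three account names in three seconds), while the legitimate 203.0.113.7 session is ignored. The point for the article's argument is that a check this simple only works if the logs exist in the first place; without them there is nothing to run it over.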
No email account is 100 percent safe from hackers, ever -- but the federal government does have better capabilities for defending classified communications, since it has access to military-grade security controls. Going forward, our government needs to do a better job of making sure that public officials keep their communications within these more fortified networks, in order to improve both security and accountability.