The Associated Press is exposing the security flaws in Hillary Clinton’s email setup, and it’s devastating. Some of the details they amassed have been known or suspected since early in the scandal, but seeing them all together, with some new details, paints a picture of hair-raising reckless vulnerability.
One cyber-security expert quoted in the piece described Clinton’s server as “total amateur hour.”
The big news comes right up front:
Clinton’s server, which handled her personal and State Department correspondence, appeared to allow users to connect openly over the Internet to control it remotely, according to detailed records compiled in 2012. Experts said the Microsoft remote desktop service wasn’t intended for such use without additional protective measures, and was the subject of U.S. government and industry warnings at the time over attacks from even low-skilled intruders.
Records show that Clinton additionally operated two more devices on her home network in Chappaqua, New York, that also were directly accessible from the Internet. One contained similar remote-control software that also has suffered from security vulnerabilities, known as Virtual Network Computing, and the other appeared to be configured to run websites.
Good Lord. Closing off Remote Desktop access is Security 101 stuff. If zero-day exploits were drunken party guests, even “Dead Broke” Clinton’s vast estate in Chappaqua wouldn’t have enough bedrooms to put them all up for the night.
The AP exclusively reviewed numerous records from an Internet “census” by an anonymous hacker-researcher, who three years ago used unsecured devices to scan hundreds of millions of Internet Protocol addresses for accessible doors, called “ports.” Using a computer in Serbia, the hacker scanned Clinton’s basement server in Chappaqua at least twice, in August and December 2012. It was unclear whether the hacker was aware the server belonged to Clinton, although it identified itself as providing email services for clintonemail.com. The results are widely available online.
Remote-access software allows users to control another computer from afar. The programs are usually operated through an encrypted connection — called a virtual private network, or VPN. But Clinton’s system appeared to accept commands directly from the Internet without such protections.
“That’s total amateur hour,” said Marc Maiffret, who has founded two cyber security companies. He said permitting remote-access connections directly over the Internet would be the result of someone choosing convenience over security or failing to understand the risks. “Real enterprise-class security, with teams dedicated to these things, would not do this,” he said.
The government and security firms have published warnings about allowing this kind of remote access to Clinton’s server. The same software was targeted by an infectious Internet worm, known as Morta, which exploited weak passwords to break into servers. The software also was known to be vulnerable to brute-force attacks that tried password combinations until hackers broke in, and in some cases it could be tricked into revealing sensitive details about a server to help hackers formulate attacks.
“An attacker with a low skill level would be able to exploit this vulnerability,” said the Homeland Security Department’s U.S. Computer Emergency Readiness Team in 2012, the same year Clinton’s server was scanned.
But Hillary thought it was good enough for a Cabinet secretary’s server, which ended up improperly handling classified and Top Secret information. The AP notes for the record that remote-access connections are banned on official State Department systems.
Several other security experts are quoted in the article expressing astonishment that such basic network security principles were ignored. Alas, we may never have the answer to the question professionals always ask when confronted with an amateur-hour performance – what were they THINKING? – because the amateurs refuse to answer questions. Clinton’s IT adviser, Bryan Pagliano, pled the Fifth to avoid discussing her server. When was the last time you heard about a computer tech invoking his Fifth Amendment rights against self-incrimination to avoid answering reasonable questions about his work?
As for the proprietor of this shaky server, she’s taken to shrieking about Vast Right Wing Conspiracies and the House Benghazi Committee every time she’s asked about cyber-security. I wouldn’t hold my breath waiting for the CNN debate anchors on Tuesday night to hit Hillary Clinton the way they would hit a Republican, by asking a bunch of technical questions about her server and forcing her to stammer out the admission that she doesn’t understand the nuances of computer security. The devastating follow-up would then be, “In that case, Republican Candidate, why did you take it upon yourself to ignore State Department regulations, wave aside the concerns of government security specialists, and set up your own mail server?”
Fortunately, Democrats don’t have to worry about such things, so for the moment Team Clinton’s rhetorical Band-Aid – claiming there’s no proof her server actually was hacked – is holding, barely. That’s a silly evasion, because getting lucky and escaping the attention of hackers wouldn’t let Clinton off the hook for putting U.S. national security at risk.
Also, the kind of exploits her server was vulnerable to are precisely the sort that allow hacking with minimal traces of the intruder’s presence. Most of the big hacking capers making the headlines involved intruders who went undetected for months or years, in systems vastly better secured and maintained than Hillary Clinton’s. Foreign intelligence services take pains to keep secrets they have pilfered, and their methods, quiet for as long as possible, since stolen information loses much of its value once the target becomes aware of the theft.
The AP’s review makes it clear hackers were aware of Clinton’s email system – which the SecState and her crack cyber squad helpfully named “clintonemail.com,” so the hackers knew exactly what they were looking at – so it would be a minor miracle if none of those Amateur Hour vulnerabilities were exploited.