More Concerns About the Security Of Hillary’s Email Server

AP Photo/Seth Wenig

While the legal ramifications of Hillary Clinton’s private email server are debated, questions continue to swirl around just how secure the system was. Of course, she could answer many of those swirling questions by handing the machine over for independent review, but she adamantly refuses to do so, leaving cybersecurity experts to dissect the server’s home page, and emails Clinton has sent in the past.

A note on the latter point: it was widely claimed by Clinton defenders in the early days of the scandal that she handed some 55,000 emails to the State Department when it asked for her correspondence, long after she left office. That’s not true.

The actual number of emails tendered by Hillary Clinton is zero. She produced 55,000 pages of printed copy concerning her email, which may not include all of the information that would be contained in the electronic records – a point that can be made without even getting into the matter of whether her hard copies were deliberately doctored. There is data built into electronic mail that would not be included in printouts, even those made in good faith.

The Wall Street Journal passed along an eye-opening revelation about the security profile of Clinton’s server from the early days of her Secretary of State tenure: “Kevin Bocek, a vice president at the Internet security company Venafi, said the Clinton server was encrypting data it sent and received as of March 29, 2009, about two months after she took office, based on a search he did of Internet records. During the first two months of her tenure, however, it doesn’t appear that Mrs. Clinton’s email had such protections, Mr. Bocek said.”

Two months without encryption for the Secretary of State’s emails?

James Rosen of Fox News rounded up some security experts and “white hat” hackers to poke the system with virtual sticks and see what they could learn about it. For starters, they were able to piece together its current physical location – it appears to have been moved from the Clinton estate in Chappaqua and relocated to somewhere near City Hall in Manhattan, “most likely former President Clinton’s Harlem office.” Clinton has been boasting that the server’s physical security was guaranteed by the Secret Service; are they on duty at the Harlem office as well?

The server is still online, or at least it was as of the time Rosen’s security experts performed their tests. They found it unsettling that they were able to learn its location, and so much else about the machine, so easily. They dismantled its front page and learned the system is running obsolete versions of Microsoft Outlook Web Application and, more disturbingly, Microsoft Internet Information Services (IIS)… which basically leaves Clinton’s homebrew server vulnerable to numerous documented security flaws fixed in later releases. Included in a list of those flaws reviewed by Fox News were memory corruption, a password disclosure vulnerability, and the ability of remote attackers to “execute arbitrary code or cause a denial of service.”

One of Fox News’ security experts called this “a big deal, and just the thing real-world hackers look for in a target and will exploit to the max.” Some of the vulnerabilities present on Clinton’s server date back to 2010.

Just for good measure, it turns out the encryption software Clinton’s system began running after two months was configured improperly. A security expert working for Bloomberg News found that the encryption system was using the default security certificate provided by the manufacturer, rather than a customized certificate. That wouldn’t automatically leave Clinton’s communications wide open, but it was described as a “bewildering” decision for someone in a sensitive position.

Then there’s the question of the portable device or devices Clinton was using to access her private mail server. She’s been inconsistent about how many such devices she uses, claiming in her news conference at the U.N. that she only bothered with creating a private mail system because she didn’t want to carry more than one device, but previously describing herself as a “hoarder” of electronics who has at least four of them.

The State Department now claims that Clinton was never issued an official departmental BlackBerry… which would argue against one of the excuses offered in Clinton’s defense, that she couldn’t have checked both personal and State Department mail accounts from such a device. She wasn’t using one.

So what was she using? She’s been ostentatiously photographed holding a BlackBerry – inconveniently during one of those “no email” blackout windows congressional investigators have been complaining about. In her memoir, she said she used an iPad, which she said she had “fallen in love with” and took everywhere she travels. According to Fox News, she was told not to use an iPad by State Department security, but she did it anyway, and the security of the device cannot be verified.

Watchdog group Judicial Watch has a source inside the State Department who said Clinton’s team badgered the Office of Security Technology with at least half a dozen demands to approve the use of Apple phones and tablets… all of them denied, because Apple devices didn’t meet the strict security standards of the agency. The source said “there was a lot of head-scratching” about Clinton’s dogged determination to use the unapproved devices.

Her memoirs say she loved her iPad and took it everywhere, but she made a point of getting herself photographed with a BlackBerry… and the whole reason she built her off-the-books, Federal Records Act-defying mail system was because she didn’t want to carry two devices? If Clinton fans had enough self-respect to keep track of Bill and Hillary’s fibs, that would cause her some embarrassment.

If her security lapses were exploited by hackers or foreign intelligence agencies, the fallout will be worse than embarrassing. Clinton’s cavalier attitude toward security is astonishing, and no amount of parakeet chirping from her flacks about how the best possible practices were followed will obscure the reality of what outside experts are learning about the Clinton email system.

