Early this month, security firm Venafi reported that former Secretary of State Hillary Clinton used her private email in conjunction with a private server at her house to conduct formal State Department business. It is State Department security policy that any official correspondence be done on the State Department secured system, or, under certain circumstances, military or CIA equipment.
Not only did Clinton keep her entire email correspondence outside the State Department system, for the first three months she was Secretary of State, access to her personal email server was not encrypted or authenticated by a digital certificate. During that time, she traveled to China, Egypt, Israel, South Korea and other places outside the U.S.
We have invited our own web site host, Jay Donovan of Techsurgeons, LLC, to explain the security implications.
~ Piper Bayard & Jay Holmes
* * * * * * * * * * * * *
Hillary’s Unencrypted Emails – What Difference Does It Make?
By Jay Donovan
As Vice President Biden once said, “It’s a big ****ing deal.”
To understand why this lack of encryption is significant, we need to go a little bit into the tech. Don’t worry, I’ll keep it brief.
Digital certificates are used to prove that a site is run by the actual person or group. Certificates vary in strength depending on the submitted proof of identity. Certificates are created and validated by Certificate Authorities.
With a certificate, “keys” can be created for securely encrypting network connections and files. If you suffer from insomnia, Wikipedia has a fine technical explanation of how key cryptography works.
Okay, that’s all the technical background we need. Now, let’s talk a little about how an email server without a certificate is insecure.
Without a certificate and the related keys, a mail server cannot encrypt anything. Not only would any email be transmitted “in the clear,” but passwords would be, as well. Anyone with the ability to view the information transmitted over the network path between the device and the server could eavesdrop on the conversation. This includes anyone on the same Wi-Fi network. When former Secretary of State Clinton was abroad, and she was behind a foreign national firewall or on a foreign government network, you can bet that country’s intelligence officers were monitoring and recording all of her communications.
It’s not just the link between the users and the private email server that’s insecure. It’s also the link between the private mail server and government mail servers. Without a certificate, all communications between mail servers is, again, “in the clear.”
Here’s the dirty little secret about email.
Messages are almost always stored on the servers in plain text. Anyone with administrator access to a server can read any email stored on said server. There are ways to encrypt email on the server so the admin can’t easily read it, but if the email is encoded or decoded on the server, an unethical administrator can see it. This is especially bad if the server administrators do not have security clearance.
Buying a reasonably secure certificate and configuring the mail server to require encrypted connections for devices can be done in half a day. If the server didn’t require encrypted conversations, any device that wasn’t reconfigured to use encryption would still be transmitting email and passwords “in the clear.” For safety sake, all passwords should have been changed during the switch from the communications being unencrypted to being encrypted.
And the grand finale – why former Secretary of State Clinton’s email server made classified information ripe for the picking.
Having read the above, you’re probably a few steps ahead and realize that the idea that Secretary of State Clinton did not receive classified information on her phone is implausible. In her press conference, she made a specific reference to classified documents. Technically and legally, there is a difference.
Classified documents are generally physical documents and have specific handling procedures. Classified electronic documents are on a separate network and require clearance – this is why Edward Snowden’s ability to copy what he did is such a big deal. He breached the security on the ‘secure’ network.
There are many classified mailings that go out, including daily status reports regarding the assorted diplomatic hot spots and troubled areas. It’s just inconceivable (and yes, I know what the word means) to think that not a single classified email was sent to the Secretary of State.
And if her email password was not changed regularly, someone who grabbed her password when communications were insecure could simply have set up an email program to log in to the server with Sec State Clinton’s email credentials and copied every message sent or received from her account.
My feelings regarding SecState Clinton’s private email server are best described by the German word “fremdschämen.” The word means “vicarious embarrassment,” as I’m embarrassed for the people involved with the creation and use of a dangerously misconfigured email server.
* * * * * * * * * * * * *
Jay Donovan of TechSurgeons, LLC, has done it all, from remotely debugging the Internet connection for a US aircraft carrier deployed to *REDACTED*, to building the servers & networks for one of the largest Internet sites in the world. He’s trained as a Certified Ethical Hacker and always uses his geeky powers for good. When he’s not neck deep in wires and computer parts, you’ll find him hanging out on Twitter as @jaytechdad or on Facebook. He is the co-founder of TechSurgeons, LLC and can be contacted at firstname.lastname@example.org.