Cybersecurity 101: A Case Study of Clinton’s E-Mail

Originally I wrote this blog post in the summer of 2016 after reading this article from Gawker.com. Nearly a year later I am surprised to see that we still do not have closure on the issue of Hillary Clinton’s e-mail servers. In 2016 I did not want to draw negative attention to myself for being one of the obviously right-wing nut-jobs who would do anything to prevent a female from being President. Two years later, it is still not safe for people to support Donald Trump, criticize Hillary Clinton, or speak out against Barack Obama. Despite the negative attention I may draw, here is a modified version of the blog post that I have kept in draft status here on WordPress since May 2016, with edits extending to August 2016 and today’s edit in August 2017.

Clinton’s Cuckoo’s Egg–Scrambled, Over Easy

Cybersecurity experts and students alike are no doubt familiar with the book “The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage”, the story of Clifford Stoll’s hunt for a computer hacker. If Mr. Stoll had to write a story about Hillary Clinton’s folly in mishandling computer data and the duplicity and outright arrogance that followed, I am certain that book would be called “The Cuckoo’s Egg–Scrambled, Over Easy: Tracking a Politician Through the Maze of Cyber Insecurity”. Hillary Clinton and her staff repeatedly exposed classified information to America’s adversaries through repeated, constant incompetence and arrogance. As is the nature of cyber, we as a nation may never know the degree to which Mrs. Clinton’s transgressions have harmed national security and cast doubt on the competence of the United States as a government worthy of safeguarding information.

Here is a quick timeline of the events that transpired:

  • 2008 – Clinton’s staff registers clintonemail.com.
  • 2009 – Clinton’s staff begins using the personal server for government communication. Note: The U.S. Government has acknowledged at various times that the practice of using private servers for government work was not illegal at the time (it was banned by policy later in the year); it was discouraged and was permitted as long as Government employees followed Government regulations regarding preservation of official copies and proper handling of classified data.
  • 2012 – Clinton’s private server is re-architected to use Google cloud for backup. Later in the year, Congress begins an investigation into the servers.
  • 2013 – Alleged hacker “Guccifer” exposes Mrs. Clinton’s inappropriate use of the server. Hillary Clinton changes accounts once her staff informs her of a security compromise and moves the backups to a company associated with McAfee.
  • 2013 – The U.S. Government clarifies and amplifies its rules concerning use of personal e-mails and the need to maintain official copies of all e-mails used in an official capacity. Note: Government policy states that Government employees using e-mail accounts from official accounts are still subject to Government record-keeping and security practices.
  • 2014 – The U.S. Government, namely the U.S. State Department, requests that all former secretaries of state hand over any records in their possession for proper record keeping. (As the State Department cleaned up its cybersecurity policies, it decided to grandfather the rules to all former secretaries of state.) Hillary Clinton handed over 30,000 e-mails. Some reports show that 7,500 of those messages were classified. Some estimates show that a rather large number of messages from 2009 to 2011 were deleted using an application called “BleachBit”.
  • 2015 – The State Department and Congress independently discover proof that Hillary Clinton deleted e-mails that she was not authorized to delete, and that her reports to the State Department and Congress were inconsistent. The State Department begins releasing Clinton’s e-mails for public inspection at the behest of a federal judge. The State Department determines that approximately 300 e-mails pertaining to Benghazi were either classified or inappropriately safeguarded, and 15 messages known to have been exchanged with the State Department had been deleted from Clinton’s servers. Later that year, Congress independently assesses a large, undetermined number of the Clinton e-mails to be classified. An intelligence community (IC) assessment declares five messages to be classified, and a follow-up assessment with other IC classification authorities later in the year increased that number to about 125. Note: The Congressional panel more than likely made the assessment that hundreds of Clinton’s e-mails were classified as “Secret Collateral” or “Confidential”; the IC assessment likely focused on the few messages that would have been “Top Secret, Sensitive Compartmented Information” or “Secret, Sensitive Compartmented Information”. Media reports appear to be confusing, because members of the media do not have the background to ascertain contextual differences between the assessments. In October, a Congressional inquiry with Datto Inc shows that one of the older servers had been moved into the basement of a private residence, and had not been included in the earlier data dumps.
  • 2016 – The State Department fails to meet its goals with public release of Clinton’s e-mails and extends its own release deadline. 22 e-mails are withheld from public release due to classification issues, possibly “Top Secret, Special Access Required” at most, “Top Secret, Sensitive Classified Information” at least, to be determined by other agencies outside the State Department. The State Department releases another batch of e-mails and withholds 84 one week that were deemed to be “Secret Collateral”, then withholds another 64 the following week that were “Confidential”. FBI Director James Comey makes a statement that Clinton did mishandle classified information, but that the case would not go far in court. The FBI publishes its findings in the summer of 2016.
  • Summary: The State Department deemed that hundreds of Hillary Clinton’s e-mails were classified as high as “Secret Collateral”. The Intelligence Community deemed that dozens of the e-mails were classified as high as “Top Secret, Sensitive Compartmented Information” or, possibly, “Top Secret, Special Access Required”. The FBI generally states that Hillary Clinton mishandled classified information, but should not face criminal charges.

My co-worker and I ran our own security scans against https://mail.clintonemail.com/owa/ and https://sslvpn.clintonemail.com/ and discovered that, despite repeated exposure of the server weaknesses, Clinton’s cybersecurity experts had not significantly improved computer security.
