Tempest in an Email Server: Hillary Clinton and the Politics of IP Addresses

September 23, 2015
By: Special Guest
Ken Simpson, CEO, MailChannels

The political controversy stirred up by Hillary Clinton’s use of a private email server for U.S. government correspondence when she was Secretary of State reached a tipping point on September 9, 2015 – the date she finally apologized during an ABC News interview, saying she was “sorry for that.”

Clinton’s initial stance following the revelation of her email use back in March was that the private email account was “aboveboard” and allowed under State Department rules. In fact, Colin Powell used a private email account when he was Secretary of State.

But times have changed since Powell’s tenure ended in 2005. The war against cyber criminals has heated up to the point where it’s a constant arms race. Web hosting companies and Internet service providers use increasingly sophisticated weapons to fight hackers, yet they still find ways to compromise servers and infect machines, applications and network users.

With Clinton choosing a secret, personal IP address for email instead of government email there lies a number of potential threats that may or may not have exposed her email conversations (or classified information) to interception by hackers and foreign intelligence agencies. Despite Secret Service providing physical security for Clinton’s server (which is awesome – most servers don’t have that kind of blue chip physical security), nobody knows how well her server was secured against electronic attacks.

It’s all about the outbox

Industry has mostly focused on the email inbox to fix the cybercrime problem. Spam filters now enable the average email user to avoid unwanted email most of the time.

But email messages sent by hackers trying to compromise specific accounts are difficult to stop at the inbox because, by their nature, they are targeted. Which means it’s unlikely an organization will see more than a handful of samples of each attack – not enough to mount an effective defense through data mining techniques?

The real war is happening in the email outbox, not the inbox. One way for cybercriminals to infiltrate inboxes is to first gain access to outbound mail servers, or the applications and services that use them. They use this back door to gain access to a hosting company’s email system and its users, and can send out thousands of spam or phishing emails before being discovered.

Unknowing users see an email come from a trusted name and IP, never anticipating that simply opening the email could result in the hack of sensitive data with the ability to cause immeasurable monetary, business and personal damage. Meanwhile the sender whose outbox was hacked is blacklisted while the spammer moves on to another service provider and a new set of victims. 

Did Clinton or her staff even think about the potential damage her outbox could do while setting up her personal mail server? Imagine emails supposedly from Clinton, but sent by an adversary? It's the ultimate state level phishing attack vector.

Sophisticated adversaries such as China and Russia could have exploited vulnerabilities in her personal server and gained access to sensitive information being discussed over email via that server.

Adversaries would definitely have known about the server because the domain names to which their heads of state and key staff were sending emails were known. Anyone working at Mossad or another intelligence agency could locate the server hosting the email for that domain, and it would immediately become a target for a concerted attack. Clearly the value of knowing what Clinton was discussing with a range of key people around the world would be valuable intelligence.

Although this is total speculation, Clinton’s server is now in the hands of the FBI for forensic testing. A number of her emails have been classified retroactively due to the nature of the information.

Assuming Clinton had a capable system administrator – someone keenly aware of operational security – her server would have been kept up to date with the latest security patches, would have been locked down with minimal services running to minimize the attack surface, and would have been monitored closely for anomalies.

However, the Washington Post reported that the server was installed by Clinton staffers who had little IT security knowledge. That suggests a poor security posture was taken initially and increases the likelihood that the server was successfully exploited at some point.

Did Clinton later engage a skilled system administration or security expert to lock the server down? By then was it too late? Why did she set up her own server when the State Department is able to provide highly robust infrastructure?

Privacy vs. security

Clinton says she used her personal server and email account for convenience. But there is speculation that the real reason is privacy and control – that her personal server allowed her to delete information in a more permanent and untraceable manner than if it were stored on State Department infrastructure.

If I was Secretary of State, I might set up a personal server to ensure that I could have private electronic communications with international contacts via email. World leaders can’t always meet face to face when there is important business to discuss. There is probably nothing unlawful about having such private discussions, and they are vitally important to diplomacy because both parties need to know that certain conversations will never come to light.

One can only imagine the types of conversations Hillary Clinton would have had with people like the Israeli Prime Minister, or Vladimir Putin, or other heads of state where fraught and drawn-out negotiations constantly occur. Just watch a few seasons of House of Cards to get an idea.

I think this is probably the real reason she had the personal server: for quiet, off-the-record email conversations, which would be impossible using government equipment.

In the end, this whole affair is probably a tempest in a teapot. Assuming Clinton implemented a strong security posture at some point – hopefully early in her tenure as Secretary of State – the likelihood that the server was compromised is relatively small.

There is nothing to suggest that even the government-maintained servers are immune to attack. In some ways, a small server in someone’s basement is more secure than a massive fortress containing hundreds or thousands of machines. With a single box there is much less to lock down. And in the world of computer security, keeping it simple is the best policy.

About the Author

Ken Simpson is the co-founder and CEO of MailChannels, the world’s foremost provider of outbound anti-spam and email delivery technology. Ken also runs the botnet and web abuse sub-committees at the Messaging Anti-Abuse Working Group (MAAWG).

Edited by Peter Bernstein