- Record-keeping vs. security
- Who was snooping on Hillary?
- Why Clintonemail.com?
- Was it encrypted?
- Back it up.
Record-keeping vs. security
If you hold a high position in government, keeping your own server would be tempting. It could be an effective way to keep your data out of the hands of reporters while maintaining compliance with the Freedom of Information Act, as indicated by Gawker. However, security professionals agree that it makes your communications much more vulnerable.
On Monday, March 2, the New York Times reported that Hillary Clinton used a private email address rather than communicating via State.gov during her tenure as Secretary of State. On the 4th, the Associated Press noted that the email account was operated through a server at Clinton’s New York home and used a domain she owned herself, Clintonemail.com.
Much of the discussion has focused on whether Clinton may have broken public record and accountability regulations, although the law still doesn’t forbid private accounts and didn’t require backing up email by CCing an official government address until 2014.
“[As] the controversy continues to swirl,” explains Andy Greenberg ominously in Wired, “the security community is focused on a different issue: the possibility that an unofficial, unprotected server held the communications of America’s top foreign affairs official for four years, leaving all of it potentially vulnerable to state-sponsored hackers.”
One key consideration is whether or not her emails were encrypted, as discussed below.
Who was snooping on Hillary?
The fact that Clinton was using her own server for email is a revelation to the American public in 2015, but spy agencies of other countries likely were aware of what Clinton was doing, just as the NSA is aware of top leaders in Spain and India who use consumer email, says Chris Soghoian of the ACLU.
Building one’s own private email system is a ridiculously bad idea from a security perspective, Soghoian argues. First of all, you don’t have the same level of expertise watching over a random private server as you would at the State Department, unless Clinton was personally investing heavily in security – and it seems that would have been mentioned.
The State Department has technologists on staff checking for unauthorized activity on a continual basis. The NSA also guards the infrastructure. One of the defense mechanisms State had available – a tool in place at several major agencies – is the Einstein initiative, a Homeland Security effort that benefits from NSA information and security practices.
The domain name chosen by Clinton makes her decision especially problematic, says Greenberg. Unlike the federal websites, Clintonemail.com was registered with a private registrar.
Greenberg elaborates, “The domain Clintonemail.com (and thus its registrar) was certainly known to at least one hacker: The notorious celebrity hacker Guccifer first revealed it in 2013 when he spilled the emails of Clinton associate Sidney Blumenthal.”
Since the domain was held with a private registrar, Network Solutions, a hacker who got into the registrar could grab email going in either direction or send it to an outside address. They could even send bogus emails that looked as if they were coming from Clinton. Well, is Network Solutions safe? Not exactly. Hundreds of its sites were invaded while Clinton held her Cabinet position (see http://krebsonsecurity.com/2010/01/hundreds-of-network-solutions-sites-hacked/).
Even if the account were only used for nonessential communications, the fact that someone could hijack messages and write false emails from a top United States official is deeply disturbing in the eyes of Soghoian. Personal details are considered valuable by spy agencies, he says, giving the example of NSA surveillance of the private phone of German Chancellor Angela Merkel.
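The registrar risk described above can be watched for from the defender's side. The following added example (not part of the original article) assumes such interception would show up as a change to the domain's NS or MX records, and compares resolver answers against a pinned baseline; the domain names, baseline and sample answers are all constructed.

```python
# Added example: compare a domain's NS/MX answers with a pinned baseline.
# Every hostname and record below is constructed for illustration.
BASELINE = {
    "NS": {"ns1.registrar.example.", "ns2.registrar.example."},
    "MX": {"mail.example.org."},
}

# Constructed resolver answers in `dig +noall +answer` layout.
CLEAN = """\
example.org.  3600  IN  NS  ns1.registrar.example.
example.org.  3600  IN  NS  ns2.registrar.example.
example.org.  3600  IN  MX  10 mail.example.org.
"""
HIJACKED = """\
example.org.  3600  IN  NS  ns1.registrar.example.
example.org.  3600  IN  NS  ns2.registrar.example.
example.org.  300   IN  MX  5 relay.attacker.example.
example.org.  300   IN  MX  10 mail.example.org.
"""

def parse_answers(text):
    """Return {rtype: {target: mx_preference_or_None}} from answer lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # skip blank or malformed lines
        rtype = fields[3]
        target = fields[-1].lower().rstrip(".") + "."  # normalise the name
        pref = int(fields[4]) if rtype == "MX" and len(fields) >= 6 else None
        records.setdefault(rtype, {})[target] = pref
    return records

def audit(baseline, observed_text):
    """List every NS/MX host that differs from the pinned baseline."""
    observed = parse_answers(observed_text)
    findings = []
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, {})
        trusted = [p for h, p in seen.items() if h in expected and p is not None]
        for host in sorted(set(seen) - expected):
            pref, note = seen[host], ""
            # A lower MX preference value means this host receives mail first.
            if pref is not None and (not trusted or pref < min(trusted)):
                note = " (preferred over every baseline host)"
            findings.append(f"{rtype} added: {host}{note}")
        for host in sorted(expected - set(seen)):
            findings.append(f"{rtype} missing: {host}")
    return findings
```

Run on a schedule against answers from several independent resolvers, any non-empty result from `audit` is a reason to check the registrar account before trusting mail for the domain.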
Was it encrypted?
An especially important question regarding Clinton’s data is whether or not it was encrypted. Why is encryption so incredibly important for her emails or for your own?
Email encryption is a form of data security that makes it more difficult for anyone other than the intended recipient to read a message. Sending email without encryption leaves users vulnerable. Encryption scrambles all the information within your messages so that you can only see their contents if you have a private key. Encryption has grown in adoption since the Snowden disclosures on the NSA.
As Debbie Jones of Teach-ICT explains, the concept has been evolving for millennia – if you consider it just a way to hide information from unauthorized parties. In ancient Greece, a general wanted to send a message to another city and didn’t want anyone to be able to detect it. He wrote a message on his soldier’s shaved head. When the soldier’s hair grew out, the message was concealed. For the recipient of the message, the “private key” was to shave off the hair to access the communication.
Now, encryption of emails and other data is a bit more complex. A private digital key is created out of a huge number of possibilities. As Jones notes, the algorithms used to achieve encryption are extraordinarily advanced. Industrial-grade options, typically using keys of 128 or 256 bits, represent a nearly impossible hacking proposition.
Indeed, “[t]he current standard specification for encrypting electronic data is the Advanced Encryption Standard (AES),” explains the information security team at Indiana University. “Almost all known attacks against AES’ underlying algorithm are computationally infeasible — in part due to lengthier key sizes (128, 192, or 256 bits).”
If Clinton’s data wasn’t encrypted, it would be extraordinarily easy for third parties to read if they ever breached her server. Imagine the intelligence that Clinton’s outbox could have provided to foreign governments or military personnel. Or, if someone were to copy the SSL certificate Clinton used, they could eavesdrop on incoming data.
Back it up
With more and more high-profile hacks occurring, businesses and consumers alike are becoming increasingly aware of the vulnerabilities associated with the Information Age.