FBN Exclusive: DOJ Officials Fear Foreign Telecoms Hacked Clinton Emails, Server

Cyber Security | FOXBusiness

Officials close to the matter at the Department of Justice are concerned the emails Hillary Clinton sent from her personal devices while overseas on business as U.S. Secretary of State were breached by foreign telecoms in the countries she visited—a list which includes China.

“Her emails could have easily been hacked into by telecoms in these countries. They got the emails first, and then routed them back to her home server. They could have hacked into both,” one Justice Department official close to the matter says.

Another Justice Department official adds: “Those telecommunications companies over there often have government workers in there. That telecom in that foreign country could then follow the trail of emails back to her server in the U.S. and break into the server” remotely over the Internet. At various points in this process, there were multiple entry points to hack into Clinton’s server to steal information, as well as eavesdrop, the Justice Department officials say.

This is the first indication that officials at the Justice Department are concerned that foreign telecom workers may have broken into Clinton’s emails and home server. The Federal Bureau of Investigation is currently investigating the national security issues surrounding Clinton’s emails and server.

The Justice Department officials also used the words “reckless,” “stunning,” and “unbelievable” in discussing the controversy swirling around Clinton’s use of a private, nongovernment email account, as well as her use of a personal Blackberry (NASDAQ:BBRY), an Apple (NASDAQ:AAPL) iPad, and home server while U.S. Secretary of State. The officials did not indicate they have any knowledge of a breach at this point.

As for the effort to designate Clinton’s emails as classified or unclassified, the Justice Department officials agreed that, as one put it: “Every email she sent is classified because she herself is classified, because she is both Secretary of State and a former first lady.”

In addition, there’s a growing belief among cyber security experts at web security firms like Venafi and Data Clone Labs that Clinton’s emails were unprotected in the first three months of her tenure in 2009 as the nation’s top diplomat, based on Internet scans of her server Venafi conducted at that time.

“For the first three months of Secretary Clinton’s term in office, from early January to late March, access to her home server was not encrypted or authenticated with a digital certificate,” Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, tells FOX Business. “That opens the risk that Clinton’s user name and password were exposed and captured, particularly in places she traveled to at this time, like China or Egypt. And that raises issues of national security,” adding “Attackers could have eavesdropped on communications, particularly in places like China, where the Internet and telecom infrastructure are built to do that.”

Digital certificates are the bedrock of Internet security. They verify the Web authenticity and legitimacy of an email server, and they let the recipient of an email know that an email is from a trusted source. Essentially, digital certificates are electronic passports attached to an email that verify that a user sending an email is who he or she claims to be.

Because it appears Clinton’s server did not have a digital certificate in the first three months of 2009, “a direct attack on her server was likely at this time, and the odds are fairly high it was successful,” says Ira Victor, director of the digital forensic practice at Data Clone Labs.

On or around January 13, 2009, the day of Clinton’s Senate confirmation hearings, the clintonemail.com domain name was registered. An estimated 62,320 emails were sent and received on Clinton’s private email account during her tenure as U.S. Secretary of State. Later, 31,830 emails were erased from her private server because they were deemed personal.

Although Clinton previously has argued that there was no classified material on her home server in Chappaqua, N.Y., the U.S. Department of State has deemed 403 emails as classified, with three designated “top secret” (the State Dept. itself has been the subject of cyber hacking).

Clinton has maintained her home server did have “numerous safeguards,” but it’s unclear specifically what security measures were installed, and what those layers were. In September, Clinton apologized on ABC News for using a home server to manage her U.S. Department of State electronic correspondence.

Although Clinton and her team have indicated her emails were not hacked, not knowing about a breach is different from being hacked, cyber analysts tell FOX Business. Her campaign staffers did not return calls or emails for comment. “Even the NSA, the CIA, and Fortune 500 companies know they cannot make that claim that they have not been hacked. Everyone can be hacked,” says Bocek.

FOX News recently reported that an intelligence source familiar with the FBI’s probe into Clinton’s server said that the FBI is now focused on whether there were violations of the federal Espionage Act pertaining to "gross negligence" in the safeguarding of national defense information. Sets of emails released show that Clinton and top aides continuously sent information about foreign governments and sensitive conversations with world leaders, among other things, FOX News reported.

Secure communications and devices are routine in the federal government. For example, President Barack Obama received a secure Blackberry from the National Security Agency after he was elected, a former top NSA official tells FOX Business.

“I could not recall that I ever heard that a secure Blackberry was provided to Hillary Clinton. No one else can either,” the former NSA official says, adding, “There is no way her calls were properly secured if she used her [personal] Blackberry.” Blackberry declined comment.

The former NSA official says the same issue is at play for Clinton’s iPad. “While there have been recent advances in securing iPhones and iPads, these were not available, in my opinion, when she was Secretary of State and there would have to be a record that she sought permission to use them with encryption,” the former NSA official says.

When traveling overseas, U.S. secretaries of state use secure phones that ensure end-to-end encryption, and in some cases, mutual authentication of the parties calling, the former NSA official said. Communications are conducted via secured satellite, digital networks or Internet telephony.

“I think I can say, with some confidence, that once any decent foreign intelligence service discovered she was using her personal phone and iPad, she would be targeted and it would be a high priority operation,” the former NSA official said, adding, “if the calls were unencrypted, it would be no challenge at all while she was overseas -- they just have to get to the nearest cell tower.”

The first three months of her tenure as Secretary of State would have been an ideal time for hackers to break in, cyber security experts say.

Specifically, experts point to work done by cyber security experts at Venafi, which has revealed a three-month gap in security for Clinton’s home server after the Palo Alto, Calif. firm’s team had conducted routine, “non-intrusive Internet scanning” in January 2009.

Venafi’s Bocek tells FOX Business that he and his team had picked up Clinton’s domain, clintonemail.com, at that time, and found that her home server had not been issued a digital certificate. That means email traffic to and from her server was unprotected from early January to late March 2009. During that time, Clinton traveled as U.S. Secretary of State to China, Indonesia, South Korea, Japan, Egypt, Palestine, Israel, Belgium, Switzerland, and Turkey.

“It also means anyone accessing her home server, including Clinton and other people, would have unencrypted access, including from devices and via web browsers,” says Bocek. “This means that during the first three months of Secretary Clinton’s term in office, web browser, smartphone, and tablet communications would not have been encrypted.”

Digital certificates are vital to Internet security. All “online banking, shopping, and confidential government communications wouldn’t be possible without the trust established by digital certificates,” says Bocek. “Computers in airplanes, cars, smartphones, all electronic communications, indeed trade around the world depend on the security from digital certificates.”

The Office of Management and Budget has now mandated that all federal web servers must use digital certificates by the end of 2016, Bocek notes.

If cyber hackers broke into Clinton’s server, they also could have easily tricked it into handing over usernames, passwords, or other sensitive information, Bocek noted.

“The concern is that log-on credentials could have been compromised during this time, especially given travel to China and elsewhere,” Bocek says opening the door to more lapses. “As we've seen with so many other breaches, to long-term, under-the-radar compromise by adversaries, hacks that Clinton and her team may not be aware of.”

Bocek adds: “Essentially, the cyber hacker would have looked to Clinton’s server like it was Secretary Clinton emailing.”

Digital forensic analyst Victor agrees. “It’s highly likely her emails sent during this time via her devices and on her server were not encrypted. More significantly, her log-on credentials, her user name and passwords, were almost certainly not encrypted,” says Victor, who has testified in cyber security cases as an expert forensic witness. “So that means emails from Clinton’s aides, like Huma Abedin, or anyone who had email accounts on her server, their communications were also likely unencrypted.”

Victor adds: “It’s highly likely all of their user names and passwords were being exposed on a regular basis to potential cyber attackers, with the high risk they were stolen by, for instance, government employees who could get the passwords for everyone Clinton was communicating with.”

Victor explains how Clinton’s emails from her devices could have been hacked, and malware could have been planted on her server. “Say Clinton emailed from her device during her Beijing trip in that 2009 period. Her emails would first get routed through the local, state-controlled Chinese telecom. The Chinese telecom captures those bits of emails that are broken up into electronic packets by the device she uses,” Victor explains.

Any device Clinton emailed from, Victor says, was constantly “polling and authenticating communications” between her device and her server. “But all of the back-and-forth communication goes through, say, the Chinese telecom. When the device is polling her server with non-secure communications, it’s giving attackers repeat opportunities to breach.”

He continues: “If the connection was not protected, a state actor at the China telecom transmitting her email back to her server in the U.S. could breach both the device and the server at that point.”

Martin C. Libicki, a senior management scientist and cyber expert at Rand Corp., says that security on Clinton’s devices could have been higher than feared. But he says that, while the Blackberry device does have strong encryption, once Clinton zoomed emails from her Blackberry through the foreign telecom networks during those first three months of her tenure, “it was much easier to hack both the device and the server then.”

Venafi’s team, which included analysts Hari Nair and Gavin Hill, found Clinton and/or her team did eventually purchase digital certificates for the server and the clintonemail.com domain name starting in March 2009.

Victor added: “But the question that needed to be asked then was, once the certificate was installed, did Clinton and her team warn anyone she had emailed during those first three months about the poor security during that time, did they warn them to reset their security passwords on all their devices?”