Hillary Clinton used personal email for government business, putting security at risk

The New York Times has published claims that Hillary Clinton did not have a government email address throughout her four-year tenure at the US State Department, but instead used a personal email address.

The use of a private email account is likely to get Clinton, who is widely tipped to be the next Democratic presidential candidate, into some hot water.

Firstly, federal regulations require that emails sent and received by officials – such as the secretary of state – are government records that must be retained. With the exception of certain classified, personal and sensitive content, records are kept for congressional committees, historians and the news media.

According to The New York Times, Mrs Clinton’s team only reviewed her email archive two months ago, weeding out personal emails and deciding which others to deposit with the State Department. In all, 55,000 pages’ worth of emails were given to the department.

It remains a mystery why Mrs Clinton chose to use a personal account rather than the one that would normally be supplied by the State Department’s IT experts, which would automatically preserve communications on departmental servers.

But more than that, what thought was being put into the email security of one of the world’s most powerful women?

We know that hackers like Guccifer have targeted senior US politicians in the past, including the Bush family, exposing their emails.

Hacked Bush email account

And in 2013 Guccifer released a series of emails he had stolen from the AOL account of former Clinton aide Sidney Blumenthal, including messages he had sent Hillary Clinton while she was Secretary of State.

One would hope that an email account supplied by the IT security experts at the State Department might have more and stronger defences in place to prevent exploitation by cybercriminals than one set up for the personal use of Hillary Clinton.

You would certainly imagine that the State Department’s IT security team would have strict standards and layered protection in place to reduce the chances of malware, spam, phishing and targeted attacks reaching the inbox of a senior government official, as well as measures to prevent unauthorised access by hackers.

An analysis of the mail records used by the domain Hillary Clinton used for her personal inbox, clintonemail.com, reveals that it used the services of MX Logic, an email-filtering company acquired by McAfee in 2009. McAfee is itself now part of Intel.

MX records for clintonemail.com

This isn’t an appropriate place to discuss the pros and cons of products which compete with ESET, the publishers of WeLiveSecurity.

But what’s important is that the US State Department will have made choices about which security products it would use to protect its staff from the threat of hackers, spammers, malware authors and targeted internet attacks.

It’s going to be more than a headache for any IT security team if their staff decide to go “off road”, setting up their own mail domains reliant on other security products – it’s a security risk.

There are good reasons why staff are asked to use corporate email accounts for their day-to-day work and, if they need to access work remotely, to do so securely via a company-configured VPN with strong authentication.

One has to wonder whether the IT team at the State Department was aware of Hillary Clinton’s independent streak when it came to email, but felt powerless to bring her into the fold.

Possible Republican presidential candidate Jeb Bush wasn’t slow to try to take advantage of Hillary Clinton’s discomfort, reminding Twitter users that he had made his own email archive public:

What George W Bush’s little brother has forgotten to add (or maybe he didn’t have room in the 140 characters that Twitter provided) is that when he released his email archive in the name of transparency, he unfortunately neglected to redact over 12,000 personal details of members of the public who had contacted him – including in some cases social security numbers.

Furthermore, the archive of email included malware that the former Florida governor had received in his inbox. Perhaps that was taking transparency too far…

The personal information in Jeb Bush’s email trove was subsequently redacted but, of course, it was too late by then. The horse had bolted before the stable door was shut.

Author Graham Cluley, We Live Security

Copyright © 2016 ESET, All Rights Reserved.