Hillary Clinton used personal email for government business, putting security at risk

The New York Times has published claims that Hillary Clinton did not have a government email address throughout her four-year tenure at the US State Department, but instead used a personal email address.

The use of a private email account is likely to get Clinton, who is widely tipped to be the next Democratic presidential candidate, into some hot water.

Firstly, federal regulations require that emails sent and received by officials – such as the secretary of state – are government records that must be retained. With the exception of certain classified, personal and sensitive content, records are kept for congressional committees, historians and the news media.

According to The New York Times Mrs Clinton’s team only reviewed her email archive two months ago, weeding out personal emails and deciding which others to deposit with the State Department. In all, 55,000 pages worth of emails were given to the department.

It remains a mystery why Mrs Clinton chose to use a personal account, rather the one that would normally be supplied by the State Department’s IT experts, that would automatically preserve communications on departmental servers.

But more than that, what thought was being put into the email security of one of the world’s most powerful women?

We know that hackers like Guccifer have targeted senior US politicans in the past, including the Bush family, exposing their emails.

Hacked Bush email account

And in 2013 Guccifer released a series of emails he had stolen from the AOL account of former Clinton aide Sydney Blumenthal, including messages he had sent Hillary Clinton while she was Secretary of State.

One would hope that an email account supplied by the IT security experts at the State Department might have more and stronger defences in place to prevent exploitation by cybercriminals, than one set up for the personal use of Hillary Clinton.

You would certainly imagine that the State Department’s IT security team would have strict standards and layered protection in place to reduce the chances of malware, spam, phishing and targeted attacks reaching the inbox of a senior government official, as well as measures to prevent unauthorised access by hackers.

An analysis of the mail records used by the domain Hillary Clinton used for her personal inbox, clintonemail.com, reveals that it used the services of MX Logic, a email-filtering company since acquired by McAfee in 2009. McAfee is itself now part of Intel.

MX records for clintonemail.com

This isn’t an appropriate place to discuss the pros and cons of products which compete with ESET, the publishers of WeLiveSecurity.

But what’s important is that the US State Department will have made choices about which security products it would use to protect its staff from the threat of hackers, spammers, malware authors and targeted internet attacks.

It’s going to be more than a headache for any IT security team if their staff decide to go “off road”, setting up their own mail domains reliant on other security products – it’s a security risk.

There are good reasons why staff are asked to use corporate email accounts for their day-to-day work, and if they need to access work remotely that they do so securely via a company-configured VPN with strong authentication.

One has to wonder whether the IT team at the State Department was aware of Hillary Clinton’s independent streak when it came to email, but felt powerless to bring her into the fold.

Possible Republican presidential candidate Jeb Bush wasn’t slow to try to take advantage of Hillary Clinton’s discomfort, reminding Twitter users that he had made his own email archive public:

What George W Bush’s little brother has forgotten to add (or maybe he didn’t have room in the 140 characters that Twitter provided) is that when he released his email archive in the name of transparency, he unfortunately neglected to redact over 12,000 personal details of members of the public who had contacted him – including in some cases social security numbers.

Furthermore, the archive of email included malware that the former Florida governor had received in his inbox. Perhaps that was taking transparency too far…

The personal information in Jeb Bush’s email trove was subsequently redacted but, of course, it was too late by then. The horse had bolted before the stable door was shut.

Author Graham Cluley, We Live Security

  • Coyote

    “But more than that, what thought was being put into the email security of one of the world’s most powerful women?”
    Government security is an oxymoron. But indeed your point is valid.

    As for the dig output – those MX records… scary… there is nothing good that can come of that. As for Jeb Bush, I think of all people he should be the last one to be so snide (but that’s politicians for you – stabbing each other for personal gain, party gain and frankly just because they can). Especially ironic, though, since he thinks his blunder of personal information being leaked is somehow fixed after it being redacted (whether anything from Hillary is leaked or not is is only relevant in that if it ‘yes’ then he’s also being hypocritical on that part). To that end, he isn’t so aware of the risks, either. That is a good example of my first sentence in this response: security and government does not really mix.

  • Fempley Noodge

    Great…here we go again. The next presidential election will be, “Do you want Moron A or Moron B?” The one choice that makes the most sense of all — “None of the above” — is absent.

    Sounds like a joke, but I’m dead serious. These clowns can’t even manage simple, common-sense security practices, and we’re going to give one of them the power of life and death over us?

    But the people themselves aren’t the issue. We elect morons and expect them to be gods, plugged into a political state mechanism so big (and getting bigger every day, relentlessly) and so hopelessly complicated that it is impossible to secure. The bigger it gets, the worse the problem will become. There are no Band-Aids that can fix something that is so badly broken.

    Forget political bickering. It doesn’t matter who “wins”. With such a monstrous state juggernaut, even the most totalitarian control can’t provide security. The problem isn’t just the people, it’s the system itself.

    • RealityAlwaysBites

      The only thing left for the common man is to play flip the clown, what ever clown is in office, every election flip to the other clown.

  • tddial

    When I worked for a DoD organization where, essentially, the greatest security concern was personally identifiable information covered by the Privacy Act, it was required that all government work be done using government supplied and configured equipment and associated email use the agency’s internal email system. Telework was done using a VPN and access controlled by a smart card and PIN. Except for a limited number of system developers, users had no admin rights on their desktop or laptop workstations.

    This was prior to the time Ms. Clinton was Secretary of State; that the State Department would allow this exposure is appalling, as is the fact that they apparently left to Ms. Clinton’s staff the choice of emails to be returned to government control and archives. It is fairly clear that they learned nothing of significance from Bradly Manning’s release of several hundred thousand State Department messages.

  • MostInterestingManInTheCosmos

    The last thing the deep state trusts, is itself.

  • George Butel

    Considering how well the government seems to function on email and internet issues, at least in the last few years, I wouldn’t trust it for my email either. It seems like I have a memory of them not being able to find backups of someone’s emails, and I also have a vague recollection of them having numerous problems getting a certain new website to function properly not that long ago. Kudos to Clinton for not using technology that probably came over on Noah’s ark.

  • ” federal regulations require that emails sent and received by officials – such as the secretary of state – are government records that must be retained.”

    I’m Sure the NSA has a copy, so that’s OK then

    • joseph

      It’s probably how she got caught…Dianne Feinstein was sending out stuff on CIA and she got caught…that is why she was railing against CIA for ‘snooping around her emails’ and ‘tapping her phones’ (right) …Feinstein uses a cell phone and anyone can tap a cell phone…it’s even legal….So. just as there is no honor among thieves there is no honor among Clinton’s either..same thing….A Clinton by any other name is still a thief in my book.

  • Fordman

    The skank got away with being complicit in the murder of Vincent Foster and she will get away with this.

  • RealityAlwaysBites

    More crime is committed by those in authority than by those under it.

Follow us

Copyright © 2017 ESET, All Rights Reserved.