Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Communications Democrats Government Politics

Clinton's Private Email System Gets a Security "F" Rating 315

Penguinisto writes According to a scan by Qualys, Hillary Clinton's personal e-mail server, which has lately generated more than a little controversy in US political circles, has earned an "F" rating for security from the security vendor. Problems include SSL2 support, a weak signature, and only having support for older TLS protocols, among numerous other problems. Note that there are allegations that the email server was possibly already hacked in 2013. (Note: Mrs. Clinton plans on Giving a press conference to the public today on the issue.)
This discussion has been archived. No new comments can be posted.

Clinton's Private Email System Gets a Security "F" Rating

Comments Filter:
  • Makes sense (Score:5, Insightful)

    by Trailer Trash ( 60756 ) on Tuesday March 10, 2015 @10:55AM (#49225529) Homepage

    I mean, the only security they seemed to be interested in was keeping the emails out of the hands of people with subpoenas, FOIA requests and such.

    • It must never have occurred to them that Fox News and the FBI use hackers too.

    • Re:Makes sense (Score:5, Informative)

      by bill_mcgonigle ( 4333 ) * on Tuesday March 10, 2015 @11:07AM (#49225651) Homepage Journal

      I mean, the only security they seemed to be interested in was keeping the emails out of the hands of people with subpoenas, FOIA requests and such.

      Plus, it's in her house, so she gets 4th Amendment protections as well, which is pretty smart.

      But Qualsys's SSL scan grade is relevant to a server open to the public. Looking at the generated report, the main problem, in a situation where the client software is highly controllable and very likely hand-configured, is the lack of perfect-forward-secrecy ciphersuites. And that only helps prevent future attacks, not past ones (she's "retired" at the moment).

      If somebody wanted to attack this system, attacking TLS would not be the way to do it - the configuration is good enough to make so many other vectors much cheaper attacks. I see the engineer used GoDaddy as the SSL vendor. This doesn't speak well for the budget of the project which has implications for the degree of configuration hardening that was done, which is especially crucial for a Windows machine.

    • They've gotta be kicking themselves after seeing how easily the IRS handled sending dirty laundry down the memory hole without (overtly) breaking the law.

  • B is the new F? (Score:5, Informative)

    by GAATTC ( 870216 ) on Tuesday March 10, 2015 @11:04AM (#49225623)
    Funny - I clicked on the link and the rating is a B. No ambiguity about it and not the result of a hasty recent security update (the site was assessed on Sat Mar 07 22:39:37 PST 2015). Where does this headline and summary come from?
    • by lazlo ( 15906 )

      Hrm, I click on the link and see "SSL Report: mail.clintonemail.com (64.94.172.146) Assessed on: Fri Mar 06 12:35:49 PST 2015", and an F.

      Are we both looking at the same thing? (clearly not, but *which* things are different, other than the grade?)

      • by Slamtilt ( 17405 )

        Here's the copy'n'paste:

        1 64.94.172.146
        Ready

        mail.clintonemail.com
                Tue Mar 10 09:23:03 PDT 2015
        Duration: 55.370 sec
        B

        The date appears to be the difference.

      • Re:B is the new F? (Score:5, Interesting)

        by Penguinisto ( 415985 ) on Tuesday March 10, 2015 @11:34AM (#49225941) Journal

        I suspect it was crash-updated recently.

        It was listed as "F" when the story was submitted earlier this morning, but now it's suddenly bumped to a "B" (Assessed on: Tue Mar 10 09:31:29 PDT 2015).

        All it would take is a patch or two to bump it up, I suspect.

        I wonder if one can get the mods to update the submission.

        • Exactly. (Score:4, Insightful)

          by hey! ( 33014 ) on Tuesday March 10, 2015 @12:01PM (#49226167) Homepage Journal

          The first thing I did when I saw the discrepancies is look for a test date listed on the page, and here it was: ue Mar 10 09:50:02 PDT 2015 .

          So this "B" score was earned literally minutes ago. People who are seeing an "F" are probably seeing cached data.

    • by Jhon ( 241832 )

      I just checked and it says "F" in a bright red box.

      SSL Report: mail.clintonemail.com (64.94.172.146)

      What IP address did YOU see? Maybe there's more than one server being polled?

      • by pahles ( 701275 )
        I clicked and see a B for the IP address you mention!
        • by Jhon ( 241832 )

          Check my other post in this thread. Sat morning it's "F". The parent of this thread sees a "B" sat evening. Looks like they fixed something.

    • Re:B is the new F? (Score:5, Informative)

      by Jhon ( 241832 ) on Tuesday March 10, 2015 @11:25AM (#49225835) Homepage Journal

      Interesting. I've got two tabs open -- both to the same URL. I see the following:

      SSL Report: mail.clintonemail.com (64.94.172.146)
      Assessed on: Sat Mar 07 15:10:39 PST 2015 | Clear cache
      RATING: "F"

      SSL Report: mail.clintonemail.com (64.94.172.146)
      Assessed on: Tue Mar 10 09:18:02 PDT 2015 | Clear cache
      RATING "B"

      The difference is Protocol support is zero on the F and notes SSL 2.0 support (automatic "F").

      Looks like somebody fixed something between Saturday and today.

    • Re:B is the new F? (Score:4, Informative)

      by celtic_hackr ( 579828 ) on Tuesday March 10, 2015 @11:28AM (#49225875) Journal

      The rating is an F because it supports SSL2. Yet, they didn't show a single example where it permitted an SSL2 handshake or connection. Every email server supports SSL2. The real question is does it actually permit SSL2 connections. Hell my server "supports" SSL2, but I have it connections disabled in the configuration. This security rating is just a load of political crap. Everyone picking on poor ol' Hillary for using a private server. It must be weak because it's not based at the State Department. Because we all know the best and brightest computer nerds work for the Fed?

      Now given what I see there from this scan, she's using SHA-1 for signatures. Definitely not best practice. I'd rate that server as a C or a D. The server appears to be an IIS server. A hardened Linux server would have been the way to go. Just because it's not a guvmint server doesn't mean it is automatically weak. My server gets attacked all day long and hasn't been hacked. Sure, I'm not a big target either. I once conducted an experiment to see how long it would take for someone to hack my Linux system. So I put one out there, and didn't patch it, did a minimal security setup, like you might get from a Linux Servers for Dummies tutorial (there are plenty out there). It took 4 months for my relatvely unknown server. But that was years ago. I haven't been hacked since, and no that is not an invitation to try. I get DDOSed on a semi-regular basis. Not much I can do about that, other than what I am doing. I haven't got a 1000 servers to offload attacks to.

      In the end, a well configured and maintained server stands as much of a chance of being secure as any server out there, save perhaps the DOD. Bigger is not necessarily better.

      • Re:B is the new F? (Score:5, Insightful)

        by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Tuesday March 10, 2015 @12:35PM (#49226493) Homepage Journal

        The biggest difference is that no one gives a shit about your toy server, but they might have a fuckload of interest in the personal server of a US Senator and Secretary of State. Yes, I believe that State Department is likely to have better security than the random dipshit she seems to have hired who snagged a cheap GoDaddy cert. It's almost certainly going to have better availability, backup, and disaster recovery.

        It is absolutely, 100% not acceptable to run state secrets through a personally maintained server that seems to exist only for the legal reason of giving the owner 4th amendment privacy rights. An officeholder acting in official capacity should have zero expectation of privacy from the organizations they work for. I'm "picking on poor ol' Hillary" for having every appearance of attempting to circumvent disclosure laws.

        • It is absolutely, 100% not acceptable to run state secrets through a personally maintained server

          Oh, she's got that covered: she just claimed that she never used email for anything secret or confidential. If you can believe that. I don't.

      • It took four months for my relatively unknown server.

        This smells funny. How specifically did your server get hacked? If I put out a server running nothing but Apache serving static HTML and SSH with a good password, I would expect it to be hacked approximately never or until the next sshnuke exploit. Which, again, would be approximately never. What were you running where you got hacked in four months?

  • "F" rating? (Score:2, Funny)

    by Tablizer ( 95088 )

    Bad H! She should have used them gov't servers, which are D-

    • by tricorn ( 199664 )

      I'd be curious to know what problems would have been found AT THE TIME (not now, a few years later), with the e-mail server itself (not web front-ends other than as actual vectors to compromise the system, not just an individual connection; is there any indication Clinton ever used a web front-end?), and compare that with the state.gov e-mail server (also at the same time).

      Comparing this to someone using a gmail account is irrelevant. The biggest threat to security is probably going to be the people at a c

  • I Disagree (Score:3, Insightful)

    by Anonymous Coward on Tuesday March 10, 2015 @11:16AM (#49225763)

    I have been in the IT field for 30 years and I specialize in information security. Penetration testing and forensic investigations is what I do.

    I do not agree with the assessment. Many argue that homes are more vulnerable, but even if it's the average home, it's far easier to find a disgruntled employee in some "cloud" service company and if you look at headlines in recent years like DRM, Target, SONY, and a number of others, you can see they are very vulnerable and for a lot of reasons.

    It only takes one person on the inside, to screw things up. Edward Snowden did it with the NSA and Bradley Manning with the CIA.

    Most homes are very vulnerable becuase they are all WIFI and not setup correctly. For those that do, they can be more secure. Add secret service to the mix and you have physical security.

    Do you really think Clinton set up her own email server? No. She knows a lot of people in the industry and can be very selective. He data also remains under HER control, HER ownership, and if any of you idiots think your "cloud" data is safe, it just proves how inept you are.

    I have to give her security grade a 'C', only because I don't have enough information to do a complete assessment.

    • Re: (Score:3, Interesting)

      It appears that whoever set up Clinton's email used GoDaddy as the SSL vendor. Seriously. Go Daddy.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      He[r] data also remains under HER control, HER ownership, and if any of you idiots think your "cloud" data is safe, it just proves how inept you are.

      You are right but not for the reasons you believe. By owning the server she controls who can get the emails, and that includes from government investigators. When they review the emails she turns over, what proof is there that any problematic emails were not first erased? If it was in a "cloud" system, including a government system, then she would have lost the ability to sanitize the email trove before investigators get access. Regarding your calling people idiots who think differently than you and for

    • So you are working on the assumption that the person that setup her server and maintained was vetted, had security clearance?
    • Re:I Disagree (Score:5, Informative)

      by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Tuesday March 10, 2015 @12:39PM (#49226543) Homepage Journal

      He data also remains under HER control, HER ownership

      That's cute, except that it's not her data. That data is owned by the American people via its government, as are all official communications. When you're an officeholder, you don't "own" your official email.

  • People's memory is remarkably short. There is an (IIRC) official annual survey of the web (and other) servers in the USG's estate. That survey has regularly comes up with many, many poor security ratings. This is just one more example.
  • by WaffleMonster ( 969671 ) on Tuesday March 10, 2015 @11:21AM (#49225797)

    In my view assuming there was a need for security the entire fault should lie with state dept allowing emails to be sent and received to and from any domains outside of their administrative influence when conducting "official business".

    SMTP Email always get an "F" security rating no matter what. Checking whether webmail interface has a secure cert is like making sure the front gate of your castle is locked and secured while east and west gates remain open to the creepers at the gates.

    • Since she was running the State Department I'm not clear on what you expect them to do. "No boss, you can't have that thing, we won't allow it"?
      • by sumdumass ( 711423 ) on Tuesday March 10, 2015 @01:01PM (#49226727) Journal

        Yes. That is exactly what is expected. And if she overrulled them or retaliated, there are official channels to report it that carry whistle blower protections when department rules and laws are not being followed.

        My guess is that it likely did not get that far because there likely isn't an auditing system in place to catch it. Even the president who learned about it in the news paper like the rest of us was sending and revieving mail from her in this manner and it was not caught.

  • by schwit1 ( 797399 ) on Tuesday March 10, 2015 @11:23AM (#49225817)
    If you treat federal law the way the secretary of state does, you go to prison.
    If you treat IRS rules the way the IRS treats IRS rules, you go to prison
    If you treat immigration controls the way our immigration authorities do, you go to prison.
    If you’re as careless in your handling of firearms as the ATF is, you go to prison.
    If you cook your business’s books the way the federal government cooks its books, you go to prison.
    • Spot on. We just found out the the Ferguson "judge" responsible for jailing people who owe a few hundred dollars on a parking fine actually owes $170,000 to the IRS.

      The bottom line is that people in power don't think the rules apply to them. Under rule of law, the rules do apply to them. But as we've seen more and more lately it's difficult to enforce the rules when they rule the enforcement mechanisms.

  • by wisnoskij ( 1206448 ) on Tuesday March 10, 2015 @11:37AM (#49225977) Homepage
    These are just politicians. They probably just forward porn and memes to eachother all day long, and occasionally mail some billionaire to ask for a donation..
    • by hey! ( 33014 ) on Tuesday March 10, 2015 @12:06PM (#49226225) Homepage Journal

      You're joking, but people would be shocked how much time politicians spend begging for money. A typical congressman spends more time on an average day raising money than he does on legislative business. And if he's successful at fundraising, his reward is to be forced to spend more time raising money for his less successful colleagues. It's actually kind of a big deal.

  • by DigitalPagan ( 1040586 ) on Tuesday March 10, 2015 @11:38AM (#49225989)
    Now there's no excuse. The NSA should definitely have backups of those emails. Crisis averted everyone.
  • Why do you think clouds and BYD are so popular?

    Because those annoying cost centers keep getting in the way with their change controls and tickets

    We don't have time for that! The big boss needs this done now and will get his way in the end. We can focus on change management later etc.

    Why is Hillary no different than any other boss who can't afford to wait on IT?

    Right now I am in a dilemma? Our policy is to leave our computers on. No one follows it. We have a big update tonight and this app will throw an exc

  • The Social Security website gets and "F", too. And it has been that way for quite some time.
    https://www.ssllabs.com/ssltes... [ssllabs.com]
    So damned if you do, damned if you don't.
  • by bfwebster ( 90513 ) on Tuesday March 10, 2015 @12:53PM (#49226665) Homepage

    I had someone who did SECRET-grade e-mails setup in the military write the following to me [andstillipersist.com]:

    So, if for example Clinton only dealt with SECRET materials and they were sent or received in her email, all of the equipment (routers, switches, etc.) would have to be rated for that SIPRNet connection. Also, the space in which the equipment and servers and client computers resided in would also have to meet the specifications for SECRET material. This would include various forms of physical access to the space in the form of secure cards, biometrics, etc. No space rated for SECRET opens with a key from the local hardware store. . . .

    The biggest issue I see here would be is if the server was connected to the public Internet and it resided in a non-DoD-approved space.

    Not sure there are biometrics installed in the Clinton home in Chappaqua. ..bruce..

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...