roger_grimes
Columnist

How Clinton could have avoided the Wikileaks fiasco

Analysis
Nov 01, 2016
7 mins
Cybercrime, Data and Information Security, Email Clients

Hillary Clinton's email server and her advisers' email accounts are no more or less vulnerable than most, but securing them would have been easy

People who are upset that Hillary Clinton’s personal email server may have been hacked are missing the big picture. Nearly everything that is worth hacking and connected to the internet is already hacked — and that which is not can be hacked at will.

I don’t want to get into the morass of whether Clinton’s use of personal email while she was Secretary of State was legal or ethical. That’s been debated to death.

Instead, I’m talking about whether it was hacked. Could it have been? I’ll say it again: Everything is hackable. Stuxnet took down Iranian centrifuges that were running on an air-gapped private network. The State Department’s email was hacked — very likely before, during, and after Clinton’s tenure there.

Was Clinton’s email server hacked?

As for Clinton’s personal email server, the fact is we’ll never know whether it was hacked.

Her server ran Microsoft Exchange 2010. Arrested Romanian hacker Marcel Lazăr (aka Guccifer) claimed he had hacked it. But beyond his public claim no evidence has come to light to back up his statement.

The FBI forensic investigation into the server did not corroborate his statement. As far as I can tell, Guccifer socially engineered her aide, Sidney Blumenthal, out of his AOL account password and nothing more. The same hacking technique was used against her senior adviser John Podesta for the thousands of emails now shared via Wikileaks. I’ve yet to hear any evidence that the server itself was exploited.

Could someone have hacked the server without leaving evidence?

Yes, although it seems unlikely. Most hackers leave behind lots of evidence because it doesn’t matter if they do. Almost no one gets caught, much less prosecuted. Thus, hackers have become lazy and don’t attempt to clear log files or cover up evidence of their crimes.

For the sake of argument, let’s say a Russian superhacker broke into Clinton’s server without leaving behind signs of compromise. In that case, wouldn’t we see emails other than those coming from two aides? It’s highly unlikely that a hacker would gain complete access, download every email, and fail to leak emails from Hillary and Bill Clinton.

Don’t get me wrong — I think plenty of hackers are capable of hacking her server and not leaving behind evidence. But I seriously doubt those hackers realized the importance of the email server serving up the @clintonemail.com domain. The FBI’s own investigation revealed the server was scanned and a few hacks were attempted, but none seemed to get through.

How would you hack Clinton’s email server?

This is penetration testing 101. First, you canvass your target. It’s Microsoft Exchange 2010 running on Microsoft Windows — you can get that much by sending a few SMTP query commands to the email service port or running a port scanner like Nmap against the IP address. Using a port scanner and a few fingerprinting apps, you’d likely come away with the Windows version and perhaps even its patch status, along with whatever other services it was running.

We know from reports that it was running Microsoft Outlook Web Access (OWA) and Remote Desktop Protocol (RDP) for remote access. That helps a lot. OWA means it’s also running Microsoft’s Internet Information Services (IIS). Any hacker worth his or her salt already has all the possible exploits that might work against Microsoft Windows, IIS, Exchange, and RDP. Lots of hackers like to use the Metasploit Framework, but I’m partial to custom code for each vulnerability.

RDP and OWA also give you remote logons to try. Even if they have account lockout enabled, you can guess slowly. Better yet, you can guess against the Administrator account. As long as it hasn’t been renamed, you can guess forever as many times as you like and you won’t get locked out. If you have Bill’s or Hillary’s email address, the logon account name is likely to be the same as their email address.
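Seen from the defender's side, slow guessing is exactly what a lockout counter misses, so it has to be caught by counting failures over a much longer window. The sketch below is an added example, not part of the original column; the event tuples are constructed (shaped like failed-logon records such as Windows Security event 4625), and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed failed-logon events: (timestamp, account, source IP). Not real data."""
    start = datetime(2016, 1, 1, 0, 0)
    events = []
    # One guess every 20 minutes against Administrator for a day
    for i in range(72):
        events.append((start + timedelta(minutes=20 * i), "Administrator", "203.0.113.7"))
    # A user mistyping a password three times in two minutes
    for i in range(3):
        events.append((start + timedelta(hours=9, seconds=40 * i), "alice", "198.51.100.4"))
    return sorted(events)

def max_in_window(times, window):
    """Largest number of events inside any sliding window of the given length."""
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def analyze(events,
            lockout_threshold=5, lockout_window=timedelta(minutes=30),  # assumed policy
            slow_threshold=20, slow_window=timedelta(hours=24)):        # assumed alert rule
    by_account = defaultdict(list)
    for ts, account, _ip in events:
        by_account[account].append(ts)
    report = {}
    for account, times in by_account.items():
        times.sort()
        report[account] = {
            # What the lockout counter sees: failures inside its short window
            "would_lock_out": max_in_window(times, lockout_window) >= lockout_threshold,
            # What a long-window rule sees: sustained failures below the lockout rate
            "slow_guessing": max_in_window(times, slow_window) >= slow_threshold,
            "failures": len(times),
        }
    return report

if __name__ == "__main__":
    for account, result in analyze(build_sample()).items():
        print(account, result)
```

In the constructed data the Administrator account never has more than two failures in any 30-minute window, so lockout would not trigger even if it applied, yet the 24-hour rule flags it.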

One of my favorite penetration tests, when I have the time, is to identify all running software and wait until a new vulnerability appears. Microsoft releases new patches at least once a month, and almost every Windows server needs to be patched each time. All you need to do is wait for the patch announcement and exploit the identified vulnerability before the system administrator can patch it. You usually have a day or so before the admin patches a server, if not longer.

If the exploit gets you on the email server, you can then configure Exchange to forward copies of all new emails. Or you can use a program like ExMerge to suck up every existing email, including deleted ones. Once you’re on the server, you can create new accounts, add backdoors, or do pretty much anything else.
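Mailbox forwarding of this kind is visible in the server's own configuration, so it can be audited. The following is an added example, not part of the original column: it reviews a constructed CSV export of mailbox settings (column names follow the Exchange mailbox properties ForwardingSmtpAddress and DeliverToMailboxAndForward) and reports forwards that leave the organisation; the accepted-domain list and all sample rows are assumptions.

```python
import csv
import io

# Constructed sample shaped like a CSV export of mailbox settings. Not real data.
SAMPLE_EXPORT = """Name,ForwardingSmtpAddress,DeliverToMailboxAndForward
alice,,False
bob,smtp:bob@corp.example,False
carol,smtp:drop@mail.external.example,True
dave,SMTP:dave@partner.example,False
"""

ACCEPTED_DOMAINS = {"corp.example"}  # assumption: the organisation's own mail domains

def target_domain(forwarding_value):
    """Strip the 'smtp:' prefix and return the lower-cased domain part."""
    addr = forwarding_value.strip()
    if addr.lower().startswith("smtp:"):
        addr = addr[5:]
    return addr.rpartition("@")[2].lower()

def is_internal(domain, accepted):
    """True if the domain is an accepted domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in accepted)

def audit_forwarding(export_text, accepted=ACCEPTED_DOMAINS):
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        value = row["ForwardingSmtpAddress"]
        if not value.strip():
            continue  # no mailbox-level forwarding configured
        domain = target_domain(value)
        if is_internal(domain, accepted):
            continue  # forwarding inside the organisation
        keeps_copy = row["DeliverToMailboxAndForward"].strip().lower() == "true"
        findings.append({
            "mailbox": row["Name"],
            "target_domain": domain,
            # A kept copy means mail still arrives normally for the owner,
            # so the external forward is easy to overlook.
            "silent_copy": keeps_copy,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_EXPORT):
        print(finding)
```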

A few critics have noted that Clinton’s email server didn’t have SSL protection. The SSL page was available, but the system admin didn’t populate it with an SSL certificate. This means the connections to the server were in plaintext. While not having an SSL cert to protect the server isn’t great, it isn’t necessarily game over. It isn’t easy to pop onto someone else’s network streams simply because you know they are there. You have to get close to the server’s original point and perform a man-in-the-middle attack on the main connection. It’s easy to do if you’re already on the local network, but not so easy if you’re not.

One of the more interesting feats you can perform with a public email server is to try and take over its domain. Perhaps Clinton’s server is bulletproof — fully patched and unhackable. Email hackers are famous for gaining control over DNS domains (in this case, clintonemail.com and wjcoffice.com) and, if successful, redirecting all email and connections headed to those domains to a fraudulent email server. You wouldn’t be able to see preexisting emails, but you’d be able to capture new inbound emails (and all the long threads of previous emails they probably contain).

What would have stopped the leak?

In the social engineering instances, using a system that required two-factor authentication (2FA) would have helped. Gmail had 2FA available back then, although I’m not sure about AOL. Clinton should have been using the State Department systems for all business email, and her personal email server should have required 2FA (although the system admin would have to know how to set it up and show the Clintons how to use it).

That’s water under the bridge now.

What I’m sure Clinton really wishes she had used, besides the State Department email system, is a mechanism that prevents private email from being easily read by unauthorized parties. There are myriad solutions, including Microsoft’s Rights Management System (RMS).

Information protection software such as RMS is pretty nifty. It encrypts all protected email and requires the user to retrieve an authorized personal digital certificate to view, print, or copy the email. At any time the personal certificate can be revoked. Hence, if a hacker stole the email, as soon as someone noticed, the certificate could be revoked and the email would become unreadable. Try posting that to Wikileaks.

After all the huge corporate hacking incidents, in which embarrassing private emails were leaked, I’m surprised the email information protection market isn’t growing faster. Remember, we are either hacked or the attackers haven’t gotten around to it yet. Your confidential emails should be protected in a manner that prevents your emails from being so easy to share.

What happened to Clinton could absolutely happen to any person in any company who fails to use strong information protection for email. That’s the real lesson we all should take away.

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.