Texting away.

Photographer: Chip Somodevilla/Getty Images)

Hillary Clinton's E-Mail Was Vulnerable to 'Spoofing'

Josh Rogin is a former Bloomberg View columnist.
Read More.
a | A

Hillary Clinton didn't take a basic precaution with her personal e-mail system to prevent hackers from impersonating or "spoofing" her identity in messages to close associates, according to former U.S. officials familiar with her e-mail system and other cyber-security experts.

This vulnerability put anyone who was in communication with her clintonemail.com account while she was secretary of state at risk of being hacked. Clinton said at the United Nations last week that there were no security breaches of her personal e-mail server, which she used to send and receive more than 60,000 professional and personal e-mails. But former cyber-security officials and experts told us that there were gaps in the system.

According to publicly available information, whoever administrated the system didn't enable what’s called a Sender Policy Framework, or SPF, a simple setting that would prevent hackers sending e-mails that appear to be from clintonemail.com. SPF is a basic and highly recommended security precaution for people who set up their own servers.  Here is a security evaluation of Clinton's server by SenderScore:

Experts told us that oversight was just one flaw of a security system that would have been relatively easy for foreign intelligence services and others to exploit. "I have no doubt in my mind that this thing was penetrated by multiple foreign powers, to assume otherwise is to put blinders on,” said Bob Gourley, the chief technology officer at the Defense Intelligence Agency from 2005 to 2008 and the founder of Cognitio, a cybersecurity consultancy.

"If a Sender Policy Framework was not in use, they could send an e-mail that looks like it comes from her to, say, the ambassador of France that says, 'leave the back door open to the residence a package is coming,'" added Gourley. "Or a malicious person could send an e-mail to a foreign dignitary meant to cause an international incident or confuse U.S. foreign policy."

Spoofing a senior official’s e-mail identity is also an easy way to conduct "spear phishing" attacks, where an attacker sends a personally crafted e-mail that appears to come from a trusted source. Once the target opens it, his own system can be compromised. Clinton said she e-mailed with dozens of State Department and White House officials using her server, including President Barack Obama.

Spear phishing has caused problems for the government in the past. In October 2012, the White House confirmed that hackers linked to the Chinese government had penetrated sensitive but unclassified computer systems using the technique.  Just last week, the State Department shut down its entire e-mail system after attacks by hackers suspected to be Russian.

There’s no evidence that Clinton’s e-mail server was linked to those or any other specific attacks. And it's worth noting that the State Department’s e-mail domain does not have SPF enabled. Thus, experts point out, it may also have been vulnerable to hacking during her time as secretary.

Nick Merrill, a spokesman for Clinton’s personal office, declined to comment on the SPF issue, telling us that she took several security precautions when setting up her server, including hiring third-party experts. “Robust protections were put in place and additional upgrades and techniques were employed over time as they became available,” he said. “There was never evidence of a breach, nor any unauthorized intrusions.”

The problem with such confidence is that if hackers exploited the SPF vulnerability, Clinton's office would likely never have known her domain name, which has been public information since March of 2013, was being used surreptitiously.

Merrill declined to say who has been in charge of maintaining the server or ensuring its security since 2009. This would be a good question to have answered. It would be important to know, for instance, what sort of security vetting the employees overseeing the server received.

It would be useful to know, too, if the federal agencies that protect sensitive government communications -- the FBI and the NSA -- were aware of the server's existence and helped to provide security. Clinton has refused to clarify this issue, saying only that the server "had numerous safeguards and was on property guarded by the Secret Service In 2008. Chinese hackers penetrated the e-mail systems of both the Barack Obama and John McCain campaigns, which were operating on commercial systems. After the hacks were discovered, the FBI lent its assistance and the hacks stopped.

E-mails "that run on commercial services are vulnerable to collection,” said James A. Lewis, who held senior technology posts at the White House and State Department  and now directs the technology and public policy program at the Center for Strategic and International Studies. Lewis, who authored “Cybersecurity for the 44th Presidency,” a report commissioned by a bipartisan House panel in 2007, added: “I don’t think people realize how much of this information is available to foreign intelligence services.”  

Until team Clinton answers vital questions about exactly what safeguards were in place in Chappaqua, New York, we won't know how likely it was that sensitive communications at the highest level of government may have ended up in unfriendly hands. 

This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.

To contact the authors on this story:
Josh Rogin at joshrogin@bloomberg.net
Eli Lake at elake1@bloomberg.net

To contact the editor on this story:
Tobin Harshaw at tharshaw@bloomberg.net