During her first month on the job in 2009, former Secretary of State Hillary Clinton used a private email server that lacked a digital certificate - either one issued by a domain registrar or self-generated - that would have ensured encrypted and authenticated email communications. This is the conclusion reached by IT security firm Venafi, after analyzing publicly available data.
Kevin Bocek, Venafi vice president of security strategy and threat intelligence, says in an interview with Information Security Media Group that the clintonemail.com domain received a digital certificate from issuer Network Solutions on March 29, 2009, 39 days after Clinton took office as secretary of state. Until then, he says, the email server was exposed to unauthorized intrusions.
Bocek contends the lack of proper certification opened the system to a breach even after the Clinton server received a digital certificate. "Likely those credentials (on the server) used in the first three months probably were not changed frequently, [allowing] someone normal access to the server [without] even trying to hack it," he says.
Without a digital certificate, Clinton's email server could have been spoofed, allowing attackers to trick unsuspecting users of the site to hand over their usernames and passwords or other sensitive information, he says.
Clinton: 'No Security Breaches'
At a March 10 news conference, Clinton said the server was secure. "It had numerous safeguards; it was on property, guarded by the Secret Service, and there were no security breaches," she said. "I think the use of that server, which started with my husband, certainly proved to be effective and secure." Clinton didn't provide any documentation to back up her claims about the security of the servers.
Bocek dismisses Clinton's comment about the Secret Service protecting the server. "I believe ... she refers to the physical protection, actually, and control of the server, not the digital or logical access across the Internet," he says.
Clinton did not use the government's state.gov domain for email during her four years as secretary of state, saying in the news conference that she found it more convenient to use a single email server for government and personal correspondence. The privately owned server she used, situated at her Chappaqua, N.Y., home, was initially set up for her husband, former President Bill Clinton.
The use of a personal email server has become a political tempest for the former secretary of state as she gears up for a possible run for the presidency later this year. Clinton says she turned over to the State Department 50,000-plus pages of email correspondence that she contends were related to her job. She says other email messages she deemed personal were destroyed. Detractors and even some supporters criticized Clinton because she - and not some independent body - decided which messages to turn over to the State Department and which ones to destroy.
In the audio report (click Listen Now), you'll hear:
- How Venafi security experts concluded that the Clinton server went more than a month without using a digital certificate;
- Clinton being quizzed on whether she cleared use of the personal server with the State Department and whether security personnel at the agency had access to it; and
- What the former secretary of state should do to prove that the private email server wasn't breached.