Fallout from Clinton’s Private Emails: How Secure are Agency Email Systems?


Official government email accounts are no locked fortresses, and some shirk key federal security regulations.

It's still unclear what, if any, security measures former Secretary of State Hillary Clinton deployed on the ad hoc personal email system she used for government business.

Some cyber specialists and transparency advocates are voicing outrage over the potential presidential candidate possibly flouting federal security rules with a “homebrew” server arrangement.

But official government email accounts are no locked fortresses, and her agency's official email systems were also shirking some of those regulations. Hackers wishing to leak private documents of high-profile people -- or “dox” them -- could have captured an eyeful from State Department networks, according to a White House report.

Just this week, State systems, along with those at many other agencies, were found to be sending emails in a way that leaves them open to interception. The same agencies also lacked two-step identity verification for logging in to their networks.

To prevent hackers from opening official email messages by guessing or stealing passwords, departments are required to use two-factor authentication – the process of checking a password and a second physical or digital credential, like a smart card. 

"Agencies which have the weakest authentication profile allow the majority of [users] to log on with user ID and password alone, which makes unauthorized network access more likely as passwords are much easier to steal through either malicious software or social engineering," stated the annual White House report on compliance with the Federal Information Security Management Act. 

These 16 agencies fall into this category:

State, Labor, Housing and Urban Development, Office of Personnel Management, Nuclear Regulatory Commission, Small Business Administration, National Science Foundation, U.S. Agency for International Development, Agriculture, Energy, Transportation, Interior, Veterans Affairs, Justice, Treasury, NASA

A subset of these agencies also failed to encrypt outgoing messages with FIPS 140-2 validated cryptography, the federal standard for cryptographic modules, according to the report card. Specifically, anyone eavesdropping on State, SBA, NSF, Transportation, Labor or Agriculture employee communications can read the contents in plain text rather than as encrypted data.

"The fact that they aren’t encrypted is appalling," said Gregg Housh, one of the few computer programmers affiliated with hacktivist group Anonymous who speaks somewhat openly. "Without proper encryption and/or two-factor authentication, it is relatively simple" to open a federal employee's official emails, because "the only thing needed is the password."

To their credit, State officials report all department email systems have the ability to analyze links or attachments for malicious code, and 85 percent of their computer assets can automatically block unauthorized software. 

The dangers of lax online security are made public almost every week.

Last month, security researcher Mark Burnett posted 10 million usernames and passwords on his blog for password research, to illustrate how weak such credentials tend to be. The cache included government account credentials.

Burnett said he removed accounts belonging to government or military users from the cache, when their affiliations were evident. But he might not have been able to redact all agency account credentials.

"Sometimes, these log-ins get posted without the domains, without mentioning the source, or aggregated on other lists and therefore it is impossible to know if I have removed all references,” he said.

In the summer of 2013, Anonymous released a link to a document with 2,000 email addresses and some passwords, with the vast majority of the credentials belonging to the House of Representatives, along with some from the U.S. attorney general's office and the Senate, according to Gizmodo. In 2011, the group also allegedly dumped a list of about 90,000 military email addresses and passwords after breaking into systems at defense contractor Booz Allen Hamilton.

"You should be surprised (but might not be) by the amount of government email addresses that appear in all of these big data breaches from the last few years," said Housh, who worked as a consultant for the Netflix political drama "House of Cards."

"It isn’t just teenage boys in their mothers’ basement any more; there are other governments with well-funded hacking teams attempting to get into these emails," he added.

The Online Trust Alliance, a nonprofit data privacy group, is pushing for wider use of a protocol called TLS, or transport layer security, for encrypting email in transit -- to stymie such interlopers.

“It’s a problem for the public sector in communicating with the private sector and vice versa,” alliance founder Craig Spiezle said. “Can I trust that mail from a government agency is actually from that agency? If I transfer mail back to them, can my ISPs or others snoop on that mail for other purposes?”
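The encryption the alliance is asking for works at the connection level: a sending mail server asks the receiving server, during the SMTP greeting, whether it supports the STARTTLS extension, and if so upgrades the connection to TLS before handing over the message. The Python script below is an added example, not code from the article or from the Online Trust Alliance, showing what a careful client does with that exchange: it parses the server's EHLO reply, checks whether STARTTLS is advertised, and refuses to deliver in plaintext when TLS is required. The EHLO replies embedded in it are constructed, mx.example.gov is a placeholder, and the check_mx function needs network access to a real mail server.

```python
"""Client-side STARTTLS check for SMTP.

Added example, not from the article or the Online Trust Alliance. The EHLO
replies below are constructed; mx.example.gov is a placeholder host name.
"""
import smtplib
import ssl
import sys


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: parameters}.

    Per RFC 5321 the first line is '250-<domain> [greeting]', intermediate
    extension lines are '250-KEYWORD [params]' and the final line is
    '250 KEYWORD [params]'. The domain line carries no extension and is skipped.
    """
    lines = [line.strip() for line in reply.splitlines() if line.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply")
    extensions = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected line in EHLO reply: {line!r}")
        body = line[4:].strip()          # drop '250-' or '250 '
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params.strip()
    return extensions


def plan_session(reply: str, require_tls: bool = True) -> str:
    """Decide what the client does after EHLO.

    'starttls'  - server advertises STARTTLS; upgrade before sending anything
    'refuse'    - no STARTTLS and TLS is mandatory; do not send the message
    'plaintext' - no STARTTLS but the caller allowed opportunistic fallback
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"
    return "refuse" if require_tls else "plaintext"


def check_mx(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a live MX host and report STARTTLS support and TLS details.

    Needs network access; the certificate is verified against the system trust
    store, so a self-signed or mismatched certificate raises an SSLError.
    """
    result = {"host": host, "starttls": False, "tls_version": None, "cipher": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            result["starttls"] = True
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # extensions must be re-read after the upgrade
            result["tls_version"] = smtp.sock.version()
            result["cipher"] = smtp.sock.cipher()[0]
    return result


# Constructed EHLO replies, not captured from any real server.
EHLO_WITH_STARTTLS = """250-mx.example.gov Hello client.example.net
250-SIZE 52428800
250-STARTTLS
250-8BITMIME
250 ENHANCEDSTATUSCODES"""

EHLO_PLAINTEXT_ONLY = """250-mx.example.gov Hello client.example.net
250-SIZE 52428800
250 8BITMIME"""


if __name__ == "__main__":
    for label, reply in (("STARTTLS offered", EHLO_WITH_STARTTLS),
                         ("plaintext only", EHLO_PLAINTEXT_ONLY)):
        print(f"{label}: {plan_session(reply)}")
    if len(sys.argv) > 1:          # optional live check: python script.py mx.host
        print(check_mx(sys.argv[1]))
```

Two caveats a practitioner should keep in mind. First, STARTTLS is opportunistic by default: an attacker sitting on the path can simply strip the 250-STARTTLS line from the reply and the naive sender falls back to plaintext, which is why the script defaults to require_tls=True and verifies the server certificate rather than accepting whatever is presented. Second, transport encryption answers only Spiezle's second question (whether an ISP can read the mail in transit); whether a message really came from the agency it claims to is a separate, sender-authentication problem that TLS between servers does not solve.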

Obama administration officials Wednesday acknowledged that network defenses at State and even the Oval Office could use tightening, after intruders recently roamed both systems.

Addressing concerns about the security of Clinton's home email, White House spokesman Josh Earnest told reporters his own office email is not impenetrable and there has been "activity of concern detected on what otherwise are very strong federal government computer systems."

As for whether Clinton's personal apparatus might have been more vulnerable than the government's technology, Earnest deferred to computer science experts. But, he said, "I could imagine a scenario where you would say that a smaller network is less likely to attract the attention of hackers or others who might want to do harm."
