Fallout from Clinton’s Private Emails: How Secure are Agency Email Systems?

Bebeto Matthews/AP File Photo

Official government email accounts are no locked fortresses, and some shirk key federal security regulations.

It's still unclear what, if any, security measures former Secretary of State Hillary Clinton deployed on the ad hoc personal email system she used for government business.

Some cyber specialists and transparency advocates are voicing outrage over the potential presidential candidate possibly flouting federal security rules with a “homebrew” server arrangement.

But official government email accounts are no locked fortresses, and her agency's official email systems were also shirking some of those regulations. Hackers wishing to leak private documents of high-profile people -- or “dox” them -- could have captured an eyeful from State Department networks, according to a White House report.

Just this week, State systems, along with those at many other cabinet-level agencies, were discovered sending emails in a way that is susceptible to interception. Their networks also lacked two-step identity verification to access networks.  

To prevent hackers from opening official email messages by guessing or stealing passwords, departments are required to use two-factor authentication – the process of checking a password and a second physical or digital credential, like a smart card. 

"Agencies which have the weakest authentication profile allow the majority of [users] to log on with user ID and password alone, which makes unauthorized network access more likely as passwords are much easier to steal through either malicious software or social engineering," stated the annual White House report on compliance with the Federal Information Security Management Act. 

These 16 agencies fall into this category:

State, Labor, Housing and Urban Development, Office of Personnel Management, Nuclear Regulatory Commission, Small Business Administration, National Science Foundation, U.S. Agency for International Development,Agriculture, Energy, Transportation, Interior, Veterans Affairs, Justice, Treasury, NASA 

A subset of these agencies also failed to use standard FIPS 140-2 encryption on outgoing messages, according to the report card. Specifically, hackers who attempt eavesdropping on State, SBA, NSF, Transportation, Labor or Agriculture employee communications can see the contents in plain text, rather than in scrambled secret code. 

"The fact that they aren’t encrypted is appalling," said Gregg Housh, one of the few computer programmers affiliated with hacktivist group Anonymous who speaks somewhat openly. "Without proper encryption and/or two-factor authentication, it is relatively simple," to open a federal employee's official emails, because "the only thing needed is the password."

To their credit, State officials report all department email systems have the ability to analyze links or attachments for malicious code, and 85 percent of their computer assets can automatically block unauthorized software. 

The dangers of lax online security are made public almost every week.

Last month, security researcher Mark Burnett posted 10 million passwords and usernames on his blog to demonstrate the weaknesses of such codes -- including government account credentials. 

Burnett said he removed accounts belonging to government or military users from the cache, when their affiliations were evident. But he might not have been able to redact all agency account credentials.

"Sometimes, these log-ins get posted without the domains, without mentioning the source, or aggregated on other lists and therefore it is impossible to know if I have removed all references,” he said.

In the summer of 2013, Anonymous released a link to a document with 2,000 email addresses and some passwords, with the vast majority of the credentials belonging to the House of Representatives, along with some from the U.S. attorney general's office and the Senate, according to Gizmodo. The hacker group also in 2011 allegedly dumped a list of about 90,000 military emails and passwords, after breaking into systems at defense contractor Booz Allen Hamilton. 

"You should be surprised (but might not be) by the amount of government email addresses that appear in all of these big data breaches from the last few years," said Housh, who worked as a consultant for the Netflix political drama "House of Cards."

"It isn’t just teenage boys in their mothers’ basement any more; there are other governments with well-funded hacking teams attempting to get into these emails," he added.

The Online Trust Alliance, a nonprofit data privacy group, is pushing for wider use of a protocol called TLS, or transport layer security, for encrypting email in transit -- to stymie such interlopers.

“It’s a problem for the public sector in communicating with the private sector and vice versa,” alliance founder Craig Spiezle said. “Can I trust that mail from a government agency is actually from that agency? If I transfer mail back to them, can my ISPs or others snoop on that mail for other purposes?”

Obama administration officials Wednesday acknowledged that network defenses at State and even the Oval Office could use tightening, with intruders roaming around both of their systems recently.

Addressing concerns about the security of Clinton's home email, White House spokesman Josh Earnest told reporters his own office email is not impenetrable and there has been "activity of concern detected on what otherwise are very strong federal government computer systems."

As for whether Clinton's personal apparatus might have been more vulnerable than the government's technology, Earnest deferred to computer science experts. But, he said, "I could imagine a scenario where you would say that a smaller network is less likely to attract the attention of hackers or others who might want to do harm."