The 2016 presidential campaigns are heating up here in the U.S. and Hillary Clinton is regularly in the news over her use of a personal email server for official business while she was Secretary of State, including 1,200 classified messages and last week's revelation that 22 of the messages are classified as Top Secret. A few months ago we also learned that CIA Director John Brennan's personal AOL account was compromised revealing personal details of 20 CIA employees and Brennan's own application for security clearance. These incidents are reminiscent of a previous incident in 2008 when Sarah Palin's email account was compromised during her own campaign for Vice President by a college student looking for information to derail her campaign.
The hard information security lessons learned by Clinton, Brennan, and Palin about using home-grown or consumer grade email services are also applicable to businesses. It is fairly common to see executives, senior management, and other "rockstars" (e.g. doctors, lawyers, professors, programmers, sales executives, IT personnel, etc.) use their clout to exempt themselves from normal corporate policies and use personal systems or email accounts for company business. Although these individuals may not be handling state secrets, much of the information passed via email can still be valuable to an attacker either directly for industrial espionage or as information useful to launch attacks against the company's networks.
The security flaws on Clinton's personal email server have been extensively documented and are typical of small office or home office server setups, the most significant being the exposure of Remote Desktop Protocol (RDP) to the Internet. RDP has a long list of known vulnerabilities, and it has long been accepted best practice to disable it or firewall it off from the Internet, as detailed in an advisory the Department of Homeland Security released during the same period that Clinton's email server was in operation. Amateur administrators nonetheless often leave it running and reachable from the Internet for convenient remote troubleshooting and maintenance. Exposures like this give even relatively unskilled attackers an easy way to compromise a server.
Besides the obvious RDP issue on Clinton's server, home and small office servers also lack the benefit of a large IT organization with the depth of experience and tools to properly harden the security configuration, test and apply security patches regularly, detect intrusion attempts, and respond to security incidents. Without these basic security controls in place, a server exposed to the Internet is almost sure to be compromised in short order. Even if a breach doesn't result in direct espionage on the emails, the server will likely be infected with malware and repurposed as part of a botnet spreading spam and further malware infections. When major corporations are struggling to defend their systems from an onslaught of attacks, a server protected by a part-time admin who is not well versed in information security doesn't stand a chance. Managing a server that contains sensitive information is best left to professionals who have the resources to do it properly.
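The RDP exposure described above is something a small-office administrator can audit in a few lines. The following PowerShell script is an added example written for this article, not something from the original post or from any of the incidents it describes; it assumes a Windows host with the built-in NetSecurity module and reports whether Remote Desktop is enabled and whether any enabled inbound firewall rule allows the RDP port from unrestricted source addresses.

```powershell
# Added audit example (not from the original article). Run in an elevated
# PowerShell session on the Windows host being checked.

# 1. Is RDP enabled at the OS level? fDenyTSConnections = 0 means allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# 2. Is the Remote Desktop service actually running?
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
$svcRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

# 3. Which enabled inbound allow rules open the RDP port (3389), and to whom?
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }

$findings = foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    # 'Any' means the rule places no restriction on the source address, which is
    # the condition the article warns about when the host is Internet-facing.
    # A hardened setup scopes this to LocalSubnet or a specific management range.
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = ($remote -join ', ')
        Unrestricted  = ($remote -contains 'Any')
    }
}

Write-Host "RDP enabled in registry : $rdpEnabled"
Write-Host "TermService running     : $svcRunning"
$findings | Format-Table -AutoSize

# Summary verdict in the terms the article uses: either disable RDP entirely
# or make sure no rule admits connections from arbitrary addresses.
if ($rdpEnabled -and $svcRunning -and ($findings | Where-Object Unrestricted)) {
    Write-Warning 'RDP is enabled and at least one firewall rule allows it from any source address.'
} elseif (-not $rdpEnabled) {
    Write-Host 'RDP is disabled; nothing to expose.'
} else {
    Write-Host 'RDP is enabled but every allow rule restricts the source address.'
}
```

Scoping the firewall rule is only a mitigation at the host; an upstream router that forwards port 3389 to this machine still needs to be checked separately.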
In contrast to Clinton, Palin and Brennan did use third-party email services (Yahoo Mail and AOL respectively) that are managed by professionals and should be less vulnerable than a home server but still fell victim to attackers. These breaches weren’t because of any technical vulnerability in the servers, but rather were the result of the attackers exploiting the way these services identify their customers.
In Palin's case, Yahoo's automated password reset process asked for 3 pieces of information: Palin's date of birth, home zip code, and where she met her husband. The attacker simply looked up the answers to these questions and reset her password to give himself access. This attack was trivial because Palin is a public figure and this information about her is relatively easy to find, but with the rise of social media and connected government it would not be very difficult to find this information, and more, about most other individuals simply by looking at their profile information or querying public records.
The attack on Brennan’s account was similar, with the hacker claiming that he tricked Verizon into providing him with details from Brennan’s account with them, likely the last 4 digits of his credit card as we have seen in previous attacks, and then used this information to get AOL to reset his password.
Both of these attacks show the major problem with using third-party consumer-grade services for sensitive data: although the providers may take the technical security of their servers seriously, they simply don't know their customers and don't have time to handle each password reset from millions of users manually. This forces them to rely on static identifiers that are fairly trivial for an attacker to obtain and use, as detailed at length by Brian Krebs following the recent compromise of his PayPal account. This applies equally to email providers, social media accounts, financial institutions, and many others. Enterprise IT support has the advantage of a smaller number of users and a controlled environment where it is much easier to verify an individual's identity.
It is worth noting that the risk to a company’s information security extends beyond the use of unauthorized email accounts by their own employees: internal employees may also be interacting with partner companies, contractors, or others who choose to use their own personal accounts. Any sensitive information sent to these third parties may also be exposed as a result. Highlighting this risk is the fact that Clinton’s use of a personal email address was first brought to light by an attacker who compromised the AOL account of Sidney Blumenthal, one of her political confidantes. The attacker began publicly posting sensitive emails exchanged between them with the addresses revealing Clinton’s use of a personal email account.
The attacks on Palin and Brennan, and the initial public disclosure of Clinton's use of personal email, may all have been the result of hacktivist activity, but the threat of real espionage is more than just theoretical. Attacks against Gmail accounts dating back to 2011 involved compromising email accounts and redirecting email traffic to the attackers. Hacktivists, state-sponsored attackers, and criminal organizations continue these activities today. We should consider Clinton very lucky if her email server was not compromised by one or more state-sponsored attackers during the time it was in operation.
Companies, unlike individuals, have the staff to harden, patch, and monitor their systems, yet are a closed enough environment to be able to identify their users with a higher degree of certainty than consumer-oriented providers. Users, and especially high-value targets, should leave sensitive data where it belongs, on their company email accounts, and when confronted with another individual's personal email address should politely ask that they provide their company email account instead. After all, whether you're running for president or aiming for a role as CEO, you wouldn't want your career derailed by a few wayward emails, and if the director of the CIA can get breached, it can happen to anybody.