
Clinton Email Server Vulnerable for 3 Months: Venafi

Access to the personal email server used by former U.S. Secretary of State Hillary Clinton was not encrypted or authenticated by a digital certificate for the first three months of her term, research from security firm Venafi has found.


Clinton’s use of a private email address for work as secretary of state has been the source of controversy recently. During a press conference at the United Nations this week, she said she used the email for “convenience” because she thought it would be easier to carry one device for her work and personal emails instead of two.

Clinton said she gave the State Department about 55,000 pages worth of emails that she sent and received with the private server for review. The remaining emails covered non-work issues such as yoga and wedding plans for her daughter, she said, and were deleted.

According to Venafi, questions have been raised about the security of Clinton’s personal email. Using its TrustNet certificate reputation service, Venafi found that at least three digital certificates were used with clintonemail.com since 2009. The certificates were obtained validly and enabled web-based encryption for applications.

“Based on TrustNet analysis, Venafi can conclude clintonemail.com was enabled for browser, smartphone, and tablet encryption since 2009 and can operate using encryption through at least 2018,” blogged Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “However, for the first 3 months of Secretary Clinton’s term, access to the server was not encrypted or authenticated with a digital certificate. During this time, Secretary Clinton travelled to China, Egypt, Israel, South Korea and other locations outside the U.S.”

“Starting in late March 2009, mail.clintonemail.com was enabled with a Network Solutions’ digital certificate and encryption for web-based applications like Outlook Web Access. This was 3 months after Secretary Clinton took office,” he continued. “The clintonemail.com domain was registered with Network Solutions in January 2009 – 8 days before Secretary Clinton was confirmed by the U.S. Senate. Therefore, from January to end of March 2009 access to clintonemail.com did not use encryption.”

Once the digital certificate was installed in March 2009, all access with a desktop web browser, smartphone or tablet was encrypted, even on government networks designed to inspect traffic, he blogged.

“Clintonemail.com operated for 3 months without a digital certificate,” Bocek blogged. “This means that during the first 3 months of Secretary Clinton’s term in office, web browser, smartphone, and tablet communications would not have been encrypted. Attackers could have eavesdropped on communications. As well, the server would not have been uniquely identified…and therefore could have been spoofed – allowing attackers to more easily trick an unsuspecting user of the site to hand over their username and password or other sensitive information.”
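The two properties Bocek describes, encryption in transit and unique identification of the server, both depend on the endpoint presenting a certificate that is valid, in date and actually issued for the hostname being contacted. The following is an added example written for this article, not code from SecurityWeek or Venafi, of the check an administrator can run against their own webmail or mail-access endpoint. It connects with full chain and hostname verification (a failure there is itself the finding), then applies two offline checks to the certificate dict that `ssl.SSLSocket.getpeercert()` returns: does any DNS name in the certificate cover the hostname, and is the current time inside the validity window. The `SAMPLE_CERT` record, its hostnames and its dates are constructed for the example and stand in for a real server's certificate.

```python
"""Check whether a TLS certificate covers a hostname and is in date.

Added defender-side example; not code from the article or from Venafi.
The offline helpers accept the dict shape that ssl.SSLSocket.getpeercert()
returns, so the same logic runs against a live server or a stored record.
"""
import socket
import ssl
import time


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Connect with chain and hostname verification and return the peer cert.

    Raises ssl.SSLCertVerificationError if the chain does not validate,
    which is itself the signal that the endpoint cannot be authenticated.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard stands for exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def _cert_dns_names(cert):
    """DNS names from subjectAltName; CN is only a fallback when no SAN exists."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def cert_covers_hostname(cert, hostname):
    """True if the certificate was issued for this hostname (no spoofed identity)."""
    return any(_dns_name_matches(name, hostname) for name in _cert_dns_names(cert))


def cert_validity_window(cert):
    """(notBefore, notAfter) as Unix timestamps, parsed from getpeercert() strings."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def cert_is_current(cert, now=None):
    """True if `now` (default: wall clock) falls inside the validity window."""
    now = time.time() if now is None else now
    not_before, not_after = cert_validity_window(cert)
    return not_before <= now <= not_after


def assess_cert(cert, hostname, now=None):
    """Summarise the two checks plus the remaining lifetime in whole days."""
    now = time.time() if now is None else now
    _, not_after = cert_validity_window(cert)
    return {
        "hostname_ok": cert_covers_hostname(cert, hostname),
        "current": cert_is_current(cert, now),
        "days_left": int((not_after - now) // 86400),
    }


# Constructed sample in getpeercert() shape; names and dates are invented.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (("DNS", "mail.example.test"), ("DNS", "*.example.test")),
    "notBefore": "Mar 25 00:00:00 2024 GMT",
    "notAfter": "Mar 25 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_peer_cert(host) if host else SAMPLE_CERT
    print(assess_cert(cert, host or "mail.example.test"))
```

Run with a hostname argument to check a live endpoint, or with none to exercise the constructed record. A plain-HTTP endpoint will fail at `fetch_peer_cert` before either offline check runs, which is the condition the article describes for the first three months: nothing to encrypt with and nothing to authenticate against.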

According to a study released today by the Ponemon Institute, the number of keys and certificates deployed on infrastructure such as web servers, network appliances and cloud services jumped more than 34 percent to almost 24,000 per enterprise. Fifty-four percent of the 2,371 IT security professionals surveyed admitted they do not know where all their keys and certificates are located.

“With the rising tide of attacks on keys and certificates, it’s important that enterprises really understand the grave financial consequences,” said Larry Ponemon, founder of the Ponemon Institute, in a statement. “We couldn’t run the world’s digital economy without the system of trust they create. This research is incredibly timely for IT security professionals everywhere – they need a wake-up call like this to realize they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals.”
