I have seen quite a few articles and posts asking why we should care about the email server. In this post I will tell you why. I will not delve into the political or legal aspects of the case. This will only deal with the technical aspects of it. You can make the call about the rest. I am a sysadmin and I have been in IT for 20 years now. I am by no means a major league IT all star, but I am competent in what I do. When the story broke a few months back I decided to take a gander and see what I could find. I did not attempt to actively access anything; everything I did was passive in nature. I will try and keep the technical mumbo-jumbo down to a minimum.
The domain itself - If I were brought on this project the last name I would select would be clintonemail.com. I would go with acmevegetables.org or something similar. Security through obscurity is a very good way to start to protect things on the internet. The primary reason is that ICANN (people who run the Internet) keep a publicly accessible database called WHOIS. You can look up any domain and find out who owns it as well as their contact information. This is for clintonemail.com. The contact information has changed, but it was registered to a Clinton company if I remember correctly. Every government in the world is monitoring this database. Each one probably flags anything that looks odd or needs more attention. Let me ask you this. Do you think any flags were raised when clintonemail.com was registered to a company belonging to the Clintons a few days before Obama's inauguration?
The site - Technical mumbo-jumbo incoming. The Internet works off of something called Domain Name Service (DNS). This service translates domain names like voat.co into the IP address 18.104.22.168. This is done by something called an Address record, or A record for short. I am able to use tools for DNS to find all A records for a particular domain. If I remember correctly, there were three A records. Two were innocuous while the last was mail.clintonemail.com. Security through obscurity people, c'mon. The company I work for does have a mail.company.com, but we do not handle Top Secret documents. I went to the website and was immediately greeted with an Outlook Web Access page. This page told me they were using Exchange 2010 as the mail server. I checked the program settings in the web page properties and found that the server was a few versions behind in patching. That is a problem. Another huge issue is that I was even able to get to the site in the first place. You can configure the firewall (barrier between the Internet and the server) to only allow approved connections through. This step is extremely easy to do. The fact that it wasn't done seems to point to someone's cousin having set it up.
The MX record - For me, this was the biggest hole in the entire system. When a server sends email it looks up the Mailbox Exchange record for the receiving domain. This record says all emails for this domain should go to this server. The record pointed to the domain mxlogix. I actually know this company and have used it in the past. It is a rebranding site and was most likely McAfee or SpamSoap. It is excellent at filtering spam. The massive security leak, though, is that all email is in plain text while on their server. They give you a 7-day archive for free, or you can purchase more if you wish. This means that the Secretary of State's personal email was sitting in plain text behind a single password login for at least 7 days.
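As an added example (not code from the original post), here is a small offline audit that checks a domain's own DNS zone export for the two exposures described in the two sections above: A records whose hostnames advertise the mail server, and an MX record that hands inbound mail to a host outside the domain. The zone text, the hint-label list and the BIND-style line layout are constructed assumptions.

```python
from collections import namedtuple

# Constructed sample zone export (assumption: BIND-style "name TTL class type data" lines).
ZONE = """
$ORIGIN example.org.
@            3600 IN A   192.0.2.10
www          3600 IN A   192.0.2.10
mail         3600 IN A   192.0.2.20
autodiscover 3600 IN A   192.0.2.20
@            3600 IN MX  10 inbound.filter-vendor.example.
"""

# Hostname labels that tell anyone who can query DNS where the mail server lives (assumed list).
MAIL_HINT_LABELS = {"mail", "owa", "webmail", "exchange", "autodiscover", "smtp", "mx"}

Record = namedtuple("Record", "name rtype data")


def parse_zone(text):
    """Parse a minimal zone export into (origin, [Record]); comments and blank lines are skipped."""
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()  # name, ttl, class, type, data...
        name, rtype, data = fields[0], fields[3], fields[4:]
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name  # already absolute
        else:
            fqdn = f"{name}.{origin}"
        records.append(Record(fqdn, rtype, data))
    return origin, records


def audit(text):
    """Return a list of findings describing the exposures the post complains about."""
    origin, records = parse_zone(text)
    findings = []
    for r in records:
        label = r.name.split(".")[0].lower()
        if r.rtype == "A" and label in MAIL_HINT_LABELS:
            findings.append(f"A record {r.name} reveals the mail server's role by name")
        if r.rtype == "MX":
            target = r.data[1]  # MX data is "<preference> <exchanger>"
            if target != origin and not target.endswith("." + origin):
                findings.append(f"MX {target} is outside {origin}: inbound mail is handled and stored by a third party")
    return findings
```

Run `audit(ZONE)` to see the three findings for the constructed zone; a zone whose MX stays inside the domain and uses non-descriptive hostnames returns an empty list.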
If I was able to find all of this out within 20 minutes of passive probing, imagine what someone could do who was an IT major league all star and had the resources of a government agency behind them. I would be freaking amazed if that server was not compromised within a few weeks of it going online.
That is why it is a BFD.
Holy crap did this post explode. :) I logged in and saw I had 78 messages and wondered wth I said. I have read through most of them, and many people bring up solid points. Let me try and answer the common ones.
Since Bush or other politicians did it, it doesn't matter that Clinton did.
This post was never meant to be a pro-GOP post. This was a straight analysis of the knowledge at hand. If Hillary came to me and asked how to make her system more secure, this would be my response. It is looking at the situation and finding the flaws. That is all.
Security through obscurity is stupid, it doesn't stop any attacks
People seem to have latched on to that nugget for some reason. If you read the whole sentence you would see that I said it was a great place to start. I was not advocating that a name change alone would have solved all her problems. I would say making the target as small as possible would be the goal. Would it eventually get out that even some obscure domain name belongs to Clinton? Yes. Does it make sense to try and hide the fact a little? Yes.
All modern businesses have public web sites. You can't fault her for that.
That is 100% true, but she is not most businesses. She was the Secretary of State. By any yardstick you care to use, that makes her a giant target. This would make me, as her IT consultant, go crazy as much as I could on her security. This would include putting her website behind a VPN. This is very easy to configure and substantially increases security. I refuse to even let a terminal server be accessible on the internet without a VPN. This is for small businesses. How about MAC address filtering, IP address filtering, etc.? Yes, I know that every single one of these can be defeated by a competent person. This remains true for every system though. The point of this section is that there was no security.
All businesses hold off on installing updates
The server was not a simple update behind, it was a version behind. That is not just a simple update, that is a lot of updates.
The government is getting hacked left and right, her mail was probably safer on that server
It is entirely possible that a hack could have compromised State's servers; heck, they could be compromised even now and we wouldn't know it. The point is that they have a small army of techs to try and prevent security breaches. I have no idea what kind of staffing Clinton has, but it is a fair bet that State's computers are probably looked after a little more closely.