SPOTLIGHT ON SECURITY

Security Experts Rap Clinton’s Email Practices

Former Secretary of State Hillary Clinton is in hot water over her use of a private email server for official business during her time in office. Aside from the apparent violation of federal rules, the practice is very risky cybersecurity behavior for everyone involved, critics have alleged.

In taking her mail outside the State Department’s systems, Clinton appears to have turned up her nose at the agency’s rules. For example, if employees use private email for official business, they should turn that correspondence over to the department so it can be stored on the agency’s computers, the department’s Foreign Affairs Manual stipulates.

Clinton eventually did that, but only after she had left the State Department.

Department rules bar employees from using private mail for “sensitive but unclassified” information, except for some very narrow exceptions.

The former secretary did not use her personal email system for that kind of correspondence, according to her aides.

After the department adopted its rules on the use of private email, a similar policy was adopted for the entire federal government through the U.S. Code of Federal Regulations, which provides that if an agency allows its employees to use a personal email account, it must ensure that the emails are “preserved in the appropriate agency recordkeeping system.”

Homeland Insecurity

Violating federal rules wasn’t Clinton’s only misstep in the email affair, according to her critics. She also engaged in very poor security practices.

“It is virtually impossible for individuals operating independently to maintain as secure and protected an environment as can an entire organization dedicated to it,” said Steve Hultquist, chief evangelist at RedSeal Networks.

“Attempting to do so is unwise,” he told TechNewsWorld, “and ignores the inherent complexity in modern systems.”

While there may be a scenario in which a personal Web server might make sense for a high-profile person, such situations would be rare, noted Jean-Philippe Taggart, a senior security researcher at Malwarebytes.

“In most cases, it simply isn’t cost-effective,” he told TechNewsWorld. “To do so would be like trading your high-profile position for a full-time job as a mail system admin.”

The security of government email has given some officials pause in the past. For instance, former Homeland Security Secretary Janet Napolitano once confessed that she had no email accounts and didn’t use email.

So security could have influenced Clinton’s decision to create a personal email channel for herself, but the secretary probably had less reason to worry about security than the rank-and-file members of her agency, suggested Bill Solms, CEO of Wave Systems.

“It would likely have been a much more highly protected account than those at State that were recently compromised by hackers,” he told TechNewsWorld.

Authentication Alternative

Authentication can be a pain for consumers. It can require answers to security questions they may have forgotten or impose delays as they wait for a code to be sent to their cellphones.

Those authentication methods can create friction for consumers, and friction isn’t good for online business. That’s why Iovation has launched a new service that allows consumers to be authenticated by the device they’re using to access their account.

“Our technology is founded on strong device recognition,” said Scott Olson, vice president of product at Iovation.

“We use that recognition technology to allow our customers to create explicit pairings between consumer devices and the accounts that they access,” he told TechNewsWorld.

Devices are recognized by collecting characteristics about them at the operating-system, application and browser levels.

“Every device is personalized by the users that own them,” Olson said. “There are hundreds of device attributes that make a machine unique to an individual.”

When the device attempts to log into an account, those attributes are compared against the paired profile in milliseconds. It’s behind-the-scenes two-factor authentication: the device itself stands in for the second factor.
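As an added illustration (not Iovation’s code; every attribute name, weight and threshold here is an assumption, and the device attribute sets are constructed for the example), here is the shape of such a device-pairing check in Python: the attributes a client reports are reduced to a keyed fingerprint, an account is explicitly paired with that device, and each later login is scored against the paired devices so that a browser update still matches while an unfamiliar machine is stepped up to a visible second factor. The caveat the vendor quotes leave out: the attributes are reported by the client and can be replayed by anyone who has captured them, so this is a risk signal rather than a true possession factor.

```python
"""Device pairing as a silent second factor (illustrative, not vendor code).

Assumptions: the attribute list, weights and thresholds below are invented
for the example; a real product collects hundreds of attributes and tunes
thresholds on observed data.
"""
import hashlib
import hmac
import json

# Assumed attribute set.  Weights express how much a mismatch should count;
# version fields drift with routine updates, so they are weighted low.
ATTRIBUTE_WEIGHTS = {
    "os_family": 3,
    "os_version": 1,
    "browser_family": 3,
    "browser_version": 1,
    "screen": 2,
    "timezone": 2,
    "languages": 2,
    "fonts_hash": 2,
    "canvas_hash": 2,
}
MAX_SCORE = sum(ATTRIBUTE_WEIGHTS.values())  # 18 with the weights above


def fingerprint(attrs, secret=b"server-side-secret"):
    """Stable device identifier: HMAC over the canonical attribute JSON.

    Keying it means a fingerprint leaked from one service cannot be
    correlated with another service's store, and a client cannot forge a
    stored value without the server key.  (The assumed key is a placeholder.)
    """
    canon = json.dumps({k: attrs.get(k) for k in sorted(ATTRIBUTE_WEIGHTS)},
                       sort_keys=True, separators=(",", ":"))
    return hmac.new(secret, canon.encode(), hashlib.sha256).hexdigest()


def similarity(stored, observed):
    """Weighted fraction of attributes that still match, 0.0 .. 1.0."""
    matched = sum(w for k, w in ATTRIBUTE_WEIGHTS.items()
                  if stored.get(k) is not None and stored.get(k) == observed.get(k))
    return matched / MAX_SCORE


class PairingStore:
    """account -> list of explicitly paired device attribute sets."""

    def __init__(self):
        self._pairs = {}

    def pair(self, account, attrs):
        self._pairs.setdefault(account, []).append(dict(attrs))

    def evaluate(self, account, observed, exact=0.99, fuzzy=0.85):
        """Classify a login attempt against the account's paired devices.

        'trusted': matches a paired device; the silent factor is satisfied.
        'drifted': close match (e.g. browser updated); accept and re-pair.
        'unknown': no paired device resembles it; step up to a visible factor.
        Returns (verdict, best_similarity).
        """
        best = 0.0
        for stored in self._pairs.get(account, []):
            best = max(best, similarity(stored, observed))
        if best >= exact:
            return "trusted", best
        if best >= fuzzy:
            return "drifted", best
        return "unknown", best


# Constructed sample devices (not real telemetry).
LAPTOP = {"os_family": "Windows", "os_version": "8.1", "browser_family": "Chrome",
          "browser_version": "41.0", "screen": "1920x1080", "timezone": "-5",
          "languages": "en-US,en", "fonts_hash": "f1", "canvas_hash": "c1"}
UPDATED = dict(LAPTOP, browser_version="42.0")          # same laptop after an update
STRANGER = {"os_family": "Linux", "os_version": "3.19", "browser_family": "Firefox",
            "browser_version": "36.0", "screen": "1366x768", "timezone": "-5",
            "languages": "en-US,en", "fonts_hash": "f9", "canvas_hash": "c9"}


def demo():
    """Pair one device and score three login attempts; returns the verdicts."""
    store = PairingStore()
    store.pair("alice", LAPTOP)
    return {name: store.evaluate("alice", dev)[0]
            for name, dev in (("laptop", LAPTOP), ("updated", UPDATED), ("stranger", STRANGER))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `drifted` band is what keeps the experience transparent: a routine browser upgrade changes one low-weight attribute and still scores 17/18, whereas a different machine in the same time zone and locale scores 4/18 and triggers a visible challenge. The thresholds and weights are the knobs a deployment would tune, and a replayed attribute set scores as `trusted`, which is the limitation to keep in mind.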

Current methods of two-factor authentication are inadequate, Olson noted.

“They deliver a very unsatisfying customer experience, so businesses are looking for a way to provide enhanced security while not having a negative impact on the customer experience,” he said. “By using the device that a customer is already using to access an account, this is completely transparent.”

Breach Diary

  • March 2. Natural Grocers reports it has hired a data forensics company to investigate a potential security incident involving an unauthorized intrusion targeting a limited amount of customer payment card data.
  • March 3. Javelin Strategy and Research reports that in 2014, 12.7 million consumers experienced identity fraud — a 3 percent decline from 2013. A series of extraordinary responses to high-profile data breaches contributed heavily to the drop, according to the firm.
  • March 4. Brian Krebs reports Mandarin Oriental hotel group has confirmed to him that it is investigating a breach of its credit card systems at some of its U.S. and European hotels.
  • March 4. Researchers disclose a vulnerability (CVE-2015-0204) they’re calling “FREAK,” which lets a man-in-the-middle force a vulnerable browser and server to negotiate export-grade 512-bit RSA, a key size weak enough that the session can be factored and the HTTPS traffic decrypted.
  • March 6. Army and Air Force Exchange reports emails and technical information of some 98,000 military personnel stationed in Europe have been placed at risk due to a data breach at an on-base cellphone concessionaire operated by SIGA Telecom.
  • March 6. U.K. National Cyber Crime Unit reports it arrested 56 suspected hackers in a week-long series of raids across England, Scotland and Wales. Among those arrested was a 23-year-old man from Sutton Coldfield believed to have been involved in a network break-in at the U.S. Department of Defense in June 2014.
  • March 6. Federal prosecutors in Atlanta unseal indictment against two Vietnamese men and a Canadian citizen in what’s being called “one of the largest data breaches in U.S. history.” The men allegedly made US$2 million from spam sent to more than 1 billion email addresses stolen from several email service providers.

Upcoming Security Events

  • March 11. Intelligence Squared U.S. Debates: The U.S. Should Adopt The “Right To Be Forgotten” Online. 6:45 p.m. Merkin Concert Hall, Goodman House, 129 W. 67th Street, New York City. Tickets: $40; student, $12.
  • March 11. How to Identify and Assess Data Incidents of all Shapes and Sizes. Noon ET. idExperts webinar. Free with registration.
  • March 12. Crypto Wars 2.0: Has the United States Abandoned the Policy of “Secure by Design”? 9-10:30 a.m. ET. Information Technology and Innovation Foundation, 1101 K Street N.W., 610 A, Washington, D.C. Free with registration.
  • March 12. B-Sides Ljubljana. Poligon Creative Centre, Tobačna ulica 5, Ljubljana, Slovenia. Free.
  • March 12-13. B-Sides Austin. WinGate Williamson Conference Center, Round Rock, Texas. Fee: $15/day.
  • March 14. B-Sides Atlanta. Atlanta Tech Village, 3423 Piedmont Rd. NE, Atlanta. Free.
  • March 16-17. B-Sides Vancouver. The Imperial Vancouver, 319 Main St., Vancouver, BC, Canada. Tickets (before March 1): supporter CA$25, plus $2.49 fee; professional $55, plus $4.29 fee; VIP $125 plus $8.49 fee.
  • March 18-19. SecureWorld Philadelphia. DoubleTree by Hilton Hotel, Valley Forge, Pennsylvania. Open sessions pass: US$25; conference pass: $295; SecureWorld plus training: $695.
  • March 19. Are You Hiding All You Intended? Probably Not. 2 p.m. ET. Black Hat webinar. Free with registration.
  • March 19. A State Attorney General’s Office Perspective on Healthcare Data Breach Issues and Risks. 1 p.m. ET. Webinar sponsored by idExperts. Free with registration.
  • March 20-21. B-Sides Salt Lake City. Sheraton Salt Lake City Hotel, Salt Lake City, Utah. Registration: before March 20, $40; $50 at the door.
  • March 24-27. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.
  • April 1. SecureWorld Kansas City. Kansas City Convention Center, 301 West 13th Street #100, Kansas City, Missouri. Registration: open sessions pass, $25; conference pass, $75; SecureWorld plus training, $545.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.
  • May 6-7. Suits and Spooks London. techUK, 10 Saint Bride St., London. Registration: government/military, $305; members, $486; industry, $571.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Maryland. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.