Hillary Clinton’s Home Server: It’s Really Not About the Emails

A recent article posted in the Huffington Post (http://www.huffingtonpost.com/h-a-goodman/why-did-hillary-clinton-need-a-private-server-the-answer-makes-bernie-sanders-president_b_9397304.html) got me thinking: it’s really not about the emails – it’s about the network she used away from the State Department offices.

So as to keep the ‘geek speak’ to a minimum (and please, this isn’t about partisan politics: it’s about the network and security that’s being used) here’s the deal,…

The point this article brings up is that Clinton never once utilized her government-issued email address – in fact, no official State Department email address was utilized by her during her tenure as Secretary of State. The Secretary instead utilized her private e-mail to conduct official State Department business.

This naturally leads to several key questions:

1) Private or Public service? Utilizing a private service / server in the conducting of official business leaves open questions of propriety: did any ‘spill-over’ take place? Did any (for example) Clinton Foundation work spill over into official State Department work? The rule of thumb is (as many of you would agree) that separate e-mails ensure (for the purpose of e-discovery) a separation of business and private work in the event of any legal actions. If there were private / foundational emails on the very same server (and using the same e-mail address; more on that shortly) then in the event of legal discovery it would leave open the possibility of classified e-mails being accessed in the course of answering a legal action.

Also, it all leaves open the elephant in the room: how much work was done on the server that was foundational versus that of official State Department business? Did the two ever get mixed? One approach would be to have two totally separate servers utilizing a single switch: the two servers would be on two totally separate ‘virtual’ networks (an industry standard) and thus there would be no question of anything ‘spilling over’ while ensuring far superior security. This is network management 101; was this done? And this is important to ask for,…

2) Was safe emailing practiced? Separate e-mails create a ‘firewall’ in terms of keeping things said in the course of official business apart from anything that could be construed as ‘classified’. With one using the same e-mail for governmental, private work or even personal work, such a practice can lead to potentially confusing scenarios (‘hey, where’s that e-mail about the latest bombing raid? Oh, it’s next to the e-mail about getting that new sofa we ordered for the living room and that meeting we got regarding the foundation’). And speaking of e-mails,…

3) Got good security? You’ve got some pretty big wolves out there on the Internet and frankly, it’s probably a good rule of thumb to ensure a greater (note that I did not say complete) level of security. Every computer – regardless of whether it’s a PowerEdge server or a more modest system – has some 65,000+ ‘ports’ that are readily targeted by hackers.

Given the fact that Clinton uses a private server at her home I’d be willing to wager that her home server / network was, at some point, successfully hacked; it’s just the odds. On average there are over 50,000 types of ‘malware’ and ‘attack software’ developed every day (Don’t take my word – Google it; incredible). Think about that for a minute and let it sink in,…

And BTW: did anyone ever conduct a ‘pen test’ – a penetration test – to ensure that the home system was secured? I’d be curious to know if the IT staff at State did their due diligence and kept a log of their security checks as they are required to do (standard professional practice).

And understand this: with all the malware out there, if the Secretary was conducting any business at all – State Department, ordering home furnishings or foundational work or whatever – then all it takes is one (1) bad e-mail with a virus / malware / bot to truly wreak havoc. More often than not, anti-virus systems do not catch every piece of ‘bad’ software that’s out there. Nobody and nothing is totally perfect or secure: it’s the nature of the software security beast.

4) What are the hardware and network schematics? I’d love to see the network schematic. I’m curious: was there a Cisco (or even Juniper) switch installed on her home system? If there was (and I would expect there to be), odds are (as recently reported) that Cisco switches (the industry standard and most prevalent) were exposed as having a ‘zero day’ exploit – the very same exploit that virtually shut down the Australian national network not too long ago (seems as though somebody at the Cisco factory literally installed a “back door” – and then failed to mention it, leaving it wide open for access!). We can naturally assume that there was some kind of DMZ – i.e., a server (usually a proxy server or some such thing) placed on the ‘edge’ of the home network that would have to be accessed before the server containing the actual emails was accessed.

5) Adhering to federal records requirements. According to the article, if there are some 33,000 e-mails deleted, this is not good; this would be in clear violation of Federal records management standards since, unless there is a duly submitted and processed ‘records destruction request’, deletions are considered illegal. Bad enough that the creeps during the recent Bush administration did this; no reason to excuse another’s actions just because the creeps (who rightfully belong in jail) did so. Two wrongs don’t make a right.

6) Why not let somebody else assume the responsibility and the blame? Assuming that the Secretary of State purchased the home server and network on her own dime, why not instead let the government professionals and the taxpayer pay for all of this? Save money, time and hassle. Avoid all of this nonsense and be assured that if things do go south, it’s not the candidate’s fault and thus avoid the hassle of this entire subject matter.

7) Any backups? In the event of a power surge, a lightning strike or some other act of God taking place at the Clinton home, were there any backups conducted with regard to the home server so that any official emails wouldn’t be lost? If so, where are those backups and how are they secured? Are they backed up on tape? In the cloud? On another server? And how are those backups (if any) secured? And if there are no backups, what the hell: don’t we want to ensure that we don’t lose official State Department e-mails that could be important for future reference?
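
Question 3 above raises exposed ports and logged security checks. As an added example (not part of the original post), this Python sketch parses constructed `ss -tlnH` output from a hypothetical mail server and flags every listener reachable from the network that falls outside an assumed allowlist of ports 25 and 443; the sample lines and the policy are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (listening TCP sockets, no header).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:3389 [::]:*
LISTEN 0 128 192.168.1.10:8080 0.0.0.0:*
"""

# Assumed policy for a mail server: only SMTP and HTTPS webmail may be reachable.
ALLOWED_PORTS = {25, 443}


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        if host == "*":  # some ss versions print a bare wildcard
            host = "0.0.0.0"
        listeners.append((host, int(port)))
    return listeners


def audit(ss_output, allowed=ALLOWED_PORTS):
    """Flag listeners reachable from the network on ports outside the policy."""
    findings = []
    for host, port in parse_listeners(ss_output):
        if ipaddress.ip_address(host).is_loopback:
            continue  # loopback-only services are not exposed to the network
        if port not in allowed:
            findings.append((host, port))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for host, port in audit(SAMPLE_SS):
        print(f"unexpected listener: {host} port {port}")
```

Run on a schedule and appended to a dated file, the output doubles as the log of security checks the post asks about.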

In the end, that’s what this all is: a distraction. There’s a lot to be done and a lot to be focused on, but frankly, somebody wasn’t thinking when they undertook this approach of using a dedicated home system: it only raises more questions than answers.

Put it this way: I don’t think a private financial firm or a health service would utilize a home server in the course of conducting business.

In the meantime, I truly hope that nothing comes of this – and that somewhere out there, we won’t later hear about how Clinton’s home system was hacked, with the resulting exposure akin to a ‘Snowden’ effect and classified State Department e-mails spilling all over the internet. After all, far bigger players – both private and government – have been hacked.

As to this issue ensuring Sanders gets the Presidency? Well, I personally think it’ll take more than just what’s being said in here – but it certainly does not diminish the importance of the issue and does indeed raise a series of concerns, especially as it relates to matters of national security.

Please set aside your partisan arguments or denouncements; I’m merely asking some basic 101 hardware and software questions that are standard for anyone working within the realm of computer security, particularly as it relates to higher level governmental service.

These points need to be answered. As a taxpayer (and a professional) I’d like to make sure that nothing comes out of this that would hurt Clinton’s fair chance at getting a higher office, nor expose me or my community to any dangers lurking by way of individuals seeking to harm my country.

But if this turns out to be standard practice by Mrs. Clinton, I have to ask: what else is taking place and are we all being placed at risk?

Bank Robbery as a Relative Notion

A long, long time ago in a place far, far away (called the 1980’s) an (infamous) series of collective / anarchistic technofetishists known as “hackers” developed.

At the time, the home-based consumer computer (not to mention the telephone system with its BBS’s – Bulletin Boards!) was new and exciting: the (now old and removed) POTS (Plain Old Telephone System) was THE game in town, with the gathering of information and the joy of learning new routines the primary goal. Various stratagems and means were utilized, inclusive of dumpster-diving (going through the telephone company’s trash), ‘social engineering’ (a fancy word for sweet talking somebody into giving you restricted access) along with regular stops at the nearest ‘Rat’ (Radio) Shack and ‘trade gatherings’ where others of ‘their’ kind would come together.

This is all mentioned in light of the recent news development regarding a group of hackers involved in a massive worldwide effort targeting banks to the (publicly reported and admitted) amount of $45 million.

As the so-called experts point out:

Hackers got into bank databases, eliminated withdrawal limits on pre-paid debit cards and created access codes. Others loaded that data onto any plastic card with a magnetic stripe — an old hotel key card or an expired credit card worked fine as long as it carried the account data and correct access codes.

A network of operatives then fanned out to rapidly withdraw money in multiple cities, authorities said. The cells would take a cut of the money, then launder it through expensive purchases or ship it wholesale to the global ringleaders. Lynch didn’t say where they were located.

Some things still haven’t changed; nothing new here.

The idea of using a plastic card with a pre-coded magnetic tape is as old as dirt itself: as to how this is done, much of this can be found through various sources.

As to accessing banking records to undertake such things (after all, the only way in which this job could be pulled is by matching the actual account information to the physical magnetic cards used for downloading cash), during the 1990’s Citibank’s interoffice telephone exchange was openly used by “hackers” for free conference calls, openly planning their next round of activities, exchanging chit-chat or teaching each other the latest trends and routines – no different from any other major corporate personnel utilizing a corporate telephone network (it’s worth noting that, at the time, users had to be mindful of the (slight) distance delay differential owing to the then weird practice of Citibank having all its calls routed through its Paris, France office network).

Any system or service is only as secure as its people make it to be.

As for accessing bank records, why stop at digging in, when you can have the information come to you? Some years ago, there was a group of hackers who went one step further: actually setting up fake ATMs in shopping malls and other public areas. The average user would go to withdraw money, only to be told that the machine was out of service; the information the user had entered was then stored and taken to be placed on a magnetic printer strip for later withdrawal (these were among a sub-grouping who, as part of their routine, would withdraw cash from ATM machines while wearing masks of such individuals as Ronald Reagan, zombies, Richard Nixon, or a host of others for the amusing benefit of bank security cameras).

During the 1990’s, banks had a situation wherein “hackers” (ah, that word again) would be accused of replacing security cameras with ones of their own, ‘shoulder surfing’ over users to capture their account information (an insidious procedure which may sound perfectly suitable for nefarious purposes, but in fact can be a real pain to undertake). The smarter ones, however, would set up capture items in and around the keyboard such that users were not aware that their information was being captured,…

And then there were the legendary moves on the part of certain “hackers” of the Russian Federation who captured inter-bank transfers, placing ‘blocks’ or ‘capture point / redirects’ on the ports where the data were being swapped (in simplistic terms, placing listening devices on the internet / telephone networks, decrypting the data being sent and then using that data to actually access the raw accounts being managed). The results of this effort? Estimates range widely, with bank losses estimated to reach as high as $50 million in just one such incident alone! Interestingly, the impacted banking houses sought to drop the charges in exchange for the “hackers” becoming their security consultants, so as to avoid any further publicity over the matter, for if the public were to truly know the extent of the lack of security, banking confidence would plummet. (Naturally they settled for financial restitution – but remarkably, settled for an amount far less than what many suspected was actually taken, suggesting that the action was deeper than anyone wished to admit and that the skill set involved ensured that the money was untraceable – or, more likely, the appropriate officials were sufficiently given ‘inducements’ to avoid any further prosecutorial action.)

And can you blame them? I’d hate to be the one to tell my clients ‘gee, several millions of (insert your currency of choice here) was taken from your account, but you still want to do business with us – right?’

Which brings us to the other side of the coin, so to speak,…

As reported two months ago, HSBC was directly involved in what governmental officials stated was ‘money laundering’ (http://www.bbc.co.uk/news/business-21840052) for major narco-criminal enterprises worldwide (which makes it interesting how this particularly publicized group of “hackers” targeted money reserves set aside for pre-paid cards, wisely avoiding other accounts,…).

The reality is that the only innocents involved in the entire arena are the average bank account holders (the ‘little people’), for many banks themselves are involved in criminal activities of their own, ranging from money laundering, to passing along sub-prime housing funds, or just simply overcharging people with various account charges just because, well, the banks can do this sort of thing (I deliberately fail to mention the investors as insurance will cover the costs of such losses; as to those who may object I merely point out that it’s all just business and to please check your company pride at the door,…).

Much of what is taking place in recent years regarding banking is increasingly a matter of degree and viewpoint. As banks become larger, they will utilize whatever resources they can to ensure their protection, which may include the hiring of those who penetrated their security, indulging in questionable investment practices and serving ‘interesting’ clientele.

It’s all part of doing “normal” business in the 21st century.

Similarly, as banks handle larger and larger amounts of “money” (and we won’t get into the discussion of ‘Bitcoin’ and the significance of that development as it relates to international banking and financial systems as after all, when you think about it, what truly defines the financial value of any given currency?) banks are involved in realms and investment practices which they did not dream of doing but twenty (20) years ago – witness the role of banks in the recent housing bubble and the sub-prime mess along with their various other financial / investment practices (we’re still awaiting the final report on the offshore accounts held in the Bahamas involving high-ranking international governmental officials and other ‘outstanding’ members of society – $32 TRILLION and rising,…!).

Realize this: we’ve reached a point in our culture(s) and society(ies) where – like the intrinsic value of money and the actual stability of our financial systems – the very notion of a bank robbery is now relative.

Here’s one brief overview of this incident: http://www2.macleans.ca/2013/05/10/sophisticated-network-of-global-thieves-drain-cash-machines-in-27-countries-of-45m/