2016 Postmortem
Related: About this forumBreaking News: Clinton email server secure - never hacked.
New York Times:
The security logs bolster Mrs. Clintons assertion that her use of a personal email account to conduct State Department business while she was the secretary of state did not put American secrets into the hands of hackers or foreign governments.
[link:http://www.nytimes.com/2016/03/04/us/politics/security-logs-of-hillary-clintons-email-server-are-said-to-show-no-evidence-of-hacking.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=a-lede-package-region®ion=top-news&WT.nav=top-news&_r=0|
jeff47
(26,549 posts)"Installing malware"
"Copying all data to China"
BlueStateLib
(937 posts)jeff47
(26,549 posts)As for enterprise grade firewall, how'd that work for OMB, DoD, IRS, Blue Cross/Blue Shield, Target........
BlueStateLib
(937 posts)Enable logging to capture the details of the network traffic
http://cookbook.fortinet.com/logging-fortigate-traffic/
AgerolanAmerican
(1,000 posts)"Security logs" can refer to many different things. Could be the Windows security log for the OS, or could be the mail server's security log.
They should assign a reporter who knows enough about IT security to relay all the relevant information in a story.
The exact phrase used was "computer security logs from Mrs. Clintons private server". Might be reporter ignorance but my guess is that that is a different log than one made by a network security appliance.
BlueStateLib
(937 posts)Last edited Fri Mar 4, 2016, 05:09 AM - Edit history (1)
jeff47
(26,549 posts)Step 1 of your attack is to gain access to the system.
Step 2 of your attack is to erase all evidence of your attack from the system.
If Clinton's server was successfully compromised, there would be no record in any logs on her server.
Lizzie Poppet
(10,164 posts)No one competent enough to do the hack in the first place is likely to leave the logs intact. Basic shit...
MaggieD
(7,393 posts)Not in business. At least not my server.
jeff47
(26,549 posts)Or are you going to claim nation-state-level attacks would write to your log files?
It shows a stunning lack of knowledge about business level security. We aren't running servers in our basements.
jeff47
(26,549 posts)If you do, I really hope you're not storing anything important. 'Cause I assure you it does not leave anything you can grep.
Btw, "Business-level-security" has leaked my identity 4 times in the last 2 years. That I know about. "Government-level security" has leaked my identity once.
MaggieD
(7,393 posts)When business level security is in place. The government and the server in mom's basement are not in the same league has business level security, and I am sure that is exactly what the Clinton's employed.
jeff47
(26,549 posts)When they take complete control of your servers and network, they get to decide what you see.
So...skipped over the part where my information has been stolen from "business level security" far more frequently?
I'm well aware of what you think is so super secure. It isn't when you're facing nation-state-grade attacks. Just as you claim business security is in a league beyond home security, nation-state-grade is a league beyond business.
Then you haven't read any coverage of the security problems on her server.
Would you spend the first 4 months with all communications unencrypted? Clinton did.
Would you leave the default VPN keys on your VPN appliance? Clinton did.
Would you use self-signed certificates? Clinton did.
Would you use an easy-to-typosquat address when a .gov could be made available? Clinton did.
Does your ISP have a history of being repeatedly hacked by China? Clinton's did.
About the only good thing they did in regards to the server was not announce its existence on 4chan.
MaggieD
(7,393 posts)There is a reason the state department server was hacked and hers was not. Do you not think WikiLeaks would have gotten in if they could have?
The fact is her server was never hacked.
AgerolanAmerican
(1,000 posts)It's like proving a negative. With evidence one can prove a hack occurred, but a conclusion of not being hacked can only be based on the lack of evidence of a hack. There is no positive direct evidence that can be produced that a machine hasn't been hacked, although one can present evidence that proper security measures were taken.
Businesses do get hacked all the time, even big ones with nominally secure infrastructure. Off the top of my head, Target and SONY both experienced hacks that got 100 million+ customer records each. The IRS has been hacked in a big way at least twice recently, and of course OPM got its whole database stolen in an insider job. All these businesses use industry standard information security doctrine, but implementing them in detail is a whole different animal. A whole IT infrastructure can be penetrated through something as simple as a failure to protect a web application from an SQL injection attack in one input on one screen (as happened in the SONY case).
Then there's the infamous Ashley Madison hack which was not so long ago, either. Smaller organizations are even less likely to be properly secured than large ones.
jeff47
(26,549 posts)FFS, if you're going to claim to be an expert on security, you should at least know that an authorized user copying information they were authorized to access onto a CD is not a "hack".
Recursion
(56,582 posts)BlueStateLib
(937 posts)These certificates were obtained validly and enabled web-based encryption for applications. Based on TrustNet analyst, Venafi can conclude clintonemail.com was enabled for browser, smartphone, and tablet encryption since 2009 and can operate using encryption through at least 2018. However, for the first 3 months of Secretary Clintons term, access to the server was not encrypted or authenticated with a digital certificate.
https://www.venafi.com/blog/post/what-venafi-trustnet-tells-us-about-the-clinton-email-server
https://www.venafi.com/blog/post/what-venafi-trustnet-tells-us-about-the-clinton-email-server
Self-signed certificate are just as a secure as a TrustNet issued digital certificate. The only
difference is that you would see this warning when accessing https:// login page.
Hillary accessed her email server from her Blackberry through VPN not https login and clintonemail.com had an userbase of 1 (herself), so nobody had a need or reason to login through https
Recursion
(56,582 posts)The US Government doesn't use and never will use stock commercial CA's. That would be a horrible idea.
That page is exactly what you want to see.
Central CA's are a horrible, horrible idea, and I'm glad the government is avoiding them. Self-signed certificates are significantly more secure.
jeff47
(26,549 posts)You've got no idea if the server you're connecting to is the "real" server, or a man-in-the-middle or similar hijacking.
All they do is present a self-signed cert and say "trust me". That's why you get the big giant warning in Chrome.
Pre-shared self-signed certs give some security, but only as long as that certificate has not been stolen. The third-party authentication via root CAs give more security, because you have to steal more certificates from multiple sources in order to set up your man-in-the-middle attack.
Recursion
(56,582 posts)That's simply absurd. Your administrators *install known good keys*.
That's the entire point. The government can do that. Joe Schmoe can't, which is why the rest of us are stuck with the inferior PKI system.
jeff47
(26,549 posts)Again, that's only good as long as the certificates have not been stolen. You've got a single point of failure with a giant target on it.
Root CAs (assuming a competent root CA company) require hacking both the target server and a root CA server to exploit. That's significantly harder.
Recursion
(56,582 posts)Stop.
The root CA for a government server is a government server.
Government IT admins distribute that key, and only that key, to secure systems.
There are zero third party corporate/foreign servers involved, unlike for the rest of us.
That is more secure, and you know that.
jeff47
(26,549 posts)The certificate on a government server is not a root CA. The government has its own root CA servers that are separate from, say, a government web server.
The browser in this scenario still contacts a root CA to authenticate the remote server. It just contacts a government-only root CA instead of Verisign, et al.
Recursion
(56,582 posts)You still seem to be missing the fundamental point:
Replace Verisign and 170 other entities with USG. It's the same infrastructure, but 1 and only 1 certificate authority is trusted.
That's more secure.
jeff47
(26,549 posts)The web server has a certificate. It is not a root CA, and the public key from that certificate is not installed on the client.
Instead, that certificate chains to a government root CA. The client has that government root CA's public key to authenticate the web server's certificate.
There's (at least) 2 certificates involved.
Recursion
(56,582 posts)We actually agreed on this downthread.
I'm still curious why we started on this from the results of an HTTPS request when to my knowledge a WWW site was never involved.
jeff47
(26,549 posts)No root CA at all.
Recursion
(56,582 posts)None.
A web server located at that same IP address seems to have, but that's a very different question, isn't it?
jeff47
(26,549 posts)And what would a web server be doing at that address other than providing access to email?
Recursion
(56,582 posts)I agree, we also have no evidence of a non-self-signed cert.
We have literally no evidence about the certificates that were used by this mail server whatsoever.
If the web server was used only as a webmail gateway for Clinton and only Clinton, that's actually kind of the textbook use-case for a self-signed certificate because it removes literally any compromise pathways except her own admin.
For that matter, her email server like nearly every government mail server out there could well have just been taking SMTP connections unencrypted over port 25, in which case this entire point is completely moot.
jeff47
(26,549 posts)What's the point of Clinton even having a web server on the box if not to provide web-based access to email?
We know Bill, Hillary and several of Hillary's aides had accounts. I vaguely remember Chelsea having one, but I'm not sure about that and don't care to look it up.
The claim from camp Clinton is that she only accessed the server via VPN on her Blackberry (And that VPN appliance had the default certificates still installed, so it was insecure).
No one has said how the other account holders accessed the server.
Recursion
(56,582 posts)That's fine, and if she was the only client, that's a perfect use case for a self-signed certificate. Literally no pathway for compromise except her admin (who is a pathway in any other circumstance too). Ditto if it was here and some finite number of friends like Bill and Chelsea.
jeff47
(26,549 posts)Nope.
A self-signed certificate only encrypts the communication. It does not authenticate the remote server. So a self-signed certificate allows man-in-the-middle or similar connection hijacking attacks.
And the VPN appliance had the default, widely-known keys installed. Meaning anyone could connect to that VPN.
Nope. Hillary Clinton, Bill Clinton and at least 3 of Hillary Clinton's aides had accounts.
Recursion
(56,582 posts)are the Chinese government.
You're just wrong here. PKI is exactly the wrong solution for true security.
jeff47
(26,549 posts)There's a reason even the DoD uses a root CA system - they just have their own root CAs. It requires stealing more certificates from multiple places.
Recursion
(56,582 posts)A public key is very different from a shared key.
In a secure government system, one and only one public key is trusted, and that is the key whose private key is owned by a government server (again, this is not a shared-key cryptosystem; I suspect you'll realize this if you think about it for a second). This is the exact same cryptosystem that we use, except that the only trusted root certificate is from the US government.
In contrast, my browser (on OpenBSD, which is fairly paranoid) trusts by default 171 different public keys.
The government's way is more secure.
jeff47
(26,549 posts)Not quite.
Let's say you're setting up a web server. You'll be given a certificate for that server's secure connections. That certificate is authenticated via a government root CA, and not Verisign's root CA (or any other root CA). Depending on what the client is used for, it will only have that government root CA, or it will have a stripped-down list of root CAs.
You seemed to be espousing generating a self-signed certificate for that web server, and then sharing that with the client in order to authenticate the connection. Which is secure as long as that one certificate is not stolen.
Recursion
(56,582 posts)Nope. I'm espousing not even sharing the CA's public key with anybody outside of the network. Which looks the same as a self-signed key.
As a separate issue, I think it's absurd that browsers treat a self-signed certificate as less secure than plaintext, when it's strictly better, but that's a completely different question (and I'd imagine you agree with that...)
(And at any rate it's odd that what started this was the results of an HTTPS request, when nobody yet has claimed there was a problem with her website.)
jeff47
(26,549 posts)That typically triggers self-signed behavior, but it's technically not self-signed - the same server is not authenticating the certificate, so it's technically not self-signed.
IMO, it's based on what the user is more likely to see. Plaintext is "normal" to a typical user. Authenticated via a root CA is also "normal" to a typical user.
Self-signed is not what you'd expect when going to your bank or similar. So the browser says 'Holy shit this is weird! Do you REALLY want to do this?"
Recursion
(56,582 posts)In that it prevents all passive attacks (you might be being phished by the Russian mob, but at least you know the NSA can't listen in).
I still stand by my main point: the results of an HTTPS request don't actually tell me much about the cert an email server was using.
Recursion
(56,582 posts)TheBlackAdder
(28,076 posts)MaggieD
(7,393 posts)TheBlackAdder
(28,076 posts).
And Windows is one of the last places to do it!
.
MaggieD
(7,393 posts)State Department server was hacked. Hers was not. And lots of companies with "billions" don't seem to know about or deploy the proper security. If you think it depends on "bus architecture" you are severely behind the times.
TheBlackAdder
(28,076 posts).
Are you freakin' kidding me?
.
AgerolanAmerican
(1,000 posts)I can tell you have first hand experience from both the content of your comments and the level of exasperation.
I can only imagine the nightmare of trying to secure that machine. I doubt it was really tried, anyone competent would have raised bloody murder over the configuration.
Bob41213
(491 posts)From what I read about that server it set up so many red flags in my mind. I'd never run anything like this on a server like that. I can't imagine any foreign government who wanted to get in wouldn't have a handful of zero day hacks they could use to get real time access to that server. This assumes of course that they knew about her use of the server, which seems reasonably likely but I can't say for sure. I can't imagine the Russians or Chinese wouldn't have waltzed right into this server if they tried.
Secondly, the claim that there was only 1 person using the server is ridiculous. In my mind it's quite obvious the whole point of this server was to avoid freedom of information requests. In order to effectively do that is to get all your aids on the server. When it leaks out onto other servers is when you no longer control the records (like the Sidney Blumenthal emails).
I also wonder why the server admin was in possession of the logs and required an immunity agreement to turn them over. If I own that server, I should be the one in possession of the logs. One of my employees doesn't keep a copy of the server logs at home and require immunity to turn them over, those should be owned by the employer since she paid him.
jeff47
(26,549 posts)Surely the compromise won't involve disabling the ability to detect the compromise!!!
LittleBlue
(10,362 posts)Concocted by some flack who doesn't understand or care about cybersecurity.
DesertRat
(27,995 posts)tularetom
(23,664 posts)But then, you knew that.
jillan
(39,451 posts)It's about classified info.
HereSince1628
(36,063 posts)In this particular case the absence of evidence that the server was hacked is akin to a drunk driver stopped for speeding in the wrong direction in a school zone who says 'But I didn't have an accident.'
Press Virginia
(2,329 posts)would be over and there wouldn't be a need to grant anyone immunity from prosecution.
nichomachus
(12,754 posts)The computer guy said "there were no signs of foreign hacking in the security logs."
No signs of it. Doesn't mean it didn't happen. Any hacker worth his or her salt knows how to erase his footprints amd fingerprints from the server logs. That's what they do.
Any time they do leave a trail is when they want a quick in and out and don't care if the victim knows. Mossad, the KGB, the Chinese, and the Iranians know exactly how to hack a server and not leave any trail behind. Give them some credit.
kstewart33
(6,551 posts)You can bet that the best experts we have examined and concluded that no breaks occurred. That's what the FBI does.
JonLeibowitz
(6,282 posts)If they're even slightly better, there would be no evidence.
And the advantage typically goes to the person who has control over the syslog files, so they can clean their tracks of anything the FBI wants to find.
morningfog
(18,115 posts)DemocratSinceBirth
(99,705 posts)I have been told that her private server was some Rube Goldberg home brew device but the evidence suggests this Brian Pagliano guy built an impenetrable system.
morningfog
(18,115 posts)cite to Pagliano or "aide" for the never-hacked statement.
DemocratSinceBirth
(99,705 posts)Brian Pagliano= former aide
FBI officials = people close to the investigation, speaking anonymously of course.
morningfog
(18,115 posts)LP2K12
(885 posts)and working in intelligence as an analyst, I would never have gotten away with this excuse. It's really disheartening.
renate
(13,776 posts)As much as I would rather have Bernie be our nominee, I'm not so unrealistic as to pretend that there isn't a good-to-excellent chance that it'll be Hillary. And I realize there's more to the issue than just whether it was hacked, but I'm glad that her server having been vulnerable won't be an issue.
TheBlackAdder
(28,076 posts)Darb
(2,807 posts)"The fools, don't they know I control EVERYTHING!!!!!
MMWWAAAAAA, MMWWWAAAAAA MMWWAAAAAA
Hillary is Dr. Evil.
oasis
(49,152 posts)silenttigersong
(957 posts)Maybe some of the Clinton supporters will stop berating Sanders supporters as RWers.Nice break for awhile.
calguy
(5,223 posts)But many of them are real BSers.
mindwalker_i
(4,407 posts)Thing is, it's a steaming pile of bullshit. The logs don't show it? Which logs? How often were the logs rotated? Who compiled the logs and sent them? Who read them?
"My ass doesn't hurt right now, so I've nobody's ever seen me naked."
lovuian
(19,362 posts)Mr. Pagliano told the agents that nothing in his security logs suggested that any intrusion occurred. Security logs keep track of, among other things, who accessed the network and when. They are not definitive, and forensic experts can sometimes spot sophisticated hacking that is not apparent in the logs, but computer security experts view logs as key documents when detecting hackers.
time will tell
Nuclear Unicorn
(19,497 posts)The server was just used for yoga routines and discussions of Chelsea's wedding. Hillary said so herself.
MoonRiver
(36,926 posts)Chemisse
(30,793 posts)They can accuse her of being careless, or using bad judgement, but they can hardly indict her if nobody ever got hold of the classified emails.
lapfog_1
(29,166 posts)I would ONLY trust it (and only a slight amount, BTW) if it was running the most up to date version of SELinux from Redhat and Tresys Technology (validation). And then only if the most secure policies offered were actually used.
And... even with all that (SELinux is used/from the NSA), you still can't PROVE that it wasn't hacked. Snowden was an admin using SELinux for the NSA... and he only mistake was going public with his information (the easiest way to hack into any system is to be one of the trusted people that administer that system).
Kip Humphrey
(4,753 posts)lynne
(3,118 posts)from the Justice Department, I believe.
Well, golly-gee, I'm sure his word is just oakely-dokely with the FBI! All that pleading and immunity wasn't needed at all because he had his logs. Sheesh . . . everybody back on the bus 'cause there's nothing to see here!