Another serious security flaw in Hillary Clinton’s private server has been uncovered, raising even more questions over whether the device she used as secretary of state was infiltrated by state-sponsored hackers.
According to the Associated Press, Clinton’s server was fitted with software that allows users to access information remotely. But while remote access is a common configuration for many servers, Clinton’s appears not to have utilized an encrypted connection called a Virtual Private Network (VPN).
The AP discovered the vulnerability by reviewing documents uploaded to the internet by an anonymous hacker-researcher three years ago. The hacker used a computer in Serbia to scan hundreds of millions of Internet Protocol addresses for access through what are known as ports. Clinton’s server, which she maintained in the basement of her Chappaqua, N.Y. home, was scanned at least twice in 2012.
The AP notes that the records do not make clear whether the hacker knew that Clinton’s server belonged to a high-ranking U.S. official. But the fact that it was so vulnerable to attack raises questions over the Democratic front-runner’s judgement — especially since she sent and received classified information through her personal email account.
“That’s total amateur hour,” cybersecurity entrepreneur Marc Maiffret told the AP.
“Real enterprise-class security, with teams dedicated to these things, would not do this,” he said, adding that Clinton’s configuration indicates that her system was designed for convenience rather than security.
Clinton has said in the past that she opted for one email account for convenience.
While she was in office, Clinton’s home-brew email system was maintained by Bryan Pagliano. Pagliano had worked on Clinton’s 2008 presidential campaign but was hired on at the State Department in May 2009. His official title was that of senior adviser and deputy chief information officer. But he also reportedly managed Clinton’s email system. Clinton has said that she paid Pagliano out of her own pocket to manage the system.
Pagliano invoked his Fifth Amendment right against self-incrimination when called to testify in front of the House Select Committee on Benghazi.
But Pagliano appears to have been an advocate for remote-access technology like the kind maintained on Clinton’s server. Online videos and presentation notes from meetings Pagliano attended show him discussing how to expand remote-access usage within the State Department.
Pagliano did not respond to The Daily Caller’s request for comment.
According to the AP, several federal agencies, including the State Department, warned against using the types of unsecured systems that Clinton appears to have maintained.
“An attacker with a low skill-level would be able to exploit this vulnerability,” the Homeland Security Department’s U.S. Computer Emergency Readiness Team noted in 2012.
That same year, the State Department placed restrictions on its technology officials’ use of remote-access software on unclassified servers.
And in 2008, the U.S. National Institute of Standards and Technology warned that remote-access programs should only be used along with encrypted connections, such as VPN.
Clinton’s server configuration “violates the most basic network-perimeter security tenets: Don’t expose insecure services to the Internet,” Justin Harvey, the chief security officer for Fidelis Cybersecurity, told the AP.
Clinton’s campaign downplayed the AP’s findings.
“This report, like others before it, lacks any evidence of an actual breach, let alone one specifically targeting Hillary Clinton,” Brian Fallon, Clinton’s campaign spokesman, told the AP. “The Justice Department is conducting a review of the security of the server, and we are cooperating in full.”