Employees at a company that provided spam-filtering services for Hillary Clinton’s private email account could have easily copied or forwarded her emails without her knowledge, an internet security expert tells The Daily Caller.
Marc Perkel, a tech entrepreneur and former systems administrator at the Electronic Frontier Foundation, analyzed Clinton’s server configuration, the one she had registered to her Chappaqua, N.Y. home, and found that it routed emails through the spam-filtering company MxLogic.
And according to Perkel — who runs his own spam-filtering firm — that is a problem, especially if Clinton sent classified documents — something that she has so far denied doing.
“All the emails going to her account at Clintonemail.com went through that spam-filtering service,” Perkel told TheDC in a phone interview. “And anybody who worked at that company who was in the tech area could read all her emails.”
“They could read it,” Perkel said of employees at MxLogic, which is now owned by McAfee. “They could forward it on to Putin or Israel or North Korea or whoever they wanted. They could do anything they wanted with that email without her having any knowledge that it happened.”
Perkel said he has no evidence that anything like this happened at MxLogic but said that the possibility is disconcerting.
Clinton’s emails were encrypted when sent and received. But by using a third-party firm to filter spam — a service that email service providers like Gmail or large outfits like the State Department would provide — Clinton’s emails would route through MxLogic. There the emails would be decrypted, analyzed to determine whether they were spam, reencrypted, and then sent on their way.
It is in that state of decrypted limbo that the emails would have been vulnerable to being compromised.
What’s worse, “she would have absolutely no idea if it was compromised or not,” Perkel said.
During the ongoing fallout from Clinton’s private email use, she and her handlers have insisted that her email account and her server were never infiltrated.
“Robust protections were put in place and additional upgrades and techniques were employed over time as they became available,” Clinton spokesman Nick Merrill told Bloomberg View on Thursday. “There was never evidence of a breach, nor any unauthorized intrusions.”
But Perkel thinks such assurances are impossible to make.
“There was no way that she could make the statement ‘it was not compromised’ because she could not know it was compromised or not,” Perkel said.
Perkel’s findings, which he first shared on a blog he hosts on his own private server for well-known tech writer John C. Dvorak, comes as Bloomberg View spoke to other tech security experts who also questioned the security of Clinton’s email arrangement.
Clinton failed to protect her email account from “spoofing” and “spear phishing” attacks, Bloomberg View reported. Hackers could have used those tactics to pose as Clinton while sending emails to her contacts.
Such a lax arrangement placed Clinton’s contacts — which we now know included President Obama among other high-ranking officials — at risk of being hacked as well.
Experts reached by Bloomberg View found that Clinton’s system did not enable what’s known as a Sender Policy Framework, or SPF. That simple security mechanism would block hackers from sending emails from what would appear to be the clintonemail.com domain.
“I have no doubt in my mind that this thing was penetrated by multiple foreign powers, to assume otherwise is to put blinders on,” Bob Gourley, a cybersecurity consultant and the chief technology officer at the Defense Intelligence Agency from 2005 to 2008, told Bloomberg View.
Clinton’s vulnerable system also opened her up to the possibility of a “spear phishing” attack. In that scenario a hacker could send an email seemingly from Clinton. When the recipient opened the message their system would be compromised.
Similar to what Perkel told TheDC, Bloomberg View’s experts also said that Clinton would not have known that her system was compromised.
“This isn’t even plausible,” Perkel said of Clinton’s various defenses and justifications for her private email use. “This is at a point where she’s insulting my intelligence.”
“Who would think that the secretary of state is going to have a private email server that goes through a commercial spam-filtering service for secure email?” Perkel said. “It’s almost like security through obscurity.”
Perkel’s critique of Clinton’s use of private email and her incomplete defense during the fallout isn’t fueled by political animus, he says. Evidence of that is a picture posted to his blog of him standing next to Clinton in 1992. He also says he will still vote for Clinton over any Republican if she is nominated.