Hillary Clinton’s private email server could be controlled remotely over an open Internet connection, potentially exposing the server to hackers, The Associated Press reported.
Clinton’s server, which the Democratic presidential candidate used to host all of her email exchanges while serving as secretary of State, was set up with a Microsoft remote desktop service. The tool allows users to control devices remotely via an Internet connection.
That connection, however, is supposed to have additional security measures, such as encryption, to block nefarious actors from exploiting the remote-control software and hijacking a device. Most employ an encrypted private connection, or virtual private network (VPN), when controlling a device from afar.
The U.S. government issued warnings about this vulnerability during Clinton’s time in office. The State Department even banned technology officials from using remote-access software to work on unclassified servers without a waiver, according to the AP.
The AP discovered details of the setup in data and documents compiled in 2012 by an anonymous hacker-researcher who scanned Clinton’s server at least twice for available entry points, or “ports.” His scan picked up the open ports created by the remote-control software.
It’s not clear whether the person knew it was Clinton’s server being scanned.
Clinton spokesman Brian Fallon told the news service that the findings do not show the server was actually infiltrated.
“This report, like others before it, lacks any evidence of an actual breach, let alone one specifically targeting Hillary Clinton,” he said. “The Justice Department is conducting a review of the security of the server, and we are cooperating in full.”
Since the revelation that Clinton used a private email server to host all of her digital correspondence while at the State Department, security experts have sought to discover exactly what measures she used to protect her email and server from hackers and spies.
Clinton has maintained the system had “numerous safeguards,” without specifying exactly what those measures were.
The discovery of the remote-access configuration is a rare glimpse into the server’s security measures, or lack thereof.
Cybersecurity experts said the oversight is a rudimentary mistake, one that professionals should not make.
“I suspect her system was hacked,” said Ron Gula, chief executive officer of Tenable Network Security, by email.
Open ports, such as the ones on Clinton’s server, “are easily discovered with massive Internet scanning tools, and then easily exploited,” he added. “A firewall should have been configured to stop this sort of access. … This implies the firm operating the server was not serious about security.”