Hillary's sysadmin left VNC, RDP exposed to the internet - report

Not only did Democratic Party presidential hopeful Hillary Clinton run her own email server while at the State Department: someone, presumably her friendly local sysadmin, decided it needed remote desktop protocol (RDP) and desktop sharing code virtual network computing (VNC) exposed to the Internet. The folks at Associated …


  1. FozzyBear

    still leaving one mystery device to be identified. ®

    Yep, that'll be the actual truth of the situation. Unfortunately that will never see the light of day.

  2. a_yank_lurker

    So the Russians, Chinese, just about everyone else was reading her email while at Foggy Bottom. It seems to give a very good perspective on why the US foreign policy has been such a disaster for the last several years.

    1. Anonymous Coward
      Anonymous Coward

      There is no need to read her email for it to be a disaster

      When Russians deal with a foreign country the guy(s) or gal(s) at MGU with a modern history PhD (and optionally history of religion PhD) on the country in question get a call and a FAT check to help with the analysis, selection of the strategy, PR, etc. The result is "successful policy alteration" in most cases - especially when privatisation, mergers, etc are involved. I have a couple of childhood friends who have made some very good money on that and have had their apartments, dachas and the spanking new BMW parked in the private garage under the apartment block paid by that. All stuff you will never get on a professor's salary.

      When Chinese deal with a foreign country they come with a FAT check. One of the reasons why kleptocracy in Africa will not die any time soon.

      When Americans deal with a foreign country they come with arrogance, bullshit and start the conversation with "do not give me this crap about what happened 200 years ago". That used to work when their competition was only the USSR, which came with a copy of Das Kapital and AK47s. It does not work any more in the modern world.

      1. I. Aproveofitspendingonspecificprojects

        Speaking of Kleptocracy

        Dare tell us how the KGB got everyone rich overnight in 1990?

        Did they really have to shunt Gorbachev out past the Urals for a few weeks and install a drunk Boss of Bosses to do it?

      2. Anonymous Coward
        Anonymous Coward

        Re: There is no need to read her email for it to be a disaster

        So you think bribery of government officials is the way to deal with foreign governments?

        Remind me why billions of dollars that were shipped to Iraq didn't make any frigging difference. Remind me why the Egyptian government gets billions in "Aid" from the US Government. Remind me why we gave you European ungrateful bastards billions of aid during WWII and then forgave the "loans". Remind me why we gave Russia tractors and airplanes that they promptly copied as their own. Remind me why we kept England fed at great personal costs during the war.

        Because I can't think of a single reason why we should have bothered for the simple reason that those acts allowed you useless twats to be born.

        Frankly any arrogance is deserved because you people are a bunch of double dealing, backstabbing, cheats, thieves and ingrates who should be speaking German today if it wasn't for our help.

        And no, no person alive today should have to care what his/her great, great, great, grandparents did 200 years ago. But as far as I am concerned you still owe us billions of dollars and some gratitude.

        1. Anonymous Coward
          Anonymous Coward

          Re: There is no need to read her email for it to be a disaster

          Someone forgot to take their meds today!?

        2. Anonymous Coward
          Anonymous Coward

          Re: There is no need to read her email for it to be a disaster

          Your arrogance is ridiculous, a front put on by History's only 'superpower' that couldn't establish an empire, whose biggest achievements are based mostly on the work of recent immigrants to that country.

          A country whose history stretches back the same length of time as my local haulage company and university, and they're latecomers compared to some of our institutions.

          A country whose greatest achievement- the moon landings- would have been unachievable without Nazi scientists. A country who've been undone militarily time and again by underestimating anyone not American.

          A country who managed to establish a massive ruling class at the expense of everyone else while fighting Communists, who managed to create a climate of fear while fighting terrorists and who cheer on freedom while clamping down on that of their own people.

          You've no military skill besides building big bombs- and the USSR had you beat at that one- as proven by your egregious record for "blue-on-blue" killings and outright defeats at the hands of Vietnam, Iraq, Afghanistan- even the Canadians (backed by the polite, tea-drinking British) beat you at war and burned your capital to the ground.

          You've got the Bomb- and large conventional forces- and apparently have no qualms about using them. That makes us fear you, yes. But it's not respect as we have for the Russians (who caught up with 150 years of European technological development in a few short years) or the Germans (who twice bettered France, supposedly their superior in every way). The arrogance we see is that of a child who's found his father's gun.

          So sit down and shut up, son, the grown-up countries are talking.

          1. The Vociferous Time Waster

            Re: There is no need to read her email for it to be a disaster

            Bravo

          2. Anonymous Coward
            Anonymous Coward

            Re: There is no need to read her email for it to be a disaster

            And we Americans twice bettered Germany, dug France out of a hole twice etc. Who liberated whom in two world wars ingrate? Shows what the unfettered military might of the US can accomplish if left alone by the politicians and simpering European aristocrats that tried bargaining with Hitler.

            BTW, it was ineffectual DEMOCRAT politicians that meddled with our Military that "lost" wars in Vietnam, Iraq and Afghanistan. France and Russia lost there too and I think some Brits and Aussies lost there too.

            Our whole country was based solely on immigrants who came here to better themselves because they got a raw deal in Europe. Seems WE were more tolerant than you ever were, so they came here. THOSE immigrants integrated into our societal "melting pot" (mine came here in 1672, is that old enough for you?) and contributed to our country unlike the ones invading your countries right now. Your so called "history" and age of your countries is certainly nothing to brag about. All you did is fight each other for centuries, keep and trade slaves, keep people in servitude, live too close in unsanitary conditions and subjugate countries. Or did you forget about the "Empire"?

            BTW, we never had a "ruling class"; YOU were the idiots with a Monarchy or several.

            Speaking of "grownups" you simpering, effete, arrogant twit, your aged European countries (no union there!) have acquired the problems of the Roman and Russian Empires. It appears that emulating your role models Caligula, Nero and Stalin is counterproductive these days and now that you've given away every pound and euro to the wastrels and layabouts, there is no one left to tax but successful American companies that you can't even come close to comparing to. But hey let's not let a few facts get in the way of our so called "friendship".

            1. GrumpenKraut

              Re: There is no need to read her email for it to be a disaster

              > Speaking of "grownups' you simpering, effete, arrogant twit, your aged European countries...

              Yeah, right.

        3. LewisRage

          Re: There is no need to read her email for it to be a disaster

          "And no, no person alive today should have to care what his/her[..] grandparents did 200 years ago. But as far as I am concerned you still owe us billions of dollars and some gratitude"

          But I don't care what my grandparents did, so you can do one.

          1. Peter2 Silver badge

            Re: There is no need to read her email for it to be a disaster

            Remind me why we gave you European ungrateful bastards billions of aid during WWII and then forgave the "loans".

            Britain paid for all of the equipment bought under Lend Lease during WW2, in gold to start with and credit after spending the entire gold reserves of the British Commonwealth. Loans were paid back in full, something which was completed only a few years ago. Nothing was "given" to the UK, and if you have contrary information then, while I hate Wikipedia, "Citation Needed" is the appropriate term for the situation. Proof please.

            If you want to get into things being given during WW2 then you might want to consider things like the cavity magnetron, the jet engine, the design for the 57mm AT gun (British 6 pounder) etc. All of these were given without charge. For the complete avoidance of doubt, these were given from Britain to the US.

            1. John 104

              Re: There is no need to read her email for it to be a disaster

              Not to get into it too much, but there was great loss of life in the merchant navies who risked it all to deliver critical war time supplies.

            2. Anonymous Coward
              Anonymous Coward

              Re: There is no need to read her email for it to be a disaster

              Try reading THIS article. You only paid the LOANS we gave you. The Lend Lease aid was mostly free and we also gave you terms of ten cents on the dollar on the LOAN not to mention the cost of hundreds of thousands of American lives.

              All to pull you out of a "bad spot" and you wouldn't even bother to help today to do the same in return.

              BTW, for the record Radar was developed from Tesla and Marconi's work, that jet engine sucked and it wasn't until the ME-262 engines got copied everywhere that it finally became a commercial success.

              They don't compare to the sheer amount of material and personnel we provided but the only reason I commented on it in the first place is because of the continuous ungrateful, rude and downright retarded treatment of a country and its people that once was your most dependable ally.

              How's this for a CITATION? https://en.wikipedia.org/wiki/Lend-Lease

              I cherry pick below:

              In general the aid was free, although some hardware (such as ships) were returned after the war. In return, the U.S. was given leases on army and naval bases in Allied territory during the war.

              A total of $50.1 billion (equivalent to $656 billion today) worth of supplies were shipped, or 17% of the total war expenditures of the U.S.[2] In all, $31.4 billion went to Britain, $11.3 billion to the Soviet Union, $3.2 billion to France, $1.6 billion to China, and the remaining $2.6 billion to the other Allies

        4. MyffyW Silver badge

          Re: There is no need to read her email for it to be a disaster

          Remind me why...

          @AC firstly, breathe, hun. All that anger is not good for you.

          Secondly: You gave Russia tractors and kept England fed 'cos we were fighting the Nazis. And their idea of empire building would ultimately have reached across the Atlantic Ocean. FDR compared it to the wisdom of a man lending his neighbour a hose to put out a fire. Churchill called it "The most unsordid act in history".

          Thirdly: If you still feel the same read P. J. O'Rourke's rather more humorous take:

          https://www.goodreads.com/work/quotes/790662-holidays-in-hell

      3. Mark 75

        Re: There is no need to read her email for it to be a disaster

        Anyone know what a FAT check is?

        1. Anonymous Coward
          Anonymous Coward

          Re: There is no need to read her email for it to be a disaster

          I have a device in the bathroom that provides me with a fat check as often as I wish.

          1. Anomalous Cowturd
            Joke

            Re: I have a device in the bathroom...

            So do I, but mine keeps complaining "one at a time please."

            I think there's something wrong with it.

        2. h4rm0ny

          Re: There is no need to read her email for it to be a disaster

          >>"Anyone know what a FAT check is?"

          Checks length of the diplomat's name is under 255 characters, I think.

        3. The Vociferous Time Waster

          Re: There is no need to read her email for it to be a disaster

          Are the horizontal and vertical stripes both wide?

        4. John 104

          Re: There is no need to read her email for it to be a disaster

          RE: Anyone know what a FAT check is?

          chkdsk

        5. jelabarre59

          Re: There is no need to read her email for it to be a disaster

          > Anyone know what a FAT check is?

          The predecessor of a NTFS check?

      4. a_yank_lurker

        Re: There is no need to read her email for it to be a disaster

        In intelligence there is the concept of securing your own communications so whoever has to work hard to, one, get the raw intercept and, two, decode it. By apparently running a poorly secured server, Hildabeast made everyone's snooping very easy. At some point all the encryption must be removed for human readable text and it is likely the snoops were sniffing when this happened.

        1. tom dial Silver badge

          Re: There is no need to read her email for it to be a disaster

          "At some point all the encryption must be removed ..."

          For a while this was not a problem. Reports published some time ago had it that for the first few months of operation the server in question lacked a certificate and the ability to encrypt http links.

  3. herman

    RDP and VNC? The level of cluelessness is despairing. Fortunately, this server only had unclassified email...

    1. Mark 85
      Trollface

      Pssst.... you forgot the joke icon.

      Cluelessness.. yes... Unclassified email.. err.... not all of it as has been reported.

      1. oldcoder

        It isn't classified until someone classifies it...

        And that wasn't done until AFTER the mail was handed over...

  4. Anonymous Coward
    Anonymous Coward

    what does shodan say for these machines?

    Or for that matter, I'm sure Michigan State University and various other research institutions have scanned her ISP's netblock.

    I just thought of something else. What do you think google maps wifi scan found when they drove past her house?

    1. Anonymous Coward
      Anonymous Coward

      Re: what does shodan say for these machines?

      > I just thought of something else. What do you think google maps wifi scan found when the drove past her house?

      Good question. Perhaps I'll see what WiFi Analyzer shows me the next time I'm on that side of town (as much as I despise driving through Chappaqua for *anything* these days).

  5. tom dial Silver badge

    It makes me sad that this person, who one reasonably supposes declined the advice of the CIO in a sensitive government department, ran an almost certainly unauthorized and apparently quite insecure server on which were stored sensitive government communications, and failed (although quite selectively) to ensure that the department employees followed the laws and regulations governing information assurance, might actually be elected President.

    I have as little respect for the State Department CIO who allowed this to happen.

    1. ZSn

      That CIO would like to keep their job. If they stand up to Hillary, no matter how stupid her actions, they would be out on their ear. Doing your job properly is no protection against a vindictive politician.

      1. 404

        And that, sir, is why we can't have nice things...

        Too much deadwood and placeholders in the US Government.

      2. tom dial Silver badge

        That CIO was a high ranking Foreign Service officer, almost certainly receiving a salary well into six digits (in 2009). If worth her salt, she would have been able to get a comparable job in the private sector or another government department; in the event, she was appointed CIO at the International Monetary Fund in mid-2012. Furthermore, in the worst case she would be protected against retaliation by the applicable whistleblower laws and at worst be assigned, with saved grade and pay, to a null job. Alternatively, since she

        The presently incumbent CIO was Deputy CIO and CTO for operations from 2011 until his appointment in 2013, had extensive prior IT experience within the Department of State and has a master's degree in Management Information Systems.

        One or the other of these officials should have been aware that Ms. Clinton chose to use a private server for her official email - perhaps advised by a conscientious subordinate or other State Department employee.

    2. Tom 13

      @ tom dial

      Anyone familiar with the Clintons and their modus operandi would NOT reasonably assume the CIO provided such advice. Instead they would assume he wasn't consulted.

      Everybody keeps dancing around what we all know: $Hrillary was selling access to State through Bill and Chelsea via the Clinton Foundation. The server was intended to keep all that secret which was why she deleted MORE personal email than she turned over to the government. You don't ask the CIO about something like that because it causes too many plausible deniability problems down the road.

      Even the whole one device meme she keeps trying to start is transparently a lie. And I mean beyond the NYT showing her using an iPhone when she was supposedly issued a Blackberry. Because of the Hatch Act, it's illegal to use your government account to engage in fundraising activities of any sort. In fact, an aggressive prosecutor can go after you for posting anything even slightly partisan using a government device (not account). And because of the Presidential Records Act (which means the whole Executive branch, not just the President) you HAVE to use a government account and server. It's not just a guideline, or a regulation. It is in fact the ONLY way you've got a 50/50 shot at complying with the law. So she's now up to two email accounts. Then you get into the whole classified angle and you're up to THREE accounts.

      1. martinusher Silver badge

        Re: @ tom dial

        If Hillary's email is anything like mine then there will be a lot of deleted mail traffic. It won't be super-secret nefarious plans, just never ending pitches for dubious products, phishes, appeals to help get secret funds out of African countries and so on. Junk filters take care of a lot of this before it even hits the in-box. This whole email thing is another Benghazi, just an attempt to make political capital out of a rather ho-hum issue (since there wasn't a specific prohibition on what Hillary was doing until after she left the State Department).

        Knowing what we know these days I'm confident that if we really wanted to read all her mail then we'd just have to ask the NSA for a copy.

        1. Tom 13

          Re: @ tom dial

          (since there wasn't a specific prohibition on what Hillary was doing until after she left the State Department)

          Another DNC kool-aid drinker I see. NO, it was not an internal prohibition which came into being in 2014. IT IS IN FACT A LONG ESTABLISHED LAW. It's called the Federal Records Preservation Act and its origins are all the way back in WW2.

          Here's a little snippet that pretty much puts your lies in the grave:

          http://www.ediscoverylaw.com/2004/12/preservation-of-email-required-under-federal-records-act/

          To put it simply, in 1993 the DC Circuit Court (so regardless of SCOTUS it has jurisdiction over DC unless reversed) found:

          1. Email constitutes federal records.

          2. The electronic record itself still constitutes a federal record even if paper copies are printed

          3. Must be managed and preserved as per the Act's requirements.

          Shorter synopsis: There isn't a statement $Hrillary has made about her email which is true.

          1. dieselbug

            Re: @ tom dial

            Yet her predecessor at State under GWB and his VP, both used personal email servers and not. one. Congressional. Inquiry.

            Explain.

            1. tom dial Silver badge

              Re: @ tom dial

              Clinton's predecessors used personal email *accounts*, not (unauthorized, personally owned, badly configured, and highly vulnerable) *servers*. There is a difference.

              In addition, under earlier Secretaries, email was less important compared with old fashioned telex type messaging. This is explained in an interview with the CIO who served from 2009 - 2012, available on youtube at about 13:45:

              https://www.youtube.com/watch?v=WmxMRJzQgxU

      2. tom dial Silver badge
        Joke

        Re: @ tom dial

        Nonsense. Everyone knows that all this is a Republican conspiracy to prevent Hillary assuming her rightful place as the Democratic presidential nominee or, failing that, to gather ammunition for their candidate to use in the election campaign.

        A couple of additional observations in non-joke mode:

        Based on the information reported in the article, the private server did not comply with FISMA requirements, and probably was not certified and accredited by the department CIO.

        The secure network should not be connected electrically or logically to the non-secure network. Any email capability there should be limited to that network. That classified (and classifiable) messages seem to have been sent or received on the internet and probably the non-secure State Department network suggests fairly widespread ignorance or disregard of proper security behaviour among the employees and, perhaps, by the CIO's office and the CISO or equivalent, who normally would have a (possibly additional) reporting chain that bypasses the CIO.

    3. oldcoder

      Like the OPM hack?

      Or the Department of State Email hacked so bad they couldn't even use it?

      Using Windows for anything is not safe - yet people still do it.

  6. A Non e-mouse Silver badge

    Password not service?

    Surely, it doesn't matter what service is exposed (RDP, SSH, VPN). What matters is how strong the authentication is?

    Having a password of, say, "?[au]f'=){p71 F" on RDP is better than a username/password of root/root on VPN?

    Unless what is being claimed is that the RDP protocol is weaker than, say, an IPSEC VPN so more hackable?

    1. Anonymous Coward
      Anonymous Coward

      Re: Password not service?

      Password security is only part of the solution. Services like RDP and VNC can be hacked without a password due to widely available exploit code.

      If they are stupid enough to allow these ports to be open to the Internet, they are likely to be stupid enough not to patch them against these attacks.

      1. Anonymous Coward
        Anonymous Coward

        Re: Password not service?

        "Services like RDP and VNC can be hacked without a password due to widely available exploit code."

        Still a better choice than say SSH though - which has historically had more exploits.

        1. phil dude
          Trollface

          Re: Password not service?

          Anon - you forgot your troll icon...----->

          P.

        2. This post has been deleted by its author

        3. Anonymous Coward
          Anonymous Coward

          Re: Password not service?

          Sometimes arguing with idiots is what I do. Here goes....

          Remote access over the Internet is bad if you are solely relying on a username/password combination and the HOPE that those applications do not have vulnerabilities which allow them to be compromised without user/pass.

          VNC and RDP and Telnet and SSH and Remotely Anywhere versions along with a raft of other remote access tools have all been shown to be vulnerable to exploit. Maybe they are running a version which isn't but it will be more by good luck than good management if they are, given the stupidity which led them to do this in the first place.

          Simple user/pass protection is not enough. Best case scenario they iterate through a password list and lock out accounts. Worst case, they find the password and have a ready made remote access tool in place.

          If the server is compromised with malware, you don't even have to put a RAT in place as there is already remote access in place for you to use.

          Remote access tools should have multi factor authentication. The requirement for additional keys, only accept connections from a specific IP address, banning IPs which attempt hacks, VPN only access...

          It seems the down voting commentards know a lot less than they think they do. Try googling the Dunning Kruger effect. You are probably overestimating your knowledge and competency.
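As an added illustration of the defensive points in the post above (rate-based banning of sources that hammer the remote-access service, and treating an allowlisted management address differently), here is a small log-driven detector. This is example code written for this page, not anything from the commenter, The Register or the AP reporting; the log line format, the IP addresses, the user names, the 5-failures-in-10-minutes threshold and the allowlist are all constructed assumptions, chosen to resemble a simplified RDP/VNC authentication log rather than any real product's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): a simplified record of RDP and VNC
# authentication events. One source fails five times in nine seconds, one fails
# slowly over forty minutes, and one is the (assumed) admin's own address.
SAMPLE_LOG = """\
2015-10-13T08:00:01 rdp logon_failed user=administrator src=203.0.113.7
2015-10-13T08:00:03 rdp logon_failed user=admin src=203.0.113.7
2015-10-13T08:00:04 rdp logon_failed user=hillary src=203.0.113.7
2015-10-13T08:00:05 rdp logon_failed user=guest src=203.0.113.7
2015-10-13T08:00:09 rdp logon_failed user=backup src=203.0.113.7
2015-10-13T08:01:00 vnc auth_failed src=198.51.100.22
2015-10-13T08:20:00 vnc auth_failed src=198.51.100.22
2015-10-13T08:40:00 vnc auth_failed src=198.51.100.22
2015-10-13T09:00:00 rdp logon_failed user=jsmith src=192.0.2.10
2015-10-13T09:00:02 rdp logon_ok user=jsmith src=192.0.2.10
2015-10-13T09:05:00 rdp logon_failed user=sysadmin src=192.0.2.10
2015-10-13T09:05:01 rdp logon_failed user=sysadmin src=192.0.2.10
2015-10-13T09:05:02 rdp logon_failed user=sysadmin src=192.0.2.10
2015-10-13T09:05:03 rdp logon_failed user=sysadmin src=192.0.2.10
2015-10-13T09:05:04 rdp logon_failed user=sysadmin src=192.0.2.10
"""

# Assumed line format: "<iso-timestamp> <service> <event> [user=<name>] src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>rdp|vnc) (?P<event>\w+)(?: user=\S+)? src=(?P<src>\S+)$"
)
FAILURE_EVENTS = {"logon_failed", "auth_failed"}


def parse_failures(log_text):
    """Return {source_ip: [timestamp, ...]} for failed RDP/VNC authentications."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] not in FAILURE_EVENTS:
            continue  # skip successes and lines in an unexpected format
        failures[m["src"]].append(datetime.fromisoformat(m["ts"]))
    return failures


def max_failures_in_window(times, window):
    """Largest number of failures from one source inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, threshold=5, window=timedelta(minutes=10), allowlist=frozenset()):
    """Flag sources whose burst of failures reaches `threshold` within `window`.

    Sources on the allowlist (the admin's own address, or a VPN egress) are
    reported for review rather than blocked, so a fat-fingered password from
    the legitimate operator cannot lock the operator out.
    """
    report = {}
    for src, times in parse_failures(log_text).items():
        peak = max_failures_in_window(times, window)
        if peak < threshold:
            continue  # slow, low-volume failures stay below the bar
        action = "review" if src in allowlist else "block"
        report[src] = {"failures": len(times), "peak_in_window": peak, "action": action}
    return report


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG, allowlist={"192.0.2.10"}).items():
        print(f"{src}: {info['action']} ({info['peak_in_window']} failures in window)")
```

On the constructed sample, 203.0.113.7 is flagged for blocking, 198.51.100.22 stays under the threshold because its three failures are spread over forty minutes, and the allowlisted 192.0.2.10 is flagged for review only. The "block" decision is deliberately left as a return value rather than a firewall call: the same output can feed whatever host or perimeter control is in place, and in the post's terms it is a complement to multi-factor authentication and source-address restriction, not a substitute for them.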

        4. oldcoder

          Re: Password not service?

          Actually, fewer exploits.

          Windows as a whole is the worst for exploits.

  7. Anonymous Coward
    Anonymous Coward

    Why both? They both pretty much do the same thing.

    Seems to me this non-story is being repeated over and over again, is she running for election or something?

    1. Roland6 Silver badge

      Re: Why both?

      These articles provide some more details:

      http://bigstory.ap.org/article/5ad0f6bb57eb487f84e98fe9a74a08b1/clinton-subject-hack-attempts-china-korea-germany

      http://bigstory.ap.org/article/467ff78858bf4dde8db21677deeff101/only-ap-clinton-server-ran-software-risked-hacking

      Basically, it seems that like many SMEs and home office setups Hillary was calling on different people and so whoever was responsible for the website console preferred VNC, whereas whoever was responsible for the Windows Server (I suspect it was an SBS server) preferred RDP. And probably Hillary's security consultant didn't know about this because they were never sufficiently hands on to get a full understanding of Hillary's actual home set up, rather than the one they had advised her to use.

      Been through this with a client who has upgraded/refreshed to WS2012-R2, and who has implemented RDS Server to allow people to work from home. The IT supplier has set this up using MS defaults, so if you attempt an RDP connection to their router you will be automatically forwarded to the RDS server, which as we know from various MS statements over the years is hackable... Similar considerations apply to OWA... So in my experience Hillary having the VNC and RDP ports open on her Internet/firewall/router isn't something to be surprised about, likewise I suspect her email server used the standard ports and wasn't hidden behind a cloud-based mail preprocessor.

  8. Hans 1

    Who says it was not the Microsoft scammers who called her up and said "Hello, we are Microsoft, we need to fix your computer, please download this software (VNC) and install it for us to take a look ...." The rest is history.

    Seeing that VNC stores passwords in clear text, ROFL ...

    >Having a password of, say, "?[au]f'=){p71 F" on RDP is better than a username/password of root/root on VPN?

    Better, yes, still braindead, though.
