Thursday, October 1

Hillary Clinton's personal email server was hit by a 'drive-by' — and that's not even the most troubling part

US Democratic presidential candidate Hillary Clinton takes the stage at the New Hampshire Democratic Party State Convention in Manchester, New Hampshire, September 19, 2015.


Russia-based hackers attempted at least five times to infiltrate Hillary Clinton's personal email server, according to the Associated Press.
The attempts were basic phishing scams disguised as speeding tickets, the AP reported, and rather unsophisticated.
Still, the malicious emails highlight the fact that Clinton's server was as vulnerable as any other to attack, which is concerning given the presence of top secret and classified information in her inbox and her recent admission that, when it comes to technology, the former Secretary of State "doesn't know how it all works."
"This obviously wasn’t 'spam' as Hillary’s people are calling it — it was malicious, so that’s not spam," Jonathan Pollet, founder of the cybersecurity firm Red Tiger Security, said in an email.
Pollet noted that the attacks were likely part of a larger phishing campaign that targets thousands of people, and Clinton's server just happened to get hit.
"They call this a drive-by," he said.

'A huge security gap'

"The bigger problem is that her email did not have any enterprise-level security filters or proxies, and I bet her laptop or smartphone didn’t have endpoint protection either," Pollet added. 
"She probably used those devices to connect to both her private email server and her .gov systems — probably not at the same time, but her devices had access to both."
Pollet said devices that move between a private account and a .gov account, such as Clinton's BlackBerry phone, are particularly vulnerable to attack.
"This was a huge security gap and huge lapse of judgment on her part," he said.
Clinton's use of the server was allowed under State Department regulations, but there are rules governing how the server should be configured and protected so it is not vulnerable to cyberattacks.
It is still unclear which safeguards were taken to protect it.
The phishing attempts may not have been sophisticated, but that is no guarantee that Clinton did not fall for them.
"We would hope that in 2015 people still aren't clicking on these malicious links," Jason Glassberg, cofounder of cybersecurity firm Casaba Security, said in an interview. "But then again you never know."
And Clinton appears to have bypassed the State Department's mandatory cybersecurity course, The Daily Caller reported.

'Not by any means a technical expert'

Last week, Clinton told Meet the Press that she was unfamiliar with the server's "technical aspects." She added that she "was not that focused" on the server, which she left in the hands of experts when it came to security.
"There's only so much I can control," she said. "I can't control the technical aspects of it. I'm not by any means a technical expert. I relied on people who were."

Questions have also been raised, however, about how competent her security team really was.
The FBI has reportedly been able to recover emails Clinton said she had deleted, which has led cybersecurity experts to question whether her team could have adequately secured her server if it did not even know how to properly delete emails.
Clinton's unusual email system was originally set up by a staffer during Clinton's 2008 presidential campaign, replacing a server used by her husband, former President Bill Clinton.
"It was already there," she told Meet the Press. "It had been there for years. It is the system that my husband's personal office used when he got out of the White House. And so it was sitting there in the basement. It was not any trouble at all."
Facing mounting criticism over her use of the server while she served as Secretary of State, Clinton handed over the server to the FBI in August.
The investigation is now being led by an FBI "A-team" out of its Washington, D.C., headquarters.
