May 31, 2013—June 2013: A device is bought to make back-ups of Clinton’s private server, but a Clinton company makes clear it doesn’t want any back-up data stored remotely.


Datto Cloud engineer Charles Lundblad (left) chats with CEO and founder of Datto, Austin McChord, at the firm’s Norwalk, CT headquarters. (Credit: Erik Traufmann / Hearst Connecticut Media)

On May 31, 2013, Platte River Networks (PRN) takes over management of Clinton’s private server. On the same day, PRN buys a Datto SIRIS S2000 data storage device, which is made by Datto, Inc. Over the next month, this is attached to Clinton’s server to provide periodic back-up copies of the data on the server. PRN sends a bill for the device to Clinton Executive Service Corp. (CESC), which is a Clinton family company.

CESC employees work with PRN employees on how the Datto device is configured. Datto offers a local back-up and a remote back-up using the Internet “cloud.” CESC asks for a local back-up and specifically requests that no data be stored in the Internet cloud at any time.

However, due to an apparent misunderstanding, back-up copies of the server will be periodically made both locally and in the cloud. This will only be discovered by PRN as a whole in August 2015. (US Congress, 9/12/2016)

However, despite internal PRN emails from August 2015 indicating many PRN employees didn’t know about the Datto cloud back-up until that time, the FBI will later find evidence that an unknown PRN employee deleted data from the cloud back-up in March 2015, meaning that at least one PRN employee had to have known about the cloud back-up by that time.

June 6, 2013: Chinese government hacker attacks on US government targets have steadily increased since 2008.

Shawn Henry (Credit: public domain)


In the summer of 2008, the presidential campaigns of Barack Obama and John McCain had their computers successfully breached by hackers apparently working for the Chinese government. According to NBC News, “US officials say that Chinese intrusions have escalated in the years since, involving repeated attacks on US government agencies, political campaigns, corporations, law firms, and defense contractors—including the theft of national security secrets and hundreds of billions of dollars in intellectual property.”

Shawn Henry headed up the FBI’s investigation of the 2008 attacks and now is president of the computer security company CrowdStrike. He says there’s “little doubt” the Chinese government has an aggressive electronic espionage program targeting the US government and the commercial sector. “There’s been successful exfiltration of data from government agencies (by the Chinese) up and down Pennsylvania Avenue.” (NBC News, 6/6/2013)

Late June 2013—October 2013: During this time, it appears that Clinton’s private server is wide open to hacking attempts.

On May 31, 2013, maintenance of the server was taken over by a small Colorado-based company called Platte River Networks (PRN), and the server is sent to a data center in New Jersey. PRN then pays to use threat monitoring software called CloudJacket SMB made by a company named SECNAP. SECNAP claims the software can foil “even the most determined hackers.”

Around June 30, 2013, PRN transfers all the email accounts from the old server to the new one. However, the new software doesn’t begin working until October 2013, apparently leaving the server vulnerable. It is known that the server is repeatedly attacked by hackers in the months from October 2013 on, but it is unknown if any attacks occur when the software is not yet installed. (The Associated Press, 10/7/2015) 

An FBI report will later obliquely confirm this by mentioning that when the new server is set up in June 2013, all the hardware is built up at the time, except for an “intrusion detection device” which has to be added later after it gets shipped to the server location. (Federal Bureau of Investigation, 9/2/2016)

Justin Harvey (Credit: Third Certainty)


Justin Harvey, chief security officer of a cybersecurity company, will later comment that Clinton “essentially circumvented millions of dollars’ worth of cybersecurity investment that the federal government puts within the State Department. […] She wouldn’t have had the infrastructure to detect or respond to cyber attacks from a nation-state. Those attacks are incredibly sophisticated, and very hard to detect and contain. And if you have a private server, it’s very likely that you would be compromised.” (The Associated Press, 10/7/2015) 

In March 2013, a Romanian hacker nicknamed Guccifer discovered Clinton’s private email address and the exact address was published in the media, which would have left the server especially vulnerable in the months after.

Around July 2013: Clinton’s emails still are not encrypted.

According to an unnamed Platte River Networks (PRN) employee, Clinton’s server has encryption protection to combat hackers, but the individual emails have not been protected with encryption. With PRN taking over management of the server in June 2013, this employee will later tell the FBI that “the Clintons originally requested that email on [Clinton’s] server be encrypted such that no one but the users could read the content. However, PRN ultimately did not configure the email settings this way, to allow system administrators to troubleshoot problems occurring within user accounts.” (Federal Bureau of Investigation, 9/2/2016)

July 2013: Clinton’s private server is reconfigured to use a commercial email provider.

The MX Logic logo (Credit: MX Logic)


The Colorado-based provider, MX Logic, is owned by McAfee Inc., a top Internet security company. This comes one month after Clinton hired the Colorado-based Platte River Networks to maintain her email server, and four months after a hacker named Guccifer publicly exposed Clinton’s private email address for the first time. (The Associated Press, 3/4/2015) 

Computer security expert Matt Devost will later comment: “The timing makes sense. When she left office and was no longer worried as much about control over her emails, she moved to a system that was easier to administer.” (Bloomberg News, 3/4/2015)

October 2013: Clinton’s server gets anti-hacking protection after going several months without any.

The CloudJacket Logo (Credit: public domain)


From late June 2013 until October 2013, Platte River Networks (PRN) is managing the server, apparently without any anti-hacking software. In October 2013, the software they have been waiting for arrives and is installed. This is an intrusion detection and prevention system called CloudJacket from SECNAP Network Security.

According to a later FBI report, it “had pre-configured settings that blocked or blacklisted certain email traffic identified as potentially harmful and provided real-time monitoring, alerting, and incident response services. SECNAP personnel would receive notifications when certain activity on the network triggered an alert. These notifications were reviewed by SECNAP personnel and, at times, additional follow-up was conducted with PRN in order to ascertain whether specific activity on the network was normal or anomalous. Occasionally, SECNAP would send email notifications to [an unnamed PRN employee], prompting him to block certain IP addresses. [This employee] described these notifications as normal and did not recall any serious security incident or intrusion attempt.”

Additionally, “PRN also implemented two firewalls for additional protection of the network. [This PRN employee] stated that he put two firewalls in place for redundancy in case one went down.”

The FBI report will also conclude, “Forensic analysis of alert email records automatically generated by CloudJacket revealed multiple instances of potential malicious actors attempting to exploit vulnerabilities on the PRN Server. FBI determined none of the activity, however, was successful against the server.” (Federal Bureau of Investigation, 9/2/2016)

 

October 2013—February 2014: Clinton’s private email server is the subject of repeated attempted cyber attacks, originating from China, South Korea, and Germany.

The attempts are foiled due to threat monitoring software installed in October 2013. However, from June to October 2013, her server is not protected by this software, and there is no way of knowing if there are successful attacks during that time.

A 2014 email from an employee of SECNAP, the company that makes the threat monitoring software, describes four attacks. But investigators will later find evidence of a fifth attack from around this time. Three are linked to China, one to South Korea, and one to Germany. It is not known if foreign governments are involved or how sophisticated the attacks are.

Clinton had ended her term as secretary of state in February 2013, but more than 60,000 of her emails remained on her server. (The Associated Press, 10/7/2015) 

In March 2013, a Romanian hacker nicknamed Guccifer discovered Clinton’s private email address and the exact address was published in the media.

December 2013: Clinton’s old server, no longer being used, is turned off.

In June 2013, Platte River Networks (PRN) took over the management of Clinton’s private server. They immediately moved her server to an Equinix data center in Secaucus, New Jersey, and then transferred the data to a new server. The old server remained turned on next to the new one, apparently to assist with the delivery of incoming emails.

According to a September 2015 FBI interview with Paul Combetta, the PRN employee who does most of the active management of the server, around December 2013, PRN decides that email delivery on the new server is working well. As a result, the old server is turned off. It, along with a NAS back-up hard drive attached to it, will remain disconnected until the FBI picks it up on August 12, 2015. (Federal Bureau of Investigation, 9/23/2016)

December 4, 2013: Some Bill Clinton doodles are made public due to the hacker Guccifer.


One of Bill Clinton’s doodles. Guccifer added his name to it. (Credit: Guccifer / Gawker)

Gawker publishes some doodles made by Bill Clinton when he was US president. Gawker claims the doodles come from the Romanian hacker nicknamed Guccifer. It is not clear where or how Guccifer got the doodles, except they come from a folder called “Wjcdrawings.” It is probable the doodles were stored either on The Clinton Library’s server (which has a .gov address) or The Clinton Foundation’s server. (Gawker, 12/4/2013) If it’s the latter, that would help verify Guccifer’s later claim that he looked into Clinton’s private email server, because it apparently was also The Clinton Foundation’s server until early 2015.

January 22, 2014: Guccifer is arrested in Bucharest, Romania, for his hacking activities.

 Romanian authorities arrested Marcel Lazăr Lehel aka Guccifer at his home on January 22, 2014. (Credit: Gawker)


Later in the year, he is convicted of various hacking crimes and gets a seven-year sentence in Romania. He hacked into the email accounts of many famous people, including Clinton confidant Sid Blumenthal in March 2013. (Reuters, 4/1/2016) (The New York Times, 11/10/2014)

February 7, 2014: The State Department says classified information on devices like BlackBerrys is prohibited.

Jen Psaki (Credit: ABC News)


A reporter asks department spokesperson Jen Psaki if “State Department officials routinely use encrypted phones, mobile phones, for their conversations…” Psaki says in her reply, “Classified processing and classified conversation on a personal digital assisted device is prohibited.” (US Department of State, 2/7/2014) 

These comments are made before the controversy about Clinton’s use of a private BlackBerry for government emails begins.

July 24, 2014: The manager of Clinton’s server asks for help in a social media forum to remove Clinton’s address from her emails.


A captured shot of Combetta’s ‘stonetear’ GMail account with picture included. (Credit: public domain)

A Reddit user by the name of “stonetear” makes a Reddit post that will later cause controversy. Overwhelming evidence will emerge that “stonetear” is Paul Combetta, one of two Platte River Networks (PRN) employees actively managing Clinton’s private server at the time. The post reads:

“Hello all — I may be facing a very interesting situation where I need to strip out a VIP’s (VERY VIP) email address from a bunch of archived email that I have both in a live Exchange mailbox, as well as a PST file. Basically, they don’t want the VIP’s email address exposed to anyone, and want to be able to either strip out or replace the email address in the to/from fields in all of the emails we want to send out. I am not sure if something like this is possible with PowerShell, or exporting all of the emails to MSG and doing find/replaces with a batch processing program of some sort. Does anyone have experience with something like this, and/or suggestions on how this might be accomplished?”


This July 24, 2014 Reddit post contained a request for advice about “stripping out” the email address of a “VERY VIP” email account. (Credit: Reddit)


A response captured in the Reddit chat warning Combetta that what he wants to do could result in “major legal issues.” (Credit: Reddit)

The post is made in a sub-forum frequented by other people who manage servers. One poster comments: “There is no supported way to do what you’re asking. You can only delete emails after they’re stored in the database. You can’t change them. If there was a feature in Exchange that allowed this, it would result in major legal issues. There may be ways to hack a solution, but I’m not aware of any.”

Despite this warning, “stonetear” replies, “As a .pst file or exported MSG files, this could be done though, yes? The issue is that these emails involve the private email address of someone you’d recognize and we’re trying to replace it with a placeholder as to not expose it.” (Reddit, 9/19/2016)

The post occurs one day after the House Benghazi Committee reached an agreement with the State Department on the production of records relating to Clinton’s communications. It also came one day after Combetta sent some of Clinton’s emails to Clinton’s lawyers so they could begin sorting them.

After Combetta is discovered to have authored the post in September 2016, Fortune Magazine will comment, “it’s not clear if there is anything illegal about the Reddit request. But the optics sure don’t look good, and strongly suggest that Combetta turned to social media for advice about how to tamper with government records that should have been preserved.” (Fortune, 9/21/2016)

November 2014: The Romanian hacker “Guccifer,” who broke into the email account of Clinton associate Sid Blumenthal in 2013, appears to be freely cooperating with US investigators.

Guccifer, whose real name is Marcel-Lehel Lazar, started serving a seven-year prison sentence in Romania earlier in 2014 due to his hacking activities. A New York Times reporter who interviews him there in November 2014 writes, “I learned [he was] also busy meeting with American investigators who had traveled to Romania to meet the man who had outfoxed them for so long. They, too, wanted to find out how he burrowed into so many American computers.” (The New York Times, 11/21/2014)

Mid-November 2014: The State Department apparently successfully thwarts an attempt by Russian hackers to penetrate its email system.

The entire computer network is quickly shut down for several days after evidence is found that a hacker entered the system. (The Washington Post, 11/16/2014)

It is alleged that the US government believes the Russian government is responsible. The attack begins when a department employee falls for “spear phishing,” a trick in which a computer user is led to click on a bogus link that loads malicious software onto the network. It is believed that only the department’s unclassified network is infected, since the classified and unclassified networks are never allowed to reside on the same computer. But the damage is widespread, and thousands of computers in embassies and offices around the world are affected.

In February 2015, the Wall Street Journal will report that the department is still struggling to make sure all traces of the attack are gone from its network. (The Wall Street Journal, 2/18/2015)

In March 2015, Wired Magazine will later comment, “[A]t least, in that case, there was a response. If the same sort of highly resourced hackers had gone after the server in Clinton’s basement, there’s no guarantee that the same alarms would have gone off.” (Wired, 3/4/2015)

December 2014: Clinton finally stops using the clintonemail.com domain and server for her daily emails.

Since early 2009, Clinton and her aide Huma Abedin have had private email accounts on the clintonemail.com domain, which is hosted on Clinton’s private email server.


Chelsea Clinton and Huma Abedin chat while on the campaign trail in 2008. Huma also appears to be holding two flip phones and a BlackBerry. (Credit: Reuters)

According to a September 2016 FBI report, the new domain hrcoffice.com is created in December 2014. In a later FBI interview, Abedin stated the clintonemail.com system was “going away,” and after the initiation of the new domain, she didn’t have access to her clintonemail.com account anymore. Presumably the same is true for Clinton (and the few others who had email accounts on the domain, such as Chelsea Clinton).

The FBI report will indicate the hrcoffice.com domain is hosted on different equipment, which presumably means a different server. But the clintonemail.com server will continue to run until October 2015, when it will be confiscated by the FBI.

As part of the transfer process, Platte River Networks employee Paul Combetta copies all of Clinton’s emails from her current account on the clintonemail.com server to her new account on the hrcoffice.com server.

In Clinton’s July 2016 FBI interview, the FBI will summarize Clinton as saying: “Clinton transitioned to an email address on the hrcoffice.com domain because she had a small number of personal staff, but no physical office or common email domain. To address these issues, she moved to a common email domain and physical office space. After this move, Clinton did not recall any further access to clintonemail.com.”

The switch comes about one month after the State Department formally asked Clinton for all of her work-related emails from her secretary of state tenure, when she used her clintonemail.com account. (Federal Bureau of Investigation, 9/2/2016)

March 2, 2015: The company managing Clinton’s server tightens security on the server after its existence is exposed.

On the morning of March 2, 2015, a front-page New York Times article reveals Clinton’s use of her own private email server. Platte River Networks (PRN) is managing the server.

Bill Thornton (Credit: public domain)


Later in the day, PRN employee Bill Thornton writes in an internal company email, “I spent some time in their firewall just now locking everything down (pretty tight).” (The New York Post, 9/18/2016)

However, on March 4, 2015, an analysis of the server’s publicly visible settings will show it has a misconfigured encryption system. Further articles the next day will expose more security vulnerabilities.

PRN will make more changes to improve the server’s security around March 7, 2015.

Shortly After March 2, 2015: A surge of hacking attempts follows the revelation of Clinton’s use of a private email server in the media.

On March 2, 2015, a New York Times article publicly reveals Clinton’s use of a personal email account and private server to conduct government business. The FBI’s Clinton email investigation will later identify an increased number of login attempts to her server and its associated domain controller just after this article comes out.

According to the FBI in September 2016, “Forensic analysis revealed none of the login attempts were successful. [The] FBI investigation also identified an increase in unauthorized login attempts into the Apple iCloud account likely associated with Clinton’s email address during this time period.” (Clinton’s email address, which had been publicly revealed in March 2013, was still used as the user name for the account.) “Investigation determined all potentially suspicious Apple iCloud login attempts were unsuccessful.”

Despite all this, Clinton does not simply turn the server off. Instead, Platte River Networks (PRN) employees, who are managing the server, make some security improvements around March 7, 2015.

PRN staff also discuss the possibility of conducting penetration testing against the server to highlight vulnerabilities, so they can be fixed. However, the penetration testing ultimately doesn’t happen. (Federal Bureau of Investigation, 9/2/2016)

Shortly After March 2, 2015: The company managing Clinton’s private server fails to fully test its security vulnerabilities.

Johannes Ullrich (Credit: LinkedIn)


Platte River Networks (PRN) is the company managing Clinton’s private server. Due to a wave of hacking attacks on the server following the public revelation of the server on March 2, 2015, PRN considers doing penetration testing. That means hiring someone to try to hack the server in order to expose its vulnerabilities so they can be fixed.

Cybersecurity expert Johannes Ullrich will later comment, “It’s a good idea, and it’s also commonly done.”

However, the penetration testing never happens. It isn’t clear why. (The New York Post, 9/18/2016) (Federal Bureau of Investigation, 9/2/2016)

Shortly After March 2, 2015: Cheryl Mills has a computer company check on the condition of Clinton’s private server after the media makes Clinton’s use of the server front-page news.

On March 2, 2015, the New York Times publishes a front-page story about Clinton’s email practices and her use of a private email server.

The Equinix data center in Secaucus, NJ. (Credit: public domain)

In the days following the publication of the article, Cheryl Mills, who is one of Clinton’s lawyers as well as her former chief of staff, requests that Platte River Networks (PRN), the computer company managing Clinton’s server, conduct a complete inventory of all equipment related to the server.

In response to this request, an unnamed PRN employee travels to the Equinix data center in Secaucus, New Jersey, where the server is located, to conduct an onsite review of the equipment. At the same time, another unnamed PRN employee logs in to the server remotely to check on it.

This will result in some changes to the security settings of the server around March 7, 2015. Additionally, many emails (other than Clinton’s) are deleted from the server on March 8, 2015. (Federal Bureau of Investigation, 9/2/2016)

March 3, 2015: An unnamed State Department technology expert complains that he and others tried to warn that Clinton’s use of a private email account was a security risk.

He says, “We tried. We told people in her office that it wasn’t a good idea. They were so uninterested that I doubt the secretary was ever informed.” He was a member of the department’s cybersecurity team. He says it was well known amongst the team that Clinton’s private account was at greater risk of being hacked or monitored, but their warnings were ignored. (Al Jazeera America, 3/3/2015)

March 4, 2015: It is reported for the first time that Clinton’s private email address was hosted on a private server.

On March 2, 2015, the New York Times revealed that Clinton exclusively used a private email account while she was secretary of state. However, that article made no mention of private servers. On this day, the Associated Press reveals that the account was registered to a private server located at Clinton’s house in Chappaqua, New York. This was discovered by searching Internet records. For instance, someone named Eric Hoteham used Clinton’s Chappaqua physical address to register an Internet address for her email server since August 2010. (This may be a misspelling of Clinton aide Eric Hothem.)

The Associated Press reports, “Operating her own server would have afforded Clinton additional legal opportunities to block government or private subpoenas in criminal, administrative or civil cases because her lawyers could object in court before being forced to turn over any emails. And since the Secret Service was guarding Clinton’s home, an email server there would have been well protected from theft or a physical hacking.”

The article continues, “But homemade email servers are generally not as reliable, secure from hackers or protected from fires or floods as those in commercial data centers. Those professional facilities provide monitoring for viruses or hacking attempts, regulated temperatures, off-site backups, generators in case of power outages, fire-suppression systems, and redundant communications lines.”

The article mentions that it is unclear whether Clinton’s server is still physically located in Chappaqua. (The Associated Press, 3/4/2015) It will later be revealed that it was moved to a data center in New Jersey in June 2013.

 

March 4, 2015: Clinton’s private server used a misconfigured encryption system.

Alex McGeorge (Credit: CNBC)


Alex McGeorge, head of threat intelligence at Immunity Inc., a digital security firm, investigates what can be learned about Clinton’s still-operating server. He says, “There are tons of disadvantages of not having teams of government people to make sure that mail server isn’t compromised. It’s just inherently less secure.” He is encouraged to learn the server is using a commercial encryption product from Fortinet. However, he discovers it uses the factory default encryption “certificate,” instead of one purchased specifically for Clinton.

Bloomberg News reports: “Encryption certificates are like digital security badges, which websites use to signal to incoming browsers that they are legitimate. […] Those defaults would normally be replaced by a unique certificate purchased for a few hundred dollars. By not taking that step, the system was vulnerable to hacking.”

McGeorge comments, “It’s bewildering to me. We should have a much better standard of security for the secretary of state.” (Bloomberg News, 3/4/2015)

March 4, 2015: Clinton’s emails could have been read by the company that filtered them for spam.

McAfee Logo (Credit: McAfee)


In July 2013, Clinton’s private server was reconfigured to use a commercial email provider, MX Logic, which is owned by McAfee, Inc. (The Associated Press, 3/4/2015) 

Cybersecurity expert Brian Reid analyzed public records about the server and found that Clinton’s emails were routed to McAfee for spam and virus filtering. He says, “The email traces all end at McAfee. If nothing else, they have and had the technical ability to read her email. This does not mean they did, only that they could have.” (McClatchy Newspapers, 3/4/2015)

March 4, 2015: A cybersecurity expert says that Clinton’s privately managed email communications “obviously would have been targeted when she stepped outside of the secure State Department networks.”


Tom Kellermann (Credit: Cyber Risk Summit 2015)

This comment is made by Tom Kellermann. He adds that leaving the State Department’s security protocols and systems would have been similar to leaving her bodyguards while in a dangerous place. The result is that she may have “undermined State Department security.” (The New York Times, 3/4/2015)

March 5, 2015: Clinton’s private server is active and shows obvious security vulnerabilities.

A screenshot of the sslvpn.clintonemail.com log-in on March 4, 2015. (Credit: Gawker)


Gawker reports that Clinton’s private email server is still active and shows signs of poor security. If one goes to the web address clintonemail.com, one gets a blank page. But if one goes to the subdomain sslvpn.clintonemail.com, a log-in page appears. That means anyone in the world who puts in the correct user name and password could log in.

Furthermore, the server has an invalid SSL certificate. That means the encryption is not confirmed by a trusted third party. Gawker notes, “The government typically uses military-grade certificates and encryption schemes for its internal communications that are designed with spying from foreign intelligence agencies in mind,” and Clinton’s server clearly is not up to that standard.

It also opens the server to what is called a “man in the middle” hacker attack, which means someone could copy the security certificate being used and thus scoop up all the data without leaving a trace. The invalid certificate also leaves the server vulnerable to widespread Internet bugs that can let hackers copy the entire contents of a server’s memory.

As a result, independent security expert Nic Cubrilovic concludes, “It is almost certain that at least some of the emails hosted at clintonemails.com were intercepted.” (Gawker, 3/5/2015)

Clinton still doesn’t shut the server down. However, about two days later, the security settings are changed.

March 5, 2015: Clinton’s private server shows more obvious security vulnerabilities.

A screenshot of the mail.clintonemail.com Outlook log-in on March 4, 2015. (Credit: Gawker)


Gawker reports that in addition to the security problems shown by the subdomain to Clinton’s private email server sslvpn.clintonemail.com, there is another subdomain that reveals even more security issues. If one goes to various web addresses of the server’s mail host mail.clintonemail.com, one is presented with a log-in for Microsoft Outlook webmail.

Gawker notes that the “mere existence” of this log-in “is troubling enough: there have been five separate security vulnerabilities identified with Outlook Web Access since clintonemail.com was registered in 2009.”

Furthermore, security expert Robert Hansen says having a public log-in page for a private server is “pretty much the worst thing you can do. […] Even if [Clinton] had a particularly strong password,” simply trying a huge number of passwords will “either work eventually – foreign militaries are very good at trying a lot – or it’ll fail and block her from accessing her own email.” He says that the server shows so many vulnerabilities that “any joe hacker” could break in with enough time and effort.

Independent security expert Nic Cubrilovic says, “With your own email hosting you’re almost certainly going to be vulnerable to Chinese government style spearphishing attacks – which government departments have enough trouble stopping – but the task would be near impossible for an IT [information technology] naive self-hosted setup.” (Gawker, 3/5/2015)

Around March 7, 2015: Changes are made to the security settings of Clinton’s private server after its existence was revealed in the media.

In the days following a New York Times article revealing Clinton’s use of her private server, Cheryl Mills, who is one of Clinton’s lawyers as well as her former chief of staff, requests that Platte River Networks (PRN), the computer company managing Clinton’s server, conduct a complete inventory of all equipment related to the server. Two unnamed PRN employees do so.

This results in some changes to the server’s security settings around March 7, 2015. According to a September 2016 FBI report, these changes “include disabling the server’s public-facing VPN page and switching from SSL protocol to TLS to increase security.”

The FBI will explain: “TLS is a protocol that ensures privacy between communicating applications, such as web browsing, email, and instant-messaging, with their users on the Internet. TLS ensures that no third-party eavesdrops on the two-way communication. TLS is the successor to SSL and is considered more secure.” (Federal Bureau of Investigation, 9/2/2016)

March 10, 2015: Clinton falsely claims that her private server had “no security breaches.”

Clinton answers questions at a United Nations press conference on March 10, 2015. (Credit: The Associated Press)

During her United Nations press conference, Clinton says about her private email server at her Chappaqua, New York, house: “The system we used was set up for President Clinton’s office. And it had numerous safeguards. It was on property guarded by the Secret Service. And there were no security breaches.”

However, in May 2016, a State Department inspector general’s report will detail hacking attempts on Clinton’s emails housed in the server. In January 2011, Justin Cooper, who helped manage the server, wrote in an email that he shut down the server because he suspected “someone was trying to hack us…” Later that day, he wrote, “We were attacked again so I shut (the server) down for a few min [minutes].” And in May 2011, Clinton told her aides that someone was “hacking into her email.”

Additionally, the Associated Press will later comment that “it’s unclear what protection her email system might have achieved from having the Secret Service guard the property. Digital security breaches tend to come from computer networks, not over a fence.” (The Associated Press, 5/27/2016)

March 18, 2015: The DIA’s former chief technology officer says: “I have no doubt in my mind that [Clinton’s server] was penetrated by multiple foreign powers.”

Bob Gourley (Credit: public domain)

He adds, “To assume otherwise is to put blinders on.” This is according to Bob Gourley, who was the chief technology officer at the DIA [Defense Intelligence Agency] from 2005 to 2008 and is the founder of Cognitio, a cybersecurity consulting firm. (Bloomberg News, 3/18/2015)

March 18, 2015: Clinton’s private server was not protected against hackers who might impersonate her identity.

A security evaluation of Clinton's server. (Credit: Bloomberg View)

Bloomberg News reports, “According to publicly available information, whoever administrated [Clinton’s private server] didn’t enable what’s called a Sender Policy Framework, or SPF, a simple setting that would prevent hackers sending emails that appear to be from clintonemail.com. SPF is a basic and highly recommended security precaution for people who set up their own servers.”

Bob Gourley, who was the chief technology officer at the DIA [Defense Intelligence Agency] and is the founder of his own cybersecurity consulting firm, says: “If [an SPF] was not in use, [hackers] could send an email that looks like it comes from her to, say, the ambassador of France that says, ‘leave the back door open to the residence a package is coming.’ Or a malicious person could send an email to a foreign dignitary meant to cause an international incident or confuse US foreign policy.” This also would have made it easy for hackers to launch “spear phishing” attacks from Clinton’s account. Other government officials could have thought they were getting a real email from Clinton and then be tricked into having their own accounts breached.

Clinton’s spokesperson claims there is no evidence her account was ever successfully exploited in this manner. But Bloomberg News points out, “The problem with such confidence is that if hackers exploited the SPF vulnerability, Clinton’s office would likely never have known her domain name…was being used surreptitiously.” (Bloomberg News, 3/18/2015)
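How a receiving mail server evaluates SPF, as an added example that is not taken from the Bloomberg report or this timeline: it covers only the ip4, ip6 and all mechanisms of RFC 7208. The domain's TXT records, the IP addresses and the `receiver_action` policy are constructed assumptions for illustration.

```python
import ipaddress

# RFC 7208 qualifier -> result returned when a mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_spf(txt_records):
    """Return the domain's single SPF policy from its TXT records, or None."""
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(spf) > 1:
        raise ValueError("more than one SPF record published")
    return spf[0] if spf else None


def check_spf(txt_records, sender_ip):
    """Evaluate the ip4/ip6/all subset of SPF for one connecting IP address."""
    try:
        record = find_spf(txt_records)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"            # domain publishes no policy at all
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"          # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            # include, a, mx, exists, redirect= need DNS lookups: out of scope
            raise NotImplementedError("mechanism not handled here: " + term)
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"
        if net.version == ip.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"             # nothing matched and no "all" term


def receiver_action(result):
    """Assumed local policy of the receiving server, not part of SPF itself."""
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "accept")


# Constructed sample data (documentation address ranges, example domain).
NO_SPF = ["google-site-verification=constructed-value"]
WITH_SPF = NO_SPF + ["v=spf1 ip4:192.0.2.0/24 -all"]
AUTHORISED_HOST = "192.0.2.10"      # the domain's real mail server
UNAUTHORISED_HOST = "203.0.113.50"  # some other host claiming the domain

if __name__ == "__main__":
    for label, records in (("no SPF record", NO_SPF), ("SPF published", WITH_SPF)):
        for host in (AUTHORISED_HOST, UNAUTHORISED_HOST):
            result = check_spf(records, host)
            print(f"{label:14} {host:14} {result:8} -> {receiver_action(result)}")
```

With no SPF record the result is `none` for every sender, so the receiving server has no basis to tell the domain's own mail server from any other host.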

March 18, 2015: Clinton’s team won’t answer basic questions about the security of her private server.

John A. Lewis (Credit: Johns Hopkins University)

Clinton spokesperson Nick Merrill claims that when Clinton set up her private email server, “Robust protections were put in place and additional upgrades and techniques were employed over time as they became available. There was never evidence of a breach, nor any unauthorized intrusions.”

However, Merrill declines to say who exactly was in charge of maintaining the server and ensuring its security. Furthermore, it’s unclear what sort of security vetting that person or persons received, if any. Additionally, Merrill won’t reveal if other departments that protect government communications, such as the FBI or the NSA, were ever told of the server’s existence, and if so, if they helped provide security for it.

James A. Lewis, who held senior technology posts at the White House and State Department, comments that emails “that run on commercial services are vulnerable to collection. […] I don’t think people realize how much of this information is available to foreign intelligence services.” (Bloomberg News, 3/18/2015)

Contrary to Merrill’s claim, a May 2016 State Department inspector general report will reveal that there were hacker attacks on Clinton’s server.

April 6, 2015: Former Defense Intelligence Agency (DIA) Director Michael Flynn says it’s very likely foreign governments have Clinton’s emails.

Defense Intelligence Agency Director Michael Flynn (The Daily Caller)

He is asked in an interview, “What do you think the odds are that the Chinese, the Russians hacked into [Clinton’s] server and her email account?” He replies, “Very high. […] They’re very good at it. China, Russia, Iran, potentially the North Koreans. And other countries who may be ‘our allies’ because they can.” He adds that since Clinton’s only excuse for using the private server was convenience, she should have been fired.

The DIA is similar to the CIA, but focuses on military intelligence. Since retiring in 2014, Flynn has been notably critical of President Obama. (The Weekly Standard, 4/7/2015) (CNN, 2/13/2016) 

By January 2016, Flynn will occasionally advise Republican presidential candidate Donald Trump. (Bloomberg News, 1/31/2016) In February 2016, Flynn will say, “I think Hillary Clinton, for the good of the country, should step down [from the presidential race] and let this FBI investigation play out.” (The Daily Caller, 2/10/2016)

April 15, 2015: A computer expert privately advises the Clinton campaign to hire a company to investigate if Clinton’s private server was hacked.

Barbara Simons (Credit: public domain)

Barbara Simons, a renowned computer expert, writes Clinton campaign chair John Podesta in an email, “I am following up on our very brief discussion, held as you were leaving the DA meeting, about Hillary Clinton’s emails.  I’ve included a summary of the issues and a precautionary step that I think should be taken.”

Simons attaches a short document to the email, which is entitled, “Hillary Clinton’s emails and what to do about them.” In it, she writes, “I believe that this is a more serious situation than perhaps Secretary Clinton and her aides realize. … There is a very real risk that the system was broken into, possibly by Republican operatives (or China or some other country or organization).  If this has happened and if there is anything that might appear problematic in those emails, whether or not it actually is, the relevant emails might be released to the press shortly before the election.  Even if the system was not broken into, there is the threat that opponents might release forged emails that are difficult to impossible to distinguish from real ones.”

Jeremy Epstein (Credit: Sun L. Vega)

As a result, she and prominent computer security expert Jeremy Epstein suggest that the Clinton campaign hire a cybersecurity company called Mandiant. They are said to be competent and discreet in dealing with major corporate hacks. They will try to determine if Clinton’s private server was hacked. However, Simons notes that “if nothing serious is uncovered by a forensics examination, that does not prove that nothing happened.  Regrettably, the absence of proof of a break-in is not proof of the absence of a break-in.” (WikiLeaks, 10/23/2016)

Whatever reply Podesta gives is unknown. It is also unknown if Mandiant or any other company is ever hired. However, the FBI’s Clinton email investigation final report will make no mention of any evidence of such a forensic examination.

August 2015: A company recommends improving security for Clinton’s server, which is still in use, but the FBI wants no changes.

At some point in August 2015, employees at Datto, Inc., a company that specializes in backing up computer data, realize that a private server they have been backing up belongs to Clinton. The server is being managed by Platte River Networks (PRN), and Datto made the connection after media reports revealed PRN’s role.

According to an unnamed Datto official, due to worries about the “sensitive high profile nature of the data,” Datto then recommends that PRN should upgrade security by adding sophisticated encryption technology to its backup systems.

Andy Boian (Credit: Fox News)

PRN spokesperson Andy Boian later acknowledges receiving upgrade requests from Datto, but he says, “It’s not that we ignored them, but the FBI had told us not to change or adjust anything.”

Boian adds, however, the company did not take Datto’s concerns to the FBI.

The newest version of the server is still in use by the Clintons’ personal office at the time, despite being in news headlines since March 2015. (The Washington Post, 10/7/2015)

On August 12, 2015, the FBI takes an older version of the server from PRN’s control. The FBI doesn’t realize Clinton’s emails were moved from the old server to the new one. They eventually will figure this out and take the new server away as well, on October 3, 2015.

August 11, 2015: Secretary of State John Kerry suggests the Russian and Chinese governments could be reading his email.

Secretary of State John Kerry (Credit: Andrew Burton / Getty Images)

Discussing this possibility, Kerry says, “It is very likely. It is not outside the realm of possibility, and we know they have attacked a number of American interests over the course of the last few days.” He adds that given the number of recent cyber attacks, he “certainly writes things with that awareness.” (Time, 8/12/2015)

August 12, 2015: The company managing Clinton’s private server is worried they will be blamed for a change of policy that results in the deletion of Clinton’s emails.

Platte River Networks (PRN) has been managing Clinton’s private email server. According to a New York Post article in September 2016, around August 2015, PRN wants to double check their behavior after media reports that the FBI is investigating Clinton’s server. “Company execs scrambled to find proof that Clinton’s reps had months earlier asked to cut the retention of emails from 60 days to 30 days.”

Paul Combetta (left) Bill Thornton (right) (Credit: AP)

On August 12, 2015, PRN employee Bill Thornton writes, “OK, we may want to work with our attorneys to draft up something that absolves us of that question. I can only assume that will be the first and last question for us, ‘Why did we have backups of the system since the time of inception, then decide to cut them back to just 60 or 30 days?’ If we can get that from them in writing, I would feel a whole lot better about this.”

The other PRN employee who has been actively managing the Clinton account with Thornton, Bill Combetta, responds that he believes the request was made to PRN by phone.

An email exchange between the two on the same topic several days later will make clear that the Clinton representatives are employees of Clinton Executive Services Corp. (CESC), the Clinton family company that has been paying PRN. (The New York Post, 9/18/2016)

August 14, 2015: The FBI is trying to find out if foreign countries, especially China or Russia, broke into Clinton’s private server.

The New York Times reports that according to several unnamed US officials, “specially trained cybersecurity investigators will seek to determine whether Russian, Chinese, or other hackers breached the account or tried to transfer any of Mrs. Clinton’s emails…” (The New York Times, 8/14/2015)

August 19, 2015: Nobody in the company that managed Clinton’s private email server had any government security clearances.

A generic photo of a relatively low-cost server rack. (Credit: rackmountsolutions)

Platte River Networks is a small Colorado-based technology company, and they managed Clinton’s server from mid-2013 to early August 2015. They had never had a federal government contract and did not work for political campaigns. Nearly all their clients are local businesses. David DeCamillis, the company’s vice president of sales, says that if they’d had any clue what might have resulted from accepting the contract, “we would never have taken it on.” (The Washington Post, 8/19/2016) 

Furthermore, Cindy McGovern, a Defense Department spokesperson, says that Platte River “is not cleared” to have access to classified material. (Business Insider, 8/17/2015) 

Cybersecurity expert Alex McGeorge believes that if classified information was mishandled, the onus is on Clinton, not on the company. “The fact that Platte River is not a cleared contractor is largely irrelevant, [since] they were handling what should have been unclassified email. That classified email may have been received by a server under their control is troubling, and they may have been less equipped to deal with it, but it is ultimately not their fault.” (Business Insider, 8/19/2016)

September 2, 2015: It is widely believed foreign governments have intercepted Clinton’s emails.

The Daily Beast reports on Clinton’s email scandal, “There’s a widely held belief among American counterspies that foreign intelligence agencies had to be reading the emails on Hillary’s private server, particularly since it was wholly unencrypted for months. ‘I’d fire my staff if they weren’t getting all this,’ explained one veteran Department of Defense counterintelligence official, adding: ‘I’d hate to be the guy in Moscow or Beijing right now who had to explain why they didn’t have all of Hillary’s email.’ Given the widespread hacking that has plagued the State Department, the Pentagon, and even the White House during Obama’s presidency, senior counterintelligence officials are assuming the worst about what the Russians and Chinese know.”

An unnamed senior official who is “close to the investigation” says, “Of course they knew what they were doing, it’s as clear as day from the emails. I’m a Democrat and this makes me sick. They were fully aware of what they were up to, and the Bureau knows it.” (The Daily Beast, 9/2/2015)

September 3, 2015: Snowden criticizes Clinton for her use of a private server.

Edward Snowden (Credit: Barton Gellman / Getty Images)

Former National Security Agency (NSA) contractor turned whistleblower and international fugitive Edward Snowden says that lower-level government employees would “not only lose their jobs, [but] would very likely face prosecution” for doing that. He adds, “Anyone who has the clearances that the secretary of state has or the director of any top level agency has knows how classified information should be handled. When the unclassified systems of the United States government—which has a full time information security staff—regularly get hacked, the idea that someone keeping a private server in the renovated bathroom of a server farm in Colorado, is more secure is completely ridiculous.” (Al Jazeera America, 9/3/2015) 

The last statement is a reference to the fact that Platte River Networks, which managed Clinton’s server from June 2013 until August 2015, did in fact keep her server in a renovated bathroom. (The Daily Mail, 8/18/2015)

September 10, 2015: Clinton’s computer technician refuses to testify to Congressional investigators.

Bryan Pagliano (Credit: Bloomberg News / Getty Images)

Clinton’s former private server manager Bryan Pagliano invokes his Fifth Amendment rights and refuses to speak in a private meeting before the House Benghazi Committee. (The Wall Street Journal, 9/30/2015)  His unwillingness to cooperate was first reported on September 2, 2015. (The New York Times, 9/2/2015)

Pagliano begins secretly cooperating with the FBI investigation of Clinton’s emails in the fall of 2015, though it’s not clear if it is before or after this meeting. He describes how he set up the private server in Clinton’s house and gives the FBI the server’s security logs. (The New York Times, 3/3/2016)

October 2015—Mid-May 2016: Hackers, alleged to be Russian, target almost 4,000 Google accounts related to US politics.

Center for American Progress logo (Credit: public domain)

According to a June 17, 2016 Bloomberg News article, during this time period, the same allegedly Russian hackers who breach the computers of the DNC [Democratic National Committee] and Clinton’s presidential campaign “[burrow] much further into the US political system, sweeping in law firms, lobbyists, consultants, foundations, and the policy groups known as think tanks, according to a person familiar with investigations of the attacks.” Almost 4,000 Google accounts are targeted by “spear phishing,” which involves tricking targets into giving up log-in information so their data can be accessed. The Center for American Progress, a think tank with ties to Clinton and the Obama administration, is one known target.

Bloomberg News will further report that, “Based on data now being analyzed, various security researchers believe the campaign stems from hackers linked to Russian intelligence services and has been broadly successful, extracting reams of reports, policy papers, correspondence and other information.”

The Russian government denies any involvement, but cybersecurity experts who have investigated the attacks believe the hackers are working for Russia. It is believed that either or both of two major Russian hacking groups, Fancy Bear (or APT 28) and Cozy Bear (or APT 29) are behind the attacks. (Bloomberg News, 6/17/2016)

October 12, 2015: Cheryl Mills says Clinton’s use of a private email server should have been done differently.

Clinton’s former chief of staff Cheryl Mills is interviewed by the Washington Post. She says regarding Clinton’s use of a private server, “gosh, if you could do it again, you’d just do it again differently…” She says, “I wish there had been a lot more thought and deliberation around it,” but she was not involved in its set-up or discussions about it. She also doesn’t recall having discussions about security vulnerabilities. (The Washington Post, 10/12/2015)

October 13, 2015: Clinton’s private server was especially vulnerable to hacker attacks.

Clinton checks her phone at the United Nations Security Council on March 12, 2012. (Credit: Richard Drew / The Associated Press)

The Associated Press reports that “The private email server running in [Clinton’s] home basement when she was secretary of state was connected to the Internet in ways that made it more vulnerable to hackers, according to data and documents reviewed by the Associated Press. […] Experts said the Microsoft remote desktop service [used on the server] wasn’t intended for such use without additional protective measures, and was the subject of US government and industry warnings at the time over attacks from even low-skilled intruders.” (The Associated Press, 10/13/2015) 

One anonymous senior National Security Agency (NSA) official comments after reading the Associated Press report, “Were they drunk? Anybody could have been inside that server—anybody.” (The New York Observer, 10/19/2015)

October 19, 2015: A Congressperson says a President Clinton could be quickly impeached due to her email scandal.

Representative Mo Brooks (Credit: Public Domain)

Representative Mo Brooks (R) says that his concern with Clinton’s use of a private email server is “how many lives she put at risk by violating all rules of law that are designed to protect America’s top secret and classified information from falling into the hands of our geopolitical foes who then might use that information to result in the deaths of Americans. […] [S]he will be a unique president if she is elected by the public next November [2016], because the day she’s sworn in is the day that she’s subject to impeachment because she has committed high crimes and misdemeanors.” (The Huffington Post, 10/19/2015)

A few days later, Clinton reacts to the impeachment threat: “It’s just laughable! It’s so totally ridiculous. […] It perhaps is good politics with… the most intense, extreme part of [the Republican] base.” (Politico, 10/23/2015)