AP Photo/Manuel Balce Ceneta
A number of malicious attackers apparently tried to break into Hillary Clinton's private email server while she was serving as Secretary of State, according to new documents released from the FBI's investigation into its use.
In a section detailing the FBI's look into potential intrusions of the server, Bryan Pagliano, the IT worker who helped set it up, told agents the server had no security breaches, but it had many failed login attempts, which he characterized as "brute force attacks."
In these types of attacks, a hacker triesto guess passwords one by one, or uses an automated tool to do it until getting it right. Pagliano said these types of attacks "increased over the life" of the server, and he set up alerts for when they occurred.
It's worth noting, that most companies of all sizes experience the same sort of attempts by hackers to break into their computers and networks.
The FBI could not determine whether hackers gained full access to the server, but on at least one occasion, a hackerdid take over an email account belonging to a staffer for President Bill Clinton, the documents said.
"Forensic analysis noted that on January 5, 2013, three IP addresses matching known Tor exit nodes were observed accessing" the account, meaning that an attacker using the Tor service ― which encrypts and hides a person's online presence ― logged in andbrowsed emails, folders, and attachments. The FBI was unable to determine who theattacker was.
There were also number of security lapses revealed in the FBI documents.
While the server was set up in Jan. 2009, it wasn't until late March that Pagliano set it up with an SSLsecuritycertificate that would encrypt login credentials as a user logged in, though thisnever covered email content stored on the server. For this three-month period ― if a hacker were so inclined and could intercept the traffic ― email traffic from clintonemail.com was "potentially vulnerable to compromise," the FBI said.
Pagliano also recalled a conversation with someone (redacted in the documents) who advised he set up Transport Layer Security, or TLS, a tunnel which would protect data traveling to the server from servers hosted at the State Department. This move apparently never happened.
However, it's also worth noting that the two technologies, SSL and TLS, are related, and when it comes to setting up email servers, often a server in those days would use one or the other.
The FBI also found that Microsoft's Remote Desktop Protocol (RDP) was enabled on the server, which the FBI said had "known vulnerabilities"associated with it. Though RDP is used by many organizations to allow certain employees to access a system over the internet, they are often only as strong as what they use for ausername and password.
In his statement following the investigation, FBI Director JamesComey said that the FBI did not find "direct evidence" the server was successfully hacked, but he added, " given the nature of the system and of the actors potentially involved, we assess that we would be unlikely to see such direct evidence."
Translation: We did not find the fingerprints of hackers on this system, but hackers often cover up their tracks and delete traces of their breaches, so it's very possible they broke in and we would never know it.
Of whether the server was hacked, Clinton's website says : " No, there is no evidence there was ever a breach."
Still, Comey spoke of"hostile actors" who did gain access to private email accounts of people Clinton emailed. Though he didn't name names, at least one of those actors was Guccifer, whose real name is Marcel Lehel Lazar, the infamous hacker ― recently sentenced to four years in prison ― who broke into more than 100 accounts of prominent Americans.
" She also used her personal e-mail extensively while outside the United States, including sending and receiving work-related e-mails in the territory of sophisticated adversaries," Comey said. "Given that combination of factors, we assess it is possible that hostile actors gained access to Secretary Clinton’s personal e-mail account."