"Installing malware"
"Copying all data to China"

As for enterprise grade firewall, how'd that work for OMB, DoD, IRS, Blue Cross/Blue Shield, Target........

Enable logging to capture the details of the network traffic
http://cookbook.fortinet.com/logging-fortigate-traffic/

"Security logs" can refer to many different things. Could be the Windows security log for the OS, or could be the mail server's security log.

They should assign a reporter who knows enough about IT security to relay all the relevant information in a story.

The exact phrase used was "computer security logs from Mrs. Clinton’s private server". Might be reporter ignorance but my guess is that that is a different log than one made by a network security appliance.

Last edited Fri Mar 4, 2016, 05:09 AM - Edit history (1)

Step 1 of your attack is to gain access to the system.

Step 2 of your attack is to erase all evidence of your attack from the system.

If Clinton's server was successfully compromised, there would be no record in any logs on her server.

No one competent enough to do the hack in the first place is likely to leave the logs intact. Basic shit...

Not in business. At least not my server.

Or are you going to claim nation-state-level attacks would write to your log files?

It shows a stunning lack of knowledge about business level security. We aren't running servers in our basements.

If you do, I really hope you're not storing anything important. 'Cause I assure you it does not leave anything you can grep.

Btw, "Business-level-security" has leaked my identity 4 times in the last 2 years. That I know about. "Government-level security" has leaked my identity once.

When business level security is in place. The government and the server in mom's basement are not in the same league has business level security, and I am sure that is exactly what the Clinton's employed.

When they take complete control of your servers and network, they get to decide what you see.

There is a reason the state department server was hacked and hers was not. Do you not think WikiLeaks would have gotten in if they could have?

The fact is her server was never hacked.

It's like proving a negative. With evidence one can prove a hack occurred, but a conclusion of not being hacked can only be based on the lack of evidence of a hack. There is no positive direct evidence that can be produced that a machine hasn't been hacked, although one can present evidence that proper security measures were taken.

Businesses do get hacked all the time, even big ones with nominally secure infrastructure. Off the top of my head, Target and SONY both experienced hacks that got 100 million+ customer records each. The IRS has been hacked in a big way at least twice recently, and of course OPM got its whole database stolen in an insider job. All these businesses use industry standard information security doctrine, but implementing them in detail is a whole different animal. A whole IT infrastructure can be penetrated through something as simple as a failure to protect a web application from an SQL injection attack in one input on one screen (as happened in the SONY case).

Then there's the infamous Ashley Madison hack which was not so long ago, either. Smaller organizations are even less likely to be properly secured than large ones.

FFS, if you're going to claim to be an expert on security, you should at least know that an authorized user copying information they were authorized to access onto a CD is not a "hack".

The US Government doesn't use and never will use stock commercial CA's. That would be a horrible idea.

That page is exactly what you want to see.

Central CA's are a horrible, horrible idea, and I'm glad the government is avoiding them. Self-signed certificates are significantly more secure.

You've got no idea if the server you're connecting to is the "real" server, or a man-in-the-middle or similar hijacking.

All they do is present a self-signed cert and say "trust me". That's why you get the big giant warning in Chrome.

Pre-shared self-signed certs give some security, but only as long as that certificate has not been stolen. The third-party authentication via root CAs give more security, because you have to steal more certificates from multiple sources in order to set up your man-in-the-middle attack.

Again, that's only good as long as the certificates have not been stolen. You've got a single point of failure with a giant target on it.

Root CAs (assuming a competent root CA company) require hacking both the target server and a root CA server to exploit. That's significantly harder.

The certificate on a government server is not a root CA. The government has its own root CA servers that are separate from, say, a government web server.

The browser in this scenario still contacts a root CA to authenticate the remote server. It just contacts a government-only root CA instead of Verisign, et al.

You still seem to be missing the fundamental point:

Replace Verisign and 170 other entities with USG. It's the same infrastructure, but 1 and only 1 certificate authority is trusted.

That's more secure.

The web server has a certificate. It is not a root CA, and the public key from that certificate is not installed on the client.

Instead, that certificate chains to a government root CA. The client has that government root CA's public key to authenticate the web server's certificate.

There's (at least) 2 certificates involved.

We actually agreed on this downthread.

I'm still curious why we started on this from the results of an HTTPS request when to my knowledge a WWW site was never involved.

No root CA at all.

None.

A web server located at that same IP address seems to have, but that's a very different question, isn't it?

And what would a web server be doing at that address other than providing access to email?

What's the point of Clinton even having a web server on the box if not to provide web-based access to email?

are the Chinese government.

You're just wrong here. PKI is exactly the wrong solution for true security.

There's a reason even the DoD uses a root CA system - they just have their own root CAs. It requires stealing more certificates from multiple places.

A public key is very different from a shared key.

In a secure government system, one and only one public key is trusted, and that is the key whose private key is owned by a government server (again, this is not a shared-key cryptosystem; I suspect you'll realize this if you think about it for a second). This is the exact same cryptosystem that we use, except that the only trusted root certificate is from the US government.

In contrast, my browser (on OpenBSD, which is fairly paranoid) trusts by default 171 different public keys.

The government's way is more secure.

That typically triggers self-signed behavior, but it's technically not self-signed - the same server is not authenticating the certificate, so it's technically not self-signed.

In that it prevents all passive attacks (you might be being phished by the Russian mob, but at least you know the NSA can't listen in).

I still stand by my main point: the results of an HTTPS request don't actually tell me much about the cert an email server was using.

.


And Windows is one of the last places to do it!


.

State Department server was hacked. Hers was not. And lots of companies with "billions" don't seem to know about or deploy the proper security. If you think it depends on "bus architecture" you are severely behind the times.

.


Are you freakin' kidding me?


.

I can tell you have first hand experience from both the content of your comments and the level of exasperation.

I can only imagine the nightmare of trying to secure that machine. I doubt it was really tried, anyone competent would have raised bloody murder over the configuration.

From what I read about that server it set up so many red flags in my mind. I'd never run anything like this on a server like that. I can't imagine any foreign government who wanted to get in wouldn't have a handful of zero day hacks they could use to get real time access to that server. This assumes of course that they knew about her use of the server, which seems reasonably likely but I can't say for sure. I can't imagine the Russians or Chinese wouldn't have waltzed right into this server if they tried.

Secondly, the claim that there was only 1 person using the server is ridiculous. In my mind it's quite obvious the whole point of this server was to avoid freedom of information requests. In order to effectively do that is to get all your aids on the server. When it leaks out onto other servers is when you no longer control the records (like the Sidney Blumenthal emails).

I also wonder why the server admin was in possession of the logs and required an immunity agreement to turn them over. If I own that server, I should be the one in possession of the logs. One of my employees doesn't keep a copy of the server logs at home and require immunity to turn them over, those should be owned by the employer since she paid him.

Surely the compromise won't involve disabling the ability to detect the compromise!!!

Concocted by some flack who doesn't understand or care about cybersecurity.

But then, you knew that.

It's about classified info.

In this particular case the absence of evidence that the server was hacked is akin to a drunk driver stopped for speeding in the wrong direction in a school zone who says 'But I didn't have an accident.'

would be over and there wouldn't be a need to grant anyone immunity from prosecution.

The computer guy said "there were no signs of foreign hacking in the security logs."

No signs of it. Doesn't mean it didn't happen. Any hacker worth his or her salt knows how to erase his footprints amd fingerprints from the server logs. That's what they do.

Any time they do leave a trail is when they want a quick in and out and don't care if the victim knows. Mossad, the KGB, the Chinese, and the Iranians know exactly how to hack a server and not leave any trail behind. Give them some credit.

You can bet that the best experts we have examined and concluded that no breaks occurred. That's what the FBI does.

If they're even slightly better, there would be no evidence.

And the advantage typically goes to the person who has control over the syslog files, so they can clean their tracks of anything the FBI wants to find.

I have been told that her private server was some Rube Goldberg home brew device but the evidence suggests this Brian Pagliano guy built an impenetrable system.

cite to Pagliano or "aide" for the never-hacked statement.

and working in intelligence as an analyst, I would never have gotten away with this excuse. It's really disheartening.

As much as I would rather have Bernie be our nominee, I'm not so unrealistic as to pretend that there isn't a good-to-excellent chance that it'll be Hillary. And I realize there's more to the issue than just whether it was hacked, but I'm glad that her server having been vulnerable won't be an issue.

"The fools, don't they know I control EVERYTHING!!!!!

MMWWAAAAAA, MMWWWAAAAAA MMWWAAAAAA

Hillary is Dr. Evil.

But many of them are real BSers.

Thing is, it's a steaming pile of bullshit. The logs don't show it? Which logs? How often were the logs rotated? Who compiled the logs and sent them? Who read them?

"My ass doesn't hurt right now, so I've nobody's ever seen me naked."

Mr. Pagliano told the agents that nothing in his security logs suggested that any intrusion occurred. Security logs keep track of, among other things, who accessed the network and when. They are not definitive, and forensic experts can sometimes spot sophisticated hacking that is not apparent in the logs, but computer security experts view logs as key documents when detecting hackers.

time will tell

The server was just used for yoga routines and discussions of Chelsea's wedding. Hillary said so herself.

They can accuse her of being careless, or using bad judgement, but they can hardly indict her if nobody ever got hold of the classified emails.

I would ONLY trust it (and only a slight amount, BTW) if it was running the most up to date version of SELinux from Redhat and Tresys Technology (validation). And then only if the most secure policies offered were actually used.

And... even with all that (SELinux is used/from the NSA), you still can't PROVE that it wasn't hacked. Snowden was an admin using SELinux for the NSA... and he only mistake was going public with his information (the easiest way to hack into any system is to be one of the trusted people that administer that system).

from the Justice Department, I believe.

Well, golly-gee, I'm sure his word is just oakely-dokely with the FBI! All that pleading and immunity wasn't needed at all because he had his logs. Sheesh . . . everybody back on the bus 'cause there's nothing to see here!