#2290: Marine Links Spy In Bag To Serco Black-Hand Jetway Snuff, Clinton Server Hack
Plum City – (AbelDanger.net): United States Marine Field McConnell has linked a sports bag used in the torture murder of MI6 spy Gareth Williams to Serco V-P Maureen Baginski’s alleged deployment of Black Hand* snuff-film crews through HSBC Jetways in 81 countries and hack of Hillary Clinton’s server domain page formerly hosted in the British Virgin Islands.
Black Hand* – HSBC’s drug-hub navigators with a “License to Track, Film and Kill” for the City of London’s Honourable Artillery Company 1537; The Master Mariners and Air Pilots (formerly GAPAN) 1929, and The Ancient and Honorable Artillery Company of Massachusetts 1638 – whose alumni include the United States’ Presidents James Monroe, Chester Alan Arthur, Calvin Coolidge and John F. Kennedy and – perhaps – Barack ‘Choom Gang’ Obama.
McConnell alleges that Baginski had Williams’ body transported in a North Face sports bag and placed in the bath of his flat in Pimlico, barely a mile from the headquarters of MI6 across the River Thames, where the property used by MI6 as a safe house, was owned by a British Virgin Islands-registered company called New Rodina, meaning ‘new motherland’ in Russian.
McConnell alleges that Ms. Baginski had Williams tracked through HSBC Jetways and then killed by her Black Hand snuff-film crews after the MI6 spy was found to have discovered the Serco hack in the British Virgin Islands of Clinton’s server and the associated man-in-the-middle attacks on the Obama White House.
McConnell has now exposed Serco’s deployment of Black Hand snuff-film crews through HSBC Jetways and Serco’s use of Hillary Clinton’s servers to launch man-in-the-middle attacks on the military and intelligence services of the Five Eyes countries (U.S.A., U.K., Canada, Australia and New Zealand), resulting, inter alia, in the wrongful death of the late MI6 spy Gareth Williams.
Prequel 1: #2289: Marine Links Clinton’s Bin-Laden Black-Hand Patent Thefts To Serco’s Pentagon Sheraton Check-Free Turns
Prequel 2: #2038: Marine Links Serco Baginski to Patsy Offender’s Tag, SIMAS Times and MH Extortion 17
Hillary Emails on Personal Server Credibility Questioned
Serco… Would you like to know more?
Last Updated: 9:34PM GMT 28/01/2012
An inquest into the death of the spy whose body was found in a locked holdall is set to go ahead this spring, casting light on one of the most baffling mysteries in the recent history of the secret services.
It remains one of the most baffling mysteries in the history of the British secret services.
When the body of an MI6 spy was found locked in a holdall in the bath of his flat, in August 2010, it led to a rash of conspiracy theories, from the disturbing to the downright bizarre.
Nearly 18 months on, police have been unable to establish what led to the death of Gareth Williams, despite a battery of toxicology tests and an exhaustive investigation into his background and his movements.
But Dr Fiona Wilcox, the recently-appointed coroner for Westminster, has decided the time is now right to attempt to record the first official account of what happened to the 31-year-old spy.
She will hold a Pre Inquest Review (PIR) on March 29 at Horseferry Road Coroners Court. A full inquest will begin three weeks later, probably at a larger venue, and is expected to last three to four days.
The PIR is required to establish who will give evidence and, crucially, in what form. Attending will be a member of Scotland Yard’s investigation team and legal representatives of GCHQ and MI6.
A solicitor is understood to have been appointed by Mr Williams’s parents Ian and Ellen to represent his family.
It is expected that some, if not all, the evidence from as many as 40 of Mr Williams’s colleagues will be held ‘in camera’, to protect their identities and the content of their statements.
The spy’s badly-decomposed body was found at 6.30pm on August 23 at his flat in Pimlico, barely a mile from the headquarters of MI6, the Secret Intelligence Services, across the River Thames.
The property was used by MI6 as a safe house. In what was apparently a secret services in-joke, the building was owned by a British Virgin Islands-registered company called New Rodina, meaning ‘new motherland’ in Russian.”
VP Intelligence & Technical Advisory Services Senior National Security Advisor, Serco
Maureen Baginski is Vice President of Intelligence Services at Serco North America. Ms. Baginski entered the private sector in 2005 following a 27 year career in the Intelligence Community. From 2003 to 2005 Ms. Baginski served as the Executive Assistant Director for Intelligence (EAD I) where she built and managed the FBI’s first-ever intelligence program, including technology acquisition and workforce development. From 1979-2005, Ms. Baginski served in a number of positions at the National Security Agency, including Director of SIGINT, the third highest ranking official at NSA. Ms. Baginski s serves on the Board of Directors of Argon S&T. She is a member of the Defense Science Board, the Intelligence Science Board, the National Defense Intelligence College Board of Governors, and serves on the Board of Directors of the Intelligence and National Security Alliance (INSA) and is the Vice Chairman of the Armed Forces Communications and Electronics Association’s Intelligence Committee. Ms. Baginski is the recipient of two Presidential Rank Awards, two Director of Central Intelligence National Achievement Medals, the Director of Military Intelligence’s Leadership Award, and NSA’s Exceptional Civilian Service Award. In addition, Ms Baginski was the first-ever recipient of NSA’s Outstanding Leadership Award, an award voted on and bestowed by the NSA workforce. Ms. Baginski holds a BA and MA in Slavic Languages and Linguistics from the University of Albany. In June 2006, Ms. Baginski received an honorary Doctorate of Humane Letters from the University of Albany for her service to the nation.”
“How Unsafe Was Hillary Clinton’s Secret Staff Email System?
When Hillary Clinton ditched government email in favor of a secret, personal address, it wasn’t just an affront to Obama’s vaunted transparency agenda—security experts consulted by Gawker have laid out a litany of potential threats that may have exposed her email conversations to potential interception by hackers and foreign intelligence agencies.
“It is almost certain that at least some of the emails hosted at clintonemails.com were intercepted,” independent security expert and developer Nic Cubrilovic told Gawker.
Within the instant classic “ClintonEmail.com” domain, it appears there are three separate servers. The domain’s blank landing page is hosted by Confluence Networks, a web firm in the British Virgin Islands, known for monetizing expired domain names and spam.
But the real worry comes from two other public-facing ClintonEmail.com subdomains, which can allow anyone with the right URL to try to sign in.
One is sslvpn.clintonemail.com, which provides a login page that apparently uses an SSL VPN—a protocol that allows your web browser to create an encrypted connection to a local network from any internet connection—to users to access their email. That sounds secure, and under the right circumstances, for regular users, it can be. But there are two huge problems with using it for the Secretary of State’s communications with her staff and others.
First: Anyone in the world with that URL can attempt to log in. It’s unclear what exactly lies on the other side of this login page, but the fact that you could log into anything tied to the Secretary of State’s email is, simply, bad. If the page above is directly connected to Clinton’s email server, a login there could be disastrous, according to Robert Hansen, VP of security firm WhiteHat Labs:
It might be the administrative console interface to the Windows machine or a backup. In that case, all mail could have been copied.
What’s more troubling is the fact that, at least as of yesterday, the server at sslvpn has an invalid SSL certificate. Digital certificates are used to “sign” the encryption keys that servers and browsers use to establish encrypted communications. (The reason that hackers can’t just vacuum the internet traffic between your browser and Google’s Gmail servers and read your email is that your browser is encrypting the data to a public encryption key. The reason that you know that you are encrypting to Google’s key and not to, say, the People’s Liberation Army’s, is that the Gmail servers have a digital certificate from a trusted third-party confirming that the key is theirs.)
When you attempt to access sslvpn.clintonemail.com using Google’s Chrome browser, this is what you see:
The apparent reason for that message is that the certificate used by Clinton’s server is self-signed—verified by the authority that issued it, but not by a trusted third party—and therefore regarded by Google’s Chrome browser as prima facie invalid. The government typically uses military-grade certificates and encryption schemes for its internal communications that designed with spying from foreign intelligence agencies in mind. But the ClintonEmail.com setup? “If you’re buying jam online,” says Hansen, “you’re fine.” But for anything beyond consumer-grade browsing, it’s a shoddy arrangement.
Security researcher Dave Kennedy of TrustedSec agrees: “It was done hastily and not locked down.” Mediocre encryption from Clinton’s outbox to a recipient (or vice versa) would leave all of her messages open to bulk collection by a foreign government or military. Or, if someone were able to copy the security certificate Clinton used, they could execute what’s called a “man in the middle” attack, invisible eavesdropping on data. “It’s highly likely that another person could simply extract the certificate and man in the middle any user of the system without any warnings whatsoever,” Hansen said.
The invalid certificate would have also likely left Clinton vulnerable to widespread internet bugs like “Heartbleed,” which was only discovered last spring, and may have let hackers copy the entire contents of the Clinton servers’ memory. Inside that memory? Who knows: “It could very well have been a bunch of garbage,” said Hansen, or “it could have been her full emails, passwords, and cookies.” Heartbleed existed unnoticed for years. A little social engineering, Hansen said, could give attackers access to Clinton’s DNS information, letting them route and reroute data to their own computers without anyone realizing. “It’s a fairly small group of people who know how to do that,” Hansen noted, but “it’s not hard—it’s just a lot of steps.”
“It was done hastily and not locked down.”
We don’t know, of course, if the current state of Clinton’s servers is representative of the security precautions that were in place while she was using it as Secretary of State. The system could have previously been hardened against attack, and left to get weedy and vulnerable after she left government. We don’t know. But that’s part of the problem—at the Department of State, there is accountability for the security of email systems. If we learned that State’s email servers had been hacked or left needlessly vulnerable, there would be investigations and consequences. With Clinton’s off-the-books scheme, there are only questions.
The final address behind ClintonEmail is a mail host, mail.clintonemail.com, which will kick back an error message when visited directly:
But if you plug in a different URL with the same mail server, you’re presented with a user-friendly, familiar Outlook webmail login:
This is basically no more secure than the way you’d log into AOL, Facebook, or any other website. There’s no evidence that Clinton (or her staffers) used this web interface to check their emails, as opposed to logging in through a smartphone or other email software. But its mere existence is troubling enough: there have been five separate security vulnerabilities identified with Outlook Web Access since ClintonEmail.com was registered in 2009. These security bugs include doozies like “a flaw that may lead to an unauthorized information disclosure” (2010) and “a remote attacker can gain access to arbitrary files” (2014).
But even without exploiting software bugs, Hansen says leaving a public login page for something that’s meant to be private is “pretty much the worst thing you can do.” Clinton’s Outlook form could’ve been susceptible to a brute force attack—where random combinations of words and characters are tried until one of them works—or an old fashioned denial of service assault. “Even if she had a particularly strong password,” Hansen said, a brute force attack will “either work eventually—foreign militaries are very good at trying a lot—or it’ll fail and block her from accessing her own email.”
If Clinton had been using a government account, Hansen explained, her messages with colleagues would all be held within one relatively tidy system, monitored by the federal government. It’s the difference between doing your laundry at home and dropping it off. But with a private account, you’re introducing many separate points of failure; every single company in this custom system is a place to pry and attack. “Any joe hacker” could get inside with enough knowledge and time, according to Hansen.
“Pretty much the worst thing you can do.”
Cubrilovic echoed Hansen’s concern: “When you are a staffer in a government department, internal email never leaves the network that the department has physical control over,” he told me. But “with externally hosted email every one of those messages would go out onto the internet,” where they’re subject to snooping.
Security researcher Kenn White agrees that private internet access stirs up too many dangerous variables while emails bounced from person to person:
I think the bigger security concern here is the complete lack of visibility into who has been administering, backing up, maintaining, and accessing the Secretary’s email. If classified documents were exchanged, who viewed them? Were they forwarded? Where multiple devices (ie, mobile phones and tablets) configured to access the account? Was encryption required or optional for remote access?
Cubrilovic agreed that opting out of the government’s system is an awful idea for someone with a hacker bullseye on her back: “having a high profile target host their own email is a nightmare for information security staff working for the government,” he told me, “since it can undo all of the other work they’ve done to secure their network.” The kind of off-the-shelf email service it appears Clinton used comes with a lot of inherent risk, especially since a pillar of her job is overseas travel:
With your own email hosting you’re almost certainly going to be vulnerable to Chinese government style spearphishing attacks—which government departments have enough trouble stopping—but the task would be near impossible for an IT naive self-hosted setup.
While some of these hacking scenarios may sound outlandish or far-fetched, keep in mind that Clinton’s emails would have been a prime target for some of the globe’s most sophisticated state-sponsored cyberwarriors—the Chinese, the Israelis, the Iranians. The very existence of Clinton’s private account was revealed by the hacker Guccifer, an unemployed Romanian taxi driver who managed to gain access to former Clinton aide Sidney Blumenthal’s AOL account with relative ease. The Hillary account was reported by Gawker in 2013, and White House spokesman Eric Schultz used that story to argue that the Clinton email story was old news: “This was public years ago,” he told Business Insider, linking to the 2013 Gawker story.
Which is another way of saying that foreign intelligence agencies have had two years to work on the target.”
“One millionth Patent Application in US
Download PDF [PDF, 16 KB] (Please note: this link will open the page in a new browser window)”