People who are upset that Hillary Clinton's personal email server may have been hacked are missing the big picture. Nearly everything that is worth hacking and connected to the internet is already hacked -- and that which is not can be hacked at will.

I don't want to get into the morass of whether Clinton's use of personal email while she was Secretary of State was legal or ethical. That's been debated to death.

Instead, I'm talking about whether it was hacked. Could it have been? I'll say it again: Everything is hackable. Stuxnet took down Iranian centrifuges that were running on an air-gapped private network. The State Department's email was hacked -- very likely before, during, and after Clinton's tenure there.

Was Clinton's email server hacked?

As for Clinton's personal email server, the fact is we'll never know whether it was hacked.

Her server ran Microsoft Exchange 2010. Arrested Romanian hacker Marcel Lazăr (aka Guccifer) claimed he had hacked it. But beyond his public claim no evidence has come to light to back up his statement.

The FBI forensic investigation into the server did not corroborate his statement. As far as I can tell, Guccifer socially engineered her aide, Sidney Blumenthal, out of his AOL account password and nothing more. The same hacking technique was used against her senior adviser John Podesta for the thousands of emails now shared via Wikileaks. I've yet to hear any evidence that the server itself was exploited.

Could someone have hacked the server without leaving evidence?

Yes, although it seems unlikely. Most hackers leave behind lots of evidence because it doesn't matter if they do. Almost no one gets caught, much less prosecuted. Thus, hackers have become lazy and don't attempt to clear log files or cover up evidence of their crimes.

For the sake of argument, let's say a Russian superhacker broke into Clinton's server without leaving behind signs of compromise.
In that case, wouldn't we see emails other than those coming from two aides? It's highly unlikely that a hacker would gain complete access, download every email, and fail to leak emails from Hillary and Bill Clinton.

Don't get me wrong -- I think plenty of hackers are capable of hacking her server and not leaving behind evidence. But I seriously doubt those hackers realized the importance of the email server serving up the @clintonemail.com domain. The FBI's own investigation revealed the server was scanned and a few hacks were attempted, but none seemed to get through.

How would you hack Clinton's email server?

This is penetration testing 101. First, you canvass your target. It's Microsoft Exchange 2010 running on Microsoft Windows -- you can get that much by sending a few SMTP commands to the email service port or running a port scanner like Nmap against the IP address. Using a port scanner and a few fingerprinting apps, you'd likely come away with the Windows version and perhaps even its patch status, along with whatever other services it was running.

We know from reports that it was running Microsoft Outlook Web Access (OWA) and Remote Desktop Protocol (RDP) for remote access. That helps a lot. OWA means it's also running Microsoft's Internet Information Services (IIS). Any hacker worth his or her salt already has all the possible exploits that might work against Microsoft Windows, IIS, Exchange, and RDP. Lots of hackers like to use the Metasploit Framework, but I'm partial to custom code for each vulnerability.

RDP and OWA also give you remote logons to try. Even if they have account lockout enabled, you can guess slowly. Better yet, you can guess against the Administrator account. As long as it hasn't been renamed, you can guess as many times as you like and you won't get locked out.
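The two logon-guessing patterns just described, slow guessing that stays under the lockout threshold and guessing against the built-in Administrator account, are exactly what a defender watching the server's logon-failure events should be looking for. The following is an added example, not code from the original column: it parses a constructed, simplified export of Windows Security logon events (the field order is an assumption) and flags account/source pairs whose failures never reach the lockout threshold inside one observation window yet accumulate over hours.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of Windows Security events 4625 (logon failure) and 4624 (success).
# Assumed field order: timestamp, event id, target account, source IP, logon type
# (10 = RemoteInteractive/RDP, 3 = Network, which is how OWA authentication is logged).
SAMPLE_LOG = """\
2015-03-01T02:00:05 4625 Administrator 198.51.100.7 10
2015-03-01T02:31:10 4625 Administrator 198.51.100.7 10
2015-03-01T03:02:44 4625 Administrator 198.51.100.7 10
2015-03-01T03:33:21 4625 Administrator 198.51.100.7 10
2015-03-01T04:04:02 4625 Administrator 198.51.100.7 10
2015-03-01T04:35:50 4625 Administrator 198.51.100.7 10
2015-03-01T09:15:00 4625 jsmith 203.0.113.9 3
2015-03-01T09:15:30 4624 jsmith 203.0.113.9 3
"""
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d+)$")

def parse_events(log):
    """Return (timestamp, event_id, account, source_ip, logon_type) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), int(m.group(2)),
                           m.group(3), m.group(4), int(m.group(5))))
    return events

def _max_in_window(times, window):
    """Largest number of failures inside any window that starts at a failure."""
    return max(sum(1 for t in times if timedelta(0) <= t - s <= window) for s in times)

def slow_guess_alerts(events, observation=timedelta(minutes=30), lockout_threshold=5,
                      long_window=timedelta(hours=6), min_total=5):
    """Flag (account, source) pairs whose failures never reach the lockout threshold
    inside one observation window yet reach min_total within long_window: guessing
    slowly. Built-in Administrator is marked, since lockout would not protect it."""
    failures = defaultdict(list)
    for ts, eid, acct, src, _ in events:
        if eid == 4625:
            failures[(acct, src)].append(ts)
    alerts = []
    for (acct, src), times in failures.items():
        times.sort()
        peak, total = _max_in_window(times, observation), _max_in_window(times, long_window)
        if total >= min_total and peak < lockout_threshold:
            alerts.append({"account": acct, "source": src, "failures": total,
                           "peak_in_window": peak,
                           "builtin_admin": acct.lower() == "administrator"})
    return alerts
```

On the sample, the single user's one failed attempt followed by a success is ignored, while the Administrator attempts spaced just over 30 minutes apart (one per observation window, six in total) are reported as a slow-guessing alert against the built-in account.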
If you have Bill's or Hillary's email address, the logon account name is likely to be the same as their email address.

One of my favorite penetration tests, when I have the time, is to identify all running software and wait until a new vulnerability appears. Microsoft releases new patches at least once a month, and almost every Windows server needs to be patched each time. All you need to do is wait for the patch announcement and exploit the identified vulnerability before the system administrator can patch it. You usually have a day or so before the admin patches a server, if not longer.

If the exploit gets you on the email server, you can then configure Exchange to forward copies of all new emails. Or you can use a program like ExMerge to suck up every existing email, including deleted ones. Once you're on the server, you can create new accounts, add backdoors, or do pretty much anything else.

A few critics have noted that Clinton's email server didn't have SSL protection. The SSL page was available, but the system admin didn't populate it with an SSL certificate. This means the connections to the server were in plaintext. While not having an SSL cert to protect the server isn't great, it isn't necessarily game over. It isn't easy to tap someone else's network traffic simply because you know it is there. You have to get into the network path near the server or the client and perform a man-in-the-middle attack on the connection. It's easy to do if you're already on the local network, but not so easy if you're not.

One of the more interesting feats you can perform against a public email server is to try and take over its domain. Perhaps Clinton's server is bulletproof -- fully patched and unhackable.
Email hackers are famous for gaining control over DNS domains (in this case, clintonemail.com and wjcoffice.com) and, if successful, redirecting all email and connections headed to those domains to a fraudulent email server. You wouldn't be able to see preexisting emails, but you'd be able to capture new inbound emails (and all the long threads of previous emails they probably contain).

What would have stopped the leak?

In the social engineering instances, using a system that required two-factor authentication (2FA) would have helped. Gmail had 2FA available back then, although I'm not sure about AOL. Clinton should have been using the State Department systems for all business email, and her personal email server should have required 2FA (although the system admin would have to know how to set it up and show the Clintons how to use it).

That's water under the bridge now.

What I'm sure Clinton really wishes she had used, besides the State Department email system, is a mechanism that prevents private email from being easily read by unauthorized parties. There are myriad solutions, including Microsoft's Rights Management System (RMS).

Information protection software such as RMS is pretty nifty. It encrypts all protected email and requires the user to retrieve an authorized personal digital certificate to view, print, or copy the email. At any time the personal certificate can be revoked. Hence, if a hacker stole the email, as soon as someone noticed, the certificate could be revoked and the email would become unreadable. Try posting that to Wikileaks.

After all the huge corporate hacking incidents, in which embarrassing private emails were leaked, I'm surprised the email information protection market isn't growing faster. Remember, we are either hacked or the attackers haven't gotten around to it yet.
Your confidential emails should be protected in a manner that prevents them from being so easy to share.

What happened to Clinton could absolutely happen to any person in any company who fails to use strong information protection for email. That's the real lesson we all should take away.