OPSEC FAIL: US Military Email Going to Mali — via Typo
Russian-allied government can intercept “highly sensitive information”—because there’s no “I” in .ML
Every week, thousands of email messages get sent to Mali instead of U.S. DoD addresses ending .MIL—many of them classified Sensitive or NOFORN. That’s because Mali’s top-level domain is .ML and typing is hard, yo.
And it’s not as if Mali’s a friendly government. In today’s SB Blogwatch, we tri tipin rite.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Time travel.
MX Mixup
What’s the craic? Jacob Judah, Chris Cook, Mehul Srivastava, Max Harlow and Felicia Schwartz report—“Typo leaks millions of US military emails”:
“Closely allied with Russia”
Millions of US military emails have been misdirected to Mali through a “typo leak” that has exposed highly sensitive information, including diplomatic documents, tax returns, passwords and the travel details of top officers. … Despite repeated warnings over a decade, a steady flow of email traffic continues to the .ML domain, the country identifier for Mali, as a result of people mistyping .MIL, the suffix to all US military email addresses.
…
Almost 1,000 arrived on Wednesday alone. … Some messages contain highly sensitive data [including] identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases … official travel itineraries, … briefings on domestic US terrorism marked “For Official Use Only,” … a global counter-terrorism assessment headlined “Not Releasable to the Public or Foreign Governments,” … a “sensitive” briefing on efforts by Iran’s Islamic Revolutionary Guards Corps … to conduct espionage in the US, … a presentation about corrosion problems affecting … F-35s and an artillery manual “carried by command post officers.”
…
The problem was first identified almost a decade ago by Johannes Zuurbier. … Control of the .ML domain will revert on Monday from Zuurbier to Mali’s government, which is closely allied with Russia.
Wait, did you say Russia? Chloe Taylor hammers the point home—“Now the Russia-friendly government will get access to it”:
“DoD is aware of the issue”
A simple typo means millions of emails meant for the U.S. military are about to fall into the hands of Mali, a pro-Russia … landlocked West African nation, [which] has a long history of armed rebellion, extremist activity and military dictatorship. … Washington has voiced concern about Moscow’s growing influence in Mali and the surrounding region.
…
Lt. Cmdr Tim Gorman, a spokesman for the Pentagon, [said] the Department of Defense (DoD) is aware of the issue and took all unauthorized disclosures of Controlled National Security Information or Controlled Unclassified Information seriously: … “Such emails are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients. … While it is not possible to implement technical controls preventing the use of personal email accounts … the Department continues to provide direction and training to DoD personnel.”
But if the messages are “blocked,” how are they reaching Mali? lolinder reads between the lines:
A lot of the emails are from … government contractors. They may not be able to solve all of them, but requiring government contractors to block .ml domains in their email systems would be a start.
Not just contractors. Joe_Dragon notes:
When you give a hotel .ML in error … you don’t have control over the hotel email system.
I bet the DoD is scrambling to fix this. Too late, says Hazewee @Laeken:
It was fixable—until now. The US could have bought the army.ml subdomains from Mr. Zuurbier and rerouted the misdirected emails. This would have also allowed them to pinpoint the most prolific leakers over time, and get them to set up safeguards.
…
Now the .ml top-level domain server will be managed directly by the government of Mali, or handed to another supplier of theirs. Like the Wagner group.
Yeah, something doesn’t quite add up. neilv does the math:
Sounds like [Zuurbier] set up DNS MX records and SMTP servers for domains like army.ml. [He] set up something specifically to capture the emails [he] knew weren’t intended for [him] preventing the senders’ own SMTP servers from alerting the senders of the problem almost immediately.
…
[And] it sounds like [he] also examined the content of some of the diverted emails that [he] knew were sensitive and not intended for [Him]. I wonder who leaked this situation to the press, and why.
PEBKAC. NoWayNoShapeNoForm eyerolls furiously:
Yet another reason why you should not allow children near an Internet-connected keyboard. Oh wait! It is … stupid adults who do not watch or even bother to review what they type before hitting “Send”. And they probably use “Reply All” constantly.
What other typo candidates are there? TazeTSchnitzel suggests one:
If .mil is typoed to .ml … I suppose it’s also typoed to .il (Israel). But I imagine that worries the DoD less.
And here’s another, from F2020:
There could also be interesting stuff between .cn and .ch.
Meanwhile, this Anonymous Coward has “said it before” and is saying it again:
If you depend on end users knowing what they’re doing, your security is going to fail. No amount of training can fix tired, lazy or distracted users.
And Finally:
Hat tip: Tom Scott
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
