Typo Leaks Millions of US Military Emails To Mali Web Operator (ft.com) 52

Millions of US military emails have been misdirected to Mali through a "typo leak" that has exposed highly sensitive information, including diplomatic documents, tax returns, passwords and the travel details of top officers. Financial Times: Despite repeated warnings over a decade, a steady flow of email traffic continues to the .ML domain, the country identifier for Mali, as a result of people mistyping .MIL, the suffix to all US military email addresses. The problem was first identified almost a decade ago by Johannes Zuurbier, a Dutch internet entrepreneur who has a contract to manage Mali's country domain.

Zuurbier has been collecting misdirected emails since January in an effort to persuade the US to take the issue seriously. He holds close to 117,000 misdirected messages -- almost 1,000 arrived on Wednesday alone. In a letter he sent to the US in early July, Zuurbier wrote: "This risk is real and could be exploited by adversaries of the US."

  • Correct me if I'm wrong, but doesn't this assume some malicious configuration on the .ml side (MX records and SMTP server accepting the user mentioned in the To: header)? So how can a "steady flow of emails" exist? How could the guy collect so many emails? The article is paywalled so I could not get any details. In any case, sending unencrypted confidential data over email is not a good idea. If only email encryption were easier to use from an end user's perspective...
    • by Anonymous Coward

      how can a "steady flow of emails" exist?

      The answer is right there in the summary:

      as a result of people mistyping

    • Paywall removed. https://archive.li/K3NSz [archive.li]

    • Well, even if no system is configured to actually deliver the messages, they are still transiting servers that you never intended the messages to transit.

  • Sounds a little sketchy to me.

  • Yet another reason why you should not allow children near an Internet-connected keyboard.

    Oh wait! It is being done by stupid adults who do not watch or even bother to review what they type before hitting "Send". And they probably use "Reply All" constantly.

  • Russia (Score:5, Informative)

    by richi ( 74551 ) on Monday July 17, 2023 @10:35AM (#63692656) Homepage
    This is the important bit missing from the summary:

    Control of the .ML domain will revert on Monday from Zuurbier to Mali's government, which is closely allied with Russia. When Zuurbier's 10-year management contract expires, Malian authorities will be able to gather the misdirected emails.
  • Blame Sans (Score:3, Interesting)

    by bill_mcgonigle ( 4333 ) * on Monday July 17, 2023 @10:41AM (#63692672) Homepage Journal

    New Hotness:

    fred.flintstone@ssf.ml
    fred.flintstone@ssf.mil

    Old and Busted:

    FRED.FLINTSTONE@SSF.ML
    FRED.FLINTSTONE@SSF.MIL

    Now imagine your Major General's eyes are old and busted too.

    The fools will say you'd better ask a 23-yr-old 'web developer' what looks good. He'll believe it's not worth keeping military secrets if the site looks lame.

    Next week he's switching to light gray text on a white background. "Beautiful!" his buddies will say.

    Maybe the PLA can offer this ISP free hosting.

    • Agh, case sensitivity. Why does that even matter? Asking for a friend, who may or may not be a female gnat called George. Also, fuck white backgrounds; I'd rather eat my own spleen than stare at one for any longer than necessary.
  • Granted it's been over a decade since I was an email administrator... but it is TRIVIAL to blacklist a domain. Until one can get their crap together, why not just block .ML?
    • and when you give a hotel .ML in error vs .MIL you don't have control over the hotel email system.

      • by jd ( 1658 )

        You should, in a hotel, be using a VPN to a secure email server, and said secure email server had better be one inside of government and not gmail. You really want the message to stay inside a virtualised military-controlled network (or government-controlled, for government stuff in general), travelling over public servers and the public networks as little as possible and ONLY for physical transport, not for any processing.

        • by GlennC ( 96879 )

          The problem is not if the user is in a hotel or not.

          The problem is that the user gave the hotel (or other recipient) a reply-to address of user_name@example.ML instead of the intended user_name@example.MIL

          Once that happens the hotel (or other recipient) will be more likely to use the @example.ML address to send email intended for the user whose correct address ends in @example.MIL.

          The contents of the incorrectly addressed email will then be more likely to be read by those who shouldn't have access to it.

          Add

          • by jd ( 1658 )

            Hotels shouldn't be sending classified information. Indeed, they shouldn't even have classified information. Since that's the information people are apparently sending, it's not the hotels sending email that is the problem.
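
Added example, not code posted by anyone in this thread: an outbound recipient check of the kind the "just block .ML" suggestion above implies, written in Python. It rejects recipients under a denylisted TLD (.ml here, an assumed policy choice) and flags any TLD that is one keystroke away from .mil for review before the gateway relays the message, comparing domains case-insensitively since SSF.ML and ssf.ml are the same typo. As the replies point out, it does nothing for the hotel case, where the wrong address sits in someone else's address book. All addresses in it are constructed.

```python
"""Outbound recipient check for a mail gateway on the .mil side.

Added example, not code posted in the thread. Rejects mail addressed to a
denylisted TLD (.ml here, an assumed policy choice) and flags any TLD that
is one keystroke away from .mil for human review before relaying. It cannot
help when a correspondent already holds the mistyped address.
All addresses below are constructed.
"""
import re
from dataclasses import dataclass

DENYLISTED_TLDS = {"ml"}   # assumption: site policy blocks the Mali ccTLD outright
PROTECTED_TLD = "mil"      # the TLD senders actually mean

# local@domain, domain restricted to DNS label characters; no display names
ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+)$")


def edit_distance_one(word, alphabet="abcdefghijklmnopqrstuvwxyz"):
    """Every string one insertion, deletion, substitution or adjacent
    transposition away from `word` (the classic spelling-corrector set)."""
    splits = [(word[:i], word[i:]) for i in range(len(word) + 1)]
    deletes = {a + b[1:] for a, b in splits if b}
    transposes = {a + b[1] + b[0] + b[2:] for a, b in splits if len(b) > 1}
    replaces = {a + c + b[1:] for a, b in splits if b for c in alphabet}
    inserts = {a + c + b for a, b in splits for c in alphabet}
    return (deletes | transposes | replaces | inserts) - {word}


NEAR_MISS_TLDS = edit_distance_one(PROTECTED_TLD)   # contains "ml", "mli", "mi", "mail", ...


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow", "review" or "reject"
    reason: str


def check_recipient(address):
    """Decide what the gateway should do with one recipient address."""
    m = ADDR_RE.match(address.strip())
    if not m:
        return Verdict("reject", "malformed address")
    # DNS is case-insensitive, so SSF.ML and ssf.ml are the same typo
    domain = m.group(1).lower().rstrip(".")
    tld = domain.rsplit(".", 1)[-1]
    if tld in DENYLISTED_TLDS:
        return Verdict("reject", f"TLD .{tld} is denylisted")
    if tld in NEAR_MISS_TLDS:
        return Verdict("review", f"TLD .{tld} is one keystroke from .{PROTECTED_TLD}")
    return Verdict("allow", "ok")


def triage(addresses):
    """Group a batch of recipients by verdict, e.g. for a queue report."""
    out = {"allow": [], "review": [], "reject": []}
    for a in addresses:
        out[check_recipient(a).action].append(a)
    return out


if __name__ == "__main__":
    sample = [  # constructed
        "fred.flintstone@ssf.mil",
        "FRED.FLINTSTONE@SSF.ML",
        "fred.flintstone@ssf.mli",
        "frontdesk@example-hotel.com",
    ]
    for action, addrs in triage(sample).items():
        print(action, addrs)
```

The near-miss set is deliberately wide (it also catches .mail, for instance), which is why those go to review rather than straight to reject; only the explicit denylist is a hard block.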

  • by PPH ( 736903 ) on Monday July 17, 2023 @10:57AM (#63692736)

    Why isn't it .mil.us?

    • by jd ( 1658 ) <(imipak) (at) (yahoo.com)> on Monday July 17, 2023 @11:04AM (#63692764) Homepage Journal

      Because the American government has yet to admit to the existence of other countries. Parts of it are still struggling with the whole "world is round" idea.

  • MSN has a syndicated version of the Verge's 'Millions' of sensitive US military emails were reportedly sent to Mali due to a typo [msn.com] article, which at least provides a more thorough summary of the paywalled FT article than we have here.

    Here's a tasty tidbit:

    Johannes Zuurbier, a Dutch entrepreneur contracted to manage Mali’s domain, [...] has reportedly intercepted 117,000 misdirected emails [since January alone], several of which contain sensitive information related to the US military. [...] Zuurbier

  • by Anonymous Coward

    If you depend on end users knowing what they're doing, your security is going to fail. No amount of training can fix tired, lazy or distracted users. If the client software doesn't stop users from making mistakes, they can and will happen. High security email users should not be typing addresses, they should be using contacts. Contacts created by security personnel who know how to vet contacts and make sure the person end users think they are communicating with is actually that person.
    It's not just emai

  • by NotInKansas ( 5367383 ) on Monday July 17, 2023 @12:04PM (#63693068)
    Oh good god! The same wrong finger pointing and the same wrong conclusions again.

    First of all, ".mil" is for unclassified content only. Sensitive but unclassified requires the use of encryption.

    " ... One FBI agent ... included an urgent Turkish diplomatic letter to the US state department about possible operations ... The same person also forwarded a series of briefings on domestic US terrorism marked “For Official Use Only" ... Not Releasable to the Public or Foreign Governments. A “sensitive” briefing ... Others sent the passwords needed to access documents ... passport numbers sent by the state department’s special issuances agency ... future military procurement options ... corrosion problems affecting Australian F-35s ... "

    While typos happen, none of this should have been sent unencrypted to a ".mil" address even without a typo! Most of the examples are from organizations that already have direct access to a classified secure network exchange, that's why it exists.

    This isn't a technical problem, it's a stupid problem. It's not ignorance because every one of these persons and organizations are subjected to regular training so it's not a question of education, it's just plain stupidity.
    • by HiThere ( 15173 )

      That's not an argument in favor of the current approach. You've identified a second problem, but that doesn't eliminate the one being pointed at, and this is a (largely) technical site, not an administrative or legal site, which is the kind of answer you're asking for.

      The proper approach is to pursue solving BOTH problems. The one this site has expertise available on is the technical one. And it *IS* a real problem.

      P.S.: You can't fix stupid. You need to reframe the problem so it's a different kind of

    • by Anonymous Coward

      As Number 1.0 would say-- You are technically correct--the best kind of correct

      The problem is that the services aren't always on the same PKI cert management system. DoD, DHS, and DoJ have even more problems as do communications between Govt and government contractors not using an official govt email address. The result is encrypted emails can be a real pain in the ass. Combine with not everyone being tech and information security savvy, and mistakes will be made.

      Are there ways around this? Yes, SAFE, e

      • "The better solution would be to also have the enterprise DNS server redirect things going to adversarial countries by country code for additional screening. This would catch lots of other things without necessarily standing in the way of those that have a genuine need to send and receive official messages (DoS, etc.). As this is very, simple safeguard to put in place, I'm not sure why it isn't there."

        You are correct, you don't understand. Let me try again:

        DNS checking and routing verification are a
      • Anyone with access to sensitive material should be tech and information security savvy and know how to handle sensitive material.
  • So a very quick play in Python. The idea is that you use some method (e.g. sha256) to hash the domain components. Probably only the first two or three. But anyway, this is a quick play. Basically all you need to do is to check that the checksum matches. You could use an email address of the form "andy=dda1-85d9@my.uni.ac.uk" where the convention is that the "dda1-85d9" is a checksum of the domain name. Then a mail client could notice that "andy=dda1-85d9@my.uni.ac.at" fails the checksum whereas "andy=dda1-85d9@
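
Added example, not the commenter's code: a working version of the checksum-in-the-local-part scheme sketched above, in Python. An address takes the form user=XXXX-XXXX@domain, where XXXX-XXXX is the first eight hex digits of SHA-256 over the lowercased domain (an assumption; the comment floats hashing only the first few labels, this hashes the whole domain). A client or submission gateway that knows the convention can refuse to send when the tag disagrees with the domain actually typed, so the .mil/.ml slip fails the check instead of leaving the building. Sample addresses are constructed.

```python
"""Domain checksum carried in the local part of an address.

Added example implementing the scheme sketched in the comment above; it is
not the commenter's code. Addresses look like user=XXXX-XXXX@domain, where
XXXX-XXXX is the first eight hex digits of SHA-256 over the lowercased
domain (assumption: the whole domain is hashed). Sample addresses are
constructed.
"""
import hashlib
import re

TAG_RE = re.compile(
    r"^(?P<user>[^=@\s]+)=(?P<tag>[0-9a-f]{4}-[0-9a-f]{4})@(?P<domain>[^@\s]+)$"
)


def domain_tag(domain):
    """Checksum tag for a domain: SHA-256 of the lowercased name, 8 hex digits, split 4-4."""
    canonical = domain.lower().rstrip(".")           # DNS names are case-insensitive
    digest = hashlib.sha256(canonical.encode("idna")).hexdigest()
    return f"{digest[:4]}-{digest[4:8]}"


def tagged_address(user, domain):
    """Mint an address that carries its own domain checksum."""
    return f"{user}={domain_tag(domain)}@{domain}"


def verify_address(address):
    """Return (ok, reason). Fails if the tag is absent or disagrees with the domain."""
    m = TAG_RE.match(address.strip())
    if not m:
        return False, "no checksum tag in local part"
    expected = domain_tag(m["domain"])
    if expected != m["tag"]:
        return False, f"tag {m['tag']} does not match {m['domain']} (expected {expected})"
    return True, "tag matches domain"


if __name__ == "__main__":
    good = tagged_address("fred.flintstone", "ssf.mil")     # constructed
    typo = good.replace("@ssf.mil", "@ssf.ml")              # the .mil -> .ml slip
    for addr in (good, typo):
        print(addr, verify_address(addr))
```

The tag only proves the typist had the right domain when the address was minted; it says nothing about who operates the domain, which is why the receiving side still needs the mail-server or DNS controls discussed elsewhere in the thread.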

  • Funny how the technology exists to mitigate this, and it's Open Source, Trusted and Free, yet not in use. PGP is an essential aspect of any functional email system, if you can't cryptographically validate who you claim to be, then you're not who you claim.

    Since PGP can mitigate incorrect email address, and you can set up the systems to check against key rings, then any misplaced or misdirected email is intentional through incompetence.
