Mil, Mali, Let’s Call the Whole Thing Off

A simple typo misdirected millions of emails intended for the US military.

CNN (“Common typo causes millions of emails intended for members of the US military to be sent to accounts in Mali”):

Millions of emails intended for Pentagon employees were inadvertently sent to email accounts in Mali over the last decade because of typos caused by the similarity of the US military’s email address and the domain for the West African country, according to a Dutch technologist who discovered the problem.

In some cases, sensitive information like hotel reservations for senior US military officials were revealed.

The emails were intended for owners of “.MIL” email accounts – the internet domain owned by the US military – but because of typos they were instead sent to the .ML domain, which handles email accounts in the West African country of Mali.

The email mishap reveals the security risks to US national security officials that can arise from an innocent typo. The personal information in the emails could be used to conduct targeted cyberattacks or to track the movements of Pentagon personnel – although there’s no evidence that happened in this case.

The Financial Times first reported on the issue.

Johannes “Joost” Zuurbier, a Dutch internet entrepreneur, received the emails because his company was contracted to manage the .ML domain. Since 2013, Zuurbier said, he has raised the issue with various US officials, including the US Embassy in Mali earlier this year.

“Yes, I was concerned, still am!” Zuurbier said in an email to CNN when asked about possible security risks and the misdirected emails.

Zuurbier’s contract to manage the .ML domain expired last week, he said, prompting him to raise awareness of the issue in the media.

None of the leaked emails were sent from official Department of Defense email addresses, but the department has blocked its email accounts from emailing .ml email addresses as a precaution, Deputy Pentagon Press Secretary Sabrina Singh said Monday.

She added that the “only thing that went through” were emails from personal accounts, like a Gmail or Yahoo account. The department strongly discourages using personal email accounts for official business, Singh said.

“The Department of Defense (DoD) is aware of this issue and takes all unauthorized disclosures of Controlled National Security Information or Controlled Unclassified Information seriously,” Lt. Cmdr. Tim Gorman said in a statement to CNN earlier on Monday.

The misdirected emails have grown less frequent in recent years, but still come by the hundreds per day, Zuurbier said. Many of the emails are spam, but some are sensitive.

One of the misdirected emails contained hotel room numbers for the Army chief of staff, Gen. James McConville, and his entourage on a trip they took in May to Indonesia.

The implications are serious, even if the story itself is amusing.

Still, misdirected email is a pretty standard problem, not limited to domain name typos. When I was working as a contractor for DISA many years ago, I got emails for a Navy lieutenant commander with my same name several times a week despite his being in Florida and me being in Virginia and mine having a .ctr right there in the email. Presumably, people were simply going to the Global Address List and not being too careful. And, for some reason, the guy who sold my houses four years ago suddenly started emailing me stuff clearly intended for other customers a few weeks back. After a few notes about the error, I just started ignoring them. Presumably, the other customers have similar letter combinations and autocomplete is the culprit.

It’s rare, indeed, that I type out an email address in a way that I could make the .mil/.ml mistake. Pretty much every email I send is to someone already in my address book—and I’m generally pretty careful to send it to the right one if there are multiples* for a given person—a reply to an email from someone else, or a situation where I can cut and paste the email address.

As to security, we all know that we’re not supposed to send sensitive information over uncontrolled networks. But I’d really need to know the circumstances around the McConville email. Who sent it? Under what circumstances?

As to Zuurbier, good on him for alerting the US government about the issue. But, while I fully understand why an administrator would monitor the number of misdirected emails going to the domain he was managing, how did he know what was in the emails?

______________
*Aside from colleagues for whom I have both a business and personal address, all of us at MCU have both a .edu account and one associated with the library.

FILED UNDER: Military Affairs, National Security, Science & Technology
James Joyner
About James Joyner
James Joyner is Professor and Department Head of Security Studies at Marine Corps University's Command and Staff College. He's a former Army officer and Desert Storm veteran. Views expressed here are his own. Follow James on Twitter @DrJJoyner.

Comments

  1. MarkedMan says:

    Another inadvertent way of revealing sensitive military information: personnel that share their routes on fitness apps

    2
  2. Kazzy says:

    @MarkedMan: I use Strava and noticed that they started blocking out the beginning and ending segments of a run, so that people’s homes could not be identified. That is to say, if you look at the routes I run, you don’t see the exact place I start and end because this could reveal where I live but rather you simply see a general area (a few blocks) that I start and end my runs. I believe this was done with individual safety/security in mind, likely to protect female athletes from stalkers primarily.

    I remember reading about the military issue a little while back. To me, that is an issue for the military and its members. From the article: “Since November, the company has published a global “heat map” showing the movements of people who have made their posts public. In the last few days, after the app’s oversharing was identified on Twitter by a 20-year-old Australian university student, security analysts have started to take note of that data, and some have argued that the map represents a security breach.”

    No… the app is not “oversharing.” The app — and, really, the company behind the app — is doing what companies do: providing a range of services to users and potential users. If the military doesn’t want data on troops’ movements available, ban them from using the app. There are a million run tracker apps.

    I understand the concern but hate that the issue is being presented as one that the company created. We need to do a better job of identifying “user errors” and not blaming everything on big bad tech.

    5
  3. JohnSF says:

    @MarkedMan:
    Especially unwise if you are Russian military:

    “The Krasnodar commander that was fatally shot in Russia while on a run would routinely post his route on the Strava workout app.”

    Oops.

    4
  4. Timothy Watson says:

    As to Zuurbier, good on him for alerting the US government about the issue. But, while I fully understand why an administrator would monitor the number of misdirected emails going to the domain he was managing, how did he know what was in the emails?

    It’s been a while since I looked through the process that SMTP uses to send e-mails, but I’m guessing that any e-mail to “.ml”, the top-level domain (TLD) for Mali, was going to an e-mail server managed by Zuurbier. The e-mail server would get the entire e-mail, look up whether it can be routed to the correct person’s e-mail account, find that person doesn’t exist, and then send a bounce back to the originating e-mail domain.

  5. Michael Cain says:

    Given the Dept of Defense’s annual budget, you would think they could afford their own custom mail client that did routine checks on outgoing mail addresses and prompted the user to double check things like this.

    1
  6. Lounsbury says:

    @Michael Cain: The Financial Times article (https://www.ft.com/content/ab62af67-ed2a-42d0-87eb-c762ac163cf0) indicates that in fact is what happens

    He said that emails sent directly from the .mil domain to Malian addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients”.

    If one reads the FT article closely, this appears to be principally an issue of contractors and third parties not actually US Military itself.

    1
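The outgoing-address check that comments 5 and 6 describe can be sketched as follows. This is an added example, not code from the post, the commenters, or any DoD system; the protected-TLD list, the function names and the sample addresses are assumptions made for illustration.

```python
from email.utils import getaddresses

# Assumption: TLDs this organisation's mail is normally addressed to.
PROTECTED_TLDS = ("mil",)

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_recipients(header_values):
    """Classify each recipient found in To/Cc header values.

    Returns (address, verdict, suggestion) tuples. The verdict is "ok",
    "hold" (the TLD is one edit away from a protected TLD, so the sender
    should confirm before the message leaves) or "invalid" (no usable
    domain part).
    """
    findings = []
    for _name, addr in getaddresses(header_values):
        local, at, domain = addr.rpartition("@")
        domain = domain.lower().rstrip(".")
        if not at or not local or "." not in domain:
            findings.append((addr, "invalid", None))
            continue
        body, _, tld = domain.rpartition(".")
        near = [p for p in PROTECTED_TLDS if edit_distance(tld, p) == 1]
        if near:
            # Offer the likely intended address instead of silently rewriting it.
            findings.append((addr, "hold", f"{local}@{body}.{near[0]}"))
        else:
            findings.append((addr, "ok", None))
    return findings

# Constructed sample headers; the addresses are made up for illustration.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@hq.example.mil>, travel.desk@hq.example.ml",
    "vendor@example.com",
]

if __name__ == "__main__":
    for row in check_recipients(SAMPLE_HEADERS):
        print(row)
```

Any TLD one edit from `mil` is held, which includes other legitimate country codes, so the result is meant to drive a confirmation prompt rather than a hard block.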
  7. Gustopher says:

    @Kazzy:

    I understand the concern but hate that the issue is being presented as one that the company created. We need to do a better job of identifying “user errors” and not blaming everything on big bad tech.

    Oh fuck no. Hard disagree.

    A lot of apps are designed to be just terrible, and I’m willing to put the blame on big tech. Put privacy concerns earlier in the product design pipeline.

    I use Strava and noticed that they started blocking out the beginning and ending segments of a run, so that people’s homes could not be identified. […] I believe this was done with individual safety/security in mind, likely to protect female athletes from stalkers primarily.

    This tells me that roughly no women* were involved in designing the product, and that they are responding after the fact.

    It’s good that they are responding now, but it’s terrible that they had that in the beginning. And it’s still terrible that the sharing appears to be entirely public, rather than “route data shared only with trusted friends” — it still tells me that they pass the Foo Roasters Coffee Shop every day between 7:45 and 8:00. Also, blurring the ends of the run is not great, as if you’re running on city blocks, it’s pretty clear where the start/end point is going to be. Imagine a rectangle, and then removing a little bit around a corner… you have a very good idea of where that corner is.

    (Sharing summary data is less of a concern, so a public share of “ran 12 miles” would likely be fine for most people)

    They are not considering the potential threats, and not educating users, and that’s on them. Technology shouldn’t be filled with booby traps, it should be safe out of the box, with the normal defaults.

    Elizabeth Warren frequently makes the argument that you don’t need a degree in electrical engineering to buy a safe toaster, and you shouldn’t need a degree in economics to get a safe mortgage. I would extend that to a lot of products.

    (Don’t get me started on requiring real names on things, verified users, etc… it’s how you make an online sausage festival as many ladyfolk opt out of being there, and you then get a critical mass of men who try to gatekeep and drive the rest of the women away through harassment)

    ——
    *: Far, far more women have had stalkers or overly interested followers than men have, and tend to be much more aware of those issues when designing products. The solution is either to hire more women for these positions, or have the men in those positions stalked.

    2
  8. Gustopher says:

    @Timothy Watson: A bunch more steps, but I think that’s basically correct.

    If we valued security for these things, we wouldn’t use SMTP. In theory there shouldn’t be sensitive information in stuff going over SMTP, but in practice… how hard is it to send things the “right” way? If it’s a nuisance, everything gets sent the easy way.

  9. Kazzy says:

    @Gustopher: People WANTED to be able to say, “HEY EVERYONE! LOOK WHERE I RAN! GIVE ME KUDOS!” Then were shocked when… people knew where they ran.

    Data wasn’t shared against their wishes. It was why they chose the app.

    1
  10. Jax says:

    @Kazzy: Everybody wants the kudos, til it’s a stalker or a bullet in the head, like the Russian guy.

  11. Kazzy says:

    I’m not arguing that there aren’t issues with mass sharing of personal data. But I’m saying when someone chooses Strava over MapMyRun specifically because the former allows them to share their routes so that other people can see what they’ve done and congratulate them on it, that isn’t a design flaw with Strava. That is how Strava is SUPPOSED to work. Now, people may be surprised to learn that other users may do bad things with the data they’ve publicly shared but… people really shouldn’t be surprised by that any more.

    If Strava said the data was private and then shared it publicly, that’d be a whole different issue. But Strava’s whole THING is being a social network running app. If you go to their website, the first thing you see is:
    “Record. Sweat. Share. Kudos.
    People on Strava upload everything from dog walks to Olympic marathons. It’s all kudos-worthy in our book.”

    Click through and the second feature they advertise (after tracking/analyzing) is:
    “Strava is the social network for athletes.
    Record an activity and it goes to your Strava feed, where your friends and followers can share their own races and workouts, give kudos to great performances and leave comments on each other’s activities.”
    For extra money, you can even allow yourself to be tracked in real time! (by select users/dogs)
    “Beacon: Peace of mind for athletes and their loved ones.
    Turn on Beacon and you can share your location in real time with your friend, partner, parent, coach, butler, therapist, highly intelligent dog – anyone cool enough to have your back in an emergency.”

    It goes further: “Don’t just track your adventure — show it.”

    And they advertise the HeatMaps as a special feature:
    “Heatmaps
    Whether you’re in a new city or just looking to rediscover your own, heatmaps give you an instant look at routes that get the most activity.”

    The military should ban their members from using it. Governments should consider banning members/employees from using it. Strava is not for everyone! But anyone who uses it knows what they’re choosing to do with their data or didn’t read one word about what the app does. This wasn’t buried in the fine print. It is screamed out loud.

    2