Free Trial
Contact Us
Podcast

Root Causes 326: The Difference Between .ml and .mil

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
August 15, 2023

A recent Financial Times article reveals that mistyped email addresses aimed at the US military frequently are sent to email addresses in Mali instead, to the tune of hundreds of thousands per year. Some of this includes sensitive military content.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanWe have a news item today. I guess this was originally reported in the Financial Times. I'm actually looking at the pickup in The Verge and this article I'm looking at is by Emma Roth on July 17, 2023. Here's the headline that's in The Verge - Millions Of Sensitive US Military Emails Were Reportedly Sent to Mali Due To A Typo.

So, domain name stuff, as we discussed in a recent episode, we think interesting domain name stuff is in our purview because of the close overlap between SSL certificates and domains and this definitely qualified as an interesting domain name thing wouldn’t you say?
Jason SorokoJason SorokoOh, I would sure say, yeah. Tim, you got to remind me what's going on here. I mean, Mali, military, hmmm. Let me see. Did the TLD, the top level domain of .mil get messed up with .ml?
Tim CallanTim CallanYou got it. Exactly right. So the TLD for military domains is .mil and the TLD for the nation of Mali is .ml. So you can see, absolutely see, how this mistake would occur either just because of a simple typo, or because somebody is misremembering what the correct TLD for the email should be.

Here's kind of the gist of it is that Mali had outsourced DNS for its TLD, which is not unheard of, at all, to a company in the Netherlands. And this contract has now expired. It expired late July. But this contract has expired, but for 10 years, this Dutch company had been managing the .ml, everything that came through the .ml domain and apparently, they came to realize that there were a large number of emails that couldn't resolve and the reason they couldn't resolve is because they were going to .ml instead of .mil. And these are from things from places like army.mil, or.ml, navy.ml, etc. and to the tune of 117,000 of these emails in the first half of this year. So, that's a big number. And you see how this happens? Again, this is like lots and lots and lots of individuals. So, and indeed, it's lots and lots of content. So not only is it 117,000, but as you would expect, as people are sending emails to .mil a lot of this is probably going to be very humdrum stuff - hey, can you pick up some eggs on the way home from work, but some of these things are not. So here's what they say.

Included in the emails are such things as medical records, identity document information, list of staff and military bases, photos of military bases, naval inspection reports, ship crew lists, tax records, and more. Again, all of that stuff makes perfect sense. You can see why all of those things would be emailed. And so here it goes on to say some of the misdirected emails were sent by military staff members, travel agents working for the US military, US intelligence, private contractors and others. So again, like anybody who is sending something to this email address, which could be anybody, right, they're just email addresses, could make this typo and depending on what they're sending, that could be sensitive stuff.
Jason SorokoJason SorokoMy goodness. I think when people are setting up these things, and all the best intentions of IT security, I mean, for those of us who are not in the military and we're looking at this from the enterprise standpoint, this is like oh, my goodness. If this happened to any of us.
Tim CallanTim CallanSo the Financial Times actually gives one example. In an email from earlier this year, it contained the travel itinerary for this General, General James McConville, the US Army's Chief of Staff for his visit to Indonesia. The mail included a full list of room numbers along with details of the collection of McConville’s room key at the Grand Hyatt Jakarta. So you could imagine hypothetically, something like that puts a high value command and control target at risk, right? That could be the bit of information that somebody needs to do something bad - a kidnapping, or an assassination or a bombing or something like that. And, I know how this happens. I get how it happens. I'm actually not sure what you do about it.
Jason SorokoJason SorokoThat is what we try to do on these podcast is to ask ourselves the questions, okay, root cause, well, root cause is fat fingering, um…
Tim CallanTim CallanAnd what do you do? Right. So tell people not to, right?
Jason SorokoJason SorokoDon’t do that.
Tim CallanTim CallanEmphasize. Emphasize the importance of double checking this and you can say that to your own employees, but how many people work for the military? How many people have a .mil address? And, they might, they might see the memo or not see the memo and there's a lot of other memos, too. And even if they do see the memo, do they really absorb it? And does it hit them on any given day? And then, in addition to all of that, I don't know. Having been around a lot of organizations for a long time, having communicated, the phishing message, hey, look, watch out for phishing in this way and that way, in an email, people still fall for it. Education campaigns are only so effective. They're good. You should do them. But there are limits on the effectiveness of an education campaign, and I'm not sure what else you do here.
Jason SorokoJason SorokoI'm not sure what else you do here except perhaps, Tim, if it's emails that you're worried about it, which in this case, it is S/MIME certificates can encrypt your emails, and I don't think that those of us who are on .com, or .ca, .co.uk, folks, those of us who live in that world, in the enterprise world, it's a little different. This kind of fat fingering might not apply completely. But on the other hand, it makes the case for what other kinds of things are like this, Tim? Maybe that's almost a podcast, a brainstorming podcast we could have and say to ourselves, what are some security things where if it happened a simple mistake. That there's just no training. There's no endpoint security. There's no PKI. There's no anything that can help you. It's just the mistake sent private information where it shouldn't be, then how do you protect yourself? And in this case, I think, I don't know something like S/MIME just comes to mind to be able to deal with just protecting intellectual property and privacy within emails.
Tim CallanTim CallanAt least if it were encrypted. That would that would help. But if it's encrypted, and you're sending it to, I mean, you're legitimately sending it to that email address. Like, that's the thing. You're actually giving it to the .ml. So if I were a bad guy, and I set up [email protected], and you wanted to send something to [email protected], and you accidentally send it to me, you sent it to me. Like the systems allow it to go. That doesn't even solve it. Right? I think in a lot of ways this is akin to the social engineering problem, which is, if I trick you into putting in your name and password and opening up and giving me access, then the systems are working correctly. And it's very difficult to modify the system to prevent that if the person who is supposed to have legitimate access is getting legitimate access, but they're being tricked into misusing it. And so in that way, I think it's hard to set up a system here because that's actually where they sent the email. They just sent the email to the wrong place.
Jason SorokoJason SorokoThat is correct. I think the point only being if it's sent encrypted to somebody who is the intended receiver these kinds of things can help. But, on the other hand goodness gracious.
Tim CallanTim CallanI think we've all had this experience, Jason, of autofill, of misdirected autofill. I want to send it to Jason Soroko, but I also know Jason something else and it auto fills Jason something else because it's earlier in the alphabetical list. And, and then Jason something else gets my confidential email that's supposed to go to Jason Soroko. Like everybody has witnessed that or done that. It just is a thing that can happen and again, you go - this is a hard one to defend against.
Jason SorokoJason SorokoIt really is. That is a form of fat fingering. In fact, there's two people with a first name of Jason within our organization, and we commonly forward each other's emails.
Tim CallanTim CallanI have another Tim and I get his email he gets mine. Exactly. And these are difficult things to solve.
Jason SorokoJason SorokoIt is difficult. It's one of those oh, boy, moments and you asked a good question. How do you deal with it? And how many other issues like this are there and I think within an enterprise environment, there's probably more than a few.
Tim CallanTim CallanI think there are. I mean, we talked about the one, right, the autofill problem is absolutely one. And, there may be others. Let's keep that on our radar. If we find some interesting ones, we'll come back.

Anyway. That's the gist of it is this is a thing. And I guess what was kind of a gee whiz to me was the number of misdirected emails. The more than 100,000 in a six month period just was more than I ever would have guessed. And so, gosh, it's a lot.
Jason SorokoJason SorokoIt is a lot. I'm really hoping that's a lot of grocery lists, but I suspect if I had a .mil email address, Tim, I'm probably not sending my grocery list through that. It's probably some serious stuff.
Tim CallanTim CallanProbably not. That's the other thing. Probably not. Anyways, that's it.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud