Millions Of Sensitive US Military Emails Misdirected To Mali, Despite 2014 Warning From Me

In August 2014, I noticed a potential security vulnerability in relation to the .mil top-level domain, which is operated by the US military. As such, I reported the issue to CERT, describing the issue in sufficient detail that they could understand the problem.

Today, I learned via a tweet from Elliot Silver about the report in the Financial Times concerning millions of US military emails being misdirected, and quote-tweeted that I had reported the issue many years ago:

https://twitter.com/GeorgeKirikos/status/1680925062621216768

Elliot Silver later blogged about it, and it’s been reported on by many other news outlets.

You can read my August 6, 2014 CERT “Vulnerability Report” here (I had prudently saved a copy), and the confirmation was VRF#HYIXW4Z4. [The PDF is redacted, as it had contained my cell phone number, which I rarely disclose.]

It’s a 5-page submission, and it began with:

I’m not 100% sure, but I believe that there *may* be a vulnerability in association with typos of the .mil (US Military) top-level domain name that might be actively exploited, particularly in association with the .ml (Mali) top-level domain name.

In particular, by registering similar domain names in .ML and activating the mail records (“MX records”), an attacker could read emails that are intended for someone in the .MIL namespace. Given the sensitivity of .MIL for military use, an attacker could be reading all emails that are misdirected to the .ML domain name, instead of the .MIL domain name. This is particularly the case if the attacker sets up a “Catch All” email address.

Since typos are very common (especially for mobile users inputting an address on a cell phone or tablet), an attacker can quietly intercept sensitive communications that were sent to an incorrect email address (on an unintended basis).

I believe someone had done a research paper examining typos of corporate domain names, and the researchers were able to suck up 20 GB of corporate emails in only 6 months:

http://www.cnn.com/2011/TECH/web/09/09/email.typos.stolen.data.wired/

These typos of the .mil domain name might have been going on for much longer. (see below)

And then I went into more technical detail in the rest of the submission.

On August 9, 2014, several days after the initial submission, I received a PGP-signed message from CERT that it was “forwarded directly to US-CERT for action.” I responded with additional analysis, in relation to new top-level domains like .army with potential risks of “collisions”. After no additional response, I followed up on September 10, 2014, and was contemplating blogging about the issue. They replied saying that they’d put me in touch with US-CERT, but again on September 13, 2014 I emailed saying that I hadn’t heard back from US-CERT. I even noted that there had been some changes to the IP addresses and servers handling the misdirected emails. I openly debated whether I should blog about the issue, saying:

So, I’d like to be able to blog about this domain name issue, to raise awareness, so that security-conscious companies can take appropriate counter-measures. e.g. if I was running .mil mail servers, I would consider a blacklist of the entire .ml (Mali) ccTLD for all outgoing emails (with perhaps a “white-list” for appropriate addresses). If I was running a corporation on a .com domain name, I might implement a similar policy for .co (Colombia) and .cm (Cameroon) ccTLD to reduce the risk of misdirected emails being intercepted. There are other counter-measures one can take, beyond just these. Of course, such policies require that individuals in those organizations only send email through their organizational servers (e.g. if one made a typo and sent to a .ml or .co or .cm domain from Gmail or Hotmail, obviously it’s not going to be caught by the organization’s email blacklisting rules/policies).

However, if I did blog about this, it might interfere with any investigation that US-CERT might be conducting, allowing the potential attacker (if there’s an attack; as I made clear before, I’m not 100% sure, but I can see no good reason why all those .ml domains are being registered with hidden WHOIS, inactive websites, but active incoming email servers, all corresponding to .mil domains) to destroy evidence, cover their tracks, etc. Given that it involves .mil, I’m sensitive to the military aspect, that they might be a bit slower with their bureaucracy, etc.

So, I’m put into an ethical dilemma. While I remain silent, more corporations remain vulnerable. However, if I blog, it might hamper an investigation over who is operating these .ml domains, and whether they are malevolent or not.

Since I have no actual “official word” that anyone from US-CERT is even investigating the issue, or cares whether I blog about it or not, that inclines me towards blogging about it. But, I wanted to give yet another opportunity for someone to say “Hey, we think something’s worth investigating, please give us more time to look into this. We’ll need a reasonable amount of time….etc.” I don’t want to stay silent indefinitely, but it’s been over a month already. If you have some guidance or advice on responsible disclosure for this particular incident, I’d appreciate it.

On September 17, 2014, CERT replied with:

Try emailing them at [email protected] and see if you get a response.

Otherwise, this sort of typosquatting is fairly well known, http://en.wikipedia.org/wiki/Typosquatting . We generally handle responsible disclosure for vulnerabilities, and this particular issue is not a vulnerability as we define it. If you feel that this needs to be disclosed, we usually recommend that you speak to the affected party first (which you’ve done).

I replied on September 18, 2014 with:

Thanks for your email. Yes, that’s exactly what the issue is, namely typosquatting in order to harvest the misdirected email messages. It’s not a “buffer overflow” or something that’s more easily fixable….it’s a different type of “attack.”

In this case, I thought perhaps the US military might want a “heads up”, because obviously the attacker isn’t doing the “usual” kind of thing, namely putting up parked pages, or making phishing attacks in order to make quick cash. They’re playing the “long game”, just quietly harvesting US MILITARY emails — and, as per that CNN article I mentioned in the initial report:

http://www.cnn.com/2011/TECH/web/09/09/email.typos.stolen.data.wired/

there can be quite a lot of data (those researchers were able to get 20 Gigabytes of emails in just 6 months).

Not many people would have the resources or the patience to be targeting a large number of typos of US military domains, all with hidden WHOIS, and for an obscure country-code domain like .ml (Mali). If it turns out the ‘attacker’ has interests that are counter to US interests, isn’t that something they should investigate or would want to be aware of??

Anyhow, I’ll drop them a line, and see if they care about whether I blog about it.

The sentences “Not many people would have the resources or the patience to be targeting a large number of typos of US military domains, all with hidden WHOIS, and for an obscure country-code domain like .ml (Mali). If it turns out the ‘attacker’ has interests that are counter to US interests, isn’t that something they should investigate or would want to be aware of??” should have alarmed them.

A copy of that entire thread of emails can be read here.
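As an added illustration (not the author’s code, nor anything CERT suggested), here is the outbound mail policy sketched in the September 13 email written as a Python filter: a recipient whose ccTLD is a common typo of the organisation’s own TLD is rejected unless it is allow-listed. The TLD pairs are the ones the post names; the sample addresses are constructed placeholders.

```python
"""Outbound recipient policy modelled on the counter-measure in the
September 13, 2014 email: block mail leaving an organisation for ccTLDs
that are common typos of its own TLD unless the address is allow-listed.
Added example, not the author's or CERT's code; TLD pairs come from the post."""
from __future__ import annotations

# Lookalike ccTLDs named in the post: .mil -> .ml (Mali);
# .com -> .co (Colombia) and .cm (Cameroon).
LOOKALIKE_TLDS: dict[str, set[str]] = {"mil": {"ml"}, "com": {"co", "cm"}}


def parse_address(address: str) -> tuple[str, str, str] | None:
    """Return (local part, domain, tld), or None if the address is malformed."""
    local, sep, domain = address.strip().lower().rpartition("@")
    domain = domain.rstrip(".")
    if not sep or not local or "." not in domain:
        return None
    return local, domain, domain.rsplit(".", 1)[1]


def check_recipient(recipient: str, org_tld: str, allowlist=()) -> tuple[str, str]:
    """Return ('accept' | 'reject', reason). allowlist holds domains or full
    addresses permitted despite a lookalike TLD (the email's "white-list")."""
    parsed = parse_address(recipient)
    if parsed is None:
        return "reject", "malformed address"
    local, domain, tld = parsed
    if domain in allowlist or f"{local}@{domain}" in allowlist:
        return "accept", "allow-listed"
    if tld in LOOKALIKE_TLDS.get(org_tld.lower(), set()):
        return "reject", f".{tld} looks like a typo of .{org_tld}; held for review"
    return "accept", "ok"


def filter_recipients(recipients, org_tld: str, allowlist=()):
    """Split recipients into accepted addresses and rejected ones with reasons."""
    accepted, rejected = [], {}
    for recipient in recipients:
        action, reason = check_recipient(recipient, org_tld, allowlist)
        if action == "accept":
            accepted.append(recipient)
        else:
            rejected[recipient] = reason
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample recipients; the example.* names are placeholders.
    sample = ["alice@example.mil", "bob@example.ml", "carol@mail.example.ml", "dan"]
    print(filter_recipients(sample, "mil", allowlist={"carol@mail.example.ml"}))
```

As the email itself notes, such a filter only covers mail that actually passes through the organisation’s own servers.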

I then started a new email subject on September 18, 2014, emailing the contact email that was suggested, asking if it was alright to blog about the matter. I wrote:

I submitted a report to CERT (VU#928700) more than a month ago about an entity that is typosquatting a large number of US Military domain names (via mass registrations of corresponding Mali .ml top-level domain names, which is a typo of the .mil US military top-level domain). As I’ve pointed out, unlike most typosquatters, this one is unusual because:

1. the target — it’s the US military
2. breadth — they’re targeting a large number of .mil domains, via registration of the .ml (Mali) counterparts, and
3. apparent non-commercial focus — instead of trying to monetize the typos via pay-per-click, etc., they’re instead playing a “long game”, quietly harvesting large amounts of email, and not activating any website. As I pointed out in the initial report, that amount of email can be significant (researchers were able to gather 20 Gigabytes of email in 6 months targeting typos of Fortune 500 companies, e.g. see http://www.cnn.com/2011/TECH/web/09/09/email.typos.stolen.data.wired/ ).

Anyhow, I thought it would be appropriate to report this, lest some malevolent entity with interests counter to those of the US military was behind this (e.g. a foreign government, foreign intelligence agency, terrorists, etc.)…i.e. someone who doesn’t care about short-term “profit” in terms of parking the domains with ads, but instead wants to gather up lots of misdirected US military email messages, to gather intelligence.

I wanted to eventually blog about this to raise awareness, since the same kind of attack can target companies (as per that CNN article). However, since I believe in “responsible disclosure”, I thought it wise to make sure that by blogging on this I wasn’t interfering with any official investigation that might be taking place (i.e. the “attacker”, if this is truly an attack — it’s certainly unusual and suspicious given the above), since whoever is doing this might cover their tracks if they know that others are aware of their behaviour.

Thus, it was suggested I write to you, to check if there are any concerns (i.e. whether I should hold off on blogging for a reasonable amount of time, if the matter is being investigated), or if instead it’s ok to blog about this matter (the email exchanges with CERT are below).

They never replied, but that entire email thread (my email at the top, and then some of the past emails quoted below it, from the prior thread) can be read here. Out of an abundance of caution, I decided at the time to not blog about the topic.

In conclusion, this was an entirely preventable debacle. Security is not taken seriously, and security reports are dismissed with little analysis.

The same thing happens within ICANN, where thoughtful analysis from the public is ignored. Saying “I told you so” isn’t what folks like myself want. Instead, we want policies and decisions to be changed, to incorporate that thoughtful analysis.