- cross-posted to:
- worldnews@lemmy.ml
- cross-posted to:
- worldnews@lemmy.ml
Some of the emails reportedly contained sensitive information such as passwords, medical records and the itineraries of top officers.
You must log in or register to comment.
That’s what we in the cybersec business call an “oopsie daisy I made a little fucky-wucky”.
For real though, this isn’t a problem yet. The TL;DR is that Mali has a top-level domain “.ml”. Just like “.co.uk” for the UK. And the military uses the domain “.mil”. So lots of emails accidentally get sent to “[Military email]@[Military email server].ml” instead of sending to .mil.
So a bad actor could simply set up an e-mail server with .ml domains that mirror the military’s .mil ones, and start collecting all of those mis-addressed emails.
So why isn’t it an issue yet? Because we had a contract with Mali to manage their domain. They literally signed administrative rights for the .ml domain over. So the US was able to basically set up their own .ml mirrored sites, to capture all of those mis-addressed emails. They have captured thousands throughout the years, because military members keep misaddressing their emails. Supposedly containing all kinds of sensitive data. Everything from medical records to troop movements and equipment inspection reports.
But that contract ends this week, so Mali could 100% start registering their own domains when that contract expires and domain registrations begin expiring.
Sounds like the military should consider migrating from .mil to something like .usmil
Or simply set rules to disallow any emails sent to a .ml domain. It’s not a perfect solution because legitimate emails could get caught in the filter. But it would prevent the issue of mis-addressed emails.
I doubt the number of US military who legitimately needs to email .ml addresses is that big. Block it for everyone minus known ppl who deal with mali stuff (and have been briefed on the issue). Sort out the ones you missed on day 0. Worst case some legitimate mail to mali gets delayed - whatever. If its urgent, i hope they have better comms channels than email. For external contractors, send them an email with vague threats of consequences if they leak (and instructions to fix their address books). Some mail will still be missent, but this should mitigate most of it.
This is the simple answer so you know it won’t happen.
Yea that’s cheaper than my plan. Good call.
Or mil.us. .mil and .gov should be removed, and the US should use subdomains for their government sites, just like all other countries.
Note to self: set up a usmail domain!
Thanks for the explanation ☺️
What I don’t understand is my company set things up to give everyone an alert every time they’re sending something to a non company domain. Why aren’t there any protections like this in place?
