Feeds

Taliban official's email blunder leaks 400+ contacts

Cc list puts journalists, activists at risk

High performance access to file storage

Anyone in the bulk email business should know never to mix up cc: ("carbon copy") and bcc: ("blind carbon copy") – especially if the materials you're sending out are Taliban press releases.

That was exactly the rookie mistake made by Taliban spokesman Qari Yousuf Ahmedi last week, ABC News reports, which resulted in Ahmedi inadvertently disclosing his full mailing list of more than 400 email addresses.

Ahmedi is one of two official spokesmen for the Islamic fundamentalist movement, the other being Zabiullah Mujahid. Ahmedi was reportedly forwarding a press release he received from Mujahid when he mistakenly put recipients' addresses in "cc" field, causing contacts he meant to keep private to be viewable to everyone on the list.

According to the ABC News report, most of those addresses belonged to journalists. That's bad news (no pun intended), because in war-torn Afghanistan, targeted attacks on journalists are commonplace.

According to Nai, an Afghan media watchdog group, there have been 121 acts of violence against journalists in the last three years alone, an average of more than three per month.

One reporter outed by Ahmedi's error was Mustafa Kazemi, a prolific blogger whose Twitter feed has more than 9,500 followers. On November 10, Kazemi turned to the micro-blogging service to announce the leak:

In later posts, Kazemi explained that the leaked email addresses were not limited to the media, but also included addresses from the US and Afghan governments, in addition to "a large number" of Taliban personnel.

ABC expounded further, noting that academics and activists were also included in the list, as were members of other, non-Taliban militant groups.

It may surprise some to learn that, for a fundamentalist religious group that imposes a strict, archaic interpretation of Islamic law, the Taliban is fairly modern where communications are concerned. The group regularly uses its email list and various blogs to issue press releases, generally to claim responsibility for attacks.

Earlier this year, Qari Yousuf Ahmedi told the Arabic newspaper Asharq Alawsat, "Visiting websites is not more difficult than joining jihad and the battlefield. More important than visiting websites is winning over the minds and hearts of the masses who visit websites."

Ahmedi also has his own Twitter feed, though as of this writing he has not posted anything about his email gaffe; in fact, it has been silent since November 6. Your intrepid Reg reporter couldn't find a Facebook page for him, either, though he has claimed to have one. Maybe that's one thing he knows how to keep private? ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.