It's Way Too Easy To Get a .gov Domain Name (krebsonsecurity.com)
Brian Krebs: Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org. But a recent experience suggests this trust may be severely misplaced, and that it is relatively straightforward for anyone to obtain their very own .gov domain. Earlier this month, KrebsOnSecurity received an email from a researcher who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a ".us" domain name, and impersonating the town's mayor in the application.
"I used a fake Google Voice number and fake Gmail address," said the source, who asked to remain anonymous for this story but who said he did it mainly as a thought experiment. "The only thing that was real was the mayor's name." The email from this source was sent from exeterri[.]gov, a domain registered on Nov. 14 that at the time displayed the same content as the .us domain it was impersonating -- town.exeter.ri.us -- which belongs to the town of Exeter, Rhode Island (the impostor domain is no longer resolving). "I had to [fill out] 'an official authorization form,' which basically just lists your admin, tech guy, and billing guy," the source continued. "Also, it needs to be printed on 'official letterhead,' which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts."
I can see why he wants to remain anonymous (Score:5, Interesting)
I can see why he's remaining anonymous, if he impersonated the mayor of that town then he could probably be busted for identity theft, and I imagine there are other charges such as ones for intent to defraud the government.
Sadly it's usually easier to bust white-hats that demonstrate a vulnerability than it is to actually bust black-hats that have ill intent.
Re: (Score:2)
Don't worry, unless that researcher went way out of his way to hide his tracks, he is traceable.
The server logs from where he filled out the form will show his IP address, unless he took steps to hide it. From there, a subpoena to the ISP will reveal the account behind the IP address.
Google no doubt has analytics that can be subpoenaed in a criminal investigation. Unless the researcher took pains to hide himself from Google, he can be found.
And so on.
Bottom line: The feds MAY choose to "take a pass" on t
Re: (Score:2)
That said, the researcher does have a point: ".gov" should require at least a little bit of verification by a competent human being at the .gov registration office before the domain becomes active.
Assumes facts not in evidence - that "competent" humans work in the registration office.
Re: (Score:2)
Lest you remind, the Russians impersonated millions of Americans and "voted" for TRUMP.
I'm not sure why you would post such a thing. That assertion is blatantly false.
And yes, I am a confirmed 'Never Trumper' who thinks he is the worst thing to happen to the US since 9/11.
However, by making such a statement about who voted for who(m), you are merely (and perhaps purposefully) playing into the Authoritarian Meme Pool.
I was going to say much the same thing ... (Score:1)
... until I read between the lines and recognized that the quotation-marks indicated that he didn't mean there were actually Russians casting actual votes as if they were Americans.
I think what he meant was Russians pretended to be Americans during the PR campaign, thereby influencing people who might not have otherwise voted for Trump to vote for him, and/or influence people who might otherwise have voted for Clinton to not vote for her.
I will call him to "put up or shut up" on the "millions" part though -
Re: (Score:2)
Oh please! Shillary
Wow, it took you all of three words to reveal what a fucking moron you are, and that there's no point in reading any further. Fantastic work!
Re: (Score:2)
You make it sound like he scored a personal record or something, but no such luck, that's about par.
Re: (Score:2)
That's clearly wrong. 9/11 was a minor tragedy. What was a major tragedy was the laws that got voted into existence afterwards. And I think Trump is much worse.
OTOH, he may turn out to be a good thing in the long term. He may allow dominant power status to transition from the US to China without a war happening, which is what usually accompanies such transitions. And we've been going downhill since we abdicated dominance in manufacturing, while China has been advancing.
For awhile I had hopes that Japan
Re: (Score:2)
Well, they did a bit more than that, but that's all that's blatantly obvious. I still suspect that they let Trump know they had blackmail material on him, though that's dubious as he seems totally shameless. Perhaps Putin just threatened to kill him or destroy his companies or some such. As subtly as you can to someone like Trump and still get through. Don't expect to ever find proof of that, though. It may all just have been person-to-person conversation (with no real intent of ever carrying through).
Re: (Score:3)
There should be a protocol white hat hackers can follow to appropriately disclose these kinds of security flaws that also give them legal protection, in my opinion.
org (Score:2)
Re:org (Score:4, Informative)
The limitation of .org to non-profits has been removed ages ago. Anyone can officially register a .org.
Re: (Score:2)
Are you saying you figured out a way to avoid 99% of the internet's spam from .com domains?
Care to share your filtering secrets? You sure you didn't just block *.com ?
Re: org (Score:2)
Well, I personally can't wait to get spam from asianfucksluts.gov
Re: (Score:2)
I welcome our new asianfuckslut overlords!
Re: (Score:2)
People also trust Google to do no evil.
That's some funny shit right there.
Target audience (Score:3)
Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org.
While that is likely generally true in the mainstream population, a majority of /. readers might be most suspicious of something with the government's stink on it.
It's Easy (Score:3)
Anyone can have a .gov just so long as you are willing to commit a string of felony crimes.
Re: (Score:1)
Yeah, I think this is the main point. It seems like the requirements to get a .gov are fairly reasonable all things considered.
Re: (Score:2)
Anyone who wants a .gov site (and isn't a member of the government) is probably doing so with the intent of committing a string of felony crimes. So committing more felony crimes isn't a deterrent.
Why would someone want to set up a fake .gov site? And who would want to do it? The most obvious answer would be a foreign government looking to interfere with elections or a foreign hacker looking to steal personal information. Neither of those organizations are likely to be deterred by the fact that they must
Er, ok (Score:4)
So, it's apparently (or was; after this, who knows?) possible to temporarily impersonate a small town by, er, feloniously impersonating their mayor. OK.
You can temporarily pretend to be a cop too, by donning a uniform and badge. Good luck with all that.
Re: (Score:2)
also illegal and subject to fines and imprisonment. not sure what this proves really....
Well, yeah... (Score:3)
...let's look at this.
"...grabbing some letterhead off the homepage of a small U.S. town that only has a ".us" domain name, and impersonating the town's mayor in the application...."
So yeah, he got it, but let's be clear: he committed FEDERAL MAIL FRAUD to do it.
There are a lot of things that it's easy to do, if you're willing to commit a federal crime to do it. Murder, for example.
I'm honestly not sure how much I believe this, anyway. I was getting a domain for our local boy scout troop and felt that it should be .org not .com...getting that was a bit of a challenge with a fair amount of back and forth as I recall. It was an even bigger discussion trying to get Google to accept that we were a non profit.
Re: (Score:2)
I'm not an attorney, but it seems like there would be a good case for impersonating a government employee and forgery as well. There are likely more.
Re: (Score:2)
...let's look at this.
"...grabbing some letterhead off the homepage of a small U.S. town that only has a ".us" domain name, and impersonating the town's mayor in the application...."
So yeah, he got it, but let's be clear: he committed FEDERAL MAIL FRAUD to do it.
There are a lot of things that it's easy to do, if you're willing to commit a federal crime to do it. Murder, for example.
I'm honestly not sure how much I believe this, anyway. I was getting a domain for our local boy scout troop and felt that it should be .org not .com...getting that was a bit of a challenge with a fair amount of back and forth as I recall. It was an even bigger discussion trying to get Google to accept that we were a non profit.
It's not even clear that the hacker was based in the US of A. Federal Mail Fraud is really only a crime you're worried about if (a) you're a law abiding citizen and (b) reside in the USA.
Isn't state and federal naming standards (Score:2)
No clue though when it comes to city/borough/? domain names