Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Government The Internet Technology

It's Way Too Easy To Get a .gov Domain Name (krebsonsecurity.com) 42

Brian Krebs: Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org. But a recent experience suggests this trust may be severely misplaced, and that it is relatively straightforward for anyone to obtain their very own .gov domain. Earlier this month, KrebsOnSecurity received an email from a researcher who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a ".us" domain name, and impersonating the town's mayor in the application.

"I used a fake Google Voice number and fake Gmail address," said the source, who asked to remain anonymous for this story but who said he did it mainly as a thought experiment. "The only thing that was real was the mayor's name." The email from this source was sent from exeterri[.]gov, a domain registered on Nov. 14 that at the time displayed the same content as the .us domain it was impersonating -- town.exeter.ri.us -- which belongs to the town of Exeter, Rhode Island (the impostor domain is no longer resolving). "I had to [fill out] 'an official authorization form,' which basically just lists your admin, tech guy, and billing guy," the source continued. "Also, it needs to be printed on 'official letterhead,' which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts."

This discussion has been archived. No new comments can be posted.

It's Way Too Easy To Get a .gov Domain Name

Comments Filter:
  • by TWX ( 665546 ) on Wednesday November 27, 2019 @09:12AM (#59461962)

    I can see why he's remaining anonymous, if he impersonated the mayor of that town then he could probably be busted for identity theft, and I imagine there are other charges such as ones for intent to defraud the government.

    Sadly it's usually easier to bust white-hats that demonstrate a vulnerability than it is to actually bust black-hats that have ill intent.

    • The one mentioned in the article is wire fraud.

      There should be a protocol white hat hackers can follow to appropriately disclose these kinds of security flaws that also give them legal protection, in my opinion.
    • The fact that he refers to it as a "thought experiment" means he's at best a gray hat, not a white hat. When you actually take action it's no longer a "thought experiment" no matter how benign the action is.
  • At least gov will probably be taken down, unlike .org which has turned into a hot mess of spammers. I get spam(the hot lady type) regularly from registered .org domains and it is from their registered IP address, so not an imposter. Whatever happened to .org was for schools and non profits?
    • Re:org (Score:4, Informative)

      by willamowius ( 193393 ) on Wednesday November 27, 2019 @09:37AM (#59462060) Homepage

      The limitation of .org to non-profits has been removed ages ago. Anyone can officially register a .org.

      • Yes I know, but it seems to have turned into a mess this year for some reason. Maybe the spammers just figured it out, I don't know. It is too bad. I am close to outright banning the .org TLD at this point.
        • by dissy ( 172727 )

          Are you saying you figured out a way to avoid 99% of the internets spam from .com domains?
          Care to share your filtering secrets? You sure you didn't just block *.com ?

          • Nope. I don't block .com. Depends on the sender IP address, sender IP domain, sender address (in the mail), spf records, prior history of the sender IP, ... And yes, at this point over 99%. But I run my own mail server, and I have me as a client. Not a generic recipe. I could for example, blanket block .org with no ill effect to me, and I may.
    • Well, I personally can't wait to get spam from asianfucksluts.gov

  • Comment removed based on user account deletion
  • by rmdingler ( 1955220 ) on Wednesday November 27, 2019 @09:20AM (#59461982) Journal

    Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org.

    While that is likely generally true in the mainstream population, a majority of /. readers might be most suspicious of something with the government's stink on it.

  • by Ryzilynt ( 3492885 ) on Wednesday November 27, 2019 @09:39AM (#59462070)

    Anyone can have a .gov just so long as you are willing to commit a string of felony crimes.

    • Yeah, I think this is the main point. It seems like the requirements to get a .gov are fairly reasonable all things considered.

    • by MobyDisk ( 75490 )

      Anyone who wants a .gov site (and isn't a member of the government) is probably doing so with the intent of committing a string of felony crimes. So committing more felony crimes isn't a deterrent.

      Why would someone want to setup a fake .gov site? And who would want to do it? The most obvious answer would be a foreign government looking to interfere with elections or a foreign hacker looking to steal personal information. Neither of those organizations are likely to be deterred by the fact that they must

  • by cascadingstylesheet ( 140919 ) on Wednesday November 27, 2019 @09:47AM (#59462094) Journal

    So, it's apparently (or was; after this, who knows?) possible to temporarily impersonate a small town by, er, feloniously impersonating their mayor. OK.

    You can temporarily pretend to be a cop too, by donning a uniform and badge. Good luck with all that.

    • Isn't impersonation pretty much social engineering 101?
    • That's kinda his point. It isn't enough to merely pass a law making an activity illegal. In order to dissuade bad actors from conducting that illegal activity, you also need to enforce the law. Which apparently they're not bothering to even take trivial measures to do.
  • by argStyopa ( 232550 ) on Wednesday November 27, 2019 @10:44AM (#59462310) Journal

    ...let's look at this.
    "...grabbing some letterhead off the homepage of a small U.S. town that only has a ".us" domain name, and impersonating the town's mayor in the application...."
    So yeah, he got it, but let's be clear: he committed FEDERAL MAIL FRAUD to do it.

    There are a lot of things that it's easy to do, if you're willing to commit a federal crime to do it. Murder, for example.

    I'm honestly not sure how much I believe this, anyway. I was getting a domain for our local boy scout troop and felt that it should be .org not .com...getting that was a bit of a challenge with a fair amount of back and forth as I recall. It was an even bigger discussion trying to get Google to accept that we were a non profit.

    • I'm not an attorney , but it seems like there would be a good case for impersonating a government employee and forgery as well. There are likely more.

    • ...let's look at this.
      "...grabbing some letterhead off the homepage of a small U.S. town that only has a ".us" domain name, and impersonating the town's mayor in the application...."
      So yeah, he got it, but let's be clear: he committed FEDERAL MAIL FRAUD to do it.

      There are a lot of things that it's easy to do, if you're willing to commit a federal crime to do it. Murder, for example.

      I'm honestly not sure how much I believe this, anyway. I was getting a domain for our local boy scout troop and felt that it should be .org not .com...getting that was a bit of a challenge with a fair amount of back and forth as I recall. It was an even bigger discussion trying to get Google to accept that we were a non profit.

      It's not even clear that the hacker was based in the US of A. Federal Mail Fraud is really only a crime you're worried about if (a) you're a law abiding citizen and (b) reside in the USA.

  • *.oh.gov example for state. *.us.gov for United States government sites
    No clue though when it comes to city/borough/? domain names

Be sociable. Speak to the person next to you in the unemployment line tomorrow.

Working...