Many readers probably think they can trust links and emails from US Federal Government domain names, or assume that there are at least more stringent verification requirements to get a .gov domain versus a commercial domain ending in .com or .org. But recent experience suggests that this trust can be seriously misplaced, and that it’s relatively easy for anyone to get their own .gov domain.
Earlier this month, KrebsOnSecurity received an email from a researcher who said they obtained a .gov domain simply by filling out and submitting an online form, grabbing letterhead from the home page of a small American town that has only a “.us” domain name, and posing as the mayor of the town in question.
“I used a fake Google Voice number and a fake Gmail address,” said the source, who requested to remain anonymous for this story but said he did so primarily as a thought experiment. “The only thing that was real was the mayor’s name.”
The email from this source was sent from exeter[.]gov, a domain registered on November 14 which at the time displayed the same content as the .us domain it impersonated – town.exeter.ri.us – which belongs to the town of Exeter, Rhode Island (the impostor domain no longer resolves).
“I had to [fill out] an ‘official authorization form,’ which simply lists your administrator, technician, and billing manager,” the source continued. “Also, it should be printed on ‘official letterhead,’ which of course can be easily forged just by Google searching for a document from said municipality. Then you send it by mail or fax. After that, they send account creation links to all contacts.”
Technically, what my source did was wire fraud (obtaining something of value over the Internet, phone or fax under false pretenses); had he done it through the US mail, he could face mail fraud charges if caught.
But a cybercriminal – especially a state-sponsored actor operating outside the US – probably wouldn’t hesitate to do so if they thought registering a .gov was worth it to lend credibility to a malicious website, a spoofed email, or a fake news campaign on social media.
“I never said it was legal, just that it was easy,” the source said. “I assumed there would be at least one identity check. The most in-depth search I had to do was through the Yellow Pages listings.”
Earlier today, KrebsOnSecurity contacted officials in the real town of Exeter, RI to find out if anyone from the US General Services Administration (GSA) – the federal agency responsible for managing the .gov domain registration process – had sought to validate the request before granting a .gov in their name.
One person who called back from the town clerk’s office but asked not to be named said someone from the GSA called their office on November 24 – four days after I contacted the federal agency about the domain in question and about 10 days after the GSA had already granted the bogus request.
WHO WANTS TO BE A GOVERNMENT?
Responding today via email, a spokesperson for the GSA said the agency is not commenting on open investigations.
“The GSA is working with the relevant authorities and has already put in place additional fraud prevention controls,” the agency wrote, without specifying what these additional controls might be.
KrebsOnSecurity got a more substantial response from the Cybersecurity and Infrastructure Security Agency (CISA), a division of the US Department of Homeland Security that leads efforts to protect the .gov domain space of federal civilian government networks [NB: The head of CISA, Christopher C. Krebs, is of no relation to this author].
CISA stated that this issue is so essential to maintaining the security and integrity of the .gov space that DHS is now making a play to assume control over the issuance of all .gov domains.
“The .gov top level domain (TLD) is critical infrastructure for thousands of federal, state and local government organizations across the country,” read a CISA statement sent to KrebsOnSecurity. “Its use by these institutions should inspire confidence. In order to increase the security of all US-based government organizations, CISA is seeking authority to manage the .gov TLD and to assume governance from the General Services Administration.”
The statement continues:
“This transfer would allow CISA to modernize the .gov registrar, improve the security of individual .gov domains, ensure that only authorized users obtain a .gov domain, proactively validate existing .gov holders, and better secure everyone who depends on .gov. We appreciate the efforts of Congress to introduce the DOTGOV bill [link added] which would give CISA this important authority to move forward. The GSA has been an important partner in these efforts and our two agencies will continue to work hand in hand to identify and implement short term security improvements for the .gov.”
At a time when the country’s main intelligence agencies continue to warn of efforts by Russia and other countries to interfere in our elections and democratic processes, it can be hard to imagine that an attacker could so easily use such a simple method to impersonate state and local authorities.
Despite the ease with which apparently anyone can get their own .gov domain, there are a lot of major US cities that currently don’t have one, probably because they never realized they could do so with very little effort or expense. A review of the 10 most populous US cities shows that only half of them have obtained .gov domains, including Chicago, Dallas, Phoenix, San Antonio, and San Diego.
Yes, you read that right: houston.gov, losangeles.gov, newyorkcity.gov, and philadelphia.gov are all still available. As is the .gov for San Jose, Calif., the economic, cultural and political hub of Silicon Valley. There is no doubt that a large number of small towns also have not realized that they are eligible to secure their own .gov domains. That said, some of these cities have .gov domains under other names (e.g. nyc.gov), but it is not clear whether the GSA would allow the same city to have multiple .gov domains.
Besides being able to convincingly spoof city and town communications and websites, there are almost certainly a myriad of other ways that owning a fake .gov domain could be abused. For example, my source said he was able to register his domain with Facebook’s subpoena system, although he said he did not attempt to abuse that access.
Now consider what a well-funded adversary might do on election day armed with a handful of .gov domains for some major cities in Democratic strongholds in key states: Attackers register their domains a few days before the election, then on Election Day send emails signed by a .gov address from, say, miami.gov (also still available) notifying residents that bombs have been detonated at polling stations in Democratic-leaning districts. Such a hoax could well decide the fate of a close national election.
John Levine, domain name expert, consultant and author of the book Internet for Dummies, stated that the .gov domain space was not always as open as it is today.
“Back then, anyone outside of the federal government was supposed to register in the .us space,” Levine said. “At one point, someone decided that .gov was going to be more democratic and let everyone in the states register. But as we see, there is still no validation.”
Levine, who served as mayor of the village of Trumansburg, New York for three years, said it wouldn’t be very difficult for the GSA to better validate .gov domain requests, but that manual verification would likely be required.
“When I was mayor, I was in frequent contact with the state, and states know who all their municipalities are and how to reach the people who are in charge of them,” Levine said. “In addition, each state has a secretary of state who keeps track of all subdivisions, and including them in the process might help as well.”
Levine said that, like the internet itself, this whole debacle is another example of an important resource with potentially explosive geopolitical implications that was never designed with security or authentication in mind.
“Turns out the GSA is good enough at doing boring office stuff,” he said. “But as we continue to discover, what we once thought was a boring office thing now has real-world security implications.”