
It's Way Too Easy to Get a .gov Domain Name - jakejarvis
https://krebsonsecurity.com/2019/11/its-way-too-easy-to-get-a-gov-domain-name/
======
bonyt
> A review of the Top 10 most populous U.S. cities indicates only half of them
> have obtained .gov domains, including Chicago, Dallas, Phoenix, San Antonio,
> and San Diego.

> Yes, you read that right: houston.gov, losangeles.gov, newyorkcity.gov, and
> philadelphia.gov are all still available. As is the .gov for San Jose,
> Calif., the economic, cultural and political center of Silicon Valley.

A minor nit: Many of these cities _do_ have a .gov domain. For example, NYC
has nyc.gov. So, I would suspect (or I’d hope) the GSA wouldn’t issue
newyorkcity.gov to a random fraudster _as_ easily.

Houston has houstontx.gov.

Philadelphia has phila.gov.

San Jose has sanjoseca.gov.

LA has .. lacity.org? That’s a bit unexpected.

Some cities may also use a subdomain of their state's domain, which may or may
not be a .gov.

~~~
profmonocle
> Some cities may also use a subdomain of their state's domain, which may or
> may not be a .gov.

This reminds me of how long-winded the domain hierarchy for .us originally was.
In MN (not sure if it's the same for every state), city domains were
"www.ci.cityname.mn.us". Then the school district's web site was
"www.cityname.k12.mn.us". Not only was the order inconsistent (why not
www.k12.cityname etc.?) but sometimes the city might be typed differently -
i.e. the main Minneapolis site had "minneapolis" in the domain, but the school
district had "mpls".

In the primordial days of the web, back before good search engines, this
didn't make it very easy to find the school's web site.

Fortunately many governments realized this and moved once .gov became
available to cities & states (or they just used .org). For instance
Minneapolis uses minneapolismn.gov, but many are still on the old style
domains. The school district uses mpls.k12.mn.us, but at least they've dropped
the "www."

~~~
semi-extrinsic
In Norway, people employed by the local municipalities have email addresses
that are literally of the style

    $firstname[.$middlename].$lastname@employee.$municipalityName.municipality.no

where "employee" and "municipality" are literal strings (in Norwegian) and the
others are variables. It's incredible, I've seen people with 50 character long
email addresses.

~~~
mijamo
Why is that incredible? It is pretty common for many institutions to have that
kind of email. Universities for instance often have similar emails so that
just by looking at the email you know if the person is a teacher / student /
temp worker and which chair they belong to, sometimes which campus in
addition.

Many big companies have similar things to identify the BU of the email holder
or indicate a contractor status (helpful for security policies).

~~~
semi-extrinsic
I don't know, I guess in the industries I work it's much more common to have
emails that are somewhat unpredictable, like mide54@corp.com

------
forgingahead
Good reporting, until this paragraph:

 _Now consider what a well-funded adversary could do on Election Day armed
with a handful of .gov domains for some major cities in Democrat strongholds
within key swing states: The attackers register their domains a few days in
advance of the election, and then on Election Day send out emails signed by
.gov from, say, miami.gov (also still available) informing residents that
bombs had gone off at polling stations in Democrat-leaning districts. Such a
hoax could well decide the fate of a close national election._

Why the need to specify "Democrat" strongholds? Doesn't this attack work for
any other political-party strongholds as well? Seems like an unnecessarily
partisan position to take.

~~~
MereInterest
One of the major political parties in the US has been repeatedly engaging in
voter suppression. Is it partisan to observe repeated behavior on one side of
the political spectrum, and to extrapolate accordingly?

[https://en.wikipedia.org/wiki/Voter_suppression_in_the_Unite...](https://en.wikipedia.org/wiki/Voter_suppression_in_the_United_States)

~~~
soperj
From an outsider's perspective, there's very little difference between both
your political parties.

------
Thorentis
> “I used a fake Google Voice number and fake Gmail address,” said the source,
> who asked to remain anonymous for this story but who said he did it mainly
> as a thought experiment.

I don't think "thought experiment" applies to actually carrying out what you
were thinking about.

~~~
yoaviram
Came here to say the same thing. I'm surprised how often people misuse the
term. Here's my attempt at explaining what thought experiments are:
[https://thoughtexperiments.net/pages/on-thought-experiments/](https://thoughtexperiments.net/pages/on-thought-experiments/)

------
RandomBacon
The title reminds me of when someone reported that it was just as easy to get
fully-automatic firearms and other military gear from Homeland Security for
free by pretending to be a police department (fake website) and filling out a
simple form.

~~~
chatmasta
An alarming amount of societal functionality depends on what effectively
amounts to the honor system. This is especially true when it comes to any sort
of gatekept specialty profession, like coroners for example.

There was a great talk at DefCon about faking death:
[https://m.youtube.com/watch?v=9FdHq3WfJgs](https://m.youtube.com/watch?v=9FdHq3WfJgs)

~~~
cortesoft
I don't know if that is a solvable problem. Society is trust, and it always
takes trusting someone to make any system work.

People try to build trust-less systems all the time (like blockchains) but
always run up against someplace where trust is required.

~~~
oefrha
Trust, but verify. In the TFA case at least, it shouldn’t be that hard to call
the office’s number (not the filled out Google Voice number of course, but
there has to be a number published by/available through reliable parties) and
confirm “is it really your office who’s registering the domain”? if (printed
on official letterhead) { return authorized; } is beyond stupid.

~~~
cortesoft
Right, but then you are trusting that number list... how is that generated?
Can I call someone up and get that number changed?

------
sb057
If you want some irony, from the "dotgov.gov" website linked in the post:

> An official website of the United States government. Here's how you know:

> The .gov means it's official. Federal government websites often end in .gov
> or .mil. Before sharing sensitive information, make sure you're on a federal
> government site.

------
KingMachiavelli
Isn't the main issue that TLDs are a poor way of establishing trust?

Otherwise, does every company and government need to get specialized TLDs to
prevent impersonation? Even then it only works if users know and always notice
the domain.

EV certs are dead for good reason but nothing seems to have replaced them.

I guess the only option is to verify each site once and then bookmark it and
always make sure it's https. But on the first visit, how do I know chase.com
is Chase Bank?

~~~
frei
Well the back of my Chase card says chase.com.

If you tend to use search engines to find websites, you are trusting the
search engine to give you the website for Chase Bank.

~~~
why_only_15
I feel like google is less likely to give me something fraudulent than e.g.
the risk of me misspelling chase or the like

~~~
laken
An attacker could purchase Google ads for "chɑse.com" (note the unicode "s"
instead of "s").

~~~
knolax
Isn't the homoglyph the IPA "ɑ" character used in place of Basic Latin "a"?
The homoglyph URL attack also has some downsides because Unicode is only
supported for domains through an extension system; most browsers will convert
the above to "xn--chse-r5b.com" after you visit the link.
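As an added example (not code from this thread or from any browser vendor), a defender-side check that mirrors what the comment above describes: it converts a display-form IDN to the xn-- form a browser shows, flags labels that mix ASCII letters with non-ASCII code points (the pattern in "chɑse"), and folds a constructed confusables table (U+0251 to "a") to see whether the name imitates a protected domain. The CONFUSABLES and PROTECTED tables are assumptions for illustration; a real deployment would load Unicode TR39's confusables list.

```python
import unicodedata

# Constructed confusables table (assumption): a few non-ASCII letters and the
# ASCII letter each imitates. U+0251 is the IPA alpha from the comment above.
# A production check would load Unicode TR39's confusables.txt instead.
CONFUSABLES = {
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}

# Constructed list of domains a mail gateway or proxy wants to protect.
PROTECTED = {"chase.com", "google.com"}


def to_punycode(domain: str) -> str:
    """Return the ASCII (xn--) form a browser shows for an IDN, using Python's
    built-in IDNA codec; labels that are already ASCII pass through unchanged."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain: str) -> str:
    """Fold a domain to the ASCII string it visually imitates: NFKC handles
    compatibility forms such as fullwidth letters, the table handles lookalikes."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def check_domain(domain: str) -> dict:
    """Classify a domain for a defender: is it an IDN, does any label mix ASCII
    letters with non-ASCII code points (the pattern in "chɑse"), and does its
    skeleton collide with a protected domain it is not actually equal to."""
    ascii_form = to_punycode(domain)
    mixed = any(
        any(ord(c) > 127 for c in label) and any(c.isascii() and c.isalpha() for c in label)
        for label in domain.split(".")
    )
    look = skeleton(domain)
    return {
        "display": domain,
        "punycode": ascii_form,
        "is_idn": any(label.startswith("xn--") for label in ascii_form.split(".")),
        "mixed_label": mixed,
        "impersonates": look if look in PROTECTED and look != domain.lower() else None,
    }
```

Run `check_domain("chɑse.com")` to see the xn--chse-r5b.com form from the comment alongside the mixed-label and impersonation flags; the genuine chase.com produces no flags.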

------
Thorrez
Interesting that this was done very shortly after the DOTGOV bill was
introduced. It's possible that this attack was done by a supporter of the
DOTGOV bill in order to provide evidence to help the bill pass.

------
xyz-x
Does anybody know why the USA hogs the toplevel domain? It's not the only
government in the world. It would seem more just to make it more like .com
than .edu.

~~~
ptaipale
Obviously, because of the history of the Internet deriving from Arpanet. The
whole domain name structure grew out of the needs of the US government, even
if the .com domain was the largest TLD from the start.

------
neiman
Together with selling .org to Ethos Capital, we're getting a worrying picture
of problems with the current model of managing TLDs.

Managing TLDs is a lot of power in 2019, since the Internet is such a powerful
player now.

I'm not sure what the best way to manage it is, but I am sure that if we leave
it as is, we'll see more and more deals with dodgy commercial entities or more
entities getting domain names they should not own.

------
aaron695
This is dumb.

If someone is doing this, then link?

Else it's obviously too much bother; your domain will get axed.

Compare to all the domains that won't get axed.

Do they really expect us to believe the population will get fooled by a
losangeles.gov but not losangelesgovernment.ws? The difference will be a small
percent.

> then on Election Day send out emails signed by .gov

Why the hell won't these be junked like any spam? New domain. Sudden flood.
People marking as spam. What, are we in 2010?

------
kitteh
I remember when it was easy to get edus. Recall someone who had irc.edu until
they got caught.

~~~
Sendotsh
It was easy to get all sorts of fun domains back in the day. All so you could
have lolz in your irc /whois.

------
curiousgal
Tangent.

This guy has the best and probably most read blog on cybersecurity incidents.
He's smart enough to serve ads from his own domain but can't even bother to
make his site mobile friendly? I've seen people pick on the sites of free
tools and side projects for the same reason but somehow this gets a pass.

~~~
tsukurimashou
he does whatever he wants

~~~
Biganon
...yeah? And? Everyone does whatever they want, not even criminal law makes it
impossible to act a certain way. What's your point? It's still a terrible
design choice, and it alienates a great number of potential readers.

~~~
tsukurimashou
not everything is a business, maybe he just writes blog posts for fun /
himself

------
Jaruzel
Coincidentally, I just watched a Family Guy episode where Peter and Tom Tucker
shoot a skateboarding video, which ends up with Peter being attacked by a
bear. The skit ends with a fake advert for www.shirt.gov

Obviously, they thought that there was no way someone could register
shirt.gov... how wrong they were ;)

------
zurn
Or too hard - why are they US only?

~~~
anoncake
What would be the point? How often do you want to make sure you are on a
government website without even caring about which country?

~~~
zurn
It's just a name, doesn't hold any special assurance for most people.

~~~
delfinom
Until some enemy country starts registering punycode domain lookalikes lol.

------
HNLurker2
This is what I used to do back in the day, to get high PageRank (remember
that?) in Google.

~~~
frei
You used to defraud the US Government back in the day? For pagerank? Did you
get in trouble?

~~~
C1sc0cat
It was more .edus back then; I came across more than one (presumably hacked)
professor's personal site that was hosting link spam directories.

------
walterkrankheit
I wonder if anyone's done any sort of research on how many possible fraudulent
.gov sites there could be. Definitely seems like a tool disseminators of fake
news and hate campaigns would use.

------
nodesocket
> who said he got a .gov domain simply by filling out and emailing an online
> form, grabbing some letterhead off the homepage of a small U.S. town that
> only has a “.us” domain name, and impersonating the town’s mayor in the
> application.

He can also get prosecuted and potentially face jail time for such a gamble.

~~~
Nextgrid
> He can also get prosecuted and potentially face jail time for such a gamble.

I'm sure such a threat is definitely going to stop the bad guys, so let's not
worry about _actual_ security. /s

The people that should be prosecuted are the ones falling for such an obvious
fraud. If you're in control of the .gov TLD and explicitly tell people to use
the domain as a sign of legitimacy you are expected to know what you're doing
and not be an idiot like the people currently running it.

------
rshnotsecure
I would also like to add that signing up for an AWS Gov account was, at least
12 months ago, a completely automated process where I was approved in no more
than 15 mins. The account had a credit card but otherwise was 100% still in
free tier mode, and in fact was being used by an open source team, so it
included people from around the world.

The CIA has stated multiple times in court documents (typically they have
emerged in cases where the FBI attaché that all embassies have post-9/11, or
someone similar, is testifying) concerns about this, and why they demanded and
got “AWS Secret”, a level higher than Gov, which was opened in 2017.

Keep in mind though that many governments at the state and local level still
use the TLD “.us”. For instance Texas has widely used, until within the last
year, “https:<subdomain>state.tx.us”. Many states have this legacy naming
convention left over, and of course the restrictions are about as paper-thin
and avoided on .us as they are on .gov, but more so. There are changes in the
works for this though.

More concerning though is that the recent issue with the .org TLD clearly,
and this can be proven in a straightforward manner, involves a group with
unlimited funding by the People’s Liberation Army making this purchase. Ethos
Capital is a joke of a firm. They’ve already sanitized the Google search
results about them, which lol should be obvious when you realize they have
taken out a Google Ad for “keypointsabout.org” when you Google them. The proof
though is that if you look at court documents from 2015 you will find mention
of a firm...SharkTech. Another front company that the PLA loans out from time
to time to the Middle East and even, as I recall, Israel. Anyway, as I’ve
stated before in comments, if you do the reverse Whois searches and DNS
subdomain enumeration you can find the trail back to No 31 Jin-rong Street.
I’ve been asked before to write a post about this, always elaborating, and
Christ, I finally took out a domain
[https://blog.12security.com](https://blog.12security.com) ... it has nothing
on it, but Jesus, just look at the DNS records; it took forever to get that
DMARC record to the strictest level involving no 3rd parties and also to split
that DKIM key across 3 TXT records...which you have to do sometimes for the
2048-bit keys.

EDIT: forgot to mention there is obviously a connection between SharkTech and
Ethos Capital. That will be proven in the blog, and it is on me and my very
tardy credibility to do it :) Look at
[http://dcsmanage.com](http://dcsmanage.com) out of Los Angeles though if you
want to get a head start, and if anyone claims that’s a real IT firm...

~~~
dylz
Sharktech/Nobistech is basically just Leaseweb, a VPS/dedicated server
company. I don't believe it to be particularly linked.

And "No 31 Jin-rong Street" is like multiple /8's worth of users, China's
largest ISP.

~~~
ryanlol
[https://news.ycombinator.com/item?id=21412052](https://news.ycombinator.com/item?id=21412052)

According to rshnotsecure every hosting company seems to be a government
front, even really small ones like ramnode.

------
iamleppert
Sounds to me like this researcher is going to be brought up on charges. Well
deserved charges. We don’t know what he did with this domain before he
contacted krebs. He very well could be covering his tracks and creating
plausible deniability.

You break the law, you go to jail. Simple as that. They ought to make an
example out of him.

~~~
Biganon
"You break the law, you go to jail. Simple as that."

This is laughably ignorant. It's absolutely not as simple as that, by chance.

