
It's Way Too Easy to Get a .gov Domain Name

438 points, by jakejarvis, over 5 years ago

19 comments

bonyt over 5 years ago
> A review of the Top 10 most populous U.S. cities indicates only half of them have obtained .gov domains, including Chicago, Dallas, Phoenix, San Antonio, and San Diego.

> Yes, you read that right: houston.gov, losangeles.gov, newyorkcity.gov, and philadelphia.gov are all still available. As is the .gov for San Jose, Calif., the economic, cultural and political center of Silicon Valley.

A minor nit: Many of these cities *do* have a .gov domain. For example, NYC has nyc.gov. So, I would suspect (or I'd hope) the GSA wouldn't issue newyorkcity.gov to a random fraudster *as* easily.

Houston has houstontx.gov.

Philadelphia has phila.gov.

San Jose has sanjoseca.gov.

LA has .. lacity.org? That's a bit unexpected.

Some cities may also use a subdomain of their state's domain, which may or may not be a .gov.

forgingahead over 5 years ago
Good reporting, until this paragraph:

*Now consider what a well-funded adversary could do on Election Day armed with a handful of .gov domains for some major cities in Democrat strongholds within key swing states: The attackers register their domains a few days in advance of the election, and then on Election Day send out emails signed by .gov from, say, miami.gov (also still available) informing residents that bombs had gone off at polling stations in Democrat-leaning districts. Such a hoax could well decide the fate of a close national election.*

Why the need to specify "Democrat" strongholds? Doesn't this attack work for any other political-party strongholds as well? Seems like an unnecessarily partisan position to take.

Thorentis over 5 years ago
> "I used a fake Google Voice number and fake Gmail address," said the source, who asked to remain anonymous for this story but who said he did it mainly as a thought experiment.

I don't think "thought experiment" applies to actually carrying out what you were thinking about.

RandomBacon over 5 years ago
The title reminds me of when someone reported that it was just as easy to get fully-automatic firearms and other military gear from Homeland Security for free by pretending to be a police department (fake website) and filling out a simple form.

sb057 over 5 years ago
If you want some irony, from the "dotgov.gov" website linked in the post:

> An official website of the United States government. Here's how you know:

> The .gov means it's official. Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.

KingMachiavelli over 5 years ago
Isn't the main issue that TLDs are a poor way of establishing trust?

Otherwise, does every company and government need to get specialized TLDs to prevent impersonation? Even then it only works if users know and always notice the domain.

EV certs are dead for good reason, but nothing seems to have replaced them.

I guess the only option is to verify each site once and then bookmark it and always make sure it's https. But on the first visit, how do I know chase.com is Chase Bank?

Thorrez over 5 years ago
Interesting that this was done very shortly after the DOTGOV bill was introduced. It's possible that this attack was done by a supporter of the DOTGOV bill in order to provide evidence to help the bill pass.

xyz-x over 5 years ago
Does anybody know why the USA hogs the top-level domain? It's not the only government in the world. It would seem more just to make it more like .com than .edu.

neiman over 5 years ago
Together with selling .org to Ethos Capital, we're getting a worrying picture of problems with the current model of managing TLDs.

Managing TLDs is a lot of power in 2019, since the Internet is such a powerful player now.

I'm not sure what's the best way to manage it, but I am sure that if we leave it as is, we'll see more and more deals with dodgy commercial entities or more entities getting domain names they should not own.

aaron695 over 5 years ago
This is dumb.

If someone is doing this, then link?

Else it's obviously too much bother; your domain will get axed.

Compare to all the domains that won't get axed.

Do they really expect us to believe the population will get fooled on a losangeles.gov but not losangelesgovernment.ws? The difference will be a small percent.

> then on Election Day send out emails signed by .gov

Why the hell won't these be junked like any spam? New domain. Sudden flood. People marking as spam. What, are we in 2010?

kitteh over 5 years ago
I remember when it was easy to get .edus. Recall someone who had irc.edu until they got caught.

curiousgal over 5 years ago
Tangent.

This guy has the best and probably most read blog on cybersecurity incidents. He's smart enough to serve ads from his own domain but can't even bother to make his site mobile friendly? I've seen people pick on the sites of free tools and side projects for the same reason, but somehow this gets a pass.

Jaruzel over 5 years ago
Coincidentally, I just watched a Family Guy episode where Peter and Tom Tucker shoot a skateboarding video, which ends up with Peter being attacked by a bear. The skit ends with a fake advert for www.shirt.gov

Obviously, they thought that there was no way someone could register shirt.gov... how wrong they were ;)

zurn over 5 years ago
Or too hard - why are they US only?

HNLurker2 over 5 years ago
This is what I used to do back in the day, to get high PageRank (remember that?) in Google.

walterkrankheit over 5 years ago
I wonder if anyone's done any sort of research on how many possible fraudulent .gov sites there could be. Definitely seems like a tool disseminators of fake news and hate campaigns would use.

nodesocket over 5 years ago
> who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a ".us" domain name, and impersonating the town's mayor in the application.

He also can get prosecuted and potentially face jail time for such a gamble.

rshnotsecure over 5 years ago
I would also like to add that signing up for an AWS Gov account, at least 12 months ago, was a completely automated process where I was approved in no more than 15 mins. The account had a credit card but otherwise was 100% still in free tier mode, and in fact was being used by an open source team, so it included ppl from around the world.

The CIA has stated multiple times in court documents (typically they have emerged in cases where the FBI attaché that all embassies have post-9/11, or someone similar, is testifying) concerns about this, and why they demanded and got "AWS Secret", a level higher than gov, that was opened in 2017.

Keep in mind though that many governments at state and local level still use the TLD ".us". For instance Texas has widely used, until within the last year, "https:<subdomain>state.tx.us". Many states have this legacy naming convention left over, and of course the restrictions are about as paper thin and as easily avoided on .us as they are on .gov, if not more so. There are changes in the works for this though.

More concerning though is that the recent issue with the .org TLD clearly, and this can be proven in a straightforward manner, involves a group with unlimited funding by the People's Liberation Army making this purchase. Ethos Capital is a joke of a firm. They've already sanitized the Google Search Results about them, which lol should be obvious when you realize they have taken out a Google Ad for "keypointsabout.org" when you Google them. The proof though is that if you look at court documents from 2015 you will find mention of a firm...SharkTech. Another front company that the PLA loans out from time to time to the Middle East and even, as I recall, Israel. Anyway, as I've stated before in comments, if you do the reverse Whois searches and DNS subdomain enumeration you can find the trail back to No 31 Jin-rong Street.

I've been asked before to write a post about this, always elaborating, and Christ, I finally took out a domain https://blog.12security.com ... it has nothing on it, but Jesus, just look at the DNS records; it took forever to get that DMARC record to the strictest level involving no 3rd parties and also to split that DKIM key across 3 txt records...which you have to do sometimes for the 2048 keys.

EDIT: forgot to mention there is obviously a connection between SharkTech and Ethos Capital. That will be proven in the blog, and it is on me and my very tardy credibility to do it :) look at http://dcsmanage.com out of Los Angeles though if you want to get a head start, and if anyone claims that's a real IT firm...

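The DKIM and DMARC point in the comment above, as an added example that is not part of the original thread: a 2048-bit DKIM public key does not fit in a single 255-byte DNS character-string and has to be split, and a "strictest, no third parties" DMARC record means p=reject, strict alignment, and report addresses that stay on your own domain. The key bytes are a constructed placeholder and `example.com` is an assumed domain.

```python
"""Build a DKIM TXT record for a 2048-bit key (which exceeds the 255-byte
limit of a single DNS character-string) and lint a DMARC record for the
strictest settings with no third-party report receivers. Added example;
the key bytes below are a constructed placeholder, not a real key."""
import base64
import re

# Constructed stand-in for a 2048-bit RSA SubjectPublicKeyInfo: 294 DER bytes
# encode to 392 base64 characters, the same length a real key would have.
FAKE_PUBKEY_B64 = base64.b64encode(b"\x30" + b"\x00" * 293).decode()

def build_dkim_txt(selector, domain, pubkey_b64, max_string=255):
    """Return (record_name, [character-strings]) for the selector's TXT record.
    DNS limits each character-string to 255 bytes, so a long p= value must be
    split; resolvers and verifiers concatenate the pieces in order."""
    value = f"v=DKIM1; k=rsa; p={pubkey_b64}"
    name = f"{selector}._domainkey.{domain}"
    pieces = [value[i:i + max_string] for i in range(0, len(value), max_string)]
    return name, pieces

def parse_tags(pieces):
    """Concatenate character-strings and parse tag=value pairs."""
    tags = {}
    for part in "".join(pieces).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags

def lint_dmarc(txt, own_domain):
    """Return findings for a DMARC TXT value; an empty list means p=reject,
    strict alignment, and every report URI stays on own_domain."""
    tags = parse_tags([txt])
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing v=DMARC1")
    if tags.get("p") != "reject":
        findings.append(f"p={tags.get('p', 'missing')} (want reject)")
    if tags.get("sp", tags.get("p")) != "reject":
        findings.append("subdomain policy weaker than reject")
    for mode in ("adkim", "aspf"):
        if tags.get(mode, "r") != "s":  # default alignment is relaxed
            findings.append(f"{mode} relaxed (want s)")
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            m = re.match(r"mailto:[^@]+@([^!]+)", uri.strip())
            dom = m.group(1).lower() if m else ""
            if dom != own_domain and not dom.endswith("." + own_domain):
                findings.append(f"{tag} report leaves the domain: {uri.strip()}")
    return findings
```

Publishing each entry of `pieces` as a separate quoted string inside one TXT record is what lets a verifier reassemble the full p= value.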
iamleppert over 5 years ago
Sounds to me like this researcher is going to be brought up on charges. Well deserved charges. We don't know what he did with this domain before he contacted Krebs. He very well could be covering his tracks and creating plausible deniability.

You break the law, you go to jail. Simple as that. They ought to make an example out of him.
