Security concerns were raised after someone obtained a .gov domain name successfully. Domain names with suffix .gov belong only to federal U.S. institutions, state, and local governments.
Domain name with .gov suffix is only open to federal U.S. institutions, state, and local governments. It is assumed that there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org. Despite these security protections, someone succeeded in obtaining their very own .gov domain. At the beginning of November, KrebsOnSecurity received an email from a researcher who said he got a .gov domain only by filling out and emailing an online form.
This researcher sent this e-mail from exeterri[.]gov, a domain registered on November 14, which belongs to the town of Exeter, Rhode Island. The source wrote in his e-mail:
“I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the source continued. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”
No need to verify ID
Briefly, someone who has a fake Google Voice number and Gmail address, both completely unaffiliated with the town, got account creation links by mailing or faxing an official letterhead. It is needed to underline that it is not legal, as the source said. It is easy to get account creation links to obtain a domain with .gov. The source assumed there would be at least ID verification.
With this e-mail address with .gov, he can sign up for Facebook’s law enforcement subpoena request system, including law enforcement and government entities, with personal user records.
The exeterri.gov domain has been revoked, but severe flaws in the system are raised security concerns. A town clerk from Exeter said that the only inquiry the city received from the U.S. General Services Administration (GSA) came 10 days after the researcher’s fake registration was approved. And the GSA only called Exeter after Krebs on Security asked about the domain.
KrebsOnSecurity tried to contact with the federal agency, GSA, Cybersecurity and Infrastructure Security Agency (CISA) and Exeter. GSA responds via e-mail:
“GSA is working with the appropriate authorities and has already implemented additional fraud prevention controls.”
CISA, which is a division of the U.S. Department of Homeland Security which is leading efforts to protect the federal .gov domain of civilian government networks, send a statement:
“The .gov top-level domain (TLD) is critical infrastructure for thousands of federal, state and local government organizations across the country. Its use by these institutions should instill trust. In order to increase the security of all US-based government organizations, CISA is seeking the authority to manage the .gov TLD and assume governance from the General Services Administration.”
Warning by Russia and other countries
The statement continues:
“In an era when the nation’s top intelligence agencies continue to warn about ongoing efforts by Russia and other countries to interfere in our elections and democratic processes, it may be difficult to fathom that an attacker could so easily leverage such a simple method for impersonating state and local authorities.”