You’d think it would be hard to talk the U.S. government into giving you some random town’s .gov email address. You’d hope the process would be rigorous. But as one hacker explained to security researcher Brian Krebs, securing a U.S. government-endorsed top-level domain is actually frighteningly easy.
Calling this guy a hacker might even be a stretch. As he explained the process to Krebs, the source simply completed a form with a fake phone number and email address and then forged a document with a town’s letterhead before securing the “exeterri.gov” domain name for Exeter, Rhode Island. “I never said it was legal, just that it was easy,” the source told Krebs. “I assumed there would be at least ID verification. The deepest research I needed to do was Yellow Pages records.”
Well, this is unnerving. As Krebs points out in his post about the matter, lying in order to register a .gov would likely constitute wire fraud, but the crime could be worth it for a foreign agent hoping to spread misinformation. However, the U.S. government seems at odds about the top-level domain program’s security.
The General Services Administration (GSA), which manages the .gov domain program, actually took some steps last year to make it easier for certain local and state U.S. government agencies to gain access to .gov email address. The agency also added basic security features like HTTPS, improved password security, and mandatory two-step verification for the administrators of .gov domains. Many U.S. federal government websites currently cite HTTPS and the .gov domain itself as proof that a given website is an official United States government website.
Meanwhile, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) thinks it can do a better job at this. That agency told Krebs that it wants to assume control of managing the .gov top-level domain system form the GSA. A bill called the “DOTGOV Online Trust in Government Act” was even introduced in the Senate earlier this month to move the system from the GSA to CISA.
Part of this legislation would “ensure that domains are registered and maintained only by authorised individuals” and require “a .gov domain security enhancement strategy and implementation plan.” It certainly seems like the system’s security could use at least a review.
This modernisation plan reflects the government’s aim to give the appropriate local and state entities access to secure .gov domains. Currently, many towns and municipalities use the .us top-level domain which is less secure than .gov. It’s as easy as going to Google Domains and paying $US12 ($18) a year for “[town name].us.” Of course, the official websites for these places would be “[town name].[state abbreviation].us.” The system isn’t standardised, thus increasing the likelihood that the average citizen has no idea what’s an official government website and what might be a fake.
At this point in time, it’s hard to say if hackers (foreign or domestic) are taking advantage of the weak security in the .gov top-level domain system. Nevertheless, the idea of a hacker setting up a fake U.S. government website and then using social media to steer traffic towards fake information doesn’t seem like the craziest scenario ahead of the 2020 election.
Although since Facebook will let you pay money to lie in political ads, ads that can be micro-targeted to particularly vulnerable people, perhaps our 2020 woes are much worse than we ever could have imagined.