March 7, 2020

The federal agency in charge of issuing .gov domain names is enacting new requirements for validating the identity of people requesting them. The additional measures come less than four months after KrebsOnSecurity published research suggesting it was relatively easy for just about anyone to get their very own .gov domain.

In November’s piece It’s Way Too Easy to Get a .gov Domain Name, an anonymous source detailed how he obtained one by impersonating an official at a small town in Rhode Island that didn’t already have its own .gov.

“I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the source said. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”

While what my source did was technically wire fraud (obtaining something of value via the Internet through false pretenses), cybercriminals bent on using fake .gov domains to hoodwink Americans likely would not be deterred by such concerns.

“I never said it was legal, just that it was easy,” the source told KrebsOnSecurity. “I assumed there would be at least ID verification. The deepest research I needed to do was Yellow Pages records.”

Now, Uncle Sam says in a few days all new .gov domain applications will include an additional authorization step.

“Effective on March 10, 2020, the DotGov Program will begin requiring notarized signatures on all authorization letters when submitting a request for a new .gov domain,” reads a notice published March 5 by the U.S. General Services Administration, which oversees the .gov space.

“This is a necessary security enhancement to prevent mail and wire fraud through signature forgery in obtaining a .gov domain,” the statement continues. “This step will help maintain the integrity of .gov and ensure that .gov domains continue to be issued only to official U.S. government organizations.”

The GSA didn’t say whether it was putting in place any other safeguards, such as more manual verification of .gov domain applications. It certainly hadn’t followed up on the fraudulent application from my source before granting him the .gov domain name he sought (exeterri[.]gov). The GSA only did that four days after I asked them for comment, and approximately 10 days after they’d already granted the phony domain request.

“GSA is working with the appropriate authorities and has already implemented additional fraud prevention controls,” the agency said in a written statement at the time, without elaborating on what those additional controls might be.

But I’m left to wonder: If I’m a bad guy who’s willing to forge someone’s signature and letterhead in a fraudulent application for a .gov domain, why wouldn’t I also be willing to fake a notarization? Especially when there are plenty of services in the cybercrime underground that specialize in spoofing these phony attestations for a small fee.

“This is a classic case of ‘we must do something’ and this is certainly something,” said John Levine, a domain name expert, consultant and author of the book The Internet for Dummies.

Levine said it would not be terribly difficult for the GSA to do a slightly more thorough job of validating .gov domain requests, but that some manual verification probably would be required. Still, he said, it’s not clear how big a threat fake .gov domains really are.

“As far as we know, only one person tried to fake a .gov,” Levine said. “Maybe this is good enough?”

The Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security, has argued that more needs to be done to secure the .gov domain space, and is making a play to wrest control over the process from the GSA.

The DOTGOV bill, introduced in October 2019, would “ensure that only authorized users obtain a .gov domain, and proactively validate existing .gov holders,” according to a statement CISA shared with this author last year.


12 thoughts on “U.S. Govt. Makes it Harder to Get .Gov Domains

  1. JimV

    Better late than never, but that long-open barn door might also require closing by a thorough vetting and validation of the existing .gov domains already granted.

    1. Navanax

      I’d agree, and looks like CISA does also: last paragraph, “…proactively validate existing .gov holders”

      1. Mikey Doesn't Like It

        Sadly, that text is buried in the bill, which is now just sitting somewhere in the Senate, awaiting action.

        Even then, there’s enough ambiguity that leaves CISA plenty of latitude for dropping the ball.

        We can always hope that IF the bill is finally passed and signed into law, it will lead to some badly needed but positive outcomes.

        OTOH, meanwhile, there’s nothing that currently prevents CISA from acting proactively NOW. If only…

  2. John

    Why they don’t just decide to send someone from the federal agency in charge of issuing .gov domain names, to check in person on the official address that it really is someone from there who asked to have the domain.

    They must have access to all that data in official public records, so they use it to make sure in person everything is ok.

    I know, I know… a robot should do it, but maybe, just maybe sending someone is a better idea.

  3. The Sunshine State

    All domain names should have some type of human verification to prevent things like phishing scams from happening

    1. Jason

      Daylight Saving Time started this morning… sounds like you need to turn your clock forward about 30 years. There are close to half a billion domain names, in about a thousand top-level domains, administered by hundreds of governments and registrars. That ship has already sailed, got caught in a perfect storm, taken on water, sank, been explored by James Cameron, had its safe pilfered, and become the ironic namesake of dozens of personal pleasure craft.

      1. Dread Pirate

        “That ship has sailed” is a good boat name

  4. illumina23

    It would be an interesting exercise for your source to try to get another .gov domain after the new requirements go into effect.

  5. jJ

    Because the feds undoubtedly will audit every notary since it is so difficult to become a notary…

    Example:

    https://www.nationalnotary.org/west-virginia

    May I become a West Virginia Notary if I am not a U.S. citizen?

    Yes. You do not have to be a U.S. citizen to become a West Virginia Notary Public. You must, however, be a permanent legal U.S. resident and meet all other application requirements.

    Although West Virginia does not require training, where can I get it?

    Requirements to be a Notary in West Virginia
    Who can become a Notary?
    A Notary Public applicant in West Virginia must meet the following requirements:

    Must be at least 18 years old
    Be a citizen or permanent legal resident of the United States
    Must be a resident of or have a place of employment in West Virginia
    High school diploma or equivalent
    Not be disqualified from a commission under WVC 39-4-23, which prohibits offering unauthorized legal advice and false advertising
    Must not have been convicted of a felony or any crime involving fraud, dishonesty or deceit or had a Notary commission suspended or revoked in another state

  6. ResourceAllocator

    We don’t have enough human resources to actually vet each application. Like all the corporations we do business with, the US Government only has enough resources to pay someone to tell you, “Sorry, that’s not my department. Please hold while I transfer you to another department,” and they only know how to refer you to another department, which then refers you back to the first department. Lather, rinse, repeat.

    The world needs to devote more resources to training workers how to do the jobs that need to be done, and waste less resources having people do jobs they can’t do fully. When I call tech support, I don’t want to talk to someone who can only tell me how to restart my device and hope it works, I want someone who knows at least as much as I do about the product I need support for.

    Government is no different, we should only have people that have the knowledge to make good, informed decisions about the task they are in charge of, and are willing and able to do so without corrupting influence. Properly allocating the government work force to areas where they can do an efficient job should free up the needed workers for tasks like vetting .gov applications. I mean, we’re not really talking about much more than the ability to pick up the phone and navigate the switchboard of the city/town/agency requesting the site… We could practically train zoo animals to do it…

Comments are closed.