> A review of the Top 10 most populous U.S. cities indicates only half of them have obtained .gov domains, including Chicago, Dallas, Phoenix, San Antonio, and San Diego.
> Yes, you read that right: houston.gov, losangeles.gov, newyorkcity.gov, and philadelphia.gov are all still available. As is the .gov for San Jose, Calif., the economic, cultural and political center of Silicon Valley.
A minor nit: Many of these cities do have a .gov domain. For example, NYC has nyc.gov. So, I would suspect (or I’d hope) the GSA wouldn’t issue newyorkcity.gov to a random fraudster as easily.
Houston has houstontx.gov.
Philadelphia has phila.gov.
San Jose has sanjoseca.gov.
LA has .. lacity.org? That’s a bit unexpected.
Some cities may also use a subdomain of their state's domain, which may or may not be a .gov.
> Some cities may also use a subdomain of their state's domain, which may or may not be a .gov.
This reminds me of how long-winded the domain hierarchy for .us originally was. In MN (not sure if it's the same for every state), city domains were "www.ci.cityname.mn.us". Then the school district's web site was "www.cityname.k12.mn.us". Not only was the order inconsistent (why not www.k12.cityname etc.?) but sometimes the city might be typed differently - i.e. the main Minneapolis site had "minneapolis" in the domain, but the school district had "mpls".
In the primordial days of the web, back before good search engines, this didn't make it very easy to find the school's web site.
Fortunately many governments realized this and moved once .gov became available to cities & states. (or they just used .org). For instance Minneapolis uses minneapolismn.gov, but many are still on the old style domains. The school district uses mpls.k12.mn.us, but at least they've dropped the "www."
where "employee" and "municipality" are literal strings (in Norwegian) and the others are variables. It's incredible, I've seen people with 50 character long email addresses.
Looks like part of that might be attempting to craft a bilingual email address? This kind of thing is tough to get right— in many cases the easiest thing is to just make up a word that's understandable in both languages but isn't obviously preferential to either, like how the transit agency in Ottawa is called "OC Transpo".
On the other hand, for email addresses in particular, it should be easy to just have one in each language, which also makes sense in terms of the person replying knowing upfront which language you'd like to use based on which address your query came in on.
Why is that incredible? It is pretty common for many institutions to have that kind of email. Universities for instance often have similar emails so that just by looking at the email you know if the person is a teacher / student / temp worker and which chair they belong to, sometimes which campus in addition.
Many big companies have similar things to identify the BU of the email holder or indicate a contractor status (helpful for security policies).
> School districts are separate from municipalities and often will span multiple.
School districts may or may not be subordinate to city or county governments, and this may not be consistent statewide (of course, the hierarchy of city vs county may not be consistent statewide—looking at NYC.)
The city of Lafayette's police department (in the SF East Bay) accepts crime tip emails using a Gmail address (94549TIP@gmail.com). It's plastered on all their police cars, even though the city and police department have an official domain. Though even that is a .org domain, lovelafayette.org.
I would assume the LA City one was chosen because it’s still shorter than Los Angeles and it also differentiates from LA County. Much of the LA metropolitan area is within the county limits but not part of the city of LA.
> LA gov doesn't belong to CA gov, federalism, etc.
Federalism does not exist within states but between states and the federal government. Los Angeles (whether county or city) is an administrative subdivision of the State of California, not a separate sovereignty.
OTOH, Los Angeles isn't getting a .ca.gov domain because the state government doesn't want to dilute its brand with local government websites, but that's about branding, not Federalism.
While it is true that federalism is the wrong term, there exists a general idea of independence of different levels of government. I am not sure about the US constitutional arrangement, but in the country where I live there is a clear and explicit concept that municipal, province and country (executive) governments are independent of each other, not subordinate. Therefore, it would be inappropriate for a city to get a subdomain managed by a higher-level government entity.
The relationship between states and localities is governed by the constitution and laws of each individual state and not the US Constitution.
In my particular state, and in many but not all others, local governments whether that be counties, cities or towns are administrative districts which only have the rights and powers which the state chooses to delegate to them through state law and the particular charter granted by the state to the administrative district. The state through the normal legislative process can change those rights and powers or even eliminate a particular administrative district.
In the United States, municipalities are subordinate to the state (equivalent to province). They generally have charters outlining distinct areas of responsibility, but usually to change the scope of that responsibility requires legislation at the state level. At each level the executive, judicial and legislative branches are separate.
There's not federalism within states in a legal sense the way there is between states and the feds, but cities value their independence too and prefer to have their own infrastructure. I would expect the city, rather than the state, to be the reason they don't use a subdomain of the state's .gov domain.
We have a TLD for NYC. It is, expectedly, not used for the city's official website. I guess people don't know how to visit TLDs in their browser. (I believe it would be "nyc.")
That's not how .nyc is used or is expected to be used. It's a top-level domain, not a dotless host name. Here's an example of how it's used: https://thecity.nyc/
> That's not how .nyc is used or is expected to be used. It's a top-level domain, not a dotless host name.
While it is prohibited by the ICANN policy [1], it is not strictly enforced so that there are multiple TLDs with A/AAAA records. They traditionally could be resolved with a trailing dot (thus it is not a dotless host name, that would have no dot), but nowadays many browsers refuse to resolve them without an explicit scheme. But they do still exist: try `http://pn./` for example.
The DNS server at work (which I maintain... oops) doesn't work, but home and other servers do work:
host ai. 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases:
ai has address 209.59.119.34
ai mail is handled by 10 mail.offshore.ai.
I see that the Vatican has given up. Long ago, http://va/ was it. No other name under va existed. Netscape Navigator was able to navigate to that part of the net.
The reasons why these don't work go well beyond policy. Let's say that you're trying to advertise city social services in a subway ad campaign; how in the world do you get people to go to just "nyc" as the domain name? I guarantee you most of them will end up just performing a search on "nyc". It simply doesn't work. When you put nyc.gov as the domain name, everyone knows what that is and how to navigate to it.
Secondly, we have the expectation that subdomains of a given domain are run by the same entity, and represent natural semantic subdivisions. E.g. there's google.com, the over-arching website for all of Google and its first major product, and then for its other major products there's maps.google.com, mail.google.com, docs.google.com, etc.
This doesn't work with nyc, because subdomains of nyc are actually registrable domain names all their own that are controlled by other entities. So you can't have nyc be the overarching website for NYC, and then have parks.nyc, housing.nyc, business.nyc, etc., as natural subdivisions of it, because other people can own those domain names! So now you have no great way to subdivide up your site, and other people's sites are easily confusable as yours.
The only real way to do a dotless root DNS website is if you control the entire TLD; it has to be closed and not open to registration by external parties.
Just because the cities have .gov domains does not counter the fact that the other, very official looking, domains are unused and potentially available.
> A review of the Top 10 most populous U.S. cities indicates only half of them have obtained .gov domains, including Chicago, Dallas, Phoenix, San Antonio, and San Diego.
Now consider what a well-funded adversary could do on Election Day armed with a handful of .gov domains for some major cities in Democrat strongholds within key swing states: The attackers register their domains a few days in advance of the election, and then on Election Day send out emails signed by .gov from, say, miami.gov (also still available) informing residents that bombs had gone off at polling stations in Democrat-leaning districts. Such a hoax could well decide the fate of a close national election.
Why the need to specify "Democrat" strongholds? Doesn't this attack work for any other political-party strongholds as well? Seems like an unnecessarily partisan position to take.
I see what you mean, but I suspect the author might be referring to the Russian disinformation campaign to favour Republicans. I see it just as an example - obviously it can be adapted in either direction, or both just to deter voter participation altogether.
It would be shocking, though, if it turned out that Russia was the only country trying to influence US elections, instead of the only one that has been publicly exposed.
I think many countries assessed that they were capable of it, but many would think this was a casus belli. Had Clinton been elected instead, she probably would have sought additional sanctions and a firmer stance against Russia because of this.
Yet, with the exception of Iran, the countries with the most aggressive foreign policies (Russia, China, North Korea, Saudi Arabia, and Turkey) seem to currently support the election of Republican nominees.
But once you have the domain, somebody who knows what they're doing with DNS and SMTP absolutely could set up proper email services on it (forward-confirmed rDNS, SPF, DKIM signing, DMARC), and send spam with it. It's functionally equivalent to any other domain. Particularly if the intention was to be a one-shot approach that would "burn" both the domain and the hosting services, such as in the days leading up to an election.
A really smart bad actor would use some IP space from an ISP that traditionally has not been a source of spam. Eg: Not an ISP with a lot of low-dollar-value VPS/VM/hosting customers.
There's still some totally "clean" /24 IP blocks out there in the various RBLs and spam listing services if you go searching.
If I were an evil person and did this, I'd try to get the domain at least a few weeks in advance and try to generate a moderate volume of totally legit looking emails, destined for the top 20 major destinations (office365, gmail, etc) and verify from a bunch of sockpuppet accounts that the mail was actually getting delivered. Then I'd turn loose the fire hose.
Should a person want to be really evil, they'd do something like the reverse of what happened to the City of Baltimore with the cryptolocker trojan. Find a list of municipal (water, sewer, gas, electrical, property tax) bill payers and email each of them a plausible looking invoice, with cryptolocker attached. The likelihood of people opening it would be high.
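The point above is that SPF, DKIM and DMARC only prove that whoever sent the mail controls the domain in the From header; they say nothing about whether that domain is the real city. The following is an added example (not from the original article or this thread) of how a receiving filter can keep those two questions apart. The sample messages, the `VERIFIED_SENDERS` list and the `mx.example.net` authserv-id are constructed for the example; miami.gov is the thread's own example of a then-unregistered name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first is what a freshly
# registered, official-looking domain produces once SPF, DKIM and DMARC are
# set up correctly: every check passes.
AUTHENTICATED_UNKNOWN = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=alerts@miami.gov;
 dkim=pass header.d=miami.gov header.s=sel1;
 dmarc=pass (p=reject) header.from=miami.gov
From: "City of Miami" <alerts@miami.gov>
Subject: Polling place notice

Please read the attached notice.
"""

# Same From domain, but sent from infrastructure its owner did not authorize.
UNAUTHENTICATED = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=alerts@miami.gov;
 dkim=none;
 dmarc=fail (p=reject) header.from=miami.gov
From: "City of Miami" <alerts@miami.gov>
Subject: Polling place notice

Please read the attached notice.
"""

# Domains the receiving organization has confirmed out of band (constructed
# sample list, using the city domains named elsewhere in this thread).
VERIFIED_SENDERS = {"nyc.gov", "houstontx.gov", "phila.gov", "sanjoseca.gov"}

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
HEADER_FROM_RE = re.compile(r"header\.from=([A-Za-z0-9.-]+)", re.I)


def parse_auth_results(header_value):
    """Extract each method's result and the domain DMARC evaluated."""
    results = {m.group(1).lower(): m.group(2).lower()
               for m in RESULT_RE.finditer(header_value)}
    m = HEADER_FROM_RE.search(header_value)
    results["header_from"] = m.group(1).lower() if m else None
    return results


def classify(raw_message, verified=VERIFIED_SENDERS):
    """Return (verdict, details) for one RFC 5322 message.

    A DMARC pass proves control of the From-header domain, nothing more.
    Whether that domain belongs to the real city is answered only by the
    out-of-band `verified` list.
    """
    msg = message_from_string(raw_message)
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    aligned = ar.get("header_from") == from_domain  # DMARC identifier alignment

    if ar.get("dmarc") != "pass" or not aligned:
        verdict = "unauthenticated"        # spoofed or misconfigured: quarantine
    elif from_domain in verified:
        verdict = "verified-sender"        # domain control AND known identity
    else:
        verdict = "authenticated-unknown"  # domain control only: do not trust
    return verdict, {"from_domain": from_domain, **ar}


if __name__ == "__main__":
    for sample in (AUTHENTICATED_UNKNOWN, UNAUTHENTICATED):
        print(classify(sample))
```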
The Houston Chronicle reported today that the Texas GOP plans to purchase several domains resembling Democratic candidates and run active disinformation campaigns against them using fake campaign sites[0]. Might’ve had something to do with it.
Another news story today is the lawsuit against the "Devin Nunes' Cow/Mother" Twitter accounts run by anonymous DNC personnel. In each of these incidents the "disinformation" label is used by partisan officials and obsessively repeated by the media (because the creator's identity is not placed in large font at the top), but anyone who looks at it themselves can clearly see that such is satire and opposition material.
This one is particularly great. Made by an enterprising private individual. https://joebiden.info/
When was it confirmed that those twitter accounts were run by the DNC and not just ordinary people? Did the owners break anonymity to the press to prove ownership even though a lawsuit is trying to reveal their identity? That's wild.
"Devin Nunes' Cow" is obviously a satire account. As the judge ruled, a cow clearly can not tweet so nobody reasonably can believe that is actually his cow.
"ZweinerforTexas.com", "ZweinerforTx.com" are not obviously satire, they look like normal campaign urls and are clearly made to deceive.
I'd say it is an unnecessary position to take but would not call it especially partisan. There is no symmetry in the amount of election meddling that has been done by both parties. Saying the GOP may be a party interested in election meddling is like saying Iran may be interested in funding islamist terror groups. An unnecessary accusation, but hardly a partisan one.
Large cities tend to be blue, and you want to pick a recognizable large city name to get the point across. Politics aside, the example would've had less impact for a republican stronghold just because it wouldn't be as recognizable a city name.
2. No they don't, because nobody who'd fall for this would analyze the sender address/website URL, let alone for .gov instead of .org/.net/.com, and there's zero need to emulate a gov website anyway, when emulating a news site would be at least as effective
3. It relies on people reading an email on election day before voting and then not bothering to verify what it says anywhere, not having someone tell them it's fake and not hearing about the scam on the news they're watching for the bomb story
Far more direct to just spread those rumors through social media. Which more people pay attention to and believe than .gov. Or just make actual bomb threats.
Democrats _want_ people to vote, most voter registration drives and voter services (offering transportation to a polling place, etc) are run by Democrats or aligned organizations.
One of the major political parties in the US has been repeatedly engaging in voter suppression. Is it partisan to observe repeated behavior on one side of the political spectrum, and to extrapolate accordingly?
It's a figure, not every sentence needs to have stand-in characters written in to appeal to sensitivities like this. Also, maybe if he chose “Republican” it wouldn't hit home, and it'd sound like he's threatening his audience with a good time. ;- )
It could be criticized regardless of the characters chosen.
> “I used a fake Google Voice number and fake Gmail address,” said the source, who asked to remain anonymous for this story but who said he did it mainly as a thought experiment.
I don't think "thought experiment" applies to actually carrying out what you were thinking about.
>Technically, what my source did was wire fraud (obtaining something of value via the Internet/telephone/fax through false pretenses); had he done it through the U.S. mail, he could be facing mail fraud charges if caught.
Yeah, I'm pretty confident that a true thought experiment can't lead to wire fraud charges. "Security research" seems like a more popular, and reasonable, umbrella to hide behind.
The title reminds me when someone reported that it was just as easy to get fully-automatic firearms and other military gear from homeland security for free by pretending to be a police department (fake website) and a simple form.
An alarming amount of societal functionality depends on what effectively amounts to the honor system. This is especially true when it comes to any sort of gatekept specialty profession, like coroners for example.
This is an incredibly important comment. You cannot legislate loyalty to the country. You cannot legislate morality. You cannot legislate most of what makes a country a hospitable place to make a life.
Trust, but verify. In the TFA case at least, it shouldn’t be that hard to call the office’s number (not the filled out Google Voice number of course, but there has to be a number published by/available through reliable parties) and confirm “is it really your office who’s registering the domain”? if (printed on official letterhead) { return authorized; } is beyond stupid.
Some schemes create paper trails in federal agencies, others do not. In America you can acquire rifles without filling out any paperwork at all, let alone lying to a federal agency on paper. Converting those rifles to automatics can, again, be done without lying on any paperwork in a variety of ways (some more effective than others.) Somebody up to no good would be better served by low-profile acquisition schemes that fly under the radar of regulators, rather than getting their attention then trying to actively deceive them.
All schemes may be risky, but they're not all equally risky. Some schemes are more risky than others. However all of these schemes probably have negative expected payouts if you factor in the FBI being pretty damn good at their jobs. Whatever crime you hypothetically plan on committing with automatic rifles will almost certainly not have a positive payoff when you include the cost of getting busted, and you almost certainly will eventually get busted. When smart people decide to be criminals, they choose white collar crime (arrest rates are very low, and sentencing for those captured is frequently lax.) Violent crime is for idiots who fail to rationally consider the likely consequences of their actions.
Sure, but the point is that federal prison is always a factor in illegal arms, regardless of how you acquire them.
With modern machining and 3D printing, "ghost" guns can just be manufactured from scratch. There are even companies that sell legal components, blueprints and raw material meant to be easily tweaked and machined into a complete weapon.
If you want some irony, from the "dotgov.gov" website linked in the post:
>An official website of the United States government. Here's how you know:
>The .gov means it's official. Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.
Isn't the main issue that TLDs are a poor way of establishing trust?
Otherwise does every company and government need to get specialized TLDs to prevent impersonation? Even then it only works if users know and always notice the domain.
EV certs are dead for good reason but nothing seems to have replaced them.
I guess the only option is to verify each site once and then bookmark it and always make sure it's https. But on the first visit, how do I know chase.com is Chase Bank?
Isn't the homoglyph the IPA "ɑ" character used in place of Basic Latin "a"? The homoglyph URL attack also has some downsides because Unicode is only supported for domains through an extension system, most browsers will convert the above to "xn--chse-r5b.com" after you visit the link.
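The conversion described above, as an added example that is not part of the original post: a check a mail or proxy filter could run on a hostname. It performs the xn-- Punycode conversion a browser does for the IPA "ɑ" case, lists the non-ASCII characters a human would miss, and folds known confusables onto their ASCII look-alikes so that the result can be compared against a watch list. The confusable map and the watch list are constructed for the example, not the full Unicode confusables table.

```python
import unicodedata

# Minimal confusable map, constructed for this example: the thread's case is
# IPA "ɑ" (U+0251) standing in for Basic Latin "a", plus a few Cyrillic
# letters with the same glyph shape.
CONFUSABLES = {
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}


def to_ascii_label(label):
    """Encode one label as a resolver would: ASCII stays, else xn-- + Punycode."""
    label = label.lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def to_unicode_label(label):
    """Reverse of to_ascii_label for xn-- labels; other labels pass through."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_ascii(hostname):
    return ".".join(to_ascii_label(label) for label in hostname.split("."))


def to_unicode(hostname):
    return ".".join(to_unicode_label(label) for label in hostname.split("."))


def suspicious_chars(hostname):
    """Non-ASCII characters in the decoded name, with their Unicode names."""
    return [(ch, unicodedata.name(ch, "?"))
            for ch in to_unicode(hostname) if not ch.isascii()]


def skeleton(hostname):
    """Fold confusable characters so a look-alike collapses onto its target."""
    text = unicodedata.normalize("NFKC", to_unicode(hostname))
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def lookalike_of(hostname, watchlist):
    """Return the watched domain this hostname imitates, or None if it is
    either genuinely that domain or unrelated to the list."""
    target = skeleton(hostname)
    if target in watchlist and target != to_ascii(hostname):
        return target
    return None


if __name__ == "__main__":
    watch = {"chase.com"}  # constructed watch list
    for name in ("ch\u0251se.com", "xn--chse-r5b.com", "chase.com"):
        print(name, to_ascii(name), suspicious_chars(name), lookalike_of(name, watch))
```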
Interesting that this was done very shortly after the DOTGOV bill was introduced. It's possible that this attack was done by a supporter of the DOTGOV bill in order to provide evidence to help the bill pass.
Does anybody know why the USA hogs the toplevel domain? It's not the only government in the world. It would seem more just to make it more like .com than .edu.
Obviously, because of the history of the Internet deriving from Arpanet. The whole domain name structure grew out of the needs of the US government, even if the .com domain was the largest TLD from the start.
Nope, .gov belongs to the US, so they get to hog it.
It's a historical vestige, the Internet started out as a U.S. government-sponsored research network, so they built it for their own needs. There's absolutely no reason for them to give that up.
In addition to all the siblings, government isn't always spelled with 'gov' so it would be useful to the subset of countries where those letters make sense. Compared to, say, Mexico with http://gob.mx.
Together with selling .org to Ethos Capital, we're getting a worrying picture of problems with the current model of managing TLDs.
Managing TLDs is a lot of power in 2019, since the Internet is such a powerful player now.
I'm not sure what's the best way to manage it, but I am sure that if we leave it as is, we'll see more and more deal with dodgy commercial entities or more entities getting domain names they should not own.
Else it's obviously too much bother, your domain will get axed.
Compare to all the domains that won't get axed.
Do they really expect us to believe the population will get fooled on a losangeles.gov but not losangelesgovernment.ws? The difference will be a small percent.
> then on Election Day send out emails signed by .gov
Why the hell won't these be junked like any spam? New domain. Sudden flood. People marking as spam. What, are we in 2010?
This guy has the best and probably most read blog on cybersecurity incidents. He's smart enough to serve ads from his own domain but can't even bother to make his site mobile friendly? I've seen people pick on the sites of free tools and side projects for the same reason but somehow this gets a pass.
Well, it loads instantly and I can read it just fine on my mobile device, which is more than I can say for half of "mobile friendly" sites out there, so there's that...
Anyway, he mentioned about a year ago that he knows the design of his blog is outdated, and he was looking at making it more modern.
...yeah? And? Everyone does whatever they want, not even criminal law makes it impossible to act a certain way. What's your point? It's still a terrible design choice, and it alienates a great number of potential readers.
Coincidentally, I just watched a Family Guy episode where Peter and Tom Tucker shoot a skateboarding video, which ends up with Peter being attacked by a bear. The skit ends with a fake advert for www.shirt.gov
Obviously, they thought that there was no way someone could register shirt.gov... how wrong they were ;)
Because they created it as one of the original TLDs (along with .arpa, .com, .org, .net, .int, .edu, and .mil) for their research network, ARPANET. Later on the Internet was built from ARPANET.
If we go back to the original PageRank algorithm, I don't think it would be affected by this attack. The original algorithm just counts the number of links (or number of sites making links), not the TLDs. So a .com site would be just as good as a .gov site.
Yes but they used to have, if I remember correctly, higher PR. Back in the day (Twitter had 10, Google had 9 and any gov had 7 at least) I used to buy those and link to my directory webs.
I wonder if anyone's done any sort of research on how many possible fraudulent .gov sites there could be. Definitely seems like a tool disseminators of fake news and hate campaigns would use.
> who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a “.us” domain name, and impersonating the town’s mayor in the application.
He also can get prosecuted and potentially jail time for such a gamble.
> He also can get prosecuted and potentially jail time for such a gamble.
I'm sure such a threat is definitely going to stop the bad guys, so let's not worry about actual security. /s
The people that should be prosecuted are the ones falling for such an obvious fraud. If you're in control of the .gov TLD and explicitly tell people to use the domain as a sign of legitimacy you are expected to know what you're doing and not be an idiot like the people currently running it.
I would also like to add signing up for an AWS Gov account was at least 12 months ago...a completely automated process where I was approved in no more than 15 mins. The account had a credit card but otherwise was 100% still in free tier mode, and in fact was being used by an open source team so it included ppl from around the world.
The CIA has stated multiple times in court documents (typically they have emerged in cases where the FBI attaché that all embassies have post-9/11 or someone similar is testifying) concerns about this and why they demanded and got “AWS secret”, a level higher than gov, that was opened in 2017.
Keep in mind though that many governments at state and local still use the TLD of “.us”. For instance Texas has widely used, until within the last year, “https:<subdomain>state.tx.us”. Many states have this legacy naming convention left over, and of course the restrictions are about as paper thin and as easily avoided on .us as they are on .gov, if not more so. There are changes in the works for this though.
More concerningly though is that the recent issue with the .org TLD clearly, and this can be proven in a straightforward manner, involves a group with unlimited funding by the People’s Liberation Army making this purchase. Ethol Capital is a joke of a firm. They’ve already sanitized the Google Search Results about them, which lol should be obvious when you realize they have taken out a Google Ad for “keypointsabout.org” when you Google them. The proof though is that if you look at court documents from 2015 you will find mention of a firm...SharkTech. Another front company that the PLA loans out from time to time to the Middle East and even as I recall Israel. Anyway as I’ve stated before in comments if you do the reverse Whois searches and dns subdomain enumeration you can find the trail back to No 31 Jin-rong Street. I’ve been asked before to write a post about this always elaborating and Christ I finally took out a domain https://blog.12security.com ... it has nothing on it but Jesus just look at the DNS records it took forever to get that DMARC record to the strictest level involving no 3rd parties and also to split that DKIM key across 3 txt records...which you have to do sometimes for the 2048 keys.
EDIT: forgot to mention there is obviously a connection between SharkTech and Ethol Capital. That will be proven in the blog and it is on me and my very tardy credibility to do it :)
look at http://dcsmanage.com out of Los Angeles though if you want to get a head start, and if anyone claims that’s a real IT firm...
>I would also like to add signing up for an AWS Gov account was at least 12 months ago...a completely automated process where I was approved in no more than 15 mins. The account had a credit card but otherwise was 100% still in free tier mode, and in fact was being used by an open source team so it included ppl from around the world.
Are you implying this is somehow an issue? Any US person is able to spin up a Govcloud environment, it isn't meant to be limited to only government agencies/organizations.
I recently worked on a project where we created a govcloud for a non-government company that wanted a secure enclave for a subset of their data. It's certainly not a problem, and I'm not seeing how it relates to this article
Sounds to me like this researcher is going to be brought up on charges. Well deserved charges. We don’t know what he did with this domain before he contacted krebs. He very well could be covering his tracks and creating plausible deniability.
You break the law, you go to jail. Simple as that. They ought to make an example out of him.
Surely everyone already knows what happens if you maliciously create a .gov domain? What would making an example of this security researcher do, other than have a chilling effect on the field as a whole?