A new report from cybersecurity watchdog Brian Krebs revealed that it is alarmingly easy to get a .gov site. An unnamed source impersonated a small-town mayor using a fake Google Voice number and a fake Gmail address, and it's baffling just how easily he got himself an official .gov website.
“I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the source said. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”
Facebook's law enforcement subpoena system
If that isn't scary enough, once the person had the .gov domain, they were also privy to Facebook's law enforcement subpoena system. This system gives government agencies permission to request Facebook users' personal data.
Krebs explained that what his source did was wire fraud, which is something his source was well aware of.
“I never said it was legal, just that it was easy,” the source said. “I assumed there would be at least ID verification. The deepest research I needed to do was Yellow Pages records.”
Krebs reached out to the town of Exeter, Rhode Island, which is the town that the source impersonated. He asked if the U.S. General Services Administration (GSA), the agency responsible for managing the .gov domains, had made any attempts to validate the request for a .gov site.
Too little, too late
The GSA reached out only four days after Krebs reported the fraud to the agency. This was about 10 days after the GSA had already issued the fraudulent domain.
But it is not all bad news. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) told Krebs it is now aiming to take control of the issuance of all .gov domains.
“The .gov top-level domain (TLD) is critical infrastructure for thousands of federal, state and local government organizations across the country,” reads a statement CISA sent to Krebs. “Its use by these institutions should instill trust. In order to increase the security of all US-based government organizations, CISA is seeking the authority to manage the .gov TLD and assume governance from the General Services Administration.”