> Yes, you read that right: houston.gov, losangeles.gov, newyorkcity.gov, and philadelphia.gov are all still available. As is the .gov for San Jose, Calif., the economic, cultural and political center of Silicon Valley.
A minor nit: Many of these cities do have a .gov domain. For example, NYC has nyc.gov. So, I would suspect (or I’d hope) the GSA wouldn’t issue newyorkcity.gov to a random fraudster as easily.
Houston has houstontx.gov.
Philadelphia has phila.gov.
San Jose has sanjoseca.gov.
LA has... lacity.org? That's a bit unexpected.
Some cities may also use a subdomain of their states domain, which may or may not be a .gov.
This reminds me of how long-winded the domain hierarchy for .us originally was. In MN (not sure if it's the same for every state), city domains were "www.ci.cityname.mn.us". Then the school district's web site was "www.cityname.k12.mn.us". Not only was the order inconsistent (why not www.k12.cityname etc.?) but sometimes the city might be typed differently - i.e. the main Minneapolis site had "minneapolis" in the domain, but the school district had "mpls".
In the primordial days of the web, back before good search engines, this didn't make it very easy to find the school's web site.
Fortunately many governments realized this and moved once .gov became available to cities & states. (or they just used .org). For instance Minneapolis uses minneapolismn.gov, but many are still on the old style domains. The school district uses mpls.k12.mn.us, but at least they've dropped the "www."
$firstname[.$middlename].$lastname@employee.$municipalityName.municipality.no
where "employee" and "municipality" are literal strings (in Norwegian) and the others are variables. It's incredible, I've seen people with 50 character long email addresses.

ci.<locality name>.<state>.us is assigned to the city, there are several other similarly non-obvious assignments, anyone is permitted to register one.
I found this page that talks about it more: http://telecafe.org/smw/.US_Locality_Domains
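As an added illustration of the legacy .us locality scheme described in the comments above (this is example code, not something from the thread or the linked page), the classifier below recognises the forms mentioned: ci.<locality>.<st>.us for cities, <district>.k12.<st>.us for school districts (note the reversed order), co.<locality>.<st>.us for counties, <subdomain>.state.<st>.us for state government, and plain .gov. The host names in the sample run are constructed; the county form is an assumption of the same pattern as the city form.

```python
import re
from typing import NamedTuple, Optional


class Entity(NamedTuple):
    kind: str                 # city, county, school-district, state, gov, other
    locality: Optional[str]   # locality label, where the scheme has one
    state: Optional[str]      # two-letter state code, where present


# Legacy .us locality forms from the discussion. The entity code precedes the
# locality for cities and counties (ci.minneapolis.mn.us) but follows it for
# school districts (mpls.k12.mn.us). Order matters: first match wins.
_PATTERNS = [
    ("city", re.compile(r"^(?:www\.)?ci\.(?P<loc>[a-z0-9-]+)\.(?P<st>[a-z]{2})\.us$")),
    ("county", re.compile(r"^(?:www\.)?co\.(?P<loc>[a-z0-9-]+)\.(?P<st>[a-z]{2})\.us$")),
    ("school-district", re.compile(r"^(?:www\.)?(?P<loc>[a-z0-9-]+)\.k12\.(?P<st>[a-z]{2})\.us$")),
    ("state", re.compile(r"^(?:[a-z0-9-]+\.)*state\.(?P<st>[a-z]{2})\.us$")),
    ("gov", re.compile(r"^(?:[a-z0-9-]+\.)*(?P<loc>[a-z0-9-]+)\.gov$")),
]


def classify(host: str) -> Entity:
    """Map a host name onto the .us locality hierarchy (or .gov)."""
    host = host.strip().lower().rstrip(".")
    for kind, pattern in _PATTERNS:
        m = pattern.match(host)
        if m:
            groups = m.groupdict()
            return Entity(kind, groups.get("loc"), groups.get("st"))
    return Entity("other", None, None)


def summarize(hosts) -> dict:
    """Group host names by the kind of entity their name claims to represent."""
    out = {}
    for h in hosts:
        out.setdefault(classify(h).kind, []).append(h)
    return out


if __name__ == "__main__":
    # Constructed sample input echoing the names used in the thread.
    sample = [
        "www.ci.minneapolis.mn.us", "mpls.k12.mn.us", "minneapolismn.gov",
        "www.state.tx.us", "co.hennepin.mn.us", "lacity.org", "nyc.gov",
    ]
    for host in sample:
        print(f"{host:28} -> {classify(host)}")
    print(summarize(sample))
```

Note that a name matching one of these shapes only tells you which slot in the hierarchy it occupies; as the thread points out, registration under the locality names has not been restricted to the entities they describe, so a match is not a sign of legitimacy.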
Legitimate domains for government entities should ALL be on .gov, which should be rigorously controlled.
Then I can tell my family to trust any .gov site, and assume that anything else is fraudulent.
lacity.org undermines this.
Vs lacounty.gov I guess?
It needs disambiguation because of Louisiana, while "Los Angeles" is more heavily in the collective conscious
> A review of the Top 10 most populous U.S. cities indicates only half of them have obtained .gov domains, including Chicago, Dallas, Phoenix, San Antonio, and San Diego.
Is factually wrong.
Now consider what a well-funded adversary could do on Election Day armed with a handful of .gov domains for some major cities in Democrat strongholds within key swing states: The attackers register their domains a few days in advance of the election, and then on Election Day send out emails signed by .gov from, say, miami.gov (also still available) informing residents that bombs had gone off at polling stations in Democrat-leaning districts. Such a hoax could well decide the fate of a close national election.
Why the need to specify "Democrat" strongholds? Doesn't this attack work for any other political-party strongholds as well? Seems like an unnecessarily partisan position to take.
But once you have the domain, somebody who knows what they're doing with DNS and SMTP absolutely could set up proper email services on it (forward-confirmed rDNS, SPF, DKIM signing, DMARC), and send spam with it. It's functionally equivalent to any other domain. Particularly if the intention was to be a one-shot approach that would "burn" both the domain and the hosting services, such as in the days leading up to an election.
A really smart bad actor would use some IP space from an ISP that traditionally has not been a source of spam. E.g. not an ISP with a lot of low-dollar-value VPS/VM/hosting customers.
There's still some totally "clean" /24 IP blocks out there in the various RBLs and spam listing services if you go searching.
If I were an evil person and did this, I'd try to get the domain at least a few weeks in advance and try to generate a moderate volume of totally legit looking emails, destined for the top 20 major destinations (office365, gmail, etc) and verify from a bunch of sockpuppet accounts that the mail was actually getting delivered. Then I'd turn loose the fire hose.
Should a person want to be really evil, they'd do something like the reverse of what happened to the City of Baltimore with the cryptolocker trojan. Find a list of municipal (water, sewer, gas, electrical, property tax) bill payers and email each of them a plausible looking invoice, with cryptolocker attached. The likelihood of people opening it would be high.
0: https://www.houstonchronicle.com/news/politics/texas/article...
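The comment above argues that mail from a domain the attacker registered and configured properly is "functionally equivalent to any other domain" as far as SPF, DKIM and DMARC go. The Python below is an added example (not code from the thread) that evaluates DMARC identifier alignment for two constructed messages: one from a placeholder domain the attacker owns and has set up correctly, and one that forges a different placeholder domain's From header on the same infrastructure. All domain names, policy records and header values are invented for the example; none are the real records of any domain mentioned in the thread. The organizational-domain logic is simplified to the last two labels, where a real evaluator would use the Public Suffix List.

```python
import re


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' record (DMARC policy, DKIM-Signature)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Simplification for the example: take the last two labels. Real
    # evaluators use the Public Suffix List to find the registrable domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(candidate: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: 's' requires an exact match, 'r' the same org domain."""
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


def header_domain(addr: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def evaluate(headers: dict, spf_result: str, dkim_result: str, dmarc_record: str) -> dict:
    """Apply the From domain's DMARC policy to one message's SPF/DKIM outcomes.

    spf_result/dkim_result are the raw verifier results ('pass'/'fail'); DMARC
    additionally requires the authenticated identifier (SPF MAIL FROM domain,
    DKIM d= domain) to align with the RFC5322.From domain. pct= sampling and
    the sp= subdomain policy are ignored here for brevity.
    """
    policy = parse_tags(dmarc_record)
    from_domain = header_domain(headers["From"])
    mailfrom_domain = header_domain(headers.get("Return-Path", ""))
    dkim_domain = parse_tags(headers.get("DKIM-Signature", "")).get("d", "")

    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy.get("p", "none"),
    }


# Constructed sample messages and policies (placeholders, not real records).
# Scenario 1: attacker owns examplecity.gov, publishes strict DMARC and signs.
ATTACKER_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s"
OWNED = {
    "From": '"City Alerts" <alerts@examplecity.gov>',
    "Return-Path": "<bounce@examplecity.gov>",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=examplecity.gov; s=mail; h=from:to:subject; bh=BASE64HASH; b=BASE64SIG",
}
# Scenario 2: same infrastructure, but the From header forges targetcity.gov.
TARGET_DMARC = "v=DMARC1; p=reject"
FORGED = {
    "From": '"City Alerts" <alerts@targetcity.gov>',
    "Return-Path": "<bounce@examplecity.gov>",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=examplecity.gov; s=mail; h=from:to:subject; bh=BASE64HASH; b=BASE64SIG",
}

if __name__ == "__main__":
    print("owned domain :", evaluate(OWNED, "pass", "pass", ATTACKER_DMARC))
    print("forged domain:", evaluate(FORGED, "pass", "pass", TARGET_DMARC))
```

The first scenario passes and the second is rejected, which is the whole of what these protocols decide: the sender controls the domain in the From header. Whether that domain belongs to a real government is outside their scope, which is why the thread keeps coming back to who is allowed to register the name in the first place.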
This one is particularly great. Made by an enterprising private individual. https://joebiden.info/
1. Attacker needs a .gov from a swing state
2. No they don't, because nobody who'd fall for this would analyze the sender address/website URL, let alone for .gov instead of .org/.net/.com, and there's zero need to emulate a gov website anyway, when emulating a news site would be at least as effective
3. It relies on people reading an email on election day before voting and then not bothering to verify what it says anywhere, not having someone tell them it's fake and not hearing about the scam on the news they're watching for the bomb story
Far more direct to just spread those rumors through social media. Which more people pay attention to and believe than .gov. Or just make actual bomb threats.
tl;dr: republicans tend to win by slimmer margins compared to democrats
https://en.wikipedia.org/wiki/Voter_suppression_in_the_Unite...
It could be criticized regardless of the characters chosen.
I don't think "thought experiment" applies to actually carrying out what you were thinking about.
There was a great talk at DefCon about faking death: https://m.youtube.com/watch?v=9FdHq3WfJgs
Culture matters more than anything else.
People try to build trust-less systems all the time (like blockchains) but always run up against someplace where trust is required.
A) military gear is more than automatic weapons. Sometimes they send out things harder to come by than guns to police departments.
B) This scheme costs less than pennies on the dollar.
>An official website of the United States government. Here's how you know:
>The .gov means it's official. Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.
Otherwise does every company and government need to get specialized TLDs to prevent impersonation? Even then it only works if users know and always notice the domain.
EV certs are dead for good reason but nothing seems to have replaced them.
I guess the only option is to verify each site once and then bookmark it and always make sure it's https. But on the first visit, how do I know chase.com is Chase Bank?
If you tend to use search engines to find websites, you are trusting the search engine to give you the website for Chase Bank.
https://en.wikipedia.org/wiki/Extended_Validation_Certificat...
It's a historical vestige, the Internet started out as a U.S. government-sponsored research network, so they built it for their own needs. There's absolutely no reason for them to give that up.
Managing TLDs is a lot of power in 2019, since the Internet is such a powerful player now.
I'm not sure what's the best way to manage it, but I am sure that if we leave it as is, we'll see more and more deals with dodgy commercial entities or more entities getting domain names they should not own.
If someone is doing this, then link?
Else it's obviously too much bother, your domain will get axed.
Compare to all the domains that won't get axed.
Do they really expect us to believe the population will get fooled on a losangeles.gov but not losangelesgovernment.ws, the difference will be a small percent.
> then on Election Day send out emails signed by .gov
Why the hell won't these be junked like any spam? New domain. Sudden flood. People marking as spam. What, are we in 2010?
This guy has the best and probably most read blog on cybersecurity incidents. He's smart enough to serve ads from his own domain but can't even bother to make his site mobile friendly? I've seen people pick on the sites of free tools and side projects for the same reason but somehow this gets a pass.
Anyway, he mentioned about a year ago that he knows the design of his blog is outdated, and he was looking at making it more modern.
Obviously, they thought that there was no way someone could register shirt.gov... how wrong they were ;)
He also can get prosecuted and potentially jail time for such a gamble.
I'm sure such a threat is definitely going to stop the bad guys, so let's not worry about actual security. /s
The people that should be prosecuted are the ones falling for such an obvious fraud. If you're in control of the .gov TLD and explicitly tell people to use the domain as a sign of legitimacy you are expected to know what you're doing and not be an idiot like the people currently running it.
The CIA has stated multiple times in court documents (typically they have emerged in cases where the FBI attaché that all embassies have post-9/11 or someone similar is testifying) concerns about this and why they demanded and got “AWS secret”, a level higher than gov, that was opened in 2017.
Keep in mind though that many governments at state and local still use the TLD of “.us”. For instance Texas has widely used, until within the last year, “https:<subdomain>state.tx.us”. Many states have this legacy naming convention left over, and of course the restrictions are about as paper thin and avoided on .us as they are on .gov, if not more so. There are changes in the works for this though.
More concerningly though is that the recent issue with the .org TLD clearly, and this can be proven in a straightforward manner, involves a group with unlimited funding by the People’s Liberation Army making this purchase. Ethol Capital is a joke of a firm. They’ve already sanitized the Google Search Results about them, which lol should be obvious when you realize they have taken out a Google Ad for “keypointsabout.org” when you Google them. The proof though is that if you look at court documents from 2015 you will find mention of a firm...SharkTech. Another front company that the PLA loans out from time to time to the Middle East and even as I recall Israel. Anyway as I’ve stated before in comments if you do the reverse Whois searches and dns subdomain enumeration you can find the trail back to No 31 Jin-rong Street. I’ve been asked before to write a post about this always elaborating and Christ I finally took out a domain https://blog.12security.com ... it has nothing on it but Jesus just look at the DNS records it took forever to get that DMARC record to the strictest level involving no 3rd parties and also to split that DKIM key across 3 txt records...which you have to do sometimes for the 2048 keys.
EDIT: forgot to mention there is obviously a connection between SharkTech and Ethol Capital. That will be proven in the blog and it is on me and my very tardy credibility to do it :) look at http://dcsmanage.com out of Los Angeles though if you want to get a head start, and if anyone claims that’s a real IT firm...
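Two comments in this thread touch on publishing mail authentication records: the earlier one noting that whoever holds a domain can set up SPF, DKIM signing and DMARC properly, and the one just above about splitting a 2048-bit DKIM key across several TXT strings and pushing a DMARC record to the strictest level with no third parties. The Python below is an added example (not code from the thread, and not the records of blog.12security.com or any other domain mentioned) showing both: building the DKIM TXT value and splitting it into the 255-byte character-strings DNS requires, reassembling it the way a receiver does, and listing everything that keeps a DMARC record short of p=reject with strict alignment and same-domain reporting. The key bytes are a random stand-in for a real 2048-bit RSA public key, and examplecity.gov is a placeholder domain.

```python
import base64
import random


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' record (DKIM TXT value, DMARC policy)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dkim_txt_strings(public_key_der: bytes, max_len: int = 255) -> list:
    """Build the TXT value for <selector>._domainkey.<domain> and split it into
    character-strings of at most 255 bytes, the DNS limit per string. A
    2048-bit RSA key is about 392 base64 characters, so it never fits in one
    string; the zone carries one TXT record made of several strings."""
    p = base64.b64encode(public_key_der).decode("ascii")
    value = f"v=DKIM1; k=rsa; p={p}"
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]


def dkim_key_from_txt(strings: list) -> bytes:
    """Receiver side: concatenate the strings, then decode the p= tag."""
    tags = parse_tags("".join(strings))
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM key record")
    return base64.b64decode(tags["p"])


def dmarc_findings(domain: str, record: str) -> list:
    """List everything keeping a DMARC record below the strictest setting:
    p=reject, sp=reject, pct=100, strict DKIM/SPF alignment, and report
    addresses on the policy domain itself (reports routed to another domain
    need that domain to publish an external authorization record)."""
    t = parse_tags(record)
    findings = []
    if t.get("v") != "DMARC1":
        findings.append("v tag is not DMARC1")
    if t.get("p") != "reject":
        findings.append(f"p={t.get('p', 'missing')} (want reject)")
    if t.get("sp", t.get("p")) != "reject":
        findings.append("subdomain policy sp is weaker than reject")
    if t.get("pct", "100") != "100":
        findings.append(f"pct={t['pct']} leaves some mail unenforced")
    for tag in ("adkim", "aspf"):
        if t.get(tag, "r") != "s":
            findings.append(f"{tag} is relaxed (want s)")
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in t.get(tag, "").split(",")):
            if not uri:
                continue
            # mailto:addr@domain!size -> domain; size suffix is optional
            addr_domain = uri.split("@")[-1].split("!")[0].lower()
            if not (addr_domain == domain or addr_domain.endswith("." + domain)):
                findings.append(f"{tag} reports go to a third party: {addr_domain}")
    return findings


# Constructed stand-in for a 2048-bit RSA SubjectPublicKeyInfo (294 DER bytes).
# Random bytes are used so the example runs without a crypto library.
_rng = random.Random(2019)
FAKE_KEY_DER = bytes(_rng.getrandbits(8) for _ in range(294))

# Constructed DMARC records for the placeholder domain, strict and weak.
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@examplecity.gov"
WEAK_DMARC = "v=DMARC1; p=none; pct=50; rua=mailto:reports@dmarc-vendor.example"

if __name__ == "__main__":
    strings = dkim_txt_strings(FAKE_KEY_DER)
    print(f"DKIM TXT record: {len(strings)} strings, lengths {[len(s) for s in strings]}")
    print("round trip ok:", dkim_key_from_txt(strings) == FAKE_KEY_DER)
    print("strict record findings:", dmarc_findings("examplecity.gov", STRICT_DMARC))
    print("weak record findings:", dmarc_findings("examplecity.gov", WEAK_DMARC))
```

The splitting is what the comment above describes as spreading the key over several TXT entries: DNS limits each character-string to 255 bytes, so the key is published as one TXT record with multiple strings that resolvers and DKIM verifiers concatenate back together. Keeping rua/ruf on the policy domain is the "no 3rd parties" part; sending reports elsewhere is allowed, but only when the receiving domain opts in with its own DNS record.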
Are you implying this is somehow an issue? Any US person is able to spin up a Govcloud environment, it isn't meant to be limited to only government agencies/organizations.
I recently worked on a project where we created a govcloud for a non-government company that wanted a secure enclave for a subset of their data. It's certainly not a problem, and I'm not seeing how it relates to this article
And "No 31 Jin-rong Street" is like multiple /8's worth of users, China's largest ISP.
According to rshnotsecure every hosting company seems to be a government front, even really small ones like ramnode.
You break the law, you go to jail. Simple as that. They ought to make an example out of him.
This is laughably ignorant. It's absolutely not simple as that, by chance.
Who was the victim?