U.S. General Services Administration

US Government Sites Give Bad Security Advice

Many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.

For example, the official U.S. Census Bureau website https://my2020census.gov carries a message that reads, “An official Web site of the United States government. Here’s how you know.” Clicking the last part of that statement brings up a panel with the following information:

A message displayed at the top of many U.S. .gov Web sites.

The text I have a beef with is the bit on the right, beneath the “This site is secure” statement. Specifically, it says, “The https:// ensures that you are connecting to the official website….”

Here’s the deal: The https:// part of an address (also called “Secure Sockets Layer” or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and cannot be read by third parties.

However, the presence of “https://” or a padlock in the browser address bar does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

In other words, while readers should never transmit sensitive information to a site that does not use https://, the presence of this security feature tells you nothing about the trustworthiness of the site in question.

Here’s a sobering statistic: According to PhishLabs, by the end of 2019 roughly three-quarters (74 percent) of all phishing sites were using SSL certificates. PhishLabs found this percentage increased from 68% in Q3 and 54% in Q2 of 2019.

“Attackers are using free certificates on phishing sites that they create, and are abusing the encryption already installed on hacked web sites,” PhishLabs founder and CTO John LaCour said.

Image: PhishLabs.com

The truth is anyone can get an SSL certificate for free, and that’s a big reason why most phishing sites now have them. The other reason is that they help phishers better disguise their sites as legitimate, since many Web browsers now throw up security warnings on non-https:// sites.

KrebsOnSecurity couldn’t find any reliable information on how difficult it may be to obtain an SSL certificate for a .gov site once one has a .gov domain, but it is apparently not difficult for just about anyone to get their very own .gov domain name.

The U.S. General Services Administration (GSA), which oversees the issuance of .gov domains, recently made it a tiny bit more difficult to do so — by requiring all applications be notarized — but this seems a small hurdle for scam artists to clear.

Regardless, it seems the federal government is doing consumers a disservice with this messaging, by perpetuating the myth that the presence of “https://” in a link denotes any kind of legitimacy.

“‘Https’ does not mean that you are at the correct website or that the site is secure,” LaCour said. “It only indicates that the connection is encrypted. The server could still be misconfigured or have software vulnerabilities. It is good that they mention to look for ‘.gov’. There’s no guarantee that a .gov website is secure, but it should help ensure that visitors are on the right website.”

I should note that this misleading message seems to be present only on some federal government Web sites. For instance, while the sites for the GSA, the Department of Labor, Department of Transportation, and Department of Veterans Affairs all include the same wording, those for the Commerce Department and Justice Department are devoid of the misleading text, stating:

“This site is also protected by an SSL (Secure Sockets Layer) certificate that’s been signed by the U.S. government. The https:// means all transmitted data is encrypted — in other words, any information or browsing history that you provide is transmitted securely.”

Other federal sites — like dhs.gov, irs.gov and epa.gov — simply have the “An official website of the United States government” declaration at the top, without offering any tips about how to feel better about that statement.

U.S. Govt. Makes it Harder to Get .Gov Domains

The federal agency in charge of issuing .gov domain names is enacting new requirements for validating the identity of people requesting them. The additional measures come less than four months after KrebsOnSecurity published research suggesting it was relatively easy for just about anyone to get their very own .gov domain.

In November’s piece It’s Way Too Easy to Get a .gov Domain Name, an anonymous source detailed how he obtained one by impersonating an official at a small town in Rhode Island that didn’t already have its own .gov.

“I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the source said. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”

While what my source did was technically wire fraud (obtaining something of value via the Internet through false pretenses), cybercriminals bent on using fake .gov domains to hoodwink Americans likely would not be deterred by such concerns.

“I never said it was legal, just that it was easy,” the source told KrebsOnSecurity. “I assumed there would be at least ID verification. The deepest research I needed to do was Yellow Pages records.”

Now, Uncle Sam says in a few days all new .gov domain applications will include an additional authorization step.

“Effective on March 10, 2020, the DotGov Program will begin requiring notarized signatures on all authorization letters when submitting a request for a new .gov domain,” reads a notice published March 5 by the U.S. General Services Administration, which overseas the .gov space.

“This is a necessary security enhancement to prevent mail and wire fraud through signature forgery in obtaining a .gov domain,” the statement continues. “This step will help maintain the integrity of .gov and ensure that .gov domains continue to be issued only to official U.S. government organizations.”

The GSA didn’t say whether it was putting in place any other safeguards, such as more manual verification of .gov domain applications. It certainly hadn’t followed up on the fraudulent application from my source before granting him the .gov domain name he sought (exeterri[.]gov). The GSA only did that four days after I asked them for comment, and approximately 10 days after they’d already granted the phony domain request.

“GSA is working with the appropriate authorities and has already implemented additional fraud prevention controls,” the agency said in a written statement at the time, without elaborating on what those additional controls might be.

But I’m left to wonder: If I’m a bad guy who’s willing to forge someone’s signature and letterhead in a fraudulent application for a .gov domain, why wouldn’t I also be willing to fake a notarization? Especially when there are plenty of services in the cybercrime underground that specialize in spoofing these phony attestations for a small fee.

“This is a classic case of ‘we must do something’ and this is certainly something,” said John Levine, a domain name expert, consultant and author of the book The Internet for Dummies.

Levine said it would not be terribly difficult for the GSA to do a slightly more thorough job of validating .gov domain requests, but that some manual verification probably would be required. Still, he said, it’s not clear how big a threat fake .gov domains really are.

“As far as we know, only one person tried to fake a .gov,” Levine said. “Maybe this is good enough?”

The Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security, has argued that more needs to be done to secure the .gov domain space, and is making a play to wrest control over the process from the GSA.

The DOTGOV bill, introduced in October 2019, would “ensure that only authorized users obtain a .gov domain, and proactively validate existing .gov holders,” according to a statement CISA shared with this author last year.

It’s Way Too Easy to Get a .gov Domain Name

Technical Security Assessment

Lorem ipsum dolor sit amet

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam elit enim, lacinia at eleifend vitae, mattis vitae arcu. Maecenas faucibus, neque sit amet venenatis malesuada, libero elit consectetur dolor, ut tempus ligula urna vel ligula. Maecenas nulla elit, aliquam quis sollicitudin dignissim, ullamcorper consectetur arcu. Aenean ornare sem urna, vel aliquet lacus hendrerit non. Mauris cursus lectus nec dui fringilla viverra. Phasellus molestie erat non risus blandit, eu tincidunt felis aliquet. Pellentesque enim massa, vulputate eu quam in, interdum pellentesque leo. Aliquam non scelerisque dui, quis semper turpis. Nam eget semper dolor.

Lorem ipsum

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Lorem ipsum

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Lorem ipsum

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Lorem ipsum

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Lorem ipsum dolor sit amet

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam elit enim, lacinia at eleifend vitae, mattis vitae arcu. Maecenas faucibus, neque sit amet venenatis malesuada, libero elit consectetur dolor, ut tempus ligula urna vel ligula. Maecenas nulla elit, aliquam quis sollicitudin dignissim, ullamcorper consectetur arcu. Aenean ornare sem urna, vel aliquet lacus hendrerit non. Mauris cursus lectus nec dui fringilla viverra. Phasellus molestie erat non risus blandit, eu tincidunt felis aliquet. Pellentesque enim massa, vulputate eu quam in, interdum pellentesque leo. Aliquam non scelerisque dui, quis semper turpis. Nam eget semper dolor.

technical security assessment

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam elit enim, lacinia at eleifend vitae, mattis vitae arcu. Maecenas faucibus, neque sit amet venenatis malesuada, libero elit consectetur dolor, ut tempus ligula urna vel ligula. Maecenas nulla elit, aliquam quis sollicitudin dignissim, ullamcorper consectetur arcu.

A solution for every business need

We offer a wide range of services within this category. Please contact us today to further explore the areas in which you can improve your IAM systems.

About

IT Security.org are based in the UK, offering a range of IT security solutions ranging from compliance and risk management to testing, training and much more.

Follow Us

Contact Us

© Copyright ITSecurity.Org Ltd 2015-2019 All Rights Reserved. Company Registration Number:11208508. Registered office address: 27 Old Gloucester Street, Holborn, London, United Kingdom, WC1N 3AX. VAT Reg.299747227