It’s Way Too Easy To Get a .gov Domain Name

Brian Krebs:

Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org. But a recent experience suggests this trust may be severely misplaced, and that it is relatively straightforward for anyone to obtain their very own .gov domain. Earlier this month, KrebsOnSecurity received an email from a researcher who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a “.us” domain name, and impersonating the town’s mayor in the application.

“I used a fake Google Voice number and fake Gmail address,” said the source, who asked to remain anonymous for this story but who said he did it mainly as a thought experiment. “The only thing that was real was the mayor’s name.” The email from this source was sent from exeterri[.]gov, a domain registered on Nov. 14 that at the time displayed the same content as the .us domain it was impersonating — town.exeter.ri.us — which belongs to the town of Exeter, Rhode Island (the impostor domain is no longer resolving). “I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the source continued. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”

As found on Slashdot

Democrats Propose Sweeping Online Privacy Laws

mspohr quotes a report from The Guardian:

Top Democrats on Tuesday proposed tough new privacy laws to rein in the U.S.’s tech companies after a series of scandals that have shaken confidence in the companies and exposed the personal data of millions of consumers. The effort, led by Senator Maria Cantwell, the top Democrat on the Senate commerce, science and transportation committee, aims to “provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.” The Consumer Online Privacy Rights Act (Copra) comes after a series of failed attempts to rein in the tech giants in the U.S.

The act resembles Europe’s sweeping General Data Protection Regulation (GDPR) legislation, passed in 2016. It would force tech companies to disclose the personal information they have collected, delete or correct inaccurate or incomplete information and allow consumers to block the sale of their information. The bill’s sponsors are all Democrats and include presidential candidate Senator Amy Klobuchar. “Companies continue to profit off of the personal data they collect from Americans, but they leave consumers completely in the dark about how their personal information is being used,” she said. “It’s time for Congress to pass comprehensive privacy legislation.”