0
The US government is rolling out new security protections for .gov domains with measures meant to prevent DNS domain takeover attacks.
Starting last week, with October 1, DotGov, the official registrar that manages official .gov domains for the US government has begun rolling out a 2-step verification (2SV) system to protect .gov registrar accounts.
These are the accounts that sysadmins in federal, state, and local administration have used to register and manage official .gov government domains.
If an attacker phishes or brute-forces their way into one of these domains, they can change DNS entries for the domain and redirect users to fake or malicious sites. As such, securing .gov registrar accounts is a crucial step in ensuring .gov domain security.
To address this issue, between October 1, 2018, and February 13, 2019, DotGov, which is part of the US General Services Administration, will prompt all .gov domain owners to set up 2-step verification for their accounts.
The 2SV mechanism that DotGov chose to implement is Google Authenticator.
Government domain owners will be asked to install the Google Authenticator app on their mobile devices, and after logging in on domains.dotgov.gov with their credentials, they’ll have to scan a barcode with the app, and the app will generate a one-time code they can use for the second phase of the login process.
Enabling 2SV for tens of thousands of .gov domains will take a while. To ensure everything goes without a hitch, DotGov has split the rollout process in multiple phases across the next five months.
The full rollout schedule is below. The first date is when .gov domain owners can enable 2SV for their accounts, while the second date is when 2SV becomes mandatory and domain owners won’t be able to log in without 2SV.
GSA-owned domains: October 1 – 31Federal Agency: October 8 – November 7Native Sovereign Nation: October 8 – November 7County: October 22 – November 21State/Local Govt: November 5 – December 5City: Done in phases, based on the first letter of your username: A – D: November 19 – December 19E – J: December 5 – January 9, 2019K – P: December 17 – January 23, 2019Q – Z: January 14, 2019 – February 13
“This extra layer of security makes it harder for someone to log in as you, which protects the services you make available to the public via a .gov domain,” DotGov said in FAQ page with details about the 2SV rollout.
RELATED COVERAGE:
DHS and GCHQ join Amazon and Apple in denying Bloomberg chip hack storyDOJ explains recent wave of cyber-espionage-related indictmentsGoogle forcibly enables G Suite alerts for government-backed attacksDHS aware of ongoing APT attacks on cloud service providersTechRepublic: North Korea is likely underwriting cyberattacks by mining MoneroCNET: Google tested this security app with activists in Venezuela. Now you can use it tooTwitter bans distribution of hacked materials ahead of US midterm electionsMicrosoft’s efforts for a Digital Geneva Convention get underwayUK Conservative Party conference app leaks MPs’ personal details
Related Topics:
Security TV
Data Management
CXO
Data Centers
0