Forwarded from: William Knowles <wk@c4i.org>
http://news.com.com/2100-1023-983384.html
By Declan McCullagh, Staff Writer, CNET News.com, February 5, 2003
WASHINGTON--In a move that raises questions about the security of governmental domains, the Bush administration has pulled the plug on a .gov Web site pending an investigation into the authenticity of the organization that controlled it.
Until recently, visitors to the AONN.gov Web site were treated to a smorgasbord of information about an agency calling itself the Access One Network Northwest (AONN), a self-described cyberwarfare unit claiming to employ more than 2,000 people and to have the support of the U.S. Department of Defense.
No federal agency called AONN appears to exist, and no agency with that name is on the official list of organizations maintained by the U.S. National Institute of Standards and Technology.
The General Services Administration (GSA), which runs the .gov registry, pulled the domain on Jan. 24, after a query from CNET News.com.
"There are questions about the authenticity of the Web site that includes the AONN name," the agency said in an e-mail reply. "Until the situation is resolved, we have eliminated the URL from the .gov directory name server."
The action could point to the first case of a .gov domain name hijacking.
The GSA investigation raises questions about the integrity of federal Web sites at a time when the Bush administration is touting electronic government initiatives. President Bush signed the E-Government Act of 2002 in December, and the IRS in January began a program to encourage Americans to file their taxes electronically.
Cybersquatting, or registering a domain to which you may not be entitled, is hardly uncommon among the multitude of .com and .net domains. In 1999, President Bill Clinton signed an anticybersquatting law, and an alternate process through which domain names can be challenged has resulted in more than 11,000 domain names being transferred away from the parties who had registered them.
But there are no known cybersquatting incidents involving a governmental domain, according to the GSA. "I'm not aware of any incident" in the past when an unapproved individual has gained control of a .gov domain name, an agency representative said.
Chris Casey, who in 1995 helped to create Congress' first Web sites and now runs a Web design company called Casey.com, says he was surprised to hear that AONN had apparently secured a .gov name, and said a misappropriated .gov domain could create confusion among Web users.
"I'm not aware of it ever happening before," Casey said. ".gov, .edu and .mil carry a feeling of trustworthiness...People have learned to place more faith in them."
AONN's background
Claiming credit for the deleted .gov site is a man who calls himself Robert L. Taylor III, whose name and contact information appeared in documents on the AONN.gov site.
Taylor, who appears to reside near Everett, Wash., declined to explain how, exactly, he secured a .gov domain for the group, calling AONN's operations "classified."
"We have exploited a security hole in the bureaucracy," Taylor said in a telephone interview. "There are loopholes, there are security holes, there are holes in the system."
On its now-deleted site, AONN contended its "U.S. Defense Security Intelligence Network" (DSIN) was launched at Harvard University's John F. Kennedy School of Government last year, but Doug Gavel, the Kennedy School's communications director, says he's not aware of any such program. Similarly, AONN said its champion in Congress is Rep. Jay Inslee, D-Wash., whose office categorically denies it. A Senate Budget Committee representative said he had never heard of AONN.
A Pentagon representative also said that AONN has no affiliation with the U.S. military and that he had no knowledge of the organization.
It's unclear when the site was first registered or how Taylor may have taken control of a .gov domain. According to the official .gov registration rules, only organizations that appear in an official list of government agencies qualify for a .gov domain--and AONN is not on it. If AONN were a legitimate Defense Department agency, it would have to register a .mil--rather than a .gov--domain name.
One loophole exists for city and state governments, which were allowed to register .gov domains before the current rules took effect in May 1997. Such registrations are no longer permitted. But local and state governments with existing sites, such as the state of California's ca.gov, were allowed to keep them.
Registering a .gov domain name involves writing an authorization letter--two samples are provided on the GSA Web site--printing it out, and then sending it to the ".GOV Domain Manager" in Reston, Va. The GSA would not comment on what security measures were in place, and what changes, if any, have been made.
The GSA's safeguards don't provide foolproof security, says Adrian Lamo, a hacker and social engineer who claims to have penetrated computer systems run by The New York Times and a string of other corporations.
"The process isn't intended to stop anyone who isn't going to be stopped by the need to go to Kinko's, print out some letterhead and then send an honest-to-God postal letter," Lamo said. "It'll stop the people that are willing to break any rule, as long as they can fill out a Web form to do it. And that eliminates 95 percent of pranks."
If someone expressed interest in AONN, Taylor would send them a 122-page PDF file containing buzzwords such as "computer intrusion teams," "beyond state-of-the-art super computing... next level broad-range security systems, cyber warfighting, highly advanced satellite technologies and nano-technologies." It described AONN as a "joint-counterstrike force (that) possesses such a culmination of some of the world's brightest and most brilliant intellect, intelligentsia, academicians and minds, it can quite easily be said that the AONN DSI concept by itself is worth multibillions."
A notice on AONN.gov offered to "split payment on contract disbursements" with its fund-raisers. Taylor also offered this deal to potential buyers: "You come up with fifty million dollars and we'll sign contracts as well as deliver both human assets and the DSIN program."
Taylor would not say if he had collected any money from corporations and individuals as a result of these offers.
Besides claiming to be a military intelligence agency, AONN also said it has an "emerging and expensive clothing line" and an urban and R&B record label that has signed "certified platinum artists." In November 2000, a company named AONN Records released a CD called November 12 Projekt that a local newspaper described as a collaboration of "two ambitious young rappers."
Taylor said that AONN.gov and AONN Records are the same.
No company named AONN Records or Access One Network Northwest is listed with directory assistance, and the Washington state government has no record of a company with either name being incorporated.
AONN Records' CD release appears to have been distributed by The Orchard, which provides a vehicle for independent musicians to sell to online stores such as Amazon.com and CDNow.com. The Orchard could not locate AONN Records or Robert Taylor in its files. A representative said that would be the case if The Orchard no longer carried the November 12 Projekt CD.
One document Taylor distributed from his Hotmail account this week, called a "Special Projects Dossier," lists excerpts from job applications apparently sent to him by intelligence officers seeking employment.
"Some have suggested it is a spoof by a rock group who has misused the aonn.com and aonn.gov registrations," a representative for the Association of Former Intelligence Officers said this week. "How they obtained the (top-level domain) of .gov is baffling and shows a flaw in the registration system that could create greater mischief in other hands."