German ministry renames itself, domain expires, is bought by SEO-spammer, expires again, is bought by domain grabber, then later bought by itsec company who now learns that apparently plenty of internal systems of the ministry still try to connect to the domain...
I don't even know where to start how terrible that is and what it tells us about government IT security practices...
https://mint-secure.de/bundesdomain-im-blindflug-dns-leaks-und-ein-jahrzehnt-it-nachlaessigkeit/
@TimPhSchaefers good work!
Federal domain flying blind: DNS leaks and a decade of IT negligence

The article shows how the forgotten federal domain bafl.de is still used by government agency systems and how the DNS logs were analysed.

Mint Secure
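A defender-side check for the failure mode the article describes, added here as an example (not code from the thread or from Mint Secure): it scans BIND-style resolver query logs for lookups of domains the organisation has retired or no longer owns and reports which internal clients still reference them. The log lines and the second retired domain are constructed; bafl.de is the domain named in the preview above.

```python
import re
from collections import defaultdict

# Domains the organisation has retired or no longer controls.
# bafl.de comes from the article; old-ministry.example is a constructed placeholder.
RETIRED_DOMAINS = {"bafl.de", "old-ministry.example"}

# Constructed BIND-style query log lines (not real logs).
SAMPLE_LOG = """\
12-Jan-2025 08:01:12.001 client 10.20.1.15#51234 (proxy.bafl.de): query: proxy.bafl.de IN A + (10.0.0.53)
12-Jan-2025 08:01:13.120 client 10.20.1.15#51235 (www.bund.de): query: www.bund.de IN A + (10.0.0.53)
12-Jan-2025 08:02:40.777 client 10.20.4.9#40011 (update.bafl.de): query: update.bafl.de IN AAAA + (10.0.0.53)
12-Jan-2025 08:03:01.002 client 10.20.1.15#51240 (mail.old-ministry.example): query: mail.old-ministry.example IN MX + (10.0.0.53)
12-Jan-2025 08:03:05.500 client 10.20.7.2#50001 (notbafl.de): query: notbafl.de IN A + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+ \(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def retired_parent(qname):
    """Return the retired domain that qname equals or sits under, else None.
    Matching is label-aware, so 'notbafl.de' does not match 'bafl.de'."""
    name = qname.rstrip(".").lower()
    for domain in RETIRED_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def find_leaks(log_text):
    """Map retired domain -> {client IP -> sorted list of names queried}."""
    leaks = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue  # not a query line; skip
        parent = retired_parent(match["qname"])
        if parent:
            leaks[parent][match["client"]].add(match["qname"].rstrip(".").lower())
    return {d: {c: sorted(n) for c, n in clients.items()} for d, clients in leaks.items()}


if __name__ == "__main__":
    for domain, clients in find_leaks(SAMPLE_LOG).items():
        print(domain)
        for client, names in clients.items():
            print(f"  {client}: {', '.join(names)}")
```

Each client listed is a system whose configuration still points at a domain a third party could now answer for; the name it asks for (proxy, update, mail) hints at which setting to fix.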
I do wonder whether @TimPhSchaefers plans to transfer the domain back to them or keep it. I guess the latter would be safer for them.
Otherwise we may have an update to that story again in 10 years that they lost it again or something...

@hanno Haha - I had the same case with them a few months ago - now again:
https://netzpolitik.org/2025/bamf-wenn-max-mustermann-zum-sicherheitsproblem-wird/

https://einteilvonjenerkraft.medium.com/veraltete-nutzerkonten-erm%C3%B6glichten-unautorisierten-zugriff-auf-bamf-daten-b040c487562e

I offered them the domain - but still have it ... seems to be a structural problem.

BAMF: When Max Mustermann becomes a security problem

Through an unused e-mail account, a security researcher obtained administrator rights with just a few clicks. This incident in one of BAMF's IT systems shows how important careful user management is and where the agency needs to improve.

netzpolitik.org
[39c3] Lost domains, open doors - what old government domains reveal

The investigation revealed not only misconfigurations but also phenomena such as bitsquatting and typosquatting within the administrative networks. By operating a DNS server and acquiring bund.ee (a near typosquatting/bitsqu...

39c3

@gregr @hanno
Thank you. There will be an English translation of the CCC talk, I guess.

Heise has a news article in English about our case: https://www.heise.de/en/news/Digital-Trust-in-Danger-When-Authorities-Forget-Their-Old-Domains-11111066.html

Digital Trust in Danger: When Authorities Forget Their Old Domains

Abandoned government web addresses enable disinformation and fraud. The federal government lacks uniform rules and transparency.

heise online
@hanno @TimPhSchaefers Nobody cares, nerd stuff.
@hanno @TimPhSchaefers Highly intelligent little machines will take care of it soon, everything will be fine.

@hanno @TimPhSchaefers OMFG.

BAFfLing.

Truly uncharted territory (Neuland), all of this, isn't it?

@jesterchen @hanno @TimPhSchaefers
Came here to make that pun, knowing probably somebody already had
@hanno @TimPhSchaefers I don’t understand why they don’t adopt .gov.de , the current system is confusing, and it’s difficult to know if the website is impersonating a government website or if it’s fake.
@cosmiction they have bund.de with subdomains, which sorta gives you the same without being a formal subdomain. But it appears usage is inconsistent. They probably also should name-separate internal systems from public web pages.
@cosmiction but even then, this is, of course, technical debt. If they start doing this today, they could still be harmed by their 15 year old abandoned domains.

@hanno @TimPhSchaefers Sniffing around in one Austrian ministry's DNS, I see three generations of domains being in active use... and I feel for the admins that need to change all their infrastructure at the drop of a hat because their ministry gets renamed way too often.

The good thing here, tho, is that this is all under .gv.at, which is a tightly managed second-level domain, so the risk of grabbers is not present.

@hanno that's why we call this "newland"!
@hanno @TimPhSchaefers It’s very surprising to see that NIC .de doesn’t have a reserved second level domain for government sites (like the “.gov” or “.gob” you normally see, “.reg.de” maybe?). The German government buying private domains like a regular Joe is a really weak move. 😝
@dmian @hanno There are gov.de and bund.de - but room for improvement ...
@TimPhSchaefers @hanno Oh! Thanks for the info. When I checked, it said there were no second-level domains for Germany. If so, why not use that for ministries? Everything government here in Spain is under gob.es, a reserved second level.
@dmian @hanno We're just starting that :)
@TimPhSchaefers @hanno Ok. I see. But it’s strange that a nameless person like me knows that you don’t immediately abandon a domain for a new one, you keep the old one with redirects until the reports say no one is calling those urls anymore, but a government was not doing that 😆

DENIC used to have a policy that 2-letter domains and any domain that matches a license plate code were unavailable.

Problem with that: VW sued against that policy because they wanted to register vw.de and won, so DENIC had to abandon the policy. Now all the domain names that match license plate codes (which were supposed to be used by the district administrations) are in the hands of random people.

@dmian @hanno @TimPhSchaefers

@hallunke23 @hanno @TimPhSchaefers Oh! Wow… That’s a really shocking bit of information. Thanks!

@hanno @TimPhSchaefers

That is the current average level of digital competence. Everywhere.

@hanno @TimPhSchaefers I don't understand why governments (or indeed any large organisations) ever release domain names again.
It's not as if they cost actual money to keep, and the potential downsides of releasing one, even if *you* don't use it any more, are massive.

@hanno @TimPhSchaefers
Similarly absurd (though not dangerous) was the bmftr domain.

And all of it completely avoidable. The ministries could all operate under abbreviation.bund.de and use only that for all internal links etc., and the short form abbreviation.de (for use on posters etc.) would then simply be a redirect (or a C-Record).

And of course, everything one has ever had should also be kept long-term. But the BMFTR already managed within 3 months to break all links from research projects to the ministry (including links in publications etc.), so they simply lead nowhere, because of course every government always has to completely restructure everything.

@Lapizistik @TimPhSchaefers bmftr[dot]de? It is for sale, but no price is listed; you can make an offer.

@hanno @TimPhSchaefers

Yep, a domain grabber secured that one a month before they officially announced the abbreviation.

@hanno @TimPhSchaefers Maybe it is time to make domain pirating illegal... It's not like they are not already among the scum of the internet.
@hanno @TimPhSchaefers This is pretty common. In my former life I discovered that an AD internally used a not-yet-claimed domain. I then did that for pentesting, which was scary and funny at the same time. I gave the domain back 5 years after everything was switched to a really internal domain and _no_ DNS requests had come to me for 2 years ;) So, this is quite... usual.