Trump's Cyber Security Advisor Rudy Giuliani Runs Ancient, Utterly Hackable Website

mask.of.sanity writes from a report via The Register: U.S. president-elect Donald Trump's freshly minted cyber tsar Rudy Giuliani runs a website so insecure that its content management system is five years out of date, unpatched and is utterly hackable. Giulianisecurity.com, the website for Giuliani's eponymous infosec consultancy firm, runs Joomla! version 3.0, released in 2012, and since found to carry 15 separate vulnerabilities. More bugs and poor secure controls abound. The Register report adds: "Some of those bugs can be potentially exploited by miscreants using basic SQL injection techniques to compromise the server. This seemingly insecure system also has a surprising number of network ports open -- from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007. It also runs a rather old version of FreeBSD. 'You can probably break into Giuliani's server,' said Robert Graham of Errata Security. 'I know this because other FreeBSD servers in the same data center have already been broken into, tagged by hackers, or are now serving viruses. 'But that doesn't matter. There's nothing on Giuliani's server worth hacking.'"

Not really a big deal.

[Lisandro]

Robert Graham explained it succinctly: http://blog.erratasec.com/2017... .

The real story here is that Giuliani is now a goddamn cybersecurity advisor, not that this personal site is crap. The guy was hired not because of competence but because he spent the entire campaign kissing Trump's ass.

Re:Not really a big deal.

You might not get anything interesting from the server, but you could use it to infect other systems and visitors, who might be high profile targets given what it's hosting. The complete disregard for a server might be acceptable for a mom & pop shop, but not for someone who's going to advise the President of the United States of America on security issues.

Re:Not really a big deal.

[Dr.+Evil]

"All this tells us is that Verio/NTT.net is a crappy hosting provider, not that Giuliani has done anything wrong."

He outsourced to a 2-bit shop with no recognition of the reputational risk. That's a security fail.

Re:Not really a big deal.

[unrtst]

Agreed, and I'd take it several steps further...

Sure, not all people leading these positions are experts at those fields. I'd argue they should be, but if they're competent enough at leading people that are experts, that'd probably do as well.

I'd also concede that Giuliani almost certainly didn't set up this server himself, so he's not directly to blame for that.

However, when those two are combined, it's an utter failure. He is not qualified to do the actual work, and when he has had others do the work (for an "infosec consultancy firm", no less), they utterly failed - thus his leadership of them is also an utter failure. To fill the cyber security advisor role, one should be able to either do the work directly, or be smart enough to interface with those that can do the work. As Trump would say, so sad!

Re: Not really a big deal.

[ClickOnThis]

Stephen Chu was the Energy Secretary, and was followed by Ernest Moniz, a nuclear physicist from MIT. They understand nuclear physics, unlike Rick Perry who doesn't even remember the name of the department he was recently appointed to lead:

http://abcnews.go.com/blogs/politics/2011/11/rick-perrys-debate-lapse-oops-cant-remember-department-of-energy/

He had a brain-freeze. It can happen to any of us.

But what's ironic here is not that he forgot the name of the department. It's that he intended to shut it down, and now he's going to lead it.

This should be the only comment

[H3lldr0p]

there's nothing else to talk about. /THREAD

Re:This should be the only comment

[JoeMerchant]

Nothing to talk about, plenty to do... 15 known exploits: get to work.

Joomla Considered Harmful

[Tenebrousedge]

I figured it would have to be Joomla. I'm doing maintenance programming on a Joomla site right now, and it's just a complete mess. There is nothing good about any part of the framework and no one should use it for anything. There is no "right way" to do things, and the documentation is beyond awful: obsolete, incomplete, badly written. Beyond the official documentation, most books on Joomla either don't cover the latest major version, or mention it but focus on the legacy interfaces. One is forced to look at the code itself for examples of what to do, and apparently that means make it up as you go along, There is no consistency even in the unit tests, hell, even in which testing framework they're using. And (at least IMO) there is no consistent vision because the fundamental design is crap.

Use of Joomla for any purpose should be a firing offense.

Re:Random aspersions

[Fire_Wraith]

Just because someone is good at getting city bureaucrats in line doesn't mean they know jack squat about information security. I've dealt with lots of very successful people who run large businesses in various industries, and are very good at that. They're good in their field, but they don't know infosec. The ones who realize that (and that it's important) hire people who do know it... something Giuliani clearly hasn't done.

I certainly don't expect Giuliani himself to go code up a solution or configure his servers himself. I do expect that he ought to know the importance of hiring good people, and of showing people that you know what you're talking about. Would you hire a plumber who has a broken toilet he can't/won't fix in his own shop's bathroom?

Par for the course

[damn_registrars]

Considering how many Trump cabinet appointees are openly opposed to the missions - or even existence - of the departments he is aiming to appoint them to head, why would it be a surprise that a "cyber security advisor" is running an atrociously insecure site?