Slashdot Mirror


Trump's Cyber Security Advisor Rudy Giuliani Runs Ancient, Utterly Hackable Website (theregister.co.uk)

mask.of.sanity writes from a report via The Register: U.S. president-elect Donald Trump's freshly minted cyber tsar Rudy Giuliani runs a website so insecure that its content management system is five years out of date, unpatched and utterly hackable. Giulianisecurity.com, the website for Giuliani's eponymous infosec consultancy firm, runs Joomla! version 3.0, released in 2012, and since found to carry 15 separate vulnerabilities. More bugs and poor security controls abound. The Register report adds: "Some of those bugs can be potentially exploited by miscreants using basic SQL injection techniques to compromise the server. This seemingly insecure system also has a surprising number of network ports open -- from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007. It also runs a rather old version of FreeBSD. 'You can probably break into Giuliani's server,' said Robert Graham of Errata Security. 'I know this because other FreeBSD servers in the same data center have already been broken into, tagged by hackers, or are now serving viruses. But that doesn't matter. There's nothing on Giuliani's server worth hacking.'"

7 of 280 comments

  1. Not really a big deal. by Lisandro · Score: 5, Insightful

    Robert Graham explained it succinctly: http://blog.erratasec.com/2017... .

    The real story here is that Giuliani is now a goddamn cybersecurity advisor, not that this personal site is crap. The guy was hired not because of competence but because he spent the entire campaign kissing Trump's ass.

    1. Re:Not really a big deal. by Anonymous Coward · Score: 5, Insightful

      You might not get anything interesting from the server, but you could use it to infect other systems and visitors, who might be high profile targets given what it's hosting. The complete disregard for a server might be acceptable for a mom & pop shop, but not for someone who's going to advise the President of the United States of America on security issues.

    2. Re:Not really a big deal. by Dr. Evil · Score: 5, Insightful

      "All this tells us is that Verio/NTT.net is a crappy hosting provider, not that Giuliani has done anything wrong."

      He outsourced to a 2-bit shop with no recognition of the reputational risk. That's a security fail.

    3. Re:Not really a big deal. by unrtst · Score: 5, Insightful

      Agreed, and I'd take it several steps further...

      Sure, not all people leading these positions are experts at those fields. I'd argue they should be, but if they're competent enough at leading people that are experts, that'd probably do as well.

      I'd also concede that Giuliani almost certainly didn't set up this server himself, so he's not directly to blame for that.

      However, when those two are combined, it's an utter failure. He is not qualified to do the actual work, and when he has had others do the work (for an "infosec consultancy firm", no less), they utterly failed - thus his leadership of them is also an utter failure. To fill the cyber security advisor role, one should be able to either do the work directly, or be smart enough to interface with those that can do the work. As Trump would say, so sad!

    4. Re: Not really a big deal. by ClickOnThis · Score: 5, Insightful

      Steven Chu was the Energy Secretary, and was followed by Ernest Moniz, a nuclear physicist from MIT. They understand nuclear physics, unlike Rick Perry who doesn't even remember the name of the department he was recently appointed to lead:

      http://abcnews.go.com/blogs/politics/2011/11/rick-perrys-debate-lapse-oops-cant-remember-department-of-energy/

      He had a brain-freeze. It can happen to any of us.

      But what's ironic here is not that he forgot the name of the department. It's that he intended to shut it down, and now he's going to lead it.

      --
      If it weren't for deadlines, nothing would be late.
  2. Re:This should be the only comment by JoeMerchant · Score: 5, Insightful

    Nothing to talk about, plenty to do... 15 known exploits: get to work.

  3. Par for the course by damn_registrars · Score: 5, Insightful

    Considering how many Trump cabinet appointees are openly opposed to the missions - or even existence - of the departments he is aiming to appoint them to head, why would it be a surprise that a "cyber security advisor" is running an atrociously insecure site?

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.