Trump's Cyber Security Advisor Rudy Giuliani Runs Ancient, Utterly Hackable Website (theregister.co.uk)

← Back to Stories (view on slashdot.org)

Trump's Cyber Security Advisor Rudy Giuliani Runs Ancient, Utterly Hackable Website (theregister.co.uk)

Posted by BeauHD on Friday January 13, 2017 @09:20AM from the irony-and-its-best dept.

mask.of.sanity writes from a report via The Register: U.S. president-elect Donald Trump's freshly minted cyber tsar Rudy Giuliani runs a website so insecure that its content management system is five years out of date, unpatched and is utterly hackable. Giulianisecurity.com, the website for Giuliani's eponymous infosec consultancy firm, runs Joomla! version 3.0, released in 2012, and since found to carry 15 separate vulnerabilities. More bugs and poor secure controls abound. The Register report adds: "Some of those bugs can be potentially exploited by miscreants using basic SQL injection techniques to compromise the server. This seemingly insecure system also has a surprising number of network ports open -- from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007. It also runs a rather old version of FreeBSD. 'You can probably break into Giuliani's server,' said Robert Graham of Errata Security. 'I know this because other FreeBSD servers in the same data center have already been broken into, tagged by hackers, or are now serving viruses. 'But that doesn't matter. There's nothing on Giuliani's server worth hacking.'"

26 of 280 comments (clear)

Min score:

Reason:

Sort:

Not really a big deal. by Lisandro · 2017-01-13 09:28 · Score: 5, Insightful

Robert Graham explained it succinctly: http://blog.erratasec.com/2017... .
The real story here is that Giuliani is now a goddamn cybersecurity advisor, not that this personal site is crap. The guy was hired not because of competence but because he spent the entire campaign kissing Trump's ass.
1. Re:Not really a big deal. by Anonymous Coward · 2017-01-13 09:34 · Score: 4, Funny
  
  Sorry that can't be true, Trump was elected to drain the swamp and no one could ever mislead the American people so this can't happen anymore.
  You're obviously just spreading fake news. Next you'll be saying Trump paid some Russian hookers to piss on each other in front of him in Moscow.
2. Re:Not really a big deal. by Anonymous Coward · 2017-01-13 09:41 · Score: 5, Insightful
  
  You might not get anything interesting from the server, but you could use it to infect other systems and visitors, who might be high profile targets given what it's hosting. The complete disregard for a server might be acceptable for a mom & pop shop, but not for someone who's going to advise the President of the United States of America on security issues.
3. Re:Not really a big deal. by Dr.+Evil · 2017-01-13 09:49 · Score: 5, Insightful
  
  "All this tells us is that Verio/NTT.net is a crappy hosting provider, not that Giuliani has done anything wrong."
  He outsourced to a 2-bit shop with no recognition of the reputational risk. That's a security fail.
4. Re:Not really a big deal. by Cyberax · 2017-01-13 09:53 · Score: 3, Informative
  
  Yeah, remember that clueless Obama cabinet. For example, Steven Chu - a Nobel Prize laureate tapped to lead department of Housing?
5. Re:Not really a big deal. by gmack · 2017-01-13 09:56 · Score: 3, Interesting
  
  He is completely wrong. It does matter. How can Rudy Giuliani be the cyber security czar if he doesn't even know enough to contract competent people to keep his website secure?
6. Re:Not really a big deal. by unrtst · 2017-01-13 09:58 · Score: 5, Insightful
  
  Agreed, and I'd take it several steps further...
  Sure, not all people leading these positions are experts at those fields. I'd argue they should be, but if they're competent enough at leading people that are experts, that'd probably do as well.
  I'd also concede that Giuliani almost certainly didn't set up this server himself, so he's not directly to blame for that.
  However, when those two are combined, it's an utter failure. He is not qualified to do the actual work, and when he has had others do the work (for an "infosec consultancy firm", no less), they utterly failed - thus his leadership of them is also an utter failure. To fill the cyber security advisor role, one should be able to either do the work directly, or be smart enough to interface with those that can do the work. As Trump would say, so sad!
7. Re: Not really a big deal. by Anonymous Coward · 2017-01-13 10:19 · Score: 5, Informative
  
  Stephen Chu was the Energy Secretary, and was followed by Ernest Moniz, a nuclear physicist from MIT. They understand nuclear physics, unlike Rick Perry who doesn't even remember the name of the department he was recently appointed to lead:
  http://abcnews.go.com/blogs/politics/2011/11/rick-perrys-debate-lapse-oops-cant-remember-department-of-energy/
8. Re: Not really a big deal. by ClickOnThis · 2017-01-13 10:30 · Score: 5, Insightful
  
  Stephen Chu was the Energy Secretary, and was followed by Ernest Moniz, a nuclear physicist from MIT. They understand nuclear physics, unlike Rick Perry who doesn't even remember the name of the department he was recently appointed to lead:
  http://abcnews.go.com/blogs/politics/2011/11/rick-perrys-debate-lapse-oops-cant-remember-department-of-energy/
  He had a brain-freeze. It can happen to any of us.
  But what's ironic here is not that he forgot the name of the department. It's that he intended to shut it down, and now he's going to lead it.
  
  --
  If it weren't for deadlines, nothing would be late.
9. Re: Not really a big deal. by PopeRatzo · 2017-01-13 10:51 · Score: 3, Funny
  
  They understand nuclear physics, unlike Rick Perry who doesn't even remember the name of the department he was recently appointed to lead:
  But he was a fourth runner-up on Dancing With The Stars, so I'm pretty sure that qualifies him to be in Trump's cabinet.
  
  --
  You are welcome on my lawn.
10. Re: Not really a big deal. by FFOMelchior · 2017-01-13 13:14 · Score: 3, Funny
  
  ^ I have no idea whether to vote that funny or insightful...... :/
This should be the only comment by H3lldr0p · 2017-01-13 09:29 · Score: 4, Insightful

there's nothing else to talk about. /THREAD
1. Re:This should be the only comment by JoeMerchant · 2017-01-13 09:39 · Score: 5, Insightful
  
  Nothing to talk about, plenty to do... 15 known exploits: get to work.
2. Re:This should be the only comment by Anonymous Coward · 2017-01-13 09:39 · Score: 3, Funny
  
  Oh yes there is. You people might think this conversation is done, you might try to wiggle your way out of it, but it's not going to happen. There's a VITAL issue that needs to be addressed, and, frankly, I'm tired of people dancing around the real issues.
  Now... I understand that the guy is running FreeBSD. I mean, what the crap? He should be running OpenBSD for Pete's sake.
  FreeBSD is just, like, wrong.
They need better cyber by DogDude · 2017-01-13 09:31 · Score: 5, Funny

"So we had to get very, very tough on cyber and cyber warfare. It is a huge problem. I have a son—he’s 10 years old. He has computers. He is so good with these computers. It’s unbelievable. The security aspect of cyber is very, very tough. And maybe, it's hardly doable. But I will say, we are not doing the job we should be doing. But that’s true throughout our whole governmental society. We have so many things that we have to do better, Lester. And certainly cyber is one of them."

--
I don't respond to AC's.
1. Re:They need better cyber by gtall · 2017-01-13 11:27 · Score: 3, Informative
  
  Remember when asked to describe what undisclosed information he knew, Trump said, "You'll find out on Tuesday or Wednesday." That was last week or the week before. We're still waiting. Maybe he's too busy watching for Hollywood slights to get back to us on that.
  And there is this gem talking about the intelligence services, "I think it's unfair if they don't know," he said. "And I know a lot about hacking. And hacking is a very hard thing to prove."
  The trick is to bang the rocks together, Trump.
  (courtesy of Douglas Adams)
What website? by Grand+Facade · 2017-01-13 09:32 · Score: 3, Informative

"giulianisecurity.com’s DNS address could not be found."

--
Rick B.
Let's call it what it is... by tempo36 · 2017-01-13 09:33 · Score: 3, Insightful

Giuliani has been hired to endorse and push laws that further Trump's administration's ability to invade the privacy of those they dislike, and to prosecute those who dare to use technology or the internet to speak out against them.
Require Muslim citizens to register their devices before being allowed to sign up for broadband? Sounds like cybersecurity to me! Emailing someone an article disparaging Trump? Sounds like CYBERTERRORISM right Rudy?
Competency by HogGeek · 2017-01-13 09:39 · Score: 5, Informative

The DNS entry has been removed, but the server continues to run:
http://209.238.99.227/index.ph...
Re:Website is already down but... by Archangel+Michael · 2017-01-13 09:40 · Score: 4, Funny

Yes, you can actually get a "cloth or something"
http://www.bleachbit.org/cloth...

--
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Joomla Considered Harmful by Tenebrousedge · 2017-01-13 09:53 · Score: 4, Insightful

I figured it would have to be Joomla. I'm doing maintenance programming on a Joomla site right now, and it's just a complete mess. There is nothing good about any part of the framework and no one should use it for anything. There is no "right way" to do things, and the documentation is beyond awful: obsolete, incomplete, badly written. Beyond the official documentation, most books on Joomla either don't cover the latest major version, or mention it but focus on the legacy interfaces. One is forced to look at the code itself for examples of what to do, and apparently that means make it up as you go along, There is no consistency even in the unit tests, hell, even in which testing framework they're using. And (at least IMO) there is no consistent vision because the fundamental design is crap.
Use of Joomla for any purpose should be a firing offense.

--
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
Random aspersions by Okian+Warrior · 2017-01-13 10:02 · Score: 3, Informative

Robert Graham explained it succinctly: http://blog.erratasec.com/2017... .
The real story here is that Giuliani is now a goddamn cybersecurity advisor, not that this personal site is crap. The guy was hired not because of competence but because he spent the entire campaign kissing Trump's ass.
"Thus historian Vincent J. Cannato concluded in September 2006, "With time, Giuliani's legacy will be based on more than just 9/11. He left a city immeasurably better off — safer, more prosperous, more confident — than the one he had inherited eight years earlier, even with the smoldering ruins of the World Trade Center at its heart. Debates about his accomplishments will continue, but the significance of his mayoralty is hard to deny."
You might be correct, in that Giuliani was not hired because of competence, but you are completely incorrect implying that Giuliani is wholly without competance.
And once again, I have to ask: is [what you said] this important? Is *why* someone is hired more important than their competence?
And once again again, I have to ask: compared to what? Is hiring Giuliani any worse than the practices of the previous administration or the runner-up candidate?
For contrast, note that Bush appointed a crony as head of FEMA who completely fell on his face during Katrina, and Obama appointed Caroline Kennedy as ambassador to Japan, who was completely outmastered in our recent Japanese treaty negotiations(*).
Is it useful *at all* to just throw throws random aspersions around?
(*) Resulting in a treaty which is beneficial to Japan, but a very bad deal for America. I have no opinion about Ms. Kennedy, good or bad, only note that she was unqualified for the position, was apparently appointed because of her ties to a famous family dynasty, and America was worse off because of it.
1. Re:Random aspersions by Fire_Wraith · 2017-01-13 10:25 · Score: 4, Insightful
  
  Just because someone is good at getting city bureaucrats in line doesn't mean they know jack squat about information security. I've dealt with lots of very successful people who run large businesses in various industries, and are very good at that. They're good in their field, but they don't know infosec. The ones who realize that (and that it's important) hire people who do know it... something Giuliani clearly hasn't done.
  
  I certainly don't expect Giuliani himself to go code up a solution or configure his servers himself. I do expect that he ought to know the importance of hiring good people, and of showing people that you know what you're talking about. Would you hire a plumber who has a broken toilet he can't/won't fix in his own shop's bathroom?
2. Re:Random aspersions by guises · 2017-01-13 11:21 · Score: 5, Informative
  
  Ugh. I hate those posts which go line-by-line quoting and responding and ultimately don't say anything. That's really what I want to do here, because everything you've written here is just... terrible. I'm only going to focus on one thing though:
  
  Obama appointed Caroline Kennedy as ambassador to Japan, who was completely outmastered in our recent Japanese treaty negotiations(*). (*) Resulting in a treaty which is beneficial to Japan, but a very bad deal for America.
  I assume you're talking about the TPP and, in particular, the point that this person is trying to make about the TPP being good for the Japanese auto industry and bad for the American auto industry? If not I don't know what you're talking about, but that's the talking point which was making the rounds.
  
  Let me quote the AC directly underneath that:
  
  The negative impact on the US auto industry really misses the point, protectionism is almost always to the detriment of the country as a whole. Under the deal the Japanese agricultural industry suffers, but all Japanese people get cheaper food. It's a net benefit to Japan, even though it has a negative impact on that specific industry. At the same time the US agricultural industry gains from this. Likewise: under the deal the US auto industry suffers, but all Americans get cheaper cars. Since almost all Americans drive, it's a net benefit to the US. And, at the same time, the Japanese auto industry gains from this. Exactly the same situation as above.
  Disclaimer: I was that AC. Just didn't log in.
  
  Of your points, this is one that I wanted to address because this sort of protectionism is something which really resonates with people who don't think too hard about it. It seems so simple: "Protect American jobs! The only cost is screwing some foreigners! Why haven't we been doing this all along? Our government must be corrupt or stupid or something." It's a topic which demagogues can latch onto, but the only people who protectionism really benefits are the people in control of the industry in question. Even to the peons in that industry the benefit from protectionism is questionable.
  
  It's like those people who claim that climate change doesn't exist because it still gets cold in winter: it kinda makes sense as long as you don't think to hard about it. And that's all it takes to convince some people.
3. Re:Random aspersions by Actually,+I+do+RTFA · 2017-01-13 15:09 · Score: 3, Interesting
  
  NYC was better off off after Giuliani because all of America improved during that time. Compared to the rest of America, NYC actually lost ground.
  Part of that was due to wasteful, counterproductive and possibly unconstitutional policing policies (broken window policing, stop and frisk). Part of that was due to setting up charter schools that actually underperformed the public schools. Part of that was due to botching the ability to respond to 9/11 by failing to properly prepare (e.g. putting the emergency command and control building in the WTC against all advice). And part of that was giving jobs to corrupt associates as opposed to qualified bureaucrats.
  
  --
  Your ad here. Ask me how!
Par for the course by damn_registrars · 2017-01-13 10:29 · Score: 5, Insightful

Considering how many Trump cabinet appointees are openly opposed to the missions - or even existence - of the departments he is aiming to appoint them to head, why would it be a surprise that a "cyber security advisor" is running an atrociously insecure site?

--
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.